The Forest machine is a deliberately vulnerable machine with a Windows operating system, which is among the retired machines. It is expected to obtain user and root flags by using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
ClassicScan
Full Port Scan
As a result of the port scan, we came across quite a few ports.
- Since 88 kerberos and 389 ldap ports are open, we understand that it is most likely a Windows Active directory machine.
- Domain information is htb.loca and hostname (FQDN) information is FOREST.htb.local.
- It has Windows Server 2016 Standard 14393 operating system.
- We will need to provide anonymous LDAP and SMB enumeration
- If we find the Credential information from LDAP or SMB, I can use winrm wsman ports.
As a result of the Nmap scan, we collected this information on the system.
We provide Ldap enumeration;
ldapServiceName: htb.local:forest$@HTB.LOCAL
Filter users
Here we have identified users
Let’s provide smb enumeration with enum4linux tool
The user svc-alfresco is noteworthy here because we did not see this user when we looked with ldapsearch and it is also noteworthy that it is “Service Accounts”
We checked the sharing areas with Smbclinet and found no results
We see that anonymous login is successful but no shares are listed.
Let’s try an asep-roasting attack here using the GetNPUsers.py tool, where we can get the TGT ticket, then break the hash and get the password.
Here we created userlist.txt with nano and then queried using the tool
We saved this TGT as a hash and then we broke it with john.
This is how we got the password
svc-alfresco:s3rvice
Let’s connect to evilwinrm using this credential
We have successfully connected and got our user flag, but we still cannot access the root flag, so we provide local enumeration.
Install and run Winpeas
Let’s use bloodhound without success with winpeas output
First I install and run sharphound on the target machine
After the process is complete, it gives us a zip file.
We forward this zip file to our local machine to examine it with bloundhound
I export the resulting zip file to the blound hound file
I right click on the user SVC-ALFRESCO and mark it as “User as Owned”.
In the Analaysisi section I click on “Shortest Path from Owned Principals”
and I interpret the resulting graph
We can see that the user svc-alfresco is a member of the Service Accounts group which is a member of the Privileged IT Accounts group which is a member of Account Operators. Also the Account Operators group has GenericAll permissions in the Exchange Windows Permissions group which has WriteDacl permissions in the domain domain.
svc-alfresco is not only a member of Service Accounts, it is also a member of the Privileged IT Accounts and Account Operators groups.
The Service Accounts group grants the user limited account creation privileges. Therefore, the user svc-alfresco can create other users in the domain.
The Service Accounts group has the GenericAll permission in the Exchange Windows Permission group. This permission essentially gives members full control over the group and therefore allows members to change group membership directly. svc-alfresco is a member of Service Accounts, so it can change the permissions of the Exchange Windows Permission group.
The Exchange Windows Permission group has the WriteDacl permission on the HTB.LOCAL domain. This permission allows members to modify the DACL (Discretionary Access Control List) in the domain. We will abuse this to grant ourselves DcSync privileges, which will give us the right to perform domain replication and discard all password hashes from the domain.
Putting all the pieces together, our attack path is as follows.
- Create a user in the domain. This is possible because svc-alfresco is a member of the Service Accounts group.
- Add the user to the Exchange Windows Permission group. This is possible because svc-alfresco has GenericAll permissions in the Exchange Windows Permission group.
- Grant the user DcSync privileges. This is possible because the user is part of the Exchange Windows Permissions group, which has WriteDacl permission on the htb.local domain.
- Perform a DcSync attack and dump the password hashes of all users in the domain.
- Perform a Pass the Hash attack to gain access to the administrator’s account.
We create a user named Ma
I include user Ma in the Exchange Windows Permissions group
Let’s see that the user is in the group
Then this user became the consistency we wanted
Grant DCSync privileges to the user. We will use PowerView for this. First, we upload Powerview with the upload command.
We activate the powerview file
Then we activate dssync
After activating it here, we get the hash information from the machine using the secretdump tool
We have obtained the hash information of the Administrator user, we will perform paas the hash attack using this hash with the psexec tool tool.
We have obtained a shell on the nt authority\system user so we can read the root flagi