CTF-Writeups/HackTheBox/Forest.md
2021-07-10 20:19:12 +05:00


HackTheBox-Forest

NMAP


PORT     STATE SERVICE           REASON          VERSION
53/tcp   open  domain?           syn-ack ttl 127
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  spark             syn-ack ttl 127 Apache Spark
135/tcp  open  msrpc?            syn-ack ttl 127
139/tcp  open  netbios-ssn?      syn-ack ttl 127
464/tcp  open  kpasswd5?         syn-ack ttl 127
593/tcp  open  ncacn_http        syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?          syn-ack ttl 127
3268/tcp open  ldap              syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl? syn-ack ttl 127
5985/tcp open  http              syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_  Supported Methods: HEAD
9389/tcp open  adws?             syn-ack ttl 127

Host script results:
|_clock-skew: mean: 3h40m48s, deviation: 4h57m02s, median: 10m45s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2021-05-11T11:43:01-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
|_smb2-time: Protocol negotiation failed (SMB2)


Here we see port 88 open, which is Kerberos, and port 3268, which is LDAP; together they tell us that this is an Active Directory machine. We also have the SMB port open, so we can check whether there are any accessible SMB shares.

PORT 139/445 (SMB)

We get an authentication error, meaning that anonymous login is disabled, so let's move on to LDAP.

PORT 3268 (LDAP)

LDAP stands for Lightweight Directory Access Protocol. It is used for querying and locating data about organizations, individuals and other resources such as files and devices in a network, and there are tools for searching it for users, groups and so on.

https://github.com/ropnop/go-windapsearch

This is the tool that I found was working; there is no need to clone it, simply go to the releases page and download the compiled binary.

windapsearch-linux-amd64 -d 'htb.local' --dc 10.10.10.161 -m users

Let's break down the syntax of this tool

-d ---> This specifies the domain name, which is htb.local

--dc ---> This specifies the domain controller IP (the machine IP)

-m ---> This specifies the module to use; in this case we are using the users module, which queries information about users

These are the available modules. We know that service accounts are usually Kerberoastable, so we are going to search for a service account. In order to do that we need to run a custom module with the filter (objectclass=*); when this query executes, we are presented with all objects and all attributes available in the tree.

This produces a lot of output, so search through it for service accounts until you find a service account name.

Alternatively we can use enum4linux, which can enumerate SMB shares and query LDAP to look for users and groups.

We can see the service account svc-alfresco, as the prefix svc stands for service. We will use impacket's GetNPUsers.py, since this account does not require Kerberos pre-authentication; this is known as AS-REP Roasting, and you'll see that the hash is different from a normal Kerberos hash.
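The property that makes svc-alfresco AS-REP roastable is a single bit in its userAccountControl attribute (DONT_REQUIRE_PREAUTH). The script below is an added example, not code from the write-up or from windapsearch: it decodes that attribute the way a defender would review the output of the LDAP user search above, flags every account with pre-authentication disabled, and carries the LDAP filter that asks the directory for exactly those accounts instead of dumping (objectclass=*). SAMPLE_ENTRIES is constructed sample data; the svc-backup and jdoe names are hypothetical.

```python
"""Audit user entries for disabled Kerberos pre-authentication (AS-REP roastable).

Added example, not code from the write-up or from windapsearch: it decodes the
userAccountControl attribute the way a defender would review the output of an
LDAP user search. SAMPLE_ENTRIES is constructed sample data.
"""

# userAccountControl bit flags (documented Microsoft values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQUIRE_PREAUTH",
}
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQUIRE_PREAUTH = 0x400000

# LDAP filter that asks the directory for the same thing directly (bitwise AND
# matching rule on userAccountControl; 4194304 == 0x400000).
ASREP_LDAP_FILTER = (
    "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

# Constructed sample entries shaped like a user search result; the values and
# the svc-backup / jdoe names are made up for this example.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 4260352,
     "servicePrincipalName": []},
    {"sAMAccountName": "Administrator", "userAccountControl": 66048,
     "servicePrincipalName": []},
    {"sAMAccountName": "jdoe", "userAccountControl": 66048,
     "servicePrincipalName": []},
    # Disabled account that also has pre-auth turned off.
    {"sAMAccountName": "svc-backup", "userAccountControl": 4194818,
     "servicePrincipalName": ["MSSQLSvc/db.htb.local:1433"]},
]


def decode_uac(value):
    """Return the set of flag names set in a userAccountControl integer."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def find_asrep_roastable(entries, include_disabled=False):
    """Return accounts whose DONT_REQUIRE_PREAUTH bit is set.

    Disabled accounts are skipped by default because the KDC will not issue an
    AS-REP for them, but include_disabled=True lists them for cleanup anyway.
    """
    findings = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        if not uac & UAC_DONT_REQUIRE_PREAUTH:
            continue
        disabled = bool(uac & UAC_ACCOUNTDISABLE)
        if disabled and not include_disabled:
            continue
        name = entry["sAMAccountName"]
        findings.append({
            "account": name,
            "disabled": disabled,
            # Naming convention hint only; the flag is what makes it roastable.
            "looks_like_service": name.lower().startswith("svc"),
            "has_spn": bool(entry.get("servicePrincipalName")),
            "flags": sorted(decode_uac(uac)),
        })
    return findings


if __name__ == "__main__":
    for f in find_asrep_roastable(SAMPLE_ENTRIES, include_disabled=True):
        state = "disabled" if f["disabled"] else "enabled"
        print(f"{f['account']}: pre-auth not required ({state}), flags={f['flags']}")
```

The remediation is to clear the bit (or, where an application genuinely needs it, to give that account a long random password and monitor AS-REQ traffic for it); running the audit with include_disabled=True catches stale accounts that would become roastable the moment someone re-enables them.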

We can crack this hash either with john or hashcat. I will be using hashcat, and we need to know the hash type (mode) to supply, which we can find on the hashcat example hashes page.

Perfect, we have the password. Now we can use the BloodHound ingestor to collect information about the AD environment.

https://github.com/fox-it/BloodHound.py

python3 bloodhound.py -d 'htb.local' -u 'svc-alfresco' -p 's3rvice' -gc 'FOREST.htb.local' -c all -ns 10.10.10.161

We'll get these JSON files; we put all of them in an archive, launch BloodHound and import that archive.

We can run the query Find All Domain Admins and see the result.

Run the query Find AS-REP Roastable Users.

Mark the account as owned, then click on the account; on the left side you can see in how many groups this account has permissions.

Select Reachable High Value Targets.

About WriteDACL: the Exchange Windows Permissions group has the WriteDACL right on the domain object htb.local. Whoever holds WriteDACL on an object can modify that object's discretionary access control list, so a member of that group can grant themselves (or any user they control) additional rights on the domain, such as the replication rights needed for DCSync.
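What the Reachable High Value Targets view computes is a shortest-path search over group memberships and ACL rights. The script below is an added example, not BloodHound's code and not data from the write-up's collection: it runs a breadth-first search over a constructed (source)-[edge]->(target) graph in the shape BloodHound draws, reports the path from svc-alfresco to the domain object, and separates the ACL edges (the misconfigurations a defender would remove) from plain group membership. SAMPLE_EDGES is constructed; the intermediate group names and the jdoe user are hypothetical.

```python
"""Reachable high value targets: a small BloodHound-style path search.

Added example, not BloodHound's code or data from the write-up's collection.
SAMPLE_EDGES is a constructed graph; intermediate group names are hypothetical.
"""
from collections import deque

# Constructed sample graph. Group membership edges are "MemberOf"; everything
# else is an ACL right the source holds on the target object.
SAMPLE_EDGES = [
    ("SVC-ALFRESCO@HTB.LOCAL", "MemberOf", "SERVICE ACCOUNTS@HTB.LOCAL"),
    ("SERVICE ACCOUNTS@HTB.LOCAL", "MemberOf", "ACCOUNT OPERATORS@HTB.LOCAL"),
    ("ACCOUNT OPERATORS@HTB.LOCAL", "GenericAll", "EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL"),
    ("EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL", "WriteDacl", "HTB.LOCAL"),
    ("JDOE@HTB.LOCAL", "MemberOf", "DOMAIN USERS@HTB.LOCAL"),
    ("DOMAIN ADMINS@HTB.LOCAL", "GenericAll", "HTB.LOCAL"),
]

# Objects BloodHound marks as high value: here the domain itself and Domain Admins.
HIGH_VALUE = {"HTB.LOCAL", "DOMAIN ADMINS@HTB.LOCAL"}


def build_adjacency(edges):
    """Map each source node to its outgoing (edge_type, target) pairs."""
    adjacency = {}
    for source, edge_type, target in edges:
        adjacency.setdefault(source, []).append((edge_type, target))
    return adjacency


def reachable_high_value(start, edges, high_value=HIGH_VALUE):
    """BFS from start; return {high_value_node: shortest path} for each one reached.

    A path is a flat list alternating node, edge_type, node, ...
    """
    adjacency = build_adjacency(edges)
    found = {}
    seen = {start}
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        for edge_type, target in adjacency.get(node, []):
            if target in seen:
                continue
            seen.add(target)
            new_path = path + [edge_type, target]
            if target in high_value:
                found[target] = new_path
            queue.append((target, new_path))
    return found


def format_path(path):
    """Render a path the way BloodHound labels it: A -[MemberOf]-> B -[WriteDacl]-> C."""
    text = path[0]
    for i in range(1, len(path), 2):
        text += f" -[{path[i]}]-> {path[i + 1]}"
    return text


def acl_edges_on_path(path):
    """The non-membership edges on a path: the ACL grants a defender can remove."""
    return [(path[i - 1], path[i], path[i + 1])
            for i in range(1, len(path), 2) if path[i] != "MemberOf"]


if __name__ == "__main__":
    for target, path in reachable_high_value("SVC-ALFRESCO@HTB.LOCAL", SAMPLE_EDGES).items():
        print(format_path(path))
        for source, right, obj in acl_edges_on_path(path):
            print(f"  remediate: {right} granted to {source} on {obj}")
```

Cutting any single ACL edge on the path (here the GenericAll on the Exchange group or the WriteDacl on the domain) breaks the chain; group membership edges usually cannot be removed without breaking something, which is why the ACL edges are the ones reported for remediation.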

Log in with the credentials using evil-winrm and upload the PowerView.ps1 PowerShell script.

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Now we need to create a new user, so I am going to create a user named arz and add it to the Exchange Windows Permissions group, which is a domain group. After that we create a variable holding arz's password converted to a secure string and build a PowerShell credential object from it. Lastly we use PowerView's Add-DomainObjectAcl function, which lets us give this user DCSync rights; these are replication rights that allow us to request password hashes from the Domain Controller.

Now we run impacket's secretsdump.py, which uses those replication rights to dump the password hashes from the NTDS.dit file.
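From the blue-team side, the replication request secretsdump.py makes is visible on the domain controller as Security event 4662 with the directory replication control-access rights in its Properties field. The script below is an added example, not part of the write-up: it parses constructed 4662 records in a flat key=value export and alerts when a non-machine, non-allowlisted account asks for those rights, which is what a DCSync from a freshly created user such as arz looks like. SAMPLE_EVENTS is constructed sample data, not output from the target; only the user names are reused from the write-up.

```python
"""Detect DCSync-style replication requests in Windows Security events.

Added example, not from the write-up. SAMPLE_EVENTS is constructed key=value
log data (a SIEM-style export, not the native event XML).
"""
import shlex

# Control-access right GUIDs for directory replication (documented values).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events. AccessMask 0x100 is "Control Access".
SAMPLE_EVENTS = [
    # Domain controller computer account replicating normally (trailing $).
    'EventID=4662 SubjectUserName=FOREST$ SubjectDomainName=HTB ObjectType=domainDNS '
    'AccessMask=0x100 Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    # Freshly created user asking for replication rights: this is the DCSync.
    'EventID=4662 SubjectUserName=arz SubjectDomainName=HTB ObjectType=domainDNS '
    'AccessMask=0x100 Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    # Ordinary 4662 on some other property GUID; must not alert.
    'EventID=4662 SubjectUserName=svc-alfresco SubjectDomainName=HTB ObjectType=user '
    'AccessMask=0x10 Properties="{00000000-0000-0000-0000-000000000000}"',
    # Unrelated logon event.
    'EventID=4624 SubjectUserName=arz SubjectDomainName=HTB LogonType=3',
]


def parse_event(line):
    """Split a key=value line into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def replication_rights_requested(fields):
    """Names of replication rights whose GUIDs appear in the Properties field."""
    props = fields.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in props]


def detect_dcsync(lines, allowlist=()):
    """One alert per 4662 event in which a non-machine, non-allowlisted account
    requested replication rights."""
    allowed = {name.lower() for name in allowlist}
    alerts = []
    for line in lines:
        fields = parse_event(line)
        if fields.get("EventID") != "4662":
            continue
        rights = replication_rights_requested(fields)
        if not rights:
            continue
        user = fields.get("SubjectUserName", "")
        # Domain controllers replicate with their machine account (trailing $);
        # known sync accounts (e.g. a directory sync service) go on the allowlist.
        if user.endswith("$") or user.lower() in allowed:
            continue
        alerts.append({
            "user": user,
            "domain": fields.get("SubjectDomainName", ""),
            "rights": rights,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspected: {alert['domain']}\\{alert['user']} requested {alert['rights']}")
```

Event 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object carries a SACL for those control-access rights, so the rule is worthless until that auditing is switched on; the preceding step in this write-up (the DACL change granting the rights) shows up separately as a 5136 directory object modification on the domain's nTSecurityDescriptor attribute.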

We could also have done this with the service account itself instead of creating a new user.