Forest HTB walkthrough

In this writeup I will do my best to explain Forest from HTB in my own words. It will include screenshots, the commands I ran and the explanation for each. This box is a great intro box to learn Active Directory tools and exploitation. The first thing we do on this box is an nmap scan. I keep it simple and run nmap with nmap -sC -sV (ip)

Now after the scan is finished we can see the services and ports that are open (due to the scope of the walkthrough I'm showing the solutions first, then what wouldn't work). We will focus on port 135, which is MSRPC, and port 445, as SMB is enabled, and we can see it is associated with Windows Server 2016.

Trying smbmap -H or any smbclient won't do us any good, nor will enum4linux (I will show this after root). Now I've seen other people recommend ldapsearch or a tool such as windapsearch.py, but that is mostly unnecessary, since we have RPC bound on port 135 and can connect with rpcclient using a null session, with the command rpcclient -U '' -N (ip)

After we log in with rpcclient with no creds you can type help and it will show you a great number of commands you can run. RPC over LDAP: some systems use RPC protocols on top of or alongside LDAP for more complex operations, especially in Microsoft Active Directory (AD) environments. RPC allows for more sophisticated interactions than basic LDAP queries.

Now that that was established, I ran the command enumdomusers, which dumps all the user accounts in this domain. You can also get this by typing querydispinfo, but we will just use the first one.

Now that we were able to dump the users, we create a new text file and add the users found to it as a list. Feel free to only add the names that look normal; the other ones won't be needed.

After making the list of users and saving it, you will need to download a tool called Impacket, by Fortra, which can be downloaded and set up from their GitHub at https://github.com/fortra/impacket (just copy and paste that into a browser).

After downloading and setting it up properly, what we will be doing is called "AS-REP Roasting". AS-REP Roasting is a type of attack that exploits a weakness in Kerberos, a widely used authentication protocol. Specifically, it targets user accounts that do not require Kerberos pre-authentication, allowing attackers to perform offline password cracking. So with the user list we made we will check which of them do not require Kerberos pre-auth, and we do it with the command GetNPUsers.py htb.local/ -dc-ip 10.129.231.189 -no-pass -usersfile users, indicating the users list as well as the domain and IP.

After getting the response from Impacket we can see that a hash populated, which belongs to a service account, svc-alfresco. Now we will grab that hash, add it to another text file and try cracking it with either Hashcat or John the Ripper. I personally prefer John, so let's give it a shot.

Now for this to work, since it will be an offline brute-force attack, you will need a wordlist such as rockyou.txt. The image above shows me putting the hash into a text file; now we run the attack with John to crack the password using rockyou.txt: john hash.txt -w=(directory of wordlist)

After that finishes we see that the password was cracked: the pass is s3rvice. With that we can try to log in with Evil-WinRM to see what's there, and we do that with the command evil-winrm -i (target ip) -u svc-alfresco -p 's3rvice'

And right after, if you navigate to the Desktop you should find the user flag.
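From the defender's side, the AS-REP roasting step above is both auditable and detectable. The following is an added example (not part of the original walkthrough): it decodes the userAccountControl bit that disables Kerberos pre-authentication over a constructed account list, and flags the Kerberos TGT-request (Event ID 4768) pattern the roast leaves on a domain controller. The log line format is a constructed key=value layout, not real Windows event text.

```python
import re

# userAccountControl bits (from the AD schema) relevant to AS-REP roasting.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

def asrep_roastable(accounts):
    """Return names of enabled accounts with 'Do not require Kerberos
    preauthentication' set; accounts is a list of (name, userAccountControl)."""
    return [name for name, uac in accounts
            if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE]

# Event ID 4768 (Kerberos TGT requested) with Pre-Authentication Type 0 and
# RC4-HMAC (etype 0x17) is the footprint GetNPUsers.py leaves on the DC.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Account=(?P<acct>\S+)\s+PreAuthType=(?P<pre>\d+)"
    r"\s+TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+)")

def flag_asrep_events(lines):
    """Return account names whose TGT requests match the AS-REP roasting pattern."""
    hits = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m and m.group("id") == "4768" and m.group("pre") == "0" \
                and int(m.group("etype"), 16) == 0x17:
            hits.append(m.group("acct"))
    return hits

# Constructed sample data; the UAC values and log lines are not real Forest output.
SAMPLE_ACCOUNTS = [
    ("svc-alfresco", 0x400200),  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH -> roastable
    ("alice", 0x200),            # NORMAL_ACCOUNT only -> safe
    ("oldsvc", 0x400202),        # preauth off but account disabled -> not roastable
]
SAMPLE_EVENTS = [
    "EventID=4768 Account=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17",
    "EventID=4768 Account=alice PreAuthType=2 TicketEncryptionType=0x12",
    "EventID=4769 Account=alice PreAuthType=0 TicketEncryptionType=0x17",
]

if __name__ == "__main__":
    print("roastable accounts:", asrep_roastable(SAMPLE_ACCOUNTS))
    print("suspicious 4768 events:", flag_asrep_events(SAMPLE_EVENTS))
```

The fix for the audit finding is simply clearing that flag on the account (and rotating its password), which removes the offline-cracking exposure entirely.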

Afterwards you will want to crack out that BloodHound. Yes, the next step will be using BloodHound to look more into the AD infrastructure and see all of the groups and accounts associated within the environment. If you need a guide to set up the tool, go here for reference -> https://bloodhound.specterops.io/get-started/quickstart/community-edition-quickstart <- .

Go ahead and copy and paste it to learn how to set it up if needed. Once it is set up, go ahead and start it.

Then with that running in the background, you type the following command to get the JSON files to inspect: bloodhound-python -d htb.local -u svc-alfresco -p "s3rvice" -ns (target ip) -c All

After the scan finishes and it populates the JSON files, you then drag and drop them into BloodHound for inspection.

After waiting for it to load I usually go to "Shortest path to Domain Admins". Now from here to root, the privilege escalation is ALL about permissions: we see the misconfigured permissions in the BloodHound scan and take advantage of them.

Selecting the svc-alfresco account to see its path to Domain Admin shows us the path of all the groups and permissions associated with it.

From the above we can see svc-alfresco is a member of "Privileged IT Accounts" as well as "Account Operators". Account Operators, and anyone in that group, are allowed to create and modify users and add them to any non-protected group.

Later we can see that the "Exchange Windows Permissions" group has WriteDacl privileges on the domain, which means that, since we have Account Operator privileges by default, we can add a user to this group and give it DCSync privileges to perform a DCSync attack.

Next, to make the magic happen, we will need to use a tool called PowerView, which can be downloaded here: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

Now with that, within the same Evil-WinRM session we used previously, we can literally just UPLOAD the PowerView file with the upload command.

Now this step is important for the rest of it to work: you simply import the module in PowerShell with the command Import-Module ./PowerView.ps1

After that I decided to make a user account named "deeznutz" and add the account to the "Exchange Windows Permissions" group as well as "Remote Management Users" with the following commands:

net user deeznutz abc123! /add /domain, then net group "Exchange Windows Permissions" deeznutz /add, then net localgroup "Remote Management Users" deeznutz /add.

And with that done, since the PowerView module was already imported, we can run the following commands to give deeznutz DCSync rights lol.

We will be adding the DCSync right to deeznutz lol with the following commands: $pass = ConvertTo-SecureString 'abc123!' -AsPlainText -Force, as well as $cred = New-Object System.Management.Automation.PSCredential('htb\deeznutz', $pass), and finally Add-ObjectACL -PrincipalIdentity deeznutz -Credential $cred -Rights DCSync

And BATTA BING BATTA BANG. After that deeznutz should have DCSync rights; now all we gotta do is test it with Impacket and run secretsdump.py to dump all the hashes and get the Administrator hash, with the command secretsdump.py htb/deeznutz@(target ip)

And FINALLY we can log into the account using psexec.py from Impacket with the hash, using the command psexec.py administrator@(target ip) -hashes (your hash)

And the ROOT flag is on the Desktop.
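Every step of the escalation chain above (Account Operators adding a user to Exchange Windows Permissions, then that user requesting directory replication) leaves a distinct trail in the Security log. The following is an added detection example, not part of the original walkthrough: it watches group-membership events (4728/4732/4756) for sensitive groups and flags Event ID 4662 replication requests from any principal that is not a domain controller. The DC name DC01$, the allowlist, and the key=value|key=value log layout are constructed assumptions; the replication-right GUIDs are the real control access rights DCSync needs.

```python
# Control access right GUIDs that a DCSync (directory replication) request needs.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Groups whose membership changes warrant an alert (lower-cased for matching).
SENSITIVE_GROUPS = {"exchange windows permissions", "account operators",
                    "domain admins", "remote management users"}
# Principals expected to replicate: domain controller computer accounts (constructed).
REPLICATION_ALLOWLIST = {"DC01$"}
# 4728/4732/4756: member added to a security-enabled global/local/universal group.
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}

def parse_event(line):
    """Split a constructed 'key=value|key=value' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def detect(lines):
    """Return alert strings for sensitive group additions and DCSync attempts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid in GROUP_ADD_EVENTS and ev.get("Group", "").lower() in SENSITIVE_GROUPS:
            alerts.append(f"group-change: {ev['Subject']} added {ev['Member']} to {ev['Group']}")
        elif eid == "4662" and ev.get("Subject") not in REPLICATION_ALLOWLIST:
            requested = set(ev.get("Properties", "").lower().split(","))
            if requested & REPLICATION_GUIDS:
                alerts.append(f"dcsync: {ev['Subject']} requested replication rights")
    return alerts

# Constructed sample events mirroring the walkthrough's steps; not real Forest logs.
SAMPLE_EVENTS = [
    "EventID=4732|Subject=svc-alfresco|Member=deeznutz|Group=Remote Management Users",
    "EventID=4756|Subject=svc-alfresco|Member=deeznutz|Group=Exchange Windows Permissions",
    "EventID=4662|Subject=DC01$|Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662|Subject=deeznutz|Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,"
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    # Placeholder non-replication GUID: ordinary object access, must not alert.
    "EventID=4662|Subject=deeznutz|Properties=00000000-0000-0000-0000-000000000001",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The mitigation the chain points at is removing WriteDacl on the domain object from Exchange Windows Permissions and keeping Account Operators empty, so the group-change alert is the one worth acting on first.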