Forest — HTB walkthrough
As the name goes you will come across dense Active Directory nodes. Considering tree structure of LDAP directories, it is named Forest. As far as I guess ; well !!
With the user list we created above, we will try AS_REP ROAST
User =svc-alfresco : Password = s3rvice
Using crackmapexec to see if it works with smb and winrm
After enumerating and playing around . I found I couldn’t execute any script. So we will do AD Enumeration
For this first download SharpHound on your kali linux and then transfer it to windows.
We can see a zip file, created after a minute or two.
Downloading this zip file to our machine, which we will analyse using bloodhound. You can use direct evil-winrm Utility to download the file
Or trivial way, I used smbserver.py
On target machine
Note here you need to del Zip file and remove share : Clearing the traces.
To analyze contents of ZIP, download BloodHound on your machine
Run: neo4j console — ->bloodhound . A message will appear
Traversing on browser http://127.0.0.1:7474/ , we get user prompt. Login using default password : neo4j . Then change the password
Now run Bloodhound
On the blank screen that appears after login, drag n drop your zip file
File gets processed in background. Then run few queries as shown
And you will see a graph gets created as soon as you run queries
You can see the path from svc-alfresco to Domain Admins, which goes through exploiting writeDACL
So we have priv to add user to DACL with EXCHANGE WINDOWS PERMISSIONS. So we will either create a new user or svc-alfresco can be taken as user.
1) net group “Exchange Windows Permissions” n00bDi /add
Or You could follow below steps
2.1) $pass = ConvertTo-SecureString “password12” -AsPlainText -Force
2.2) New-ADUser n00bDi -AccountPassword $pass -Enabled $True
Also we can observe that the above mentioned command(2.2) gives already present account, if we have used step (1) instead of 2. Then finally we give EXCHANGE WINDOWS PERMISSION to user n00bDi
3) Add-ADGroupMember -Identity “Exchange Windows Permissions” -members n00bDi
4)Running query to list users in group “Exchange Windows Permissions” we see we have n00bDi
Now we will run ntlmrelayx.py to relay priv
NTLMRELAYX.PY : This script performs NTLM Relay Attacks, setting an SMB and HTTP Server and relaying credentials to many different protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.). The script can be used with predefined attacks that can be triggered when a connection is relayed (e.g. create a user through LDAP) or can be executed in SOCKS mode. In this mode, for every connection relayed, it will be available to be used later on multiple times through a SOCKS proxy. Acts as MITM
On browser: Go to 127.0.0.1 and login using n00bDi:password12
We get success on ntlmreplax.py
Now we will use secretsdump.py to collect hashes
Passing the Hash using evil-winrm