Hack The Box - Forest Server
Forest is a retired (21.3.2020) Microsoft Windows server on the HackTheBox penetration testing lab. It was marked with Easy difficulty and is ideal for anyone interested in Active Directory hacking. As usual, I am going to write the entire walkthrough in as much detail as possible, so it is clear to everyone what is being done and why.
We will use/learn: nmap, Samba, smbclient, enum4linux, various Impacket tools, John the Ripper and cracking hashed passwords, the evil-winrm tool, the BloodHound tool, PowerShell and net group.
Getting User:
I am going to add the server's IP (10.10.10.161) to /etc/hosts file, so I can keep using hostname (forest.htb) instead of the IP address.
Let's start with a basic enumeration of the ports & services running on the server with nmap (Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. Link).
For those not familiar with the command I suggest checking this cheat-sheet first: CheatSheet.
command: nmap -sC -sV -A -p- forest.htb
The scan found multiple open ports, among them the SMB (Samba) ports 139 and 445. However, connecting via smbclient -L lists nothing for us. (FYI: Samba provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller or as a domain member. source).
As we don't have any other account available, we enumerate the server further with enum4linux script (enum4Linux is a Linux alternative to enum.exe for enumerating data from Windows and Samba hosts, can be downloaded here: Download).
We can see that there are some default users created on the system:
But more important right now are these users:
Now that we have users, we need to get their passwords (or at least the hashed/encrypted password). There are several tools available on the internet for exactly this purpose. I personally use Impacket scripts - I call them a Swiss army knife for Windows hacking :-) (More information about Impacket, its GitHub repository and/or the code download and installation procedure can be found here: Impacket).
We are going to use GetNPUsers.py script for getting the user's passwords. The flags we are going to use are:
-request: Requests credentials for users and outputs them in John/hashcat format
-k : Use Kerberos authentication (we can see from the nmap that Kerberos is used here - Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. )
-no-pass : Don't ask for a password (usually used with Kerberos authentication)
-dc-ip : IP address of the domain controller we are getting the information from (in this case our server)
Let's start with user sebastien:
And that does not work. So let's go through all of them one by one. svc-alfresco works:
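The GetNPUsers.py step only works against accounts whose userAccountControl has the "Do not require Kerberos preauthentication" bit set. As an added defender-side example (not code from the original walkthrough), the block below audits constructed account records for that bit and flags constructed Security event 4768 records that show the pattern the tool leaves behind: an AS-REQ with PreAuthType 0 and an RC4 (0x17) ticket. Account names, flag values and the source IP are all constructed for the example.

```python
# Added example, not from the original walkthrough.
# 1. accounts_without_preauth(): which accounts are exposed to AS-REP roasting.
# 2. asrep_roast_candidates(): which 4768 events look like AS-REP roasting.
# All records below are constructed for the example.

DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit "Do not require Kerberos preauthentication"
RC4_HMAC = 0x17               # TicketEncryptionType value for RC4-HMAC in event 4768
NO_PREAUTH = 0                # PreAuthType 0 = logon without pre-authentication

def accounts_without_preauth(ldap_rows):
    """Return sAMAccountNames whose userAccountControl disables pre-auth."""
    return sorted(r["sAMAccountName"] for r in ldap_rows
                  if r["userAccountControl"] & DONT_REQ_PREAUTH)

def asrep_roast_candidates(events):
    """Return (target account, source IP) for 4768 events without pre-auth
    that were issued an RC4 ticket, the combination a roasting tool requests."""
    hits = []
    for e in events:
        if e["EventID"] != 4768:
            continue
        if e["PreAuthType"] == NO_PREAUTH and e["TicketEncryptionType"] == RC4_HMAC:
            hits.append((e["TargetUserName"], e["IpAddress"]))
    return hits

# Constructed sample data (values chosen for the example, not taken from the lab).
# 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD; PreAuthType 2 = encrypted timestamp.
SAMPLE_USERS = [
    {"sAMAccountName": "sebastien",    "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x10200 | DONT_REQ_PREAUTH},
]
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "sebastien", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "svc-alfresco", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.5"},
]

if __name__ == "__main__":
    print("accounts exposed to AS-REP roasting:", accounts_without_preauth(SAMPLE_USERS))
    print("suspicious AS-REQs:", asrep_roast_candidates(SAMPLE_EVENTS))
```

Clearing the preauth bit on the flagged accounts removes the exposure; the event check is what to alert on while that is being fixed.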
Now we have the hash for the svc-alfresco user. We need to crack it, i.e. recover the plaintext password from the hash. For that we are going to use the John The Ripper tool (John the Ripper is a fast password cracker, currently available for many flavours of Unix, macOS, Windows, etc. Source).
We store the hash in a file and crack it with John The Ripper using the rockyou.txt wordlist with its 14.5 million stored passwords:
So the password for user svc-alfresco is s3rvice.
Now we can log in to the server as svc-alfresco using the evil-winrm tool (This is the ultimate shell for hacking/pen-testing on Windows. Download: https://github.com/Hackplayers/evil-winrm).
Install it with the command: gem install evil-winrm
And execute: evil-winrm -i forest.htb -u svc-alfresco -p s3rvice
Now we can login and get the User's flag:
Getting Root:
On any Windows server, I always check a couple of things first. One of them is which groups and permissions the user I logged in with has assigned.
The only interesting thing here is the Privileged IT Accounts group, but that does not really tell us what we can do with it. We would need to visualise or map this information somehow.
For this purpose, there is a free graphical tool called Bloodhound (Bloodhound is an application used to visualize active directory environments. It can be used on engagements to identify different attack paths in Active Directory (AD), this encompasses access control lists (ACLs), users, groups, trust relationships and unique AD objects. Source). I am going to install this in a moment.
First we will need to collect the data from the server. That can be done with the "sharphound" powershell script, which we will "feed" to the bloodhound later. It can be downloaded from this Github repository: SharpHound.ps1
IMPORTANT: make sure you copy the RAW version, otherwise you will get plenty of errors when running import-module later… (got stuck in this step for a while wondering, why it is not running!)
With sharphound.ps1 script downloaded, we need to upload it and then run it on the server:
More information about import-module:
The Collection method used above is explained within the SharpHound.ps1 script:
So now we have 20200321041810_Bloodhound.zip created. It is time to start Bloodhound and import this file to it. At first download it to the Kali box: command: download 20200321041810_Bloodhound.zip
Then install bloodhound: command: apt-get install bloodhound
And start its Database: command: neo4j console (please note you will have to configure the default username and password the first time you run it. Check the output you will get when running neo4j console - it will provide you with detailed instructions - I think you can leave the default neo4j/neo4j as username&password)
Once the DB is running, start bloodhound in another terminal window (the neo4j console has to be running as well): command: bloodhound . A new window will open - Enter the username and password you created earlier (I left the default neo4j/neo4j).
When bloodhound window is running, we need to import the zip file we created and downloaded earlier ( simply drag and drop it from your Kali Linux into Bloodhound window, select 'Find Shortest Paths to Domain Admins' and it will generate a graph for you) :
We can see that svc-alfresco is a member of the Service Accounts group, Privileged IT Accounts and Account Operators group. We can also see that Account Operators has "GenericAll" permission to Exchange Windows Permissions group. As explained here: Link, GenericAll permission grants you full rights to the object (e.g. add users to a group or reset user's password). So we are able to add user svc-alfresco to the Exchange Windows Permissions group. Please note the /domain flag is important. If you omit it, you will only add the rights on a local level, not on the domain level!
Now we need another Impacket's script, which would escalate the privileges of our user svc-alfresco and get it the domain admin privileges. This article helped me a lot to understand what exactly is going on at the background: privexchange-domain-admin
At this stage, the HTTP Server is started and it is waiting for us to confirm it. Open Internet Browser and type http://localhost/privexchange , enter svc-alfresco with its s3rvice password and confirm.
The ntlmrelayx.py script will continue:
And we can see that our user svc-alfresco has admin privileges on the domain. So now we should be able to download the Administrator's hashes.
That is done by the third Impacket script, secretsdump.py (Performs various techniques to dump hashes from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp dir) and read the rest of the data from there.)
Please note that all 3 steps (net group, ntlmrelayx.py and secretsdump.py) have to be done within a minute or so, otherwise the user will be removed from the group and neither ntlmrelayx nor secretsdump will work! My tip is to have the commands written in 3 different terminals so you save time typing them in...
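The escalation above hinges on two things a defender can check: the GenericAll edge from Account Operators to Exchange Windows Permissions that BloodHound drew, and the group-membership change that exploits it. As an added example (not code from the original walkthrough), the block below audits constructed ACL entries for dangerous rights on sensitive groups held by principals outside an allow-list, and flags constructed Security events 4728/4732/4756 (member added to a security-enabled global/local/universal group) where the group is sensitive and the actor is not an expected administrator. Group names, the allow-list, and all ACEs and events are constructed for the example.

```python
# Added example, not from the original walkthrough.
# 1. risky_aces(): which ACEs grant full control over sensitive groups to
#    principals that should not have it (the Account Operators -> Exchange
#    Windows Permissions edge from the BloodHound graph).
# 2. suspicious_group_adds(): which group-add events touch sensitive groups
#    and were performed by an unexpected actor.
# All ACEs and events below are constructed for the example.

SENSITIVE_GROUPS = {"Exchange Windows Permissions", "Domain Admins",
                    "Account Operators", "Enterprise Admins"}
DANGEROUS_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}
EXPECTED_ADMINS = {"Administrator"}          # constructed allow-list
GROUP_ADD_EVENTS = {4728, 4732, 4756}        # global / local / universal group member added

def risky_aces(aces):
    """Return (principal, right, target group) for dangerous rights on sensitive
    groups held by any principal not on the allow-list."""
    return [(a["principal"], a["right"], a["target"]) for a in aces
            if a["target"] in SENSITIVE_GROUPS
            and a["right"] in DANGEROUS_RIGHTS
            and a["principal"] not in EXPECTED_ADMINS]

def suspicious_group_adds(events):
    """Return (actor, member, group) for member-added events on sensitive groups
    performed by an actor outside the allow-list. MemberName is shortened to the
    account name here; the real event carries the member's distinguished name."""
    return [(e["SubjectUserName"], e["MemberName"], e["TargetUserName"])
            for e in events
            if e["EventID"] in GROUP_ADD_EVENTS
            and e["TargetUserName"] in SENSITIVE_GROUPS
            and e["SubjectUserName"] not in EXPECTED_ADMINS]

SAMPLE_ACES = [
    {"principal": "Account Operators", "right": "GenericAll", "target": "Exchange Windows Permissions"},
    {"principal": "Administrator", "right": "GenericAll", "target": "Domain Admins"},
    {"principal": "Domain Users", "right": "ReadProperty", "target": "Domain Admins"},
]
SAMPLE_EVENTS = [
    {"EventID": 4756, "SubjectUserName": "svc-alfresco", "MemberName": "svc-alfresco",
     "TargetUserName": "Exchange Windows Permissions"},
    {"EventID": 4728, "SubjectUserName": "Administrator", "MemberName": "jdoe",
     "TargetUserName": "Domain Admins"},
    {"EventID": 4757, "SubjectUserName": "svc-alfresco", "MemberName": "svc-alfresco",
     "TargetUserName": "Exchange Windows Permissions"},
]

if __name__ == "__main__":
    print("risky ACEs:", risky_aces(SAMPLE_ACES))
    print("suspicious group adds:", suspicious_group_adds(SAMPLE_EVENTS))
```

The removal event that follows an add (4729/4733/4757) is not flagged, so a membership that appears and disappears within a minute, as on this box, still shows up as the add.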
Now that we have got the Administrator's hash, we can log in using it.
Hash: aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
The command that allows us to log in with the hash is wmiexec.py (again it is part of the Impacket toolset - the code can be found here: wmiexec.py).
Now we are logged in as Administrator via the wmiexec.py script, which, by the way, leaves very few traces in the logs, so it is quite difficult for security teams to detect.
Thanks for reading!
https://www.hackthebox.eu/profile/117977