Hack The Box - Forest

cY83rR0H1t
5 min readMar 21, 2020

The following write-up is for the machine Forest.

Hack The Box is an online practice platform where you can sharpen your penetration testing skills. The aim is to find two flags, the user flag and the root flag, to own the machine. Forest is an easy-rated Windows machine.

  1. Scanning the target network

An Nmap scan shows the following (partial) output. Note that -oA takes a base filename for the output files, so it has to be followed by one (here the arbitrary name "forest") and then the target; the original command omitted the name, which makes Nmap treat the IP as the filename:

nmap -sC -sV -oA forest 10.10.10.161

Flags used:

  • -sC: run the default Nmap script set.
  • -sV: service and version detection.
  • -oA <basename>: write the output in all three major formats (.nmap, .gnmap, .xml) at once.
Figure: 1

We discover:

Several ports are open. The service banners identify the host as the domain controller of the domain htb.local, and the domain services (LDAP, SMB, Kerberos) are reachable.

For further enumeration, I ran enum4linux and rpcclient to gather user information.

1.1 Enum4linux: Enum4linux is a tool for enumerating information from Windows and Samba systems.

#enum4linux -a 10.10.10.161

Figure: 2

1.2 Remote Procedure Call (RPC) is a protocol that lets a program request a service from a program on another computer on the network without having to understand the network's details. Here rpcclient, which queries the DC's MS-RPC interfaces over SMB, was used to list domain users.

Figure: 3
Figure: 4

As figures 3 and 4 show, we found a few users: Sebastien, Lucinda, andy, mark, and a service account, svc-alfresco. With a user list in hand, we turned to Kerberos attacks.

2. Exploiting the target

We used GetNPUsers.py to check which users have the "Do not require Kerberos preauthentication" flag (DONT_REQ_PREAUTH, UF_DONT_REQUIRE_PREAUTH = 0x400000 in userAccountControl) set. If it is set, we can obtain an AS-REP for that user without performing Kerberos pre-authentication. The AS-REP carries the TGT (encrypted with the krbtgt key, useless to us) together with an enc-part encrypted under a key derived from the user's own password, and that enc-part is what we can attack offline.

Pre-authentication is the first step of Kerberos authentication, and its main purpose is to stop brute-force password guessing. With pre-auth, the client encrypts a timestamp with a key derived from the user's password and the Domain Controller decrypts it to verify that the correct credential was used; only then does it issue a TGT. If pre-authentication is disabled for an account, anyone can request a ticket for that user and the DC simply returns the AS-REP, handing out password-derived ciphertext that can be brute-forced offline.

AS-REP Roast: GetNPUsers.py can be run from a Linux machine to harvest the AS-REP responses of accounts that do not require pre-authentication [1].

Figure: 5 Hash of svc-alfresco

As Figure 5 shows, we obtained the AS-REP for svc-alfresco; GetNPUsers.py prints it as a hash line that john and hashcat can crack.

We cracked the hash with John the Ripper and recovered the password of svc-alfresco: s3rvice [2].

Figure: 6 Cracked hash

3. Gaining access to svc-alfresco

The Nmap scan identified WinRM (Microsoft Windows Remote Management, 5985/tcp). WinRM is Microsoft's implementation of the WS-Management protocol [3], and a user in the Remote Management Users group can open a remote PowerShell session through it.

We used Evil-WinRM, which describes itself as "the ultimate WinRM shell for hacking/pentesting", to log in as svc-alfresco with the cracked password.

Figure: 7 User flag

Evil-WinRM gave us a shell as svc-alfresco, and with it the user flag.

4. Privilege Escalation

Figure: 8

For privilege escalation, we used BloodHound.

We ran the SharpHound.ps1 collector on the target to enumerate AD objects and the permissions each user holds, so that BloodHound could display them as a graph. SharpHound was uploaded from our attacking machine.

Figure: 9 Imported SharpHound.ps1
Figure: 10 Got zip file

BloodHound renders the collected relationships as a graph; its built-in query "Find Shortest Paths to Domain Admins" shows how the compromised user can reach Domain Admins.

Figure: 11 Find Shortest Paths to Domain Admins

The group "Exchange Windows Permissions" holds WriteDacl on the domain object, i.e. it is allowed to modify the domain's Discretionary Access Control List (DACL).

A member of that group can therefore grant itself, or any other principal, rights such as DCSync (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights), which let that principal pull password hashes from the DC as if it were replicating.

Figure: 12

As you can see, we created a new user, new-rohit, and then had to assign it the permissions it needs. We added it to the Remote Management Users group so that we could connect with Evil-WinRM.

Figure: 13 New user shell

Assign DCSync rights to the newly created user new-rohit.

Figure: 14

Now we can dump every user's hash with Impacket's secretsdump.py, which performs the replication request (DCSync) as new-rohit. Among them is the NT hash of the Administrator account.

Figure: 15

We used this hash to log in as Administrator (pass-the-hash, no password needed) and obtained the root flag.

Figure: 16 Root flag

So that's how I cracked Forest on Hack The Box. I hope you have learned something from this write-up. This is my first write-up on this platform; all comments and feedback are welcome.

Thanks for reading

HTB Profile: https://www.hackthebox.eu/home/users/profile/116842

cY83rR0H1t

MSc CyberSecurity |Cybersecurity researcher | OSCP | CRTO | CRTP |eCPPTv2 | eJPT | Hack The Box player | CTF player |