Forest just retired today. Being my first AD box, I spent more than 20 hours on the root part, but I learned a lot of new things. Its IP address is ‘10.10.10.161’ and I added it to ‘/etc/hosts’ as ‘forest.htb’. Without further ado, let’s jump right in!
Scanning & User Enumeration
A light nmap scan was enough to get me started:
As this was a Windows AD server, there were a lot of open ports. I also ran enum4linux and managed to get a list of the users on the box:
After a lot of trial-and-error, I came across this cheatsheet. I began running Impacket’s GetNPUsers.py on all the users I’ve found previously and succeeded in getting a ticket-granting ticket (TGT) for svc-alfresco:
I then saved the ticket in a file named tgt.txt and proceeded to crack it with johnTheRipper:
The password for svc-alfresco was ‘s3rvice’. However, Windows doesn’t come with an SSH server pre-installed, so I had to try various authentication methods until I found one that worked: evil-winrm
The user proof starts with ‘e5’ 😉
BloodHound to the Rescue
As I said at the beginning of this article, I had zero experience in pwning Windows AD boxes. Luckily for me, someone recommended using BloodHound. BloodHound is now one of my go-to tools for privesc, so I really recommend you take the time to install it. While we are at it, if you run into issues with neo4j when installing it, use the following command to fetch and run a pre-made docker container:
Before using BloodHound, I upgraded my shell to a PowerShell one. There are many advantages in using PowerShell, and I can’t imagine doing privesc without it. The following script spawns a reverse shell when it is run:
I used evil-winrm’s upload function to transfer the shell.ps1 script and then ran it:
Once the reverse shell connected, I made sure the execution policy was set to Bypass:
In order to use BloodHound, we need to give it some data. SharpHound is a utility that, when run on the target machine, collects this data and zips it. The only thing a user needs to do is import that data into BloodHound by clicking the ‘Upload Data’ button. SharpHound comes in two flavours: an .exe file and a PowerShell script. The stand-alone executable didn’t work for me in this case, so I used the PowerShell version. I uploaded it using evil-winrm:
Next, I switched over to my PowerShell shell, imported the module and ran it using the previously found credentials:
After downloading the resulting zip file and importing it in BloodHound, I chose the ‘Find Shortest Path to Domain Admin’ option and got the following graph:
The user I owned, svc-alfresco, was the node with a skull next to it (I added it by right clicking the node > ‘Mark User as Owned’).
Understanding the Path to PrivEsc
There are a lot of edges, so I took some time to understand them:
the MemberOf edge means a node is a member of another node. For example, svc-alfresco is a member of the ‘PRIVILEGED IT ACCOUNTS’ group, which is a sub-group of ‘ACCOUNT OPERATORS’.
the GenericAll edge, in our case, means that svc-alfresco can do a lot of things to ‘EXCHANGE WINDOWS PERMISSIONS’, including adding users to that group.
the WriteDacl edge is exploitable and I’ll focus on it later.
the Contains edge means that a group/sub-group contains another sub-group or user. In our case, the HTB.LOCAL domain contains the Administrator account.
Also, I created and switched to another account named yakuhito for two reasons:
if there are other users on the box, I shouldn’t spoil the fun
svc-alfresco couldn’t add himself to the ‘EXCHANGE WINDOWS PERMISSIONS’ group for some reason
Let’s get that root proof!
EXCHANGE WINDOWS PERMISSIONS
For the next few steps, I used PowerView. I started by first creating a new user named yakuhito:
I then added yakuhito to ‘Exchange Windows Permissions’, as well as to the ‘Remote Management Users’ group, so that I would be able to connect to the new account via evil-winrm:
The next step was to connect as yakuhito using evil-winrm and re-upload my PowerShell shell:
Exploiting WriteDACL
I was logged in as yakuhito, so I had WriteDACL permissions over the whole HTB.LOCAL domain. WriteDACL stands for Write Discretionary Access Control List. This right allowed me to perform a DCSync attack that got me Administrator’s NTLM hash. To perform this attack, I also used Invoke-Mimikatz.ps1.
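From the defender’s side, both techniques in this writeup leave distinct traces in the domain controller’s Security log: the AS-REP roasting step (GetNPUsers, earlier in the post) shows up as event 4768 with Pre-Authentication Type 0, and the DCSync step as event 4662 whose Properties field carries the DS-Replication-Get-Changes control-access-right GUIDs. The following Python detector is an added example, not part of the original writeup; it runs over constructed sample events using the field names of those two Windows events, and its “account name ends in $” rule for excluding domain controllers is a simplification.

```python
# Control-access-right GUIDs that a DCSync request exercises (AD schema values).
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Constructed sample security events (not real logs), trimmed to the fields a
# detector needs. Field names follow the 4768 / 4662 event schemas.
SAMPLE_EVENTS = [
    # TGT requested with no pre-authentication and an RC4 (0x17) ticket:
    # the AS-REP roasting pattern seen in this writeup.
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    # Normal pre-authenticated AES (0x12) logon: no alert.
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50"},
    # Replication rights used by an ordinary user account: DCSync pattern.
    {"EventID": 4662, "SubjectUserName": "yakuhito",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Same rights used by a domain controller machine account: expected traffic.
    {"EventID": 4662, "SubjectUserName": "FOREST$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def detect(events):
    """Return (rule, account, source) tuples for the two patterns above."""
    alerts = []
    for e in events:
        if e["EventID"] == 4768 and e.get("PreAuthType") == "0":
            # Pre-auth disabled on the account: the AS-REP is crackable offline.
            alerts.append(("asrep_roast", e["TargetUserName"], e.get("IpAddress")))
        elif e["EventID"] == 4662:
            props = e.get("Properties", "").lower()
            used_repl = REPL_GET_CHANGES in props or REPL_GET_CHANGES_ALL in props
            # Simplification: treat any "$" account as a DC; a real deployment
            # would check membership in the Domain Controllers group instead.
            if used_repl and not e["SubjectUserName"].endswith("$"):
                alerts.append(("dcsync", e["SubjectUserName"], None))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A 4768 hit is a prompt to re-enable Kerberos pre-authentication on that account, and a 4662 hit from a non-DC account points at an ACL on the domain object (here, the WriteDACL held by Exchange Windows Permissions) that should be reviewed and removed.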
Connecting as Administrator
After getting Administrator’s NTLM hash, I got stuck again. Fortunately, one of my friends reminded me that evil-winrm can also perform pass-the-hash attacks: