Forest

Nmap Scan

$ nmap -sC -sV -Pn -oN nmap 10.10.10.161
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 12:53 +08
Nmap scan report for 10.10.10.161
Host is up (0.27s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE SERVICE      VERSION
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-19 04:54:44Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2024-05-18T21:54:50-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: 2h21m13s, deviation: 4h02m32s, median: 1m11s
| smb2-time: 
|   date: 2024-05-19T04:54:48
|_  start_date: 2024-05-16T08:50:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.16 seconds

Getting User

SMB Null Session

Running enum4linux with no credentials (an SMB null session), the tool enumerates several domain users for us.

Finding AS-REP Roastable Users

We save all those usernames into a file called username.txt and run impacket-GetNPUsers against it to find users that are AS-REP Roastable (accounts with Kerberos pre-authentication disabled).

Only svc-alfresco is AS-REP Roastable; the rest are not.

Cracking the returned AS-REP hash gives us svc-alfresco's password: s3rvice.
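The two defender-side checks for the weakness abused here, as an added example that is not part of this writeup: an audit of which accounts carry the "do not require Kerberos preauthentication" flag (userAccountControl bit 0x400000, the property GetNPUsers looks for), and a detector over Security event 4768 that flags TGT requests issued with Pre-Authentication Type 0 and an RC4 (0x17) ticket, which is what an AS-REP roast request produces. The account list, the userAccountControl values and the 4768 event text are constructed sample data; the field names follow the real 4768 message layout.

```python
"""AS-REP roasting: audit and detection helpers (added example, not from the writeup)."""
import re

DONT_REQ_PREAUTH = 0x400000   # userAccountControl flag UF_DONT_REQUIRE_PREAUTH


def roastable_accounts(accounts):
    """Return the sAMAccountNames whose userAccountControl has pre-auth disabled."""
    return [name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH]


# Constructed sample: name -> userAccountControl
# (0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD).
SAMPLE_ACCOUNTS = {
    "Administrator": 0x10200,
    "svc-alfresco": 0x10200 | DONT_REQ_PREAUTH,
    "sebastien": 0x10200,
}

# Constructed 4768 messages, trimmed to the fields the detector needs.
# The first is what a roast request looks like (no pre-auth, RC4 ticket,
# from an address outside the DC range); the second is a normal AES logon.
SAMPLE_4768_EVENTS = [
    """A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:       svc-alfresco
    Supplied Realm Name: HTB.LOCAL
Network Information:
    Client Address:     ::ffff:10.10.14.5
Additional Information:
    Ticket Options:     0x40800010
    Result Code:        0x0
    Ticket Encryption Type: 0x17
    Pre-Authentication Type: 0""",
    """A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:       sebastien
    Supplied Realm Name: HTB.LOCAL
Network Information:
    Client Address:     ::ffff:10.10.10.50
Additional Information:
    Ticket Options:     0x40810010
    Result Code:        0x0
    Ticket Encryption Type: 0x12
    Pre-Authentication Type: 2""",
]

# One "Label: value" line; section headers like "Account Information:" have
# no value and therefore do not match.
FIELD = re.compile(r"^[ \t]*([A-Za-z -]+?):[ \t]*(\S+)[ \t]*$", re.M)


def parse_event(text):
    """Turn the 'Label: value' lines of a 4768 message into a dict."""
    return {label.strip(): value for label, value in FIELD.findall(text)}


def asrep_roast_hits(events):
    """Flag successful TGT requests made without pre-auth and with an RC4 ticket.

    Returns (account, client_address) tuples. Accounts that legitimately have
    pre-auth disabled will also show up here, so baseline them first.
    """
    hits = []
    for ev in map(parse_event, events):
        no_preauth = ev.get("Pre-Authentication Type") == "0"
        rc4 = ev.get("Ticket Encryption Type", "").lower() == "0x17"
        success = ev.get("Result Code") == "0x0"
        if no_preauth and rc4 and success:
            hits.append((ev["Account Name"], ev["Client Address"]))
    return hits


if __name__ == "__main__":
    print("pre-auth disabled:", roastable_accounts(SAMPLE_ACCOUNTS))
    print("roast-like TGT requests:", asrep_roast_hits(SAMPLE_4768_EVENTS))
```

The audit function is the fix side: any account it lists should either have the flag cleared or, if it is genuinely needed, be given a long random password so the AS-REP hash is not crackable. The detector is the monitoring side; on a domain where no account needs the flag, every hit is worth a look.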

From there we are able to log in as svc-alfresco using evil-winrm.

Privilege Escalation

We can use BloodHound to gather more information about the domain and its users.

After uploading SharpHound.exe to the target, we run it to collect the domain data into a zip file.

We then transfer the zip file to our local Kali machine and import it into BloodHound.

In BloodHound, we can see that svc-alfresco is a member of the Account Operators group.

We can also see that the Account Operators group has GenericAll over the Exchange Windows Permissions group, and that the Exchange Windows Permissions group has the WriteDacl permission.
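What BloodHound is doing when it draws this chain is a shortest-path search over control edges. The following is an added example, not the writeup's or BloodHound's code, that runs that search over a constructed miniature of the graph built from the relationships named above. The WriteDacl target is assumed to be the domain object (HTB.LOCAL), which the writeup does not name; the sebastien and Domain Users edges are constructed distractors that should not yield a path.

```python
"""Attack-path search over control edges (added example, not from the writeup)."""
from collections import deque

# Relationship kinds that give the source control over the target. CanRDP and
# similar session edges are deliberately left out: they grant access, not control.
TRAVERSABLE = {"MemberOf", "GenericAll", "WriteDacl", "WriteOwner", "AddMember"}

# Constructed edge list: (source, relationship, target).
EDGES = [
    ("svc-alfresco", "MemberOf", "Account Operators"),
    ("Account Operators", "GenericAll", "Exchange Windows Permissions"),
    ("Exchange Windows Permissions", "WriteDacl", "HTB.LOCAL"),  # target assumed: domain object
    ("sebastien", "MemberOf", "Domain Users"),                    # constructed distractor
    ("Domain Users", "CanRDP", "FOREST.HTB.LOCAL"),               # not a control edge
]


def build_graph(edges):
    """Adjacency list keeping only the traversable (control) relationships."""
    graph = {}
    for src, rel, dst in edges:
        if rel in TRAVERSABLE:
            graph.setdefault(src, []).append((rel, dst))
    return graph


def find_path(edges, start, goal):
    """Breadth-first search: shortest chain of control edges from start to goal.

    Returns the path as a list of (source, relationship, target) steps, or
    None when goal is unreachable through control edges.
    """
    graph = build_graph(edges)
    parent = {start: None}          # node -> (previous node, relationship used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def principals_reaching(edges, goal):
    """Every node with a control path to goal: the remediation list for defenders."""
    sources = {src for src, _, _ in edges}
    return sorted(n for n in sources if n != goal and find_path(edges, n, goal))


if __name__ == "__main__":
    for step in find_path(EDGES, "svc-alfresco", "HTB.LOCAL") or []:
        print("%s --%s--> %s" % step)
    print("can reach the domain object:", principals_reaching(EDGES, "HTB.LOCAL"))
```

The useful output for a defender is principals_reaching: a low-value service account should never appear in it, and the fix is to cut one edge in the chain (here, removing svc-alfresco from Account Operators is the cheapest).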

Since Account Operators can create accounts, we create a new domain user.

We add that user to the Exchange Windows Permissions group and the Remote Management Users group.

We use evil-winrm's Bypass-4MSI so that we can load PowerView.ps1 on the machine.

Next, we download PowerView.ps1 onto the target machine.

We also run these commands.

We then dump the domain NTLM hashes using impacket-secretsdump.

Finally, we log in as Administrator using impacket-psexec with the Administrator account's NTLM hash.
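Both the group-membership step and the secretsdump step above leave clear traces in the domain controller's Security log. As an added example, not part of this writeup, the following detects them from structured events: a member being added to a sensitive group (events 4728, 4732 and 4756, for global, domain local and universal security groups) and a DCSync-style replication request (event 4662 whose Properties list the DS-Replication-Get-Changes extended-right GUIDs) issued by something other than a domain controller. The event dicts, the new user's name, the watch-list of groups and the set of expected replicators are constructed; the event IDs and GUIDs are the real Windows values.

```python
"""Sensitive-group and DCSync detection over Security events (added example, not from the writeup)."""
import re

# Member added to a security-enabled global / domain local / universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Extended rights a DCSync request is checked against (real AD GUIDs).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Constructed watch-list: groups whose membership changes should be reviewed.
SENSITIVE_GROUPS = {"Exchange Windows Permissions", "Account Operators", "Domain Admins"}

# Constructed: accounts that are allowed to replicate (the DC computer accounts).
EXPECTED_REPLICATORS = {"FOREST$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Constructed events in the flattened shape a SIEM produces from the event XML.
# "newuser" stands in for the account created above, which the writeup does not name.
SAMPLE_EVENTS = [
    {"EventID": 4756, "SubjectUserName": "svc-alfresco",
     "MemberName": "CN=newuser,CN=Users,DC=htb,DC=local",
     "TargetUserName": "Exchange Windows Permissions"},
    {"EventID": 4732, "SubjectUserName": "svc-alfresco",
     "MemberName": "CN=newuser,CN=Users,DC=htb,DC=local",
     "TargetUserName": "Remote Management Users"},
    # Normal replication between DCs: the subject is a DC computer account.
    {"EventID": 4662, "SubjectUserName": "FOREST$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account asking for replication rights: the secretsdump step.
    {"EventID": 4662, "SubjectUserName": "newuser",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def sensitive_group_additions(events):
    """(actor, member DN, group) for every addition to a watched group."""
    return [
        (ev["SubjectUserName"], ev["MemberName"], ev["TargetUserName"])
        for ev in events
        if ev.get("EventID") in GROUP_ADD_EVENTS
        and ev.get("TargetUserName") in SENSITIVE_GROUPS
    ]


def dcsync_suspects(events):
    """Subjects that requested replication rights but are not known replicators."""
    suspects = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
        if guids & REPLICATION_GUIDS and ev["SubjectUserName"] not in EXPECTED_REPLICATORS:
            suspects.append(ev["SubjectUserName"])
    return suspects


if __name__ == "__main__":
    print("sensitive group additions:", sensitive_group_additions(SAMPLE_EVENTS))
    print("DCSync suspects:", dcsync_suspects(SAMPLE_EVENTS))
```

Event 4662 only appears if "Audit Directory Service Access" is enabled and the domain object's SACL audits control access; without that, the replication request is invisible in the log, which is the first thing to verify when rolling this out.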
