HackTheBox-Forest

ARZ101
6 min read · Jul 10, 2021

Hello everyone, in this post I will be sharing my write-up for the retired Windows Active Directory machine Forest. It was an easy box except for the part where we need to escalate to Administrator. First we needed to enumerate the users, which could be done through LDAP; for that I used both windapsearch and enum4linux. After getting a list of users, the only one that seemed odd was the service account, and service accounts usually have Kerberos pre-authentication disabled, so this led us to AS-REP roasting, which does not need any authentication to request a TGT for that account. After cracking the hash we can either get a shell and run SharpHound.ps1, or use the BloodHound Python ingestor (a Python implementation of SharpHound) to get an overview of the AD environment and see what we can do.

NMAP

PORT     STATE SERVICE           REASON          VERSION
53/tcp open domain? syn-ack ttl 127
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open spark syn-ack ttl 127 Apache Spark
135/tcp open msrpc? syn-ack ttl 127
139/tcp open netbios-ssn? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl? syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl? syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: HEAD
9389/tcp open adws? syn-ack ttl 127
Host script results:
|_clock-skew: mean: 3h40m48s, deviation: 4h57m02s, median: 10m45s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2021-05-11T11:43:01-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
|_smb2-time: Protocol negotiation failed (SMB2)

Here we see port 88 open, which is Kerberos, and port 3268, which is LDAP; together they tell us this is an Active Directory machine. SMB is also open on the machine, so we can check whether there are any SMB shares.

PORT 139/445 (SMB)

We get an authentication error, which means anonymous login is disabled, so let's move on to LDAP.

PORT 3268 (LDAP)

LDAP stands for Lightweight Directory Access Protocol. It is used for querying and locating data about organizations, individuals and other resources such as files and devices in a network, and there is a tool for running searches for users, groups and so on.

https://github.com/ropnop/go-windapsearch

This is the tool that I found to be working. There is no need to clone it; simply go to Releases and download the compiled binary.

windapsearch-linux-amd64 -d 'htb.local' --dc 10.10.10.161 -m users

Let's break down the syntax of this tool:

-d -> specifies the domain name, which is htb.local

--dc -> specifies the domain controller IP (the machine IP)

-m -> specifies the module to use; here we are using the users module, which queries information about users

These are the available modules. We know that service accounts are usually kerberoastable, so we are going to search for a service account. To do that we run a custom module with the filter (objectclass=*); when this query executes we are presented with all objects and all attributes available in the tree.

This produces a lot of output, so search through it for "Service Account" until you find a service account name.

Alternatively we can use enum4linux, which can enumerate SMB shares and query LDAP to look for users and shares.

We can see the service account svc-alfresco (the prefix svc is for service). We will use impacket's GetNPUsers.py, since this service account does not require Kerberos pre-authentication; this is known as AS-REP Roasting, and you'll see the hash is different from a normal Kerberos hash.

So we can crack this hash either with john or hashcat. I will be using hashcat, and we need to know the hash type, so going to the hashcat example hashes page we can find which mode to supply.
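From the blue-team side, the AS-REP roast above leaves a trace on the domain controller: event 4768 records a TGT issued with pre-authentication type 0 and, for the hash hashcat cracks as mode 18200, RC4 encryption (0x17). This added example (my own code, not from the write-up) runs that detection over constructed sample events; the IPs and account names are made up.

```python
# Added example, not from the original write-up: detect AS-REP roasting in
# the domain controller's Security log. Event 4768 (a Kerberos TGT was
# requested) records PreAuthType 0 when the KDC issued the TGT without
# pre-authentication, and TicketEncryptionType 0x17 is RC4-HMAC, the etype
# GetNPUsers.py asks for and the one hashcat cracks as mode 18200.
NO_PREAUTH = "0"
RC4_HMAC = "0x17"
SUCCESS = "0x0"


def is_asrep_roast_candidate(event):
    """True for a successfully issued TGT that used no pre-auth and RC4."""
    return (event.get("EventID") == 4768
            and event.get("PreAuthType") == NO_PREAUTH
            and event.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and event.get("Status") == SUCCESS)


def roasted_accounts_by_source(events):
    """Group candidate requests by requesting IP, so one host pulling AS-REPs
    for several accounts (the -usersfile pattern) stands out from a single
    misconfigured but legitimately used account."""
    by_src = {}
    for ev in events:
        if is_asrep_roast_candidate(ev):
            by_src.setdefault(ev["IpAddress"], set()).add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_src.items()}


# Constructed sample events: field names follow the 4768 event schema, the
# values are made up and not taken from the box.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "IpAddress": "::ffff:10.10.14.7",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.10.10.50",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc-backup", "IpAddress": "::ffff:10.10.14.7",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # No pre-auth but AES: not flagged here, though the account config still
    # deserves review.
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "IpAddress": "::ffff:10.10.10.50",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},
]

if __name__ == "__main__":
    print(roasted_accounts_by_source(SAMPLE_EVENTS))
```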

Perfect, we have the password. Now we can use the BloodHound ingestor to collect information about the AD environment.

https://github.com/fox-it/BloodHound.py

python3 bloodhound.py -d 'htb.local' -u 'svc-alfresco' -p 's3rvice' -gc 'FOREST.htb.local' -c all -ns 10.10.10.161

We'll have these JSON files, so we put them all in an archive, launch BloodHound and import that archive file.

We can run the query Find All Domain Admins and see the result.

Run the query Find AS-REP Kerberoastable Users.

Mark the account as owned, then click on the account; on the left side you can see in how many groups this account has permissions.

Select Reachable Higher Targets

WriteDACL: the group this account reaches has WriteDACL on the domain object, which means it can modify the domain's discretionary ACL and add access control entries granting itself, or a user it controls, rights such as the replication rights used for DCSync. That is the permission we abuse next.

Log in with the credentials using evil-winrm and upload the PowerView.ps1 PowerShell script.

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Now we need to create a new user, so I am going to create a user named arz and add it to the Exchange Windows Permissions group, which is a domain group. After that we create a variable holding arz's password, converted to a secure string, and build a PowerShell credential object from it. Lastly we use PowerView's Add-DomainObjectAcl function to give this user DCSync rights, which are replication rights that allow us to request password hashes from the Domain Controller.

Now we run impacket's secretsdump.py, which dumps the password hashes from the NTDS.dit file.

We could also have done this with the service account itself.
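The ACE that Add-DomainObjectAcl writes onto the domain object is exactly what a defender should be looking for. This added example (my own code, not from the write-up or PowerView) audits a list of ACEs shaped like Get-DomainObjectAcl output for the two replication extended rights DCSync needs, and reports any trustee outside an expected set; the ACE records and the expected set are constructed, and the GUIDs are the documented control access right identifiers.

```python
# Added example, not from the original write-up: audit the domain object's
# ACL for the replication extended rights that DCSync needs, so an ACE added
# through WriteDACL is spotted. GUIDs are the documented control access
# rights; the ACE records below are constructed, not dumped from the box.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
ALL_EXTENDED = "00000000-0000-0000-0000-000000000000"     # ObjectType unset = all extended rights

# Principals expected to hold replication rights; adjust to the environment.
EXPECTED = {"BUILTIN\\Administrators", "HTB\\Domain Controllers",
            "HTB\\Enterprise Domain Controllers"}


def replication_rights(aces):
    """Map each trustee to the set of replication rights its Allow ACEs grant."""
    grants = {}
    for ace in aces:
        if ace["AceType"] != "AccessAllowed":
            continue
        rights = set()
        if "GenericAll" in ace["ActiveDirectoryRights"]:
            rights |= {GET_CHANGES, GET_CHANGES_ALL}
        elif "ExtendedRight" in ace["ActiveDirectoryRights"]:
            obj = ace["ObjectAceType"].lower()
            if obj == ALL_EXTENDED:
                rights |= {GET_CHANGES, GET_CHANGES_ALL}
            elif obj in (GET_CHANGES, GET_CHANGES_ALL):
                rights.add(obj)
        if rights:
            grants.setdefault(ace["IdentityReference"], set()).update(rights)
    return grants


def dcsync_capable(aces, expected=EXPECTED):
    """Trustees holding both Get-Changes and Get-Changes-All that are not expected."""
    return sorted(t for t, r in replication_rights(aces).items()
                  if {GET_CHANGES, GET_CHANGES_ALL} <= r and t not in expected)


# Constructed sample: the DC's legitimate rights, the ACEs the write-up's
# Add-DomainObjectAcl step would leave for "arz", and the WriteDacl path.
SAMPLE_ACES = [
    {"IdentityReference": "HTB\\Domain Controllers", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectAceType": GET_CHANGES},
    {"IdentityReference": "HTB\\Domain Controllers", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectAceType": GET_CHANGES_ALL},
    {"IdentityReference": "HTB\\arz", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectAceType": GET_CHANGES},
    {"IdentityReference": "HTB\\arz", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectAceType": GET_CHANGES_ALL},
    {"IdentityReference": "HTB\\Exchange Windows Permissions", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "WriteDacl", "ObjectAceType": ALL_EXTENDED},
]

if __name__ == "__main__":
    print("Unexpected DCSync-capable trustees:", dcsync_capable(SAMPLE_ACES))
```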
