Forest
Forest HTB 2023 Walkthrough
Scanning
A number of ports appear in the initial nmap scan.
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sS -sC -sV -O -T4 10.10.10.161 -oA initialforest.nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-28 11:04 EDT
Nmap scan report for 10.10.10.161
Host is up (0.22s latency).
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-28 15:11:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h26m48s, deviation: 4h02m30s, median: 6m47s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2023-07-28T15:11:32
|_ start_date: 2023-07-28T12:12:18
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2023-07-28T08:11:30-07:00
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.67 seconds
The nmap scan reveals the domain and hostname: htb.local and FOREST.htb.local. The smb-os-discovery script output also leaks the operating system: Windows Server 2016 Standard 14393.
Full Nmap scan
The full port scan shows port 5985 open, which is the Windows WinRM service. That means we can get a shell if we obtain credentials.
DNS Enumeration
Since port 53 is open, we can attempt a DNS zone transfer, but it fails.
SMB Enumeration
We were unable to list any shares.
Next, let's try enum4linux. It returns a long list of users.
Let's filter the output to keep only the accounts that are relevant and useful to us.
We also get group memberships which may be useful at some stage.
RPC Enumeration
Connect with a null session (no credentials).
Now enumerate the users:
So, we have our usernames.
I can list the groups as well:
I can also look at a group for its members. For example, the Domain Admins group has one member, RID 0x1f4:
That’s the Administrator account:
We can also use port 88 (Kerberos) to enumerate users with tools like
Shell with AS-REP roasting
If Kerberos pre-authentication is disabled on any of the above accounts, we can use the GetNPUsers impacket script to send a dummy authentication request. The Key Distribution Center (KDC) then returns an AS-REP whose encrypted part is protected with a key derived from the user's password, with no proof that we know it. From there, we can take that encrypted blob, run it through a password cracker and brute force the user's password offline. We can run the script directly without supplying a username and we get the hash.
If we have a list of potential usernames, we can also supply it as a wordlist to fetch the hash.
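The exposure described above is visible from the defender's side in two places: the DONT_REQ_PREAUTH bit in userAccountControl, and Security Event 4768 records where a TGT is issued without pre-authentication using RC4. The checks below are an added example, not part of the original walkthrough; the LDAP rows, event records and IP addresses are constructed samples.

```python
# Added example (not from the original walkthrough): defender-side checks for
# the AS-REP roasting exposure described above. Sample LDAP rows and
# Windows Security events are constructed here for illustration.
DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit: Kerberos pre-auth not required
RC4_HMAC = 0x17               # 4768 "Ticket Encryption Type" value for RC4-HMAC

def accounts_without_preauth(ldap_rows):
    """Return sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set.

    These are exactly the accounts GetNPUsers can request an AS-REP for
    without knowing the password; clearing the bit is the fix.
    """
    return [row["sAMAccountName"] for row in ldap_rows
            if int(row["userAccountControl"]) & DONT_REQ_PREAUTH]

def suspicious_asrep_events(events):
    """Return (account, client IP) for 4768 TGT requests showing the roasting
    pattern: Pre-Authentication Type 0 (no pre-auth) combined with an RC4
    (0x17) ticket encryption type, which makes the blob cheap to crack."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        preauth = int(ev.get("PreAuthType", -1))
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        if preauth == 0 and etype == RC4_HMAC:
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits

# Constructed sample data: one account with pre-auth disabled, one without.
SAMPLE_LDAP_ROWS = [
    {"sAMAccountName": "svc-alfresco", "userAccountControl": "4260352"},  # 0x410200
    {"sAMAccountName": "sebastien", "userAccountControl": "66048"},       # 0x10200
]
SAMPLE_EVENTS = [  # constructed 4768/4769 records; 10.10.14.5 is a sample client
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "sebastien", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.161"},
    {"EventID": 4769, "TargetUserName": "svc-alfresco", "PreAuthType": "2",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
]

if __name__ == "__main__":
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_LDAP_ROWS))
    print("roasting attempts:", suspicious_asrep_events(SAMPLE_EVENTS))
```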
Cracking hash
We can use john to crack the hash.
So, we got the credentials.
Checking smb shares
Now we can use smbclient to connect to the shares with the newly found credentials.
There are no interesting shares available.
Let's check if we have access through winrm.
We have access, so let's get a shell.
Now move to the desktop and get the user flag.
Bloodhound
Now, to gather domain info, we can use bloodhound-python to remotely collect information.
Now import the collected data into BloodHound, search for your user and mark it as owned.

Now select the analysis tab and select shortest path from owned users.

Second method: SharpHound
Locate SharpHound on the attacking machine and copy it to the desktop.
Transfer the file
Now execute it; it produces a zip file.
Now download the files.
And import it in Bloodhound and generate the graph again.
Exploiting DCSync
From the above figure, we can see that svc-alfresco is a member of the group Service Accounts, which is a member of the group Privileged IT Accounts, which is in turn a member of Account Operators. This is visible by checking the "shortest path to domain admins" and then inspecting the node properties.


Moreover, the Account Operators group has GenericAll permissions on the Exchange Windows Permissions group, which has WriteDacl permissions on the domain.
This was a mouthful, so let’s break it down.
svc-alfresco is not just a member of Service Accounts, but is also a member of the groups Privileged IT Accounts and Account Operators.
The Account Operators group grants limited account creation privileges to a user. Therefore, the user svc-alfresco can create other users on the domain.
The Account Operators group has GenericAll permission on the Exchange Windows Permissions group. This permission essentially gives members full control of the group and therefore allows them to directly modify its membership. Since svc-alfresco is a member of Account Operators, it is able to modify the Exchange Windows Permissions group.
The Exchange Windows Permissions group has WriteDacl permission on the domain HTB.LOCAL. This permission allows members to modify the DACL (Discretionary Access Control List) on the domain object. We'll abuse this to grant ourselves DCSync privileges, which give us the right to perform domain replication and dump all the password hashes from the domain.
Putting all the pieces together, the following is our attack path.
Create a user on the domain. This is possible because svc-alfresco is a member of the group Account Operators.
Add the user to the Exchange Windows Permissions group. This is possible because svc-alfresco has GenericAll permissions on the Exchange Windows Permissions group.
Give the user DCSync privileges. This is possible because the user is a part of the Exchange Windows Permissions group, which has WriteDacl permission on the htb.local domain.
Perform a DCSync attack and dump the password hashes of all the users on the domain.
Perform a Pass the Hash attack to get access to the administrator's account.
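Both halves of this path leave a trail on the domain controller: the DACL edit on the domain object appears as Event 5136 modifying nTSecurityDescriptor, and the replication request itself appears as Event 4662 carrying the DS-Replication-Get-Changes control access rights from an account that is not a domain controller. The detection logic below is an added example, not part of the original walkthrough; the account "newuser" and all event records are constructed samples.

```python
# Added example (not from the original walkthrough): detection logic for the
# WriteDacl -> DCSync chain described above, run over constructed Windows
# Security event records. Account names and event data are sample values.
# Control-access-right GUIDs whose combination lets a principal replicate
# directory secrets (what a DCSync request asks the DC for).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

def dcsync_requests(events, dc_accounts):
    """Return accounts in 4662 events that exercised replication rights but are
    not domain controller computer accounts (DC-to-DC replication is the only
    expected source of such requests)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        # Properties is a whitespace-separated list such as "%%7688 {guid} {guid}".
        guids = {tok.strip("{}").lower() for tok in ev.get("Properties", "").split()}
        if guids & REPLICATION_RIGHTS and ev["SubjectUserName"].upper() not in dc_accounts:
            hits.append(ev["SubjectUserName"])
    return hits

def domain_dacl_changes(events, domain_dn):
    """Return accounts in 5136 events that rewrote nTSecurityDescriptor on the
    domain head, i.e. the DACL edit that grants replication rights."""
    return [ev["SubjectUserName"] for ev in events
            if ev.get("EventID") == 5136
            and ev.get("AttributeLDAPDisplayName", "").lower() == "ntsecuritydescriptor"
            and ev.get("ObjectDN", "").lower() == domain_dn.lower()]

DC_ACCOUNTS = {"FOREST$"}  # computer accounts of the known domain controllers
SAMPLE_EVENTS = [  # constructed records; "newuser" is the attacker-created account
    {"EventID": 4662, "SubjectUserName": "FOREST$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 5136, "SubjectUserName": "newuser", "ObjectDN": "DC=htb,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674"},
    {"EventID": 4662, "SubjectUserName": "newuser", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "AccessMask": "0x100",
     "Properties": "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}"},  # user class GUID, not a replication right
]

if __name__ == "__main__":
    print("DCSync from non-DC:", dcsync_requests(SAMPLE_EVENTS, DC_ACCOUNTS))
    print("domain DACL edits:", domain_dacl_changes(SAMPLE_EVENTS, "DC=htb,DC=local"))
```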
Now create a new user and add it to the Exchange Windows Permissions group.
To check the available modules, you can use the following command:
Run the following commands before executing anything on the target.
Abusing WriteDacl
First, we need to create a credential object.
Now we need PowerView, so locate it and upload it.
Now import PowerView
Now execute one of the following to grant DCSync rights.
You can also use the following syntax
Dumping hashes
Now, we can use impacket to dump all hashes.
Pass the Hash
Now, we can simply pass the hash to get shell.
Pass the hash with evil-winrm
You can also use evil-winrm. Remember to pass only the NT hash (the last part of the LM:NT pair).

Root Flag
The root flag is located on the desktop.
