HackTheBox Hacking Write Up Forest – HackingVision

Well, Forest box is related to an active directory so it’s going to be a bit hectic and more fun. For me, it’s hard to understand Active Directory thing in starting so I’m gonna explain some sort of the things. So without wasting any time let’s start!

Reconnaissance

Let’s scan the target with Nmap as we always do to find out open ports and services running on those ports. For scanning, I use command.

nmap -A -T4 -p- 10.10.10.161

Enumeration

The first thing I did is SMB enumeration with rpcclient and it gives me a list of usernames but I can’t find it helpful so I didn’t add a screenshot of it. Now from nmap result we can say that this box is related to active directory and at that time I clearly don’t have any idea related to active directory even I don’t know what does it mean :’) So one of my friends suggest VBscrub channel on Youtube to learn about the active directory. And I’m telling you guys it’s worth to watch his videos, he explained every stuff in so depth. Anyway here’s the link of his channel.

First of all, what is Active Directory? Basically Active Directory is a central system or we can say the central database. It is a service used by an administrator to manage resources.

Time to go for User Account

We are going to use GetNPUsers.py script from Impackket repositories to get username and password hash of that user.

So as we can see we found the username and password hash of that user. Now we need to crack that hash. I tried Hashcat but for some reason, it didn’t work for me so I used john. We need to specify the format of hash while using john so we will specify format – krb5asrep.

Ayy, We got the password. Now let’s use evil-winrm to get a shell with these credentials. To install evil-winrm in your machine use below mentioned commands

sudo apt-get update && sudo apt-get upgrade
sudo gem install evil-winrm

Well, It’s not necessary to upgrade your all packages but if you are using the latest version of Kali Linux then you should because in the new Kali Linux I faced a problem while installing any package with gem. So if you are using any other Linux distro then I think gem install evil-winrm works without upgrading any packages. I’m pointing it out this because I encountered that problem while doing this box.

Ayy, We got the password. Now let’s use evil-winrm to get a shell with these credentials. To install evil-winrm in your machine use below mentioned commands

sudo apt-get update && sudo apt-get upgrade
sudo gem install evil-winrm

We owned the user so now we can get the user flag from the Desktop directory of that user.

Behind the scene – How this vulnerability exist? and What GetNPUsers.py script did?

Okay, so we owned the user with the help of GetNPUsers.py, pretty fascinating. But the question arises what GetNPUsers.py script really did? and what’s the vulnerability?

First of all, Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes to communicate in an open network to prove their identity to one another in a secure manner. Kerberos is used in Active Directory. At the time of pre-authentication, a user will enter his credentials which will be used to encrypt a timestamp and then DC (Domain Controller) will decrypt it to validate that the correct credentials were used, If everything is perfect it will issue TGT with that timestamp.

If the property ‘Do not require Kerberos preauthentication’ (DONT_REQ_PREAUTH) set then anyone could request authentication data for any user and DC would return an encrypted TGT. The same scenario is there in our case for user svc-alfresco ‘Do not require Kerberos preauthentication’ is set. So we take the opportunity of this flow.

GetNPUsers.py script will build a Kerberos authentication request (AS-REQ) and sends it to the server then kerberos server responds with AS-REP and gives cipher from enc-part and we called it TGT. The hash which script provides us is TGT. TGT doesn’t contain the password, it contains a timestamp that was encrypted with user password. So that’s how the script works now remaining part is of hash cracker tool. It’s kinda confusing what sort of algorithm hash cracker used to decrypt this type of hash and provides the password which is used to encrypt that timestamp.

From a few minutes, we are referring to the contents of TGT as timestamp, It clearly sounds absurd without knowing what does it really contains in it. So here’s the screenshot which I have taken from the RFC document to show what sort of things TGT contains.

Time has come to hunt down Root

As we know this box is based on AD so now we need to do more enumeration for it for that we need AD map. We are going to use Bloodhound to get an AD map. First, we will download SharpHound.ps1 script and store it in a directory I’m going to store it in a directory named “www” and then run python simpleHTTPserver in that directory so we can download the file from our machine to target box.

As you can see in the screenshot we use the IEX command to download the file basically it not store the file in the disk but load it in memory.

To run bloodhound we need to use the Invoke-Bloodhound command and it generates the zip file for us. Now we need to send that zip file from the target box to our host machine to analyze it with bloodhound for that we will use impacket-smbserver. I’m storing zip file in “smb” directory.

Now open bloodhound and import the zip file.

Too much mess here. Let’s reduce it by querying the Shortest Paths to High-Value Targets.

Now we can see that our user can be part of EXCHANGE WINDOWS PERMISSION. Another way to know this is by seeing in which group our user belongs. Check below screenshot as we can see that our user is part of Privileged IT Accounts so we can add our user in EXCHANGE WINDOWS PERMISSION.

So let’s add our user to the EXCHANGE WINDOWS PERMISSION group.

Now we will use aclpwn script to automate our work. Now we will use aclpwn script to automate our work, Basically it’s a tool that interacts with BloodHound to identify and exploit ACL based privilege escalation paths.

Everything seems good. Let’s go and run secretsdump.py script to get hashes.

Now we will take the Administrator hash and pass it to wmiexec.py script.

Hurray! We got the root after using many scripts without knowing what we really did so it’s time to understand what we really did and how this vulnerability exists in the first place.

Behind the scene – What’s the vulnerability and How this vulnerability exist? and What we did till now to get root?

I’m going to explain stuff from the bottom-up approach. So we used wmiexec to pass the hash of Administrator to get a shell. Now how we got the hash of Administrator? For that we used secretsdump.py script, basically, it’s a DC Sync attack. If a user has the permission below set

• Replicating Directory Changes
• Replicating Directory Changes All

Then we can request the password hash of any user in the domain even we can get a password hash of krbtgt account. That’s what secretsdump.py script did for us to get the hash of all users.

The interesting part comes now because our user didn’t have the above-mentioned permission at the start. So how we gave those permissions to svc-alfresco users to do DC Sync attack? If you remember we add our user in EXCHANGE WINDOWS PERMISSION group so by default EXCHANGE WINDOWS PERMISSION group have writeDACL permission which allows modifying the ACL of domain. In simple words, WriteDACL permissions allow us to modify the permissions so we set Replicating Directory permission for our user so we can carry out DC Sync attack. To ease our life we used aclpwn script to automate this task.

This stuff is kinda confusing so I explained it in reverse chronology order. Use AD map to get a visualization of things that we discussed.

That’s it!