{"id":47,"date":"2020-11-02T23:59:32","date_gmt":"2020-11-02T23:59:32","guid":{"rendered":"http:\/\/dextersec.xyz\/?p=47"},"modified":"2020-11-15T22:27:02","modified_gmt":"2020-11-15T22:27:02","slug":"active-directory-101-forest","status":"publish","type":"post","link":"https:\/\/dextersec.xyz\/?p=47","title":{"rendered":"Active Directory 101: Forest"},"content":{"rendered":"\n

Introduction<\/strong><\/h2>\n\n\n\n

For my second machine in the Hackthebox Active Directory 101 track, I\u2019ll be pwning Forest. Forest is another active directory machine that teaches the basics of ASREPROASTING and abusing Discretionary Access Control Lists (DACL). The attack path to domain admin was quite new to me as I learnt another AD privilege escalation technique. For this box, initial access was gained by sending a dummy TGT request to obtain the credentials of a Non-preauthenticated user. Following post compromise enumeration, I was able to become domain admin by first abusing access control rights to a domain object then launching a DC SYNC attack to obtain NTLM hashes for all domain users and administrators. <\/p>\n\n\n\n

Reconnaissance<\/strong><\/h2>\n\n\n\n\n\n\n\n

I ran a simple nmap scan with the command: <\/p>\n\n\n\n

nmap -sV -sC -oN forest_scan.txt 10.10.10.161<\/code><\/pre>\n\n\n\n
sV \u2013 Specifies the service version for each port<\/p>\n\n\n\n
sC \u2013 Specifies that nmap nse scripts should be run on each discovered port<\/p>\n\n\n\n
oN \u2013 Specifies the format the scan result is save in, here we use the nmap format<\/p>\n\n\n\n
\"\"
Figure 1: Nmap Scan Output<\/figcaption><\/figure>\n\n\n\n
From the Nmap scan above we can gather the following:<\/p>\n\n\n\n
  1. Port 53 indicates that DNS is running on this machine<\/li>
  2. Port 88 is running the Kerberos authentication service<\/li>
  3. Ports 389 & 3628 have LDAP running<\/li>
  4. The host scripts reveal that SMBv2 is running on port 445<\/li>
  5. The host is a Domain Controller<\/li>
  6. LDAP provides us with the domain name htb.local<\/li><\/ol>\n\n\n\n
    Enumeration<\/strong><\/h2>\n\n\n\n
    In enumerating this box the easiest attack vector would be through SMB, I tried using anonymous credentials but failed woefully, So i proceed to try enum4linux to see if i could gather information about the domain users and it worked! <\/p>\n\n\n\n
    Enum4linux, can be used to discover valid users on the domain;<\/p>\n\n\n\n
    enum4linux 10.10.10.161<\/code><\/pre>\n\n\n\n
    \"\"
    Figure 2: Shows running the enu4linux command <\/figcaption><\/figure>\n\n\n\n
    We get the following results.<\/p>\n\n\n\n
    \"\"
    Figure 3: Shows <\/em>a full list of accounts retrieved by enum4inux<\/figcaption><\/figure>\n\n\n\n
    Ideally you want to sanitize the enum4linux result by filtering for only accounts. This can be achieved by using the cut<\/strong> command from your terminal. I’ve gone ahead to do this and saved all account names into the userlist.txt file.<\/p>\n\n\n\n
    \"\"
    Figure 4: Enum4linux output, sanitized and saved it into userslist.txt<\/figcaption><\/figure>\n\n\n\n
    Now that we have a list of valid users we can proceed to the next stage of our attack.<\/p>\n\n\n\n
    Initial Access<\/strong><\/h2>\n\n\n\n
    Since we are working with windows active directory we can leverage on a technique called ASREPROASTING (i.e Authentication Server Response Roasting) to gain initial foothold on this machine. <\/p>\n\n\n\n
    The ASREPRoast attack looks for users without Kerberos pre-authentication enabled attribute (<\/strong>DONT_REQ_PREAUTH<\/em><\/strong><\/a>)<\/em><\/strong>.<\/p>\n\n\n\n
    That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This message contains a chunk of data encrypted with the original user hash, derived from its password. Then, by leveraging this flaw, the hash could be cracked offline to obtain a valid password.<\/p>\n\n\n\n
    harmj0y<\/a> has an awesome article <\/a>that explains this attack in depth.<\/p>\n\n\n\n
    The GetUserSPNs binary from impacket suite is the tool of choice for this step.<\/p>\n\n\n\n
    If you don\u2019t have impacket installed simply run the command:<\/p>\n\n\n\n
    apt-get install python3-impacket<\/code><\/pre>\n\n\n\n
    Next we execute the GetNPUsers.py script to obtain a TGT and hash for non-preauthenticated users <\/p>\n\n\n\n
    python3 \/usr\/share\/doc\/python3-impacket\/examples\/GetNPUsers.py htb.local\/ -request<\/code><\/pre>\n\n\n\n
    -request <\/strong> Requests TGT for users and output them in JtR\/hashcat format<\/p>\n\n\n\n
    \"\"

    Figure 5: ASREPROASTING with GetNPUsers.py<\/figcaption><\/figure>\n\n\n\n
    We’ve successfully obtained a hash for the domain user svc-alfresco, if a weak password is in use we can easily decrypt it with john the ripper. <\/p>\n\n\n\n
    Save the hash into a file and attempt cracking with john to obtain a password in plain text for the domain user.<\/p>\n\n\n\n
    john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hashes.txt<\/code><\/pre>\n\n\n\n
    \"\"
    Figure 6: offline cracking of svc-alfresco password with john<\/figcaption><\/figure>\n\n\n\n
    We got a plaintext password!<\/p>\n\n\n\n
    Enter Evil-Winrm…<\/strong><\/h2>\n\n\n\n
    With all the resources at our disposal we can obtain a shell on our target using evil-winrm, this tool comes preinstalled on Kali 2020.3 and is capable of provisioning access to a remote machine shell by connecting through port 5985 open for Microsoft Windows<\/em> Remote Management.<\/p>\n\n\n\n
    To get a fully interactive shell with evil-winrm run<\/p>\n\n\n\n
    evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice<\/code><\/pre>\n\n\n\n
    -i  <\/strong>IP Remote host IP or host name.<\/p>\n\n\n\n
    -U<\/strong> Username<\/p>\n\n\n\n
    -P <\/strong>Password<\/p>\n\n\n\n
    \"\"
    Figure 7: Initial Access With Evil-winrm<\/figcaption><\/figure>\n\n\n\n
    Grab the user flag and proceed to carry out post exploitation enumeration.<\/p>\n\n\n\n
    cd ..\/desktop<\/code><\/pre>\n\n\n\n
    Evil-WinRM* PS C:\\Users\\svc-alfresco\\desktop> download user.txt\nInfo: Downloading C:\\Users\\svc-alfresco\\desktop\\user.txt to user.txt\n\n                                                             \nInfo: Download successful!\n<\/code><\/pre>\n\n\n\n
    \"\"

    Figure 8: Grabbing the user flag<\/figcaption><\/figure>\n\n\n\n
    Post Compromise Enumeration<\/strong><\/h2>\n\n\n\n
    We have successfully established initial foothold on the domain controller, let’s learn more about svc-alfresco and his privileges<\/p>\n\n\n\n
    *Evil-WinRM* PS C:\\Users\\svc-alfresco\\desktop> net user svc-alfresco<\/code><\/pre>\n\n\n\n
    we get back the following details about svc-alfresco<\/p>\n\n\n\n
    \"\"
    Figure 9: We learn that svc-alfresco is a domain user and a member of the service accounts group<\/figcaption><\/figure>\n\n\n\n
    There’s still no clear cut attack vector or path we can leverage towards elevating our privilege on the domain, We need to enumerate further….<\/p>\n\n\n\n
    Bloodhound to the rescue…<\/strong><\/h2>\n\n\n\n
    BloodHound<\/a> is a active directory enumeration tool that uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. We can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify.<\/p>\n\n\n\n
    If you don\u2019t have BloodHound installed on your machine, use the following command to install it.<\/p>\n\n\n\n
    apt-get install bloodhound<\/code><\/pre>\n\n\n\n
    Next, we need to upload and execute bloodhound’s data ingestor, SharpHound.exe on our target. the executable can be downloaded here<\/a>. <\/p>\n\n\n\n
    *Evil-WinRM* PS C:\\Users\\svc-alfresco\\Documents> upload SharpHound.exe\nInfo: Uploading SharpHound.exe to C:\\Users\\svc-alfresco\\Documents\\SharpHound.exe\n\n                                                             \nData: 1111380 bytes of 1111380 bytes copied\n\nInfo: Upload successful!\n<\/code><\/pre>\n\n\n\n
    \"\"
    Figure 10: Uploading SharpHound.exe to our target<\/figcaption><\/figure>\n\n\n\n
    *Evil-WinRM* PS C:\\Users\\svc-alfresco\\Documents> .\/SharpHound.exe<\/code><\/pre>\n\n\n\n
    \"\"
    Figure 11: Executing SharpHound.exe on our target<\/figcaption><\/figure>\n\n\n\n
    Download the zip file to our attacking machine for analysis with the BloodHound GUI<\/p>\n\n\n\n
    *Evil-WinRM* PS C:\\Users\\svc-alfresco\\Documents> download 20201107150607_BloodHound.zip\n<\/code><\/pre>\n\n\n\n
    \"\"
    Figure 12: Downloading the scan results for analysis<\/figcaption><\/figure>\n\n\n\n
    Before we start analyzing the data ingested by SharpHound, we need to fire up the neo4j database and BloodHound on our attacking machine. find a detailed guide on how to install neo4j<\/a> here.<\/p>\n\n\n\n
    Run the commands;<\/p>\n\n\n\n
    neo4j console<\/code><\/pre>\n\n\n\n
    \"\"
    Figure 13: initializing the neo4j database<\/figcaption><\/figure>\n\n\n\n
    bloodhound<\/code><\/pre>\n\n\n\n
    \"\"
    Figure 14: Initializing Bloodhound’s GUI<\/figcaption><\/figure>\n\n\n\n
    Login using the credentials you created while installing neo4j, and upload the zipped file to bloodhound.<\/p>\n\n\n\n
    \"\"
    Figure 15:  Bloodhound User Login page<\/figcaption><\/figure>\n\n\n\n
    \"\"
    Figure 16: Uploading the zipped file onto bloodhound<\/figcaption><\/figure>\n\n\n\n
    Next, we search for the user svc-alfresco<\/strong> to make him our starting node then right-click and mark  as owned.<\/p>\n\n\n\n
    \"\"
    Figure 17: Querying for the compromised user to be made our starting node<\/figcaption><\/figure>\n\n\n\n
    \"Image
    Figure 18: Marking the compromised user as owned<\/figcaption><\/figure>\n\n\n\n
    In the Bloodhound Queries <\/em>tab, select \u201cShortest Path from Owned Principals<\/em>\u201d. This graphs out the quickest path to domain admin from svc-alfresco<\/p>\n\n\n\n
    \"Image<\/figure>\n\n\n\n
    The resulting query should look something like this.<\/p>\n\n\n\n
    \"\"
    Figure 19: provides a clear view of our path to pwning the domain<\/figcaption><\/figure>\n\n\n\n
    From the above image we deduce that svc-alfresco is a member of the following domain groups; Service Accounts, Privileged IT Accounts and Account Operators. Also, members of the of the Account Operators group have a “GenericAll” rights to the Exchange Windows Permissions group. Finally members of the Exchange Windows Permission group have “WriteDacl” rights to the domain. <\/p>\n\n\n\n
    What does this imply:<\/p>\n\n\n\n
    1. As members of the Account Operators group we have permissions to create new users on the domain<\/li>
    2. The “GenericAll” relationship between the account operators group and Exchange Windows Permission group allows us to add newly created users to the Exchange windows permissions group<\/li>
    3. Members of the  Exchange Windows Permissions group have “WriteDacl” rights to the domain, this allows our new user modify the domain’s access control entry (ACE) to grant domain replication permissions, leading to a DCSYNC attack.<\/li><\/ol>\n\n\n\n
      ired.team breaks down each of these object permissions in this well written article<\/a><\/p>\n\n\n\n
      <\/p>\n\n\n\n
      Privilege Escalation<\/strong><\/h2>\n\n\n\n
      In escalating our privilege to domain admin we’ll take the following steps;<\/p>\n\n\n\n