HTB - Forest Writeup

👾 Machine Overview

This is a writeup of the machine Forest from HTB , it’s an easy difficulty Windows machine which featured anonymous LDAP access, ASREPRoasting, and AD permission misconfigurations.

🔍 Enumeration

An initial nmap scan of the host gave the following results:

nmap -sV -sC 10.129.95.210 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 15:44 EDT
Nmap scan report for 10.129.95.210
Host is up (0.019s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-29 19:51:18Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-05-29T19:51:20
|_  start_date: 2024-05-29T19:47:08
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2024-05-29T12:51:24-07:00
|_clock-skew: mean: 2h26m50s, deviation: 4h02m32s, median: 6m48s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.15 seconds

I tested for anonymous LDAP access using nmap

nmap -n -sV --script "ldap* and not brute" 10.129.95.210
# Output omitted for brevity

🥈 User

We did get output, so I used Impacket’s get-NPUsers to see if there were any ASREPRoastable users.

ASREPRoasting

We were able to get output for svc-alfresco, so I threw it into hashcat.

Cracking svc-alfresco

The password cracked, I was able to use it to WinRM in and grab the flag.

🥇 Root

I started off by checking out svc-alfresco‘s groups and privileges.

Groups and privs

Looks like we were able to get a pretty privileged user, we’re a member of both the Privileged IT Accounts, and Account Operators groups.

I ran SharpHound to see what targets the account could reach.

BloodHound

This path didn’t make a ton of sense to me. If the Administrator was logged into Forest, it’s possible we could dump his credentials, but this doesn’t work because svc-alfresco isn’t a local admin. I decided to keep digging through bloodhound to find any interesting permissions we might have.

BloodHound

The Account Operators group has GenericAll over the Exchange Windows Permissions group, which in turn has WriteDacl over the entire domain.

As a result of this, we’re able to first add a new user to the Exchange Windows Permissions group, and then give them permission to DCSync.

Creating a new user

Once that’s done, we’re able to use Impacket’s secretsdump to dump the Administrator’s hash.

DCSync

I then used that hash to WinRM in and grab the flag.

Shell as Administrator

I tried to exploit this a couple different ways, including adding the svc-alfresco user to the group. It specifically only seemed to work when using PowerView to create a new user and target them for the attack.

📖 Resources

🔗 Hyperlink	ℹ️ Info
ASREPRoasting	Cybersec Notes
Account Operators PrivEsc	White Oak Security