The first step in penetration is to perform reconnaissance, this will allow me to learn more about our target systems services and versions the services are running; this form of information gathering is refer to as fingerprinting. Knowing what version a service is running will allow me to later check which versions of the service are potentially vulnerable to a known exploit.
I will be using the tool NMap to perform an active reconnaissance scan. Listed below are a couple of command variations that I use depending on the information I want NMap to grab.
nmap -V -sS -A -Pn -T5 -p- -oN Forest.txt 10.10.10.161
nmap -sC -sV 10.10.10.161 -p-
namp -v -sU -T5 -oN Forest_noport.txt 10.10.10.161
Once the NMap scan completed. I was able to determine that the operating system of this IP address was Windows Server, being used as a domain controller. The information leading me to this conclusion is highlighted below.
Now that I have a list of available ports, services and their versions. I began digging for more information. The rpcclient tool is great for gathering further information, I was able to successfully connect a null session using the following command. This proves that I can use limited privilege's to gather more information about our target system.
rpcclient 10.10.10.161 -U “” -N
It’s now time to dig for user accounts and domain groups. To do this I used my existing null session rpcclient terminal with limited privilege's and used the command enumdomusers. Below I have highlighted the commands, along with the user accounts that I find interesting.
From the same rpcclient terminal I then populated a list of domain groups. At the moment I am not sure whether this list will be of any use. However, for the sake of never having too much information, I will keep this list in mind if need be. Command used enumdomgroups.
From the previous user account list, I noticed that one account was named differently compared to the others, svc-alfresco. Since this account sticks out, I decided to query information on this account alone by using the command queryuser. I was able to determine the groups that this account was associated with by comparing it to the groups list above. User account svc-alfresco has a group_rid of 201. The group list above states that 201 is a domain user account.
I wanted to attempt to grab this users password. To do this I took advantage of a vulnerability in Kerberos by using an attack called Kerberoasting. To initiate this attack I first needed to hijack the kerberos ticket for this user account. I did this by using the tool GetNPUser developed by Impacket.
I began by creating a text document, calling it users. I then added the user svc-alfresco to the text document. The command used to initiate the Kerberoasting attack points to our user text document so that the command knows which user it’s attacking.
GetNPUsers.py htb.local/ -no-pass -usersfile /root/Desktop/HTB_Forest/users -dc-ip 10.10.10.161
I was able to successfully take advantage of this vulnerability. The highlighted section below is the hash of the users password. Next, I will attempt to decrypt this hash. If success, I will know the users password.
I created another text document called alfresco and copied the hash into the text document. I then used the a password dictionary called rockyou to decrypt the hash that was previously discovered. The tool being used to decrypt the hash is called hashcat, below is the command.
hashcat -m 18200 -force -a -0 /root/Desktop/alfresco /usr/share/wordlist/rockyou.txt
Haschcat successfully determined the password for svc-alfresco is s3rvice. Now that I have a username and password, it’s time to see what resources I can log into.
Going back to my previous NMap scan. I noticed that port 5985/tcp was open. After researching this port online, I discovered this port is used for a service called Winrm and we know from our NMap scan that it is version 2.0. From my understanding we can attempt to brute force this service by providing it with our known credentials. To do this I will use a tool called Evil-Winrm
Launch evil-winrmevil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
Evil-Winrm was able to log into the Winrm service for the user account svc-alfresco, this validates that the decrypted password hash of s3rvice was indeed correct. I am now logged into 10.10.10.161 remotely as user svc-alfresco and can use the command prompt to my advantage.
In this next section I will demonstrate privilege escalation by taking advantage of weak Exchange permissions and grabbing the password hash for the Administrators account.
Download the following tools and install:
git clone https://github.com/BloodhoundAD/Bloodhoundgit clone https://github.com/fox-it/bloodhound.py
Launch neo4j using the command:
After loading connect to neo4j ‘s remote interface via web browser and create a password.
python setup.py install
Launch Bloodhound with the command Bloodhound. Login with the credentials created previously for neo4j. It will load into a blank Bloodhound screen.
We will begin grabbing all of users, groups and computers from the target domain controller. Bloodhound will compile this data into a web of information showing us how everything is linked and connected together.
Once the script finishes, change directories to /root/ there should be a hand full of files present labeled JSON. Inside of Bloodhound, click Upload and select the JSON files from the root directory. I used the query Shortest Paths to Unconstrained Delegation Systems.
After reviewing the compiled data it was obvious that the user svc-alfresco had GenericAll permissions on most of the paths and WriteDACL on the htb.local domain, which will allow me to modify object’s ACEs and give full control over an object.
Specifically, “Exchange Windows Permissions” group looks like a great path to take advantage of. I checked to make sure that svc-alfresco was a current user of the group by running the following command in evil-winrm.
Next I downloaded aclpwn to provide svc-alfresco user permissions to DCsync for administrator credentials. FYI, in order for this to run, neo4j must still be running and the data in Bloodhound must be uploaded.
Now that aclpwn was able to grant the permissions needed to svc-alfresco. We can move forward with dumping the password hashes of the accounts. This was done by using a tool by impacket called secretsdump. Highlighted below is the password hash for the Administrators account.
I then copied the hash and plugged into a tool called wmiexec. This allowed me the ability to log in remotely as Administrator. Below is the command with an active shell, I now have full control over this Windows server domain controller.