Hacking through the Forest! Pwning Active Directory — HTB

Steven Petty
6 min read · Mar 23, 2020


Photo by Jet Kim on Unsplash

First glance at the Forest!

For this write-up I am taking a break from Linux boxes and instead trying to get some more hands-on experience #pwning Windows. This was easily the hardest box I’ve ever popped, so be prepared for a pretty lengthy two-part write-up, as there are tons of great little “hacks” I want to cover :)

So getting started, we are looking at the Forest machine (10.10.10.161) on Hack The Box! Now I had friends that didn’t run into this issue, so you may not either, but just in case you do… It appears my go-to nmap scan was being “blocked” by the server’s firewall:

Firewalls can be configured to pick up on scanning activity and send back false information to the adversary. In our case it was telling us ALL ports were closed. I assumed that wasn’t correct, since there was no way a Domain Controller would have every port closed, so I started looking at ways to bypass the firewall control I assumed was in my way.

What do we know? Well, not much… basically just that this is a Windows server. Doing some light research, we know any Windows server in an enterprise environment will have to use Kerberos for authentication with Active Directory. So let’s guess that this server is set up to use Kerberos and try using that to our advantage. Kerberos by default uses port 88, so if we can tell our nmap scan to use port 88 as the source port of our probes, then 10.10.10.161 may believe it’s Kerberos traffic and finally give us some useful information:

The “-g” flag can be used to specify a Source Port

#Boomski, finally some useful information, and hey, I was right about Kerberos 😈. Now that I know how to bypass the firewall filtering, let’s pull some additional information with -A (aggressive mode, which includes OS detection), -sV (version detection) and -p- (scan all 65,535 ports):

The first things that stand out are all of the Active Directory services running, as well as the Windows Server 2016 version. We also get the domain that is used: htb.local
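The source-port trick above works because a stateless filter rule that admits anything arriving from port 88 cannot tell a KDC reply from a probe. Here is the defender’s side of that, as an added example of my own (it is not from this write-up and not nmap or Impacket code): a small Python detector that reads constructed firewall log lines and flags any source that uses the trusted port 88 as its source port to reach many distinct destination ports in a short window. The log format, the addresses, the window and the port threshold are all assumptions.

```python
# Added example (not from the original write-up): detect "source port 88" port sweeps
# in firewall logs. Log format, hosts and thresholds below are CONSTRUCTED assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<iso-timestamp> <ACCEPT|DROP> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: one host probes 12 ports from source port 88 within 12 seconds,
# a legitimate KDC (10.10.10.20) answers a client once from port 88, and a plain scan
# from ephemeral source ports is dropped by the normal rules.
SAMPLE_LOG = "\n".join(
    [f"2020-03-23T10:00:{i:02d} ACCEPT TCP 10.10.14.5:88 -> 10.10.10.161:{port}"
     for i, port in enumerate([21, 22, 53, 80, 88, 135, 139, 389, 445, 464, 593, 636])]
    + [
        "2020-03-23T10:05:00 ACCEPT TCP 10.10.10.20:88 -> 10.10.10.161:49711",
        "2020-03-23T10:06:00 DROP TCP 10.10.14.7:41022 -> 10.10.10.161:445",
        "2020-03-23T10:06:01 DROP TCP 10.10.14.7:41023 -> 10.10.10.161:3389",
    ]
)


def parse_log(text):
    """Yield one dict per well-formed log line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        }


def find_source_port_sweeps(text, source_port=88, min_ports=10, window=timedelta(seconds=60)):
    """Return [(src_ip, distinct_dst_ports)] for sources that, using `source_port` as their
    source port, touched at least `min_ports` distinct destination ports inside `window`."""
    hits = defaultdict(list)
    for rec in parse_log(text):
        if rec["sport"] == source_port:
            hits[rec["src"]].append((rec["ts"], rec["dport"]))

    sweeps = []
    for src, events in hits.items():
        events.sort()
        best = 0
        # Sliding window anchored at each event: count distinct ports seen within `window`.
        for i, (start, _) in enumerate(events):
            ports = {p for ts, p in events[i:] if ts - start <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            sweeps.append((src, best))
    return sorted(sweeps)


if __name__ == "__main__":
    for src, n in find_source_port_sweeps(SAMPLE_LOG):
        print(f"ALERT: {src} swept {n} ports using source port 88")
```

The detector is a compensating control; the real fix is to stop trusting the source port at all and only admit return traffic that belongs to a connection the server itself opened (a stateful established/related rule), since nothing about a SYN from port 88 proves it came from a KDC.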

Picking our Axe!

So now that we have our bearings on what kind of server we are dealing with, let’s look for some tools to make our job easier. After some researching around I came across Impacket (https://github.com/SecureAuthCorp/impacket), which is an amazing toolset of Python scripts used to work directly with different networking protocols. It just so happens that there are some scripts within this suite perfect for hitting Active Directory Domain Controllers :)

Be sure to spend some time reading about each script within impacket as it’s possible that a few of these could come in handy later. Here is a great resource for your reading pleasure:

https://www.secureauth.com/labs/open-source-tools/impacket

To kick it off (and with some trial & error) I decided to go with GetADUsers.py which is going to query the DC (Domain Controller) to get some basic user information. All we have to feed the script is:

  • What exact information are we requesting? (All because we are greedy)
  • What Domain is this request for? (htb.local which we got from our nmap scan)
  • And last is the exact IP of the DC we are hitting (10.10.10.161)

NOICE! Now we have a list of users that the DC so graciously spit out for us. With this list I then peeked back at the impacket scripts to see if there was anything else there I could use before looking elsewhere…

Andddd what do you know: GetNPUsers.py

This script is going to request the TGT (Ticket Granting Ticket) for each user we feed it and then spit out those results in an output nicely formatted for cracking! Now before I just fired this bad boy up I wanted to review the code to see exactly what this script is looking for, and precisely why the DC would just hand over the TGT:

This script will attempt to list and get TGTs for those users that have the property: 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH).

Ah, there it is, the UF_DONT_REQUIRE_PREAUTH flag. Which makes sense, right? But what bothered me with this is: why would any Active Directory admin ever legitimately use this setting? Doing some light googling, the only thing you’ll find is “HOW TO KERBEROAST” or “IMPACKET GETS TGTS”. But it seemed impossible to actually find a legitimate use for this flag.

So I took to some of my AD admin buddies and asked them what the setting would be used for? Even they didn’t know what to tell me, just that they make sure it’s not set. BUT WHY IS THIS EVEN A THING?!?!

…. until finally after some #blackbelt #googlefoo I found the answer.

Legacy systems. The only time this flag should be set is when older systems that cannot support Kerberos pre-authentication still need to authenticate to AD. FINALLY! Okay, now that my compulsive itch has been scratched I can move on :)
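Whether an account carries that flag is a single bit (0x400000) in its userAccountControl attribute, which is what the script is filtering on. The following is an added example of my own, not part of the original write-up and not Impacket code, that decodes that bitmask and audits a set of constructed directory records for enabled accounts that skip pre-authentication, and that builds the LDAP filter a defender would use to pull the same list from a real DC. The flag constants are the documented ADS_UF_* values; the account records (svc-alfresco included) are made up for the example.

```python
# Added example (not from the original write-up): decode userAccountControl and audit for
# accounts with DONT_REQUIRE_PREAUTH. Flag values are the documented ADS_UF_* constants;
# the records below are CONSTRUCTED, not real htb.local data.

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQUIRE_PREAUTH",
}
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# LDAP_MATCHING_RULE_BIT_AND: lets an LDAP filter test individual bits of an integer attribute.
LDAP_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample records, as a GetADUsers-style dump or ldapsearch would return them.
SAMPLE_RECORDS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200 | 0x10000},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x200 | 0x10000 | 0x400000},
    {"sAMAccountName": "legacy-scanner", "userAccountControl": 0x200 | 0x2 | 0x400000},
]


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_preauth(records):
    """Split accounts carrying DONT_REQUIRE_PREAUTH into (exposed, stale):
    exposed = enabled accounts whose AS-REP can be requested without a password,
    stale   = disabled accounts that still carry the flag and should be cleaned up."""
    exposed, stale = [], []
    for rec in records:
        uac = rec["userAccountControl"]
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        (stale if uac & UF_ACCOUNTDISABLE else exposed).append(rec["sAMAccountName"])
    return sorted(exposed), sorted(stale)


def ldap_filter_preauth_enabled():
    """LDAP filter for enabled user objects with DONT_REQUIRE_PREAUTH set."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:{LDAP_BIT_AND}:={UF_DONT_REQUIRE_PREAUTH})"
        f"(!(userAccountControl:{LDAP_BIT_AND}:={UF_ACCOUNTDISABLE})))"
    )


if __name__ == "__main__":
    exposed, stale = audit_preauth(SAMPLE_RECORDS)
    for name in exposed:
        uac = next(r["userAccountControl"] for r in SAMPLE_RECORDS if r["sAMAccountName"] == name)
        print(f"EXPOSED {name}: {', '.join(decode_uac(uac))}")
    for name in stale:
        print(f"STALE   {name}: disabled but still has DONT_REQUIRE_PREAUTH")
    print("LDAP filter:", ldap_filter_preauth_enabled())
```

On the DC itself the same audit is one line of the AD PowerShell module, Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true', and every AS-REQ that is answered without pre-authentication is logged as Security event 4768 with Pre-Authentication Type 0, which is the thing to alert on if the flag really has to stay set for a legacy system.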

With the knowledge of how GetNPUsers.py works in the background, I started firing it at our AD server with each user. Unfortunately there was no luck… until one specific service-level account:

And again, #boomski. If you are at all familiar with AD and Kerberos security you probably have an idea of what’s coming next… KERBEROASTING!

#RoastinKerbs bruh

What is Kerberoasting? Kerberoasting is a method used to steal service account credentials. Part of the service ticket is encrypted with the NT hash of the user. Any domain account can request Kerberos service tickets. Service tickets can be used to crack passwords offline.

Which leads us to our next step, cracking our TGT! GetNPUsers gives you many different formatting options depending on which cracking suite you want to use. Since I am more familiar with Hashcat, and it’s been years since I’ve touched JTR, that’s what I went with. One thing you have to make sure you get right with hashcat is the “hash-type” (-m switch). I will neither confirm nor deny how much time I spent failing to crack this TGT because of an incorrect hash-type code #neededcaffeine

HERE is a list of all the hashcat hash-types. Since you’re stealing TGTs from Kerberos, the 18200 code is what you’ll want to use. And of course you need a solid wordlist such as rockyou, which comes by default on Kali 🐱‍💻

as always #boomgoesthedynamite now we have our service account username AND password!

svc-alfresco:s3rvice

Got Creds. Now Wat Do?

While we are so close you can taste it… we aren’t there yet. Now that we have credentials, how are you supposed to use them? This part took quite a bit of research on my part, as again I’m not super familiar with #pwning Windows servers. After some hardcore googling around remote services for Windows I stumbled upon WinRM. If you aren’t super familiar with WinRM, it’s a remote management tool designed to allow systems to access and exchange management information across an IT infrastructure.

So this looks like it could be our answer, but how do I leverage this tool to allow for remote code execution from a Linux box? #googlingintensifies

And that’s when I discovered Evil-WinRM 😈 Now this tool has TONS of features and amazing abilities. It did take me quite some time for trial & error, youtubing, googling, and reading to finally get the shell we’ve all been waiting for!

Now we can remote in using the WinRM service on port 5985
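What decides whether a set of credentials turns into a WinRM shell is not just that port 5985 is reachable but who the listener lets in: by default the WinRM security descriptor grants access to members of the local Administrators and Remote Management Users groups, and with AD group nesting a service account can end up in one of those without anybody noticing. Here is an added example of my own (not from this write-up and not Evil-WinRM code) of the audit a defender would run: a Python routine that expands nested group membership, lists every principal that can effectively open a remote session, flags those that look like service accounts, and prints the nesting chain that got them there. The group layout, the account names and the “svc-” naming convention are assumptions constructed for the example.

```python
# Added example (not from the original write-up): who can effectively open a WinRM session,
# resolved through nested AD groups. The group layout below is CONSTRUCTED for illustration.
from collections import deque

# Groups granted access by the default WinRM listener security descriptor.
WINRM_GROUPS = ("Administrators", "Remote Management Users")

# Constructed directory snapshot: group name -> direct members (users or other groups).
# Any name that is not a key in this dict is treated as a user.
SAMPLE_GROUPS = {
    "Administrators": ["Administrator", "Domain Admins"],
    "Domain Admins": ["Administrator"],
    "Remote Management Users": ["IT Support"],
    "IT Support": ["jdoe", "Service Accounts"],
    "Service Accounts": ["svc-alfresco", "svc-backup"],
    "Domain Users": ["jdoe", "svc-alfresco", "svc-backup"],
}


def effective_members(groups, root):
    """Return the set of users reachable from `root` through any depth of nesting.
    A visited set keeps circular group memberships from looping forever."""
    seen, users = set(), set()
    queue = deque([root])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        if name in groups:
            queue.extend(groups[name])
        else:
            users.add(name)
    return users


def effective_winrm_principals(groups, winrm_groups=WINRM_GROUPS):
    """Sorted list of every user who can open a WinRM session under the default ACL."""
    result = set()
    for group in winrm_groups:
        result |= effective_members(groups, group)
    return sorted(result)


def risky_winrm_principals(groups, service_prefix="svc-"):
    """WinRM-capable users that match the (assumed) service-account naming convention."""
    return [p for p in effective_winrm_principals(groups) if p.lower().startswith(service_prefix)]


def membership_path(groups, root, target):
    """One nesting chain from `root` down to `target`, or None if there is no path."""
    stack = [(root, [root])]
    seen = set()
    while stack:
        name, path = stack.pop()
        if name == target:
            return path
        if name in seen or name not in groups:
            continue
        seen.add(name)
        for member in groups[name]:
            stack.append((member, path + [member]))
    return None


if __name__ == "__main__":
    print("Can open WinRM sessions:", ", ".join(effective_winrm_principals(SAMPLE_GROUPS)))
    for user in risky_winrm_principals(SAMPLE_GROUPS):
        for group in WINRM_GROUPS:
            path = membership_path(SAMPLE_GROUPS, group, user)
            if path:
                print(f"RISK: {user} via " + " -> ".join(path))
```

The interesting output is the chain, not the list: a service account three groups deep in Remote Management Users is exactly the kind of membership that gets approved once and never reviewed. Beyond trimming that membership, the usual hardening is to bind the listener to the management network (or require the HTTPS listener on 5986) and to alert on WinRM logons by accounts that are not expected to manage hosts interactively.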

Forest Infiltrated

Apologies for the long write-up! This was a hell of a fun box but also had quite a bit of a learning curve for me personally. Be sure to check out the 2nd part as we climb up to a root shell as per usual. As always, thx for reading! #ByeFelicia
