HackTheBox Writeup — Forest

Hello guys, I am Faisal Husaini. My username on HTB is “kNgF”. Also join me on Discord.

The IP of this box is 10.10.10.161

Running masscan on it, we get

masscan -p1-65535,U:1-65535 10.10.10.161 --rate=1000 -e tun0

A whole load of ports were discovered open, so we move on to running a regular Nmap scan against the target

So we have a lot of ports open; we move on to enumerating users

We use rpcclient, as we have Port 135 and Port 593 running Microsoft Windows RPC

Now we enumerate domain users using the enumdomusers command

We got a bunch of users, so now we run an Impacket tool named GetNPUsers, which will attempt to list and get TGTs for those users that have the property
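From the defender's side, the condition GetNPUsers looks for is the "Do not require Kerberos preauthentication" bit (UF_DONT_REQUIRE_PREAUTH, 0x400000) in an account's userAccountControl, and each such request shows up in the domain controller's Security log as event 4768 with PreAuthType 0. The following is an added example, not code from the write-up or from Impacket; it audits constructed LDAP-style user records for that flag and scans constructed 4768 event fields for TGT requests that skipped pre-authentication and used RC4, the combination an offline cracker wants. All account names, IP addresses and event values in it are constructed sample data.

```python
# Added example (not from the original write-up): defender-side check for the
# condition GetNPUsers abuses. Flags enabled accounts whose userAccountControl
# has the "Do not require Kerberos preauthentication" bit set, and scans
# (constructed) Windows Security 4768 events for TGT requests without pre-auth.
from typing import Dict, List

UF_ACCOUNTDISABLE = 0x0002          # userAccountControl: account is disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl: pre-auth not required

def accounts_without_preauth(users: List[Dict[str, object]]) -> List[str]:
    """Return sAMAccountNames of enabled accounts that allow AS-REP without pre-auth."""
    found = []
    for u in users:
        uac = int(u["userAccountControl"])
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            found.append(str(u["sAMAccountName"]))
    return found

def asrep_roast_candidates(events: List[Dict[str, str]]) -> List[str]:
    """Flag 4768 (TGT requested) events where PreAuthType is 0 (logon without
    pre-authentication) and the ticket was issued with RC4-HMAC (0x17)."""
    hits = []
    for e in events:
        if e.get("EventID") != "4768":
            continue
        if e.get("PreAuthType") == "0" and e.get("TicketEncryptionType", "").lower() == "0x17":
            hits.append(f"{e['TargetUserName']} from {e['IpAddress']}")
    return hits

# Constructed sample data shaped like LDAP attributes and 4768 event fields.
SAMPLE_USERS = [
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x400200},  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},             # NORMAL_ACCOUNT only
    {"sAMAccountName": "old-svc", "userAccountControl": 0x400202},       # flag set, but account disabled
]
SAMPLE_EVENTS = [
    {"EventID": "4768", "TargetUserName": "svc-alfresco", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": "4768", "TargetUserName": "jdoe", "IpAddress": "10.10.10.50",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    print("accounts without pre-auth:", accounts_without_preauth(SAMPLE_USERS))
    print("AS-REP roast candidates:", asrep_roast_candidates(SAMPLE_EVENTS))
```

Clearing the flag on the listed accounts, or moving them to AES-only Kerberos, removes the condition the tool relies on; the 4768 check is the alert to keep while that is done.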

We got a hash for the user svc-alfresco, so we try to crack it using john

We got the password cracked and use these creds to log in through Evil-WinRM

Since Port 5985 is open, we can use WinRM to connect

We logged in successfully and now move on to getting the user flag

Now it's time for the privilege escalation part

We will use BloodHound for the privilege escalation part

Here we run our Python web server and fetch the SharpHound.ps1 script onto the remote machine

By using the above command, we upload the PowerShell script from our local machine to the remote box

We ran the Invoke-BloodHound command with the arguments seen above and got the BloodHound zip file, which we will bring to our local machine

Since Evil-WinRM is full of features, it provides us with a download option too

We first start our neo4j console

We can access it on localhost:7474

We enter our password and then

Now we run BloodHound

We click on Login and then

Now we drag the BloodHound zip file we got into it

We can see that we have the WriteDACL permission on Exchange Windows Permissions, so we can modify the object's ACEs and give the attacker full control rights over the object

Here we add the user svc-alfresco to the group Exchange Windows Permissions

Here we use ntlmrelayx from Impacket, which performs the SMB relay attacks originally discovered by cDc, extended to many target protocols (SMB, MSSQL, LDAP, etc.). It receives a list of targets and, for every connection received, it will choose the next target and try to relay the credentials. Also, if specified, it will first try to authenticate against the client connecting to us.

We now go to /privexchange on our localhost and see the ntlmrelayx server

We see that we got authentication against LDAP and that it relayed the user's privileges; now we use another Impacket tool named secretsdump to dump the hashes
