HTB-Forest

Find open ports

Discover the domain name (htb.local)

Taken from the above Nmap scan:

Use rpcclient to list all domain users

It appears anonymous authentication is allowed, and rpcclient enumeration is allowed (via port 445).

-N no password -U username -c command to execute (rather than entering the rpcclient terminal)

rpcclient -N -U "" 10.10.10.161 -c enumdomusers

![Pasted image 20240829090857](Images/Pasted%20image%2020240829090857.png)

Extract the usernames and paste into a list:

![Pasted image 20240829104946](Images/Pasted%20image%2020240829104946.png)

Foothold

Obtain password hash for svc-alfresco account

Using the list of users obtained from the rpcclient enumeration, see whether any have Kerberos Pre-authentication disabled, and if so if, whether we can obtain that accounts password hash.

Crack the password hash for the svc-alfresco account

Find which hash type to use (18200):

Crack the hash using rockyou (s3rvice):

Access

Obtain a shell as svc-alfresco using WinRM protocol (port 5985)

The Nmap scan showed port 5985 was open. If the svc-alfresco account has admin privileges on the victim machine, we can use the WinRM protocol to obtain a remote session.

Obtain user.txt

Privilege Escalation

Find a possible compromise chain that leads to root (set SPN for su user then perform a DCSync attack)

svc-alfresco owns su:

Set an SPN for su user

Kerberoast su user (obtain su hash)

Crack the password for the su account (abc123!)

Find Hashcat mode:

Crack:

Obtain a session as su

Privilege Escalation

Find su has suitable privileges on htb.local to perform a DCSync attack

Perform a DCSync attack and obtain Administrator hash

Obtain shell as Administrator

Obtain root.txt