Forest

Gaining Access

Nmap scan:

Lots of ports as per normal DC scanning.

SMB Null Session

Using enum4linux with no credentials, we find that it accepts null credentials and we can enumerate some users.

With a user list, we can attempt to do AS-REP Roasting before moving on, and we would find a hash for the svc-alfresco user.

Then, we can use john to crack the hash easily.

Afterwards, we can evil-winrm in as this user.

Privilege Escalation

Bloodhound Enum

I ran SharpHound on the machine to do collection and enumeration of the domain for me. After loading up Bloodhound and uploading the data, this is what we find:

The user we have control over seems to have GenericAll permissions over the Exchange Windows Permissions group, which has WriteDacl permissions over the DC.

The attack is as follows:

  • Add a user to the domain and into the Exchange Windows Permissions user group

  • Add DCSync permissions for that user

This can be achieved using some Windows commands and Powerview:

net user hello hello@123 /add /domain
net group "Exchange Windows Permissions" /add hello
$pass = convertto-securestring 'hello@123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('HTB\hello', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity hello -Rights DCSync

Afterwards, we would basically have a new user to dump the administrator hash using secretsdump.py thanks to DCSync permissions.

Then, we can Pass The Hash easily to gain access as the Administrator.

PreviousExploreNextFriendZone