HackTheBox - Forest (Active Directory) | Noob To OSCP Episode #25
Summary
TLDR: In this video, the host demonstrates exploiting a Windows machine named 'Forest' from Hack The Box, focusing on Active Directory misconfigurations, particularly Kerberos pre-authentication being disabled on an account. Using tools like `nmap`, `evil-winrm`, `John the Ripper`, and BloodHound, the attacker enumerates domain users, cracks a Kerberos AS-REP hash, and escalates privileges to gain full administrative access. The process involves extracting password hashes via DCSync, abusing a service account, and retrieving flags to confirm success. This walkthrough provides practical insight into Active Directory exploitation and privilege escalation, aimed at penetration testers and cybersecurity enthusiasts.
Takeaways
- 😀 The tutorial focuses on exploiting Active Directory in a Windows machine from Hack The Box, specifically targeting misconfigurations in Kerberos authentication.
- 😀 The first step involves scanning the target system with Nmap to identify open ports, specifically Kerberos (88) and LDAP (389), which indicate the presence of a Windows domain controller.
- 😀 An anonymous login attempt is made using the RPC client to enumerate domain users, potentially identifying useful accounts for further exploitation.
- 😀 The tutorial highlights the importance of pre-authentication in Kerberos, explaining that if it's disabled, attackers can obtain password hashes by simply requesting a ticket from the authentication server.
- 😀 The `GetNPUsers.py` script is used to identify users whose accounts are vulnerable because Kerberos pre-authentication is disabled, potentially revealing crackable AS-REP hashes.
- 😀 Once a Kerberos hash is obtained, the hash can be cracked using John the Ripper with a wordlist like `rockyou.txt` to reveal the password.
- 😀 After cracking the password, the `evil-winrm` tool is used to log into the victim machine as the compromised user, demonstrating how attackers can escalate their access.
- 😀 BloodHound is introduced as a tool for enumerating Active Directory structures and discovering attack paths based on user permissions and group memberships.
- 😀 The `bloodhound.ps1` PowerShell script is used to collect data on the target system's Active Directory environment, revealing potential escalation paths.
- 😀 The DCSync attack is explained: an attacker with replication rights can ask the domain controller to replicate password hashes, potentially granting access to sensitive accounts such as the domain administrator.
- 😀 The final step demonstrates using the obtained administrator hash to escalate privileges and access flags on the victim machine, showcasing the full exploitation process.
Q & A
What is the primary focus of this video tutorial?
-The tutorial focuses on exploiting a Windows machine from Hack the Box called 'Forest' to demonstrate Active Directory exploitation, specifically focusing on misconfigurations in Kerberos authentication and privilege escalation using various tools.
What is the significance of pre-authentication in Kerberos, and why is it important?
-Pre-authentication in Kerberos is crucial because it ensures that only legitimate users can obtain authentication tickets. Without pre-authentication, attackers can request a ticket and receive a hash that can be cracked, leading to potential unauthorized access to the domain.
How does the `nmap` scan help in identifying a potential target machine?
-The `nmap` scan helps identify open ports on the target machine, which is useful for discovering services like Kerberos (port 88), LDAP (port 389), and SMB. This reveals the presence of a Windows domain controller, making it easier to plan further exploitation steps.
What role does the service account 'SVC_Alfresco' play in this attack?
-The 'SVC_Alfresco' service account is a key point of interest because it appears to be a default service account that can be targeted. Attackers use the account to gather information and attempt to crack its password, which is part of the exploitation process.
How does the `GetNPUsers.py` script assist in exploiting Kerberos?
-The `GetNPUsers.py` script identifies users that don't have pre-authentication enabled in Kerberos. For these users, an AS-REQ is answered with an AS-REP containing material encrypted with the user's password-derived key, which can be cracked offline to recover the password.
What is the purpose of using 'John the Ripper' in this tutorial?
-'John the Ripper' is used to crack the Kerberos hashes that are retrieved during the exploitation process. After obtaining the hash for the 'SVC_Alfresco' account, 'John' helps in quickly cracking the password so that the attacker can use it to log into the system.
What is BloodHound, and how is it used in this attack?
-BloodHound is a tool used for Active Directory enumeration and privilege escalation. In this attack, BloodHound is used to identify attack paths and misconfigurations within the domain, helping the attacker escalate privileges and gain higher-level access.
What is the DC Sync attack, and how does it work in this context?
-The DC Sync attack allows attackers to dump password hashes from the Active Directory by exploiting misconfigurations in Exchange permissions. By gaining the necessary rights, attackers can synchronize domain controller data and retrieve hashed passwords for further cracking.
What is the role of the `secretsdump.py` tool in this process?
-`secretsdump.py` is used to dump password hashes from the domain controller once the attacker has obtained the replication rights needed for a DCSync. The tool extracts the hashes, which can then be cracked or used directly to gain administrative access.
How does the attacker use 'winrm' to escalate privileges after cracking the password?
-'winrm' (Windows Remote Management) is used to remotely log into the victim machine with the cracked credentials. By providing the correct user and password, the attacker gains access to the system, eventually leading to the retrieval of flags and full control over the machine.
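As an added, defender-side example (not code from the video or from this page): a small Python detector that scans constructed Windows Security events for the two techniques discussed above, AS-REP roasting (event 4768 issued with pre-authentication type 0) and DCSync (event 4662 exercising the directory replication control-access rights from a non-DC account). The `Key=Value;` layout and field names of the sample lines are my simplification of the real event XML.

```python
import re

# Control-access-right GUIDs that directory replication (a DCSync) needs.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def parse_event(line):
    """Parse one constructed 'Key=Value;Key=Value' event line into a dict."""
    return dict(p.split("=", 1) for p in line.strip().split(";") if "=" in p)

def classify(event):
    """Return a finding for a suspicious event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == "4768":
        # A *successful* TGT request logged with Pre-Authentication Type 0 means
        # the account has pre-auth disabled and its AS-REP can be cracked offline.
        # Failed requests (Status 0x19, pre-auth required) also show type 0 and
        # must be ignored. RC4 tickets (0x17) are the cheapest to crack.
        if event.get("PreAuthType") == "0" and event.get("Status") == "0x0":
            rc4 = event.get("TicketEncryptionType", "").lower() == "0x17"
            user = event.get("TargetUserName", "?")
            return f"AS-REP without pre-auth for {user}" + (" [RC4]" if rc4 else "")
    elif eid == "4662":
        # Replication rights are normal for DC machine accounts (names end in $);
        # any other principal exercising them looks like a DCSync.
        props = set(GUID_RE.findall(event.get("Properties", "").lower()))
        subject = event.get("SubjectUserName", "")
        if props & REPLICATION_GUIDS and not subject.endswith("$"):
            return f"Replication rights used by non-DC principal {subject}"
    return None

def scan(lines):
    """Run classify over every line and return the non-empty findings."""
    return [f for f in (classify(parse_event(ln)) for ln in lines) if f]

# Constructed sample events, not real lab logs.
SAMPLE = [
    "EventID=4768;TargetUserName=SVC_Alfresco;PreAuthType=0;Status=0x0;TicketEncryptionType=0x17",
    "EventID=4768;TargetUserName=jdoe;PreAuthType=0;Status=0x19;TicketEncryptionType=0x17",
    "EventID=4768;TargetUserName=jdoe;PreAuthType=2;Status=0x0;TicketEncryptionType=0x12",
    "EventID=4662;SubjectUserName=FOREST$;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=SVC_Alfresco;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The mitigation side is the same check in reverse: re-enable pre-authentication on any account the 4768 rule flags, and audit who holds replication rights on the domain object when the 4662 rule fires.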