HackTheBox - Forest
Published 25 Jun 2024
00:00 - Intro
01:15 - Running NMAP and queuing a second nmap to do all ports
05:40 - Using LDAPSEARCH to extract information out of Active Directory
08:30 - Dumping user information from AD via LDAP then creating a wordlist of users
12:10 - Creating a custom wordlist for password spraying with some bashfu and hashcat
18:30 - Using CrackMapExec to dump the password policy of Active Directory using a null authentication, then doing a Password Spray
22:00 - Enumerating information out of AD using rpcclient and null authentication
28:10 - Now that our PWSpray is running in the background, let's go through Impacket scripts to see what works.
29:30 - Using GetNPUsers to perform an ASREP Roast (Kerberos PreAuth) with Null Authentication to extract SVC-ALFRESCO's hash. Then Cracking it.
36:20 - Using Evil-WinRM to get a shell on the box with SVC-ALFRESCO's credentials
37:30 - Setting up a SMBShare, using New-PSDRive to mount the share, then running WinPEAS
42:20 - Going over WinPEAS Output
44:20 - Downloading Bloodhound and the SharpHound Ingestor
48:50 - Importing the Bloodhound Results and finding an AD Attack Path
52:10 - Going over the Account Operators Group (will allow us to create an account)
53:30 - Using Net User to create a new user, then adding it to the Exchange Group
58:40 - Downloading the PowerSploit Dev Branch to utilize the function "Add-DomainObjectAcl"
01:01:40 - Some basic troubleshooting when the command goes wrong, then giving ippsec the DCSync Rights
01:02:30 - Performing SecretsDump to perform a DCSync and extract hashes, then PSEXEC with Administrator to gain access
01:07:10 - Going over the "--users" option in hashcat so you can easily identify whose hash was cracked
01:10:43 - Using the KRBTGT Hash to perform the GoldenTicket attack from Linux
01:35:11 - Showing it worked. Issues were that we could not use IP addresses anywhere in the command and needed the FQDN for the domain. Create entries in the hosts file if DNS is not there.
This is pure skill. I remember doing this box and being stuck on it for a few days and it took me a while to complete. Loving the content, keep it up :)
This is the best class/ tutorial / walkthrough for Red Team & New OSCP.!! Through the Pandemic this was an AWESOME blessing!! Thank you IppSec for feeding my brain. SALUTE!!
I have been stuck on this machine for ages. really cry when I see this. thanks so much for showing me this.
Wow! That was such a Hacking Class! I really love your videos but this one is definitely your masterpiece! Thank you a lot!
I got a bit emotional at the end ;) when you were struggling with the Kerberoasting thing, made me feel like I am not alone :D you should include this sort of stuff in your videos, kinda puts a reality check and doesn't totally make everyone feel dumb.
🙏
🥺
😢
Although I was able to root this machine, this video was eye opening to me beyond belief. I can tell you go out of your way to share your knowledge with us. Some of the word list manipulation stuff was very novel to me. Kudos for the amazing content. One of the best educational content out there.
ippsec really is a solid educator... not just racing to the flag - although that can be quite amusing - (reference "vulnlab" on UA-cam for a LOT of that approach...) - but ippsec is careful and methodical and doesn't shy away from opportunities to try multiple methods, explores the real substance of the problem and the underlying methodology.
I get emotional when you upload. Content of this quality shouldn't be free but yet it is.
Very very true
LoL let it be free man!!! 🙏
true, then click adds! :)
Just support him on Patreon :D or buy him a coffe :D
@@scorpionman92 i did! But he paused patreon for now ;/
Sweet!!!!!! always love your walk through
No authentication allows domain enumeration and you can get a bunch of information. I will remember that one. Bravo
Thank you so much for the walkthrough. The golden ticket part was fantastic.
Dude. You are just awesome. Thank you for your effort.
You're AWESOME, thanks for those videos.
Excellent content 🔥
Especially the parts after privesc. 😋
This is honestly amazing. I was doing Web App pentesting and really didn't find it all that enjoyable until I found hackthebox about a week or so ago. I owned my first box Sauna yesterday which took me longer than probably a lot of people because I never really did a vuln box, just web apps. Someone on the htb forums recommended your channel to start learning and man I'm making notes lol. I learned a lot from you from this video alone. More to come I know. I can now pop other boxes with a little more confidence thanks to your detailed write ups. Thank you so much!
@starscreamm I started with learning the individual services and operating systems. Then putting those services to use on my own hosted VMs from my homelab servers (you can use VMs hosted on Oracle VirtualBox or VMware Workstation if you don't have server equipment). VBScrub goes in depth on how Active Directory, KB, and its permissions work before showing the exploits used so you get a full understanding of the service's behavior and where to look. Basically, learn how it works. Take it apart and exploit it. If you're learning CompTIA, consider their Security+ course too and maybe even the CEH. OSCP is way too difficult for just getting started. If you get stuck somewhere, google it. There are so many resources online you can learn for pentesting. BlackHat events and videos posted from panels are great to learn from too! Hak5 as well. If you wanna make some money with pentesting and Web App pentesting, consider HackerOne and Bugcrowd! I really started with just simple IT fundamentals and networking, working as an IT Specialist and doing stuff on Bugcrowd and HackerOne on the side. I run Parrot OS (Security) and sometimes I fire up Kali (Persistent USB)
@starscreamm HTB is the best place to start! My start was rough. More or less I was learning by trial, just seeing what would work on real machines by real companies on Bugcrowd and I did indeed learn a lot. But the way Hack The Box puts it together and youtubers showing the retired boxes and their approach makes you grasp the reality of pentesting. Instead of walking in blind.
Great video this is going to be very helpful!
"I guess you can have a different argument do the same two things"
LOL.
Not sure if I'm ready for windows boxes lol.
So many things I don't know about it.
Nice content, as always. Thank you for doing that!
same here haha,,, trying REMOTE and am already stuck haha
@@malwarepeter I was just doing a similar windows machine (Sauna). I could use many of the things he used in this video. I think if you want to practice those he used, Sauna will be a good machine.
Good luck, bro
Amazing Recon! Thanks :)
This was amazing thanks for sharing
Yeah I totally agree, this box was not easy. I luckily have experience in attacking Active Directory so it wasn't too bad for me. But this box should have been worth more points.
Although the difficulty rating for this box was inaccurate, I really enjoyed it as it was different from the usual HTB kind of boxes.
Love you Man!
Great content! Subbed!
Awesome ❤
You are amazing Thank You !
i knew you had great taste ippsec. remember the Cant.
Hey Ippsec.. one question - how did you copy bloodhound.zip from windows to kali machine?
Is powerview needed in order to execute the Add-DomainObjectAcl command ?
much thanks beratna
Expanse reference ... NICE
Why did you go to secretsdump after adding your user to the Exchange Windows Permissions group? Anyways great video !!
I am having issues mounting smb .. I get "A specified logon session does not exist.." on the powershell side and "processRequest (0x73,Missing required parameter 'digestmod'.)" on impacket .. any hints on the possible mistake?
I didn't understand the part where you get the SID id in the notes for the GoldenTicket attack
Very Nice
57:00 Is there any reason you downloaded PowerView over http, instead of just using the SMB share that you had open already? I feel like using IEX to execute a file that's being downloaded using DownloadString would be easier to fingerprint than a user executing a powershell script from an SMB share.
Prob did it just to show us the multiple ways of transferring files.
god you are awesome!!!!!!
Ippsec if you are reading this I would like to thank you for your videos they are nothing short of awesome. Probably one of the best pentesting learning resources.
Just wanted to get some more information about the last part of your video concerning the golden ticketing. So we go to the point where we can dump the dit file contents through secretsdump. And we have the admin and krbtgt hashes. From there I think the most straightforward way would be to use the admin hash for access. Under which circumstances and point in time could you somehow gain access to the krbtgt hash without getting to the point where you dump the hash from the DC? Would it be possible to retrieve the krbtgt hash from kerberoasting/asreproasting (I assume this would be quite unlikely in the real world) or is there another way of going about getting that hash assuming we already have access to user credentials?
Krbtgt is kerberoastable but it’s not a replayable hash, so you’d have to crack it to get in a state for golden ticket. It’s a super long and random password, which you won’t be able to crack. AFAIK, only way to get it is dcsync/dit file
How does he do that context copy/paste in tmux @22:53 and throughout? Looks like he can highlight single words and/or lines and copy and paste with the mouse?
Figured it out, he doesn't use mouse mode so his mouse behaves differently.
ctrl+shift C or V
Nice.
Why dont you run " nmap -sC -sV -oA ..... && nmap -p- " ?
why did you try to access port 80/443 when they clearly weren't open according to nmap?
cool. but how did you make CherryTree blue completely? in normal condition the window with the tree is white. lol)
Edit >> Preferences >> Tree 1 >> Dark Background, Light Text
@@viorage2293 thk
I believe CME has a module that will look for and decrypt GPP passwords in SYSVOL
Some people memorize different operating systems TTLs , wow !
Nice. Tnx.
Can u do challenges.
Please.
I'm facing an issue with the '-Credential' attribute while adding DCSync rights. A new user 'hacker' has been created and added to the 'Windows Exchange Permissions' group.
$secpasswd = ConvertTo-SecureString "Password123" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("htb\hacker", $secpasswd)
Add-ObjectAcl -TargetDistinguishedName "dc=htb,dc=local" -PrincipalSamAccountName hacker -Rights DCSync -Credential $cred
Error Faced:
A parameter cannot be found that matches parameter name 'Credential'.
I am a beginner. I can't understand the concept of reverse DNS lookup properly. I tried finding resources but could not understand. Can anyone please suggest some good article or video for this? Thanks in advance.
Please can you do challenges walkthrough too!
awesome,,, at least wait over
How do you open new terminal in the same page and how do you switch between them?? I’m new to Linux
And how to scroll using arrows??
Look at the tmux video on my channel
IppSec thanks!!
The more I watch. The more I realize that I do not know.
oh i can relate ...
Why did you run peas on a share instead of just copying it to the machine from winrm?
Either:
- I already had a share up, so it didn't make sense to copy it.
- To show something new
- Sometimes AV Flags on the file write, and won't scan things on shares.
IppSec, thank you soo much! You motivated me to start what I have been really interested in since a long time ago - pentesting. Already hacked around 20 boxes on my own in HTB and got into the OSCP course as well. WHOOooohooo!!! :) btw hacked Forest a few days ago, let's see what your method of doing this was
What was your background before getting into infosec ?
May I know your methodology?
As it is easy rated, Are you doing it for the first time?
Yes, you can tell how he tries to look for a website in the beginning but doesn’t find one
This was live for the most part. I had done parts of the box a long time ago, helping people at launch but didn’t remember much.
Rooted Forest after SAUNA box, so for me it was super easy.
I would like to learn ur methodology..can we chat privately?
Hey man nice video! Sorry for the late comment, but i would like to know what's the point on creating a golden ticket? Since we have administrator NTLM hash? Love
It was a "Beyond Root" thing, not needed for this box but there are plenty of reasons for doing this in pentest.
- Many companies don't change the KRBTGT Hash, so its a long term persistence technique. Admin hash can change and you still log in.
- Hide in the logs, lots of places will monitor for odd accounts being used, if they treat Administrator as a Break-Glass account they likely have logs if its used.
- You can add groups, administrator likely doesn't have access to everything. It can add itself to access things but that's noisy, better to just add the groups in your ticket or use accounts that naturally have access so it doesn't stand out.
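A defender-side check that follows from the first point above (the KRBTGT secret is rarely rotated, so a golden ticket keeps working) and from the chapter list (the foothold on SVC-ALFRESCO came from an account with Kerberos pre-authentication disabled). This is an added example, not ippsec's code or anything from the video: it takes the pwdLastSet and userAccountControl attributes as they would come back from an LDAP query, reports the krbtgt password age, and lists enabled accounts whose pre-auth requirement is switched off. The Account records, the sample values and the 180-day threshold are constructed here; the flag bit values are the documented AD ones.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bits used below (documented AD flag values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000


@dataclass(frozen=True)
class Account:
    """One user object as returned by an LDAP query (record layout assumed here)."""
    sam_account_name: str
    user_account_control: int
    pwd_last_set: int  # FILETIME ticks


def filetime_to_datetime(ft: int) -> datetime:
    """Convert FILETIME ticks into a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; only used to build the sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def krbtgt_password_age_days(accounts, now: datetime) -> int:
    """Days since the krbtgt password was last set, or -1 if no krbtgt object is present."""
    for acct in accounts:
        if acct.sam_account_name.lower() == "krbtgt":
            return (now - filetime_to_datetime(acct.pwd_last_set)).days
    return -1


def accounts_without_preauth(accounts) -> list:
    """Enabled accounts with DONT_REQUIRE_PREAUTH set.

    Disabled accounts are skipped: the KDC refuses AS-REQs for them regardless.
    """
    return sorted(
        a.sam_account_name
        for a in accounts
        if (a.user_account_control & UF_DONT_REQUIRE_PREAUTH)
        and not (a.user_account_control & UF_ACCOUNTDISABLE)
    )


def audit(accounts, now: datetime, max_krbtgt_age_days: int = 180) -> dict:
    """Summarise both findings; the 180-day default is an assumed policy threshold."""
    age = krbtgt_password_age_days(accounts, now)
    return {
        "krbtgt_age_days": age,
        "krbtgt_stale": age > max_krbtgt_age_days,
        "preauth_disabled": accounts_without_preauth(accounts),
    }


# Constructed sample data: the names echo the box, every value is made up.
SAMPLE_NOW = datetime(2024, 6, 25, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("Administrator", UF_NORMAL_ACCOUNT,
            datetime_to_filetime(SAMPLE_NOW - timedelta(days=30))),
    Account("krbtgt", UF_NORMAL_ACCOUNT,
            datetime_to_filetime(SAMPLE_NOW - timedelta(days=400))),
    Account("svc-alfresco", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH,
            datetime_to_filetime(SAMPLE_NOW - timedelta(days=90))),
    Account("old-svc", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,
            datetime_to_filetime(SAMPLE_NOW - timedelta(days=900))),
]

if __name__ == "__main__":
    result = audit(SAMPLE_ACCOUNTS, SAMPLE_NOW)
    print(f"krbtgt password age: {result['krbtgt_age_days']} days "
          f"(stale: {result['krbtgt_stale']})")
    print("pre-auth disabled on:", ", ".join(result["preauth_disabled"]) or "none")
```

On a live directory the two attributes come from an LDAP search of user objects (the same kind of query the video runs with ldapsearch); feeding those results into audit() gives a quick view of whether a leaked krbtgt secret would still be valid today and which accounts an AS-REP roast could target.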
@@ippsec man i can't believe you just answered a 3 years ago machine in an hour. I've finished the CPTS path on hackthebox so i'm doing a lot of machines and your videos are helping me insanely, you're the number one, thank you!!!
@@poiint7798 I try my best to answer all questions that seem like the person took time to ask. Hope to hear ya pass the CPTS Exam next year!
plokmijnuhb is a keyboard walk indeed (qwerty, top-right to bottom-left), but could as well have been some kind of swearing in Dutch or Afrikaans :D
1:02:41 That struggle
I'm having trouble with the Add-DomainObjectAcl command. It's saying the command is not recognized :"(
Try getting the dev branch of PowerSploit like he does in the video, then run PowerView.ps1 from the target machine using the IEX command. Solved the issue for me... and ippsec for that matter - check out @58:00
[-] Kerberos SessionError: KRB_AP_ERR_TKT_NYV(Ticket not yet valid)
i get error while try to login with golden ticket
Does anyone have an idea why I'm not getting the same Bloodhound map?
any box video with ssh issues etc ?
Hi, how u split the terminal like in minute 20:05
MrPoita using tmux
He is using "tmux" here ua-cam.com/video/Lqehvpe_djs/v-deo.html
How do you understand what is he doing?
Can anyone help me with this? I couldn't find a proper solution! When I run evil-winrm I get the following error:
Traceback (most recent call last):
2: from ./evil-winrm.rb:8:in ''
1: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59 'require' /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in 'require' : cannot load such file -- winrm (LoadError)
You need to install the gem, it's on evil-winrm's GitHub if you haven't yet. It wasn't on my VM as well :)
It requires a few dependencies.
Run this command -
sudo gem install winrm winrm-fs stringio
@@Organicnz2 Thank you ! I made silly mistake of not reading Installation first
@@buestrm2841 Thank you ! I made silly mistake of not reading Installation first
I see my fake account and its hash in there. Guess we crossed digital paths
chaléé
Is this Ray Romano speaking ?
Great video. So much of useful info. Btw I was unable to get into RPC using null login. Used the exact same syntax but faced with ;Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE;
Did you ever figure this out? I am getting the same thing.
I figured it out! You need to add the -N flag for no password. Not sure why it worked differently in the video.
User was easy but root was definitely not. I'm not very experienced with AD and I had to use some writeups to get through it.
464 is password change. Dc is domain context
RPC null authentication worked with -N password switch
I was waiting for this video.. interesting box. Got the user, didn't find a way to get admin .
Haha you are so bad 😜
For anyone struggling with this in 2022.. a guide round up of how I got the secretsdump to work when it didn't actually work at first. 1- reload the box, 2- use the -s switch on evil-winrm to load in the powerview.ps1 script and then dial in as alfresco and create a new user and add it to the priv group. 3- bring PowerView online by typing PowerView.ps1. 4- type menu to see if the modules have loaded. 5- Do the $sec password line, then the $cred line, then the Add-DomainObjectAcl line, just like in the video. 6- load up secretsdump and execute as in the video. 7- retrieve hashes. First time around it was giving me all sorts of hassle.
For some reason I can not run the command "Add-DomainObjectAcl..." as I get an error. It says that the principal does not exist, even though if I try to add one by doing "add-domainuser..." it says I can't add an already existing principal. Don't know what's wrong, so if someone has the same issue and found a fix, comment plox.
I found the solution
@@wooshbait36 can you please explain
@@enesozdemir9973 No sorry 😐
@@wooshbait36 nevermind. instead of creating another user I added the svc account to Exchange group and went from there
@@enesozdemir9973 Used to have some intern at my company who would ask me for help like this all the time. I wanted to fire him because of how annoying that was but since his department really relied on his labor, I cut his pay by a quarter instead (lol he got so pissed).
This was in April so no other job was hiring at the time because of the Chinese virus so he had nowhere else to go and was forced to start living paycheck to paycheck. I just needed to show him what's up and the power of a boss, ya know?
Anyways, earlier this month I checked his Facebook (he quit sometime in July) and he got hooked on Xanax (again (last time was 4 years prior)) and is living on food stamps. He had to give up custody of his 5 year old daughter to his bitchy ex-wife. I honestly feel kinda bad but oh well man. 🤷♂️
35:14 lol
why is this even in the "Easy" playlist???
21:31 the most relatable moment lol
Why did he publish it before they retire it?
I think there was some reason why - but the box only has 4 hours to live. It's being replaced by "Remote"
@@CarbonDPGYeah but people can own it in 4 hours
@@andresmoreno6162 Points disappear after retire and the box will only be live for another hour or so if it hasn't retired already (boxes tend to retire 4-5 hours before the new box goes live)
The box retired and points are removed 4 hours prior to release. Technically this was an hour early because I forgot about a Daylight Savings switch, but lots of other content creators do as well. Checking with HTB for guidance on if we can keep the hour consistent with DST
@@ippsec Oh ok! Good to know! I was just curious.
I have no idea what's going on, I'm legit new. Great vid tho
Same here
yes i know what all this means
Can you tell about kracken? I noticed that Raspberry Pi. You bf passwords with a micro pc?
Lol you don't have to create a smb share to upload a file. Evil-winrm has an upload command to just upload the executable into machine 😜
Yeah I know but I don’t like touching disk on the target machine if I can avoid it
@@ippsec Just as a means of keeping IOCs low? Eg: A habit thing when on an actual engagement?
Not for IOC. Mainly just to minimize work afterwards cleaning stuff up, and if I get on another box, all my previous tools are immediately available and I don't have to reupload. Also lets me write output directly back to my machine so I don't have to worry about copying files back. It can create more IOCs than writing directly to disk or less, depends completely on the environment
Not a fan of the upload command. It's efficient, but not a great security practice.
@@ippsec Ah! Thank-you for the information!! As always, your videos are amazing!
lmao "mkdir lol"
i just got user on it..root was pretty hard lmfao
I don't get the dislikes, can someone tell me why they would do this 😂😂
World is full of idiots...
35:15 fart ;)
19 90 🤣🤣🤣
Having issues with running crackmapexec. Getting the following error message - :219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
Segmentation fault
Can anybody help?
Am I the only person which doesn't know WTF is going on?
Anyone else having trouble contacting LDAP server? ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
Yeah the new ldap is fucked. You got a solution yet?
Nvm you just do this:
ldapsearch -H ldap://10.10.10.161 -x -s base namingcontexts
thanks... had to scroll to bottom for this cuz I forgot to take a note last time I was on this box. -h isn't even (apparently) an option @@cytroyd