Forest
Forest is an easy-difficulty Windows Domain Controller (DC), for a domain in which Exchange Server has been installed.
IP: 10.10.10.161

Enumeration
The Nmap scan reveals that we are working with a Windows Server 2016 Standard 14393 machine with domain htb.local.

The NetBIOS name of the machine is forest, so I'm guessing the hostname is forest.htb.local. Nothing interesting in SMB.

We can enumerate LDAP if anonymous bind is enabled.
We can see several users in the Exchange Administrators group, which means that Exchange is probably installed on this DC.

If we grep for userPrincipalName, we get a list of 5 user accounts.

There is also a different method to enumerate domain users: with rpcclient, port 135.
We find a new user:

svc-alfresco, probably a service account.
We could also have uncovered this with ldapsearch.

The users are valid.

We can try to request a TGT for svc-alfresco, since it is probably a service account and may not require Kerberos pre-authentication.

We cracked the password.
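As a defender-side counterpart to the AS-REP roasting step above, here is an added example (not from the original write-up): it audits userAccountControl values for the DONT_REQ_PREAUTH bit that makes an account roastable, and scans Windows Security event 4768 records for a TGT issued with pre-authentication type 0 and an RC4 (0x17) ticket. The key=value log rendering, the account names other than svc-alfresco, and the IP addresses are constructed for the example.

```python
"""Defender-side checks for AS-REP roasting (added example, not the page's code).

audit_preauth()      -> accounts whose userAccountControl allows no pre-auth.
detect_asrep_roast() -> 4768 records with PreAuthType 0 and RC4 (0x17) tickets.
The log lines are a constructed key=value rendering of 4768 fields, not real
Windows output; adapt EVENT_4768_RE to your SIEM's export format.
"""
import re

UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit: no Kerberos pre-auth


def audit_preauth(accounts):
    """Return sorted names whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(name for name, uac in accounts.items()
                  if uac & UF_DONT_REQUIRE_PREAUTH)


# Constructed sample: only svc-alfresco has the flag (0x400000 | NORMAL_ACCOUNT 0x200).
SAMPLE_ACCOUNTS = {
    "svc-alfresco": 0x400200,
    "alice": 0x200,
    "bob": 0x10200,  # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD, still requires pre-auth
}

EVENT_4768_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+TargetUserName=(?P<user>\S+)\s+"
    r"PreAuthType=(?P<preauth>\d+)\s+TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+)\s+"
    r"IpAddress=(?P<ip>\S+)\s+Status=(?P<status>0x[0-9a-fA-F]+)")


def detect_asrep_roast(lines):
    """Return (user, source_ip) for each successful 4768 with no pre-auth and RC4."""
    hits = []
    for line in lines:
        m = EVENT_4768_RE.search(line)
        if not m or m["id"] != "4768" or m["status"] != "0x0":
            continue  # not a TGT request, or the DC refused it
        if m["preauth"] == "0" and m["etype"].lower() == "0x17":
            hits.append((m["user"], m["ip"]))
    return hits


# Constructed sample log lines (key=value rendering of 4768/4769 fields).
SAMPLE_LOG = [
    "EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.5 Status=0x0",
    "EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.99 Status=0x0",
    "EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.99 Status=0x6",
    "EventID=4769 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.99 Status=0x0",
]

if __name__ == "__main__":
    print("accounts without pre-auth:", audit_preauth(SAMPLE_ACCOUNTS))
    print("AS-REP roasting hits:", detect_asrep_roast(SAMPLE_LOG))
```

The remediation for a hit in the first list is to clear the flag and rotate the account's password; the second list is the alert condition to wire into the SIEM.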

Privilege escalation
Now we enumerate the domain with BloodHound.

Our account is in the Service Accounts group; that group is a member of PRIVILEGED IT ACCOUNTS, which in turn is a member of Account Operators.

So, in the end, svc-alfresco is a member of Account Operators.
The Service Accounts group has GenericAll over Exchange Windows Permissions, which has WriteDacl on the domain.

If we right-click on GenericAll we can see the attack path that BloodHound recommends.

Now we can just follow the instructions and add a new user to the Domain Admins group, or grant DCSync rights to our account.