Great tool (GetNPUsers.py) from Impacket to check out the TGT from users. Lastly, it was the WriteDacl permission to grant a user with DCSync right to dump secrets (using DRSUAPI) that got me the root flag
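A defender-side view of the same chain, as an added example that is not the poster's code: it scans constructed Windows Security event records (dicts, not real logs) for the three signals a SOC would want to alert on here, which are a TGT request for an account without Kerberos pre-authentication (what GetNPUsers.py looks for), a rewrite of an object's nTSecurityDescriptor (WriteDacl in use) and replication rights exercised by an account that is not a domain controller (DCSync over DRSUAPI). The event fields, the client address and the domain controller name DC01$ are assumptions for the example; the GUIDs are the standard Active Directory replication control-access rights.

```python
"""Detection sketch for AS-REP roasting, WriteDacl abuse and DCSync.
Event records are constructed for this example; they are not real logs."""
from dataclasses import dataclass, field

# Well-known control-access right GUIDs that a DCSync needs (AD schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}


@dataclass
class Event:
    event_id: int
    subject: str                        # account that performed the action
    fields: dict = field(default_factory=dict)


@dataclass
class Finding:
    rule: str
    subject: str
    detail: str


def detect(events, domain_controllers):
    """Return one Finding per suspicious event. domain_controllers is the set of
    computer accounts (upper-case, e.g. 'DC01$') that legitimately replicate."""
    findings = []
    for ev in events:
        f = ev.fields
        if ev.event_id == 4768 and f.get("PreAuthType") == "0":
            # TGT issued to an account with pre-auth disabled: the encrypted
            # part of the AS-REP can be cracked offline.
            findings.append(Finding("asrep-roastable-tgt", ev.subject,
                                    f"no pre-auth, client {f.get('ClientAddress')}"))
        elif ev.event_id == 5136 and f.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor":
            # The object's DACL was rewritten; on the domain head this is the
            # step that hands out replication rights.
            findings.append(Finding("dacl-modified", ev.subject,
                                    f"nTSecurityDescriptor changed on {f.get('ObjectDN')}"))
        elif ev.event_id == 4662:
            # Properties is a whitespace-separated list such as
            # "Control Access {1131f6ad-...}"; strip the braces before matching.
            used = {p.strip("{}").lower() for p in f.get("Properties", "").split()}
            used &= REPLICATION_RIGHTS
            if used and ev.subject.upper() not in domain_controllers:
                findings.append(Finding("dcsync", ev.subject,
                                        "replication rights used: " + ", ".join(sorted(used))))
    return findings


def sample_events():
    """Constructed records mirroring the chain in the post (not real logs)."""
    return [
        Event(4768, "svc-alfresco", {"PreAuthType": "0", "ClientAddress": "10.0.0.5"}),
        Event(4768, "administrator", {"PreAuthType": "2", "ClientAddress": "10.0.0.5"}),
        Event(5136, "svc-alfresco", {"AttributeLDAPDisplayName": "nTSecurityDescriptor",
                                     "ObjectDN": "DC=htb,DC=local"}),
        # Normal replication by a DC (placeholder name DC01$) must not alert.
        Event(4662, "DC01$", {"Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
        Event(4662, "svc-alfresco", {"Properties": "Control Access "
                                     "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                                     "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    ]


def demo():
    return detect(sample_events(), {"DC01$"})


if __name__ == "__main__":
    for finding in demo():
        print(f"[{finding.rule}] {finding.subject}: {finding.detail}")
```

The 4662 rule keys on the account rather than on the event alone because domain controllers legitimately use the same rights on every replication cycle; the allow-list of DC computer accounts is what separates DCSync from normal traffic.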
Nice concise write up, but one slight issue I have is that you changed the group membership and domain permissions for the svc-alfresco account that everyone else is also using. So if anyone else attacks the machine at the same time as you, they get those creds and instantly are a member of groups they shouldn’t be a member of.
I assume the reason the box author allowed svc-alfresco to create new user accounts was for this exact reason. So that we could create a new account and grant permissions to that, so it doesn’t affect the experience of others.
I guess if you’re on VIP and hardly anyone else was attacking that box at the same time, not such a big deal. But on the free servers this would definitely mess with a lot of other people
Yes, I noted that too; that's why I reset the box immediately after getting root.txt. Another advantage I had is that I'm based in Asia, so most of the time it's off-peak hours for many in Europe, the UK or North America. Cheers.
Ah, fair enough, not too bad then. Tbh I thought there was actually something stopping the svc-alfresco account from doing the DCSync attack, as a lot of people said they couldn't do it and HAD to create a new user. Maybe it's just a scheduled task or something that resets the group membership and you did it quickly enough for that not to have any effect.
Thx for the writeup! I couldn't get root in time. All the time I missed adding the user to the "Exchange Trusted Subsystem" group. But why is it necessary? I would think adding him to "Exchange Windows Permissions" should be fine, looking at the BloodHound graph? Do you know why it's necessary?
I could not own this machine because when I tried to attack with GetNPUsers I got an HTB:88 does not exist
@101001101029A said:
Thx for the writeup! I couldn't get root in time. All the time I missed adding the user to the "Exchange Trusted Subsystem" group. But why is it necessary? I would think adding him to "Exchange Windows Permissions" should be fine, looking at the BloodHound graph? Do you know why it's necessary?
It's not necessary. I did it with only the Exchange Windows Permissions group. See my video here: Forest Video Walkthrough - Video Tutorials - Hack The Box :: Forums
@systemcheater said:
I could not own this machine because when I tried to attack with GetNPUsers I got an HTB:88 does not exist
Sounds like you put the wrong domain name in. The domain name you need to specify is "htb.local".
@VbScrub said:
@101001101029A said:
Thx for the writeup! I couldn't get root in time. All the time I missed adding the user to the "Exchange Trusted Subsystem" group. But why is it necessary? I would think adding him to "Exchange Windows Permissions" should be fine, looking at the BloodHound graph? Do you know why it's necessary?
It's not necessary. I did it with only the Exchange Windows Permissions group. See my video here: Forest Video Walkthrough - Video Tutorials - Hack The Box :: Forums
@systemcheater said:
I could not own this machine because when I tried to attack with GetNPUsers I got an HTB:88 does not exist
Sounds like you put the wrong domain name in. The domain name you need to specify is "htb.local".
I put that and then I got this error. I think it's something in my VPN, because I can't use nslookup on any of the HTB machines.
I always got [Errno Connection error (HTB:88)] [Errno -2] Name or service not known
@systemcheater said:
I always got [Errno Connection error (HTB:88)] [Errno -2] Name or service not known
It'll go out to the internet and try to look it up. I'm assuming you're already adding the domain to the hosts file, though?
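The "[Errno -2] Name or service not known" above means the resolver found no mapping for the name at all, which is exactly what happens when the lab domain is missing from the hosts file. As an added example (not code from the thread), this small hosts-file parser checks for an entry before a tool such as GetNPUsers.py is run; the hosts content, the address 10.0.0.10 and the host aliases it lists are constructed placeholders, not the real machine's values.

```python
"""Check a hosts-file text for a lab domain entry (constructed sample data)."""


def hosts_lookup(hosts_text, name):
    """Return the address mapped to `name` in hosts-file text, or None.
    Handles comments, blank lines, tabs and several aliases on one line;
    matching is case-insensitive, as the system resolver's is."""
    wanted = name.lower()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        parts = line.split()                    # address followed by aliases
        addr, aliases = parts[0], parts[1:]
        if wanted in (alias.lower() for alias in aliases):
            return addr
    return None


# Constructed hosts content; the address is a placeholder, not the box's IP.
SAMPLE_HOSTS = """
127.0.0.1   localhost
# lab entry added for the HTB VPN (placeholder address)
10.0.0.10\tforest.htb.local htb.local
"""


def check_target(name, hosts_text=SAMPLE_HOSTS):
    """Human-readable verdict for one name, for use before running Impacket."""
    addr = hosts_lookup(hosts_text, name)
    if addr is None:
        return f"{name}: no hosts entry, add '<target-ip> {name}' to /etc/hosts"
    return f"{name}: resolves to {addr} via hosts file"


if __name__ == "__main__":
    print(check_target("htb.local"))
    print(check_target("HTB"))
```

Checking the hosts file rather than calling the resolver keeps the test offline and also catches the case in the thread where the VPN's DNS cannot answer for the lab domain at all.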