Active

Scanning

First thing first, we run a quick initial nmap scan to see which ports are open and which services are running on those ports.

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sS -sC -sV -O -T4 10.10.10.100 -oX active.nmap
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-21 08:58 EDT
Nmap scan report for 10.10.10.100
Host is up (0.21s latency).
Not shown: 982 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-07-21 12:59:14Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=7/21%OT=53%CT=1%CU=33509%PV=Y%DS=2%DC=I%G=Y%TM=64BA817
OS:6%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10F%TI=I%CI=I%II=I%SS=S%TS=
OS:7)SEQ(SP=107%GCD=1%ISR=10F%TI=I%CI=I%TS=7)OPS(O1=M53CNW8ST11%O2=M53CNW8S
OS:T11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)WIN(W1=200
OS:0%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M53
OS:CNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%
OS:W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=
OS:)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF
OS:=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=
OS:G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   210: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-07-21T13:00:27
|_  start_date: 2023-07-21T06:34:56

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.35 seconds

A number of ports are open. The machine is domain controller. We also get the domain active.htb. Add it to /etc/hosts.

SMB Enumeration

Les use smbclient to enumerate shares

Running enum4linux gives us information that we do have access to replication share.

The same could have been done with submap. The tool has been updated and it was not working and I have to git clone it from the main GitHub page.

So, we have access to Replication. We can use smbmap to recursively list files as there are so many files.

We can see group.xml file. A quick google search tells us that Groups.xml file is a Group Policy Preference (GPP) file. GPP was introduced with the release of Windows Server 2008 and it allowed for the configuration of domain-joined computers. A dangerous feature of GPP was the ability to save passwords and usernames in the preference files. While the passwords were encrypted with AES, the key was made available.

Therefore, if you managed to compromise any domain account, you can simply grab the groups.xml file and decrypt the passwords.

Now that we know how important this file is, let’s download it to our attack machine.

We could have used smb client to download it as well.

Cracking groups.xml file

Viewing the downloaded file, we get the username." userName="active.htb\SVC_TGS"

Now let's decrypt it with gpp-decrypt

Exploiting smb (user flag)

Try accessing different shares with the credentials we found and we are in users.

Now cat out the user flag.

Enumerating AD Users

Lets use some Impacket scripts to Enumerate users

Kerberoasting

Kerberos is a protocol for authentication used in Windows Active Directory environments (though it can be used for auth to Linux hosts as well). In 2014, Tim Medin presented an attack on Kerberos he called Kerberoasting. It’s worth reading through the presentation, as Tim uses good graphics to illustrate the process, but I’ll try to give a simple overview.

When you want to authenticate to some service using Kerberos, you contact the DC and tell it to which system service you want to authenticate. It encrypts a response to you with the service user’s password hash. You send that response to the service, which can decrypt it with it’s password, check who you are, and decide it if wants to let you in.

In a Kerberoasting attack, rather than sending the encrypted ticket from the DC to the service, you will use off-line brute force to crack the password associated with the service.

Most of the time you will need an active account on the domain in order to initial Kerberoast, but if the DC is configured with UserAccountControl setting “Do not require Kerberos preauthentication” enabled, it is possible to request and receive a ticket to crack without a valid account on the domain.

Now let's get the SPNs. The script identified a user, Administrator:

So, we have a ticket. Now, lets crack it with john.

So, we have our password.

SMB exploitation as admin

We can try connecting to other shares as admin user. As now we have credentials.

So, we got the root flag.

Getting Shell

Now we have writable shares and credentials so, we can use psexec to get the shell as well.

impacket-scripts | Kali Linux ToolsKali Linux