Active
Active HTB Machine walkthrough 2023. Active directory Basics.
Scanning
First things first: run an initial nmap scan to see which ports are open and which services are running on them.
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sS -sC -sV -O -T4 10.10.10.100 -oX active.nmap
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-21 08:58 EDT
Nmap scan report for 10.10.10.100
Host is up (0.21s latency).
Not shown: 982 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-07-21 12:59:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-07-21T13:00:27
|_ start_date: 2023-07-21T06:34:56
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.35 seconds
A number of ports are open. Kerberos (88), LDAP (389/3268) and DNS (53) together tell us the machine is a domain controller, and the LDAP banner gives us the domain name active.htb. Add it to /etc/hosts.

SMB Enumeration
Let's use smbclient to enumerate the shares.
Running enum4linux shows that we have access to the Replication share.
The same could have been done with smbmap. The tool had been updated and was not working, so I had to git clone it from the main GitHub page.
So we have access to Replication. We can use smbmap to list the files recursively, as there are many of them.
We can see a Groups.xml file. A quick Google search tells us that Groups.xml is a Group Policy Preferences (GPP) file. GPP was introduced with Windows Server 2008 and allows the configuration of domain-joined computers. A dangerous feature of GPP was the ability to save usernames and passwords in the preference files: the passwords were encrypted with AES, but the key was made publicly available.
Therefore, if you manage to compromise any domain account, you can simply grab the Groups.xml file and decrypt the passwords.
Now that we know how important this file is, let’s download it to our attack machine.
We could have used smbclient to download it as well.

Decrypting the Groups.xml file
Viewing the downloaded file, we get the username from the userName="active.htb\SVC_TGS" attribute.
Now let's decrypt it with gpp-decrypt
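The exposure described above, from the defender's side: an added example (not code from the walkthrough or from gpp-decrypt) that audits a copy of SYSVOL for GPP files still carrying a cpassword attribute. The sample Groups.xml, its placeholder cpassword and the file-name list are constructed for the example.

```python
# Added example (not from the original walkthrough): audit Group Policy
# Preferences XML files under a SYSVOL copy for stored credentials. The
# "cpassword" attribute holds the AES-encrypted password the text describes.
import os
import xml.etree.ElementTree as ET

# GPP file names that can carry a cpassword attribute.
PREFERENCE_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
                    "DataSources.xml", "Printers.xml", "Drives.xml"}

# Constructed sample modelled on a Groups.xml; the cpassword is a placeholder.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="SVC_TGS">
    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-VALUE"
                userName="active.htb\\SVC_TGS"/>
  </User>
  <User name="NoSecret">
    <Properties action="U" cpassword="" userName="active.htb\\harmless"/>
  </User>
</Groups>
"""

def find_stored_credentials(xml_text, source="<memory>"):
    """Return one finding per element that carries a non-empty cpassword."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpass = elem.get("cpassword")
        if cpass:  # an empty cpassword means no password was stored
            findings.append({
                "file": source,
                "element": elem.tag,
                # Groups.xml uses userName; other GPP files use accountName.
                "user": elem.get("userName") or elem.get("accountName") or "",
                "cpassword_len": len(cpass),
            })
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL copy and collect findings from every GPP file in it."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name in PREFERENCE_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    try:
                        findings.extend(find_stored_credentials(fh.read(), path))
                    except ET.ParseError:
                        pass  # skip malformed XML rather than abort the audit
    return findings
```

Any finding is a password that should be removed from the policy and rotated, since the AES key is public.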
Exploiting SMB (user flag)
Try accessing the other shares with the credentials we found: we get into the Users share.
Now cat out the user flag.
Enumerating AD Users
Let's use some Impacket scripts to enumerate users.
Kerberoasting
Kerberos is a protocol for authentication used in Windows Active Directory environments (though it can be used for auth to Linux hosts as well). In 2014, Tim Medin presented an attack on Kerberos he called Kerberoasting. It’s worth reading through the presentation, as Tim uses good graphics to illustrate the process, but I’ll try to give a simple overview.
When you want to authenticate to some service using Kerberos, you contact the DC and tell it which service you want to authenticate to. It encrypts a response to you with the service user's password hash. You send that response to the service, which can decrypt it with its password, check who you are, and decide if it wants to let you in.
In a Kerberoasting attack, rather than sending the encrypted ticket from the DC to the service, you use offline brute force to crack the password associated with the service account.
Most of the time you will need an active account on the domain in order to initiate a Kerberoast, but if the DC is configured with the UserAccountControl setting "Do not require Kerberos preauthentication" enabled, it is possible to request and receive a ticket to crack without a valid account on the domain.
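The same exchange seen from the defender's side: an added example (not part of the original walkthrough) that runs a simple Kerberoasting detection over Windows Security event 4769 records. The events, including the client address 10.10.14.5, are constructed sample data.

```python
# Added example (not part of the original walkthrough): a simple Kerberoasting
# detection over Windows Security event 4769 (Kerberos service ticket
# requested). The classic signal is a user account requesting RC4 tickets
# (TicketEncryptionType 0x17) for SPNs that belong to user accounts rather
# than to machine accounts. The events below are constructed sample data.
from collections import defaultdict

RC4_HMAC = "0x17"  # encryption type a roasting client typically asks for

SAMPLE_4769_EVENTS = [
    # Normal machine-to-machine traffic: AES ticket for a computer account.
    {"TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.10.100"},
    # Request for the krbtgt service itself: not a roasting candidate.
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.14.5"},
    # RC4 ticket for an SPN on a user account: this is roastable material.
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.14.5"},
    # A failed request (non-zero Status) issued no ticket and does not count.
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "Status": "0x1b", "IpAddress": "10.10.14.5"},
]

def is_roast_candidate(ev):
    """True when a 4769 event looks like a roastable service-ticket request."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == "0x0"
            and not svc.endswith("$")      # machine accounts: long random passwords
            and svc.lower() != "krbtgt")   # the TGT service is not a roast target

def detect_kerberoasting(events, threshold=1):
    """Group candidate requests by (requesting account, source IP) and return
    every group that reached the threshold, mapped to the SPN owners requested."""
    requests = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            requests[(ev["TargetUserName"], ev["IpAddress"])].append(ev["ServiceName"])
    return {key: spns for key, spns in requests.items() if len(spns) >= threshold}

if __name__ == "__main__":
    for (account, ip), spns in detect_kerberoasting(SAMPLE_4769_EVENTS).items():
        print(f"ALERT {account} from {ip} requested RC4 tickets for: {spns}")
```

In production the threshold is raised and the window bounded, since a single RC4 request can be legitimate legacy traffic while a burst of them for many user-account SPNs is not.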


Now let's get the SPNs. The script identifies one user with an SPN, Administrator:
So we have a ticket. Now let's crack it with john.
So, we have our password.
SMB exploitation as Administrator
Now that we have the Administrator credentials, we can try connecting to the other shares as that user.
So, we got the root flag.
Getting Shell
Now that we have writable shares and credentials, we can use psexec to get a shell as well.
