Active is a Windows Active Directory server which contained a Groups.xml file in an SMB share accessible through anonymous logon. This file contained a Group Policy Preference password for a user account, which was then decrypted in order to gain access to a service account with read access to the user flag.
Privileges were escalated by fetching Service Principal Names associated with service accounts and retrieving the Administrator's Kerberos 5 hash. This hash was cracked, granting read/write access to the filesystem as well as an interactive shell via arbitrary service installation/execution using tools such as psexec.
I began recon on this host with an nmap scan checking service versions and running default scripts on the top 1000 most common ports:
nmap -sV -sC 10.10.10.100
This returned a large number of ports. Because DNS, Kerberos, and LDAP were among the myriad of services and ports on this machine, it appeared to be a Domain Controller. Not many of the services allowed direct user interaction, and since the scan gathered little information about SMB on port 445, that was the next target for enumeration on the host.
smbclient -L //10.10.10.100 -N
-L: list shares
-N: anonymous logon
Again, this simple enumeration step returned several findings. A quick way to view access to multiple SMB shares is through a tool called smbmap:
smbmap -H 10.10.10.100
After some review, the Replication share returned a Groups.xml file at the path:
Reviewing the contents of this file:
There is a username active.htb\SVC_TGS with a cpassword value that contains an AES-encrypted password. Several tools have been created to decrypt these passwords, including a function that I extracted from PowerSploit in order to decrypt this file:
This function receives a Group Policy Preference password as a command-line argument and returns the plaintext string. This even works in PowerShell Core on macOS!
Luckily there is also a built-in tool that ships with Kali to decrypt this password, called
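As an added example (not code from the original post), the check a defender would run against SYSVOL for the same weakness: a small Python audit that parses Group Policy Preference XML such as Groups.xml and reports every element carrying a cpassword attribute. The sample file, its uid and the cpassword value are constructed placeholders, and the scan goes beyond Groups.xml to the other GPP files that can embed credentials.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, Iterator, List

# Constructed sample in the Groups.xml layout; the cpassword value is a placeholder
# and the uid is made up (they are not the values from the post).
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS"
        image="2" changed="2018-07-18 20:46:06" uid="{CONSTRUCTED-UID}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="PLACEHOLDER_CPASSWORD_BASE64" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

# Attributes naming the account a cpassword belongs to, across the GPP file types
# that can embed credentials (Groups, Services, ScheduledTasks, DataSources, Drives).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text: str, source: str = "<string>") -> List[Dict[str, str]]:
    """Return one finding per element carrying a non-empty cpassword attribute."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for elem in parent:  # cpassword sits on the child <Properties> element
            if not elem.attrib.get("cpassword"):
                continue  # absent or empty: no stored password here
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib),
                           parent.get("name", "?"))
            findings.append({
                "source": source,
                "element": parent.tag,  # User, Service, Task, DataSource, Drive ...
                "account": account,
                "changed": parent.get("changed", ""),
                "cpassword": elem.attrib["cpassword"],
            })
    return findings


def scan_sysvol(root: Path) -> Iterator[Dict[str, str]]:
    """Walk a SYSVOL copy (or mounted share) and yield findings from every .xml file."""
    for path in root.rglob("*.xml"):
        try:
            yield from find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path))
        except ET.ParseError:
            continue  # not well-formed XML, so not a GPP file; skip it
```

Run scan_sysvol over a copy of \\<dc>\SYSVOL\<domain>\Policies; any finding means a credential is stored in a file every domain user can read and the GPP should be removed and the password rotated.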
Either method returns the same password. This account is able to access the Users share and view the
The active.htb\SVC_TGS account is also able to find and fetch Service Principal Names that are associated with normal user accounts using the GetUserSPNs.py script from Impacket. The following command lists the Administrator account:
./GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
-dc-ip: IP address of the domain controller
-request: requests a TGS for each user and outputs it in JtR/hashcat format
This returned a Kerberos 5 hash which can be cracked by hashcat using the rockyou.txt wordlist along with the following arguments:
hashcat -m 13100 -d 3 -a 0 -o Active.txt Administrator.hash rockyou.dict
The cracked password is written into Active.txt. Reading the file returns the plaintext password Ticketmaster1968. These credentials can be used to access the
An interactive shell can be gained using tools such as psexec. Many tools which operate similarly to psexec, such as the psexec module in Impacket, allow the service that is installed and later removed to be given a name. Choosing a service name for something that may be expected to get deleted shortly after installation, such as an update to an antivirus client, is a simple step that may assist in avoiding detection.
./psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100 -service-name LUALL.exe