ACTIVE
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Active, what is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu/
2 - ENUMERATION
- Active's IP is 10.10.10.100:
- Scanning with Nmap:
- So we have a Microsoft Windows Server 2008 R2 SP1 running an Active Directory with a domain active.htb
- Also, as we will see later it is of crucial importance the fact that Active has a Kerberos server running at port 88.
- Because port 445 is open we run enum4linux to enumerate SMB and detect potential shared folders:
- The share Replication allows Anonymous login, and it is probably a replication of SYSVOL
- SYSVOL stores the Group Policy Preferences holding information about users and groups of the network, so it will be a promising vector attack.
3 - EXPLOITATION
- Let's access /Replication with smbclient and Anonymous login:
- Listing content:
- Inside Policies there are two folders:
- Going with the first one:
- Inside /MACHINE/Preferences/Groups there is the file Groups.xml associated with the Group Policy Preferences (GPP):
- Also, /Replication could be explored recursively in this way:
- Anyway, downloading and reading Groups.xml:
- So we have found the username and the cpassword atributes.
- cpassword is the name of the attribute that stores passwords in a Group Policy Preferences item:
- Let's store these credentials for later usage:
- The script Gpprefdecrypt.py decrypts local user password cpassword:
- Applying gpprefdecrypt.py over cpassword:
- Connecting again with smbclient, now with the recently achieved credentials:
- Listing content:
- ldapsearch and this complicated command yields active accounts for Active Directory:
https://www.openldap.org/software//man.cgi?query=ldapsearch&apropos=0&sektion=1&manpath=OpenLDAP+2.4-Release&format=html
- Also, GetADUsers.py is useful to enumerate the Active Directory user accounts:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetADUsers.py
4 - CAPTURING THE 1st FLAG
- Going to the user SVC_TGS home folder:
- Getting and reading user.txt we are able to read the 1st flag:
5 - PRIVILEGE ESCALATION
- However, access to the Administrator home folder is denied, so we need Privilege Escalation:
- The Nmap scan yielded the result that Kerberos service was running at port 88, as we saw before.
- The Kerberoasting attack was the subject of Tim Medin’s presentation Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades at Derbycon 2014.
https://www.scip.ch/en/?labs.20181011
- The attack involves an effective method that allows normal domain users to get their hands on credentials for service accounts.
- This attack is most likely to succeed when service accounts have weak passwords.
- Kerberoasting works by extracting the hash of the Kerberos TGS (Ticket Granting Service) ticket reply, what is encrypted with the NTLM password hash of the account.
- Kerberos uses Service Principal Names (SPN) to identify an account associated with a service instance.
- The Python script GetUserSPNs.py is able to extract hashes of Service Principal Names that are associated with normal user accounts:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py
- Downloading the script and giving execution permissions:
- Options -request and -dc-ip will be used:
- After launching GetUserSPNs.py the hash for user Administrator is extracted:
- Storing the hash at a text file:
- Now, to decrypt the hash it could be used both John The Ripper and hashcat (locally or online):
- Finally we have a decrypted password Ticketmaster1968 for the Administrator:
- The Metasploit psexec exploit is able to get a System shell:
- An alternative to Metasploit for getting a System shell is the Python script wmiexec.py:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
6 - CAPTURING THE 2nd FLAG
- Reading root.txt:
