Saturday, February 2, 2019

Active


ACTIVE

- Layout for this exercise:



1 - INTRODUCTION

The goal of this exercise is to develop a hacking process for the vulnerable machine Active, what is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/


2 - ENUMERATION

Active's IP is 10.10.10.100:




- Scanning with Nmap:



- So we have a Microsoft Windows Server 2008 R2 SP1 running an Active Directory with a domain active.htb

- Also, as we will see later it is of crucial importance the fact that Active has a Kerberos server running at port 88.

- Because port 445 is open we run enum4linux to enumerate SMB and detect potential shared folders:






- The share Replication allows Anonymous login, and it is probably a replication of SYSVOL


SYSVOL stores the Group Policy Preferences holding information about users and groups of the network, so it will be a promising vector attack.



3 - EXPLOITATION


- Let's access /Replication with smbclient and Anonymous login:




- Listing content:







- Inside Policies there are two folders:




- Going with the first one:




- Inside /MACHINE/Preferences/Groups there is the file Groups.xml associated with the Group Policy Preferences (GPP):













- Also, /Replication 
could be explored recursively in this way:

 

- Anyway, downloading and reading Groups.xml:






- So we have found the username and the cpassword atributes.

cpassword is the name of the attribute that stores passwords in a Group Policy Preferences item:






- Let's store these credentials for later usage:




- The script Gpprefdecrypt.py decrypts local user password cpassword:










- Applying gpprefdecrypt.py over cpassword:





- Connecting again with smbclient, now with the recently achieved credentials:




- Listing content:




ldapsearch and this complicated command yields active accounts for Active Directory:


https://www.openldap.org/software//man.cgi?query=ldapsearch&apropos=0&sektion=1&manpath=OpenLDAP+2.4-Release&format=html






- Also, GetADUsers.py is useful to enumerate the Active Directory user accounts:


https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetADUsers.py









4 - CAPTURING THE 1st FLAG

- Going to the user SVC_TGS home folder:




- Getting and reading user.txt we are able to read the 1st flag:











5 - PRIVILEGE ESCALATION

- However, access to the Administrator home folder is denied, so we need Privilege Escalation:





- The Nmap scan yielded the result that Kerberos service was running at port 88, as we saw before.

- The Kerberoasting attack was the subject of Tim Medin’s presentation Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades at Derbycon 2014. 

https://www.scip.ch/en/?labs.20181011


- The attack involves an effective method that allows normal domain users to get their hands on credentials for service accounts. 

- This attack is most likely to succeed when service accounts have weak passwords.

Kerberoasting works by extracting the hash of the Kerberos TGS (Ticket Granting Service) ticket reply, what is encrypted with the NTLM password hash of the account.

- Kerberos uses Service Principal Names (SPN) to identify an account associated with a service instance.

- The Python script GetUserSPNs.py is able to extract hashes of Service Principal Names that are associated with normal user accounts:

https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py




- Downloading the script and giving execution permissions:





- Options -request and -dc-ip will be used: 








- After launching GetUserSPNs.py the hash for user Administrator is extracted:






- Storing the hash at a text file:




- Now, to decrypt the hash it could be used both John The Ripper and hashcat (locally or online):





- Finally  we have a decrypted password Ticketmaster1968 for the Administrator:




- The Metasploit psexec exploit is able to get a System shell:









- An alternative to Metasploit for getting a System shell is the Python script wmiexec.py:


https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py





6 - CAPTURING THE 2nd FLAG

- Reading root.txt: