Active
This is an easy Windows box. It involves accessing an open SMB share, decrypting a Group Policy Preferences password found on that share to obtain the svc_tgs user's password, then requesting a Kerberos service ticket for the Administrator account and cracking it offline to obtain the administrator's password, which lets us authenticate to the machine as SYSTEM.
As usual, I start by scanning all open ports and running services with nmap:
-sC: run default nmap scripts
-O: detect OS
-sV: detect service version
-oA: write the output in all formats to files named initial
Port 53: running DNS 6.1.7601
Port 88: running Kerberos
Ports 135, 593, 49152, 49153, 49154, 49155, 49157, 49158: running msrpc
Ports 139 & 445: running SMB
Ports 389 & 3268: running Active Directory LDAP
Port 464: running kpasswd5. This port is used for changing/setting passwords against Active Directory.
Using the smbclient utility to enumerate the open shares on the machine:
The Replication share has READ ONLY permission on it. Let's log in anonymously to view the files on the Replication share.
After looking through all the files on this share, I found a Groups.xml file, a Group Policy Preferences file that often contains Active Directory credentials, in the following directory:
This is the content of the Groups.xml file. It contains a cpassword attribute for the user SVC_TGS, and the value is encrypted.
Using the gpp-decrypt tool, which decrypts the cpassword attribute stored in Group Policy Preferences XML files (the value is AES-encrypted with a key Microsoft published in its own documentation, which is why it can be recovered offline):
The domain account SVC_TGS has the password GPPstillStandingStrong2k18.
Accessing the Users share with the recovered username and password using smbclient (the ADMIN$ share is not accessible with a domain user account):
The user flag is in /Users/SVC_TGS/Desktop/user.txt.
Since we're working with Active Directory and Kerberos is the authentication protocol, let's try a technique known as Kerberoasting. To understand how this attack works, you need to understand how the Kerberos authentication protocol works.
If you compromise a user that has a valid Kerberos ticket-granting ticket (TGT), then you can request one or more ticket-granting service (TGS) service tickets for any Service Principal Name (SPN) from a domain controller. An example SPN would be the Application Server shown in the above figure.
A portion of the TGS ticket is encrypted with the hash of the service account associated with the SPN. Therefore, you can run an offline brute-force attack on the encrypted portion to reveal the service account's password. So if you request a TGS ticket for an SPN registered to the administrator account and the administrator is using a weak password, we'll be able to crack it!
Kerberos authentication uses Service Principal Names (SPNs) to identify the account associated with a particular service instance.
Impacket's GetUserSPNs.py can be used to identify accounts that are configured with SPNs; it can also request the TGS tickets and extract the hashes for offline cracking.
target: domain/username:password
-dc-ip: IP address of the domain controller
-request: Requests TGS for users and outputs them in JtR/hashcat format
We were able to request a TGS ticket for an SPN registered to the Administrator account. If we can crack it, we'll be able to escalate privileges!
Let's crack it using John the Ripper.
I copied the TGS hash to a file called hashes.kerberoast.
The password is Ticketmaster1968.
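From the defender's side, the request above leaves a trace: a Windows Security event 4769 (Kerberos service ticket requested) for the Administrator SPN with the RC4 encryption type that Kerberoasting tools ask for. The following is an added example, not part of the original walkthrough, that flags such events; the event records are constructed (the domain and IP addresses are placeholders) but use the real 4769 EventData field names.

```python
# Added example (not from the original walkthrough): detect Kerberoast-style
# TGS requests in Windows Security event 4769 data.
# The records below are constructed samples; domain and IPs are placeholders.
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC (eTYPE 23)

# Constructed 4769 EventData records, as they would come out of an EVTX/XML parser.
SAMPLE_4769 = [
    # The page's scenario: svc_tgs asks for an RC4 ticket to the Administrator SPN.
    {"TargetUserName": "svc_tgs@EXAMPLE.LOCAL", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.20"},
    # Normal AES ticket for a machine account: benign.
    {"TargetUserName": "svc_tgs@EXAMPLE.LOCAL", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.5"},
    # RC4 ticket for krbtgt is a TGT renewal, not a Kerberoast target.
    {"TargetUserName": "svc_tgs@EXAMPLE.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.20"},
    # Another user roasting a service account.
    {"TargetUserName": "alice@EXAMPLE.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.30"},
]


def is_roast_candidate(ev: dict) -> bool:
    """True when one 4769 record looks like a Kerberoast request: a successful
    RC4 service ticket for a user (non-machine) account other than krbtgt."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == "0x0"
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def kerberoast_report(events):
    """Group candidate requests by (requesting account, source IP).
    Returns {(requester, ip): [service account, ...]}; an entry with several
    distinct services from one source is the classic bulk-roast pattern."""
    hits = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            hits[(ev["TargetUserName"], ev["IpAddress"])].append(ev["ServiceName"])
    return dict(hits)


if __name__ == "__main__":
    for (who, ip), services in kerberoast_report(SAMPLE_4769).items():
        print(f"{who} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

In a real environment the input would come from the domain controllers' 4769 events; accounts whose SPNs are still reachable with RC4 are the ones worth moving to AES-only and to long, managed passwords.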
To log in as the administrator, we'll use another Impacket script, psexec.py, since as administrator we have write permissions on the SMB shares (psexec.py needs a writable share to upload the service binary it runs).
We can also use smbclient.
I hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara