Active

This is an easy Windows box. The path in is an openly readable SMB share, on which a Group Policy Preference file stores an encrypted password (cpassword) that decrypts to the svc_tgs user's password. With that account we request a Kerberos service ticket for an SPN registered to the Administrator, crack the ticket offline to recover the Administrator's password, and use it to authenticate to the machine as SYSTEM.

Reconnaissance:

nmap

As usual, start by scanning all open ports and running services with nmap, using these options:

  • -sC: run default nmap scripts

  • -O: detect OS

  • -sV: detect service version

  • -oA: write output in all three formats, with the base file name initial

  • Port 53: running DNS 6.1.7601

  • Port 88: running Kerberos

  • Ports 135, 593, 49152, 49153, 49154, 49155, 49157, 49158: running msrpc

  • Ports 139 & 445: running SMB

  • Ports 389 & 3268: running Active Directory LDAP

  • Port 464: running kpasswd5. This port is used for changing/setting passwords against Active Directory

Enumeration

Enumerating SMB Shares:

Using the SMBClient utility to enumerate open shares in the machine:

The Replication share has READ ONLY permission on it. Let's try to log in anonymously and view the files on the Replication share.

After looking through all the files on this share, I found a Groups.xml file, a Group Policy Preference file that often contains Active Directory credentials, in the following directory:

cd active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\

This is the content of the Groups.xml file. It contains a cpassword attribute for the user SVC_TGS; the value is encrypted, not plaintext.
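Added here as a defender-side example, not part of the original walkthrough or of any tool it mentions: an audit that walks preference XML files like the one above and reports every item that still carries a non-empty cpassword (the value is recoverable because Microsoft published the AES key used to protect it, which is why gpp-decrypt works). The sample file, its path and the cpassword value below are constructed placeholders; the scan generalises to the other GPP item types that use the same attribute.

```python
import os
import re
import xml.etree.ElementTree as ET

GPO_GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed stand-in for the share's Groups.xml; the cpassword value is a placeholder.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS">
    <Properties action="U" userName="active.htb\\SVC_TGS" cpassword="PLACEHOLDER_BASE64_CPASSWORD"/>
  </User>
  <User name="active.htb\\no_password_set">
    <Properties action="U" userName="active.htb\\no_password_set" cpassword=""/>
  </User>
</Groups>
"""
SAMPLE_PATH = (r"active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"
               r"\MACHINE\Preferences\Groups\Groups.xml")

def find_cpasswords(xml_text, source_path):
    """Return one finding per element carrying a non-empty cpassword attribute."""
    # Groups, Services, ScheduledTasks, DataSources, Drives and Printers items all store
    # the secret in the same attribute; only the name of the account field differs.
    match = GPO_GUID_RE.search(source_path)
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpassword = elem.get("cpassword")
        if not cpassword:
            continue  # attribute absent or empty: nothing stored for this item
        findings.append({
            "path": source_path,
            "gpo_guid": match.group(0) if match else None,
            "account": elem.get("userName") or elem.get("accountName") or elem.get("runAs"),
            "cpassword_length": len(cpassword),
        })
    return findings

def scan_sysvol(root_dir):
    """Walk a local copy of SYSVOL (or a mounted Replication share) and collect findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig") as fh:  # GPP XML is UTF-8, often with a BOM
                try:
                    findings.extend(find_cpasswords(fh.read(), path))
                except ET.ParseError:
                    pass  # not a well-formed preference file; skip it
    return findings
```

Any finding means the GPO should be edited to remove the stored password and the affected account's password rotated, since everyone who can read the share can recover it.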

Gain an Initial Foothold

Use the gpp-decrypt tool, which decrypts the cpassword attribute stored in Group Policy Preferences XML files.

The domain account SVC_TGS has the password GPPstillStandingStrong2k18

Access the Users share with smbclient and the username and password just found (the ADMIN$ share is not accessible with a plain domain user account):

smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18

Get the flag from Users/SVC_TGS/Desktop/user.txt.

Privilege Escalation

Kerberoasting:

Since we’re working with Active Directory and using Kerberos as an authentication protocol, let’s try a technique known as Kerberoasting. To understand how this attack works, you need to understand how the Kerberos authentication protocol works.

If you compromise a user that has a valid kerberos ticket-granting ticket (TGT), then you can request one or more ticket-granting service (TGS) service tickets for any Service Principal Name (SPN) from a domain controller. An example SPN would be the Application Server shown in the above figure.

A portion of the TGS ticket is encrypted with the hash of the service account associated with the SPN, so the encrypted portion can be brute-forced offline to reveal the service account password. If we request a TGS ticket for an SPN registered to an administrator account and that administrator uses a weak password, we'll be able to crack it!

Kerberos authentication uses Service Principal Names (SPNs) to identify the account associated with a particular service instance.

Impacket’s GetUserSPNs can be used to identify accounts that are configured with SPNs and is also able to request the TGS and extract the hash for offline cracking.

impacket-GetUserSPNs -dc-ip 10.10.10.100 -request active.htb/SVC_TGS

  • target: domain/username:password

  • -dc-ip: IP address of the domain controller

  • -request: Requests TGS for users and outputs them in JtR/hashcat format

We were able to request a TGS for an SPN registered to the Administrator account. If we can crack the TGS, we'll be able to escalate privileges!

Let's crack it using John the Ripper.

I copied the TGS hash to a file called hashes.kerberoast:

john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast

The password is Ticketmaster1968.

To log in as the Administrator, we'll use another Impacket script, psexec; it works here because the Administrator account has write access to the administrative SMB shares, which psexec needs in order to drop the service executable it runs.

We can also use smbclient with the same credentials.

Hope you found this walkthrough easy to understand and follow.

Greetings from Sayonara
