CTF Walkthroughs, Hack The Box

Hack The Box – Active Walkthrough

February 1, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was an easy Windows box which involved accessing an open SMB share, decrypting a Group Policy Preference password found on the share to obtain the Administrator user’s hash which is then cracked to authenticate to the machine as SYSTEM.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

Enumerating SMB

Using the SMBClient utility to enumerate open shares in the machine:

Accessing the “Replication” share using SMBClient:

Found a groups.xml file, which often contains Active Directory credentials:

The file, it seems to contain an encrypted password:

The gpp-decrypt tool can be used to decrypt the cpassword attribute stored in the Group Policy Preferences XML file.

Using gpp-decrypt to obtain the clear-text password from groups.xml:

Active Directory Enumeration

Adding the Active machine to the /etc/hosts file so that active directory enumeration steps can be performed:

The GetADUsers.py script can be used to gather data about the domain’s users extra information about last logon and last password set attributes.

Running the script against the domain specifying the IP address as well:

Using ldapsearch to search for users with an active Service Principal Names, using the following flags:

  • -x to use simple authentication instead of SASL.
  • -h to specify the host
  • -p to specify the port
  • -D to use the Distinguished Name binddn to bind to the LDAP directory
  • -w to specify the password to be used for the authentication
  • -b to use searchbase as the starting point for the search instead of default
  • -s to specify the scope of the search to be one of base, one, sub, or children to specify a base object, one-level, subtree, or children search.

Command used:

ldapsearch -x -h 10.10.10.100 -p 389 -D ‘SVC_TGS’ -w ‘GPPstillStandingStrong2k18’ -b "dc=active,dc=htb" -s sub"(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.1 13556.1.4.803:=2))(serviceprincipalname=*/*))" serviceprincipalname | grep -B 1 servicePrincipalName

The same results can be achieved with the GetUsersSPNs.py script:

Using the GetUsersSPN.py script to obtain the Administrator Kerberos ticket hash, using the -request flag:

Cracking Kerberos Ticket Hashes

Saving the ticket hash to a text file to crack it later on:

Cracking the ticket using hashcat, specifying the hash type(Kerberos 5 TGS-REP etype 23) and the wordlist to be used (rockyou in this case):

It looks like the hash was cracked successfully:

Using PSExec to authenticate to the machine as the Administrator user with the password cracked earlier:

Conclusion

This was a really interesting machine, although it was quite easy it included Active Directory/Kerberos enumeration, which isn’t very common in easy boxes.

It is a good way to start practicing AD enumeration for users that are not familiar with this service