Active is an easy box on the HacktheBox platform, featuring anonymous SMB shares leading to cached credentials through a Group Policy Preferences (GPP) file, Kerberoasting all Service Principal Names (SPNs), including cracking the credentials embedded in a TGS, and authenticating to the box as Administrator.
Enumeration
First off, utilize a Nmap scan to enumerate the machine, utilizing default NSE scripts and version enumeration.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-12 13:04 CST
Nmap scan report for 10.10.10.100
Host is up (0.066s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-12 19:04:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-12-12T19:04:59
|_ start_date: 2023-12-12T03:28:11
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
|_clock-skew: -5s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.93 seconds
A few services indicate that this is a Microsoft Windows Active Directory Domain Controller, including the Kerberos, LDAP, and Microsoft DNS services.
Now that we know this is a DC, we can use crackmapexec to learn a little more about the domain, including the DC hostname and domain name. We can also use crackmapexec to test for anonymous SMB bindings, and sure enough, this DC accepts anonymous bindings and gives us read access to a backup share called “Replication”.
We can then authenticate to the backup share:
smbclient -N \\\\10.10.10.100\\Replication
And dump all the files onto our host system with smbclient
recurse ON
prompt OFF
mget *
We quickly find this backup share contains group policy files, including a Group Policy Preferences (GPP) file. We enumerated the Windows Server version, Windows Server 2008 R2 SP1. Windows Server 2016 R2 and before, have a “cpassword” entry inside of their GPP xml file tied to the “active.htb\SVC_TGS” user. This field is encrypted with a publicly disclosed AES-32bit key, allowing us to decrypt the field with public tools. In our case we’ll use “gppdecrypt”.
We were able to successfully decrypt the password for the SVC_TGS user. We can use the domain user credentials to test for common AD authentication attacks: including AS-REProasting attacks, and Kerberoasting attacks.
The Administrator user is registered as a Service Principal Name (SPN), meaning we can request a Kerberos ticket for an SPN. The retrieved Kerberos ticket is encrypted with the hash of the service account password affiliated with the SPN, meaning we can crack the hash offline.
And we cracked the Administrator hash! We can now authenticate to the domain controller using PsExec, WmiExec, or some other form of remote administrative command execution.