HackTheBox-Active

ARZ101
5 min read · May 14, 2021


Hello everyone, I hope you are doing well. In this post I will be sharing my walkthrough of the HTB Active machine, an Active Directory machine where we are given access to a share from which we can read a file called “Groups.xml”. That file holds the details of a service account together with an encrypted password, which we can decrypt and then use the account to gather information about the AD and perform Kerberoasting.

Rustscan

PORT      STATE SERVICE       REASON          VERSION
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2021-05-14 04:03:39Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC

PORT 139/445 (SMB)

We can try to log in anonymously to see which SMB shares exist.

So let’s try them one by one to see which share we can access.

We have access to the Replication share.

Using smbget, download everything.

I spent time going through the directories here and there and found an XML file called Groups.xml.

Here we can see the service account SVC_TGS and an encrypted password, so I searched for the Groups.xml file and straight away found results for decrypting the password, referring to this article:

https://myexploit.wordpress.com/groups-xml/

So this file is called a Group Policy Preferences file. It stores the encrypted password for a user at the time of user creation, encrypted with AES-256, but the key is publicly available in the documentation, so there are many tools and scripts that can decrypt this password. I used the command gpp-decrypt <encrypted_password>, a built-in tool found in Kali Linux.
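The same exposure is worth auditing on your own SYSVOL, so here is a small scanner added to this write-up (not code from the post or from gpp-decrypt) that walks a local copy of the share and reports every GPP file that still carries a cpassword. The Groups.xml it parses is a constructed sample, and its cpassword value is plain base64 filler of the right shape, not a real ciphertext and not the value from the box.

```python
"""Audit a local SYSVOL copy for GPP files that still carry a cpassword. Added example, not code from the post."""
import base64
import os
import xml.etree.ElementTree as ET

# GPP files that may embed a cpassword. MS14-025 stops new ones being written but leaves old ones in SYSVOL.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")

# Constructed sample in the layout of a real Groups.xml. The cpassword is plain
# base64 filler of the right shape (32 bytes, '=' padding stripped), not a real
# ciphertext and not the value from the box.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS">
    <Properties action="U" cpassword="QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWY"
      changeLogon="0" noChange="1" neverExpires="1" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>"""

def restore_padding(cpassword: str) -> str:
    """GPP strips the trailing '=' from the base64 cpassword; put it back."""
    return cpassword + "=" * (-len(cpassword) % 4)

def find_cpasswords(xml_text: str, source: str = "<memory>") -> list:
    """One finding per element whose <Properties> child carries a cpassword."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        props = elem.find("Properties")
        if props is None or "cpassword" not in props.attrib:
            continue
        blob = base64.b64decode(restore_padding(props.attrib["cpassword"]))
        findings.append({
            "file": source,
            "element": elem.tag,  # User, Service, Task, DataSource, Drive, ...
            "account": props.attrib.get("userName") or props.attrib.get("accountName") or elem.attrib.get("name", ""),
            "ciphertext_bytes": len(blob),
            # AES-CBC output is whole 16-byte blocks; anything else is not a GPP cpassword
            "looks_like_aes": len(blob) % 16 == 0,
        })
    return findings

def scan_sysvol(root_dir: str) -> list:
    """Walk a SYSVOL copy and collect cpassword findings from every GPP file."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
    return findings
```

Point scan_sysvol() at the directory smbget wrote to; every finding it returns is a policy file that should be rewritten without the stored credential and have that account's password rotated.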

We can see it’s a valid password, but it didn’t show the status “Pwned!”, so I think we can’t get a shell with this. Instead we can use the Python BloodHound ingestor to gather information about the AD environment:

https://github.com/fox-it/BloodHound.py

python3 bloodhound.py -d 'active.htb' -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -gc 'active.htb' -c all -ns 10.10.10.100

Put all these JSON files in an archive and import it into the BloodHound GUI by dragging and dropping the archive file onto the GUI.

Running the query Find all Domain Admins, we can see results, which means the JSON files were imported.

On running the query List All Kerberoastable Users, we can see there’s an Administrator account, so using the credentials we found we can get the TGT (Ticket Granting Ticket) hash.

To crack this hash I will be using hashcat. Since we need to specify the hash mode, I am going to search for the krb5tgs hash mode:

https://hashcat.net/wiki/doku.php?id=example_hashes

And we will just wait for the hash to be cracked.

Now let’s check this password again with crackmapexec.

We get a “Pwned!” status, which means we can get a shell now. But before that, let’s see if we can dump hashes: the Administrator has DCSync rights, meaning the right to replicate AD information, so we can dump the hashes from the file called NTDS.dit, which holds the hashes of all users in the AD.

And it looks like we can, so let’s just get a shell with psexec.py as SYSTEM.
