HACK THE BOX (ACTIVE)

Sanoj Withanage

https://www.linkedin.com/in/sanoj-withanage-17950a198
  • MACHINE — ACTIVE
  • IP — 10.10.10.100
  • OS — WINDOWS

I used this Windows machine to practice the Windows SMB (Server Message Block) environment and Kerberos key exchanges. It is interesting to understand the key exchanges and how they are used to authenticate SMB (Server Message Block) users.

1. Identifying the target using ‘nmap’.

First, I ran nmap against 10.10.10.100 to enumerate and identify the target.

Command used

sudo nmap -sV -sT -O -A -oN Active 10.10.10.100

  • -sV = Probe open ports to determine service/version info
  • -sT = TCP Connect() scan
  • -O = Enable OS detection
  • -A = Enable OS detection, version detection, script scanning, and traceroute
  • -oN = Save the nmap result to the given file name on the local host

2. Analyzing ports 139 and 445.

From the results, I found that 10.10.10.100 is running a Windows OS. In particular, I saw that ports 139 and 445 are used for the Server Message Block (SMB) protocol. Port 139/TCP has Windows “netbios-ssn” and port 445/TCP has “microsoft-ds?”, but I was not sure about the system running there. Port 88/TCP shows “kerberos-sec”, which means this system is using Active Directory. So, I decided to run an SMB server enumeration against the target as the next step.

What is SMB server?

Simply put, SMB is a protocol made for transferring TCP/IP packets in a local network using ports 139 and 445. By default, port 139 is commonly used for printers and scanners, and port 445 is used to connect to other nodes. The protocol operates at the session layer of the OSI model. From the beginning, the Common Internet File System (CIFS) protocol was used alongside the SMB protocol; over time SMB has become popular among network setups.

More reference

https://nordvpn.com/blog/what-is-smb/

What is Active Directory?

Active Directory is a Microsoft Windows domain system developed for controlling and managing the domain network with administrator privileges. Active Directory is a reliable method of authenticating users by transferring tokens with the Kerberos protocol.

More reference

https://searchwindowsserver.techtarget.com/definition/Active-Directory#:~:text=Active%20Directory%20(AD)%20is%20Microsoft's,device%2C%20such%20as%20a%20printer.

3. Identifying SMB network clusters by Smbmap

Used command

smbmap -H 10.10.10.100

  • -H = Host specified

You can see that permission is denied on every share except Replication. The only way of getting into the SMB server is to try Replication, which has read-only permission.

Then I used some more options to be more specific about the target:

smbmap -R Replication -H 10.10.10.100

  • -R = Recursively list dirs, and files
  • -H = specifying target host

WOW Amazing!! I found that active.htb contains a group policy folder, which made it easy for me to get access to a user token somehow. A Group Policy Object is a management control for restrictions, access controls, domain controls, etc., created when Active Directory (AD) is implemented for the first time in a domain.

There are many ways to enumerate SMB servers. This is another way I used to enumerate: the Kali built-in tool “enum4linux”.

Command used

enum4linux 10.10.10.100

This tool gives you all the information which is possible to take out from the target server in detail within a well-organized structure.

4. Connecting to smb server

I used the smbclient command, entering as a no-pass user through the Replication directory.

Used command

smbclient -N //10.10.10.100/Replication

My goal is to somehow find the user authentication token to access the system through Microsoft policy as a user reverse shell.

5. Finding group policies

By default in the listing, the Default group policy comes up first and the rest line up under it.

{31B2F340-016D-11D2-945F-00C04FB984F9} - Default Domain Policy

{6AC1786C-016F-11D2-945F-00C04fB984F9}

While analysing, I could not find any useful information in the second Domain Policy, so I went all the way through the first policy until I got to the .xml file, which usually contains the user token.

FINALLY I found the Groups.xml file in \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\

What is group policy?

Group Policy is used to deploy additional controls in Microsoft Windows Active Directory for user and computer accounts.

6. Import Groups.xml into local host.

In order to open the file, I imported the Groups.xml file to my local host.

Used command

get Groups.xml

After importing I could find the file in my local host as shown in the image below.

7. Finding user “svc_tgs” cpassword, encrypted with AES.

So, I took some time to read the Groups.xml file carefully. Then I realized this file is used to authenticate users across the network. According to the file, the user is SVC_TGS and the cpassword is encrypted with AES.

What is CPASSWORD?

It is an authentication protocol used to share a set of files and folders on a domain controller, called SYSVOL, in the File Replication Service (Microsoft Windows file sharing for Group Policy).

8. Decrypting cpassword

I copied the cpassword from Groups.xml and decrypted it using the gpp-decrypt tool.

Used command

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

Then you will get the SVC_TGS password as GPPstillStandingStrong2k18
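A defender's check for the finding in steps 7 and 8, as an added example that is not part of the original write-up: it walks a copy of SYSVOL and reports every Group Policy Preferences file that still carries a non-empty cpassword attribute, without decrypting it. The sample tree, account name and cpassword value are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that may hold a cpassword attribute (Groups.xml is the one on this page).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
ACCOUNT_ATTRS = {"username", "accountname", "runas"}

# Constructed sample; the account name and cpassword value are placeholders.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="EXAMPLE\\svc_demo" changed="2018-01-01 00:00:00">
    <Properties action="U" cpassword="PLACEHOLDER_NOT_A_REAL_VALUE"
                userName="EXAMPLE\\svc_demo" neverExpires="1"/>
  </User>
</Groups>
"""

def find_cpasswords(root_dir):
    """Return one finding per element carrying a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                elems = list(ET.parse(path).iter())
            except ET.ParseError:
                continue  # not well-formed XML; nothing to report
            for elem in elems:
                if elem.get("cpassword"):
                    account = next((v for k, v in elem.attrib.items()
                                    if k.lower() in ACCOUNT_ATTRS), None)
                    findings.append({"file": path, "account": account})
    return findings

def demo():
    """Build a constructed SYSVOL-like tree (one dirty, one clean policy) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for policy, body in (("policy-a", SAMPLE),
                             ("policy-b", SAMPLE.replace("PLACEHOLDER_NOT_A_REAL_VALUE", ""))):
            d = os.path.join(root, "Policies", policy, "MACHINE", "Preferences", "Groups")
            os.makedirs(d)
            with open(os.path.join(d, "Groups.xml"), "w") as fh:
                fh.write(body)
        return [(os.path.relpath(f["file"], root), f["account"])
                for f in find_cpasswords(root)]
```

Any account the scan reports should have its password changed and the attribute removed from the policy, since every authenticated domain user can read SYSVOL.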

9. Gaining access user database

Now I have the user access key, and all I have to do is request a login to the SMB server.

Used command

smbclient -U svc_tgs //10.10.10.100/Users

And use GPPstillStandingStrong2k18 as the password.

10. Finding user.txt

After gaining access, you can find the user.txt file in \SVC_TGS\Desktop

GOOD JOB YOU FOUND USER FLAG NOW….

NOW IT'S TIME TO FIND THE ROOT FLAG.

GAINING ROOT PRIVILEGE

11. Locating local host in local host

In order to connect remotely and get the administrator, I involved Kerberos and added the target IP on my local host in /etc/hosts.

12. Setting up the smb ip in local host

I inserted 10.10.10.100 as the IP address and “active.htb” as the name, to connect directly to “active.htb” without using the remote IP address.

Used command

nano /etc/hosts (to edit the file)

Inserted line = 10.10.10.100 active.htb

13. Locating impacket-GetUserSPNs

I used the command “locate impacket SPN” to find the GetUserSPNs script, which is used to request the Administrator token.

Impacket-GetUserSPNs Bash script

14. Getting Administrator token

GetUserSPNs is a Kali built-in bash script, developed to request a Service Principal Name token.

What is SPN?

SPN stands for Service Principal Name, which is used as a unique identifier for Kerberos authentication.

Used command

./impacket-GetUserSPNs -request active.htb/svc_tgs

Standard command format

./impacket-GetUserSPNs <syntax> <user name directory as in the Groups.xml>

15. Decrypting hash value as ACTIVEADMIN.txt

Read the result carefully…

It mentions that the name is Administrator, which means we have requested the administrator authentication. Then I copied the hash to another file named ACTIVEADMIN.txt.

16. Brute forcing the hash.

Then I used the John the Ripper tool to brute-force ACTIVEADMIN.txt and get the administrator password.

Used command

sudo john ACTIVEADMIN.txt --wordlist=/home/kali/Downloads/rockyou.txt

Format of command –

sudo john <brute-forcing target file location> --wordlist=<location of the dictionary list (rockyou.txt)>

I got the dictionary text file online from GitHub:

https://github.com/brannondorsey/naivehashcat/releases/download/data/rockyou.txt

Finally, I got the password as Ticketmaster1968
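The ticket request in step 14 leaves a record on the domain controller (Security event 4769). The following added example, not part of the original write-up, filters such events for successful RC4-HMAC (0x17) service tickets issued for user-account services; the records are constructed, and the burst threshold of 3 is an assumed value.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23: the ticket is keyed by the service account's NT hash

# Constructed records using field names from Windows Security event 4769.
FIELDS = ("TargetUserName", "ServiceName", "TicketEncryptionType", "Status", "IpAddress")
ROWS = [
    ("alice@EXAMPLE.LOCAL", "FILESRV01$", "0x12", "0x0", "::ffff:192.0.2.10"),
    ("alice@EXAMPLE.LOCAL", "krbtgt", "0x12", "0x0", "::ffff:192.0.2.10"),
    ("svc_demo@EXAMPLE.LOCAL", "sqlsvc", "0x17", "0x0", "::ffff:192.0.2.66"),
    ("svc_demo@EXAMPLE.LOCAL", "websvc", "0x17", "0x0", "::ffff:192.0.2.66"),
    ("svc_demo@EXAMPLE.LOCAL", "backupadmin", "0x17", "0x0", "::ffff:192.0.2.66"),
    ("bob@EXAMPLE.LOCAL", "sqlsvc", "0x12", "0x0", "::ffff:192.0.2.20"),
    ("carol@EXAMPLE.LOCAL", "legacyapp", "0x17", "0x0", "::ffff:192.0.2.30"),
    ("dave@EXAMPLE.LOCAL", "websvc", "0x17", "0x1b", "::ffff:192.0.2.40"),  # failed request
]
EVENTS = [dict(zip(FIELDS, row), EventID=4769) for row in ROWS]

def rc4_service_ticket_requests(events, burst=3):
    """Group successful RC4 TGS requests for user-account services by requester."""
    per_requester = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4769 or int(ev["Status"], 16) != 0:
            continue
        svc = ev["ServiceName"]
        # Machine accounts and krbtgt use long random keys, not human-chosen passwords.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        per_requester[(ev["TargetUserName"], ev["IpAddress"])].add(svc)
    return [{"requester": who, "source": ip, "services": sorted(svcs),
             "severity": "high" if len(svcs) >= burst else "review"}
            for (who, ip), svcs in sorted(per_requester.items())]

if __name__ == "__main__":
    for hit in rc4_service_ticket_requests(EVENTS):
        print(hit)
```

A password that falls to a public wordlist, as in step 16, is the other half of the problem: service accounts with an SPN need long random passwords, and AES-only encryption types where the environment allows it.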

17. Gaining access to smbserver as an administrator

I used an smbclient request as the administrator towards 10.10.10.100/Users, and used Ticketmaster1968 as the password.

THERE YOU GO!!!!! YOU ARE IN ROOT ACCESS NOW…

18. Getting the root.txt

I found the root flag in \Administrator\Desktop

THANK YOU

SEE YOU IN THE NEXT MACHINE …..
