Hack The Box — Active Writeup without Metasploit

Active is my favorite HTB box so far, because this machine is based on Active Directory. This machine teaches you how to enumerate Active Directory, crack a Group Policy Preference password, and obtain the domain admin's Kerberos 5 hash to escalate privileges. There is a lot to learn while doing this box, which is built around common vulnerabilities associated with Windows Server Active Directory.

Enumeration

Began with the usual Nmap scan.

There were a bunch of ports open. Ports like LDAP, Kerberos and SMB certainly got my attention. When both LDAP and Kerberos are open, you know that you are dealing with a box that has Active Directory installed.

Used the Nmap vuln scripts to see whether there were any known vulnerabilities associated with the ports listed above.

Used the LDAP script to further enumerate the Active Directory. Nothing!

I then moved on to the SMB ports, since I didn't find anything from the Nmap scripts.

Used smbclient and enum4linux to view the SMB shares.

According to the scans above, the Replication share can be accessed anonymously.

Accessed the Replication share and found the file below.

Downloaded the file to my host and viewed it.

Groups.xml brought an interesting feature into the picture: "Group Policy Preferences", introduced with Windows Server 2008. GPP is considered quite useful because of its ability to store user credentials in several scenarios.

GPP has been useful for administrators because it provides an automated mechanism. It lets them leverage Group Policy to deploy scheduled tasks with explicit credentials and to change the local admin password on a large number of computers at once. When a new GPP is created, an associated XML file is created in SYSVOL with the relevant configuration and a password, if one is provided. That stored password is AES-256 encrypted. Later on, Microsoft published the AES private key, which can be used to decrypt the password. With access to this XML file, there are a few ways an attacker can decrypt the stored value.

Microsoft later released a patch, MS14-025, that prevents this privilege escalation. This patch needs to be installed on all systems that administer Group Policy using the Remote Server Administration Tools (RSAT). It prevents admins from putting password data into a Group Policy Preference.
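The defensive counterpart of what the share exposed is auditing SYSVOL for GPP XML files that still carry a `cpassword` attribute. The script below is an added example, not part of the original write-up or any of the tools it uses: it parses the GPP file types whose schema allows a `cpassword` (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml), reports every element that still embeds a password, and can walk a SYSVOL mirror. The sample XML, account names and the `cpassword` value are constructed for the example; it reports the presence of stored passwords and does not decrypt them.

```python
"""Audit Group Policy Preference XML files for stored (cpassword) credentials.

Added example, not from the original write-up. It reports elements whose
<Properties> still carry a cpassword attribute, which is exactly what MS14-025
stops administrators from creating in the first place.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# GPP files under SYSVOL whose schema allows a cpassword attribute.
GPP_FILES_WITH_CPASSWORD = {
    "Groups.xml", "Services.xml", "ScheduledTasks.xml",
    "DataSources.xml", "Drives.xml", "Printers.xml",
}

# Attribute names that identify the account a stored password belongs to.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample (placeholder GUIDs and a placeholder cpassword), shaped
# like a Groups.xml that still stores a password for one of two local users.
SAMPLE_GROUPS_XML = """<Groups clsid="{00000000-0000-0000-0000-000000000000}">
  <User clsid="{00000000-0000-0000-0000-000000000001}" name="EXAMPLE\\svc_example" changed="2018-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" newName="" fullName="" description="" cpassword="PLACEHOLDER-NOT-A-REAL-CPASSWORD" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="EXAMPLE\\svc_example"/>
  </User>
  <User clsid="{00000000-0000-0000-0000-000000000001}" name="EXAMPLE\\no_password" changed="2018-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties action="U" newName="" fullName="" description="" cpassword="" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="EXAMPLE\\no_password"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text: str, path: str) -> List[Dict[str, str]]:
    """Return one finding per element whose <Properties> carry a non-empty cpassword."""
    findings: List[Dict[str, str]] = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        props = elem.find("Properties")  # direct child only; the schema nests it there
        if props is None:
            continue
        cpassword = props.get("cpassword")
        if not cpassword:  # attribute absent or empty: no password stored
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "<unknown>")
        findings.append({"file": path, "element": elem.tag, "account": account})
    return findings


def audit_sysvol(root_dir: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL copy (e.g. a mounted or downloaded Policies tree) and collect findings."""
    findings: List[Dict[str, str]] = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name not in GPP_FILES_WITH_CPASSWORD:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
            except ET.ParseError as exc:
                findings.append({"file": path, "element": "<parse error>", "account": str(exc)})
    return findings


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f['file']}: <{f['element']}> stores a cpassword for {f['account']}")
```

Run it against a copy of `\\<domain>\SYSVOL\<domain>\Policies`; every finding is a credential that should be rotated and a preference item that should be removed, since the stored value is recoverable by anyone who can read the share.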

I used a tool called gpp-decrypt, which can be found in the Kali repository, to decrypt the hash.

Up to this point, I have both the username and the password.

There was another share, named User, found during the enumeration.

Initial Foothold

This share doesn't allow anonymous access, so how about using the credentials I discovered to log in to it? I accessed the share using the username SVC_TGC and the password GPPstillStandingStrong2k18.

The credentials worked and I was able to get the user.txt file. The user file had to be copied over to my local machine, where I read it.

Privilege Escalation

Having discovered the user credentials, the next goal was to find the admin credentials to escalate privileges. This is where the term Kerberoasting comes into the picture.

Kerberoasting

Kerberoasting in a nutshell: when a user wants to authenticate to some service using Kerberos, the user first contacts the Domain Controller and tells it which service the user needs to authenticate to. The Domain Controller then delivers the user a response (the service ticket) that is encrypted with the service account's password hash. This response is normally presented to the service, which decrypts it with its own password and checks the user's identity before granting access. In a Kerberoasting attack, the part of the Domain Controller's response that is encrypted with the NT hash of the service account is cracked with offline brute-force tools instead of being sent to the service for authentication.

Windows uses Service Principal Names (SPNs) to identify which service account is used to encrypt the TGS. Any domain user can request a TGS from a domain controller for any service that has a registered SPN. When the TGS is created, the DC doesn't check whether the requesting user is authorized to access the resource; that check is done by the service.

Put another way, a Kerberoasting attack allows any valid domain account to request a service ticket for any service and then use that ticket for offline password-cracking attempts.

There are many ways to request a TGS. The PowerShell Empire project offers a module called Invoke-Kerberoast, which identifies all SPNs in a domain and requests a TGS for every service account. That output can be fed directly into a password cracker, but in this case we don't have access to PowerShell, so we have to use another method: Impacket's GetUserSPNs.py, a Python script that runs on Linux. GetUserSPNs.py requires the username and password of a domain user.
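From the defender's side, the behaviour described above leaves a distinctive trace in the domain controller's Security log: event 4769 (a Kerberos service ticket was requested). The script below is an added example, not part of the original write-up or of Impacket, showing two detections over pre-parsed 4769 records: service tickets requested with RC4-HMAC (encryption type 0x17) for user-style service accounts, which is the ticket type offline cracking targets, and one account requesting tickets for many distinct SPNs within a short window, which is what "request a TGS for every service account" looks like. The event records, account names, SPNs and IP addresses are all constructed; the thresholds are assumptions to tune per environment.

```python
"""Detect Kerberoasting-style service ticket requests in Windows event 4769 data.

Added example, not from the original write-up. Input records are assumed to be
4769 events already parsed into dicts with the fields used below; the sample
records are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"  # "Ticket Encryption Type" value for RC4-HMAC in event 4769

# Constructed sample: a normal file-share ticket, a normal TGT renewal, one
# low-privileged user requesting tickets for three service accounts within
# about a minute using RC4, and one isolated RC4 ticket for a legacy service.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2018-07-28T09:58:10", "account": "alice", "service": "WS01$", "enc": "0x12", "ip": "10.0.0.20"},
    {"time": "2018-07-28T09:59:00", "account": "bob", "service": "krbtgt", "enc": "0x12", "ip": "10.0.0.21"},
    {"time": "2018-07-28T10:00:01", "account": "lowpriv_user", "service": "svc_sql", "enc": "0x17", "ip": "10.0.0.50"},
    {"time": "2018-07-28T10:00:30", "account": "lowpriv_user", "service": "svc_http", "enc": "0x17", "ip": "10.0.0.50"},
    {"time": "2018-07-28T10:01:10", "account": "lowpriv_user", "service": "svc_backup", "enc": "0x17", "ip": "10.0.0.50"},
    {"time": "2018-07-28T10:30:00", "account": "carol", "service": "svc_legacy", "enc": "0x17", "ip": "10.0.0.22"},
]


def is_user_service_account(service: str) -> bool:
    """Machine accounts (ending in '$') have random passwords and krbtgt tickets are
    ordinary TGT traffic; only user-style service accounts are crackable targets."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def rc4_service_ticket_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 1: any RC4 service ticket issued for a user-style service account."""
    return [
        e for e in events
        if e["enc"].lower() == RC4_HMAC and is_user_service_account(e["service"])
    ]


def spn_burst_alerts(
    events: List[Dict[str, str]],
    threshold: int = 3,                       # assumed: distinct SPNs that count as a burst
    window: timedelta = timedelta(minutes=5),  # assumed: sliding window length
) -> Dict[str, List[str]]:
    """Rule 2: accounts that requested >= threshold distinct user-style SPNs inside one window.

    Returns {account: sorted list of SPNs in the first window that tripped the rule}.
    """
    by_account: Dict[str, List] = defaultdict(list)
    for e in events:
        if is_user_service_account(e["service"]):
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))

    alerts: Dict[str, List[str]] = {}
    for account, reqs in by_account.items():
        reqs.sort()  # chronological; ties broken by service name
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                alerts[account] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for e in rc4_service_ticket_alerts(SAMPLE_EVENTS):
        print(f"RC4 service ticket: {e['account']} -> {e['service']} from {e['ip']} at {e['time']}")
    for account, spns in spn_burst_alerts(SAMPLE_EVENTS).items():
        print(f"SPN enumeration burst: {account} requested {len(spns)} SPNs: {', '.join(spns)}")
```

Rule 1 on its own is noisy in domains where legacy services still negotiate RC4, which is why the second rule keys on the enumeration pattern rather than the cipher; the two together point at the same account in the sample. Both rules also show why the "strong service account passwords" lesson matters: the ticket itself cannot be prevented, only made useless to crack.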

The output of GetUserSPNs.py can be used to crack the password. I saved the password hash (highlighted by the arrow) into a new file called hashkerber and used it with John.

I managed to crack the password as mentioned above.

Since I now have the administrator credentials, I can use them to log in via Psexec.

Lessons learned

The Replication share was available for anonymous access, and in it I found a GPP file that contained encrypted credentials. Since the AES key is publicly available, it was easy to recover the password and log in as a low-privileged user. Anonymous access shouldn't have been permitted to a shared folder containing sensitive data and files.

Microsoft has released the MS14-025 patch to prevent this privilege escalation. With the patch applied, administrators can no longer save usernames and passwords while setting up Group Policy Preferences.

The Kerberoasting attack could have been prevented if the administrator had used strong service account credentials, which would make it impossible for attackers to crack the password even though the TGS was retrieved.

10 boxes are down!
