# Active

## 1. Scanning

We start with a full TCP port scan to identify which ports are open:

```bash
# Nmap 7.94SVN scan initiated Thu Jan 16 14:02:25 2025 as: /usr/lib/nmap/nmap --privileged -sV -sC -T4 -Pn -p- -oN nmap.info -vvvv 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up, received user-set (0.097s latency).
Scanned at 2025-01-16 14:02:25 EST for 381s
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  tcpwrapped    syn-ack ttl 127
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5722/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49165/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49171/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49173/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
|_clock-skew: -1s
| smb2-time: 
|   date: 2025-01-16T19:08:36
|_  start_date: 2025-01-16T17:51:40
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 40109/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 21553/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 38631/udp): CLEAN (Timeout)
|   Check 4 (port 40991/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Thu Jan 16 14:08:46 2025 -- 1 IP address (1 host up) scanned in 380.75 seconds
```

## 2. Enumeration

* SMB

Anonymous login detected on SMB.

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2F9oUr6mg5pINKgm3h3XAx%2Fimage.png?alt=media&#x26;token=c943d924-b3f0-4c52-bc09-b5878f004e2b" alt=""><figcaption></figcaption></figure>

Listing of the shares exposed by the anonymous session:

```bash
[+] IP: 10.10.10.100:445        Name: 10.10.10.100              Status: Authenticated
Disk                                                    Permissions     Comment
----                                                    -----------     -------
ADMIN$                                                  NO ACCESS       Remote Admin
C$                                                      NO ACCESS       Default share
IPC$                                                    NO ACCESS       Remote IPC
NETLOGON                                                NO ACCESS       Logon server share
Replication                                             READ ONLY
SYSVOL                                                  NO ACCESS       Logon server share
Users                                                   NO ACCESS
```

We access the Replication share and, enumerating it, find the Groups.xml file.

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FuBvsVQkyPWSHrBnRY1ut%2Fimage.png?alt=media&#x26;token=096e3292-976d-4120-9609-7c94e042ee2b" alt=""><figcaption></figcaption></figure>

It contains the encrypted password (the cpassword attribute) for the SVC\_TGS user.

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FTeKEs3kIcTePlgP1FDYX%2Fimage.png?alt=media&#x26;token=28a7bd69-e24a-41a2-8af7-3eec4a536121" alt=""><figcaption></figcaption></figure>

We decrypt it with gpp-decrypt: Group Policy Preferences (typical of Windows Server 2008) protect cpassword with AES-256 under a fixed key that Microsoft published, so anyone who can read the file can recover the plaintext.

More information: <https://www.mindpointgroup.com/blog/privilege-escalation-via-group-policy-preferences-gpp>

Tool used: <https://github.com/t0thkr1s/gpp-decrypt>

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FaawcVzhfURwzBmRAvLj4%2Fimage.png?alt=media&#x26;token=0e3f344e-c3ff-4eb3-a46b-3081f879272b" alt=""><figcaption></figcaption></figure>

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FVGAZ8ZNhTBFjCFSNdUKN%2Fimage.png?alt=media&#x26;token=f005ee6d-3cb4-456b-82d6-8aff8bb74d22" alt=""><figcaption></figcaption></figure>
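An added audit script, not the writeup's or the linked tool's code, that finds the condition exploited here: Preference XML files under SYSVOL that still carry a cpassword attribute. The sample Groups.xml, its placeholder cpassword value and the account attribute names are constructed for the example.

```python
"""Audit Group Policy Preference XML for cpassword attributes.

Added example, not the writeup's or gpp-decrypt's code. Every hit is a
finding: Microsoft published the AES-256 key that protects cpassword.
"""
import base64
import os
import xml.etree.ElementTree as ET

GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")  # varies by file

# Constructed sample shaped like Groups.xml; the cpassword is a placeholder of
# 43 base64 characters (32 ciphertext bytes), not the value from the box.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS">
    <Properties action="U" newName="" description="" userName="active.htb\\SVC_TGS"
        cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" changeLogon="0"/>
  </User>
</Groups>
"""

def cpassword_bytes(value):
    """GPP strips the base64 '=' padding; restore it and decode the ciphertext."""
    return base64.b64decode(value + "=" * (-len(value) % 4))

def audit_xml(xml_text, source="<string>"):
    """One finding per element of a Preference file that carries a cpassword."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), elem.tag)
        cipher = cpassword_bytes(elem.attrib["cpassword"])
        findings.append({"source": source, "element": elem.tag, "account": account,
                         "cipher_len": len(cipher), "aes_block_aligned": len(cipher) % 16 == 0})
    return findings

def audit_sysvol(root_dir):
    """Walk a SYSVOL tree and audit every Preference file type that can hold cpassword."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.extend(audit_xml(fh.read(), path))
    return findings
```

Run `audit_sysvol` against a copy of the SYSVOL Policies tree; any finding means the credential must be treated as exposed and the preference item removed, not merely re-encrypted.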

With the credential obtained we proceed to enumerate with that account:

```bash
[*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
[+] active.htb\svc_tgs:GPPstillStandingStrong2k18
[+] Enumerated shares
Share           Permissions     Remark
-----           -----------     ------
ADMIN$                          Remote Admin
C$                              Default share
IPC$                            Remote IPC
NETLOGON        READ            Logon server share
Replication     READ
SYSVOL          READ            Logon server share
Users           READ

[+] Enumerated sessions
[+] Enumerated loggedon users
[+] Enumerated domain user(s)
active.htb\SVC_TGS                        badpwdcount: 0 desc:
active.htb\krbtgt                         badpwdcount: 0 desc: Key Distribution Center Service Account
active.htb\Guest                          badpwdcount: 0 desc: Built-in account for guest access to the computer/domain
active.htb\Administrator                  badpwdcount: 0 desc: Built-in account for administering the computer/domain
[+] Enumerated domain group(s)
DnsUpdateProxy                           membercount: 0
DnsAdmins                                membercount: 0
Enterprise Read-only Domain Controllers  membercount: 0
Read-only Domain Controllers             membercount: 0
Denied RODC Password Replication Group   membercount: 8
Allowed RODC Password Replication Group  membercount: 0
Terminal Server License Servers          membercount: 0
Windows Authorization Access Group       membercount: 1
Incoming Forest Trust Builders           membercount: 0
Pre-Windows 2000 Compatible Access       membercount: 1
Account Operators                        membercount: 0
Server Operators                         membercount: 0
RAS and IAS Servers                      membercount: 0
Group Policy Creator Owners              membercount: 1
Domain Guests                            membercount: 0
Domain Users                             membercount: 0
Domain Admins                            membercount: 1
Cert Publishers                          membercount: 0
Enterprise Admins                        membercount: 1
Schema Admins                            membercount: 1
Domain Controllers                       membercount: 0
Domain Computers                         membercount: 0
Certificate Service DCOM Access          membercount: 0
Event Log Readers                       membercount: 0
Cryptographic Operators                  membercount: 0
IIS_IUSRS                                membercount: 1
Distributed COM Users                    membercount: 0
Performance Log Users                    membercount: 0
Performance Monitor Users                membercount: 0
Network Configuration Operators          membercount: 0
Remote Desktop Users                     membercount: 0
Replicator                               membercount: 0
Backup Operators                         membercount: 0
Print Operators                          membercount: 0
Guests                                   membercount: 2
Users                                    membercount: 3
Administrators                           membercount: 3
[+] Enumerated local groups
...
[+] Dumping password info for domain: ACTIVE
Minimum password length: 7
Password history length: 24
Maximum password age: 41 days 23 hours 53 minutes
Password Complexity Flags: 000001
Domain Refuse Password Change: 0
Domain Password Store Cleartext: 0
Domain Password Lockout Admins: 0
Domain Password No Clear Change: 0
Domain Password No Anon Change: 0
Domain Password Complex: 1
Minimum password age: 1 day 4 minutes
Reset Account Lockout Counter: 30 minutes
Locked Account Duration: 30 minutes
Account Lockout Threshold: None
Forced Log off Time: Not Set
[+] Brute forcing RIDs
498: ACTIVE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: ACTIVE\Administrator (SidTypeUser)
501: ACTIVE\Guest (SidTypeUser)
502: ACTIVE\krbtgt (SidTypeUser)
512: ACTIVE\Domain Admins (SidTypeGroup)
513: ACTIVE\Domain Users (SidTypeGroup)
514: ACTIVE\Domain Guests (SidTypeGroup)
515: ACTIVE\Domain Computers (SidTypeGroup)
516: ACTIVE\Domain Controllers (SidTypeGroup)
517: ACTIVE\Cert Publishers (SidTypeAlias)
518: ACTIVE\Schema Admins (SidTypeGroup)
519: ACTIVE\Enterprise Admins (SidTypeGroup)
520: ACTIVE\Group Policy Creator Owners (SidTypeGroup)
521: ACTIVE\Read-only Domain Controllers (SidTypeGroup)
553: ACTIVE\RAS and IAS Servers (SidTypeAlias)
571: ACTIVE\Allowed RODC Password Replication Group (SidTypeAlias)
572: ACTIVE\Denied RODC Password Replication Group (SidTypeAlias)
1000: ACTIVE\DC$ (SidTypeUser)
1101: ACTIVE\DnsAdmins (SidTypeAlias)
1102: ACTIVE\DnsUpdateProxy (SidTypeGroup)
1103: ACTIVE\SVC_TGS (SidTypeUser)
```

## 3. Exploitation

### Kerberoasting

We look for service accounts with SPNs to attempt Kerberoasting.

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FCDhDw7YIeIkGoPp7K2FD%2Fimage.png?alt=media&#x26;token=975f4e5b-8342-43e3-98e2-843dad3b881d" alt=""><figcaption></figcaption></figure>

We obtain the encrypted service ticket (TGS) for the Administrator account. We then crack the ticket hash offline with hashcat to recover the password and gain access to the system with elevated privileges.
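The detection side of the step above, as an added example that is not part of the writeup: the burst of RC4 service-ticket requests that a Kerberoasting run leaves in Windows Security event 4769. The event records are constructed; the svc_backup account, the jdoe account and the client addresses are invented.

```python
"""Flag Kerberoasting in Windows Security event 4769 data.

Added example, not from the writeup: a roasting run requests RC4 (etype 0x17)
service tickets for user accounts holding SPNs, typically several from one
client in a burst; machine accounts (name ends in $) and krbtgt are normal
noise and are ignored. Records below are constructed, using the 4769 field
names TargetUserName, ServiceName, IpAddress, TicketEncryptionType, Status.
"""
from collections import defaultdict

RC4_HMAC = "0x17"   # etype requested by classic Kerberoasting tooling
SUCCESS = "0x0"     # Status (failure code) for a granted ticket

def rec(user, service, ip, etype, status=SUCCESS):
    """Build one 4769 record in the EventData shape."""
    return {"TargetUserName": user, "ServiceName": service, "IpAddress": ip,
            "TicketEncryptionType": etype, "Status": status}

SAMPLE_4769 = [  # constructed; svc_backup, jdoe and the client addresses are invented
    rec("svc_tgs@ACTIVE.HTB", "DC$", "::ffff:192.0.2.10", "0x12"),
    rec("svc_tgs@ACTIVE.HTB", "krbtgt", "::ffff:192.0.2.10", "0x17"),
    rec("svc_tgs@ACTIVE.HTB", "Administrator", "::ffff:192.0.2.10", "0x17"),
    rec("svc_tgs@ACTIVE.HTB", "svc_backup", "::ffff:192.0.2.10", "0x17"),
    rec("jdoe@ACTIVE.HTB", "DC$", "::ffff:192.0.2.20", "0x12"),
    rec("jdoe@ACTIVE.HTB", "svc_backup", "::ffff:192.0.2.20", "0x17", "0x7"),  # failed request
]

def is_roastable_request(r):
    """Successful RC4 service ticket for a non-machine, non-krbtgt service."""
    svc = r["ServiceName"]
    return (r["Status"] == SUCCESS
            and r["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def detect_kerberoasting(records, min_distinct_services=2):
    """Group roastable requests by (account, client) and keep the bursty sources.

    Returns {(TargetUserName, IpAddress): sorted list of targeted services}.
    """
    hits = defaultdict(set)
    for r in records:
        if is_roastable_request(r):
            hits[(r["TargetUserName"], r["IpAddress"])].add(r["ServiceName"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_distinct_services}
```

Requests at etype 0x12 pass unflagged, which is the point of configuring AES-only on service accounts; the other control this box illustrates is keeping SPNs off privileged accounts such as Administrator.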

## 4. Post-Exploitation

### Cracking the hash

We crack the ticket hash with hashcat.

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FFOAZBm6JOxyrxRdhcqXD%2Fimage.png?alt=media&#x26;token=034b28da-581f-479e-9262-8e20d44c2893" alt=""><figcaption></figcaption></figure>

With the password obtained we log in as Administrator.

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2F3XiHlO2fmlQXCy7AVrdm%2Fimage.png?alt=media&#x26;token=38d629d2-7371-4230-8a2b-25b64eb3da99" alt=""><figcaption></figcaption></figure>

<figure><img src="https://251574581-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlTgE7hbyi7mSyXsMcq44%2Fuploads%2FiyfIzj9T76SAxuEc23vR%2Fimage.png?alt=media&#x26;token=2152d037-268a-4b8c-8b62-e3eadc3a3966" alt=""><figcaption></figcaption></figure>
