☢️Active
Kerberos Exploit | gpp decrypt | SMB enumeration | Ticket Exploit
Last updated
We start off with a basic initial scan on Nmap.
We find port 53 open along with the LDAP and Kerberos ports, which means we are almost certainly dealing with a domain controller.
I started off checking SMB for any quick and easy wins by attempting to authenticate without credentials against the domain controller.
We can use smbmap to check what shares we have access to without credentials.
We have read access to the "Replication" share. We can run smbget against this recursively to download the entire share.
After downloading the share we can browse the downloaded folders on our attacking machine; the folder of interest is the 'Policies' folder.
When dealing with Group Policy folders, the ideal piece of information to gather is a value called "cpassword", which is usually located in Groups.xml. Below is a great blog post regarding this.
If you go to the following location, active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml, you will see the following information contained in the XML file.
We have a username of SVC_TGS and a cpassword value. Kali comes with a tool called gpp-decrypt. We can use this to decrypt the cpassword value into plain text.
Password: GPPstillStandingStrong2k18
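The reason a cpassword is recoverable at all is that Group Policy Preferences stored it in SYSVOL, readable by every domain member, under a fixed key. From the defender's side the useful check is simply whether any preference XML in SYSVOL still carries the attribute. The scanner below is an added example written for this write-up, not a tool from the original post; the Groups.xml sample is constructed to match the layout described above and the cpassword value in it is a placeholder, not the real one.

```python
"""Find leftover 'cpassword' attributes in Group Policy Preference XML.

Added defensive example (not from the original write-up). Point scan_tree()
at a copy of SYSVOL or at the downloaded Policies folder; every hit is a
credential that should be removed from the GPO and rotated.
"""
import os
import xml.etree.ElementTree as ET

# Preference files known to carry cpassword; all live under .../Preferences/
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}

# Constructed sample modelled on the Groups.xml layout from the write-up.
# The cpassword here is a placeholder, not the value found on the box.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS"
        image="2" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text):
    """Return [(userName, cpassword)] for every element carrying a cpassword.

    An empty cpassword="" means the password field was left blank when the
    preference was created; it is still reported so the GPO can be tidied.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        cp = elem.get("cpassword")
        if cp is not None:
            hits.append((elem.get("userName", ""), cp))
    return hits


def scan_files(files):
    """Pure version of the scan: files is {path: xml_text}.

    Returns [(path, userName, cpassword)] for matching preference files,
    skipping files that are not GPP XML or that fail to parse.
    """
    findings = []
    for path, text in files.items():
        if os.path.basename(path).lower() not in GPP_FILES:
            continue
        try:
            for user, cp in find_cpasswords(text):
                findings.append((path, user, cp))
        except ET.ParseError:
            continue
    return findings


def scan_tree(root_dir):
    """Walk a Policies/SYSVOL directory and feed its XML files to scan_files()."""
    files = {}
    for dirpath, _dirs, names in os.walk(root_dir):
        for name in names:
            if name.lower() in GPP_FILES:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8") as fh:
                        files[path] = fh.read()
                except (OSError, UnicodeDecodeError):
                    continue
    return scan_files(files)


if __name__ == "__main__":
    for path, user, cp in scan_files({"Policies/x/Groups.xml": SAMPLE_GROUPS_XML}):
        print(f"{path}: cpassword present for {user!r}")
```

Run it with `scan_tree("active.htb/Policies")` against the directory smbget created; a non-empty result is the finding, regardless of whether the value decrypts, because the fix (delete the preference item, change the account password) is the same either way.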
I then tried to connect to WinRM on port 47001 with Evil-WinRM; however, I had no luck with the credentials we have gained so far. We do have Kerberos on port 88 running, so we have potential here to enumerate further credentials and accounts.
Before we do anything, let's confirm the credentials work on SMB. We can use smbmap to quickly see what we can now access.
We can now run a recursive search with -R on smbmap to get a quick glance at any potential loot.
We now have access to user.txt. Nothing else interesting here so we can check out Port 88 for some Kerberoasting since we have a valid domain account.
We can use Impacket's GetUserSPNs.py script to request service tickets for any domain accounts that have an SPN set.
We now have a hash for the Administrator account. I tried running the hash through John but could not get John to recognize the format. Instead, I moved over to Hashcat and ran the hash type through the examples page to find the correct mode to run it against.
Hashcat soon cracks the password as: Ticketmaster1968
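What makes this step visible on the domain controller is that GetUserSPNs.py asks for RC4-encrypted service tickets for user accounts, and each request is logged as Security Event 4769. The detector below is an added example written for this write-up, not part of the original post. It assumes the 4769 fields have already been flattened to key=value text; the field names (TargetUserName, ServiceName, IpAddress, TicketEncryptionType) are the real 4769 XML element names, while the four sample events are constructed.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security Event 4769 data.

Added defensive example (not from the original write-up). Input is assumed
to be one event per line as key=value pairs; the sample below is constructed.
"""
from collections import defaultdict

RC4_HMAC = 0x17  # TicketEncryptionType for RC4; modern clients normally get 0x12 (AES256)

# Constructed sample: a normal AES ticket for the DC, then RC4 tickets
# requested by the SVC_TGS user from an attacker-controlled address.
SAMPLE_4769 = """\
EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ IpAddress=::ffff:10.10.10.100 TicketEncryptionType=0x12
EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator IpAddress=::ffff:10.10.14.2 TicketEncryptionType=0x17
EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt IpAddress=::ffff:10.10.14.2 TicketEncryptionType=0x17
EventID=4768 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt IpAddress=::ffff:10.10.14.2 TicketEncryptionType=0x17
"""


def parse_line(line):
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_roastable_request(ev):
    """True for a 4769 that requested an RC4 ticket for a user service account.

    Machine accounts (trailing '$') and the krbtgt service are excluded:
    their keys are long and random, so tickets for them are not crackable
    in the way the write-up's Administrator ticket was.
    """
    if ev.get("EventID") != "4769":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    try:
        etype = int(ev.get("TicketEncryptionType", "0"), 16)
    except ValueError:
        return False
    return etype == RC4_HMAC


def find_kerberoast_candidates(log_text):
    """Group suspicious requests: {(requesting user, source IP): [service accounts]}.

    One RC4 ticket for a user SPN may be a legacy client; several distinct
    service accounts from one (user, IP) in a short window is the pattern
    a GetUserSPNs.py run produces.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if is_roastable_request(ev):
            hits[(ev["TargetUserName"], ev["IpAddress"])].append(ev["ServiceName"])
    return dict(hits)


if __name__ == "__main__":
    for (user, ip), services in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

The mitigation this points at is the same one that would have blunted the cracking step here: put service accounts on AES-only (msDS-SupportedEncryptionTypes) with long random passwords, so an RC4 request is refused and a captured ticket is not worth feeding to Hashcat.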
Now that we have valid credentials we can potentially gain further access in multiple ways. The first time, I grabbed the flag using smbclient to access C$; however, if this was a real penetration test, ideally we would demonstrate a shell as SYSTEM / Administrator.
To gain shell I will use Impacket's psexec.py.
From here we can loot both the root.txt and user.txt flags.