Road to OSCP: HTB Series: Active Writeup

Louis Low
6 min read · Nov 17, 2020
Active (Easy) Machine on Hack-the-Box

Continuing on my road to the OSCP certification, I am in the midst of preparing for the exam in January. Part of my preparation is to take on the retired machines available on the Hack The Box (HTB) platform. It is a great platform for practising and learning new penetration testing skills, as well as for taking on the challenge of “capturing the flag” on their machines.

In this HTB series, I will be sharing my write-ups on all the retired machines that I have attempted. If you are wondering, “How does he know which machines to do to prepare for OSCP?”, I am using TjNull’s list of OSCP-like boxes in HTB, which can be found here

This box is pretty cool, and I immediately wanted to do a write-up right after I finished this machine.

Yeap, just rooted this box and I wanna write about it

What is interesting about this box is probably more of a personal challenge. I am not usually the most comfortable when it comes to penetrating a Windows machine, especially when enumerating the SMB service and figuring out the right location to find the files I need. This machine really challenged me in that aspect, and it also let me put into practice Kerberoasting, which I also learnt in the OSCP course.

Recon

As usual, I begin my enumeration with AutoRecon, which is developed and scripted by Tib3rius. Check out his Twitter account for voucher codes for his privilege escalation course as well! Now, looking at the screenshots of what I got:

Full Nmap Scan Results from AutoRecon

This is one of the reasons why I am not usually fond of Windows: many RPC ports, and sometimes ports that I do not have very strong knowledge of. However, looking at this, we can tell that this machine is running Active Directory and that the Kerberos service is exposed as well. UDP port 53 (DNS) is also open, which hints that this machine might be a Domain Controller.

Information Gathering

SMBMap results from AutoRecon Usage

Using smbmap, AutoRecon also presented several interesting findings within the SMB service. We see that as an anonymous user we have read access to the Replication share. smbmap also reveals the contents of the share that is readable:

SMBMap listing contents of shares

We see there are a couple of folders and files that we can look at. So let’s go in with smbclient to manually enumerate the share:

Starting manual enumeration of Replication Share

As we enumerate the share, we come across several interesting files: GPT.INI, GPE.INI, GptTmpl.inf and Groups.xml. Googling these files gives us the readings below:

File Contents of the files found in the Replication Share

We then google more about Groups.xml and find that the cpassword value in the file can be decrypted to recover the password of the user listed in Groups.xml. Using the following link as reference:

We then use gpp-decrypt on our Kali box:

Decrypting and getting the cleartext password for SVC_TGS user

We then obtain the password for SVC_TGS: GPPstillStandingStrong2k18
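The defender’s side of this finding is making sure no such file is left in SYSVOL. The following audit script is an added example (not part of the original write-up or of any HTB tooling): it walks a copy of a Domain Controller’s SYSVOL share, parses the Group Policy Preference XML files that can carry a cpassword attribute, and reports every item that still has one. The Groups.xml it checks is constructed, and its cpassword value is a placeholder rather than a real encrypted credential.

```python
"""Audit Group Policy Preference XML for leftover cpassword attributes.
Added example, not code from the original write-up. It walks a SYSVOL copy and
reports every preference item still carrying a cpassword; the Groups.xml below
is constructed and its cpassword is a placeholder, not a real encrypted value.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
# Preference files that may carry a cpassword attribute (the MS14-025 set).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS">
    <Properties action="U" newName="" cpassword="PLACEHOLDER_CPASSWORD"
                userName="active.htb\\SVC_TGS"/>
  </User>
  <User name="active.htb\\cleaned"><Properties action="U" cpassword="" userName="x"/></User>
</Groups>
"""

def find_cpasswords(xml_path):
    """Return (tag, account, cpassword) for each item whose cpassword is non-empty."""
    findings = []
    for elem in ET.parse(xml_path).iter():
        cpw = elem.get("cpassword")
        if cpw:  # cpassword="" means the item was already cleaned up
            acct = elem.get("userName") or elem.get("runAs") or elem.get("accountName") or ""
            findings.append((elem.tag, acct, cpw))
    return findings

def audit_sysvol(root_dir):
    """Walk root_dir (a SYSVOL copy) and map each offending file to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for path in (os.path.join(dirpath, n) for n in files if n in GPP_FILES):
            hits = find_cpasswords(path)
            if hits:
                results[path] = hits
    return results

def demo():
    """Write the constructed Groups.xml into a SYSVOL-like tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp_dir = os.path.join(tmp, "Policies", "{GPO-GUID}", "MACHINE", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return [hit for hits in audit_sysvol(tmp).values() for hit in hits]
```

Point audit_sysvol at a mounted or copied SYSVOL tree; any non-empty result is a credential that should be removed from the policy and rotated.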

Using the credentials we obtained, we enumerate further with smbmap:

Further Enumeration with new Creds

Now we have read access to more shares! In the course of our enumeration with smbmap, we find user.txt:

We see user.txt but we cannot touch it :(

While it is tempting to just pull the file and read it, I really do not want to do that, because in the OSCP exam it is a requirement to have obtained a shell when we read the flags. So let’s keep to that practice for the sake of exam preparation.

Now we need to find a way to escalate from here! If we can gain write access to a share, we will be able to use psexec.py from Impacket.

Privilege Escalation

Now that we have the password of a user on this machine, let’s see if we can get the password of Administrator. Since we know this machine uses Kerberos as its authentication method, we can try to obtain the Service Principal Name (SPN) values. In doing so, we might obtain a ticket that will allow us to carry out Kerberoasting and recover the password of an account with higher privileges.

Using GetUserSPNs.py:

Using GetUserSPNs.py

We obtain a ticket for the Administrator account. Let’s save this to an output file:

Outputting result as a text file

Then we want to clean up and make sure that the text file is in the format John the Ripper expects to crack the ticket:

cat JtR | sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/'

Then, using the rockyou.txt wordlist and John the Ripper:

Cracking the Hash with John The Ripper

Now we know the password of the Administrator: Ticketmaster1968.
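From the blue-team side, every GetUserSPNs.py request above is recorded on the Domain Controller as a Kerberos service ticket request (Event ID 4769), and the RC4 encryption type it asks for is what makes the ticket crackable offline. The script below is an added example, not part of the original write-up: it runs a simple Kerberoasting detection over constructed 4769 records whose field names follow the event’s own XML (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) and flags RC4 requests for user-account SPNs, grouped by the requesting account and source address.

```python
"""Flag Kerberoasting-style service ticket requests in Windows Security events.
Added example, not code from the original write-up. Kerberoasting as done above
requests an RC4-HMAC (etype 0x17) TGS for a user account's SPN, and the Domain
Controller records each request as Event ID 4769. The events below are
constructed and reduced to the 4769 fields the detection needs.
"""
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC (etype 23)

# Constructed 4769 records: AES requests for the DC's machine account, one RC4
# request for a user SPN (Administrator) and one RC4 request for krbtgt.
SAMPLE_EVENTS = [
    {"TimeCreated": "2020-11-17T10:00:01", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5"},
    {"TimeCreated": "2020-11-17T10:00:02", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"TimeCreated": "2020-11-17T10:00:02", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"TimeCreated": "2020-11-17T10:05:00", "TargetUserName": "jdoe@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.20"},
]

def is_roastable_request(event):
    """True for an RC4 TGS request for a user SPN (not a machine account, not krbtgt)."""
    service = event["ServiceName"]
    return (event["TicketEncryptionType"].lower() == RC4_HMAC
            and not service.endswith("$")      # machine accounts have long random passwords
            and service.lower() != "krbtgt")   # TGT/referral traffic, not a roastable SPN

def kerberoast_alerts(events, min_requests=1):
    """Group suspicious requests by (requesting account, source IP); alert at threshold."""
    by_source = defaultdict(list)
    for event in events:
        if is_roastable_request(event):
            key = (event["TargetUserName"], event["IpAddress"])
            by_source[key].append(event["ServiceName"])
    return {k: v for k, v in by_source.items() if len(v) >= min_requests}
```

In a real environment raise min_requests to cut noise from legacy RC4-only services, and remove the root cause by giving SPN-bearing accounts long random passwords (or gMSAs) and AES-only encryption types.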

Using smbmap to check our permissions on the shares:

Yes, there is a writeable and readable share!!!

We have read and write access! This means we can use psexec.py to obtain a remote shell on the machine:

Gained Root shell on Machine

We have successfully gained a shell with Administrator privileges. Grabbing the root.txt:

Grabbed the flag for Root! Machine Owned!

Learning Points

I learnt more about the Windows feature of Group Policy Preferences and how it is used in Windows Server 2008. I also saw how, when the preference items are not secured properly, passwords can easily be stolen, as in this case: we could read the Groups.xml file, which contains a cpassword that can be decrypted to obtain the plaintext password. I also had a chance to practise Kerberoasting and recalled the use cases of psexec to obtain a shell. Overall, I really enjoyed this machine!

Thank you for reading! As always, if you enjoy these write-ups, subscribe to my publications or follow me on Twitter @lojomojo96 and hit me up with a DM! It will really encourage me to keep writing and sharing even as I prepare for my OSCP certification. Of course, if there are points to improve upon in my methodology, do let me know too! You can also find me on LinkedIn:

https://www.linkedin.com/in/louis-joshua-low/

Louis Low

Security Engineer by Day | Security Researcher by Night | Bug Bounty Hunting