Pushing local administrators through Group Policy Preferences (GPP) on Windows Server 2k8 is a bad idea (Active HTB walkthrough)

Youssef Ichioui
5 min read · Dec 19, 2019

AGENDA

  • Ports Scanning
  • Enumerating SMB
  • Finding & Exploiting GPP (Group Policy Preferences)
  • Kerberoasting an administrator account
  • Cracking the hash and gaining a shell as NT AUTHORITY\SYSTEM
  • References

Ports Scanning

Let’s start by scanning the box for open ports. Usually, I do what I call a staged scan.

1. I run Nmap against the default 1000 ports without enumerating any versions (without -sC for the default scripts, and without -sV to enumerate versions).
2. I run it again with -sC and -sV.
3. I use targeted NSE (Nmap Scripting Engine) scripts for the identified services.
4. I scan all the ports (-p-) and speed things up with -T4.

I don’t want to flood the network with the traffic generated by my scans in a real-world scenario, so I am strategic when it comes to scanning the network.

The purpose of this staged scan is that I can work manually while the other scan is running. For instance, if my very first scan shows that port 80 is open, I can start enumerating subdomains, doing content discovery, and inspecting the web page manually while the next Nmap scan runs in the background. That keeps me time-efficient, and I start mapping my attack surface strategically through mind mapping and similar techniques.

In the following screenshot, I show stage two of my Nmap scan.

You can see that I am using the -o option to write the scan output to a file, and the -vvv option to make it verbose, so I can see open ports as the scan runs.

From the previous screenshot, we know that the machine is running Windows Server 2008 and that ports 53 (DNS), 88 (Kerberos), and 389 (LDAP) are open. Whenever I see those three ports open, I know that I am attacking a domain controller inside an Active Directory environment.

LDAP reveals the domain name which is active.htb.

We can now start enumerating the services. The two interesting ones are DNS and SMB. I tried getting the hostname through reverse DNS lookups without any results, so I jumped directly to SMB.

SMB Enumeration

When port 445 is open, the first thing I do is map the shares. I use smbmap, smbclient, and enum4linux. My favorite is smbmap, as it also shows me the permissions on those shares.

The following screenshot shows the command I ran to enumerate shares on the box.

We have read access on the Replication share, and active.htb is listed within it. So, most likely a null session is accepted, giving us anonymous access.

With smbmap we can recursively list the directories and files within the Replication share.

Going through the results, we find a file called Groups.xml.

Finding & Exploiting GPP

Let’s open this file:

Bingo. There is a cpassword tag, which means this file is a Group Policy Preference (GPP). GPP is used in Windows Server 2008 to set and store credentials in different scenarios, most importantly local administrators’ passwords.

When a new GPP is created, an associated XML file is created in SYSVOL with the relevant configuration data. If a password is provided, it is encrypted with AES-256, which should be good enough… (oddly, we found it on a Replication share).

Except at some point prior to 2012, Microsoft published the AES private key on MSDN which can be used to decrypt the password. Since authenticated users (any domain user or users in a trusted domain) have read access to SYSVOL, anyone in the domain can search the SYSVOL share for XML files containing “cpassword” which is the value that contains the AES encrypted password [1].
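The SYSVOL search described above is also exactly what a defender should run to remediate this. The following is an added example, not code from the original post: it parses GPP XML files (Groups.xml and the other item types), reports every item that still carries a non-empty cpassword without needing to decrypt it, and walks a copy of SYSVOL to do so at scale. The sample Groups.xml and its cpassword value are constructed placeholders modelled on the layout the post describes.

```python
"""Audit Group Policy Preference XML for embedded cpassword values.
Added example (not the original post's code): the defender-side check that mirrors the
attacker's SYSVOL search; any non-empty cpassword is a finding (MS14-025 remediation)."""

import os
import xml.etree.ElementTree as ET

# GPP item files that may carry a cpassword attribute (matched case-insensitively).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# Constructed sample modelled on the Groups.xml layout the post describes; the cpassword is
# a placeholder, not the box's ciphertext, and the second item shows the no-password case.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS"><Properties action="U" userName="active.htb\\SVC_TGS"
    cpassword="Q09OU1RSVUNURURfUExBQ0VIT0xERVI=" neverExpires="1"/></User>
  <User name="helpdesk"><Properties action="U" userName="helpdesk" cpassword=""/></User>
</Groups>"""


def find_cpassword_entries(xml_text, source="<string>"):
    """Return one finding per GPP item whose Properties carry a non-empty cpassword."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"file": source, "error": str(exc)}]   # report, don't silently skip
    findings = []
    for item in root:                  # one <User>, <Service>, <Task>, ... per item
        for elem in item.iter():
            cpw = elem.get("cpassword")
            if not cpw:                # attribute absent or "" means no stored password
                continue
            findings.append({"file": source, "item": item.tag,
                             "name": item.get("name", "<unnamed>"),
                             # Groups.xml uses userName; other GPP types use accountName/runAs
                             "account": elem.get("userName") or elem.get("accountName")
                             or elem.get("runAs") or "<unknown>",
                             "cpassword_len": len(cpw)})
    return findings


def audit_sysvol(path):
    """Walk a copy of SYSVOL and collect cpassword findings from every GPP file."""
    findings = []
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            if name.lower() in GPP_FILES:
                with open(os.path.join(dirpath, name), encoding="utf-8-sig") as fh:
                    findings.extend(find_cpassword_entries(fh.read(), fh.name))
    return findings
```

Run `audit_sysvol(r"\\dc\SYSVOL")` (or against an offline copy) and treat every finding as a credential to rotate and a GPP item to delete, since the ciphertext is recoverable by anyone who can read the share.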

The cpassword found is for the account SVC_TGS.

Let’s decrypt the cpassword with gpp-decrypt, or use the “Get-GPPPassword” function from PowerSploit.

So the password is GPPstillStandingStrong2k18.

Now that we have a valid user and password on the box, we can try enumerating other users. There are multiple tools to do so; I am going to use impacket’s GetADUsers script.

  • -all: return all users, including those with no email addresses and disabled accounts.
  • -dc-ip: our domain controller’s IP.

We can see that we have 4 users on this machine.

If we were admin on the machine, psexec should give us a shell because the administrative shares would be writable. Unfortunately, psexec fails us, since we are not admin on the machine.

Kerberoasting an administrator account

At this point, I was thinking of leveraging “runas /netonly” to create a session on the box as the svc_tgs user and run BloodHound…
But since we have Kerberos, and only a few users, I decided to check whether a Service Principal Name (SPN) is associated with any user account.

Spoiler alert: administrator has an SPN set for CIFS. We will use impacket’s GetUserSPNs script [2].

If a clock skew error occurs, it is because the time difference between our box and the Kerberos server is larger than the permissible limit.

Cracking the hash and gaining a shell as NT AUTHORITY\SYSTEM

Let’s try to crack the hash using hashcat. For this I use my host machine, since it has a graphics card to speed things up.
We put the hash in a file and use mode 13100 (you can check which mode to use with `hashcat --example-hashes` and grep for Kerberos). I’ll be using the rockyou.txt password list as well.

In a few seconds we have the password: Ticketmaster1968.

With that password we can get a SYSTEM shell on the DC with psexec.


Youssef Ichioui

I am an IT auditor, and a cyber security engineer. I love information technology, and I would love to give back to the community by writing some fun articles.