NodeZero vs Hack the Box Active

Hack The Box – Active

NodeZero  |  September 5, 2021  |  Attack Paths

After completing a walkthrough of the Blue machine on the Hack The Box platform, feedback indicated that the analysis lacked depth. To address this and demonstrate a more advanced skill set, the next target selected was Active—a more complex and challenging machine on the same platform.

Summary

NodeZero obtained Domain Administrator privileges on Active by exploiting multiple issues common in Active Directory environments. First, it discovered cleartext credentials for the domain user SVC_TGS in a Group Policy file left in an open SMB share. Then, with domain user credentials, it escalated privileges to Domain Admin by executing a well-known Active Directory attack called Kerberoasting.

In addition, NodeZero found a second path to compromising Active using the critical vulnerability CVE-2020-1472, also known as ZeroLogon, which lets any unauthenticated attacker fully compromise a Domain Controller. This vulnerability was discovered a couple of years after the machine was released.

Timeline of Notable Events

Timestamp (UTC) Event
2021-07-02 01:30:22 AM Assessment started
2021-07-02 01:31:02 AM Identified an open SMB share called Replication accessible to any anonymous user
2021-07-02 01:31:13 AM Extracted cleartext credential for the domain user SVC_TGS in a Groups.xml file inside Replication share
2021-07-02 01:31:32 AM Identified the domain controller as vulnerable to critical vulnerablity CVE-2020-1472, a.k.a. ZeroLogon
2021-07-02 01:31:42 AM As the SVC_TGS user, performed a Kerberoasting attack to get a password hash for the Administrator user
2021-07-02 01:33:38 AM Cracked the Administrator user’s hash to recover the user’s cleartext password
2021-07-02 01:33:53 AM Logged into Active as Administrator, fully compromisng the domain

Attack Graph

This is the attack graph that represents what NodeZero did:

Walkthrough

Enumeration

01:30:22 AM UTC – NodeZero began its assessment with the IP address 10.10.10.100. It confirmed the machine was live using an nmap ping sweep.

It ran TCP and UDP port scans using nmap and found multiple open ports.

Based on the presence of LDAP, SMB, Kerberos, and DNS, NodeZero concluded the machine was likely a Windows Domain Controller.

01:30:41 AM UTC – NodeZero confirmed that SMB port 445 permitted null session authentication by verifying anonymous access to the hidden IPC$ share. While low severity on its own, null sessions can sometimes expose valuable information such as usernames, groups, password policies, and available shares.

01:31:02 AM UTC – Using crackmapexec, NodeZero listed all SMB shares and confirmed that anonymous users had read permissions on a share called Replication.

Replication share

Domain User Access

01:31:13 AM UTC – Using smbclient, NodeZero listed files in the Replication share and retrieved a file named Groups.xml. Inside, it found the password: GPPstillStandingStrong2k18 for the domain user SVC_TGS.

GPP Password

This is evidence of a known Active Directory vulnerability, CVE-2014-1812, which involves two issues:

  • Group Policy passwords stored in files accessible to all domain users (typically in the SYSVOL share)
  • Those passwords encrypted using a hard-coded AES key common across all Windows installations

Even after patching, any previously stored passwords remain unless removed manually.

In this case, the Groups.xml file was accessible to anonymous users in the Replication share, which was a replica of the SYSVOL share. NodeZero decrypted the password using the well-known AES key.

01:31:26 AM UTC – NodeZero confirmed the credentials were valid by logging in as SVC_TGS.

Domain user

Escalating to Domain Administrator

NodeZero used a well-known technique called Kerberoasting, disclosed by Tim Medin in 2014, to escalate from domain user to Domain Admin.

Kerberoasting enables any domain user to recover cleartext passwords for other domain accounts that have Service Principal Names (SPNs) assigned. If the password is weak, the encrypted Ticket Granting Service (TGS) ticket can be brute-forced offline.

01:31:42 AM UTC – NodeZero used the Impacket script GetUserSPNs.py to query for SPNs tied to domain user accounts and requested a TGS ticket for the Administrator user, who was linked to the CIFS service.

01:33:38 AM UTC – NodeZero cracked the Administrator hash using hashcat, revealing the password: Ticketmaster1968

01:33:53 AM UTC – NodeZero logged in as Administrator over SMB, fully compromising the domain.

Domain Admin

Post-Exploitation

01:35:00 AM UTC – With Domain Admin privileges, NodeZero dumped all credentials from the machine using the Administrator account. It ran the auxiliary/scanner/smb/impacket/secretsdump module in Metasploit and retrieved the NTLM hash for the krbtgt user.

An Alternate Path To Domain Compromise

01:31:32 AM UTC – During the course of the assessment, NodeZero also identified that the domain controller was vulnerable to CVE-2020-1472 (ZeroLogon) — a critical vulnerability that allows any unauthenticated user to fully compromise the domain.

Although this vulnerability was discovered after Active was released, it presents a valid alternate path to domain compromise without any prior access.

Zerologon

Conclusion

In this post, NodeZero walked through a few basic “oldie-but-goodie” techniques for attacking Active Directory environments. These techniques proved helpful for fully compromising Active. But this is the very tip of the iceberg in terms of what’s possible. Securing Active Directory environments is truly hard work.

How can NodeZero help you?
Let our experts walk you through a demonstration of NodeZero®, so you can see how to put it to work for your organization.
Get a Demo
Share: