[00:00:00 - 00:01:26] So we're going to walk through a box called Active. Now, Active relates to Active Directory; it's one of my favorite machines on Hack The Box because of this. So Active lives at 10.10.10.100, and I want you to go ahead and boot up your machine and log in to Hack The Box if you are going to follow along. So this is going to be kind of a two-part video. The first part, I'm going to show you how we scan and enumerate this machine, what we're looking for when it comes to GPP, and then the second part is just going to be a bonus. We're going to actually have to privesc this machine, and we're going to figure out how we're going to privesc this machine based on an attack that we've already done in the past in this course. So once you're all loaded up here, go ahead and go into your terminal and get scanning. So this one lives at 10.10.10.100, and I'm just going to make this a quick scan. nmap, and then what I'll do, I'm actually gonna do a -T5 on 10.10.10.100, and this should pull back pretty fast on the ports we're going to be after. And so what we're going to do here is, you can see that we are running a domain. So when we scan against a domain controller, we expect to see something like 53 open, and that could be a router as well.
[00:01:26 - 00:02:46] But we also expect to see 88 open, because 88 is Kerberos, and if running Kerberos on that port, that kind of tells us, along with LDAP and LDAP secure or LDAP SSL. So now we kind of have an idea that this is probably a domain controller based on all the things that we're seeing here. So on top of this we have 445 open. So we want to enumerate 445 on this machine, and we're going to take a look at 445 for this attack. Why are we looking at 445? Because the attack involves utilizing SMB, and in SMB, when you connect to it, there are shared folders, right? Let's take a look. This will be easier. So let's say smbclient, and we'll do a -L to list this out, and I'll go ahead and just say 10.10.10.100. I'll take a quick look at this, and we'll try anonymous connection here, and you can see that there are different folders. There's the ADMIN$, C$ folder, IPC$, NETLOGON, Replication, SYSVOL and Users. Now we can try to connect to each one of these, but it's going to deny us access to all of these. However, there is this Replication folder where we do have anonymous access as a null user, right?
[00:02:46 - 00:04:02] So we're just gonna say Replication, enter this in, and we have access to this machine. And I'm kind of speeding along here just so that we can get through this and we can actually work on the machine itself, with the exploit itself, as opposed to working on methodology and why we're doing this; the exploit is more related to SMB than it is enumerating. So this isn't a walkthrough box more so than showing you the exploit. So the way this file works is it's storing this Groups.xml file, and in that Groups.xml file is where you find that cpassword, and this is where that GPP, that Group Policy Preferences, came into play. And so let's go ahead and turn on my... turn prompt off, which, just like I typed it, is just going to tell us not to prompt when we tell it to download all of our files. So what I'm going to say is I want recurse on, so recurse on means it's going to download all the files that I tell it to. So if I do ls here, you can see there's a bunch of different folders and files in here, and there's actually, you can see, there's a Groups.xml, and this is kind of what we're gonna be interested in.
[00:04:02 - 00:05:25] So what we're gonna do is we're just going to say mget * like this, and this is going to get all the files, and as we see these come across we can know if we're interested in anything. We see this GPT.INI, we see Groups.xml, a Registry.pol, GptTmpl. So we're really interested in this Groups.xml. And this is something to note: Groups.xml is the file you're looking for when it comes to GPP. Now you don't have to do this again. There is the GPP enumerate when it comes to Meterpreter, or if you want to use PowerShell, there are PowerShell scripts out there as well. I believe one is called Invoke-GPP, and that will search through the SYSVOL for you as a user and look for this exploit. So in this situation I should note too that we had anonymous access to this Replication folder. That's not a realistic scenario. This is most definitely a post-exploit scenario where we have a user account; once we have that user account, we'll be able to access that SYSVOL folder. OK. So from here we see that we have this Groups.xml. So what I'm gonna do is I'm actually gonna go to Files, and we are here in active.htb. It should download to that, and we can just kind of look where it went.
[00:05:25 - 00:07:01] So I went Policies, 31B, we're going to go to the 31B folder, and then we're going to go to Preferences, or Machine, Preferences, Groups, and there's the Groups.xml. So this is why I also did the mget *, so that we can see what came through and we don't have to just sit there and cd and navigate around just to see if there's something in a folder or not in a folder; it's much easier to sit down with everything in it and look through what comes through. So when we come into here and we open this up, you can see now that we have our cpassword. On top of this, we have active.htb, which is the domain name, and we have service ticket granting service. TGS, that should ring a bell, right? Ticket granting service. So this is the TGS account. So what are we going to do? We're going to copy this bad boy here and we can go right into... let's just go ahead and go to a new tab, make this bigger, and we could just say something along the lines of gpp-decrypt, paste that in just like that, and look what happens: GPPstillStandingStrong2k18, so that's the password. Look how long this password is. It doesn't really matter, right? What matters here is that we are able to reverse or decrypt this GPP because we know the encryption. So here we now have a username and a password.
[00:07:01 - 00:08:20] We have active.htb, SVC_TGS, and the password of GPPstillStandingStrong2k18. So I'm going to pause the video here, or I'm going to actually cut the video off. This is to be considered part one; part two is going to be a challenge to you. We can now go log in with this account, and you're going to find that when you log in with this account you are actually a lower-level user. This account is not a high-level user. This is not a system. OK. So because this is not a system-level user, what is an attack that we can run on this to try to escalate? And you can use anything and everything that has been taught to you so far. Once you think through it, if you think you find the answer, go ahead and attempt it. If you're just watching and not following along with the Hack The Box, that's OK as well; just go ahead and meet me in the next video and we'll cover this. So a brief review as well. We are after the GPP, right, the Groups.xml. This is an older exploit. We're targeting Windows 2012, Server 2012 usually with these, and you're going to see these in environments. When you come across it, it's going to look pretty much like what I showed you.
[00:08:20 - 00:08:45] It's going to be something like this where you either get the username and the password right off the bat with Meterpreter, or you're going to run something along the lines of Invoke-GPP and you're going to try to search for that as well, the PowerShell module. But this is what you're after, and this is what you're decrypting here with that password. So now you've got a user and password. How are we going to abuse this? I love this machine, so I'll meet you over in the next video with the solution.