Pentesting on rchitect

gpp-decrypt for password de-crypt

Thu, 15 Sep 2022 00:00:00 +0000

Usage of gpp-decrypt Link to heading

“gpp-decrypt” is a tool built of python3 which can be used for decrypting AD related passwords.

During some of the active directory labs, I could see a “groups.xml” which contain the local admininistartor password in encrypted format. I have used the “gpp-decrypt” to decrypt the password.

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
 . D 0 Sat Jul 21 06:37:44 2018
 .. D 0 Sat Jul 21 06:37:44 2018
 Groups.xml A 533 Wed Jul 18 16:46:06 2018

 5217023 blocks of size 4096. 278651 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml 
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> exit

┌──(rocky㉿kali)-[~/hckbox/Active-1/smb]
└─$ cat Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Why this password was shown in this folder: Link to heading

This was due to the Microsoft group policy preference. Due to this settings a sysvol is created with encrypted password of admin. More can be read here.

John the ripper as passowrd cracking tool

Wed, 13 Apr 2022 00:00:00 +0000

John the Ripper for Bruteforcing Link to heading

Case1: The zip passowrd cracking Link to heading

In below case there is zip file which require password to open.

──(rocky㉿kali)-[~/hckbox/node]
└─$ unzip newbackup.zip 
Archive: newbackup.zip
 creating: var/www/myplace/
[newbackup.zip] var/www/myplace/package-lock.json password:

This requires a password and we need to crack the zip with john to get passowrd.

As this is a zip file we need to use the script from John for converting this to a hash value. The scripts are usually located under /usr/share/john

Directory scan to identify the sub domains of website

Tue, 29 Mar 2022 00:00:00 +0000

Directory Scanning to identify the sub domains Link to heading

Using the gobuster fing the sub directories

gobuster dir -u http://10.10.10.88 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.88
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/23 20:44:04 Starting gobuster in directory enumeration mode
===============================================================
/webservices (Status: 301) [Size: 316] [--> http://10.10.10.88/webservices/]
/server-status (Status: 403) [Size: 299] 

===============================================================
2022/03/23 21:01:06 Finished
===============================================================###### Login Credentials and Rabithole

As we found one sub directory, always run one more gobuster scan with new subdirectory url to find if any more sub directories are present.

Bruteforce using Hydra

Sun, 20 Mar 2022 00:00:00 +0000

Bruteforce using Hydra Link to heading

To use Hydra we need to mainly identify 4 Parameters:

<IP Address> = ""

<Login Page> = ""

<Request Body> = ""

<Error Message> =""

To identify these parameters, lets intercept the request with Burp.

Based on the intercepted values, I have filled the values for HTTPS site subdomain

= “10.10.10.43”

= “/db/index.php”

= “^PASS^&login=Log+In&proc_login=true”

=“Incorrect password.”

Now Formulate the bruteforce command using hydra. For using hydra always username is required. In this case we can give any fixed value. Remember to use “https-post-form” as its a ssl website.