HTB Series - Active
We start by scanning the target with nmap to find open ports
nmap -sC -sV -oA active 10.10.10.100
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
Since we can see dns (53), ldap and smb (445) we are likely on a windows server.
Inspecting the output, there are no shares listed, so we can try to connect via smbclient with null authentication to enumerate them.
smbclient -L //10.10.10.100
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
The IPC$ and SYSVOL shares are expected of a domain controller.
Smbmap offers similar results
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
We note that we only have READ access for the Replication share, so we drill down further into it to look for interesting artifacts.
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
The output depicts the presence of the Groups.xml file which is of interest to us so we can download it.
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
From the downloaded file we identify the credentials as follows:
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
We decrypt the password as shown:
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
An alternate way to get this would be to use smbclient
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
We then use impacket to view the users on the Domain
GetADUsers.py -all -dc-ip 10.10.10.100 active.htb/svc_tgs
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
We try further enumeration using the given user account as follows:
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
We utilize the credentials gathered as follows:
On a windows box, open up a session as the user
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
We can use bloodhound to proceed as follows:
Use sharphound on the windows box
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
Verify the connection is working okay
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
Turns out we just needed to add the DC as the primary DNS in the ethernet settings.
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
From Bloodhound we query which accounts are susceptible to kerberoasting
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
Attempt at Kerberoasting
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
From the hash acquired, we can look up on example hashcat hashes to find out the cracking mode to use
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
We can then proceed to attempt to crack the hash with hashcat
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
We then proceed to use the credentials acquired to login as the Administrator via Psexec
psexec.py domain/User@ip
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ
Own the root flag
Image Not Showing
Possible Reasons
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
Learn More โ