Active
SMB info leak, GPP, Kerberoast
IP
LHOST: 10.10.14.15
RHOST: 10.129.135.20
Nmap
Port scan:
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Script scan:
Full scan:
User Flag (SMB Info Leak, GPP)
SMB Null Session
Enumerate SMB shares:
Recursively list directories and files in the share \Replication:
Note that the --depth flag is needed; otherwise the recursion stops before reaching the file we are looking for. Here we found an interesting file named Groups.xml:

Download Groups.xml to Kali:
In Groups.xml, we found a username active.htb\SVC_TGS and a GPP password in the cpassword field:
GPP Password Decryption
The GPP password can be decrypted easily with the gpp-decrypt tool built into Kali, because the cpassword value is AES-encrypted with a static key that Microsoft published, so any cpassword found in SYSVOL should be treated as plaintext:
The plaintext password is GPPstillStandingStrong2k18. To learn the theory of this attack, read the following post:
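A defender-side audit of the same leak: the script below (added here, not part of the original writeup) walks a SYSVOL copy for the Group Policy Preference files that can carry a cpassword attribute and reports every stored credential with its owning account and last-changed date, so the offending policy can be found and cleaned up. The sample Groups.xml is constructed, and its cpassword value is a placeholder, not a real ciphertext.

```python
"""Audit Group Policy Preference XML files for stored cpassword attributes."""
import os
import xml.etree.ElementTree as ET

# Preference file types that Microsoft documents as able to carry a cpassword.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute naming the account the stored password belongs to, per file type.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")

# Constructed sample modelled on the Groups.xml found on this box; the
# cpassword value is a placeholder, not a real ciphertext.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS" changed="2024-01-01 00:00:00">
    <Properties action="U" cpassword="CONSTRUCTED_PLACEHOLDER_NOT_A_CIPHERTEXT"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>"""


def find_cpasswords(xml_text, path="<inline>"):
    """Return one finding per element that carries a cpassword attribute."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if cpassword is None:
            continue  # this element stores no credential
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
        owner = parents.get(elem)  # <User>, <Service>, ... carries name/changed
        findings.append({
            "file": path,
            "item": owner.get("name", owner.tag) if owner is not None else elem.tag,
            "account": account,
            "changed": owner.get("changed", "?") if owner is not None else "?",
            "empty": cpassword == "",  # empty = no secret, but still worth removing
        })
    return findings


def scan_sysvol(directory):
    """Walk a SYSVOL copy (or mounted share) and audit every GPP file in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:  # strip Windows BOM
                    findings.extend(find_cpasswords(fh.read(), path))
            except ET.ParseError as exc:
                print(f"skipping {path}: {exc}")
    return findings


if __name__ == "__main__":
    for finding in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(finding)
```

Point scan_sysvol at a copy of \\<dc>\SYSVOL\<domain>\Policies to audit a real domain; every finding should be removed from the policy and the affected account's password rotated.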
SMB Enumeration with Credential
Enumerate the SMB shares again with the credential we just obtained:
Recursively list directories and files in the share \Users:
Here we found user.txt. Download it to Kali:
Root Flag (Kerberoast)
Now we have a valid username SVC_TGS and its plaintext password GPPstillStandingStrong2k18. In such a scenario, we can try Kerberoast: request a TGS ticket for a service account and crack it offline. To learn the theory behind Kerberoast, read the following post:
Kerberoast with Impacket's GetUserSPNs.py:
Save the TGS ticket to a file named hash.txt:
Crack the TGS ticket with John:
The plaintext password is Ticketmaster1968:

Get a SYSTEM shell with PsExec:
