Active was a great box and very realistic , Kinda easy if you’re familiar with windows active directory security. But if you’re not … then this box will teach you something. It’s a windows box and its ip is 10.10.10.100 so let’s jump right in .
As Always we will start with nmap to scan for TCP ports and Services
nmap -sV -sT 10.10.10.100
And we see many ports open but we will focus on the important ports only.
Kerberos on 88 , netbios-ssn on 139 , ldap on 389 and 3268.
Since we have netbios-ssn open on port 139 let’s run smbmap and see what we get.
If you’re not on kali you can get smbmap from here
smbmap -H 10.10.10.100
And we see that we can only access the share Replication anonymously
After we access the share we will find a file called Groups.xml in
By looking at the file we will find a username and an encrypted password.
So if you don’t know what’s that cpassword … it’s called gpp (Group Policy Password) And I won’t talk about it in the write-up. If you’re interested here’s a great resource to read about it
To decrypt it there’s a tool called gpp-decrypt. If you’re not on kali get it from here
And we got the password
Now we have the credentials SVC_TGS:GPPstillStandingStrong2k18 and we can own user
smbclient //10.10.10.100/Users -U SVC_TGS
Now if we return to our nmap scan.
We will see that we have kerberos running on port 88 and we have owned a user on the box so we will go for kerberoasting and if you don’t know what kerberoasting technique is you can read this great series about it :
First we will add 10.10.10.100 to our /etc/hosts
Then We will use GetUserSPNs.py from impacket to get administrator Kerberos ticket
./GetUserSPNs.py -request active.htb/SVC_TGS
And we got the ticket in john format so it’s ready for cracking.
We will just add the option
-outputfile to save the ticket in a file and we’re ready to go.
We will use john to crack the ticket with rockyou.txt
And one of the problems that I faced when I was trying to crack the ticket is that john wasn’t recognizing the format so make sure you’re using an updated version of both impacket and john because impacket also had problems with the hash format output. For me the problem was with john so I solved it by using jumbo version of john.
./john admin.txt --wordlist=/usr/share/wordlists/rockyou.txt
And we got the administrator password : Ticketmaster1968
Now we can easily get a root shell using psexec.py from impacket