Quick Summary

Active was a great box and very realistic , Kinda easy if you’re familiar with windows active directory security. But if you’re not … then this box will teach you something. It’s a windows box and its ip is 10.10.10.100 so let’s jump right in .



Nmap

As Always we will start with nmap to scan for TCP ports and Services

nmap -sV -sT 10.10.10.100

And we see many ports open but we will focus on the important ports only.

Kerberos on 88 , netbios-ssn on 139 , ldap on 389 and 3268.



SMB Enumeration

Since we have netbios-ssn open on port 139 let’s run smbmap and see what we get.

If you’re not on kali you can get smbmap from here

smbmap -H 10.10.10.100

And we see that we can only access the share Replication anonymously

smbclient //10.10.10.100/Replication

After we access the share we will find a file called Groups.xml in \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\

By looking at the file we will find a username and an encrypted password.



Decrypting GPP

So if you don’t know what’s that cpassword … it’s called gpp (Group Policy Password) And I won’t talk about it in the write-up. If you’re interested here’s a great resource to read about it

To decrypt it there’s a tool called gpp-decrypt. If you’re not on kali get it from here

And we got the password GPPstillStandingStrong2k18



User

Now we have the credentials SVC_TGS:GPPstillStandingStrong2k18 and we can own user

smbclient //10.10.10.100/Users -U SVC_TGS


Kerberoasting

Now if we return to our nmap scan.

We will see that we have kerberos running on port 88 and we have owned a user on the box so we will go for kerberoasting and if you don’t know what kerberoasting technique is you can read this great series about it


Part 1

Part 2

Part 3


First we will add 10.10.10.100 to our /etc/hosts

Then We will use GetUserSPNs.py from impacket to get administrator Kerberos ticket

./GetUserSPNs.py -request active.htb/SVC_TGS

And we got the ticket in john format so it’s ready for cracking.

We will just add the option -outputfile to save the ticket in a file and we’re ready to go.



Cracking The Ticket

We will use john to crack the ticket with rockyou.txt

And one of the problems that I faced when I was trying to crack the ticket is that john wasn’t recognizing the format so make sure you’re using an updated version of both impacket and john because impacket also had problems with the hash format output. For me the problem was with john so I solved it by using jumbo version of john.

./john admin.txt --wordlist=/usr/share/wordlists/rockyou.txt

And we got the administrator password : Ticketmaster1968



Root

Now we can easily get a root shell using psexec.py from impacket

./psexec.py administrator@active.htb

That’s it , Feedback is appreciated !

Don’t forget to read the previous write-ups , Tweet about the write-up if you liked it , follow on twitter for awesome resources @Ahm3d_H3sham

Thanks for reading.



Previous Hack The Box write-up : Hack The Box - Hawk

Next Hack The Box write-up : Hack The Box - Waldo