Another infosec blog

Hack the Box - Active
  • nmap uncovered what appeared to be a domain controller based upon the open ports
nmap -vv -sC -sV -oA initial
  • tested and confirmed that SMB null session could be established using:
smbclient // -U '' -W ACTIVE -p ''
  • found what appeared to be a Group Policy Preferences file, groups.xml, containing an encrypted password
python edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
  • got the password: GPPstillStandingStrong2k18

  • researched kerberos based upon the username “TGS” and the fact that it is a domain controller.

  • found and more specifically the reference to impacket at the bottom of the page

  • cloned impacket from here

  • ran the following command using the above credentials, and got the output below

./ -request active.htb/SVC_TGS
  • checked the Hashcat example hashes page for $krb5tgs$23$ format and found that it matched mode 13100

  • added the entire $krb5tgs$23$ string above to a file called active.krb, and used hashcat along with the rockyou.txt wordlist to get the password

./hashcat -m 13100 active.krb /pentest/wordlists/rockyou.txt
  • after only a few seconds I had the password: Ticketmaster1968

  • ran the following command with the new credentials to connect to the users share

smbclient // -U Administrator -W ACTIVE -p Ticketmaster1968
  • browsed to Administrator/Desktop and ran the following to get the flag
get root.txt
  • to get a shell as Administrator you can simply use the impacket script with the same credentials
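A detection-side counterpart to the Kerberoasting step above, added here as an example and not part of the original writeup: it scans constructed Windows Security event 4769 records and flags clients that obtained RC4 (etype 23, the "23" in $krb5tgs$23$) service tickets for several user SPNs. The key=value record layout, the field names kept by the export, and the sample usernames and IPs are assumptions.

```python
"""Flag Kerberoasting-style requests in Windows Security event 4769 records.

Added example, not from the original writeup. The $krb5tgs$23$ hash cracked in
the post is an RC4-HMAC (etype 23 = 0x17) service ticket; the DC logs each such
request as event 4769 with its TicketEncryptionType, so a defender can alert on
RC4 tickets issued for user service accounts. Sample records are constructed.
"""
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23: the "23" in $krb5tgs$23$ and hashcat mode 13100

# Constructed sample 4769 events in a simplified key=value export format
# (assumption: the SIEM export keeps these four fields).
SAMPLE_4769 = [
    "TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=SVC_TGS TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "TargetUserName=jdoe@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.10.10.20",
    "TargetUserName=jdoe@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.10.10.20",
    "TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=websvc TicketEncryptionType=0x17 IpAddress=10.10.14.5",
]

def parse_event(line):
    """Turn one 'key=value key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def is_roastable_request(event):
    """True for an RC4 service ticket issued for a user (non-computer) SPN.
    Computer accounts (ServiceName ending in $) and krbtgt are skipped: their
    keys are long and random, so those tickets are not crackable offline."""
    service = event["ServiceName"]
    etype = int(event["TicketEncryptionType"], 16)
    return etype == RC4_HMAC and not service.endswith("$") and service.lower() != "krbtgt"

def find_roasting_sources(lines, min_services=2):
    """Return {(requester, ip): sorted SPN accounts} for clients that pulled RC4
    tickets for at least min_services distinct user SPNs. A single RC4 ticket
    can be legacy traffic; one client collecting several is the pattern to
    investigate. Mitigations: AES-only service accounts, long random
    passwords or gMSAs, and alerting on this rule."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_roastable_request(ev):
            seen[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {src: sorted(spns) for src, spns in seen.items() if len(spns) >= min_services}

if __name__ == "__main__":
    for (user, ip), spns in find_roasting_sources(SAMPLE_4769).items():
        print(f"ALERT: {user} from {ip} requested RC4 tickets for {', '.join(spns)}")
```

On the sample data only the client at 10.10.14.5, which requested RC4 tickets for three different user SPNs, is reported; the AES ticket for DC$ and the RC4 ticket for krbtgt are ignored.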