Active Writeup
Hack the Box Active Writeup
We started off with the usual nmap scan using:
Once this completes and we open our notes we can see that there are a whole lot of ports open. Does this mean we go check every single one? Hell no. Let's look at what the ports are for and see how they work together.
We can see that this is a Windows Server 2008 machine with SMB running (ports 139 and 445 are open). We can also see that it is probably a domain controller, because it has AD LDAP running along with Kerberos, AD's authentication ticketing system.
So we know it's Windows, so we can't approach it the same way we would a Linux machine. To enumerate some more, let's run enum4linux.
After running this we can see that there are a few shares up. After testing for NULL sessions we know that we only have anonymous access to one share, Replication.
Because there were a bunch of random directories and files in this share I went ahead and downloaded them all using this one-liner:
After looking through a bit we can see there is interesting data in 'active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml'
In this we can see a username for an account on the box plus an attribute called cpassword. After some research we can see that it's a Group Policy Preferences file, and cpassword can be decrypted very easily with a tool called gpp-decrypt, which is built into Parrot and Kali.
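The reason gpp-decrypt works at all is that any cpassword left in SYSVOL is readable by every domain user, so the defender-side check is simply to audit SYSVOL for preference files that still carry one. The following audit script is an added example, not part of the original writeup; the sample Groups.xml, the account names and the cpassword blob in it are constructed placeholders, and the script only reports findings, it does not decrypt anything.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample Groups.xml; account names and the cpassword blob are placeholders.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="EXAMPLE\\svc_backup">
    <Properties action="U" cpassword="PLACEHOLDER_BASE64_BLOB" changeLogon="0"
                noChange="1" neverExpires="1" userName="EXAMPLE\\svc_backup"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="EXAMPLE\\localadmin">
    <Properties action="U" cpassword="" userName="EXAMPLE\\localadmin"/>
  </User>
</Groups>
"""

# Account attribute used by the preference files that can carry cpassword
# (Groups, Drives, Printers, DataSources, Services, ScheduledTasks).
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpassword_entries(xml_data, source="<memory>"):
    """Return one finding per element that still carries a non-empty cpassword."""
    findings = []
    try:
        root = ET.fromstring(xml_data)  # str or bytes; bytes lets expat honour BOM/encoding
    except ET.ParseError:
        return findings                 # unreadable file: not a finding, but worth logging
    for elem in root.iter():
        if not elem.get("cpassword"):   # missing or "" means the field was cleared
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        findings.append({"file": source, "element": elem.tag, "account": account})
    return findings


def scan_sysvol(root_dir):
    """Walk a local copy of SYSVOL (or any directory) and audit every .xml file."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".xml"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.extend(find_cpassword_entries(fh.read(), path))
    return findings


if __name__ == "__main__":
    hits = scan_sysvol(sys.argv[1]) if len(sys.argv) > 1 else find_cpassword_entries(SAMPLE_GROUPS_XML, "sample")
    for h in hits:
        print(f"{h['file']}: <{h['element']}> for {h['account']!r} still stores cpassword")
```

Run it with the path of a SYSVOL copy to audit real policy files; without arguments it checks the embedded sample and reports the one account whose cpassword was never cleared.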
After running:
We get the password 'GPPstillStandingStrong2k18'. Let's use it to try to connect to other shares... Bingo. We now have access to the Users share.
We can get the user.txt file from here.
Side Note: I couldn't get the user.txt file for some reason with smbclient so I ended up using smbmap to grab it.
Ok so back on track now. We need to get Administrator now. After running through a few possible options I realized we are going to need to utilize kerberoasting to get the Administrator account.
For this we are going to use the almighty impacket repo, GetUserSPNs.py to be exact. With this we are going to try to grab the Administrator ticket and crack it with Hashcat.
YES!!
Now that we got the Administrator ticket saved we are going to run Hashcat and crack it open like an egg.
And bingo. The password is 'Ticketmaster1968'. Now we can just login and grab the root.txt file and we are done.
PWNED!!