> For the complete documentation index, see [llms.txt](https://angellm.gitbook.io/hacknotes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://angellm.gitbook.io/hacknotes/htb/2022/active.md).

# Active

**Date**: 27/06/2022

**Difficulty**: Easy

**CTF**: <https://app.hackthebox.com/machines/148>

***

Let’s start with the classic ping to test the connection with the target machine:

<figure><img src="/files/j55badR6zogQmu7r0ADE" alt=""><figcaption></figcaption></figure>

1 packet emitted, 1 packet received. The ttl shows a value of 127 which in HTB means that we are probably against a Windows machine.

Let’s do a scan of the TCP ports to find which ones are open:

<figure><img src="/files/aNknkV3uqmkj7ytB4clZ" alt=""><figcaption></figcaption></figure>

Wow, it shows a bunch of open TCP ports. Let’s do a further scan in these ports:

<figure><img src="/files/IvZarUJSgvc9E66L6rqU" alt=""><figcaption></figcaption></figure>

We have much information here. First of all we have kerberos, RPC and ldap services. We also have a DNS service in port 53 and a http service running on port 47001.

Let’s see if we can any info from the DNS service:

<figure><img src="/files/owUodxNIoyQpwgz6mZNW" alt=""><figcaption></figcaption></figure>

Apparently nothing… Let’s see the http service:

<figure><img src="/files/MulFA4Z0JBPNP4eUu3xM" alt=""><figcaption></figcaption></figure>

Ok, we also have the port 445 open which is usually used by SMB… Let’s try to obtain more info using crackmapexec:

<figure><img src="/files/tg1XaiNkWjSZa8M5XGce" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/S1gh2rbRY790HiOq7pdK" alt=""><figcaption></figcaption></figure>

If we search the Build version, we can find that the target server is a Windows Server 2008 R2, SP1.

Now we know that the domain is `active.htb` let’s add it to the `/etc/hosts`.

<figure><img src="/files/arcq0pl4RD5GKzSixVeX" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ViLkLunLhC0Szx4GBcsc" alt=""><figcaption></figcaption></figure>

But the http service looks the same.

Let’s try to enumerate the smb:

<figure><img src="/files/7MrOTd02TEmnGaPZSQEe" alt=""><figcaption></figcaption></figure>

We have READ permissions to the folder Replication. Let’s look inside!

<figure><img src="/files/SEdPzPpeU2gwsEbl4Tgm" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/qObR9hF7HZ2idaN4rdTh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9D41BjryufyE29vLSZV4" alt=""><figcaption></figcaption></figure>

Every folder at this level was empty.

<figure><img src="/files/PmcKJ6LDZE8Q1kWsTXGF" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/IRKnHuEAPFZatGRt123o" alt=""><figcaption></figcaption></figure>

It seems like it may have interesting files… let’s download all the folder to navigate more quickly:

`smbget -R smb://10.129.81.48/Replication`

<figure><img src="/files/8fiyEwDcxnz2iKDBxVCP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/x2EeyuyLbUZ8sIQUWYEr" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tRgb5CS7HHHK2IrVCGIz" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XTPZ66mgoOPZDrHzvPsP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/D1CVpeWvezCMJdBAW6v5" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VG9mSyMimFpV7VHI5641" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/YNOJMBUI4wqlVaScBXlK" alt=""><figcaption></figcaption></figure>

Maybe we have credentials here?

`active.htb\SVC_TGS : edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ`

<figure><img src="/files/RceZ5RLo4UjDlWajPEeD" alt=""><figcaption></figcaption></figure>

Is not that simple… Let’s see if the username at least is valid using kerbrute:

<figure><img src="/files/qiI9nhZgNhyElp1O9tll" alt=""><figcaption></figcaption></figure>

Yes, it is. So we have a valid username but not its password I guess.

Doing some research, I found [this](https://vk9-sec.com/exploiting-gpp-sysvol-groups-xml/):

<figure><img src="/files/SJxIcC4dyf9z6dEWUInE" alt=""><figcaption></figcaption></figure>

So the password seems to be encrypted in AES-256 and we can crack it using gpp-decrypt.

<figure><img src="/files/k0WmsE5zaHGzQtTetWMa" alt=""><figcaption></figcaption></figure>

Let’s save this credential in a file.

<figure><img src="/files/F4lwvannUy7os85j6zMP" alt=""><figcaption></figcaption></figure>

And now let’s test it:

<figure><img src="/files/ZKV4Hglbpre4nLIKoCC3" alt=""><figcaption></figcaption></figure>

Yes, it’s valid!

<figure><img src="/files/u6mAwRBpYiCB5SzEE8mV" alt=""><figcaption></figcaption></figure>

Now, using this credentials we have access to more folders. Let’s look into `Users`:

<figure><img src="/files/pCgABwGUBivfKRd0ChI2" alt=""><figcaption></figcaption></figure>

Can we list the Administrator folder?

<figure><img src="/files/AEl206iOJybLwH6EfhIl" alt=""><figcaption></figcaption></figure>

Nope. Let’s try with the rest:

<figure><img src="/files/LcGo6bz4BlSPsEDcXk01" alt=""><figcaption></figcaption></figure>

Apparently the userflag is in `Users/SVC_TGS/Desktop` path. Let’s download it!

<figure><img src="/files/XUToh4R5HZl2ntwsnLHJ" alt=""><figcaption></figcaption></figure>

After enumerate the SMB I have found nothing else interesting, let’s try to do a `ldapdomaindumpH`

<figure><img src="/files/CbdUGoFaii7XxARVtY4y" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/krv9iJQFneSXC6g1PH5s" alt=""><figcaption></figcaption></figure>

As we saw earlier it is a Windows Server 2008 R2 SP1.

<figure><img src="/files/6pp7ZgaWxPz9enb12tVP" alt=""><figcaption></figcaption></figure>

Apparently there are only 4 users

* SVC\_TGS: we have its credentials
* krbtgt: Key Distribution Center Service Account
* Guest
* Administrator

Let’s try a Kerberoast attack:

`❯ sudo python3 /home/angellm/THM/CTF/Relevant/impacket/build/scripts-3.9/GetUserSPNs.py active.htb/SVC_TGS:GP#################18 -dc-ip 10.129.104.47 -request`

<figure><img src="/files/ycxPKdaQnAEurWXUS46y" alt=""><figcaption></figcaption></figure>

Let’s now try to crack the hash using hashcat:

`hashcat -m 13100 -a 0 kerberoast_result /usr/share/wordlists/rockyou.txt`

<figure><img src="/files/FTcFU09rgYZCoCYjk06E" alt=""><figcaption></figcaption></figure>

Cracked!

Let’s see if this credentials are correct:

<figure><img src="/files/GIjCKaA6fUCFs7VpG6U5" alt=""><figcaption></figcaption></figure>

Yeah, Pwned! Let’s go for the root flag:

<figure><img src="/files/tuaJJieakoY61YSgDIdj" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/uzy3STnlwVA9nNmea8Tv" alt=""><figcaption></figcaption></figure>

Done!
