HTB [Active]
#windows#AD
Recon
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-01-18 05:48:32Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5722/tcp open msrpc syn-ack Microsoft Windows RPC
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc syn-ack Microsoft Windows RPC
49153/tcp open msrpc syn-ack Microsoft Windows RPC
49154/tcp open msrpc syn-ack Microsoft Windows RPC
49155/tcp open msrpc syn-ack Microsoft Windows RPC
49157/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc syn-ack Microsoft Windows RPC
49165/tcp open msrpc syn-ack Microsoft Windows RPC
49166/tcp open msrpc syn-ack Microsoft Windows RPC
49168/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -5h30m00s
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-01-18T05:49:27
|_ start_date: 2023-01-18T05:45:01
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 38772/tcp): CLEAN (Couldn't connect)
| Check 2 (port 40109/tcp): CLEAN (Couldn't connect)
| Check 3 (port 10997/udp): CLEAN (Timeout)
| Check 4 (port 38631/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
- It’s an Active directory machine
- No web servers are running, let’s enum the smb
- Let’s download everything from that share
- This post from adsecurity explains about exploiting this groups policy files
➜ active gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
- use
gpp-decryptto decrypt this password - creds
active.htb\SVC_TGS:GPPstillStandingStrong2k18
More Shares
- We can access more shares by using the creds
- Grab the user.txt
- Let’s use bloodhound-python with these user creds
bloodhound-pythonis a Python based ingestor for BloodHound, based on Impacket.
- Now start
neo4jand runbloodhoundto import these files
- Shortest Paths from Kerberoastable Users
- Looks like the Administrator is kerberoastable
- So let’s try kerberoasting to request a ticket
- I’m gonna use a script called
GetUserSPNs.pyfrom impacket
- If you get this error, then most likely we need to sync our time to the machine time
- So run
ntpdate 10.10.10.100
- Let’s crack this using john
- Now we have the Administrator creds
Administrator:Ticketmaster1968
- Now we have write permissions to the shares, so let’s use
psexec.pyto get a shell
- rooted!!
It would be appreciated if you give me a respect+ on HTB