Active Walkthrough
Hey Everyone! We have a great machine today from HackTheBox that lets us deal with Active Directory and Kerberos, so let's start with its info.


As you can see it's close to real-life challenges, so it's really great :) Let's get started...
Nmap scan
First, we will check its open ports and services to learn more about our target:
→ nmap -A -T4 -oG active.gnmap 10.10.10.100

We have a bunch of open ports and services here. Note that several of them are related to Active Directory, such as Kerberos, so we can tell that this machine is running Active Directory Domain Services.
Also note that port 80 is not open, so there is no website here and we will deal only with the servers. Let us focus on the SMB ports 139/445.
SMB Enumeration
First, we will try to list all shares on the SMB server using smbclient or smbmap:
→ smbmap -H 10.10.10.100

As you can see, we have only anonymous login, with READ ONLY access to the Replication share.
Let us use smbmap again to list all the files and directories in the Replication share:
→ smbmap -H 10.10.10.100 -R Replication

At the end of this list you will find the Groups directory.

Now we will log in to the server and explore its content using smbclient:
→ smbclient //10.10.10.100/Replication


In the Groups directory you will find a file, Groups.xml, whose content we need to see. The smbclient session does not let you read files directly, so we will download it to our local machine using get <file-name>.
Let's open it...

Good, we have a username and a password, but the password is not stored in clear text (it is the GPP cpassword value), so we will use gpp-decrypt to recover it, and we have the password now :)

Okay, let's use the username and the password to find out this user's privileges:
→ smbmap -u username -p password -H server-ip

We have READ ONLY access over 4 shares, so let's list the Users share using the same method we used for the Replication share:
→ smbmap -H 10.10.10.100 -u username -p password -R Users

At the end of the results you will find

Also, you should notice that the SVF-TGS directory is accessible to us, but Administrator returns ACCESS_DENIED.
Let's download this file with a different method, without logging in to the server, by using smbmap:
→ smbmap -H 10.10.10.100 -u username -p password -R Users -A user.txt -q
and you will get it in your local directory.


Good, now we have user.txt.
Let's search for root.txt.
If you return to the nmap results, you should notice that a Kerberos service is running on an open port.
Kerberos is the authentication system of Active Directory.
Now we need to grab the admin account's password to access the Administrator directory, and to do that we should know about Kerberoasting.
First, let us use the GetUserSPNs.py script (from Impacket) to request a TGS, the service ticket Kerberos issues to grant a user access to a particular service:
→ python3 GetUserSPNs.py -request -dc-ip <server-ip> domain/username:password
You must understand Kerberoasting to know why we want this ticket.

Here we get the ticket, but it is hashed, and as you can see the hash type is Kerberos 5 TGS-REP etype 23.
So we will crack it using hashcat:
→ hashcat -m 13100 -a 0 hashed_password /path/to/wordlist


So now we have the password of the admin account; let us use it to list all files in the Users directory.
I'll log in to the server and grab it manually:
→ smbclient //10.10.10.100/Users -U Administrator

When you find root.txt, download it.


And now we have root.txt.
Congrats ❤
Stay in touch