# Active Walkthrough

Hey Everyone! We have a great machine today from **HackTheBox** which will let us deal with *Active Directory* and *Kerberos* so let’s start with its info

<figure><img src="https://cdn-images-1.medium.com/max/800/1*r5L6y9P7zZnRlEqSVN8svw.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*ZwwbHQ0UHDzzhM9SDFn5Ig.png" alt=""><figcaption></figcaption></figure>

As you can see, it's close to a real-life challenge, so it's really great :) Let's get started…

## **Nmap scan**

First, we check the open ports and services to learn more about our target by using `nmap -A -T4 -oG active.gnmap 10.10.10.100`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*Ya5MLmbo16Gc6XuIKMqiig.png" alt=""><figcaption></figcaption></figure>

We have a bunch of open ports and services here. Note that several of them are Active Directory related, such as Kerberos, so we can conclude that this machine is an Active Directory domain controller.

Also, note that `port 80` is not open, so there is no website here and we are dealing with server services only; let's focus on `smb ports 139/445`

## **SMB Enumeration**

First, we will try to list all shares on the `smb` server by using `smbclient` or `smbmap` → `smbmap -H 10.10.10.100`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*wNJghiyFAni5syBc_y9NpQ.png" alt=""><figcaption></figcaption></figure>

And as you can see here, anonymous login is allowed and it gives us `READ ONLY` access to the `Replication` Disk only

Let's use `smbmap` again to recursively list all files and directories in the `Replication` Disk → `smbmap -H 10.10.10.100 -R Replication`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*RCUk13zjfaiKhYQFSaTs-A.png" alt=""><figcaption></figcaption></figure>

And at the end of this list, you will find the `Groups` directory

<figure><img src="https://cdn-images-1.medium.com/max/800/1*FZW8NOZScj2XGa36JB5evw.png" alt=""><figcaption></figcaption></figure>

Now we will log in to the server and explore its content by using `smbclient` → `smbclient //10.10.10.100/Replication`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*J-d1yQtiMV6E0qxe1wIsWw.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*2H0dlGfnWqCOZ84Z3fJ89Q.png" alt=""><figcaption></figcaption></figure>

Inside the `Groups` directory you will find a file named `Groups.xml` whose content we need to see, but while you are connected to the `smb` server you cannot read files in place, so we will download it to our local machine by using `get <file-name>`

Let’s open it…

<figure><img src="https://cdn-images-1.medium.com/max/800/1*g_2iOKaI7ra1Qde5amczXg.png" alt=""><figcaption></figcaption></figure>

Good, we have a username and a password, but the password is stored in encrypted form (the Group Policy Preferences `cpassword` value), so we will use `gpp-decrypt` to recover it, and we have the password now :)

<figure><img src="https://cdn-images-1.medium.com/max/800/1*FEUPWOaplEiWU7EFFXxu1g.png" alt=""><figcaption></figcaption></figure>
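From the defender's side, the lesson of this step is that any `cpassword` left in SYSVOL is a stored credential. The following is an added audit example, not code from the post: it parses a constructed Group Policy Preferences XML (the account name and `cpassword` value are made-up placeholders) and reports which entries still carry a `cpassword`, and `scan_sysvol` applies the same check to every preference XML under a copied or mounted SYSVOL tree.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a Group Policy Preferences Groups.xml (not the file from the box).
# The cpassword value is a made-up placeholder, not a real encrypted secret.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_example" image="2">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="PLACEHOLDER/NOT+A+REAL+VALUE==" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0" userName="EXAMPLE\\svc_example"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk" image="2">
    <Properties action="U" description="local helpdesk" userName="EXAMPLE\\helpdesk"/>
  </User>
</Groups>
"""

def find_cpassword_entries(xml_text):
    """Return one finding per <Properties> element that carries a non-empty cpassword.

    GPP keeps the secret in the cpassword attribute, and the same attribute appears in
    Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and
    Printers.xml, so the check works on any of those files.
    """
    findings = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cpw = props.get("cpassword")
        if cpw:  # an empty string means the field exists but stores nothing
            findings.append({
                "account": props.get("userName") or props.get("accountName") or props.get("name"),
                "cpassword_chars": len(cpw),
            })
    return findings

def scan_sysvol(sysvol_root):
    """Walk a copied or mounted SYSVOL tree and map each XML path to its cpassword findings."""
    results = {}
    for path in Path(sysvol_root).rglob("*.xml"):
        try:
            text = path.read_text(encoding="utf-8-sig")
        except (OSError, UnicodeDecodeError):
            continue
        if "cpassword" not in text:
            continue
        try:
            hits = find_cpassword_entries(text)
        except ET.ParseError:
            continue
        if hits:
            results[str(path)] = hits
    return results

if __name__ == "__main__":
    for hit in find_cpassword_entries(SAMPLE_GROUPS_XML):
        print(f"stored credential for {hit['account']} ({hit['cpassword_chars']} chars of cpassword)")
```

Any hit is a finding to remediate by removing the preference and rotating the account's password; decrypting the value is unnecessary for the audit.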

Okay, let's use the username and the password to see what this user can access → `smbmap -u username -p password -H server-ip`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*MWPBk5pKafS63W8IGTKQ4g.png" alt=""><figcaption></figcaption></figure>

We have `READ ONLY` access to 4 Disks, so let's list the `Users` Disk the same way we listed the `Replication` Disk → `smbmap -H 10.10.10.100 -u username -p password -R Users`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*DBrdh-KWjiH7kbT3_ry-4Q.png" alt=""><figcaption></figcaption></figure>

And at the end of the results you will find

<figure><img src="https://cdn-images-1.medium.com/max/800/1*t3p2He5F5gSypDwr71YqIQ.png" alt=""><figcaption></figcaption></figure>

Also, you should notice that the `SVC_TGS` directory is accessible to us, while the `Administrator` directory returns `ACCESS_DENIED`

Let's download this file a different way, without opening an interactive session, by using `smbmap`'s download option → `smbmap -H 10.10.10.100 -u username -p password -R Users -A user.txt -q` and you will find it in your local directory

<figure><img src="https://cdn-images-1.medium.com/max/800/1*4-lNO1KfP-XD_GagiivAOA.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*UbUpXb7mkb7Uek2oqqb5Jw.png" alt=""><figcaption></figcaption></figure>

Good, now we have `user.txt`. Let's search for `root.txt`

If you return to the `nmap` results, you should notice that a `kerberos` service is running on an open port

> **Kerberos** is the authentication system of Active Directory; you can learn more about it from [**here**](https://www.varonis.com/blog/kerberos-authentication-explained/)

Now we need to grab the admin account's password to access the `Administrator` directory, and to do that we should know about **Kerberoasting**

First, let's use the `GetUserSPNs.py` Python script (from Impacket) to request the TGS, the service ticket Kerberos issues to grant a user access to a specific service

`python3 GetUserSPNs.py -request -dc-ip <server-ip> domain/username:password`

> You must understand **Kerberoasting** to know why we want this ticket

<figure><img src="https://cdn-images-1.medium.com/max/800/1*OjWa9U7MGf60fLbC8epDVA.png" alt=""><figcaption></figcaption></figure>

Here we get the ticket, but it is not plaintext: it is a hash of type `Kerberos 5 TGS-REP etype 23`, as you can see

<figure><img src="https://cdn-images-1.medium.com/max/800/1*9lRuP-mSaXetw7uoGEeliA.png" alt=""><figcaption><p>source: <a href="https://hashcat.net/wiki/doku.php?id=example_hashes">https://hashcat.net/wiki/doku.php?id=example_hashes</a></p></figcaption></figure>

So we will crack it by using `hashcat` → `hashcat -m 13100 -a 0 hashed_password /path/to/wordlist`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*fznbCQIpaG7j4ji5htITww.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*dFsJj3z5iKhudXM01C3r5Q.png" alt=""><figcaption></figcaption></figure>
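On the defensive side, every ticket request in this step is logged by the domain controller as event 4769 with its encryption type, and the `etype 23` (RC4) requests behind the hashcat `13100` hash are what a detection looks for. The following is an added detection example, not code from the post: it runs over constructed 4769 records flattened to `key=value` pairs (field names follow the Windows event schema, all values are made up, and real events would need exporting to that shape first) and flags principals that requested RC4 tickets for several SPN accounts.

```python
import re
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23, the ticket type the hashcat 13100 hash comes from

# Constructed 4769 (Kerberos service ticket requested) records as key=value pairs.
# Field names follow the Windows event schema; every value is made up.
SAMPLE_4769 = """\
TimeCreated=2024-01-01T10:00:01 TargetUserName=alice@EXAMPLE.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.5
TimeCreated=2024-01-01T10:00:02 TargetUserName=alice@EXAMPLE.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.5
TimeCreated=2024-01-01T10:00:02 TargetUserName=alice@EXAMPLE.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.5
TimeCreated=2024-01-01T10:00:03 TargetUserName=alice@EXAMPLE.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.5
TimeCreated=2024-01-01T10:00:04 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=FILESRV01$ TicketEncryptionType=0x17 IpAddress=10.0.0.9
TimeCreated=2024-01-01T10:00:05 TargetUserName=carol@EXAMPLE.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.0.7
TimeCreated=2024-01-01T10:00:06 TargetUserName=dave@EXAMPLE.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.8
"""

def parse_event(line):
    """Turn one flattened record into a dict of its key=value fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def rc4_service_ticket_requests(log_text):
    """Yield events that asked for an RC4 ticket to a user-account SPN.

    krbtgt (TGT traffic) and computer accounts (names ending in $) are skipped:
    Kerberoasting targets user accounts with SPNs, whose passwords a human chose.
    """
    for line in log_text.splitlines():
        ev = parse_event(line)
        svc = ev.get("ServiceName", "")
        if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        if not svc or svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        yield ev

def kerberoast_candidates(log_text, min_services=2):
    """Group RC4 requests by (requesting account, source IP); flag those hitting several SPN accounts.

    One RC4 ticket can be legitimate in a mixed domain; many distinct service accounts
    requested by one principal in a burst is the pattern. No time window is enforced here.
    """
    by_requester = defaultdict(set)
    for ev in rc4_service_ticket_requests(log_text):
        by_requester[(ev.get("TargetUserName"), ev.get("IpAddress"))].add(ev["ServiceName"])
    return {who: sorted(svcs) for who, svcs in by_requester.items() if len(svcs) >= min_services}

if __name__ == "__main__":
    for (user, ip), services in kerberoast_candidates(SAMPLE_4769).items():
        print(f"{user} from {ip} requested RC4 tickets for {len(services)} SPN accounts: {services}")
```

The mitigations that make this step fail are long random passwords or gMSAs for service accounts and AES-only service accounts, which also makes any remaining RC4 request stand out in this query.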

So now we have the password of the admin account; let's use it to list all files in the `Users` Disk

I'll log in to the server and grab it manually → `smbclient \\\\10.10.10.100\\Users -U Administrator`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*Du8N5jDCuRFDfvt_msa_Tw.png" alt=""><figcaption></figcaption></figure>

When you find `root.txt`, download it

<figure><img src="https://cdn-images-1.medium.com/max/800/1*IQKT2QxNyLZ3TnIBleab2g.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*IEbc7Y5KiPoDP2YIsPeW3g.png" alt=""><figcaption></figcaption></figure>

And now we have the `root.txt`

**Congrats ❤**

**Stay in touch**

[LinkedIn](https://www.linkedin.com/in/eslam3kl/) | [GitHub](https://github.com/eslam3kl) | [Twitter](https://twitter.com/eslam3kll)
