Active Walkthrough
Hey Everyone! We have a great machine today from HackTheBox which will let us deal with Active Directory and Kerberos so let’s start with its info
As you can see it’s near to real-life challenges, so it’s really great :) Let’s get started…
Nmap scan
At the first, we will check its open ports and services to know more about our target by using namp -A -T4 -oG active.gnmap 10.10.10.100
We have a bunch of open ports here and also more services. Note that we have more services related to Active Directory like Kerberos, so we should figure out that this machine is a Domain Service.
Also, note that we don’t have port 80 is open, so we will deal with only servers, we don’t have any website here so let us focus on smb ports 139/445
SMB Enumeration
At first, we will try to list all directories from smb server by using smbclient or smbmap → smbmap -H 10.10.10.100
And as you can see here we have only anonymous login and access to READ ONLY the Replication Disk
Let us use smbmap again to list all files and directories content from this Disk Replication → smbmap -H 10.10.10.100 -R Replication
And at the end of this list, you will find this directory Groups
Now we will log in to the server and discover it’s content by using smbclient → smbclient //10.10.10.100/Replication
Into the Groups the directory you will find Groups.xml a file which we need to know it’s content, but you’re into smb the server doesn’t manage you to read files, so we will download them to our local machine by using get <file-name>
Let’s open it…
Good, we have a username and password, but the password is hashed, so we will use gpp-decrypt to crack the hash, and we have the password now :)
Okay, let’s use the username and the password to know the user privileges → smbmap -u username -p password -H server-ip
We have READ ONLY access over 4 disks, so let’s list the Users disk using the same method we listed the Replication disk → smbmap -H 10.10.10.100 -u username -p password -R Users
And you will find at the end of the results
Also, you should notice that the SVF-TGS the directory is accessible to us, but the Administrator is getting ACCESS_DENIED
Let’s download this file with the new method without getting into the server by using smbmap → smbmap -H 10.10.10.100 -u username -p password -R Users -A user.txt -q and you will get it into your local directory
Good, now we get user.txt Let’s search for root.txt
If you return to the nmap results, you should notice that we have kereros service is running on an open port
Kerberos is the authentication system for the Active Directory system, knwo more about it from here
Now we need to grab the admin account’s password to access the Administrator directory and to do that we should know about Kerberoasting
At the first, let us use GetUserSPN python script to get the TGS which is used by Kerberos to give the user permission to access the custom service
python3 GetUserSPN.py -request -dc-ip <server-ip> domain/username:password
You must understand Kerberosting to know why we want this ticket
Here we get the ticket, but it’s hashed and the type of the hash is Kerberos 5 TGS-REP etype 23 as you can see
So we will crack it by using hashcat → hashcat -m 13100 -a 0 hashed_password /path/to/wordlist
So now we have the password of the admin account, let us use it to list all files from Users directory
I’ll log in to the server and grab it manually → smbclient \\\\10.10.10.100\\Users Administrator
When you find root.txt download it
And now we have the root.txt
Congrats ❤
Stay in touch
Last updated
