# Active

This is an easy Windows box. The path involves accessing an open SMB share, decrypting a Group Policy Preferences password found on that share to obtain the `svc_tgs` user's password, then requesting a Kerberos service ticket for an SPN registered to the Administrator account and cracking it offline to obtain the Administrator's password, which lets us authenticate to the machine and land a shell as SYSTEM.

<div align="left"><figure><img src="/files/yH1Ex5TdHgmAyz59CLFu" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Reconnaissance</mark>

### <mark style="color:blue;">nmap</mark>

As usual, we start by scanning for open ports and running services using nmap:

<div align="left"><figure><img src="/files/daBstTfIGQnohEKdBTBO" alt=""><figcaption></figcaption></figure></div>

* **-sC**: run default nmap scripts

* **-O**: detect OS

* **-sV**: detect service version

* **-oA**: output all formats and store in file *initial*

* **Port 53:** running DNS 6.1.7601

* **Port 88:** running Kerberos

* **Ports 135, 593, 49152, 49153, 49154, 49155, 49157, 49158:** running msrpc

* **Ports 139 & 445:** running SMB

* **Ports 389 & 3268:** running Active Directory LDAP

* **Port 464:** running kpasswd5. This port is used for changing/setting passwords against Active Directory

## <mark style="color:red;">Enumeration</mark>

### <mark style="color:blue;">Enumerating SMB Shares</mark>

Using the `smbclient` utility to enumerate the open shares on the machine:

<div align="left"><figure><img src="/files/Ie3faXIVLgvmu6eYiqIB" alt=""><figcaption></figcaption></figure></div>

The Replication share has READ ONLY permission. Let's try logging in anonymously to view the files on the Replication share.

<div align="left"><figure><img src="/files/1K5K2QyoThR5ohW8yWnM" alt=""><figcaption></figcaption></figure></div>

After looking through all the files on this share, I found a Groups.xml file, which often contains Active Directory credentials, in the following directory (navigated with `cd` inside the smbclient session, relative to the share root):

```text
cd active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
```

<div align="left"><figure><img src="/files/N6Y5vRV2sQlTU8eTj8B6" alt=""><figcaption></figcaption></figure></div>

This is the content of the Groups.xml file. It contains a `cpassword` attribute for the user SVC\_TGS, stored in encrypted form.

<div align="left"><figure><img src="/files/5Rtdhn03WkqF1bm25NFz" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Gain an Initial Foothold</mark>

Using the `gpp-decrypt` tool, which decrypts the `cpassword` attribute stored in Group Policy Preferences XML files:

<div align="left"><figure><img src="/files/U2pfWWUXESBvylhqEYvi" alt=""><figcaption></figcaption></figure></div>

The domain account `SVC_TGS` has the password `GPPstillStandingStrong2k18`.
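The reason `gpp-decrypt` works on every `cpassword` is that Microsoft published the AES key Group Policy Preferences uses; MS14-025 removed the ability to set new passwords this way but left existing files in SYSVOL untouched, so any `cpassword` still present is effectively plaintext. The following Python script is an added example (it is not part of this writeup and is not the `gpp-decrypt` tool): a defender-side audit that walks a SYSVOL copy, parses the GPP XML file types that can carry `cpassword`, and reports the affected account and file without decrypting anything. The sample Groups.xml is constructed to mirror the one on the Replication share with a placeholder `cpassword` value; the per-file-type account attribute names are my assumption from the GPP schema.

```python
"""Audit SYSVOL Group Policy Preference XML files for embedded cpassword values.

Added example: a defender-side scanner, not part of the original writeup and not
the gpp-decrypt tool. It reports where credentials are stored; it does not decrypt.
"""
import os
import sys
import xml.etree.ElementTree as ET
from typing import List

# GPP file types that may carry a cpassword attribute (the set covered by MS14-025).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attributes that name the account, depending on the file type (assumption based on
# the GPP schema; userName is the form seen in Groups.xml on the Replication share).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample modelled on the Groups.xml found on the box. The cpassword
# value and the timestamp are placeholders, not the real values from the share.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD_VALUE=="
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

# Constructed clean file: a local group change that sets no password at all.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Administrators (built-in)" changed="2018-07-18 20:50:00">
    <Properties action="U" groupName="Administrators (built-in)"/>
  </Group>
</Groups>
"""


def find_gpp_credentials(xml_text: str, path: str) -> List[dict]:
    """Return one finding per element whose <Properties> carries a non-empty cpassword."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        props = elem.find("Properties")
        if props is None or not props.get("cpassword"):
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "<unknown>")
        findings.append({
            "path": path,
            "item": elem.tag,               # User, Service, Task, Drive, ...
            "account": account,
            "changed": elem.get("changed", ""),
            "cpassword_length": len(props.get("cpassword")),
        })
    return findings


def scan_sysvol(sysvol_root: str) -> List[dict]:
    """Walk a SYSVOL copy (or mounted share) and collect findings from every GPP file."""
    results = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8-sig") as fh:
                    results.extend(find_gpp_credentials(fh.read(), full))
            except (OSError, ET.ParseError):
                pass  # unreadable or malformed file: skip it, do not abort the audit
    return results


if __name__ == "__main__":
    # With a path argument, audit that SYSVOL tree; otherwise run on the built-in sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_sysvol(target) if target else find_gpp_credentials(SAMPLE_GROUPS_XML, "Groups.xml")
    for hit in hits:
        print(f"{hit['path']}: {hit['item']} for {hit['account']} carries a cpassword "
              f"({hit['cpassword_length']} chars), last changed {hit['changed']}")
```

Run it against a copy of `\\<dc>\SYSVOL\<domain>\Policies` pulled from the domain controller; every hit is a credential that should be rotated and the XML entry removed, since the Replication share on this box shows exactly how little access is needed to read it.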

Accessing the Users share with the credentials we found, using smbclient (the `ADMIN$` share is not accessible with a regular domain user account):

```bash
smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18
```

<div align="left"><figure><img src="/files/vM2nxwh9sU6BgYVIDYHu" alt=""><figcaption></figcaption></figure></div>

Get the user flag from `/Users/SVC_TGS/Desktop/user.txt`.

## <mark style="color:red;">Privilege Escalation</mark>

### <mark style="color:blue;">Kerberoasting</mark>

Since we're working with Active Directory and Kerberos is the authentication protocol, let's try a technique known as Kerberoasting. To understand how this attack works, you first need to understand how Kerberos authentication works.

<div align="left"><figure><img src="/files/Uf8FujEIs62QrzPt8pCR" alt=""><figcaption></figcaption></figure></div>

If you compromise a user that has a valid Kerberos ticket-granting ticket (TGT), you can request one or more ticket-granting service (TGS) service tickets for any Service Principal Name (SPN) from a domain controller. An example of an SPN would be the Application Server shown in the figure above.

A portion of the TGS ticket is encrypted with the hash of the service account associated with the SPN, so that encrypted portion can be brute-forced offline to recover the service account's password. If an SPN is registered to the Administrator account and the Administrator uses a weak password, we'll be able to crack it!

Kerberos authentication uses Service Principal Names (SPNs) to identify the account associated with a particular service instance.

Impacket's `GetUserSPNs` can be used to identify accounts that are configured with SPNs; it can also request the TGS and extract the hash for offline cracking.

```bash
impacket-GetUserSPNs -dc-ip 10.10.10.100 -request active.htb/SVC_TGS
```

<div align="left"><figure><img src="/files/EUU8L75r9H1q4H8fG7b0" alt=""><figcaption></figcaption></figure></div>

* **target:** domain/username:password
* **-dc-ip**: IP address of the domain controller
* **-request**: Requests TGS for users and outputs them in JtR/hashcat format

We were able to request a TGS for an SPN registered to the Administrator account. If we can crack the TGS, we'll be able to escalate privileges!
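On the defending side, the request we just made leaves a trace: every TGS request is logged on the domain controller as Security event 4769, and a Kerberoast request stands out because the ticket is issued with RC4 (encryption type 0x17) for a user-account SPN rather than for a machine account, typically for several SPNs within seconds of each other. The following Python script is an added example, not part of this writeup: it runs that check over a handful of constructed 4769 events (the field names follow the real event schema; SVC_TGS and Administrator are from this box, while svc_sql, svc_web, jdoe and the 192.0.2.10 address are made up) and also flags any requester that pulls tickets for several distinct SPNs inside a short window, which is exactly what `GetUserSPNs -request` does in one shot.

```python
"""Flag Kerberoasting-style service ticket requests in Windows Security event 4769 data.

Added example from the defender's side; not part of the original writeup. The field
names follow the 4769 schema (TargetUserName, ServiceName, TicketEncryptionType,
Status, IpAddress); the events themselves are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Ticket encryption types that are cheap to crack offline once the ticket is captured.
WEAK_ETYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5", "0x17": "RC4-HMAC"}

# Constructed 4769 events. 192.0.2.10 is a documentation-range placeholder for the
# requesting host; svc_sql, svc_web and jdoe are made-up accounts.
SAMPLE_4769 = [
    {"TimeCreated": "2018-07-30T10:00:01", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "192.0.2.10"},
    {"TimeCreated": "2018-07-30T10:00:02", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "192.0.2.10"},
    {"TimeCreated": "2018-07-30T10:00:02", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "192.0.2.10"},
    {"TimeCreated": "2018-07-30T10:00:03", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "192.0.2.10"},
    {"TimeCreated": "2018-07-30T10:00:03", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "192.0.2.10"},
    {"TimeCreated": "2018-07-30T10:01:00", "TargetUserName": "jdoe@ACTIVE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "192.0.2.20"},
    {"TimeCreated": "2018-07-30T10:02:00", "TargetUserName": "jdoe@ACTIVE.HTB",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x7", "IpAddress": "192.0.2.20"},
]


def is_roastable_request(ev: Dict[str, str]) -> bool:
    """True when a ticket for a user-account SPN was issued with a weak encryption type."""
    service = ev["ServiceName"]
    if ev["Status"] != "0x0":
        return False                      # no ticket was issued, nothing to crack
    if service.endswith("$") or service.lower() == "krbtgt":
        return False                      # machine accounts (random passwords) and the KDC itself
    return ev["TicketEncryptionType"] in WEAK_ETYPES


def weak_etype_requests(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Every (requester, SPN account, cipher) pair that should be reviewed."""
    return [(ev["TargetUserName"], ev["ServiceName"], WEAK_ETYPES[ev["TicketEncryptionType"]])
            for ev in events if is_roastable_request(ev)]


def burst_requesters(events: List[Dict[str, str]], window_minutes: int = 5,
                     min_distinct: int = 3) -> Dict[str, List[str]]:
    """Requesters that obtained weak tickets for >= min_distinct SPNs within one window."""
    per_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):      # sliding window anchored at each request
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_distinct:
                alerts[user] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for user, spn, cipher in weak_etype_requests(SAMPLE_4769):
        print(f"review: {user} obtained a {cipher} ticket for {spn}")
    for user, spns in burst_requesters(SAMPLE_4769).items():
        print(f"ALERT: {user} pulled weak tickets for {len(spns)} SPNs: {', '.join(spns)}")
```

RC4 tickets also show up from legitimately old clients, so baseline the environment before alerting on a single event; the burst rule is the higher-confidence signal. The fixes on the directory side are the ones this box lacks: no SPN on a privileged account such as Administrator, AES-only encryption for service accounts (`msDS-SupportedEncryptionTypes`), and long random passwords or group Managed Service Accounts so a captured ticket is not crackable in any useful time.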

Let's crack it using John the Ripper. I copied the TGS hash to a file called `hashes.kerberoast`:

```bash
john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast
```

<div align="left"><figure><img src="/files/kQoheO5Eowi3vLAQyLJg" alt=""><figcaption></figcaption></figure></div>

The cracked password is `Ticketmaster1968`.

To log in as the Administrator, we'll use another Impacket script, psexec. It works here because as Administrator we have write permission on the SMB shares, which psexec needs in order to upload its service binary.

<div align="left"><figure><img src="/files/393z8wP8vweeJWoZfmKn" alt=""><figcaption></figcaption></figure></div>

We can also use smbclient:

<div align="left"><figure><img src="/files/VPrsClplal99oVSrgKA9" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/vRS6y4tJmrtcUkKmSfNx" alt=""><figcaption></figcaption></figure></div>

I hope you found this walkthrough easy to understand and follow.

Greetings from [<mark style="color:red;">**Sayonara**</mark>](https://github.com/ismail-arame)

