Hack The Box: Active
What will you learn? This is a retired Windows machine with an easy-rated difficulty. It offers ample opportunity to enumerate SMB shares with and without credentials. It also features some good practice for AS-REP roasting to obtain a list of usernames on the target and Kerberoasting to obtain a hash for cracking in order to access other, more privileged users.
Let’s start enumerating the box:
Ports of interest that are open: 53, 88, 135/139, 389, 445
The open SMB port (445) is very interesting. We can run smbclient (or other tools) against it to see whether anonymous listing is available.
We’re able to connect to the ‘Replication’ share and pull all of its contents into a directory we create.
We have seven files that we need to read through. These could reveal cleartext credentials, encrypted credentials, usernames, or any information that could indicate a path forward for how we could obtain our initial foothold.
We can open the directory containing all of this content in Visual Studio Code to speed up our workflow by typing code . in the current working directory.
Going through all of the files, we can see that the file named Groups.xml has a username and an encoded password for us. We can work out how to decrypt the password stored in the cpassword field, but having the username svc_tgs is already a great find.
After looking up “How to decrypt cpassword” I realized that we can decrypt this using a tool called gpp-decrypt: https://github.com/t0thkr1s/gpp-decrypt
Kali may come with this by default. We can point it at our Groups.xml file or at the cpassword value directly, and it should return a cleartext password to use elsewhere. Note: I used the Kali Linux tool that was already installed; you can use the tool from GitHub too.
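From the defender's side, the lesson of Groups.xml is that any Group Policy Preferences file still carrying a cpassword attribute is a stored credential sitting in SYSVOL, readable by every domain user. The following audit script is an added example (not part of the original writeup); it walks a copy of SYSVOL and flags every GPP file that still holds a non-empty cpassword. The sample Groups.xml, its account names and its cpassword value are constructed placeholders.

```python
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# GPP files that can carry a cpassword attribute (Groups.xml is the one found on this box).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample modelled on a GPP Groups.xml; the cpassword value is a placeholder.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="EXAMPLE\\svc_tgs">
    <Properties action="U" cpassword="PLACEHOLDER_BASE64_CPASSWORD=="
                changeLogon="0" noChange="1" neverExpires="1" userName="EXAMPLE\\svc_tgs"/>
  </User>
  <User name="EXAMPLE\\helpdesk">
    <Properties action="U" cpassword="" userName="EXAMPLE\\helpdesk"/>
  </User>
</Groups>
"""

@dataclass
class Finding:
    source: str         # file path (or label) the element came from
    element: str        # XML tag carrying the cpassword attribute
    account: str        # account the preference item applies to, if stated
    has_password: bool  # True when cpassword is non-empty, i.e. a credential is stored

def find_cpasswords(xml_text: str, source: str = "<memory>") -> list[Finding]:
    """Return one Finding per element that carries a cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" in elem.attrib:
            # Different GPP item types name the account differently.
            account = elem.get("userName") or elem.get("runAs") or elem.get("accountName") or ""
            findings.append(Finding(source, elem.tag, account, bool(elem.get("cpassword"))))
    return findings

def audit_sysvol(root_dir: str) -> list[Finding]:
    """Walk a SYSVOL copy and report every GPP file that still stores a non-empty cpassword."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
    return [f for f in findings if f.has_password]
```

Every item reported by audit_sysvol should be removed from the policy and the affected account's password rotated, since the cpassword encryption is reversible with a published key.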
We can run netexec (crackmapexec but better) against the target machine with our credential pair svc_tgs:GPPStillStandingStrong2k18 to see if we can log in. We will notice that it fails, but we can try other things. There are no RDP, WinRM, or SSH ports open, so those options are ruled out.
If we use Impacket-GetADUsers.py we can obtain a list of users on the domain (the target).
We can also use these credentials to check whether we now have access to any more shares, again using netexec.
We can do the same thing as before: pull the share contents into our directory and examine them in Visual Studio Code.
We are able to obtain the user.txt file from the directories/files we pulled down.
With this credential pair we can attempt to Kerberoast against the domain controller. This will reveal the hash of the local administrator user.
We’re able to crack the hash with mode 13100 and obtain the cleartext password Ticketmaster1968.
Remembering that we have no access through RDP, SSH, or WinRM, we can still attempt to open a session through smbexec, wmiexec, or psexec, and we’re able to become the NT AUTHORITY\SYSTEM user on the box and root it.