✅ Active - Easy
The "Active" machine is categorized as an easy-level target, designed to exercise techniques such as SMB enumeration, exploitation of Group Policy Preferences (GPP) passwords, and Kerberoasting for privilege escalation within a domain. It is an excellent starting point for anyone beginning to learn about Active Directory.
Crackmapexec
SMBMap
SMBClient
gpp-decrypt
Psexec
The initial phase is verifying the target machine's connectivity. A simple ping yields useful details, such as the TTL (Time To Live), which often hints at the operating system: a TTL of 64 or less usually signifies a Linux system, whereas a TTL of 128 or less indicates a Windows system. Here we are dealing with a Windows system.
Following the connectivity check, an Nmap scan is run to identify open ports on the machine. I typically start by scanning for open ports using the -sS flag for a SYN ("stealth") scan, coupled with additional flags to speed up the scan.
After pinpointing the open ports, I conduct a more detailed scan using Nmap's built-in recon scripts to determine the versions and technologies associated with each port.
Given the plethora of open ports on the machine, a strategic approach is to begin with the most common ones, such as 445 (SMB), 135 (RPC), and 53 (DNS).
The first step in enumeration is listing SMB shares to identify accessible directories and potential user accounts. Various tools, including smbclient, smbmap, and crackmapexec, are commonly used for this purpose.
I started with Crackmapexec to gather information such as the domain and available shares.
From the compiled share information we see that we have read access to the Replication share. To explore this share further, we switch to smbclient, which lets us open a guest session, browse the share, and download its contents.
Download the Replication folder recursively, using mget inside smbclient (SMB):
Once we have the files locally, we can exit smbclient and run tree to visualize the folders and files. As you can see, there are several folders and files, but the interesting one is Groups.xml, which usually contains encrypted credentials that can be recovered in plain text.
Optional: if you struggle to get into the directory, you can use the following command to display its contents.
Upon securing the files locally, I executed the tree command to visualize the structure, where a file named Groups.xml stood out. Typically, this file contains credentials that, despite being encrypted, can be decrypted to plain text.
With the username and now-decrypted password in hand, we can verify these credentials using tools such as crackmapexec, moving one step closer to gaining meaningful access to the domain.
Now that we possess valid domain credentials, the logical next step is to attempt a Kerberoasting attack. This technique targets accounts that have a Service Principal Name (SPN) set: any authenticated user can request service tickets for them, and those tickets can then be cracked offline to reveal the service account passwords.
Performing a Kerberoasting Attack:
Important Considerations:
Ensure that your local system clock is synchronized with the Domain Controller (DC) to prevent potential time-skew issues which could cause the attack to fail.
Confirm that the domain active.htb is correctly mapped in your local /etc/hosts file. This step is crucial, as it allows your system to resolve the domain and communicate with the DC, avoiding common name-resolution problems during the attack.
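From the defender's side, a Kerberoasting run like the one described above shows up on the Domain Controller as a burst of Security event 4769 (service ticket requested) records for user-account SPNs with RC4 (0x17) encryption. The following detector is an added example, not part of the original writeup; the event records are constructed samples with the field names abbreviated (account, service, enc, status) and the threshold values are assumptions:

```python
from collections import defaultdict
from datetime import datetime

# Constructed 4769-style records (not real logs). "enc" mirrors the
# "Ticket Encryption Type" field and "status" the "Failure Code" (0x0 = success).
SAMPLE_4769 = [
    {"time": "2024-01-01T10:00:01", "account": "lowpriv@ACTIVE.HTB", "service": "Administrator", "enc": "0x17", "status": "0x0"},
    {"time": "2024-01-01T10:00:01", "account": "lowpriv@ACTIVE.HTB", "service": "svc_sql", "enc": "0x17", "status": "0x0"},
    {"time": "2024-01-01T10:00:02", "account": "lowpriv@ACTIVE.HTB", "service": "svc_backup", "enc": "0x17", "status": "0x0"},
    {"time": "2024-01-01T10:05:00", "account": "alice@ACTIVE.HTB", "service": "DC$", "enc": "0x12", "status": "0x0"},
    {"time": "2024-01-01T10:06:00", "account": "bob@ACTIVE.HTB", "service": "krbtgt", "enc": "0x12", "status": "0x0"},
]

RC4_HMAC = "0x17"  # encryption type most Kerberoasting tools request, since RC4 cracks fastest


def is_roastable_request(ev):
    """Successful RC4 service ticket for a user SPN (not a machine account, not krbtgt)."""
    svc = ev["service"]
    return (ev["enc"].lower() == RC4_HMAC and ev["status"] == "0x0"
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def detect_kerberoasting(events, window_seconds=60, min_services=3):
    """Return {account: [services]} for accounts that pull RC4 tickets for
    at least min_services distinct SPNs inside any window_seconds window."""
    by_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # slide the window over sorted requests
            seen = {svc for t, svc in reqs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(seen) >= min_services:
                alerts[account] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

The same logic applies to real exports once the field names are mapped; a single 4769 with RC4 for a user SPN from a domain where AES is the norm is already worth a look.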
Following the Kerberoasting attack, we have successfully acquired the password hash associated with the Administrator account. The subsequent phase involves cracking this hash to obtain the plaintext password. For this purpose, one can employ tools like Hashcat or John the Ripper. In this instance, I opted for John the Ripper, running on a local Windows machine and using the rockyou wordlist.
Upon obtaining the plaintext password from the hash, it is prudent to validate it. This can be done with the crackmapexec utility, a versatile tool for testing authentication over various protocols, including SMB.
With the output confirming that we indeed have the Administrator credentials, the next objective is to gain interactive access to the system. One common method is psexec, which lets us execute processes on another system, in this case to obtain a shell. Once the shell is secured, we can navigate the system and retrieve any flags or data necessary to complete the challenge.
An error occurred while trying to enumerate the file shares, prompting me to switch to smbmap, an effective alternative for this task. Smbmap reports the permissions on each share; in this case, I simply passed the -H flag to specify the host IP address, without a username or password, since I used a null (guest) session.
The contents of Groups.xml revealed a cpassword field with encrypted data. In the context of Group Policy Preferences, such passwords were once used to push local account settings and credentials across a domain. Despite being encrypted (AES-256), the scheme was flawed: Microsoft published the static decryption key in its own documentation, so anyone who can read SYSVOL can convert such passwords to plain text using tools like gpp-decrypt. Microsoft removed the ability to store new passwords this way with MS14-025 in 2014, but Groups.xml files created earlier remain in SYSVOL until an administrator deletes them, which is why they are still worth auditing.