# ✅ Active - Easy
***
> The "Active" machine on [HackTheBox ](https://app.hackthebox.com/machines/148)is categorized as an easy-level target, designed to put various techniques to the test, such as SMB Enumeration, exploitation of GPP Passwords, and Kerberoasting attacks for privilege escalation within a domain. It is an excellent starting point for those embarking on the journey of learning about Active Directory.
#### Tools:
* Crackmapexec
* SMBMap
* SMBClient
* gpp-decrypt
* Psexec
### Reconnaissance
The initial phase entails verifying the target machine's connectivity. A simple ping can yield essential details, such as the TTL (Time To Live), which often hints at the operating system. For instance, a TTL of 64 or less usually signifies a Linux system, whereas a TTL of 128 or less indicates a Windows system. Here, we're dealing with a Windows system.
```bash
ping -c 3 10.129.234.245
```
Following the connectivity check, a Nmap scan is initiated to identify open ports on the machine. I typically start by scanning for open ports using the **-sS** flag for a Stealth Scan, coupled with additional flags to expedite the scan.
```bash
nmap -sS -p- -Pn -n --min-rate 5000 10.129.234.245 -oG nmap/allports -vvv
```
After pinpointing the open ports, I conduct a more detailed scan using Nmap's built-in recon scripts to determine the versions and technologies associated with each port.
```bash
nmap -sVC -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49169,49173,49174 10.129.234.245 -oN nmap/targeted -vvv
```
Given the plethora of open ports on the machine, a strategic approach is to begin with the most common ones, such as 445 (SMB), 135 (RPC), and 53 (DNS).
#### Enumerating SMB Shares:
The first step in enumeration involved SMB shares to identify accessible directories and potential user accounts. Various tools, including **smbclient**, **smbmap**, and [C**r**](#user-content-fn-1)[^1]**ackmapexec**, are commonly utilized for this purpose.
I started with Crackmapexec to gather information such as the domain and available shares.
An error occurred while trying to enumerate the file shares, prompting me to switch to [**smbmap**](https://www.kali.org/tools/smbmap/), an effective alternative for this task. Smbmap provides detailed file permissions, and in this case, I simply passed the -H flag to specify the host and IP address, not providing a username or password since I utilized a null or guest session.
```bash
smbmap -H 10.129.234.24
```
With the compiled information about the shares, we learned that we have access to the Replication share. To further explore this directory, we'll switch to smbclient, enabling us to establish a guest session to access and download the contents of this share.
Download Replication folder recursively:
```bash
smbclient //10.129.234.245/Replication -N
```
Use `mget` to Download the Folder (SMB)
```bash
recurse
prompt off
mget *
```
Once, we have the files locally we can exit from smbclient and apply a tree to visualize the folders and files. As you can see have several folders and files, but something that looks interesting is the file called Groups.xml that usually contain encrypted credentials that we can get in plain-text.
***
**Optional:**
if you have struggle to get into the directory you can use the following command to display the contents.
```bash
tree -faus | grep Groups.xml | awk 'NF{print $NF}' | xargs cat
```
***
Upon securing the files locally, I executed a `tree` command to visualize the structure, where a file named `Groups.xml` stood out. Typically, this file contains credentials that, despite being encrypted, can be decrypted to plain text.
#### Decrypt the password
The contents of `Groups.xml` revealed a `cpassword` field with encrypted data. In the context of Group Policy Preferences, such passwords were once used to deliver settings and credentials across a domain. Despite being encrypted, the method was flawed—Microsoft published the decryption key, making it possible to convert such encrypted passwords to plain text using tools like [gpp-decrypt](https://www.kali.org/tools/gpp-decrypt/).
```bash
gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
```
```bash
GPPstillStandingStrong2k18
```
With the username and now-decrypted password in hand, we can proceed to verify these credentials using tools such as `crackmapexec`, moving one step closer to gaining meaningful access to the domain.
```bash
crackmapexec smb 10.129.234.245 -u SVC_TGS -p GPPstillStandingStrong2k18
```
### Exploitation
Now that we possess valid credentials, the logical next step is to attempt a Kerberoasting attack. This technique targets service accounts by requesting service tickets, which can then be cracked offline to reveal service account passwords.
**Performing a Kerberoasting Attack:**
```bash
GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
```
**Important Considerations:**
* Ensure that your local system clock is synchronized with the Domain Controller (DC) to prevent potential time-skew issues which could cause the attack to fail.
* Confirm that the domain `active.htb` is correctly mapped in your local `/etc/hosts` file. This step is crucial as it allows your system to properly resolve the domain and communicate with the DC, avoiding common network resolution problems during the attack.
#### Cracking Password Hash
Following the Kerberoasting attack, we have successfully acquired the password hash associated with the Administrator account. The subsequent phase involves cracking this hash to obtain the plaintext password. For this purpose, one can employ potent tools like Hashcat or John The Ripper. In this instance, I opted for John The Ripper, running on a local Windows machine and utilizing the comprehensive `rockyou` wordlist.
```PowerShell
.\john.exe -w:.\rockyou1.txt .\hash
```
Upon obtaining the plaintext password from the hash, it's prudent to validate this password to ensure its legitimacy. This can be accomplished using the `crackmapexec` utility, which is a versatile tool for testing authentication over various protocols, including SMB.
### Getting Access
With the output confirming that we indeed have the Administrator credentials, the next objective is to gain interactive access to the system. One common method to achieve this is by using `psexec`, which allows us to execute processes on another system, in this case, to obtain a shell. Once the shell is secured, we can navigate the system and retrieve any flags or data necessary to complete the challenge.
```bash
psexec.py active.htb/Administrator:'Ticketmaster1968'@10.129.234.245
```
[^1]:
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://alejandros-organization-8.gitbook.io/active/write-ups/active-easy.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.