HackTheBox Active Writeup

Reconnaissance

Enumeration

Exploitation

Windows Privilege Escalation

________________________________________

Reconnaissance

Run the nmapAutomator.sh script to automate the whole recon/enumeration process.

We can see that a number of ports are open, but the smbmap scan reveals that the Replication share has read access.

Enumeration

We can connect to Replication with smbclient, which is preinstalled on our attacking machine. We can see an interesting file named “Groups.xml” in “\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\”, and we can download this file with the get command.

Let's see what we have inside the file: it has a username and an encrypted password. If we google cpassword, we learn that it is GPP (Group Policy Password). To decrypt the GPP password we can use the preinstalled gpp-decrypt tool or the Gpprefdecrypt.py tool. Now let's decrypt the password.
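A defender-side audit for the exposure found in this step, added here as an example and not part of the original writeup: it scans a local copy of SYSVOL for GPP XML files that still carry a non-empty cpassword attribute and reports where, without printing or decrypting the value. The sample XML, the account names and the `find_cpasswords` / `scan_tree` helpers are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a GPP Groups.xml. Account names and the
# cpassword value are placeholders, not data taken from the box.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="EXAMPLE\\svc_backup" changed="2018-01-01 00:00:00">
    <Properties action="U" userName="EXAMPLE\\svc_backup"
                cpassword="CONSTRUCTED-PLACEHOLDER" neverExpires="1"/>
  </User>
  <User name="EXAMPLE\\cleaned" changed="2019-01-01 00:00:00">
    <Properties userName="EXAMPLE\\cleaned" cpassword=""/></User>
</Groups>"""

# Attributes that name the account in Groups, ScheduledTasks and Services XML.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")

def find_cpasswords(xml_data, source="<string>"):
    """Findings for non-empty cpassword attributes; the value is never returned."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return [{"source": source, "error": f"unparseable XML: {exc}"}]
    # Child -> parent map, so the parent's 'changed' timestamp can be reported.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        value = elem.get("cpassword", "")
        if not value.strip():
            continue  # attribute absent, or already blanked out
        parent = parents.get(elem)
        findings.append({
            "source": source,
            "element": elem.tag,
            "account": next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), ""),
            "changed": parent.get("changed", "") if parent is not None else "",
            "length": len(value),
        })
    return findings

def scan_tree(top):
    """Check every .xml file under a local, read-only copy of SYSVOL."""
    results = []
    for dirpath, _dirs, files in os.walk(top):
        for name in (f for f in files if f.lower().endswith(".xml")):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results += find_cpasswords(fh.read(), path)
    return results
```

Any finding means the stored password should be treated as exposed: rotate the account's password and delete the preference item, since every domain user can read SYSVOL.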

Exploitation

Let's log in with the username and password and grab the user flag.

In the nmap scan we can see that port 88 (Kerberos) was open. Since we own a user, we can go for Kerberoasting; if you don’t know about Kerberoasting, here is an explanation link. We will need GetUserSPNs.py to get the Administrator Kerberos ticket.

We can put the output into the hash.txt file.

Let's crack it with the hashcat tool. To look up what type of hash it is, the link is here.

Windows Privilege Escalation

We get the Administrator password “Ticketmaster1968”. To get administrator access we can use psexec.py from impacket.

We got the shell. The root flag is in “C:\Users\Administrator\Desktop”.
