Reconnaissance
Enumeration
Exploitation
Windows Privilege Escalation
________________________________________
Reconnaissance
Run the nmapAutomator.sh script to automate the whole recon/enumeration process.
We can see that a number of ports are open, and the smbmap scan reveals that the Replication share has read access.
Enumeration
We can connect to Replication through smbclient, which is pre-installed on our attacking machine. We can see an interesting file named “Groups.xml” in “\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\”; we can download this file by using the get command.
Let's see what we have inside the file.
It has a username and an encrypted password. If we google cpassword we learn that it is a GPP (Group Policy Preferences) password. To decrypt a GPP password we can use the pre-installed gpp-decrypt tool or the Gpprefdecrypt.py tool. Now let's decrypt the password.
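As an added example that is not part of the original writeup, here is the check an administrator would run from the defender's side: a script that flags any cpassword attribute in Group Policy Preferences XML. The attribute name and the Groups.xml location come from the text above; the sample file, the account name and the placeholder value are constructed.

```python
import os
import xml.etree.ElementTree as ET
from typing import Iterator, List, Tuple

# Constructed sample of a Group Policy Preferences Groups.xml as it would sit
# under SYSVOL\...\MACHINE\Preferences\Groups\. The account name and the
# cpassword value are placeholders, not real values.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="EXAMPLE\\svc_example" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDER_NOT_A_REAL_VALUE=="
                changeLogon="0" noChange="1" neverExpires="1"
                acctDisabled="0" userName="EXAMPLE\\svc_example"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text: str) -> List[Tuple[str, str]]:
    """Return (element tag, userName) for every element carrying a non-empty
    cpassword attribute. Any hit means a credential is sitting in a share
    every domain user can read: delete the preference item and rotate that
    account's password, because the encryption key is public."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.get("cpassword"):
            hits.append((elem.tag, elem.get("userName", "")))
    return hits


def scan_policies_dir(path: str) -> Iterator[Tuple[str, str, str]]:
    """Walk a copy of SYSVOL\\...\\Policies and yield (file, tag, userName)
    for every cpassword found. Groups.xml is the classic case, but
    Services.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml and
    Drives.xml can carry the attribute too, so every .xml file is checked."""
    for dirpath, _, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8-sig") as fh:
                    hits = find_cpasswords(fh.read())
            except (OSError, UnicodeDecodeError, ET.ParseError):
                continue  # unreadable or not well-formed XML: skip it
            for tag, user in hits:
                yield full, tag, user
```

Run `scan_policies_dir` against a mounted or copied SYSVOL tree; an empty result means no preference item still stores a cpassword.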
Exploitation
Let's log in with the username and password and grab the user flag.

In the nmap scan we can see that port 88 (Kerberos) was open. Since we own a user, we can go for Kerberoasting; if you don't know about Kerberoast, here is an explanation link. We will need GetUserSPNs.py to get the Administrator Kerberos ticket.
We can put the output into a hash.txt file.
Let's crack it with hashcat; to look up what type of hash it is, the link is here.
Windows Privilege Escalation
We get the Administrator password “Ticketmaster1968”. To get administrator access we can use psexec.py from impacket.

We got the shell; the root flag is in “C:\Users\Administrator\Desktop”.