Active is a retired vulnerable machine running Windows; the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We perform a network scan with nmap to identify the target machine.
Classic Scan
Full Port Scan
After the network scan I realize that the target is an Active Directory (AD) machine, and we find the domain name active.htb. We saved this domain in the /etc/hosts file.
First we performed DNS enumeration using the nslookup and dnsrecon tools, but we didn't get any results.
We proceed to the SMB enumeration step.
As a result of SMB enumeration we saw the ADMIN$, C$, IPC$, NETLOGON, Replication, SYSVOL and Users shares, and we could connect to the Replication share.
Here we enumerate the files in the share.
The Groups.xml file draws our attention; we download it with the get command.
In older versions of Windows, Group Policy Preferences allowed passwords and other sensitive information about local groups to be stored in an XML file called "Groups.xml".
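As an added audit example, not part of the original writeup: a Python script that scans Group Policy Preference XML for stored cpassword attributes, the weakness described above. It generalises slightly beyond Groups.xml to the other preference files that use the same attribute (Services, ScheduledTasks, DataSources, Drives) and skips empty values. The sample XML, the second account name and the cpassword placeholder are constructed.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the Group Policy Preferences layout; the cpassword value is a
# placeholder, not the real blob from the Active machine.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS" changed="2018-07-18 20:46:06">
    <Properties action="U" userName="active.htb\\SVC_TGS"
                cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" neverExpires="1"/>
  </User>
  <User name="active.htb\\svc_other" changed="2018-07-18 20:50:00">
    <Properties action="U" userName="active.htb\\svc_other"/>
  </User>
</Groups>
"""

# Attribute names under which Groups, Services, ScheduledTasks, DataSources and Drives
# preference files record the account a cpassword belongs to.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_stored_gpp_passwords(xml_text, source="<string>"):
    """One finding per Properties element with a non-empty cpassword attribute.
    Any such value is effectively cleartext: Microsoft published the AES key that
    protects it, so report it as an exposed credential rather than a hash."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for child in parent:
            cpassword = child.get("cpassword")
            if child.tag != "Properties" or not cpassword:
                continue  # no attribute, or the empty value some editors leave behind
            account = next((child.get(a) for a in ACCOUNT_ATTRS if child.get(a)), "?")
            findings.append({"source": source, "item": parent.get("name", parent.tag),
                             "account": account, "changed": parent.get("changed", "?"),
                             "cpassword_length": len(cpassword)})
    return findings

def audit_sysvol(root_dir):
    """Walk a SYSVOL copy (or the Replication share pulled above) for *.xml files."""
    results = []
    for dirpath, _, files in os.walk(root_dir):
        for name in (n for n in files if n.lower().endswith(".xml")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig") as fh:
                try:
                    results.extend(find_stored_gpp_passwords(fh.read(), path))
                except ET.ParseError:
                    pass  # not every XML under SYSVOL is a preference file
    return results
```

Running audit_sysvol over a copy of the Replication or SYSVOL share reports every account whose preference item still carries a cpassword, which is the item to remove or reset.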
We obtained a hashed password for the user active.htb\SVC_TGS and searched online for how to crack it.
Let's crack the hash using the gpp-decrypt tool.
We got the password GPPstillStandingStrong2k18.
active.htb/SVC_TGS : GPPstillStandingStrong2k18
Let's connect using these credentials.
This is how we got the user flag.
The next step is to run the BloodHound tool to detect vulnerabilities that exist in the AD.
Then we load these JSON files into BloodHound.
We didn’t get any valuable information.
We have a username and password, so let's try Kerberoasting using GetUserSPNs.py.
Let's save this hash and try to crack it with john.
We cracked the password of the Administrator user: Ticketmaster1968.
Here we connect using the psexec.py tool:
psexec.py active.htb/Administrator:Ticketmaster1968@active.htb
This is how we got the root flag.