Active is a vulnerable Windows machine among the retired machines; the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We perform a network scan with nmap to identify the target machine.
Classic Scan

Full Port Scan

After the network scan, we see that the target is an AD machine and identify the domain name active.htb. We saved this domain in the /etc/hosts file.
First we performed DNS enumeration using the nslookup and dnsrecon tools, but we didn’t get any results.

We proceed to the SMB enumeration step.

As a result of SMB enumeration we saw the shares ADMIN$, C$, IPC$, NETLOGON, Replication, SYSVOL and Users; the one we could connect to was Replication.
Here we enumerate the files.
The Groups.xml file draws our attention; we download it with the get command.
In previous versions of Windows, Group Policy Preferences allowed passwords and other sensitive information about local groups to be stored in an XML file called “Groups.xml”.
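From the defender's side, the same weakness can be audited by checking a copy of SYSVOL for preference files that still carry a stored password. The following is an added example, not part of the original write-up: the function names and the sample XML are constructed, and it assumes the password sits in a `cpassword` attribute, as it does in GPP preference files.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a GPP Groups.xml (not data from the target).
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="EXAMPLE\\svc_demo" changed="2018-01-01 00:00:00">
    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER" userName="EXAMPLE\\svc_demo"/>
  </User>
  <User name="EXAMPLE\\clean" changed="2018-01-02 00:00:00">
    <Properties action="U" cpassword="" userName="EXAMPLE\\clean"/>
  </User>
</Groups>"""

def find_cpassword(xml_bytes, source="<inline>"):
    """Return one finding per element with a non-empty cpassword attribute."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []  # not well-formed XML, nothing to report
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        value = elem.get("cpassword")
        if not value:
            continue  # attribute absent or empty: no stored secret
        owner = parents.get(elem, elem)
        findings.append({
            "file": source,
            "account": elem.get("userName") or owner.get("name", "?"),
            "changed": owner.get("changed", "?"),
            "length": len(value),  # report the size only, never the value
        })
    return findings

def scan_tree(top):
    """Walk a local copy of SYSVOL and check every .xml file."""
    results = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            if name.lower().endswith(".xml"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results += find_cpassword(fh.read(), path)
    return results

if __name__ == "__main__":
    for finding in find_cpassword(SAMPLE):
        print(finding)
```

MS14-025 stops new passwords from being stored this way but does not remove existing files, so any finding means deleting the preference item and rotating that account's password.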

We obtained a hashed password for the user active.htb\SVC_TGS and searched online for how to crack it.

Let’s break the hash using the gpp-decrypt tool.

We got the password GPPstillStandingStrong2k18.
active.htb/SVC_TGS : GPPstillStandingStrong2k18
Let’s connect using these credentials.

This is how we got the user flag.
The next step is to run the BloodHound tool to look for vulnerabilities in the AD.

Then we load these JSON files into BloodHound.

We didn’t get any valuable information.
We have a username and password, so let’s try Kerberoasting using GetUserSPNs.py.

Let’s save this hash and try to crack it with john.

We cracked the password of the Administrator user: Ticketmaster1968.
Here we connect using the psexec.py tool:
psexec.py active.htb/Administrator:Ticketmaster1968@active.htb

This is how we got the root flag.

