Introduction
Today I explore Active from HTB, an OSCP-like box featuring a great approach to SMB enumeration with SMBClient and CrackMapExec (CME). I started by running an AutoRecon scan, which showed me LDAP, Kerberos and SMB running.
I have mentioned AutoRecon in every guide, so look at my previous posts for more information.
SMBClient shows a share, Replication, available as Read. I use CME to verify:

Running CME shows I can read Replication with null authentication.
I log in with SMBClient using the --no-pass flag and look around the directories. Eventually I find Groups.xml, which I pull to my local machine. Inside is a cpassword, which I decrypt with the help of gpp-decrypt. For more information regarding cpasswords go HERE.


Finding Groups.xml and a password.
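The cpassword found above is the Group Policy Preferences weakness from a defender's side: any GPP XML left in SYSVOL with a cpassword attribute is a stored credential that should be removed and rotated. The following audit script is an added example, not part of the original write-up; it parses GPP files for cpassword attributes (no decryption) and runs over a constructed Groups.xml sample.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# GPP file names that can carry a cpassword attribute (Groups.xml is the one on Active).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_cpassword_entries(xml_text: str) -> List[Dict[str, str]]:
    """Return one record per element that carries a non-empty cpassword attribute."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        cp = elem.get("cpassword")
        if not cp:
            continue  # attribute absent or empty: nothing stored here
        # Different GPP item types name the account differently.
        account = (elem.get("userName") or elem.get("accountName")
                   or elem.get("runAs") or "?")
        hits.append({"element": elem.tag, "account": account,
                     "cpassword_len": str(len(cp))})
    return hits


def audit_sysvol(sysvol: Path) -> List[Dict[str, str]]:
    """Walk a SYSVOL tree (or an offline copy) and report every cpassword occurrence."""
    findings = []
    for path in sysvol.rglob("*.xml"):
        if path.name not in GPP_FILES:
            continue
        try:
            # GPP files are usually UTF-8 with a BOM; utf-8-sig strips it.
            for hit in find_cpassword_entries(path.read_text(encoding="utf-8-sig")):
                hit["file"] = str(path)
                findings.append(hit)
        except (ET.ParseError, UnicodeDecodeError):
            continue  # not parseable XML; skip rather than abort the audit
    return findings


# Constructed sample in the layout of a Groups.xml file; the cpassword value is a placeholder.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="svc_example">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="PLACEHOLDER_NOT_A_REAL_CIPHERTEXT" changeLogon="0"
      noChange="1" neverExpires="1" acctDisabled="0" userName="svc_example"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for hit in find_cpassword_entries(SAMPLE_GROUPS_XML):
        print(f"cpassword stored for {hit['account']} in <{hit['element']}>")
```

Point `audit_sysvol` at a mounted or copied SYSVOL to list every file and account still affected.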
Using the password found, I use GetUserSPNs.py to obtain the Administrator hash, which I crack with the help of john.

GetUserSPNs.py grabbing the Administrator account's hash.

Using john to crack the krb5tgs hash and recover the password.
Using the Administrator password, CME and Invoke-PowerShellTCP.ps1 from nishang, I get a shell on the box and root:


Using the Admin creds alongside CME and Invoke-PowerShellTCP to launch a shell.

HTB Active proof (not clean), as the & parameter kept dropping the shell.
