ACTIVE
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Active, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu/
2 - ENUMERATION
- Active's IP is 10.10.10.100:

- Scanning with Nmap:

- So we have a Microsoft Windows Server 2008 R2 SP1 running Active Directory with the domain active.htb.
- Also, as we will see later, the fact that Active has a Kerberos server running on port 88 is of crucial importance.
- Because port 445 is open we run enum4linux to enumerate SMB and detect potential shared folders:


- The share Replication allows Anonymous login, and it is probably a replica of SYSVOL.
- SYSVOL stores the Group Policy Preferences, which hold information about the users and groups of the network, so it will be a promising attack vector.
3 - EXPLOITATION
- Let's access /Replication with smbclient and Anonymous login:

- Listing content:


- Inside Policies there are two folders:

- Going with the first one:

- Inside /MACHINE/Preferences/Groups there is the file Groups.xml associated with the Group Policy Preferences (GPP):



- Also, /Replication could be explored recursively in this way:

- Anyway, downloading and reading Groups.xml:


- So we have found the userName and the cpassword attributes.
- cpassword is the name of the attribute that stores passwords in a Group Policy Preferences item:


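As an added defender-side check that is not part of the original write-up, the following Python audits a copy of SYSVOL (or of the Replication share) for the cpassword attribute described above, across all the Group Policy Preferences files that can carry it; the account attribute names and the sample Groups.xml are constructed for this example.

```python
import os
import xml.etree.ElementTree as ET

# Group Policy Preferences files that can carry a cpassword attribute
# (the weakness this write-up exploits via Groups.xml; see MS14-025).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attributes that name the account a cpassword belongs to, across file types.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

# Constructed sample in the shape GPP writes under MACHINE\Preferences\Groups.
# The account name and cpassword are placeholders, not values from a real GPO.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="example.local\\svc_example">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="example.local\\svc_example"/>
  </User>
</Groups>
"""

def find_cpassword_entries(xml_text, source="<inline>"):
    """Return one finding per element that carries a cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "")
        findings.append({"file": source, "element": elem.tag, "account": account,
                         # An empty cpassword means the stored password was already cleared.
                         "has_value": bool(elem.attrib["cpassword"])})
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL (or Replication share) copy and collect cpassword findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:  # GPP files often carry a BOM
                    findings.extend(find_cpassword_entries(fh.read(), path))
            except ET.ParseError:
                findings.append({"file": path, "element": "<unparseable>",
                                 "account": "", "has_value": None})
    return findings
```

Any finding with has_value set to True is a GPO that still ships a recoverable password and should be removed and the account's password rotated.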
- Let's store these credentials for later usage:

- The script Gpprefdecrypt.py decrypts the cpassword attribute that holds the local user's password:



- Applying gpprefdecrypt.py over cpassword:

- Connecting again with smbclient, now with the newly obtained credentials:

- Listing content:

- ldapsearch with this rather involved command yields the active accounts of the Active Directory:
https://www.openldap.org/software//man.cgi?query=ldapsearch&apropos=0&sektion=1&manpath=OpenLDAP+2.4-Release&format=html

- Also, GetADUsers.py is useful to enumerate the Active Directory user accounts:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetADUsers.py


4 - CAPTURING THE 1st FLAG
- Going to the user SVC_TGS home folder:

- Getting and reading user.txt we are able to read the 1st flag:



5 - PRIVILEGE ESCALATION
- However, access to the Administrator home folder is denied, so we need privilege escalation:

- As we saw before, the Nmap scan showed the Kerberos service running on port 88.
- The Kerberoasting attack was the subject of Tim Medin's presentation Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades at DerbyCon 2014.
https://www.scip.ch/en/?labs.20181011
- The attack involves an effective method that allows normal domain users to get their hands on credentials for service accounts.
- This attack is most likely to succeed when service accounts have weak passwords.
- Kerberoasting works by extracting the hash of the Kerberos TGS (Ticket Granting Service) ticket reply, which is encrypted with the NTLM password hash of the service account.
- Kerberos uses Service Principal Names (SPN) to identify an account associated with a service instance.
- The Python script GetUserSPNs.py is able to extract ticket hashes for Service Principal Names that are associated with normal user accounts:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py

- Downloading the script and giving execution permissions:

- Options -request and -dc-ip will be used:


- After launching GetUserSPNs.py the hash for user Administrator is extracted:

- Storing the hash in a text file:

- Now, to crack the hash either John the Ripper or hashcat can be used (locally or online):

- Finally we have the cracked password Ticketmaster1968 for the Administrator:

- The Metasploit psexec module is able to get a System shell:


- An alternative to Metasploit for getting a System shell is the Python script wmiexec.py:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py


6 - CAPTURING THE 2nd FLAG
- Reading root.txt:
