Nmap
Like always, I’m going to scan the IP Address by using nmap but I’m going to scan the full port first. Then, I’m going to scan the only open ports.
# Nmap 7.95 scan initiated Sun Feb 2 22:53:51 2025 as: /usr/lib/nmap/nmap -sCV -p135,139,3268,3269,389,445,464,47001,49152,49153,49154,49155,49157,49158,49165,49166,49168,53,5722,593,636,88,9389 -oN nmap/scripts.txt 10.10.10.100Nmap scan report for 10.10.10.100Host is up (0.042s latency).
PORT STATE SERVICE VERSION53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)| dns-nsid:|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-02 14:37:32Z)135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn Microsoft Windows netbios-ssn389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)445/tcp open microsoft-ds?464/tcp open kpasswd5?593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0636/tcp open tcpwrapped3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)3269/tcp open tcpwrapped5722/tcp open msrpc Microsoft Windows RPC9389/tcp open mc-nmf .NET Message Framing47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)|_http-title: Not Found|_http-server-header: Microsoft-HTTPAPI/2.049152/tcp open msrpc Microsoft Windows RPC49153/tcp open msrpc Microsoft Windows RPC49154/tcp open msrpc Microsoft Windows RPC49155/tcp open msrpc Microsoft Windows RPC49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.049158/tcp open msrpc Microsoft Windows RPC49165/tcp open msrpc Microsoft Windows RPC49166/tcp open msrpc Microsoft Windows RPC49168/tcp open msrpc Microsoft Windows RPCService Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:| smb2-time:| date: 2025-02-02T14:38:27|_ start_date: 2025-02-02T14:31:50| smb2-security-mode:| 2:1:0:|_ Message signing enabled and required|_clock-skew: -16m26s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .# Nmap done at Sun Feb 2 22:55:02 2025 -- 1 IP address (1 host up) scanned in 71.08 seconds
The Nmap scan was completed, revealing a large number of open ports on the target machine. Based on the ports, it appears that this machine is part of an Active Directory
environment.
Nmap also identified the domain name as active.htb
, which I added to my /etc/hosts
file.
add domain to /etc/hosts
SMB: Smbmap
Next, I enumerated SMB
. The first step was to check share permissions using smbmap
with anonymous access. It turned out that the Replication
share had READ ONLY
permissions.
smbmap check share permission
SMB: Smbclient-ng
I connected to the share using smbclient-ng. Inside the share, I ran the tree
command, which showed a large number of directories. To avoid manually browsing, I downloaded all the files using the get -r
command.
smbclient-ng download files
Groups.xml
After examining the downloaded files, I found credentials in a file named Groups.xml
. At first, I wasn’t sure what this file was for.
After some research, I came across this blog, which explained that it is a configuration file for domain-attached machines using Group Policy
. The file contained a cpassword
field with an encrypted string (Microsoft encrypts it using AES
).
group policy file
Gpp-decrypt
I continued researching and found a blog about decrypting GPP
. Using gpp-decrypt
, I successfully decrypted the password.
gpp-decrypt
Now that I had valid credentials, I went back to SMB
to check whether I could log in. Surprisingly, I was able to access many additional shares.
mbmap with creds
After enumerating all accessible shares, I didn’t find anything particularly interesting. However, I did find the first flag, which is user.txt
.
found user flag
LDAP: Ldapsearch
Since I found nothing valuable on SMB
, I moved on to LDAP
. I enumerated all users and found that there weren’t many accounts on the machine.
ldapsearch enum users
At this point, I got stuck. Since this machine was retired, I checked the official writeup, which showed that I could enumerate users using impacket-GetADUsers
. As a reference for myself, here’s the screenshot:
impacket-GetADUsers
Kerberoasting
I wasn’t familiar with kerberoasting
, but I found this article explaining it. Based on my understanding (I could be wrong):
Explanation
When a domain user requests a TGS
ticket from the KDC
for a service registered with an SPN
, the KDC
responds with KRB_TGS
. This ticket can be cracked offline.
The official writeup showed how to find users with SPN
using ldapsearch
. I ran the following command:
ldapsearch -x -H 'ldap://10.10.10.100' -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(serviceprincipalname=*/*))" serviceprincipalname | grep -B 1 servicePrincipalName
ldapsearch enum SPN
The results showed that the Administrator
account was configured with an SPN
. I used impacket-GetUserSPNs
to request a TGS
ticket and saved the output to kerberoast.hash
.
However, I encountered an error: "KRB_AP_ERR_SKEW (Clock skew too great)"
. To fix this, I synchronized my machine’s time with the target using sudo ntpdate -u 10.10.10.100
command. After that, I reran the command, and it was successful.
request TGS
PsExec
I cracked the hash using hashcat
with the rockyou.txt
wordlist. It successfully cracked the password.
hashcat crack TGS
Finally, I logged into the administrator account using impacket-psexec
. I was now inside as NT AUTHORITY\SYSTEM
.
login as administrator