
Active, the 28th machine I attempted on HackTheBox, is a relatively easy box but with some bits that you can learn if you don’t know much about exploiting Active Directory and Kerberos.
User Access
I started, as I always do, with the nmapautomator script that the wonderful 21yfd made available on GitHub and shared in the HTB forums. It’s a great time-saving tool and gives you a good start on your scans.
We can guess from the name of the machine that this will likely be an Active Directory based machine, perhaps with some Kerberos involvement.
The initial scan confirmed that the Kerberos server port is in use, as well as DNS, SMB, LDAP and a few others. Our suspicions may well have been correct.

As the scan continues, it searches for available documents/pages on ports that may be serving web services, but finds nothing. The automated vulnerability scanning also returns nothing. On this occasion, nothing obvious jumped out from nmapautomator.
EXCEPT
smbmap returns the following:

After looking through folder after folder, eventually we stumble across groups.xml in the folder Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
This XML file provides us with a username and a password, though the password is encrypted.

This can be decrypted using gpp-decrypt, which comes as standard with Kali Linux. The AES key Microsoft used to protect these GPP cpassword values is publicly documented, which is why the decryption is trivial.

Taking a guess based on the available shares, we can try the Users SMB share with these new credentials. Access is granted, and the user flag is attainable from within here.
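The groups.xml finding above is the classic Group Policy Preferences credential leak: any domain user can read SYSVOL, so a stored cpassword is effectively a plaintext password. The audit script below is an added example (not part of this writeup or of any tool it mentions) that walks a copy of a SYSVOL or Replication share and reports every GPP XML file still storing a cpassword, including the other preference types (scheduled tasks, services, drives, data sources, printers) that carry the same attribute. The sample XML files, the account name ACTIVE\svc_backup, the GPO GUID folder name and the cpassword values are constructed placeholders; only active.htb\SVC_TGS comes from the writeup. Files with an empty cpassword are skipped because they store no secret.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Attribute names that carry the account a GPP cpassword belongs to
# (Groups/Drives/Printers use userName, ScheduledTasks use runAs,
# Services use accountName, DataSources use username).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

# Constructed sample files, shaped like GPP preference XML. The cpassword
# values are placeholders, not the real encrypted value from the box.
SAMPLE_GROUPS_XML = r"""<Groups>
  <User name="active.htb\SVC_TGS">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
"""

SAMPLE_TASKS_XML = r"""<ScheduledTasks>
  <Task name="nightly-backup">
    <Properties action="C" runAs="ACTIVE\svc_backup" cpassword="PLACEHOLDER_CPASSWORD"/>
  </Task>
</ScheduledTasks>
"""

# A mapped drive with an empty cpassword stores no secret and must not be reported.
SAMPLE_DRIVES_XML = r"""<Drives>
  <Drive name="H:">
    <Properties action="U" path="\\dc\home" userName="" cpassword=""/>
  </Drive>
</Drives>
"""


def find_cpasswords_in_xml(xml_text, path="<string>"):
    """Return one finding per non-empty cpassword attribute in a GPP XML document."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if not elem.attrib.get("cpassword"):
            continue  # attribute absent, or cpassword="" (cleared): nothing stored
        owner = parents.get(elem, root)  # the User/Task/Drive element around <Properties>
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if elem.attrib.get(a)), None)
        findings.append({
            "path": path,
            "type": owner.tag,
            "name": owner.attrib.get("name", ""),
            "account": account or owner.attrib.get("name", ""),
        })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL (or Replication share) copy and report every stored cpassword."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".xml"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8-sig") as fh:  # GPP files often carry a UTF-8 BOM
                try:
                    findings.extend(find_cpasswords_in_xml(fh.read(), full))
                except ET.ParseError:
                    continue  # not every XML under SYSVOL is a well-formed preference file
    return findings


def build_demo_tree():
    """Write the constructed samples into a temporary tree laid out like SYSVOL."""
    base = tempfile.mkdtemp(prefix="sysvol_demo_")
    prefs = os.path.join(base, "Policies", "{EXAMPLE-GPO-GUID}", "MACHINE", "Preferences")
    layout = {
        os.path.join(prefs, "Groups", "Groups.xml"): SAMPLE_GROUPS_XML,
        os.path.join(prefs, "ScheduledTasks", "ScheduledTasks.xml"): SAMPLE_TASKS_XML,
        os.path.join(prefs, "Drives", "Drives.xml"): SAMPLE_DRIVES_XML,
    }
    for full, text in layout.items():
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return base


if __name__ == "__main__":
    for f in scan_sysvol(build_demo_tree()):
        print(f"{f['path']}: {f['type']} {f['name']!r} stores a cpassword for {f['account']!r}")
```

Point scan_sysvol at a mounted or copied SYSVOL to get the list of GPOs that still need cleaning up; the remediation is to delete the preference items that set passwords and rotate the accounts they name, since the patched GPMC only stops creating new cpassword entries and leaves old ones in place.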

Privilege Escalation
Going back to the beginning, where we noted that the name of the box suggested Active Directory with some Kerberos involvement: the privilege escalation is the Kerberos part.
The first thing we need to do is add the line “10.10.10.100 active.htb” to our /etc/hosts file. This will allow us to directly reference active.htb without needing to use its IP address. Then we will use the GetUserSPNs script from impacket to request a Kerberos service ticket for the administrator account, which can then be cracked offline (the technique known as Kerberoasting).
Using the command “locate impacket” returns the result we need (amongst a huge amount of others).

We then run “./impacket-GetUserSPNs -request active.htb/SVC_TGS” (for more info on this, run “./impacket-GetUserSPNs” without arguments, which will show you the different switches available) and enter the password we gained earlier (GPPstillStandingStrong2k18) to get the service ticket hash for the administrator account.

We can then save this to a file and run it through a password cracker. In this case, it was saved to admin.txt and John was used as the password cracker, with the infamous “rockyou.txt” as the wordlist.

This returns the plaintext password “Ticketmaster1968”. This can then be used in smbclient to access different shares with the admin user, or can be used with a tool such as psexec.py to gain a shell.
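From the defender's side, the GetUserSPNs -request step above leaves a distinctive trace: Windows Security Event ID 4769 (a Kerberos service ticket was requested) is logged on the domain controller for every ticket, and Kerberoasting tools ask for RC4 (etype 0x17) tickets for user-owned SPNs, usually several in quick succession. The script below is an added example, not from this writeup or from impacket, showing two detection rules over such events: a single-event rule for an RC4 ticket issued for a non-machine, non-krbtgt service account, and a burst rule that flags one requester pulling RC4 tickets for several distinct services inside a short window. The event records are constructed samples reduced to the fields the rules need (field names are my own, not the raw 4769 XML); the user jsmith, the svc_* service accounts, the timestamps and the IP addresses are all made up, and only SVC_TGS and the active.htb domain come from the writeup.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype requested by Kerberoasting tools; AES is 0x11 / 0x12

# Constructed sample of Event ID 4769 records. In 4769 the service name is the
# account that owns the SPN, so machine accounts end with "$" and TGT renewals
# show up as requests for "krbtgt". Times are ISO-8601 without timezone.
SAMPLE_4769 = [
    {"time": "2024-01-01T20:45:00", "user": "jsmith@ACTIVE.HTB",  "service": "DC$",        "etype": "0x12", "ip": "10.10.10.50"},
    {"time": "2024-01-01T20:45:10", "user": "jsmith@ACTIVE.HTB",  "service": "krbtgt",     "etype": "0x12", "ip": "10.10.10.50"},
    {"time": "2024-01-01T20:45:30", "user": "jsmith@ACTIVE.HTB",  "service": "svc_print",  "etype": "0x17", "ip": "10.10.10.50"},
    {"time": "2024-01-01T20:46:01", "user": "SVC_TGS@ACTIVE.HTB", "service": "svc_sql",    "etype": "0x17", "ip": "10.10.14.5"},
    {"time": "2024-01-01T20:46:02", "user": "SVC_TGS@ACTIVE.HTB", "service": "svc_web",    "etype": "0x17", "ip": "10.10.14.5"},
    {"time": "2024-01-01T20:46:03", "user": "SVC_TGS@ACTIVE.HTB", "service": "svc_backup", "etype": "0x17", "ip": "10.10.14.5"},
]


def is_rc4_ticket_for_user_account(ev):
    """Single-event rule: an RC4 service ticket for a user-owned SPN.

    Machine accounts and krbtgt are excluded because their keys are random
    and not crackable, so RC4 tickets for them are noise, not Kerberoasting.
    """
    service = ev["service"]
    return (int(ev["etype"], 16) == RC4_HMAC
            and not service.endswith("$")
            and service.lower() != "krbtgt")


def find_kerberoast_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Burst rule: one requester (user, source IP) obtains RC4 tickets for at
    least `threshold` distinct user-owned services within `window`. A tool
    that requests every SPN it can see produces exactly this pattern; a legacy
    client talking to one RC4-only service does not."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_rc4_ticket_for_user_account(ev):
            by_requester[(ev["user"], ev["ip"])].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = []
    for (user, ip), hits in by_requester.items():
        hits.sort()  # chronological; tuples sort by time first
        for i, (start, _) in enumerate(hits):
            services = {svc for t, svc in hits[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts.append({"user": user, "ip": ip,
                               "first_seen": start.isoformat(),
                               "services": sorted(services)})
                break  # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for ev in SAMPLE_4769:
        if is_rc4_ticket_for_user_account(ev):
            print(f"RC4 ticket for user-owned SPN: {ev['user']} -> {ev['service']} at {ev['time']}")
    for alert in find_kerberoast_bursts(SAMPLE_4769):
        print(f"Kerberoast burst: {alert['user']} from {alert['ip']} "
              f"requested {alert['services']} starting {alert['first_seen']}")
```

The single-event rule fires on the lone svc_print request as well, which is why the burst rule exists: on a real network the first rule is a hunting query, the second is an alert. The reason rockyou.txt cracks the ticket in this box is the weak password, so the mitigations are on the account side: long random passwords or group managed service accounts for anything with an SPN, and restricting those accounts to AES via msDS-SupportedEncryptionTypes so the RC4 request is refused and logged.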

The root flag can then be reached at C:\Users\Administrator\root.txt

And that’s it! I learnt about Kerberos token hijacking while doing this machine and I hope it has been helpful for you too. Get in touch and let me know.

