Active — HTB Walkthrough

Nmap scan

LDAP Enumeration

Got nothing juicy in ldapsearch.

Enum4Linux

We see a Replication share in the SMB enumeration done by enum4linux.

Logging in directly with smbclient doesn’t work, so we will try accessing the Replication share with smbclient.

Now we know that Groups.xml, if left unattended, can store passwords. Let’s get the file to our system and see its contents.

On smbclient
On attacker machine
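From the defender’s side, the same weakness is easy to audit: any Group Policy Preferences file in SYSVOL that still carries a non-empty cpassword attribute is a stored credential that should be removed. The script below is an added example written for this walkthrough, not part of the original post or any tool it mentions; the Groups.xml it parses is a constructed sample with a made-up domain and a placeholder cpassword value.

```python
import os
import xml.etree.ElementTree as ET
# GPP item files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

# Constructed sample shaped like a GPP Groups.xml: the domain is made up and the
# cpassword value is a placeholder string, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="EXAMPLE\\SVC_TGS" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDER-CPASSWORD-BLOB"
                neverExpires="1" userName="EXAMPLE\\SVC_TGS"/>
  </User>
  <User name="localadmin">
    <Properties action="C" cpassword="" userName="localadmin"/>
  </User>
</Groups>
"""

def find_gpp_credentials(xml_text):
    """Return one finding per element whose cpassword attribute is non-empty."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpassword = elem.get("cpassword")
        if not cpassword:
            continue  # absent or empty: no credential stored on this item
        findings.append({"element": elem.tag,
                         "user": elem.get("userName") or elem.get("accountName") or "<unknown>",
                         "cpassword_length": len(cpassword)})
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL copy and map each GPP file that stores a credential to its findings."""
    report = {}
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    hits = find_gpp_credentials(fh.read())
                if hits:
                    report[path] = hits
    return report

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for a SYSVOL replica
        os.makedirs(os.path.join(tmp, "Preferences", "Groups"))
        with open(os.path.join(tmp, "Preferences", "Groups", "Groups.xml"), "w") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        print(scan_sysvol(tmp))
```

Point scan_sysvol at a copy of the domain’s SYSVOL (or the Replication share seen above) to list every policy file that still embeds a credential; the fix is to delete the preference item and rotate the affected account’s password.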

Great, we see we have the password of svc-tgs, ticket granting system maybe?? So I first tried to pass it to winrm directly as a hash, but it didn’t work, so we need to decrypt it somehow.

1) You can do this using the Kali tool gpp-decrypt

OR

2) Get-GPPassword.ps1 for windows

I did it using Kali as follows

Username: SVC_TGS && Password: GPPstillStandingStrong2k18

Trying the SMB login worked

It gave us User.txt

Get user.txt to your machine

Now, as hinted by the name, it is a service ticket granting service account. Why not just try kerberoasting???

Let’s crack the Administrator hash we got, using john

Use rockyou.txt as the wordlist

Password is Tickermaster1968 for Administrator

I used psexec.py from impacket

We are root; you can get the root flag at C:/Users/Administrator/Desktop/root.txt

ROOTED!!!!
