# HackTheBox-Active ## Rustscan ```bash PORT STATE SERVICE REASON VERSION 88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2021-05-14 04:03:39Z) 135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn 389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? syn-ack ttl 127 464/tcp open kpasswd5? syn-ack ttl 127 593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped syn-ack ttl 127 49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49157/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC ``` ## PORT 139/445 (SMB) We can try to anonnmyously login to see how many smb shares are there So let's try one by one which share we can access We have access to `Replication` share Using `smbget` download everything I spend time going over to directories here and there and found a XML file called `Groups.xml` Here we can see service account `SVC_TGS` and a encrypted password so I searched for Groups.xml file and straight away the results came for decrypting password , referring to this article https://myexploit.wordpress.com/groups-xml/ So this file is called Group policy preference file which has the stored encrypted password for a user at the of user creation and it's encrypted with AES256 but it's public is available in the documentation so there are many tools and scripts that can decrypt this password ,I used the command `gpp-decrypt ` which is a built in tool found in kali linux We can see it's a valid password but it didn't showed the status "Pwned!" so I think we can't get a shell with this so we can use `Python bloodhound injestor` to gather information about AD environment https://github.com/fox-it/BloodHound.py ``` python3 bloodhound.py -d 'active.htb' -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -gc 'active.htb' -c all -ns 10.10.10.100 ``` Put all these json files in an archive and import it to Bloodhound GUI, drag and drop the archive file into GUI Running the query `Find all Domain Admins` we can see the results which means those json files are imported On running the query `List All Kerberoastable Users` we can see there's an Administrator account so using the credentials we found we can get the TGT(Ticket Granting Ticket) hash To crack this hash I will be using `hashcat ` , since we need to specify the mode of hash I am going to search for krb5tgs hash mode https://hashcat.net/wiki/doku.php?id=example_hashes And we will just for the hash to be cracked Now again let's check this password with crackmapexec We get a "Pwned" status it means we can get a shell now , but before that let's see if we can dump hashses as `Administrator` has DCsync rights meaning to replicate AD information so we can dump hashes from file called NTDS.dit which holds hashes of all users in AD And it looks like we can ,so let's just get a shell with `psexec.py` as SYSTEM