Active - 10.10.10.100
Target Enumeration:
OS: Windows
IP: 10.10.10.100
User: 86d67d8ba232bb6a254aa4d10159e983
Root: b5fc76d1d6b91d77b2fbf2d54d0f708b
Ports / Services / Software Versions Running
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2018-12-17 17:16:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
49182/tcp open msrpc Microsoft Windows RPC
Vulnerability Exploited:
Anonymous SMB login to the Replication share
Decrypt the cpassword from Groups.xml
Log in as the low-privileged user.
Privilege Escalation:
GetUserSPNs.py allows you to grab the admin's Kerberos hash
Cracking the hash allows you to log in with psexec as the administrator
Exploiting the host:
Nmap
LDAP, Kerberos and DNS mean it could be an AD box.
SMB Map
Log in with smbclient to the “Replication” share
Grab the Groups.xml file, which can contain a cpassword on 2008 systems
Cat the file to get the encrypted cpassword
Grep the cpassword value and pipe it into gpp-decrypt
User is active.htb\SVC_TGS:GPPstillStandingStrong2k18
Logging in over SMB with psexec does not work
Try enumerating other shares as the user
Can log in and download user.txt
Grab the admin's hash using GetUserSPNs.py from impacket.
Crack it with hashcat
Admin's password is Ticketmaster1968
Once the admin's password is discovered, log in with psexec and grab the root flag
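As an added defensive example (not part of the original write-up): a Python audit that walks a local copy of SYSVOL and flags Group Policy Preferences files that still carry a non-empty cpassword, which is the condition the Groups.xml step above depends on. The function names, placeholder GUID directories, sample XML and the account attribute names checked besides userName are assumptions made for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preferences files that could store a cpassword attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}

def find_cpasswords(root_dir):
    """Report elements with a non-empty cpassword (length only, never the value)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in (f for f in sorted(files) if f.lower() in GPP_FILES):
            path = os.path.join(dirpath, name)
            try:
                elements = list(ET.parse(path).iter())
            except (ET.ParseError, OSError):
                findings.append({"file": path, "error": "unparseable"})
                continue
            for elem in elements:
                attrs = {k.lower(): v for k, v in elem.attrib.items()}  # casing varies
                if attrs.get("cpassword"):  # empty means already cleared
                    account = (attrs.get("username") or attrs.get("runas")
                               or attrs.get("accountname") or "")
                    findings.append({"file": path, "account": account,
                                     "cpassword_len": len(attrs["cpassword"])})
    return findings

def build_sample(root):
    """Write a constructed SYSVOL-like tree; GUIDs and values are placeholders."""
    samples = {
        "{CONSTRUCTED-GUID-1}/MACHINE/Preferences/Groups/Groups.xml":
            '<Groups><User name="SVC_TGS"><Properties cpassword="CONSTRUCTED" '
            'userName="active.htb\\SVC_TGS"/></User></Groups>',
        "{CONSTRUCTED-GUID-2}/MACHINE/Preferences/Services/Services.xml":
            '<NTServices><NTService name="svc"><Properties cpassword="" '
            'accountName="LocalSystem"/></NTService></NTServices>',
    }
    for rel, body in samples.items():
        path = os.path.join(root, "Policies", *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(find_cpasswords(tmp))
```

Any finding means the policy should be removed or rebuilt without a stored password and the named account's password rotated, since every domain user can read SYSVOL.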