# Active

## Active - 10.10.10.100

### Target Enumeration:

OS: Windows

IP: 10.10.10.100

User: 86d67d8ba232bb6a254aa4d10159e983

Root: b5fc76d1d6b91d77b2fbf2d54d0f708b

### Ports / Services / Software Versions Running

```
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2018-12-17 17:16:59Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
49182/tcp open  msrpc         Microsoft Windows RPC
```

### Vulnerability Exploited:

Anonymous SMB login to the Replication share

Decrypt the cpassword from Groups.xml

Log in with the low-privilege user.

### Privilege Escalation:

GetUserSPNs.py allows you to grab the admin's Kerberos hash.

Cracking the hash allows you to log in with psexec as the administrator.

### Exploiting the host:

Nmap

![](https://lh4.googleusercontent.com/Cryyt5rjC86vg1wvDbx8ywq32b7h2LNu9YOzhRxRBT2LNPx_HOOXr-zy_de9AJYmbfyGE75upQOb0uil8qwEzkDXjRry3q1tihC0q8PcUKW_iLC67dL3JlPAPm-QXBAlM5OWSxVu)

LDAP, Kerberos and DNS together suggest this is an Active Directory box.

SMB Map

<div align="left"><img src="https://lh4.googleusercontent.com/n07uTIFUEsqp3mkSSV7H63A1kwrA9kczPRFFOhBBGeqou_1SAdtbNPUAR1lfhK8Uxk5OL1zWM7cUNn4SGGm4GtqCy1f6fHGCuuvZzejQReu20OrgLW4tYpnAwynvkcduCkNkCFrF" alt=""></div>

Logging in with smbclient to the “Replication” share

![](https://lh5.googleusercontent.com/WDH11XCDZBZ6xPtBDyhqYxehOBrLWtMtUdkkKnzdLhdjNpx0ixdA0bDJbRnRjg5NC6ItCC6q-8_wJqneNvVUmy30PUt1MtBzGrrHzIBnvamHYArzjleDxV4uqzn_oqIcpgb7GnSY)

Grab the Groups.xml file, which can contain a cpassword (a Group Policy Preferences password encrypted with a key Microsoft published) on 2008 systems.

![](https://lh6.googleusercontent.com/jVie4I6BNU6Us5pKBI7sqcs8gLl5dW1vM7Tv11LB4BGEOyFFKIbEjBEjhKx4cpCxgO7UzILWxeZrYrsJGOVkj-gi-QVHmy8n_vG0NE6hkBF_Ri5yPZ0HVAnVIYMv9LmBUQk3qhd_)

Cat the file to get the encrypted cpassword value

![](https://lh4.googleusercontent.com/o9Tl8fZnhny4pbLShHhgH6nlRUwYgBDpg0480yAoTvOUALg7_nLPkwjTKcvH11BAM40NPgI0y_CCGU3CGocVxnZxtv7tQfQviioHBEYK93fv78YJ0WJttuvDeEnVKbUyg1sZXut8)

Grep out the cpassword value and pipe it into gpp-decrypt

![](https://lh4.googleusercontent.com/Qj_rRKfSKI0BmKWCEm54jhOFssUYsnuVRoq6j3rOViC0nLVaUNgZ03tbGZMr4qNK0Qx8pem8J391gydFm2453mKLSfi-pH7_TQducs-TFrfQbhmvCMcZWXjWfa5SHf7j6ZwRUf6J)

User is active.htb\SVC_TGS:GPPstillStandingStrong2k18
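From the defender's side, the fix for the cpassword step above is to find every Group Policy Preferences file in SYSVOL that still stores one. This is an added audit script, not code from the writeup; the Groups.xml sample is constructed and its cpassword is a placeholder, and the SYSVOL path layout in `demo()` is assumed.

```python
"""Audit Group Policy Preference XML in SYSVOL for stored cpassword values.
Added example, not the writeup's code. MS14-025 stopped new cpassword entries
from being written but does not remove old ones, so existing files must be
found and cleaned. The sample Groups.xml below is constructed (placeholder value).
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP files that may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample modelled on the Groups.xml layout (placeholder cpassword).
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="SVC_TGS">
    <Properties action="U" userName="active.htb\\SVC_TGS" cpassword="PLACEHOLDER=="/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="cleared">
    <Properties action="U" userName="active.htb\\cleared" cpassword=""/>
  </User>
</Groups>
"""

def find_cpasswords(xml_text, source):
    """Return one finding per element carrying a non-empty cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if cpw:  # cpassword="" means the stored password was already cleared
            account = elem.get("userName") or elem.get("accountName") or "?"
            findings.append({"file": source, "tag": elem.tag,
                             "account": account, "cpassword_len": len(cpw)})
    return findings

def audit_sysvol(root):
    """Walk a SYSVOL tree and audit every GPP file known to carry cpassword."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
    return findings

def demo():
    """Write the sample into an assumed SYSVOL-style layout and audit it."""
    with tempfile.TemporaryDirectory() as root:
        gpp_dir = os.path.join(root, "Policies", "{GUID}", "MACHINE", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return audit_sysvol(root)
```

Run `audit_sysvol()` against a copy of the domain's SYSVOL share; any finding means the stored password should be removed and the account's password rotated.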

Logging in with psexec over SMB as this user does not work

![](https://lh6.googleusercontent.com/WzcjeiMnrIBHgsfii-LCpzeiosQQsvaFEdxEZ2GaYuVW2ns5TdyAaqhEl4akThq0jwGUlh4mkLtqmlK4diGm0XmJ_SzcWjqzDWbyUG0RowMgPoKszTFClyIUhtBWSxI8FvwPsMcM)

Enumerating the other shares as this user, we can log in and download user.txt

<div align="left"><img src="https://lh6.googleusercontent.com/9eBO5XQug6fc10EHlKZjuz0XPCP7kyf2eGmM0Yezvi6KTtAG-3LqjdWs5_m0hkBsnSP88_08hl7mWJ3fe0qkT1nygRYdOrXTeWAijrJEPvdJmzWz6OmVtfVUMAsCiwk-JZ2QW_cp" alt=""></div>

Grab the admin's Kerberos hash using GetUserSPNs.py from Impacket.

![](https://lh3.googleusercontent.com/S1E-lgTzpOW6deUXQFiwPFesCOmtbCnx5teX7AJAci_dZdzd_nYIvnUOuZFdCZqBquu2O75is-QsSMDljxZZi_wIQ9qAngR2xOaCzJdzoga-9JdP_4xQ02HPj8j4P1duGjb6UVlA)

Crack it with hashcat

![](https://lh3.googleusercontent.com/gn8pqdcq_GrHhm_0Kaf4ERs1kWUXV21YWYuUsE32j2IiEbg3KrbvHcdyHSBmBQk2Z6q3MZOB9crQ0JQbwqPiCWMlaZ2kl7EgAOzkVK0Bs-a4Vy9zub7VrfUh42FY8nQ5cM14ZR3M)

Admin's password is Ticketmaster1968
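The ticket request behind the GetUserSPNs.py step above shows up on the domain controller as Security event 4769, and that is where a defender catches it. This is an added detection example, not code from the writeup; the event records are constructed (service names other than Administrator, the client IPs and the thresholds are assumptions).

```python
"""Flag likely Kerberoasting in Windows Security event 4769 records.
Added example, not from the writeup. Signals: a service ticket for a service
running under a user account (not a machine account, not krbtgt) issued with
RC4 encryption (type 0x17), which is what classic tooling such as
GetUserSPNs.py requests, and one client pulling many such tickets quickly.
Events below are constructed; field names follow event 4769."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
WINDOW = timedelta(minutes=5)
MANY_SPNS = 3  # distinct user-account services from one client inside WINDOW

EVENTS = [  # constructed records with only the fields the detection needs
    {"time": "2018-12-17T17:20:01", "IpAddress": "10.10.14.5",
     "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2018-12-17T17:20:02", "IpAddress": "10.10.14.5",
     "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2018-12-17T17:20:03", "IpAddress": "10.10.14.5",
     "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2018-12-17T17:25:00", "IpAddress": "10.10.10.20",
     "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
]

def is_roastable_request(ev):
    """RC4 ticket for a user-account service: the single-event signal."""
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0" and ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def detect_kerberoast(events):
    """Return (client_ip, user, services) per client with >= MANY_SPNS in WINDOW."""
    by_client = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roastable_request(ev):
            by_client[ev["IpAddress"]].append(ev)
    alerts = []
    for ip, evs in by_client.items():
        for i, first in enumerate(evs):  # sliding window over this client's requests
            start = datetime.fromisoformat(first["time"])
            cluster = [e for e in evs[i:]
                       if datetime.fromisoformat(e["time"]) - start <= WINDOW]
            spns = sorted({e["ServiceName"] for e in cluster})
            if len(spns) >= MANY_SPNS:
                alerts.append((ip, first["TargetUserName"], spns))
                break  # one alert per client is enough for triage
    return alerts
```

On a domain where service accounts support AES, any 0x17 ticket for a user-account service is worth a look on its own; the window count matters more on legacy domains where RC4 is still common.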

Once the admin's password is recovered, log in with psexec and grab the root flag

![](https://lh5.googleusercontent.com/c_tE5zXTpPq1BHsD6Fgldht-wy4lWnFlPDlL6EgHHdKGTjDDZ6obFtSijnfehElozbpZN4A9sGsnLMSSI2jk6TaYd6mPRaqBwVnYVG2Ns2e-gl40kK4j3zeFiVmYBgPkjkYYWMEy)
