Active HTB - Writeup
doing some AD practice, so here's a write-up for an easy box from HTB - Active! first we enumerate the ports, which are very typical of an AD machine: the most interesting one is SMB, as we can try a null-session authentication and potentially access a share.
enum4linux shows that there is a share which allows anonymous access.
through further enumeration of that share, we find a Group Policy Preferences XML file that contains credentials for SVC_TGS (a service account).
the password in that file is stored as a cpassword value encrypted with a key that Microsoft itself published, so we can simply use gpp-decrypt (already included in Kali) to parse the XML file and recover the plaintext password of the service account.
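from the defender's side, the same weakness is found by auditing SYSVOL for preference files that still carry a cpassword attribute. the script below is an added example and not part of the original write-up: it flags such entries (without decrypting anything) and covers the other GPP file types that use the same attribute, not only the Groups.xml case seen on this box; the sample XML, including the cpassword value, is constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample modelled on a GPP Groups.xml; the cpassword value is a
# placeholder, not a real encrypted blob. The account name mirrors the box.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDER_ENCRYPTED_VALUE"
                changeLogon="0" noChange="1" neverExpires="1"
                acctDisabled="0" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

# Attribute that names the account in the different GPP preference files
# (Groups/Drives/Printers use userName, Services use accountName,
# ScheduledTasks use runAs, DataSources use username).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpassword_entries(xml_text: str, source: str = "<string>") -> list:
    """Return one finding per element that carries a cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "")
        findings.append({
            "source": source,
            "element": elem.tag,
            "account": account,
            # An empty cpassword is harmless; a non-empty one is a finding.
            "has_value": bool(elem.attrib["cpassword"]),
        })
    return findings


def scan_sysvol(root_dir: str) -> list:
    """Walk a SYSVOL copy (or any directory) and check every .xml file in it."""
    findings = []
    for path in Path(root_dir).rglob("*.xml"):
        try:
            # GPP files are often written with a BOM, hence utf-8-sig.
            findings.extend(find_cpassword_entries(path.read_text(encoding="utf-8-sig"), str(path)))
        except ET.ParseError:
            continue  # not a preference file or malformed: skip, don't crash the audit
    return findings


if __name__ == "__main__":
    for f in find_cpassword_entries(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f['source']}: <{f['element']}> account={f['account']!r} has_value={f['has_value']}")
```

run scan_sysvol against a copy of \\domain\SYSVOL (or the extracted Replication share) to list every policy that still ships a stored credential.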
using these credentials, we can now access more shares of the SMB
smbclient //active.htb/Users -U active.htb/svc_tgs
in here we find the user.txt
as we now have valid domain credentials but no access to the machine itself, we can try Kerberoasting: with any domain account we can request service tickets for accounts that have an SPN set, and the encrypted part of each ticket gives us a hash of that account's password that we can try to crack offline.
Kerberos rejects requests when the clock skew between client and DC is too large (more than 5 minutes by default), which prevented the Kerberoast from working normally, so I used ntpdate to set my clock to the machine's time.
and we've found a hash for the Administrator user!
now all that's left is to put it into hashcat (mode 13100 is Kerberos 5 TGS-REP):
sudo hashcat -m 13100 Administrator.hash /usr/share/wordlists/rockyou.txt --force
and there we have it! now we just have to access the Users share with the Administrator user and grab root.txt.