We start with the usual 'nmap -sC -sV -oA ./Active 10.10.10.100':
Ok. This thing has everything open. The 4 that jump out at me are 389/3268 running LDAP and 139/445 running SMB. Add DNS and the fact that nmap says this is a Windows Server 2008 R2 SP1, and we are looking at a Domain Controller.
All KINDS of scenarios are running through my head. Pass-the-Hash attacks, Kerberoasting, and Golden Tickets raining down from the Heavens! Ok. Enough daydreaming. Back to work!! If we SMB to the box, we are given 6 directories.
We can only get to one of them: smb://10.10.10.100/Replication. Navigating around in there, we eventually come to a Groups.xml file.
Great! Now we have a password hash for SVC_TGS, which in Windows domains is Ticket Granting Service. This is definitely going to be a Kerberos exploit box. A little bit of Google-Fu and we find https://pentestlab.blog/tag/cpassword/ for cracking the hash.
Running that nice little Ruby script, we get the TGS password of GPPstillStandingStrong2k18.
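As a defender-side complement to the Groups.xml finding above, here is an added Python example (not from the write-up or the linked blog) that scans Group Policy Preferences XML for cpassword attributes, the thing a SYSVOL audit should be hunting for; the sample XML and its placeholder cpassword value are constructed.

```python
# Added example (not from the write-up): hunt for Group Policy Preferences
# cpassword attributes in SYSVOL XML such as the Groups.xml found on this box.
# The XML below is a constructed sample; the cpassword is a placeholder value.
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import NamedTuple

SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_BASE64_CPASSWORD" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

class Finding(NamedTuple):
    source: str          # file path or label the XML came from
    element: str         # element carrying the credential, e.g. Properties
    user_name: str       # account the preference configures
    has_cpassword: bool  # False when the attribute is present but empty

def scan_gpp_xml(xml_text: str, source: str = "<inline>") -> list[Finding]:
    """One Finding per element with a cpassword attribute. All GPP file types
    (Groups, Services, ScheduledTasks, Drives, ...) use it, so one check fits all."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" in elem.attrib:
            user = (elem.attrib.get("userName") or elem.attrib.get("runAs")
                    or elem.attrib.get("accountName", ""))
            # Report empty values too: the preference was still set up to push a password.
            findings.append(Finding(source, elem.tag, user,
                                    bool(elem.attrib["cpassword"])))
    return findings

def scan_sysvol(root_dir: str) -> list[Finding]:
    """Walk a SYSVOL copy (for example a mounted Replication share)."""
    results = []
    for path in Path(root_dir).rglob("*.xml"):
        try:
            results.extend(scan_gpp_xml(path.read_text(encoding="utf-8-sig"), str(path)))
        except ET.ParseError:
            continue  # not every XML under SYSVOL is a preference file
    return results

if __name__ == "__main__":
    for f in scan_gpp_xml(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f.source}: <{f.element}> for {f.user_name} has cpassword={f.has_cpassword}")
```

Point scan_sysvol at a local copy of the Policies directory and any non-empty hit is a credential that should be removed from the GPO and rotated.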
The TGS has some pretty max level privileges. Let's see if we can SMB to some of the other shares now.
Great! We can SMB to the Users folder. On the Desktop of SVC_TGS is the User flag. 1 down; 1 to go. We still can't get into the Administrator's folder. A little bit more Google-Fu and we come across a Knock and Pass Kerberos Exploit - ms14-068 https://wizard32.net/blog/knock-and-pass-kerberos-exploitation.html, or we can trust impacket. In the examples folder of impacket is a GetUserSPNs.py script. Before we run that script, we need to make sure our attacking machine can acknowledge that active.htb exists. To do this, we modify our /etc/hosts file. EDIT: If you are running the Kali 2020.1 VM, you will need to sudo vi instead of just vi. vi /etc/hosts and then add these lines.
From there, we can run Impacket.
Ladies and gents, we have an Administrator hash. From here, we can either try to impersonate the user, we can try to pass the hash (not sure if that would work in this case), or we can try and crack the hash. I'm lazy. Let's take the easy route and crack it with hashcat.
hashcat -a 0 -m 13100 [hash] rockyou.txt
Ticketmaster1968. Let's get this root flag. It can be done with smbclient or directly from the File Manager. I used File Manager. The Domain field is pretty irrelevant. For me, it worked with both WORKGROUP and ACTIVE.HTB. However, when I went back to grab screenshots, only WORKGROUP would work. So, watch out for that little "gotcha" moment.