#018: HTB - Active
It’s been a little since I did one of the rooms on TJ Null’s OSCP prep list, so today I made a return with the Active room from Hack the Box. Got an nmap scan going to start things off.
Well, we have all sorts of open ports to check out here, so let’s just dive in. I listed the SMB shares out and tried accessing each of them. Under the Replication share there are some files we can grab. These files appear related to GPOs in the environment. We can see a username and password hash inside of Groups.xml.
We also have this Registry.pol file. When I tried to read the contents it is a bit garbled, but I can see it mentions an Administrator user. I did a quick search and it looks like Registry.pol files may contain sensitive info. I saw online you can use the program reglookup to read .pol files on Linux, but this failed to open for me. I made a note to loop back to this file and moved on to trying to crack that user hash we found. I couldn’t seem to find a way to crack this hash type though.
I didn’t notice one on Hashcat’s list that seemed like it would work. I tried identifying it with dCode’s cipher identifier, which thought it could be base64-encoded, but that wasn’t the case. I started searching different things trying to figure out what to do with this password when I stumbled across this article. They mention using a tool called gpp-decrypt.
This worked to get us the SVC_TGS account password. I decided to try to use these credentials to finish checking out the SMB shares, starting with the Users folder this time. We were able to get in and take note that the only other user is Administrator. Moving into our account’s user folder we can find our first flag on their desktop.
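The Groups.xml value that gpp-decrypt handled is a Group Policy Preferences cpassword, which is why no hashcat mode fits it: it is reversible encryption, not a hash. The defender-side check is to audit SYSVOL for any GPP XML that still carries a cpassword attribute. The script below is an added example, not part of the original post or of any tool it mentions; it builds a small constructed SYSVOL-style tree in a temp directory (the GPO GUID, the cpassword value and the second Drives.xml file are all made up placeholders) and reports every element that still stores a cpassword, across all of the GPP file types that can carry one.

```python
"""Audit Group Policy Preference XML files for leftover cpassword attributes.

Added example (not from the original post). Point find_cpasswords() at a real
SYSVOL mount to list the files and accounts that need the preference removed;
the sample tree built here is constructed and contains only placeholder values.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP file types that can store a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample: a user preference with a placeholder (not real) cpassword.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDER_ENCRYPTED_VALUE"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

# Constructed sample with no stored credential; must not be reported.
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\\\fileserver\\share" letter="S" useLetter="1"/>
  </Drive>
</Drives>
"""


def find_cpasswords(root_dir):
    """Return (relative path, element tag, account) for every GPP element
    under root_dir whose Properties node carries a non-empty cpassword."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fname in filenames:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # skip a malformed file but keep auditing the rest
            for parent in tree.iter():
                for props in parent.findall("Properties"):
                    if not props.get("cpassword"):
                        continue
                    # The account attribute differs per file type (Groups.xml
                    # uses userName, Services.xml accountName, tasks runAs,
                    # DataSources.xml username); fall back to the parent name.
                    account = (props.get("userName") or props.get("accountName")
                               or props.get("runAs") or props.get("username")
                               or parent.get("name") or "<unknown>")
                    rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
                    findings.append((rel, parent.tag, account))
    return findings


def build_sample_sysvol():
    """Write the constructed sample files into a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="sysvol_sample_")
    gpo = os.path.join(root, "Policies", "{PLACEHOLDER-GPO-GUID}", "MACHINE",
                       "Preferences")
    os.makedirs(os.path.join(gpo, "Groups"))
    os.makedirs(os.path.join(gpo, "Drives"))
    with open(os.path.join(gpo, "Groups", "Groups.xml"), "w") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    with open(os.path.join(gpo, "Drives", "Drives.xml"), "w") as fh:
        fh.write(SAMPLE_DRIVES_XML)
    return root


def audit_sample():
    """Run the audit over the constructed tree and return its findings."""
    return find_cpasswords(build_sample_sysvol())


if __name__ == "__main__":
    for rel_path, tag, account in audit_sample():
        print(f"cpassword still stored: {rel_path} ({tag} -> {account})")
```

Any finding means the preference should be deleted from the GPO and the account's password rotated, since the encrypted value is recoverable by anyone who can read SYSVOL, which is every domain user.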
That’s cool, but now I’m feeling a bit stuck. I spent some time reviewing the nmap results and looking into various things. I noticed I hadn’t added active.htb to my /etc/hosts file yet, so I did that, but the domain still didn’t resolve to a site. I did some of the Guided Questions to help get me on track. Task 6 mentions Kerberoasting, which I don’t have much experience with. They say to check out GetUserSPNs.py from Impacket though, so let’s start there.
This ended up being a bit of a rabbit hole for me. I am very new to Python (just started Codecademy’s Learn Python 3 course a few weeks ago) and wasn’t entirely sure how to use all the Impacket modules. These two articles helped me though, The Hacker Tools and this one from Dahiya-Aj. Now that it’s installed we can start using GetUserSPNs.py. After quite a bit of tweaking there too, I finally got it to run and discovered the Administrator user’s hash.
The output file contains a really long hash type I wasn’t familiar with, so I began by looking at Hashcat’s reference sheet. Based on this and some quick googling I thought we were working with an NTLM hash. I discovered this was wrong after hashcat modes 5500 and 5600 didn’t work. I changed my Google search and tried again. This time I found this post in a hashcat forum where I see they used module 13100 for a hash that looks very similar to ours. After checking the description for this mode, “Kerberos 5, etype 23, TGS-REP”, I’m kicking myself that I missed that originally. But it’s all learning, so that’s good.
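The “etype 23” in that mode description is the detection hook on the blue-team side: etype 23 is RC4-HMAC, and a Kerberoast request asks the KDC for RC4 service tickets so the resulting TGS-REP is cheap to crack. On a domain controller each service-ticket request lands in Security event 4769 with a TicketEncryptionType field, so RC4 (0x17) tickets for user-account SPNs, especially several different SPNs from one source in a row, stand out. The script below is an added example, not part of the original post; it runs over a handful of constructed 4769 lines in the flat key=value form many log forwarders emit (the IPs, account names other than SVC_TGS and Administrator, and the status codes are made up), and returns both the individual RC4 requests and the sources that requested tickets for multiple SPNs.

```python
"""Flag possible Kerberoasting in Security event 4769 records.

Added example (not from the original post). The sample lines are constructed;
real events would be pulled from the DC's Security log or a SIEM.
"""
import re
from collections import defaultdict

RC4_HMAC = 0x17  # Kerberos etype 23, the encryption type hashcat mode 13100 cracks

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # Low-privilege account requesting an RC4 ticket for a user-account SPN.
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator "
    "TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x0",
    # Same source, second distinct SPN: the spraying pattern of a roast.
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=sql_svc "
    "TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x0",
    # Machine account service: not crackable in practice, ignored.
    "EventID=4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ "
    "TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x0",
    # Normal AES (0x12) ticket from a workstation, ignored.
    "EventID=4769 TargetUserName=alice@ACTIVE.HTB ServiceName=DC$ "
    "TicketEncryptionType=0x12 IpAddress=::ffff:10.10.10.50 Status=0x0",
    # Single RC4 request from another host: reported, but below the spray threshold.
    "EventID=4769 TargetUserName=alice@ACTIVE.HTB ServiceName=sql_svc "
    "TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.50 Status=0x0",
    # Failed request (non-zero status) never produced a ticket, ignored.
    "EventID=4769 TargetUserName=bob@ACTIVE.HTB ServiceName=web_svc "
    "TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.51 Status=0xe",
    # Different event (TGT request), ignored.
    "EventID=4768 TargetUserName=bob@ACTIVE.HTB ServiceName=krbtgt "
    "TicketEncryptionType=0x12 IpAddress=::ffff:10.10.10.51 Status=0x0",
]


def parse_event(line):
    """Turn a flat 'key=value key=value' record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_rc4_service_ticket(ev):
    """True for a successful 4769 that issued an RC4 ticket for a user-account
    SPN (krbtgt and machine accounts ending in '$' are excluded)."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    if int(ev.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
        return False
    service = ev.get("ServiceName", "")
    return service.lower() != "krbtgt" and not service.endswith("$")


def rc4_service_ticket_requests(lines):
    """Every individual RC4 user-SPN ticket request, as parsed events."""
    return [ev for ev in map(parse_event, lines) if is_rc4_service_ticket(ev)]


def suspicious_sources(lines, min_services=2):
    """Map source IP -> sorted SPNs for sources that pulled RC4 tickets for at
    least min_services distinct user-account SPNs."""
    by_source = defaultdict(set)
    for ev in rc4_service_ticket_requests(lines):
        by_source[ev["IpAddress"]].add(ev["ServiceName"])
    return {ip: sorted(s) for ip, s in by_source.items() if len(s) >= min_services}


if __name__ == "__main__":
    for ev in rc4_service_ticket_requests(SAMPLE_EVENTS):
        print(f"RC4 ticket: {ev['TargetUserName']} -> {ev['ServiceName']} from {ev['IpAddress']}")
    for ip, spns in suspicious_sources(SAMPLE_EVENTS).items():
        print(f"possible Kerberoast from {ip}: {', '.join(spns)}")
```

Baseline first: a domain with service accounts that only have RC4 keys will produce 0x17 tickets legitimately, so the single-event rule is noisy there, while the per-source spray count stays useful. The lasting fix is the one the event points at: long random passwords (or gMSAs) for accounts with SPNs and AES-only Kerberos where the applications allow it.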
Sure enough, using the right hashcat mode gets us the password! Earlier we saw that SMB was sharing the Administrator user’s folder, so let’s try smbclient again with our new credentials. There we find our final flag. This room was really fun and a good introduction to using Impacket tools and Kerberoasting, especially since Windows AD environments are a weaker area for me at the moment.