Hack The Box — Active

Eslam Akl
5 min readDec 20, 2020

Hey folks, we have a great machine today form HackTheBox which will let us deal with Active Directory and Kerberos so let’s start with its info

As you can see it’s near to real life challenges, so it’s really great :) Let’s get started…

Nmap scan

At the first we will check its open ports and services to know more about our target by using namp -A -T4 -oG active.gnmap

We have a bunch of open ports here and also more services. Note that we have more services which related to Active Directory like Kerberos, so we should figure out that this machine is Domain Service.

Also, note that we don’t have port 80 is open, so we will deal with only servers, we don’t have any website here so let us focus on smb ports 139/445

SMB Enumeration

At first, we will try to list all directories from smb server by using smbclient or smbmapsmbmap -H

And as you can see here we have only anonymous login and access to READ ONLY the Replication Disk

Let us use smbmap again to list all files and directories content from this Disk Replicationsmbmap -H -R Replication

And at the end of this list you will find this directory Groups

Now we will login to the server and discover it’s content by using smbclientsmbclient //

Into the Groups directory you will find Groups.xml file which we need to know it’s content, but you’re into smb server which don’t managed you to read files so we will download it to our local machine by using get <file-name>

Let’s open it…

Good, we have username and password but the password is hashed, so we will use gpp-decrypt to crack the hash, and we’ve the password now :)

Okay, let’s use the username and the password to know the user privileges → smbmap -u username -p password -H server-ip

We have READ ONLY access over 4 disks so let’s list the Users disk using the same method we listed the Replication disk → smbmap -H -u username -p password -R Users

And you will find at the end of the results

Also, you should notice that the SVF-TGS directory is accessible for us but the Administrator is getting ACCESS_DENIED

Let’s download this file with new method without getting into the server by using smbmapsmbmap -H -u username -p password -R Users -A user.txt -q and you will get it into your local directory

Good, now we get user.txt Let’s search for root.txt

If you return to the nmap results you should notice that we have kereros service is running on open port

Kerberos is the authentication system for the Active Directory system, knwo more about it from here

Now we need to grab the admin account’s password to access the Administrator directory and to do that we should know about Kerberoasting

At the first let us use GetUserSPN python script to get the TGS which used by the Kerberos to give the user a permission to access custom service

python3 GetUserSPN.py -request -dc-ip <server-ip> domain/username:password

You must understand Kerberosting to know why we want this ticket

Here we get the ticket, but it’s hashed and the type of the hash is Kerberos 5 TGS-REP etype 23 as you can see

source: https://hashcat.net/wiki/doku.php?id=example_hashes

So we will crack it by using hashcathashcat -m 13100 -a 0 hashed_password /path/to/wordlist

So now we have the password of the admin account, lets use it to list all files from Users directory

I’ll login to the server and grab it manually → smbclient \\\\\\Users Administrator

When you find root.txt download it

And now we have the root.txt

Congrats ❤

Stay in touch

LinkedIn | GitHub | Twitter



Eslam Akl

Penetration Tester, Bug Hunter, Author of 10 CVEs, Author of multiple security tools, and more :) You can find me on Twitter @eslam3kll