Hack The Box — Active

Eslam Akl
5 min read · Dec 20, 2020

Hey folks, we have a great machine today from HackTheBox which will let us deal with Active Directory and Kerberos, so let’s start with its info.

As you can see it’s close to real-life challenges, so it’s really great :) Let’s get started…

Nmap scan

First we will check its open ports and services to learn more about our target:

nmap -A -T4 -oG active.gnmap 10.10.10.100

We have a bunch of open ports and services here. Note that several of them are related to Active Directory, like Kerberos, so we can figure out that this machine is a domain controller.

Also, note that port 80 is not open, so there is no website here and we will deal only with the servers. Let’s focus on the SMB ports 139/445.

SMB Enumeration

First, we will try to list all shares on the SMB server using smbclient or smbmap:

smbmap -H 10.10.10.100

As you can see, we only have anonymous login, with READ ONLY access to the Replication share.

Let’s use smbmap again to list all files and directories inside this Replication share:

smbmap -H 10.10.10.100 -R Replication

At the end of this list you will find the Groups directory.

Now we will log in to the server and explore its content using smbclient:

smbclient //10.10.10.100/Replication

Inside the Groups directory you will find a Groups.xml file whose content we need to see, but the SMB client does not let you read files in place, so we will download it to our local machine with get <file-name>.

Let’s open it…

Good, we have a username and a password, but the password is encrypted (a Group Policy Preferences cpassword, whose AES key is publicly known), so we will use gpp-decrypt to recover it, and we have the plaintext password now :)

Okay, let’s use the username and the password to find out this user’s privileges →

smbmap -u username -p password -H server-ip

We have READ ONLY access to 4 shares, so let’s list the Users share the same way we listed the Replication share →

smbmap -H 10.10.10.100 -u username -p password -R Users

At the end of the results you will find the following.

Also, you should notice that the SVC_TGS directory is accessible to us, while Administrator returns ACCESS_DENIED.

Let’s download this file a different way, without entering the server, by using smbmap:

smbmap -H 10.10.10.100 -u username -p password -R Users -A user.txt -q

and you will get it in your local directory.

Good, now we have user.txt. Let’s search for root.txt.

If you go back to the nmap results you should notice that the Kerberos service is running on an open port.

Kerberos is the authentication system for Active Directory; learn more about it from here.

Now we need to grab the admin account’s password to access the Administrator directory, and to do that we should know about Kerberoasting.

First, let’s use the GetUserSPNs python script to request the TGS ticket, which Kerberos uses to grant the user permission to access a specific service:

python3 GetUserSPNs.py -request -dc-ip <server-ip> domain/username:password

You must understand Kerberoasting to know why we want this ticket: the TGS ticket is encrypted with the service account’s password hash, so anyone holding the ticket can try to crack that password offline.

Here we get the ticket, but it’s in hashed form, and the hash type is Kerberos 5 TGS-REP etype 23, as you can see:

source: https://hashcat.net/wiki/doku.php?id=example_hashes

So we will crack it using hashcat:

hashcat -m 13100 -a 0 hashed_password /path/to/wordlist
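From the defender’s side, the step above leaves a trace: a service ticket requested with RC4 (etype 23 = 0x17) for a user account that carries an SPN shows up in Windows Security event 4769. The script below is an added example, not part of this write-up or of any tool it uses; it runs detection logic over constructed 4769 records (field names follow the 4769 schema, the domain ACTIVE.HTB and the IPs are made up) and flags requesters that pull RC4 tickets for non-machine accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 ("A Kerberos service ticket was requested") events; not real log data.
SAMPLE_EVENTS = [
    {"time": "2020-12-20T10:00:01", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12",
     "IpAddress": "10.10.14.5", "Status": "0x0"},          # AES ticket for a machine account: normal
    {"time": "2020-12-20T10:00:02", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17",
     "IpAddress": "10.10.14.5", "Status": "0x0"},          # krbtgt is excluded from the check
    {"time": "2020-12-20T10:00:03", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "IpAddress": "10.10.14.5", "Status": "0x0"},          # RC4 ticket for a user account with an SPN
    {"time": "2020-12-20T10:00:04", "TargetUserName": "svc_tgs@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "IpAddress": "10.10.14.5", "Status": "0x1F"},         # failed request: ignored
    {"time": "2020-12-20T10:30:00", "TargetUserName": "alice@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x12",
     "IpAddress": "10.10.14.9", "Status": "0x0"},          # AES ticket: not crackable with mode 13100
]

RC4_HMAC = 0x17  # etype 23, the "Kerberos 5 TGS-REP etype 23" format hashcat -m 13100 cracks

def is_rc4_service_ticket(ev):
    """True for a successful RC4 ticket issued for a non-machine, non-krbtgt account."""
    if ev["Status"] != "0x0":
        return False
    if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
        return False
    svc = ev["ServiceName"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"

def detect_kerberoasting(events, window=timedelta(minutes=10), min_services=1):
    """Group flagged requests per (requesting user, client IP) and raise one alert
    for each pair that requested >= min_services distinct service accounts
    within a sliding time window. min_services=1 suits a small domain like this
    one; raise it in large domains to cut noise from legacy RC4-only services."""
    buckets = defaultdict(list)
    for ev in events:
        if is_rc4_service_ticket(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            buckets[key].append((datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = []
    for (user, ip), hits in buckets.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            services = sorted({svc for t, svc in hits[i:] if t - t0 <= window})
            if len(services) >= min_services:
                alerts.append({"requester": user, "ip": ip, "services": services})
                break
    return alerts

if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_EVENTS))
```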

So now we have the password of the admin account; let’s use it to list all files in the Users share.

I’ll log in to the server and grab it manually → smbclient \\\\10.10.10.100\\Users -U Administrator

When you find root.txt, download it.

And now we have root.txt.

Congrats ❤

Stay in touch

LinkedIn | GitHub | Twitter

Eslam Akl

Penetration Tester, Bug Hunter, Author of 10 CVEs, Author of multiple security tools, and more :) You can find me on Twitter @eslam3kll