Active | HTB Writeup

Overview

Active is an easy based windows machine in HackTheBox 

User Part

Started with the Nmap scan found many ports are open.

So I checked SMB and I can read files in Replication.

While enumerating the SMB, I found an interesting file is Groups.xml which has a username and encrypted password. 

I googled about how to decrypt and found gpp-decrypt can.

Using that I decrypted the password.

Now I checked SMB with smbmap and I have more privilege.

now I can read the user flag.

Root Part

Using GetUserSPNs.py I got Kerberos account credentials of Administrator

 

I used hashcat to crack the password.

I already cracked as shown below.

Using crackmapexec i got the root flag

Share on facebook
Share on twitter
Share on linkedin