Crazy 8s gold Hack


Showing 1 post (of 1 total)
  • #56516
    Kie
    Participant

    Welcome!


    Click Here for Crazy 8s gold Hack

    HackTheBox: Active. This is an intermediate box from HackTheBox where you must exploit a vulnerable domain controller. It is really great because it is really rare that you get this opportunity. I found this really easy, because I did half of it earlier (Jan 20), but couldn’t finish it because all my requests kept timing out because HackTheBox was undergoing maintenance (I think), so I felt like I knew exactly what to do. This would be a good box for beginners to learn about Active Directories. It could probably be rated easy, not medium.

    Note: I am working on explaining my steps more. I don’t know how good I am at doing that.

    Scanning: Finding open ports and running services:

    Starting by checking for null shares. Using smbmap we can list shares, and what permissions we have for them. We can see that we have read access to the Replication share:

    Use smbclient to access the Replication share:

    The folder active.htb suggests the domain is active.htb, so for efficiency we can add the following line to /etc/hosts:

    Check each directory for information, download all files that might be helpful:

    We find file Groups.xml in the folder. This file contains the following:

    The group policy file contains credentials: Group Policies for account management are stored on the Domain Controller in “Groups.xml” files buried in the SYSVOL folder. The tool gpp-decrypt was found to decrypt the cpassword in Groups.xml file. Run the tool to retrieve the credentials from groups file:

    With these credentials we can check for further available shares:

    We now have access to NETLOGON, Replication, SYSVOL, and Users. The Users share sounds promising. Use smbclient to access the share Users. We can find the user flag in the folder SVC_TGS\Desktop:

    We now have user.txt:

    Use rpcclient to enumerate domain users, and groups:

    The next step is to get the Administrator’s password. We can use the impacket script GetUserSPNs.py which gets service principal names that are associated with a normal user account. If we can get a valid TGS for SPNs, then a TGS request encrypts the ticket with the account that the SPN is running under, which allows for brute-forcing of SPNs account NTLM hash. We can copy and paste the Administrator hash to a text file and then use john to crack it.

    Now we have the credentials for the domain Administrator. We can now check which shares the Administrator can access. Using smbmap to list shares and permissions:

    Let’s check the share C$:

    We now have access to the C drive.

    Crazy 8s gold hack
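The writeup above recovers credentials from a Groups.xml left in SYSVOL. As an added example (not part of the original post), here is a defender-side audit that walks an exported Policies tree and reports every Group Policy Preferences XML still carrying a cpassword attribute, without decrypting anything; the sample XML, account names and dates are constructed, and the attribute names follow the GPP XML format.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# The account attribute differs by GPP file type (Groups, ScheduledTasks,
# Services, DataSources); check the known ones in order.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

# Constructed sample standing in for a SYSVOL Groups.xml; no real secret inside.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="svc_example" changed="2018-07-18 20:46:06">
    <Properties action="U" userName="svc_example"
                cpassword="CONSTRUCTED_PLACEHOLDER_BLOB" neverExpires="1"/>
  </User>
  <User name="helpdesk" changed="2018-07-18 20:50:00">
    <Properties action="U" userName="helpdesk" cpassword=""/>
  </User>
</Groups>
"""


def find_cpassword_entries(xml_text: str) -> list[dict]:
    """Return one finding per preference item whose Properties carry cpassword.
    An empty cpassword is reported too (has_value=False): stale, but no secret."""
    findings = []
    for item in ET.fromstring(xml_text):            # <User>, <Task>, <Service>, ...
        for props in item:                          # normally one <Properties>
            cpassword = props.get("cpassword")
            if cpassword is None:
                continue
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "")
            findings.append({"item_type": item.tag, "item_name": item.get("name", ""),
                             "account": account, "has_value": bool(cpassword),
                             "changed": item.get("changed", "")})
    return findings


def audit_gpp_tree(root: str) -> dict[str, list[dict]]:
    """Walk an exported SYSVOL Policies tree; map each XML with cpassword to its hits."""
    report = {}
    for path in Path(root).rglob("*.xml"):
        try:
            hits = find_cpassword_entries(path.read_text(encoding="utf-8-sig"))
        except ET.ParseError:
            continue                                # not a GPP preference file
        if hits:
            report[str(path)] = hits
    return report
```

Any hit with has_value=True is a preference that should be deleted from the GPO (the Properties line shows which one), after which the affected account's password must be rotated.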
