# Lessons Learned

- It's most efficient to `tree` a directory to scan through its contents for goodies
- When it comes to SMB shares, use `nxc smb [..] -M spider_plus --share "share_name"`, then view the output `.json` file
- Look for low-hanging fruit: SMB null auth, GPP, kerberoasting
- If `psexec.py` doesn't work, try `wmiexec.py` or `smbexec.py`
- **Always have backup tools**

---

# After-Action Attack Sequence

- BLUF: `groups.xml` for the `gpp-decrypt` attack, then kerberoasting
- Use SMB null authentication to gain access to the `replication` share
- We find `groups.xml` in the `replication` share
- Leverage `gpp-decrypt` to disclose creds for `svc_tgs`
- Confirm creds for `svc_tgs`, then perform the normal AD checks: users, password policy, ASREP roasting, kerberoasting, ADCS, etc.
- Kerberoasting check reveals a `krb5tgs$23` hash for `administrator`
- Crack with `hashcat -m 13100`
- Gain a shell as `administrator` using `wmiexec.py`

---

# Discover Ports & Services

- `ping` test
![[images/Pasted image 20260610184016.png]]
- `nmap` scan - light
![[images/Pasted image 20260610184131.png]]
- create a comma-separated `ports.list`
![[images/Pasted image 20260610184138.png]]
- `nmap` scan - detailed
![[images/Pasted image 20260610184343.png]]
- HTTP on port 47001
- No RDP; no WinRM

---

# Service Enum

## Port 47001 (HTTP)

- visit `http://active.htb:47001`
![[images/Pasted image 20260610192202.png]]
- visit `http://ip_addr:47001`
![[images/Pasted image 20260610192220.png]]

## Port 445 (SMB)

### Null Auth

- null authentication with ` : ` (empty username and password) is accepted
![[images/Pasted image 20260610192505.png]]

### Shares

- we have read access to a `replication` share
![[images/Pasted image 20260610192458.png]]
- we need to `tree` or `spider` this share for better visibility
![[images/Pasted image 20260610192827.png]]
- run `spider_plus`

```bash
nxc smb 10.129.12.178 -u '' -p '' -M spider_plus --share 'replication'
cat /home/jacob/.nxc/modules/nxc_spider_plus/10.129.12.178.json
```

- this reveals `groups.xml`, the file used by **Group Policy Preferences (GPP)**
![[images/Pasted image 20260610193157.png]]

---

# Pillage `groups.xml`

- `get` the file via `smbclient`
![[images/Pasted image 20260610193751.png]]
- next, let's grab `gpp-decrypt` for this task
![[images/Pasted image 20260610193506.png]]
- install with `pipx` and figure out how to run the tool
![[images/Pasted image 20260610193614.png]]
- running the tool reveals creds for `svc_tgs`
![[images/Pasted image 20260610193851.png]]
- confirm creds

> confirmed!

![[images/Pasted image 20260610194032.png]]

---

# Revisit Port 445 (SMB)

## Users

- very interesting that there aren't any other non-default users
![[images/Pasted image 20260610194151.png]]

## Password Policy

- no worries
![[images/Pasted image 20260610194237.png]]

---

# AD Enum

## ASREP Roasting

- nothing
![[images/Pasted image 20260610194309.png]]

## Kerberoasting

- we have a `krb5tgs$23` hash for `administrator`
![[images/Pasted image 20260610195313.png]]
- determine the mode using `hashcat --example-hashes`

> we need to use `-m 13100`

![[images/Pasted image 20260610195236.png]]
- we have a hit!
![[images/Pasted image 20260610195611.png]]

---

# Shell as `administrator`

- we cannot use `evil-winrm` because 5985 and 5986 are closed
![[images/Pasted image 20260610205143.png]]
- try `psexec.py`
![[images/Pasted image 20260610195852.png]]

```bash
psexec.py active.htb/[email protected]
```

- we are in as `NT AUTHORITY\SYSTEM`, but we have an unstable shell
- try with `wmiexec.py`

```bash
wmiexec.py active.htb/[email protected]
```

- that's better
![[images/Pasted image 20260610200239.png]]
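As an added defender-side example (not part of this writeup or of any tool it uses): a small Python scanner that walks a SYSVOL-style directory and flags Group Policy Preference XML files that still carry a `cpassword` attribute, the artifact `gpp-decrypt` feeds on. The sample files, directory layout and cpassword value are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preference XML files that can carry an embedded cpassword
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}


def find_cpasswords(root_dir):
    """Walk a SYSVOL-style tree and report every element that carries a
    non-empty cpassword attribute, i.e. a credential stored by GPP.
    Returns (path relative to root_dir, tag, account, cpassword) tuples."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed XML is not a stored-credential finding
            for elem in tree.iter():
                cpw = elem.get("cpassword")
                if not cpw:
                    continue  # attribute absent or empty: nothing stored
                account = elem.get("userName") or elem.get("accountName") or "?"
                findings.append((os.path.relpath(path, root_dir), elem.tag, account, cpw))
    return sorted(findings)


# Constructed sample files (not from any real domain); the cpassword is a placeholder
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_tgs">
    <Properties action="U" cpassword="PLACEHOLDER-BASE64-BLOB" userName="svc_tgs"/>
  </User>
</Groups>"""
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="S:"><Properties action="U" cpassword=""/></Drive>
</Drives>"""


def demo():
    """Write the samples under a temporary SYSVOL-like tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        gpp = os.path.join(root, "Policies", "{constructed-guid}", "Machine", "Preferences", "Groups")
        os.makedirs(gpp)
        with open(os.path.join(gpp, "Groups.xml"), "w") as f:
            f.write(SAMPLE_GROUPS_XML)
        with open(os.path.join(root, "Drives.xml"), "w") as f:
            f.write(SAMPLE_DRIVES_XML)
        return find_cpasswords(root)
```

Only the `Groups.xml` entry is reported; the empty `cpassword` in `Drives.xml` is ignored, which is the behaviour a SYSVOL audit wants.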