☢️Active
https://app.hackthebox.com/machines/148
After our nmap scan we see an SMB share. After trying out a few things, we spot that the replication share has anonymous access enabled.
After a recursive search we find a Groups.xml file with interesting details.
After looking it up, we found this was a GPP (Group Policy Preferences) file, and decrypting it was very easy.
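The same finding from the audit side, as an added example that is not part of the original writeup: a Python check that walks a local copy of SYSVOL (or of a share like the one above) and reports every Group Policy Preferences file that still stores a cpassword, so the account can be rotated and the file removed. The domain, account name and file contents are constructed, and the list of account attribute names is a best-effort assumption.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files that could store a cpassword before MS14-025.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}
# The attribute naming the account differs per preference type (assumed list).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_cpasswords(root_dir):
    """Return one finding per non-empty cpassword found under root_dir."""
    findings = []
    for path in sorted(Path(root_dir).rglob("*")):
        if not path.is_file() or path.name.lower() not in GPP_FILES:
            continue
        try:
            tree = ET.parse(path)
        except ET.ParseError:  # damaged file: report it for manual review
            findings.append({"file": str(path), "account": None, "changed": None})
            continue
        for parent in tree.iter():
            for props in parent.findall("Properties"):
                if not props.get("cpassword"):  # empty value: nothing stored
                    continue
                account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
                findings.append({"file": str(path), "account": account,
                                 "changed": parent.get("changed")})
    return findings

def demo():
    """Build a constructed SYSVOL-like tree in a temp directory and audit it."""
    root = Path(tempfile.mkdtemp())
    pref = root / "example.test" / "Policies" / "{CONSTRUCTED-GUID}" / "MACHINE" / "Preferences"
    samples = {  # constructed sample files, not taken from any real domain
        "Groups/Groups.xml": '<Groups><User name="example.test\\SVC_DEMO" '
            'changed="2018-01-01 00:00:00"><Properties action="U" '
            'cpassword="CONSTRUCTED_PLACEHOLDER" userName="example.test\\SVC_DEMO"/>'
            '</User></Groups>',
        "Drives/Drives.xml": '<Drives><Drive name="S:" changed="2018-01-01 00:00:00">'
            '<Properties action="U" cpassword="" userName=""/></Drive></Drives>',
    }
    for rel, xml in samples.items():
        path = pref / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(xml, encoding="utf-8")
    return find_cpasswords(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Only the Groups.xml entry is reported; the Drives.xml entry has an empty cpassword and is skipped.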
Now we need to access the share as the SVC_TGS user to see if we have more privileges.
smbclient: This is the command-line tool for interacting with SMB servers.
-W 10.129.217.86: The -W option is used to specify the workgroup or domain. In this case, the workgroup or domain is set to "10.129.217.86."
-U SVC_TGS: The -U option is used to specify the username for the authentication. In this case, the username is set to "SVC_TGS."
//10.129.217.86/USERS: This part specifies the target SMB server and the share or directory on that server. In this case:
    //10.129.217.86: This is the IP address (or hostname) of the SMB server.
    /USERS: This is the name of the shared resource or directory on the server that you are trying to access.
Now let's look for some juicy files:
Use john over hashcat for it to work:
Another way to play it would have been to use GetUserSPNs.py from impacket:
Put it in a hash.txt file and use john again:
Now we have 100 ways of going root, but let's use psexec this time: