Machine Creator: eks & mrb3n
Task: To find User.txt and Root.txt
Let’s start with an Nmap scan.
nmap -sV -sC 10.10.10.100
The nmap scan shows us some impressive results. We can see port 53 (Microsoft DNS), port 88 (Kerberos), and ports 389 and 3268 (LDAP). Taken together, these ports suggest that this server is a domain controller for the domain active.htb.
SMB port 445 is also open on this box, so let’s see if we can access any open shares.
smbclient -L //10.10.10.100
After going through the shares on the domain controller, we can see the directory “Policies”; this share holds all the group policies. In this directory, there is a Groups.xml file, which can contain some vital information.
The Groups.xml file is used in older versions of Windows to modify accounts via Group Policy. In this file, we can see that it will update the user active.htb\SVC_TGS and change the password. The cpassword is an encrypted version of the password.
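From the defender's side, an added example (not part of the original write-up) that audits a local copy of the Policies share for preference XML files still carrying a non-empty cpassword attribute. It goes beyond Groups.xml by checking every XML file; the function names, directory layout and sample file contents are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Attributes that can name the account a stored password belongs to.
# userName is the one seen in Groups.xml; the others cover other preference types.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

def find_gpp_passwords(root_dir):
    """Return one finding per XML element that carries a non-empty cpassword."""
    findings = []
    for path in sorted(Path(root_dir).rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".xml":
            continue
        try:
            tree = ET.parse(path)
        except (ET.ParseError, OSError):
            continue  # malformed or unreadable file: skip it, keep auditing
        for elem in tree.iter():
            if not elem.get("cpassword"):
                continue  # attribute absent or already blanked
            account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
            findings.append({"file": str(path), "account": account})
    return findings

# Constructed sample shaped like the Groups.xml described above; the
# cpassword value is a placeholder, not a real ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS">
    <Properties action="U" cpassword="PLACEHOLDER_CIPHERTEXT"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""
CLEAN_XML = '<Groups><User><Properties cpassword="" userName="x"/></User></Groups>'

def demo():
    """Build a constructed Policies tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo = Path(tmp) / "Policies" / "CONSTRUCTED-GPO" / "Preferences" / "Groups"
        gpo.mkdir(parents=True)
        (gpo / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
        # A file whose password was already removed must not be flagged.
        (gpo / "Clean.xml").write_text(CLEAN_XML, encoding="utf-8")
        return find_gpp_passwords(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['account']}: stored password in {finding['file']}")
```

Any account the audit reports should have its password changed and the preference item removed from the policy, since the file is readable by anyone who can read the share.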
smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100