Active is an easy Windows box. The main objective of this box is to enumerate and exploit several open ports of the target Domain Controller. First, by enumerating the SMB shares, we were able to obtain an interesting file, which led us to valid credentials of a user. These credentials were then used to perform a Kerberoast attack on the target. This gave us access to another, high-privilege user, which we could use to obtain the root flag.
As always, we start by scanning the target machine’s open ports:
rustscan --ulimit 5000 -a active.htb -- -sV -sC -oN nmap_scan
PORT STATE SERVICE REASON VERSION
Snippet of the smbmap output showing an interesting file called Groups.xml.
can search the SYSVOL share for XML files containing “cpassword” which is the value that contains the AES encrypted password.
(Source: https://adsecurity.org/?p=2288)
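The same search, run from the defender's side, makes a useful audit. The following is an added example, not part of the original writeup: it walks a local copy of SYSVOL and reports every XML element that carries a non-empty `cpassword` attribute, without decrypting it. The function names, the sample file, the directory layout and the list of account attribute names are assumptions made for this illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a GPP Groups.xml; the cpassword is a placeholder.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="svc_example" changed="2018-01-01 00:00:00">
    <Properties action="U" userName="EXAMPLE\\svc_example" cpassword="PLACEHOLDER_VALUE"/>
  </User>
  <User name="clean_user" changed="2018-01-02 00:00:00">
    <Properties action="U" userName="EXAMPLE\\clean_user" cpassword=""/>
  </User>
</Groups>
"""

# Assumption: attribute names that hold the account in different preference files.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

def find_cpasswords(root_dir):
    """Return (file, account, changed) for each non-empty cpassword under root_dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # not well-formed XML; skip instead of aborting the audit
            parent_of = {child: p for p in tree.iter() for child in p}
            for elem in tree.iter():
                if not elem.get("cpassword"):
                    continue  # attribute absent or empty: nothing stored here
                parent = parent_of.get(elem)
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
                changed = parent.get("changed", "") if parent is not None else ""
                findings.append((path, account, changed))
    return findings

def demo():
    # Build a throwaway directory tree (hypothetical layout) and scan it.
    with tempfile.TemporaryDirectory() as root:
        gpo = os.path.join(root, "Policies", "EXAMPLE-GPO", "MACHINE", "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return [(os.path.basename(p), acct, ch) for p, acct, ch in find_cpasswords(root)]

if __name__ == "__main__":
    print(demo())
```

Any hit means the stored password should be treated as exposed: remove the preference item and change the account's password.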