We covered HackTheBox Active as part of CREST CRT (registered penetration tester track). We went through Exploiting Group Policy Preferences in Windows Active Directory as well as Kerebroasting to achieve administrator shell.
Active is an easy to medium difficulty machine, which features two very prevalent techniques to gain privileges within an Active Directory environment.
Initial Reconnaissance (Nmap Scan)
I started by spawning the machine and getting its IP address. Then, I performed an Nmap scan to identify open ports and services. The scan revealed several open ports, including:
- Port 53: DNS server
- Port 88: Kerberos
- Ports 135, 139: SMB (NetBIOS)
- LDAP protocol, indicating Active Directory was installed.
The operating system was identified as Windows Server 2008 R2 Service Pack 1.
Enumerating SMB Shares
Since Kerberos enumeration (like Kerberoasting or AS-REP roasting) requires usernames, I first attempted to gather information from the SMB service (Port 139). I used the smbmap tool to list available shares on the system. A share named “replication” was found to have read-only anonymous access.
Accessing the “replication” Share
I used the smbclient tool to connect to the “replication” share anonymously (with a blank password). Inside the share, I found a directory structure related to Group Policy (active.htb\Policies).
Exploiting Group Policy Preferences (GPP)
I learned that Group Policy sometimes stores encrypted passwords for users. Navigating through the Group Policy directories (Machine\Preferences\Groups), I found an XML file (groups.xml). This XML file contained a username (SVC_TGS) and an encrypted password (Cpassword). I used the gpp-decrypt tool in Kali to decrypt the Cpassword, revealing the plaintext password.
Accessing User Share and Getting User Flag
With the obtained credentials (username SVC_TGS and its password), I used smbclient again to log into the “Users” share. I navigated to the SVC_TGS user’s desktop directory and successfully retrieved the user flag.
Kerberoasting for Administrator Access
Now that I had a valid username and password, I could perform Kerberoasting. I used the GetUserSPNs.py script (part of Impacket tools) to request Service Principal Names (SPNs) and their corresponding Ticket Granting Tickets (TGTs) for users. I targeted the domain using the SVC_TGS credentials, and successfully obtained a hash for the Administrator user. I then saved the hash to a file.
Cracking the Administrator Hash
I used John the Ripper, along with the rockyou.txt wordlist, to crack the administrator’s hash. The plaintext password for the administrator was successfully recovered: “Ticketmaster1968”.
Gaining Administrator Shell and Root Flag
With the administrator credentials, I used psexec.py (also part of Impacket) to gain a shell on the target machine as the administrator. Once logged in as administrator, I retrieved the root flag.
Technical Commands Used
Here are the technical commands I used throughout this challenge:
nmap(for initial scanning)smbmap -H <IP_ADDRESS>smbclient //<IP_ADDRESS>/replicationdir(within smbclient)cd active.htb(within smbclient)cd Policies(within smbclient)cd <GUID_DIRECTORY>(within smbclient)cd Machine(within smbclient)cd Preferences(within smbclient)cd Groups(within smbclient)get groups.xml(within smbclient)exit(from smbclient)lscat groups.xmlgpp-decrypt <ENCRYPTED_PASSWORD>smbclient //<IP_ADDRESS>/users -U SVC_TGS(password entered interactively)cd SVC_TGS(within smbclient)cd Desktop(within smbclient)get user.txt(implied for user flag)GetUserSPNs.py -request <DOMAIN>/SVC_TGS(password entered interactively, output file option mentioned)john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs <HASH_FILE>psexec.py <DOMAIN>/Administrator:<PASSWORD>@<IP_ADDRESS>whoami(implied, after psexec login)type C:\Users\Administrator\Desktop\root.txt(implied for root flag)
