Overview

Active is a beginner-friendly Active Directory machine that demonstrates how misconfigured Group Policy Preferences can expose domain credentials.

Using an accessible SMB share, it is possible to recover a service account password, perform Kerberoasting against the domain, and ultimately obtain Domain Administrator credentials.


Attack Path Summary

Reconnaissance
Anonymous SMB Access
GPP Credential Discovery
Service Account Access
Kerberoasting
TGS Hash Extraction
Offline Password Cracking
Domain Administrator Access

Reconnaissance

Nmap Scan

Initial enumeration revealed a Windows Domain Controller hosting several Active Directory services.

nmap -sVC -Pn -oA nmap/active 10.129.38.84

Relevant services:

53/tcp   open  domain
88/tcp   open  kerberos-sec
389/tcp  open  ldap
445/tcp  open  microsoft-ds
3268/tcp open  ldap

The presence of Kerberos, LDAP, SMB, and DNS strongly suggested that the target was functioning as an Active Directory Domain Controller.


SMB Enumeration

Enumerating SMB shares revealed that anonymous authentication was enabled.

smbclient -L //10.129.38.84/
Anonymous login successful

NETLOGON
Replication
SYSVOL
Users

Anonymous access to SMB shares is often a valuable finding in Active Directory environments.

The Replication share was accessible and contained Group Policy files that could be inspected without authentication.


Initial Foothold

Group Policy Preferences Discovery

While browsing the Replication share, a Group Policy Preferences XML file was discovered.

active.htb/Policies/.../Groups.xml

The file contained a cpassword value associated with the account:

active.htb\SVC_TGS

Group Policy Preferences (GPP) historically stored passwords using a reversible encryption mechanism.

Because Microsoft’s encryption key became public, any exposed cpassword value can be decrypted by attackers.


Password Recovery

The encrypted password was decrypted using gpp-decrypt.

gpp-decrypt <cpassword>

Output:

GPPstillStandingStrong2k18

Recovered credentials:

SVC_TGS:GPPstillStandingStrong2k18

These credentials provided a valid domain account and enabled further Active Directory enumeration.


Privilege Escalation

Kerberoasting

After authenticating as SVC_TGS, enumeration revealed that the Administrator account had a Service Principal Name (SPN) configured.

This made the account vulnerable to Kerberoasting.

impacket-GetUserSPNs active.htb/SVC_TGS:'GPPstillStandingStrong2k18' -request

The command successfully returned a Kerberos TGS service ticket hash for the Administrator account.

Kerberoasting abuses Kerberos service tickets by requesting a ticket associated with an SPN-enabled account.

Because the ticket is encrypted using the service account’s password hash, it can be cracked offline without interacting with the domain controller.


Cracking the TGS Hash

The extracted TGS hash was saved and cracked using Hashcat.

hashcat -m 13100 Administrator.hash /usr/share/wordlists/rockyou.txt

Hashcat successfully recovered the password:

Ticketmaster1968

Recovered credentials:

Administrator:Ticketmaster1968

Domain Administrator Access

Using the recovered Administrator credentials provided full administrative access to the domain.

At this point the machine was fully compromised.


Skills & Concepts

  • SMB Enumeration
  • Active Directory Enumeration
  • Group Policy Preferences Abuse
  • Password Recovery
  • Kerberoasting
  • Hash Cracking
  • Active Directory Privilege Escalation

Tools Used

  • Nmap
  • SMBClient
  • GPP-Decrypt
  • Impacket
  • Hashcat

Lessons Learned

Active is an excellent introductory Active Directory machine because it demonstrates two classic attack techniques frequently encountered during internal penetration tests.

Key takeaways include:

  • Enumerating SMB shares thoroughly
  • Identifying exposed Group Policy Preference files
  • Recovering credentials from GPP passwords
  • Enumerating SPNs in Active Directory
  • Performing Kerberoasting attacks
  • Cracking Kerberos ticket hashes offline

The machine also highlights how a seemingly low-privileged service account can ultimately lead to complete domain compromise.