Active - Hack The Box
Enumeration
Nmap
Nmap scan results showed services such as LDAP that are characteristic of Active Directory, indicating that the target is most likely a Domain Controller.
SMB
Performed SMB enumeration without credentials (an SMB null session) and discovered a readable share that could contain useful information for further access.
Inside the accessible SMB share, I found a Groups.xml file. It contained a user account name along with an encrypted password, a pattern commonly associated with Group Policy Preferences (GPP) in older Windows environments.
Exploitation
After researching, I learned that Group Policy Preferences (GPP) passwords are encrypted with a single well-known key, so anyone who can read the file can decrypt them with publicly available tools or a simple Python script. More details can be found at: https://attack.mitre.org/techniques/T1552/006/
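Because the weakness lies in the stored cpassword attribute itself, the defensive fix is to find every preference file in SYSVOL that still carries one and remove or re-create that preference. The following script is an added example, not code from the original write-up or from any GPP tool: it parses preference XML files, reports each element carrying a cpassword attribute together with the account it applies to, and distinguishes an empty value (no password saved) from a stored credential. The Groups.xml content, the account name, the cpassword value and the GPO folder name are all constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Groups.xml layout used by Group Policy
# Preferences. The account names and the cpassword value are placeholders,
# not data from the lab machine.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="EXAMPLE\\svc_backup" changed="2018-07-18 20:46:06">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="svc_backup"/>
  </User>
  <User name="EXAMPLE\\cleared" changed="2018-07-19 09:00:00">
    <Properties action="U" cpassword="" userName="cleared"/>
  </User>
</Groups>
"""


def find_cpassword_entries(xml_text, source="<string>"):
    """Return one finding per element that carries a cpassword attribute.

    An empty cpassword means the preference was saved without a password; it is
    reported with has_password=False so it can be told apart from a stored
    credential that needs to be removed.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for parent in root.iter():          # iterate parents so the item name is known
        for child in parent:
            if "cpassword" not in child.attrib:
                continue
            findings.append({
                "file": source,
                "item": parent.attrib.get("name", parent.tag),
                "user": child.attrib.get("userName", ""),
                "has_password": child.attrib["cpassword"] != "",
            })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL-like tree and collect cpassword findings from every .xml file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8-sig") as fh:
                    text = fh.read()
            except OSError:
                continue
            try:
                findings.extend(find_cpassword_entries(text, path))
            except ET.ParseError:
                # Not every XML file under SYSVOL is a preference file; skip it
                continue
    return findings


def demo_scan():
    """Write the constructed sample into a temporary SYSVOL-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo_dir = os.path.join(tmp, "Policies", "{GPO-GUID-PLACEHOLDER}",
                               "MACHINE", "Preferences", "Groups")
        os.makedirs(gpo_dir)
        with open(os.path.join(gpo_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for finding in demo_scan():
        state = "STORED PASSWORD" if finding["has_password"] else "empty cpassword"
        print(f"{finding['file']}: item={finding['item']} "
              f"user={finding['user']} -> {state}")
```

Pointed at a real SYSVOL mount, scan_sysvol walks every policy folder; the findings with has_password=True are the preferences that should be deleted and their accounts' passwords rotated, since any domain user can read SYSVOL.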
After decrypting the GPP password, I re-ran smbmap using the recovered credentials. This granted read access to the Users share, where I found the user’s desktop folder containing the user flag.
Privilege Escalation
To escalate privileges, I used the GetUserSPNs script with the discovered user credentials. This allowed me to request a Ticket Granting Service (TGS) ticket for the administrator account's SPN, opening the door to offline password cracking. More details on this technique can be found in CrowdStrike's Kerberoasting overview: https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/kerberoasting/
I used Hashcat with module 13100 (Kerberos 5, etype 23, TGS-REP) to crack the captured TGS ticket and successfully recovered the administrator's password.
With the administrator credentials in hand, I gained full control over the machine; the target was completely pwned.
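The reason hashcat mode 13100 works here is that the ticket was issued with etype 23 (RC4-HMAC), whose key is derived directly from the account's password. That same detail is what a defender looks for in the Domain Controller's Security log: Event ID 4769 records every service-ticket request, including the encryption type. The following detection is an added example, not code from the original write-up or from any SIEM product; the 4769 records, host names, IP addresses and account names are all constructed.

```python
from collections import defaultdict

# Constructed sample of Event ID 4769 (Kerberos service ticket requested)
# records, not captured from the lab machine. Field names follow the
# Security log's EventData names.
SAMPLE_4769_EVENTS = [
    {"time": "2024-01-01T10:00:01", "TargetUserName": "jdoe@EXAMPLE.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12",
     "IpAddress": "10.0.0.20", "Status": "0x0"},
    {"time": "2024-01-01T10:00:02", "TargetUserName": "jdoe@EXAMPLE.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12",
     "IpAddress": "10.0.0.20", "Status": "0x0"},
    {"time": "2024-01-01T10:05:00", "TargetUserName": "lowpriv@EXAMPLE.LOCAL",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.77", "Status": "0x0"},
    {"time": "2024-01-01T10:05:01", "TargetUserName": "lowpriv@EXAMPLE.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.77", "Status": "0x0"},
    {"time": "2024-01-01T10:05:02", "TargetUserName": "lowpriv@EXAMPLE.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17",
     "IpAddress": "10.0.0.77", "Status": "0x1F"},   # failed request, ignored
]

RC4_HMAC = "0x17"   # etype 23, the encryption type hashcat mode 13100 targets


def is_kerberoast_candidate(event):
    """True for a successful RC4 service-ticket request for a user account's SPN.

    Machine accounts (names ending in '$') and the krbtgt service are excluded:
    their keys derive from long random passwords, so tickets for them are not
    realistically crackable offline and are ordinary traffic.
    """
    if event.get("Status") != "0x0":
        return False
    if event.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return False
    service = event.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return True


def detect_kerberoasting(events, min_services=2):
    """Group candidate requests by requesting host and flag hosts that asked
    for several distinct user SPNs. Returns {ip: sorted service names}."""
    by_source = defaultdict(set)
    for event in events:
        if is_kerberoast_candidate(event):
            by_source[event["IpAddress"]].add(event["ServiceName"])
    return {ip: sorted(services) for ip, services in by_source.items()
            if len(services) >= min_services}


if __name__ == "__main__":
    for ip, services in detect_kerberoasting(SAMPLE_4769_EVENTS).items():
        print(f"possible Kerberoasting from {ip}: RC4 tickets for {services}")
```

An RC4 ticket on its own is not proof of roasting; legacy services and accounts without AES keys still produce them, so the per-host threshold and a baseline of which hosts normally request which SPNs keep the rule from paging on routine traffic. The durable fixes are the ones that make the crack in the write-up fail: long random passwords on service accounts (or group Managed Service Accounts) and AES-only Kerberos settings for those accounts.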