Active | HTB Writeup
Active is an easy based windows machine in HackTheBox
Started with the Nmap scan found many ports are open.
So I checked SMB and I can read files in Replication.
While enumerating the SMB, I found an interesting file is Groups.xml which has a username and encrypted password.
I googled about how to decrypt and found gpp-decrypt can.
Using that I decrypted the password.
Now I checked SMB with smbmap and I have more privilege.
now I can read the user flag.
Using GetUserSPNs.py I got Kerberos account credentials of Administrator
I used hashcat to crack the password.
I already cracked as shown below.
Using crackmapexec i got the root flag