Nmap scan report for 10.10.10.100
Host is up (0.079s latency).
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-04-21 01:39:19Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
5722/tcp  open  msrpc         Microsoft Windows RPC
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49174/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -4h58m51s
| smb2-time:
|   date: 2023-04-21T01:40:18
|_  start_date: 2023-04-21T01:33:39
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required
Exploitation
SMB - Port 445
Enumerating SMB, you'll find that the Replication share is a copy of the SYSVOL folder. What are we going to take advantage of? The GPP vulnerability.
The most interesting (and dangerous) feature of GPP is the ability to set passwords for the local Administrator account. Group Policies for account management are stored on the Domain Controller in "Groups.xml" files buried in the SYSVOL folder, and the password sits in a cpassword attribute encrypted with an AES key that Microsoft itself published (MS14-025), so anyone who can read the file can recover it.
So, download the Groups.xml from the path you see in the image above, decrypt the password and you get a user.
Once you have decrypted the password, you can try AS-REP roasting, but it will not work :(
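As an added audit check (not from the original writeup), the following Python walks a SYSVOL copy and reports every Group Policy Preference XML file whose Properties element still carries a non-empty cpassword attribute, which is exactly the leftover that makes the Replication share dangerous. The SYSVOL tree, GPO folder name and cpassword blob are constructed for the demo.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files that can carry a cpassword attribute, mapped to the attribute
# that names the account the stored password belongs to.
ACCOUNT_ATTR = {"Groups.xml": "userName", "Services.xml": "accountName", "ScheduledTasks.xml": "runAs",
                "DataSources.xml": "username", "Drives.xml": "username", "Printers.xml": "username"}

def find_gpp_passwords(sysvol_root):
    # Return one dict per non-empty cpassword attribute found under sysvol_root.
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in ACCOUNT_ATTR:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # a malformed file must not abort the whole audit
            for item in root.iter():          # e.g. <User>, whose child is <Properties>
                for props in item:
                    blob = props.get("cpassword")
                    if not blob:              # attribute absent or "" means no stored password
                        continue
                    findings.append({"file": os.path.relpath(path, sysvol_root),
                                     "item": item.tag,
                                     "account": props.get(ACCOUNT_ATTR[name], ""),
                                     "changed": item.get("changed", ""),
                                     "cpassword": blob})
    return findings

# Constructed Groups.xml: one entry with a stored password, one without.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="local_backup" changed="2023-04-01 10:00:00">
    <Properties action="U" userName="local_backup" cpassword="CONSTRUCTED_BLOB_NOT_REAL"/>
  </User>
  <User name="Guest" changed="2023-04-01 10:05:00">
    <Properties action="U" userName="Guest" cpassword="" acctDisabled="1"/>
  </User>
</Groups>
"""

def demo():
    # Build a constructed SYSVOL tree in a temp dir, audit it and return the findings.
    with tempfile.TemporaryDirectory() as sysvol:
        gpo = os.path.join(sysvol, "Policies", "{CONSTRUCTED-GPO-GUID}", "Machine", "Preferences", "Groups")
        os.makedirs(gpo)
        with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return find_gpp_passwords(sysvol)
```

Run it against a mounted or downloaded copy of SYSVOL with `find_gpp_passwords(path)`; an empty list means no GPP-stored credentials were found in the files it knows about.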
Kerberoasting
Running a Kerberoasting attack, we see that the Administrator user is vulnerable (it has an SPN registered, so a TGS ticket encrypted with its password hash can be requested).
Grab the hash and start cracking it with John the Ripper.
Once you get the user's password, you can get inside the machine as the Administrator user, so you have officially pwned the machine.