
Hack The Box: Administrator Walkthrough Medium Difficulty


Introduction to Administrator:

In this writeup, we will explore the “Administrator” machine from Hack The Box, categorized as a Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective for Administrator:

The goal of this walkthrough is to complete the “Administrator” machine from Hack The Box by achieving the following objectives:

User Flag:

Olivia’s credentials unlock a web portal, where CrackMapExec maps domain users like Michael and Benjamin. BloodHound shows Olivia can hijack Michael’s account, and Michael can reset Benjamin’s password. We chain these resets to steal Benjamin’s FTP access, nabbing a Password Safe file. A found combination cracks it open, revealing Emily’s credentials. With these, we hit WinRM and grab the user flag from Emily’s desktop. This exploits sloppy Active Directory permissions—no CVE, just a domain misstep letting users control others.

Root Flag:

The escalation starts with Emily’s access, launching a Kerberoasting attack on Ethan. We grab his Kerberos ticket, crack it with Hashcat to get his password, and log in via WinRM. The root flag sits in the Administrator’s desktop, ours for the taking. Kerberoasting, not a CVE, hits Active Directory’s weak password flaw, amplified by Emily’s rights over Ethan.

Enumerating the Administrator Machine:

Reconnaissance:

Credentials get us in:

Username: Olivia
Password: ichliebedich

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.42

Nmap Output:

┌──[dark@parrot]─[~/Documents/htb/administrator]
└──╼ $nmap -sC -sV -oA initiall 10.10.11.42 
# Nmap 7.94SVN scan initiated Fri Mar 28 00:27:11 2025 as: nmap -sC -sV -oA initiall 10.10.11.42
Nmap scan report for 10.10.11.42
Host is up (0.16s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-28 04:52:32Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 25m00s
| smb2-time: 
|   date: 2025-03-28T04:52:46
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 28 00:27:58 2025 -- 1 IP address (1 host up) scanned in 46.73 seconds

Analysis:

  • Port 21 (FTP): Running Microsoft ftpd, indicating a potential file transfer service. This could be a vector for retrieving sensitive files if credentials are valid.
  • Port 53 (DNS): Simple DNS Plus suggests the host is a Domain Controller handling DNS queries for the administrator.htb domain.
  • Port 88 (Kerberos): Microsoft Windows Kerberos confirms Active Directory authentication, critical for credential-based attacks like Kerberoasting.
  • Ports 135, 139, 445 (RPC, NetBIOS, SMB): Standard Windows services for remote procedure calls and file/printer sharing, useful for SMB enumeration and lateral movement.
  • Ports 389, 636, 3268, 3269 (LDAP): LDAP services indicate Active Directory, enabling the enumeration of users, groups, and permissions.
  • Port 464 (kpasswd5): Kerberos password change service, potentially abusable with sufficient privileges.
  • Port 593 (RPC over HTTP): Supports remote management, another avenue for privileged access.

Exploitation

FTP Service Exploration:

The FTP service appears to be accessible on port 21. We should attempt to authenticate using the previously obtained credentials.

However, authentication to the FTP service failed with the provided credentials (olivia:ichliebedich), returning an error indicating an inaccessible home directory.

CrackMapExec

Given this, we pivot to explore other services. Testing the credentials against SMB reveals readable shares (NETLOGON, SYSVOL) but no writable access:

WinRM proves more fruitful, allowing successful authentication:

We establish a remote session using evil-winrm:

Inside Olivia’s account, no immediate flags or sensitive files are found, so we shift focus to Active Directory enumeration to uncover privilege escalation paths.

Analysis

  • User Context: Olivia’s SID (S-1-5-21-…-1108) confirms she’s a standard domain user in administrator.htb. No immediate signs of elevated privileges.
  • Group Membership:
    • Remote Management Users (S-1-5-32-580): Explains why WinRM access worked, as this group allows remote management via tools like PSRemoting.
    • Users (S-1-5-32-545): Standard user group, granting basic domain access.
    • Pre-Windows 2000 Compatible Access (S-1-5-32-554): Typically allows legacy compatibility but can expose sensitive data if misconfigured (e.g., anonymous LDAP queries).
    • Everyone, Authenticated Users, etc.: Default groups with no special privileges in this context.

Privileges:

  • SeMachineAccountPrivilege: Allows adding workstations to the domain, potentially abusable for creating rogue machine accounts, but not immediately useful here.
  • SeChangeNotifyPrivilege: Common, enables bypassing directory traversal checks, not escalatable.
  • SeIncreaseWorkingSetPrivilege: Permits increasing process memory, low impact for escalation.

Integrity Level: Medium Plus Mandatory Level indicates a standard, non-elevated user session.

There are a few more domain users that we can enumerate and investigate further.

The output lists user accounts and their corresponding Security Identifier (SID) types:


The command crackmapexec smb administrator.htb -u Olivia -p ichliebedich --rid-brute | grep SidTypeUser is like using Olivia’s key to unlock an employee directory in an office (the system). It lists the names and ID numbers (Security Identifiers, or SIDs) of users like Michael and Benjamin, with grep SidTypeUser filtering the output down to user accounts rather than groups.

Bloodhound analysis on the Administrator machine

To map the Active Directory environment, BloodHound-python was utilised with Olivia’s credentials. The tool systematically analysed privilege relationships within the domain, effectively identifying potential pathways for privilege escalation.


This generates a ZIP file we load into BloodHound (start Neo4j with sudo neo4j console and drag the ZIP in). Time to hunt for privilege escalation paths.

Using BloodHound CE for post-collection analysis, I examined potential domain privilege escalation paths. The analysis revealed that the user Olivia holds GenericAll permissions over the account, Michael. This level of access enables several attack vectors, including:

  • Assigning a Service Principal Name (SPN) to facilitate a targeted Kerberoasting attack
  • Resetting the user’s password to gain direct access
  • Abusing shadow credentials, provided PKINIT authentication is supported in the environment

Bloodhound Analysis Findings:

  • Olivia possesses full control over Michael’s account, granting her the ability to perform any action on it.
  • Michael has the authority to reset the password for Benjamin’s account.
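The chain of control rights the BloodHound findings describe can be audited programmatically. The following is an added example (not BloodHound's code or part of the original walkthrough) that takes a constructed edge list mirroring the rights reported on this page and reports every principal that can transitively take over a given target:

```python
from collections import deque

# Constructed sample edges reproducing the control relationships the
# walkthrough reports from BloodHound. Each tuple is
# (controlling principal, right, controlled principal).
EDGES = [
    ("olivia", "GenericAll", "michael"),
    ("michael", "ForceChangePassword", "benjamin"),
    ("emily", "GenericWrite", "ethan"),
    ("ethan", "DCSync", "DC"),
]

# Rights that let the holder take over the target outright: password reset,
# SPN write (targeted Kerberoast) or replication of directory secrets.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "ForceChangePassword", "DCSync"}


def control_paths(edges, source, target):
    """Return every chain of takeover rights from source to target as
    [principal, right, principal, right, ...] lists (BFS, cycle-free)."""
    adjacency = {}
    for src, right, dst in edges:
        if right in TAKEOVER_RIGHTS:
            adjacency.setdefault(src.lower(), []).append((right, dst.lower()))
    found = []
    queue = deque([[source.lower()]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target.lower():
            found.append(path)
            continue
        for right, nxt in adjacency.get(node, []):
            if nxt not in path[::2]:  # principals sit at even indices
                queue.append(path + [right, nxt])
    return found


def principals_reaching(edges, target):
    """Audit helper: which principals can transitively take over target?"""
    sources = {src.lower() for src, _, _ in edges}
    return sorted(s for s in sources if control_paths(edges, s, target))


if __name__ == "__main__":
    for path in control_paths(EDGES, "olivia", "benjamin"):
        print(" -> ".join(path))
    print("Can reach the DC:", principals_reaching(EDGES, "DC"))
```

Feeding a real ACL export (for example, BloodHound's JSON converted to the same tuples) lets a defender list every non-admin principal with a path to the domain controller before an attacker walks it.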

Owning Michael

BloodHound shows Olivia has GenericAll rights over Michael, meaning we can reset his password. From the WinRM session:

We verify the new creds (michael:password) with crackmapexec

Success! Michael’s account is ours.

Owning Benjamin

Checking Michael in BloodHound, we see he has ForceChangePassword on benjamin. We use rpcclient to reset Benjamin’s password:

  1. Reset Benjamin’s Password using Michael’s Credentials:

FTP account

We verify the password reset and use the updated credentials to log in to the FTP service as Benjamin:


Explanation on the Psafe tool

PSafe is a cybersecurity company specialising in mobile security solutions, particularly for Android devices. Its flagship product, dfndr security, offers comprehensive protection by detecting malware, blocking phishing attempts, securing personal data, and optimising device performance. PSafe’s tools are designed to enhance user privacy and safeguard against common mobile threats in real time.


We snag a Backup.psafe3 file (Password Safe 3 format).

It’s password-protected, so we crack it with Hashcat.


All failed, but we managed to obtain the password.

The password tekieromucho unlocks the file, revealing creds for Alexander, emily, and emma.


Finally, let’s use pwsafe to open the database.

The initial pwsafe screen prompts for the database file and its safe combination.


Therefore, let’s enter the safe combination that we found earlier.


We can now gather the passwords for all the users listed above.


After a while, we have successfully obtained valid credentials for emily, including her password.


Those credentials also work for WinRM:


We can then read the user flag from Emily’s desktop.

Escalation to Root Privileges Access on Administrator machine

Privilege Escalation:

What is TargetedKerberoast?

Kerberoasting is an attack that exploits how Active Directory handles service tickets. Attackers request encrypted tickets for accounts linked to services and attempt to crack them offline to reveal passwords. targetedKerberoast.py focuses on specific users, making the attack stealthier and more efficient.
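A targeted Kerberoast leaves the same trace as an ordinary one: a service ticket (event 4769) issued with RC4 for a user account that has an SPN. The block below is an added example, not part of the original writeup or of targetedKerberoast.py; it runs simple detection logic over constructed, flattened key=value 4769 lines (field names simplified from the real event XML):

```python
# Constructed sample 4769 (Kerberos service ticket requested) events,
# flattened to key=value pairs. Not real logs from the Administrator box.
SAMPLE_4769 = [
    "EventID=4769 Account=emily@ADMINISTRATOR.HTB Service=ethan TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 Account=DC$@ADMINISTRATOR.HTB Service=krbtgt TicketEncryptionType=0x12 Status=0x0",
    "EventID=4769 Account=olivia@ADMINISTRATOR.HTB Service=DC$ TicketEncryptionType=0x12 Status=0x0",
    "EventID=4769 Account=emily@ADMINISTRATOR.HTB Service=sqlsvc TicketEncryptionType=0x17 Status=0x1B",
]

RC4_HMAC = "0x17"  # etype 23: the cheaply crackable ticket a Kerberoaster asks for


def parse_event(line):
    """Turn one flattened key=value line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_kerberoast_candidate(evt):
    """Flag a successful 4769 whose ticket was issued with RC4 for a user
    service account. Machine accounts ($) and krbtgt are skipped, as are
    AES (0x12) tickets and failed requests (non-zero Status)."""
    if evt.get("EventID") != "4769" or evt.get("Status") != "0x0":
        return False
    service = evt.get("Service", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False
    return evt.get("TicketEncryptionType", "").lower() == RC4_HMAC


def triage(lines):
    """Return (requester, service) pairs worth investigating. One requester
    pulling RC4 tickets for many services is the classic mass-roast pattern."""
    hits = []
    for line in lines:
        evt = parse_event(line)
        if is_kerberoast_candidate(evt):
            hits.append((evt["Account"].split("@")[0], evt["Service"]))
    return hits


if __name__ == "__main__":
    for requester, service in triage(SAMPLE_4769):
        print(f"RC4 service ticket for {service} requested by {requester}")
```

For the targeted variant, correlate the hit with a preceding directory change event (5136 or 4738) that added a servicePrincipalName to the same account; an SPN appearing on a plain user account minutes before an RC4 ticket request is the signature of this attack.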

Owning Ethan

BloodHound shows Emily has GenericWrite on ethan. Ethan has no SPN, so we use targetedKerberoast.py to set one and grab a Kerberos ticket:


The TGS-REP hash is cracked with Hashcat.


The password limpbizkit gives us Ethan’s account.

Domain Controller Dump

Ethan has DCSync rights on the Domain Controller—a goldmine. We use secretsdump.py to pull all domain hashes:
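A DCSync is a directory replication request, which the domain controller audits as event 4662 carrying the replication control-access right GUIDs. The following added example (not part of the original walkthrough or of secretsdump.py) flags such requests from any account that is not a known domain controller; the sample lines are constructed and use a simplified key=value layout:

```python
# Constructed sample 4662 (operation performed on an object) events,
# flattened to key=value pairs. Not real logs from the Administrator box.
SAMPLE_4662 = [
    "EventID=4662 Subject=ethan ObjectType=domainDNS Access=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 Subject=DC$ ObjectType=domainDNS Access=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 Subject=olivia ObjectType=user Access=0x20 "
    "Properties={not-a-replication-right}",
]

# Well-known AD control-access rights a replication (DCSync) request needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}


def parse_event(line):
    """Turn one flattened key=value line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def dcsync_alerts(lines, known_dcs):
    """Return (subject, rights used) for every replication request made by a
    principal that is not a domain controller machine account."""
    alerts = []
    for line in lines:
        evt = parse_event(line)
        if evt.get("EventID") != "4662":
            continue
        guids = {g.strip("{}").lower() for g in evt.get("Properties", "").split(";")}
        used = sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))
        if used and evt.get("Subject") not in known_dcs:
            alerts.append((evt["Subject"], used))
    return alerts


if __name__ == "__main__":
    for subject, rights in dcsync_alerts(SAMPLE_4662, known_dcs={"DC$"}):
        print(f"Replication by non-DC {subject}: {', '.join(rights)}")
```

Auditing 4662 requires the directory service access SACL to be enabled; without it the event never fires and the DCSync leaves no host-side trace.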


This hands us the Administrator’s NTLM hash.


With the Administrator hash, we get a domain admin shell via WinRM.


We can then read the root flag from the Administrator’s desktop.