{"id":249,"date":"2025-10-18T19:09:00","date_gmt":"2025-10-18T19:09:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=249"},"modified":"2025-12-28T17:42:29","modified_gmt":"2025-12-28T17:42:29","slug":"administrator-hackthebox-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=249","title":{"rendered":"Administrator- Hackthebox lab"},"content":{"rendered":"\n

This lab came with Active Directory creds to simulate an assumed breach assessment. I started by checking the credentials with Netexec to confirm they worked.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Next I ran Bloodhound-ce-python to collect Active Directory data for Bloodhound. Looking at the user “Olivia” that was provided, I noticed they had an outbound “GenericAll” object control over the “Michael” user.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I then used the command below to change the password for the “Michael” account.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Using Netexec, I check the new credentials to confirm they are working.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Looking at the “Michael” user in Bloodhound, I see that he has the “ForceChangePassword” outbound object control over the “Benjamin” user.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I changed the password for “Benjamin” with the command below.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Then confirmed the new creds worked.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Having access to the three accounts, I enumerated their groups and settings. I saw that Michael was part of the “Remote Management Users” group.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Using evil-winrm I connected as “Michael” and looked for privilege escalation opportunities such as looking for files and running WinPEAS. I did not find anything good here.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After getting stuck, I realized I forgot to do a port scan! I got too excited about the Active Directory stuff.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I was able to get access to FTP with the “Benjamin” account credentials and pulled down a file called “Backup.psafe3”. This is a database for a password manager called Password Safe.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Using pwsafe2john I got the hash for the master password for the vault.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I used john to crack the password hash and got the cleartext master password.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In the vault, I found credentials for the “Emily” account.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I performed a targeted Kerberost attack with the targetedKerberost.py tool. This provided the kerberos hash for the “Ethan” user.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I cracked their password hash with Hashcat.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Then I ran a DC-Sync attack with impacket-secretsdump and got the output below including the “Administrator” accounts password hash.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I used the “Administrator” accounts password hash to connect to the box with evil-winrm and gained full administrative access.<\/p>\n\n\n\n

\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

This lab came with Active Directory creds to simulate an assumed breach assessment. I started by checking the credentials with Netexec to confirm they worked. Next I ran Bloodhound-ce-python to collect Active Directory data for Bloodhound. Looking at the user “Olivia” that was provided, I noticed they had an outbound […]<\/p>\n","protected":false},"author":1,"featured_media":250,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-249","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=249"}],"version-history":[{"count":4,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/249\/revisions"}],"predecessor-version":[{"id":304,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/249\/revisions\/304"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/250"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}