Post

Voleur - Medium - Windows

Starting Credentials

The author of the challenge has provided a set of starting credentials.

1
As is common in real life Windows pentests, you will start the Voleur box with credentials for the following account: ryan.naylor / HollowOct31Nyt

Nmap Scan

The port scan discovered a domain controller. No web service is active. SSH is active on port 2222.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# Nmap 7.95 scan initiated Mon Jul  7 20:42:58 2025 as: /usr/lib/nmap/nmap -sCV -p- -v -oN portscan.log 10.10.11.76
Nmap scan report for 10.10.11.76
Host is up (0.030s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-08 08:44:49Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
2222/tcp  open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
|   256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_  256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
60995/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
60996/tcp open  msrpc         Microsoft Windows RPC
61008/tcp open  msrpc         Microsoft Windows RPC
61024/tcp open  msrpc         Microsoft Windows RPC
63716/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-07-08T08:45:40
|_  start_date: N/A
|_clock-skew: 7h59m58s

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul  7 20:46:20 2025 -- 1 IP address (1 host up) scanned in 202.22 seconds

Enumerating Shares (ryan.naylor)

Using the starting credentials it was possible to enumerate the shares of the domain controller. ryan.naylor has access to the IT share.

a961487017e8b4f59987bae4b964585a.png

Gathering Bloodhound Data (ryan.naylor)

It was also possible to gather bloodhound data as shown below.

4b217f2b855c9ceb4410fa858a4d7493.png

Obtaining TGT (ryan.naylor)

Since the domain controller is not accepting NTLM authentication and forcing Kerberos it will be necessary to obtain a TGT. The below screenshot shows the process.

de6544285a0693703c8475ce3250a0c2.png

Inspecting IT Share

The IT share contained a number of folders. ryan.naylor has access to the folder which contains an excel document. The below screenshot shows the excel document being downloaded onto my local machine.

f8e218469ce06670e3f984a3c8378789.png

Inspecting Excel Document

The excel document is password protected and will need further work to recover the password.

97cba605d1fa42d88c46358fe13f97b4.png

Extracting Password Hash (Excel Document)

office2john was used to extract the password hash of the document in order to crack it.

edb04987b387575fec561a8c17ff5daa.png

Cracking Hash

The password cracked successfully and the password was recovered as shown below.

c82c2160dfd923dc508dfe74157b6f77.png

Inspecting Excel Document

After inputting the correct password it opened a spreadsheet which contains several usernames and passwords. It also has a notes field which gives various helpful hints to solving the challenge.

ec2107359346d64345d41dda28dc5d32.png

Password Spraying

I collected all the usernames and passwords from the excel document and saved them into separate lists. These lists were used to perform a password spray in hopes of unlocking another set of valid credentials. In the end two sets of new credentials were discovered. svc_ldap and svc_iis.

6cbdf57d148985087d4b7bb9672809b9.png f5309bfda283ba1f5e0129df59190367.png a45dcb56451bd648e25695d8e3633bae.png

Reviewing Bloodhound Data

Since I now have access to more accounts the logical step to take would be to check what each of the users can do. After looking at the bloodhound data the only user of interest was svc_ldap. svc_ldap can WriteSPN to svc_winrm which means it should be possible to perform a targeted kerberoast attack.

svc_ldap is also a member of RESTORE_USERS which is a strong indication they might be able to restore user accounts. The excel document listed a deleted user called todd.wolfe. It may be possible to recover todd.wolfe using svc_ldap. However svc_ldap is not a member of Remote Management Users which means it will not be possible to remote onto the domain controller as them.

Thankfully the svc_winrm user will have the correct permissions to remote onto the domain controller. Targeting svc_winrm will be the next logical step.

6171d6c38e6a60bf3c4ec790d4a2f771.png

WriteSPN - svc_winrm

In order to kerberoast the svc_winrm user there first needs to be a service principal name set. The below screenshot shows how to set the SPN.

c084f45067aa4e7ff7e194134548086b.png

Targeted Kerberoast

With the SPN set it should now be possible to perform a kerberoast attack. There are several ways to do this and for the below example I used netexec. The hash was successfully recovered as shown below.

e6b9db3a900de1e6d8e666f41a23904c.png

Cracking Hash (svc_winrm)

The hash cracked successfully as shown below.

cd072c9b0c4bc84917746122fd118957.png

Obtaining TGT (svc_winrm)

The below screenshot shows obtaining a TGT for the svc_winrm user. It should now be possible to remote onto the domain controller.

2e4cf6feaa0a1a816e20239e6a1bf23e.png

User Flag Captured

evil-winrm was used along with the TGT to authenticate onto the domain controller. The user flag was found on the desktop of the svc_winrm user.

5fa144fe7ab5abfb7029a83dc865d9d2.png

RunasCs.exe (svc_ldap)

After checking the file system svc_ldap does not have access to anything interesting. After reviewing all known information so far it looks like the way forward is restoring a deleted account.

Only svc_ldap has access to restore accounts and its not possible to create normal remote session to the domain controller as them. To workaround this I decided to use RunasCs.exe. This tool will accept the credentials of a user and then return a reverse shell as them.

The below screenshot shows how the tool was used to do the above.

ff493341846c463546b8219ac84d1738.png

Reverse Shell Obtained (svc_ldap)

The reverse shell returned successfully. Now I have an interactive session as svc_ldap which means its now possible to issue PowerShell commands as the user.

6fa47ec09ff2244d8ce176e122a9202c.png

Inspecting Deleted Objects (todd.wolfe)

The below command snippet shows the PowerShell command used to to view all deleted objects on the domain controller. The results show that todd.wolfe is listed which is good news. This looks promising because it will probably be possible to recover that user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
PS C:\Windows\system32> Get-ADObject -Filter 'IsDeleted -eq $True' -IncludeDeletedObjects -Properties *

Get-ADObject -Filter 'IsDeleted -eq $True' -IncludeDeletedObjects -Properties *


CanonicalName                   : voleur.htb/Deleted Objects
CN                              : Deleted Objects
Created                         : 1/29/2025 12:42:27 AM
createTimeStamp                 : 1/29/2025 12:42:27 AM
Deleted                         : True
Description                     : Default container for deleted objects
DisplayName                     : 
DistinguishedName               : CN=Deleted Objects,DC=voleur,DC=htb
dSCorePropagationData           : {12/31/1600 4:00:00 PM}
instanceType                    : 4
isCriticalSystemObject          : True
isDeleted                       : True
LastKnownParent                 : 
Modified                        : 1/29/2025 4:44:42 AM
modifyTimeStamp                 : 1/29/2025 4:44:42 AM
Name                            : Deleted Objects
ObjectCategory                  : CN=Container,CN=Schema,CN=Configuration,DC=voleur,DC=htb
ObjectClass                     : container
ObjectGUID                      : 587cd8b4-6f6a-46d9-8bd4-8fb31d2e18d8
ProtectedFromAccidentalDeletion : 
sDRightsEffective               : 0
showInAdvancedViewOnly          : True
systemFlags                     : -1946157056
uSNChanged                      : 13005
uSNCreated                      : 5659
whenChanged                     : 1/29/2025 4:44:42 AM
whenCreated                     : 1/29/2025 12:42:27 AM

accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
badPwdCount                     : 0
CanonicalName                   : voleur.htb/Deleted Objects/Todd Wolfe
                                  DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
CN                              : Todd Wolfe
                                  DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
codePage                        : 0
countryCode                     : 0
Created                         : 1/29/2025 1:08:06 AM
createTimeStamp                 : 1/29/2025 1:08:06 AM
Deleted                         : True
Description                     : Second-Line Support Technician
DisplayName                     : Todd Wolfe
DistinguishedName               : CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted 
                                  Objects,DC=voleur,DC=htb
dSCorePropagationData           : {5/13/2025 4:11:10 PM, 1/29/2025 4:52:29 AM, 1/29/2025 4:49:29 AM, 1/29/2025 1:08:06 
                                  AM...}
givenName                       : Todd
instanceType                    : 4
isDeleted                       : True
LastKnownParent                 : OU=Second-Line Support Technicians,DC=voleur,DC=htb
lastLogoff                      : 0
lastLogon                       : 133826301603754403
lastLogonTimestamp              : 133826287869758230
logonCount                      : 3
memberOf                        : {CN=Second-Line Technicians,DC=voleur,DC=htb, CN=Remote Management 
                                  Users,CN=Builtin,DC=voleur,DC=htb}
Modified                        : 5/13/2025 4:11:17 PM
modifyTimeStamp                 : 5/13/2025 4:11:17 PM
msDS-LastKnownRDN               : Todd Wolfe
Name                            : Todd Wolfe
                                  DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  : 
ObjectClass                     : user
ObjectGUID                      : 1c6b1deb-c372-4cbb-87b1-15031de169db
objectSid                       : S-1-5-21-3927696377-1337352550-2781715495-1110
primaryGroupID                  : 513
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 133826280731790960
sAMAccountName                  : todd.wolfe
sDRightsEffective               : 0
sn                              : Wolfe
userAccountControl              : 66048
userPrincipalName               : todd.wolfe@voleur.htb
uSNChanged                      : 45088
uSNCreated                      : 12863
whenChanged                     : 5/13/2025 4:11:17 PM
whenCreated                     : 1/29/2025 1:08:06 AM



PS C:\Windows\system32> 

Restoring Deleted Object (todd.wolfe)

The below screenshot shows the command used to recover the user. It was successful as proven by the net users command output.

21dd4c29d6c7eb97bce79dbf8b3f4fce.png

Recollecting/Reviewing Bloodhound Data

Now todd.wolfe is an active user on the domain controller it will make sense to recollect bloodhound data while they are active. Beforehand bloodhound did not collect any data on todd.wolfe since they were deleted.

The bloodhound data shows that todd.wolfe is a member of SECOND-LINE TECHNICIANS and also a member of Remote Management Users.

f2148eb610733a4d4e75cf799ef71b61.png

Obtaining TGT (todd.wolfe)

The below screenshot shows the successful outcome of obtaining a TGT for todd.wolfe.

a8a2779f3cc7af560b37960a95b55bb8.png

WinRM Failure

For some reason I could not create a remote session to the domain controller as todd.wolfe. They are a member of Remote Management Users and the TGT was obtained without any errors. Yet whenever they try to create a session via WinRM it would complain that the token supplied was invalid. I suspect there is some intentional restriction in place and unfortunately I do not fully understand how to enumerate it further yet.

8f1884851e39f26ae47f612518644bb9.png

RunasCs.exe

To workaround the restriction I decided to keep things simple and use RunasCs.exe to return a reverse shell which will grant an interactive session as the todd.wolfe user.

94abce421d844d7fa7f3becc2d009557.png

Reverse Shell Obtained (todd.wolfe)

The below screenshot shows the successful call-back of the reverse shell as todd.wolfe.

e4285074add1c315836c666664705640.png

Inspecting IT Share (Locally)

It was possible to access the Second-Line Support share to check if todd.wolfe has access to any interesting files. The share contained a folder which stored archived user profile data. The %APPDATA% directory contained a Protect and Credentials folder which was of interest.

The below screenshots show the files of interest. It should be possible to extract passwords from the below files.

8b0f1830d83aae93b66f0cbe25ed50fe.png

7ae06a83e33acd27082a8132328da1b9.png

pypykatz - Decrypting Credentials

pypykatz was used to create a prekey using the SID and the users password. The prekey was then used to decrypt the masterkey. Once the master key was decrypted it could then be used to decrypt the contents of the credentials file. All of the steps are outlined in the below screenshot.

8ccc2cd0f066775a21a777e925737b3c.png

Decoding Password

pypykatz output the stored password in HEX. Python was used to decode the HEX as shown below.

9ae26dce98d0436b6ccfa7c4a9404bb7.png

Password Spraying

The password which was discovered in the previous step belonged to a user called jemery.combs. To cover all bases I tested it against all known users to see if it was reused anywhere else.

In this case the password was only valid for jemery.combs. The excel document mentioned that jemery.combs had access to the software share.

46d48f74bb9c6f763eba08974a81ed24.png

Inspecting Bloodhound Data

Bloodhound shows that jemery.combs is a member of THIRD-LINE TECHNICIANS. This means they might have access to the third folder in the IT share which has been restricted so far.

a4a72eb00b2838c785ba166f6dff2515.png

RunasCs.exe

As before RunasCs.exe was used to obtain a reverse shell as the jemery.combs user.

ea9ae6e9aeb5098e5c552ad6895704ef.png

Reverse Shell Obtained (jeremy.combs)

The below screenshot shows the successful call-back of the reverse shell.

112b4cb3cfdd929150671f56149e46ed.png

Inspecting IT Share (Locally)

jemery.combs was able to access the Third-Line Support folder on the IT share. This folder contained several interesting files. The most interesting is an id_rsa key. The port scan revealed that SSH was active on port 2222. There is also a note which says they have configured WSL for backup purposes.

The excel document and the bloodhound data shows that svc_backup is a valid user so it would make sense to focus on that user moving forward.

The below screenshots show the contents of the shared folder.

e74d68f06184a6b8b342e5b0ebd8f4d8.png

a3da217682849e6fed77cbf3f746afe9.png

d95fb8680272457b3fe2bab21cd78085.png

Access to Backups - Restricted

There is a backups folder which jemery.combs cannot access.

635be11b4b89d93aa504c4bda8ed3f78.png

Logging in via SSH (svc_backup)

I took an educated guess and assumed the private key was probably for svc_backup. This turned out to be the case as shown below.

2ddbcee40ede5eadc74fa59cace8f186.png

Accessing Backups via /mnt

Since jemery.combs could not access the backups folder I was curious to see if any directories were mounted within the Linux container. After checking /mnt the C drive was mapped. The drive contained the IT share and it was possible to access the backups folder as svc_backup.

The backups folder contained a backup of sensitive files such as ntds.dit and SYSTEM. I downloaded these files onto my local machine using scp.

1cc9d8487b27ac6c13ab54e1a1f4c093.png

pypykatz - Extracting Secrets

pypykatz was used to extract the hashes of the ntds.dit database as shown below. The administrator hashes are now known and hopefully they are still valid.

f36bb22999869020891009b623c6c26f.png

SMBExec - Administrator

The domain controller is not accepting NTLM authentication. After testing various methods I found the easiest solution was to use the AES key with smbexec as shown below. Root flag captured.

1121017066bd67005422794e4f193a23.png

This post is licensed under CC BY 4.0 by the author.