Administrator

Writeup for Administrator lab on HackTheBox

Enumeration

  • We start by using the credentials given by the challenge
    f4fbb4815b5da07b30f337cc974902c27ea88316.png
  • nmap scan :
    aade32252c68101eeedc42403643c32b0dfff416.png
  • BloodHound extract :
    38bd7c1e5be119f41d0f79b14de5c49ffb37425b.png

Successive ACLs abuses

  • Olivia has a GenericAll ACL over Michael
    42adb9e8eaf43723c7f5443f53a82b81240f8f05.png
  • This means we can change Michael’s password (other alternatives are possible in case of a real case scenario where stealth is required) :
    7f1472c79a147561f6aa285fbdf9d2d81bc370b7.png
  • Michael can change Benjamin’s password :
    4e8bfa79db03a4bdd8b025356dfb76fc70bb400a.png
    9d7ccb1e05f02ecbd5525b96280a7548a499d820.png
  • Benjamin can connect to the server via FTP
    5ef6566be48f247b3738bb3a887784faf8e955c3.png
  • Now let’s try to crack this vault :
    ae42a3b34d1689b6ae562b7463cfbcb3312277b0.png

User Flag

  • Download Password Safe, then open the database with the password you just found :
    089281b80c9696d64ff412bd7045aaf59b9a1007.png
    Emily is an interesting target because she has a GenericWrite ACL on Ethan (which has DCSync rights) :
    beed7787cc738c65cc4e5fa521af48e89c71d4f5.png
    fdbe58d64627a10a960db11e2f17ed7f2f3fab3d.png

System Flag

  • Let’s use targeted kerberoasting to abuse the GenericWrite on Ethan :
    921edd3876b175cc476e91a517af7dfdcf8397de.png
  • Now crack this :
    bfa43cce1bb2971bf27809ccc68ce53ba1328846.png
  • Then use Ethan’s DCSYNC rights :
    d8ba65e24bbf0a6121f13f8472a9f4d6fc91e3cb.png
    0971a896a7f4c5ac28f04748ae9cba5aa19d9773.png