LoginHack The Box: Voleur Machinen Walkthrough β Medium Difficulty
Introduction to Voleur:
In this write-up, we will explore the βVoleurβ machine from Hack The Box, categorised as a medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the βVoleurβ machine from Hack The Box by achieving the following objectives:
User Flag:
I found a password-protected Excel file on an SMB share, cracked it to recover service-account credentials, used those credentials to obtain Kerberos access and log into the victim account, and then opened the userβs Desktop to read user.txt.
Root Flag:
I used recovered service privileges to restore a deleted administrator account, extracted that userβs encrypted credential material, decrypted it to obtain higher-privilege credentials, and used those credentials to access the domain controller and read root.txt.
Enumerating the Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial -Pn 10.10.11.76Nmap Output:
ββ[dark@parrot]β[~/Documents/htb/voleur]
ββββΌ $nmap -sC -sV -oA initial -Pn 10.10.11.76
# Nmap 7.94SVN scan initiated Thu Oct 30 09:26:48 2025 as: nmap -sC -sV -oA initial -Pn 10.10.11.76
Nmap scan report for 10.10.11.76
Host is up (0.048s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-30 20:59:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
| 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_ 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2025-10-30T20:59:25
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h32m19s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Oct 30 09:27:43 2025 -- 1 IP address (1 host up) scanned in 55.54 secondsAnalysis:
- 53/tcp: DNS (Simple DNS Plus) β domain name resolution
- 88/tcp: Kerberos β Active Directory authentication service
- 135/tcp: MSRPC β Windows RPC endpoint mapper
- 139/tcp: NetBIOS-SSN β legacy file and printer sharing
- 389/tcp: LDAP β Active Directory directory service
- 445/tcp: SMB β file sharing and remote administration
- 464/tcp: kpasswd β Kerberos password change service
- 593/tcp: RPC over HTTP β remote procedure calls over HTTP
- 636/tcp: tcpwrapped β likely LDAPS (secure LDAP)
- 2222/tcp: SSH β OpenSSH on Ubuntu (remote management)
- 3268/tcp: Global Catalog (LDAP GC) β forest-wide directory service
- 3269/tcp: tcpwrapped β likely Global Catalog over LDAPS
Machine Enumeration:
impacket-getTGT voleur.htb/ryan.naylor:HollowOct31Nyt (Impacket v0.12.0) β TGT saved to ryan.naylor.ccache; note: significant clock skew with the DC may disrupt Kerberos operations.
impacket-getTGT used ryan.naylorβs credentials to request a Kerberos TGT from the domain KDC and saved it to ryan.naylor.ccache; that ticket lets anyone request service tickets and access AD services (SMB, LDAP, HTTP) as ryan.naylor until it expires or is revoked, so inspect it with KRB5CCNAME=./ryan.naylor.ccache && klist and, if the request was unauthorized, reset the account password and check KDC logs for suspicious AS-REQs.
Setting KRB5CCNAME=ryan.naylor.ccache tells the Kerberos libraries to use that credential cache file for authentication so Kerberos-aware tools (klist, smbclient -k, ldapsearch -Y GSSAPI, Impacket tools with -k) will present the saved TGT; after exporting, run klist to view the ticket timestamps and then use the desired Kerberos-capable client (or unset the variable when done).
nxc ldap connected to the domain controllerβs LDAP (DC.voleur.htb:389) using Kerberos (-k), discovered AD info (x64 DC, domain voleur.htb, signing enabled, SMBv1 disabled) and successfully authenticated as voleur.htb\ryan.naylor with the supplied credentials, confirming those credentials are valid for LDAP access.
nxc smb connected to the domain controller on TCP 445 using Kerberos (-k), enumerated the host as dc.voleur.htb (x64) with SMB signing enabled and SMBv1 disabled, and successfully authenticated as voleur.htb\ryan.naylor with the supplied credentials, confirming SMB access to the DC which can be used to list or mount shares, upload/download files, or perform further AD discovery while the accountβs privileges allow.
Bloodhound enumeration
Runs bloodhound-python to authenticate to the voleur.htb domain as ryan.naylor (using the provided password and Kerberos via -k), query the specified DNS server (10.10.11.76) and collect all AD data (-c All) across the domain (-d voleur.htb), then package the resulting JSON data into a zip file (βzip) ready for import into BloodHound for graph-based AD attack path analysis; this gathers users, groups, computers, sessions, ACLs, trusts, and other relationships that are sensitive β only run with authorization.
ryan.naylor is a member of Domain Users and First-line Technicians β Domain Users is the default domain account group with standard user privileges, while First-line Technicians is a delegated helpdesk/tech group that typically has elevated rights like resetting passwords, unlocking accounts, and limited workstation or AD object management; combined, these memberships let the account perform routine IT tasks and makes it a useful foothold for lateral movement or privilege escalation if abused, so treat it as sensitive and monitor or restrict as needed.
SMB enumeration
Connected to dc.voleur.htb over SMB using Kerberos authentication; authenticated as voleur.htb\ryan.naylor and enumerated shares: ADMIN$, C$, Finance, HR, IPC$ (READ), IT (READ), NETLOGON (READ), and SYSVOL (READ), with SMB signing enabled and NTLM disabled.
If impacket-smbclient -k dc.voleur.htb failed, target a specific share and provide credentials or use your Kerberos cache. For example, connect with Kerberos and no password to a known share: impacket-smbclient -k -no-pass //dc.voleur.htb/Finance after exporting KRB5CCNAME=./ryan.naylor.ccache, or authenticate directly with username and password: impacket-smbclient //dc.voleur.htb/Finance -u ryan.naylor -p HollowOct31Nyt; specifying the share usually succeeds when the root endpoint refuses connections.
Shares need to be selected from the enumerated list before accessing them.
The SMB session showed available shares (including hidden admin shares ADMIN$ and C$, domain shares NETLOGON and SYSVOL, and user shares like Finance, HR, IT); the command use IT switched into the IT share and ls will list that shareβs files and directories β output depends on ryan.naylorβs permissions and may be empty or restricted if the account lacks write/list rights.
Directory listing shows a folder named First-Line Support β change into it with cd First-Line Support and run ls to view its contents.
Inside the First-Line Support folder, there is a single file named Access_Review.xlsx with a size of 16,896 bytes, along with the standard . and .. directories.
Retrieve or save the Access_Review.xlsx file from the share to the local system.
Saved the file locally on your machine.
The file Access_Review.xlsx is encrypted using CDFv2.
The file is password-protected and cannot be opened without the correct password.
Extracted the password hash from Access_Review.xlsx using office2john and saved it to a file named hash.
The output is the extracted Office 2013 password hash from Access_Review.xlsx in hashcat/John format, showing encryption type, iteration count, salt, and encrypted data, which can be used for offline password cracking attempts.
Hashcat could not identify any supported hash mode that matches the format of the provided hash.
CrackStation failed to find a viable cracking path.
After researching the hash, itβs confirmed as Office 2013 / CDFv2 (PBKDF2βHMACβSHA1 with 100,000 iterations) and maps to hashcat mode 9600; use hashcat -m 9600 with targeted wordlists, masks, or rules (GPU recommended) but expect slow hashing due to the high iteration count β if hashcat rejects the format, update to the latest hashcat build or try Johnβs office2john/output path; only attempt cracking with proper authorization.
I found this guide on Medium that explains how to extract and crack the Office 2013 hash we retrieved
After performing a password enumeration, the credential football1 was identified, potentially belonging to the svc account. It is noteworthy that the Todd user had been deleted, yet its password remnants were still recoverable.
The Access_Review.xlsx file contained plaintext credentials for two service accounts: svc_ldap β M1XyC9pW7qT5Vn and svc_iis β N5pXyV1WqM7CZ8. These appear to be service-account passwords that could grant LDAP and IIS access; treat them as sensitive, rotate/reset the accounts immediately, and audit where and how the credentials were stored and used.
svc_ldap has GenericWrite over the Lacey user objects and WriteSPN on svc_winrm; next step is to request a service ticket for svc_winrm.
impacket-getTGT used svc_ldapβs credentials to perform a Kerberos AS-REQ to the domain KDC, received a valid TGT, and saved it to svc_ldap.ccache; that TGT can be used to request service tickets (TGS) and access domain services as svc_ldap until it expires or is revoked, so treat the ccache as a live credential and rotate/reset the account or investigate KDC logs if the activity is unauthorized.
Set the Kerberos credential cache to svc_ldap.ccache so that Kerberos-aware tools will use svc_ldapβs TGT for authentication.
Attempt to bypass the disabled account failed: no krbtgt entries were found, indicating an issue with the LDAP account used.
Run bloodyAD against voleur.htb as svc_ldap (Kerberos) targeting dc.voleur.htb to set the svc_winrm objectβs servicePrincipalName to HTTP/fake.voleur.htb.
The hashes were successfully retrieved as shown previously.
Cracking failed when hashcat hit a segmentation fault.
Using John the Ripper, the Office hash was cracked and the password AFireInsidedeOzarctica980219afi was recovered β treat it as a live credential and use it only with authorization (e.g., to open the file or authenticate as the associated account).
Authenticate with kinit using the cracked password, then run evil-winrm to access the target.
To retrieve the user flag, run type user.txt in the compromised session.
Another way to retrieve user flag
Request a TGS for the svc_winrm service principal.
Use evil-winrm the same way as before to connect and proceed.
Alternatively, display the user flag with type C:\Users\<username>\Desktop\user.txt.
Escalate to Root Privileges Access
Privilege Escalation:
Enumerated C:\ and found an IT folder that warrants closer inspection.
The IT folder contains three directories β each checked next for sensitive files.
No relevant files or artifacts discovered so far.
The directories cannot be opened with the current permissions.
Runs bloodyAD against dc.voleur.htb as svc_ldap (authenticating with the given password and Kerberos) to enumerate all Active Directory objects that svc_ldap can write to; the get writable command lists objects with writable ACLs (e.g., GenericWrite, WriteSPN) and βinclude-del also returns deleted-object entries, revealing targets you can modify or abuse for privilege escalation (resetting attributes, writing SPNs, planting creds, etc.).
From the list of writable AD objects, locate the object corresponding to Todd Wolfe.
Located the object; proceed to restore it by assigning sAMAccountName todd.wolfe.
Runs bloodyAD against dc.voleur.htb as svc_ldap (Kerberos) to restore the deleted AD object todd.wolfe on the domain β this attempts to undelete the tombstoned account and reinstate its sAMAccountName; success depends on svc_ldap having sufficient rights and the object still being restorable.
The restoration was successful, so the next step is to verify whether the original password still works.
After evaluating options, launch runascs.exe to move forward with the attack path.
Execute RunasCS.exe to run powershell as svc_ldap using password M1XyC9pW7qT5Vn and connect back to 10.10.14.189:9007.
Established a reverse shell session from the callback.
Successfully escalated to and accessed the system as todd.wolfe.
Ultimately, all previously restricted directories are now visible.
You navigated into the IT share (Second-Line Support β Archived Users β todd.wolfe) and downloaded two DPAPI-related artefacts: the Protect blob at AppData\Roaming\Microsoft\Protect<SID>\08949382-134f-4c63-b93c-ce52efc0aa88 and the credential file at AppData\Roaming\Microsoft\Credentials\772275FAD58525253490A9B0039791D3; these are DPAPI master-key/credential blobs that can be used to recover saved secrets for todd.wolfe, when combined with the appropriate user or system keys, should be them as highly sensitive.
DPAPI Recovery and Abuse: How Encrypted Blobs Lead to Root
Using impacket-dpapi with todd.wolfeβs masterkey file and password (NightT1meP1dg3on14), the DPAPI master key was successfully decrypted; the output shows the master key GUID, lengths, and flags, with the decrypted key displayed in hex, which can now be used to unlock the userβs protected credentials and recover saved secrets from Windows.
The credential blob was decrypted successfully: itβs an enterprise-persisted domain password entry last written on 2025-01-29 12:55:19 for target Jezzas_Account with username jeremy.combs and password qT3V9pLXyN7W4m; the flags indicate it requires confirmation and supports wildcard matching. This is a live domain credential that can be used to authenticate to AD services or for lateral movement, so handle it as sensitive and test access only with authorization.
impacket-getTGT used jeremy.combsβs credentials to request a Kerberos TGT from the domain KDC and saved it to jeremy.combs.ccache; that TGT can be used to request service tickets (TGS) and authenticate to AD services (SMB, LDAP, WinRM, etc.) as jeremy.combs until it expires or is revoked, so inspect it with KRB5CCNAME=./jeremy.combs.ccache && klist and treat the cache as a live credential β rotate/reset the account or review KDC logs if the activity is unauthorized.
Set the Kerberos credential cache to jeremy.combs.ccache so Kerberos-aware tools will use jeremy.combsβs TGT for authentication.
Run bloodhound-python as jeremy.combs (password qT3V9pLXyN7W4m) using Kerberos and DNS server 10.10.11.76 to collect all AD data for voleur.htb and save the output as a zip for BloodHound import.
Account jeremy.combs is in the Third-Line Technicians group.
Connected to dc.voleur.htb with impacket-smbclient (Kerberos), switched into the IT share and listed contents β the directory Third-Line Support is present.
Downloaded two files from the share: the private SSH key id_rsa and the text file Note.txt.txt β treat id_rsa as a sensitive private key (check for a passphrase) and review Note.txt.txt for useful creds or instructions.
The note indicates that the administrator was dissatisfied with Windows Backup and has started configuring Windows Subsystem for Linux (WSL) to experiment with Linux-based backup tools. They are asking Jeremy to review the setup and implement or configure any viable backup solutions using the Linux environment. Essentially, itβs guidance to transition or supplement backup tasks from native Windows tools to Linux-based tools via WSL.
The key belongs to the svc_backup user, and based on the earlier port scan, port 2222 is open, which can be used to attempt a connection.
The only difference in this case is the presence of the backups directory.
There are two directories present: Active Directory and Registry.
Stream the raw contents of the ntds.dit file to a remote host by writing it out over a TCP connection.
The ntds.dit file was transferred to the remote host.
Stream the raw contents of the SYSTEM file to a remote host by writing it out over a TCP connection.
The SYSTEM file was transferred to the remote host.
That command runs impacket-secretsdump in offline mode against the dumped AD database and system hive β reading ntds.dit and SYSTEM to extract domain credentials and secrets (user NTLM hashes, cached credentials, machine account hashes, LSA secrets, etc.) for further offline analysis; treat the output as highly sensitive and use only with proper authorization.
Acquire an Administrator service ticket for WinRM access.
Authenticate with kinit using the cracked password, then run evil-winrm to access the target.
To retrieve the root flag, run type root.txt in the compromised session.
The post Hack The Box: Voleur Machinen Walkthrough β Medium Difficulty appeared first on Threatninja.net.
