HTB: Administrator - OSCP Prep Write-up
This one plays out like a relay race - each user passes the baton to the next. No exploitation, no CVEs. Just ACL abuse all the way down until you’re dumping the domain. Machine info Name Administrator Platform HackTheBox OS Windows Difficulty Medium Starting credentials olivia / ichliebedich TL;DR Starting with pre-provided credentials for Olivia, we RID-brute SMB to enumerate domain users, then log in via WinRM and run SharpHound to feed BloodHound. The graph reveals a chain of ACL abuse: Olivia holds GenericAll over Michael, Michael holds ForceChangePassword over Benjamin. We reset their passwords in sequence. Benjamin’s only access is FTP - where he has a Backup.psafe3 file. We crack the master password with john and pull credentials for three more users from the vault. Emily’s credentials are the key - she has GenericWrite over Ethan, which enables targeted Kerberoasting. After syncing the clock with the DC, we roast Ethan’s TGS and crack it to limpbizkit. Ethan has DCSync rights on the domain, so we dump all NTLM hashes with secretsdump, then psexec in as Administrator. ...