HackTheBox Endgame Xen Writeup Part 4 – Owned (Flag 06 /06)

HackTheBox EndGame Xen Writeup Series

When it comes to Windows exploitation, it is my favourite, and Active Directory exploitation always comes first. This final part of the Xen writeup, the Owned flag, is the kind of work I always love to do.

Enabling RDP and RDPing The Domain Controller

I can see the flag just around the corner, but I’m taking a bit of time to fully understand the attack vectors. After some enumeration I found that the backup-svc user is able to RDP to the domain controller; however, I wasn’t able to connect even after several tries.

So, to make sure my attempts were correct, I decided to use Carlos Perez’s getgui script, which enables Remote Desktop so that I can log in to the system.

Then I port forwarded my local port 3389 to the domain controller’s RDP port 3389.

Using Remmina To Get RDP on The Domain Controller

OK, everything is ready to RDP into the domain controller. I fired up Remmina and used the port-forwarded IP and RDP port. I immediately got the connection back.

And I’m in. I ran whoami /priv to display the privileges; I can see only SeChangeNotifyPrivilege is enabled for the user svc-backup.

As I was backing things up, I realized that I needed a shell to download the files I had backed up. I tried PowerShell but it didn’t work, so the only way I thought would work was Evil-WinRM. I copied Evil-WinRM to the XEN directory, then made a port forward to the DC’s WinRM port.

Then I updated the WinRM configuration, saved it, and ran the script, which gave me a shell as backup-svc.

Preparing A System Copy Using Diskshadow Command

Referring to this article (https://docs.datacore.com/WIK-WebHelp/VSS/DiskShadow_Commands_Example.htm), I made a shadow copy of the system so that I could copy ntds.dit and the SAM hashes.

Then I enabled the privilege with the help of this article: https://github.com/giuliano108/SeBackupPrivilege. First, I imported both files into a temp directory and ran the module import command. Then I enabled SeBackupPrivilege.

Then I made a dump of HKLM\SAM.

Once all that was done, I used the Evil-WinRM download feature to download the files.
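As an added, defender-side example (not part of the original writeup), the following Python correlates constructed Security-log style events to flag the pattern described above: an account that was just granted SeBackupPrivilege starting diskshadow.exe on a domain controller. The event field names, host names and the JSON-lines shape are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified JSON-lines shape (field names are an
# assumption, not a real log schema). They model Security log 4672 (special
# privileges assigned) and 4688 (process creation): a backup account receives
# SeBackupPrivilege and then runs diskshadow on a DC, beside a routine backup.
SAMPLE_EVENTS = r"""
{"ts": "2020-05-01T03:00:00", "id": 4672, "host": "FS01", "user": "backup-agent", "privs": "SeBackupPrivilege"}
{"ts": "2020-05-01T03:00:05", "id": 4688, "host": "FS01", "user": "backup-agent", "image": "C:\\Windows\\System32\\diskshadow.exe"}
{"ts": "2020-05-01T10:00:00", "id": 4672, "host": "DC01", "user": "svc-backup", "privs": "SeBackupPrivilege SeChangeNotifyPrivilege"}
{"ts": "2020-05-01T10:02:30", "id": 4688, "host": "DC01", "user": "svc-backup", "image": "C:\\Windows\\System32\\diskshadow.exe"}
{"ts": "2020-05-01T11:00:00", "id": 4688, "host": "DC01", "user": "jsmith", "image": "C:\\Windows\\System32\\notepad.exe"}
"""

DOMAIN_CONTROLLERS = {"DC01"}      # assumed asset inventory
WINDOW = timedelta(minutes=15)     # how long a privilege grant counts as "recent"


def parse_events(text):
    """Parse JSON lines into dicts sorted by timestamp (ISO strings sort correctly)."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect(text, dcs=DOMAIN_CONTROLLERS, window=WINDOW):
    """Return (severity, host, user) for every diskshadow.exe start.

    high   = diskshadow on a DC by an account recently granted SeBackupPrivilege
             (the ntds.dit / SAM copy pattern from the writeup)
    low    = the same pattern on a non-DC (ordinary backup activity)
    medium = diskshadow with no matching grant in the window (unexpected, or
             4672 auditing is missing and should be checked)
    """
    grants = defaultdict(list)   # (host, user) -> times SeBackupPrivilege was granted
    alerts = []
    for e in parse_events(text):
        key = (e["host"], e["user"])
        when = datetime.fromisoformat(e["ts"])
        if e["id"] == 4672 and "SeBackupPrivilege" in e.get("privs", "").split():
            grants[key].append(when)
        elif e["id"] == 4688 and e.get("image", "").lower().endswith("\\diskshadow.exe"):
            recent = any(timedelta(0) <= when - g <= window for g in grants[key])
            if not recent:
                severity = "medium"
            else:
                severity = "high" if e["host"] in dcs else "low"
            alerts.append((severity, e["host"], e["user"]))
    return alerts
```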

Cracking NTDS.dit

Using SecretsDump.py I managed to dump the hashes. Now I have a complete list of hashes for the users in the htb.local domain.

After obtaining the hashes, I tried to crack them using John, but John failed me for the first time.

My next approach was to use XFreeRDP to RDP into the box using the Pass-the-Hash method.

So that’s the end of the story of Endgame Xen. What a great journey. Thank you for dropping by and reading.


Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug bounty. If you are an HTB user and like my articles, please respect my profile here: https://www.hackthebox.eu/nav1n
