Voleur HTB Walkthrough

Hello and welcome to another Hack the Box walkthrough. In this blog post, I am going to show you how I pwned the Voleur machine on hack the box. If you are new to this channel, please don’t forget to like, comment, and subscribe to my YouTube channel for more awesome content. Also, don’t forget to follow me on LinkedIn and X for more HTB walkthrough and cybersecurity related contents.

About the Machine

Voleur is a medium Windows machine

The first step in pwning the Voleur machine like I have always done in my previous writeups is to connect my Kali Linux terminal with Hack the Box server. To establish this connection, you need to run the following command in your terminal:

sudo openvpn voleur.ovpn     
[sudo] password for boltech: 
2025-07-15 12:10:48 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2025-07-15 12:10:48 Note: --data-ciphers-fallback with cipher 'AES-128-CBC' disables data channel offload.
2025-07-15 12:10:48 OpenVPN 2.6.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-07-15 12:10:48 library versions: OpenSSL 3.5.0 8 Apr 2025, LZO 2.10
2025-07-15 12:10:48 DCO version: N/A
2025-07-15 12:10:49 TCP/UDP: Preserving recently used remote address: [AF_INET]154.57.165.191:1337
2025-07-15 12:10:49 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-07-15 12:10:49 UDPv4 link local: (not bound)
2025-07-15 12:10:49 UDPv4 link remote: [AF_INET]154.57.165.191:1337
2025-07-15 12:10:49 TLS: Initial packet from [AF_INET]154.57.165.191:1337, sid=773740af a1f75992
2025-07-15 12:10:49 VERIFY OK: depth=2, C=GR, O=Hack The Box, OU=Systems, CN=HTB VPN: Root Certificate Authority
2025-07-15 12:10:49 VERIFY OK: depth=1, C=GR, O=Hack The Box, OU=Systems, CN=HTB VPN: eu-free-2 Issuing CA
2025-07-15 12:10:49 VERIFY KU OK
2025-07-15 12:10:49 Validating certificate extended key usage
2025-07-15 12:10:49 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
2025-07-15 12:10:49 ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
2025-07-15 12:10:49 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2025-07-15 12:10:49 VERIFY EKU OK
2025-07-15 12:10:49 VERIFY OK: depth=0, C=GR, O=Hack The Box, OU=Systems, CN=eu-free-2
2025-07-15 12:10:49 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ED25519, signature: ED25519, peer temporary key: 253 bits X25519
2025-07-15 12:10:49 [eu-free-2] Peer Connection Initiated with [AF_INET]154.57.165.191:1337
2025-07-15 12:10:49 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-07-15 12:10:49 TLS: tls_multi_process: initial untrusted session promoted to trusted
2025-07-15 12:10:50 SENT CONTROL [eu-free-2]: 'PUSH_REQUEST' (status=1)
2025-07-15 12:10:51 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.254.0,route 10.129.0.0 255.255.0.0,route-ipv6 dead:beef::/64,explicit-exit-notify,tun-ipv6,route-gateway 10.10.14.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 dead:beef:2::1104/64 dead:beef:2::1,ifconfig 10.10.15.6 255.255.254.0,peer-id 2,cipher AES-256-CBC,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2025-07-15 12:10:51 OPTIONS IMPORT: --ifconfig/up options modified
2025-07-15 12:10:51 OPTIONS IMPORT: route options modified
2025-07-15 12:10:51 OPTIONS IMPORT: route-related options modified
2025-07-15 12:10:51 OPTIONS IMPORT: tun-mtu set to 1500
2025-07-15 12:10:51 net_route_v4_best_gw query: dst 0.0.0.0
2025-07-15 12:10:51 net_route_v4_best_gw result: via 192.168.196.2 dev eth0
2025-07-15 12:10:51 ROUTE_GATEWAY 192.168.196.2/255.255.255.0 IFACE=eth0 HWADDR=00:0c:29:6f:b7:ac
2025-07-15 12:10:51 GDG6: remote_host_ipv6=n/a
2025-07-15 12:10:51 net_route_v6_best_gw query: dst ::
2025-07-15 12:10:51 sitnl_send: rtnl: generic error (-101): Network is unreachable
2025-07-15 12:10:51 ROUTE6: default_gateway=UNDEF
2025-07-15 12:10:51 TUN/TAP device tun0 opened
2025-07-15 12:10:51 net_iface_mtu_set: mtu 1500 for tun0
2025-07-15 12:10:51 net_iface_up: set tun0 up
2025-07-15 12:10:51 net_addr_v4_add: 10.10.15.6/23 dev tun0
2025-07-15 12:10:51 net_iface_mtu_set: mtu 1500 for tun0
2025-07-15 12:10:51 net_iface_up: set tun0 up
2025-07-15 12:10:51 net_addr_v6_add: dead:beef:2::1104/64 dev tun0
2025-07-15 12:10:51 net_route_v4_add: 10.10.10.0/23 via 10.10.14.1 dev [NULL] table 0 metric -1
2025-07-15 12:10:51 net_route_v4_add: 10.129.0.0/16 via 10.10.14.1 dev [NULL] table 0 metric -1
2025-07-15 12:10:51 add_route_ipv6(dead:beef::/64 -> dead:beef:2::1 metric -1) dev tun0
2025-07-15 12:10:51 net_route_v6_add: dead:beef::/64 via :: dev tun0 table 0 metric -1
2025-07-15 12:10:51 Initialization Sequence Completed
2025-07-15 12:10:51 Data Channel: cipher 'AES-256-CBC', auth 'SHA256', peer-id: 2, compression: 'lzo'
2025-07-15 12:10:51 Timers: ping 10, ping-restart 120
2025-07-15 12:10:51 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
2025-07-15 20:13:21 [eu-free-2] Inactivity timeout (--ping-restart), restarting
2025-07-15 20:13:21 SIGUSR1[soft,ping-restart] received, process restarting
2025-07-15 20:13:21 Restart pause, 1 second(s)
2025-07-15 20:13:22 TCP/UDP: Preserving recently used remote address: [AF_INET]154.57.165.191:1337
2025-07-15 20:13:22 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-07-15 20:13:22 UDPv4 link local: (not bound)
2025-07-15 20:13:22 UDPv4 link remote: [AF_INET]154.57.165.191:1337
2025-07-15 20:13:23 TLS: Initial packet from [AF_INET]154.57.165.191:1337, sid=7c5d509e 92bd1f22
2025-07-15 20:13:23 VERIFY OK: depth=2, C=GR, O=Hack The Box, OU=Systems, CN=HTB VPN: Root Certificate Authority
2025-07-15 20:13:23 VERIFY OK: depth=1, C=GR, O=Hack The Box, OU=Systems, CN=HTB VPN: eu-free-2 Issuing CA
2025-07-15 20:13:23 VERIFY KU OK
2025-07-15 20:13:23 Validating certificate extended key usage
2025-07-15 20:13:23 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
2025-07-15 20:13:23 ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
2025-07-15 20:13:23 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2025-07-15 20:13:23 VERIFY EKU OK
2025-07-15 20:13:23 VERIFY OK: depth=0, C=GR, O=Hack The Box, OU=Systems, CN=eu-free-2
2025-07-15 20:13:23 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ED25519, signature: ED25519, peer temporary key: 253 bits X25519
2025-07-15 20:13:23 [eu-free-2] Peer Connection Initiated with [AF_INET]154.57.165.191:1337
2025-07-15 20:13:23 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-07-15 20:13:23 TLS: tls_multi_process: initial untrusted session promoted to trusted
2025-07-15 20:13:24 SENT CONTROL [eu-free-2]: 'PUSH_REQUEST' (status=1)
2025-07-15 20:13:25 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.254.0,route 10.129.0.0 255.255.0.0,route-ipv6 dead:beef::/64,explicit-exit-notify,tun-ipv6,route-gateway 10.10.14.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 dead:beef:2::1104/64 dead:beef:2::1,ifconfig 10.10.15.6 255.255.254.0,peer-id 60,cipher AES-256-CBC,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2025-07-15 20:13:25 OPTIONS IMPORT: --ifconfig/up options modified
2025-07-15 20:13:25 OPTIONS IMPORT: route options modified
2025-07-15 20:13:25 OPTIONS IMPORT: route-related options modified
2025-07-15 20:13:25 OPTIONS IMPORT: tun-mtu set to 1500
2025-07-15 20:13:25 Preserving previous TUN/TAP instance: tun0
2025-07-15 20:13:25 Initialization Sequence Completed
2025-07-15 20:13:25 Data Channel: cipher 'AES-256-CBC', auth 'SHA256', peer-id: 60, compression: 'lzo'
2025-07-15 20:13:25 Timers: ping 10, ping-restart 120
2025-07-15 20:13:25 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
^C2025-07-15 20:35:55 event_wait : Interrupted system call (fd=-1,code=4)
2025-07-15 20:35:55 SIGTERM received, sending exit notification to peer
2025-07-15 20:35:55 SENT CONTROL [eu-free-2]: 'EXIT' (status=1)
2025-07-15 20:35:56 net_route_v4_del: 10.10.10.0/23 via 10.10.14.1 dev [NULL] table 0 metric -1
2025-07-15 20:35:56 net_route_v4_del: 10.129.0.0/16 via 10.10.14.1 dev [NULL] table 0 metric -1
2025-07-15 20:35:56 delete_route_ipv6(dead:beef::/64)
2025-07-15 20:35:56 net_route_v6_del: dead:beef::/64 via :: dev tun0 table 0 metric -1
2025-07-15 20:35:56 Closing TUN/TAP interface
2025-07-15 20:35:56 net_addr_v4_del: 10.10.15.6 dev tun0
2025-07-15 20:35:56 net_addr_v6_del: dead:beef:2::1104/64 dev tun0
2025-07-15 20:35:56 SIGTERM[soft,exit-with-notification] received, process exiting

After the connection has been set up, I started the target machine, and I was assigned an IP address of 10.10.11.76. Then I performed reconnaissance using Nmap to find all the open port and services associated with the target machine. Using the following command, I found all the services and port running at 10.10.11.76:

nmap -sCV -A 10.10.11.76
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-15 12:11 EDT
Nmap scan report for 10.10.11.76
Host is up (0.18s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2025-07-16 00:11:31Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
2222/tcp open  ssh               OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
|   256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_  256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
5985/tcp open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 7h59m59s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-07-16T00:11:54
|_  start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   175.13 ms 10.10.14.1
2   176.55 ms 10.10.11.76

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.72 seconds

sudo nano /etc/hosts
[sudo] password for boltech:

timedatectl set-ntp off                                                                                                                                            
sudo ntpdate 10.10.11.76
2025-07-15 20:13:17.614887 (-0400) +28800.504350 +/- 0.088812 10.10.11.76 s1 no-leap
CLOCK: time stepped by 28800.504350

impacket-getTGT voleur.htb/'ryan.naylor':'HollowOct31Nyt'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in ryan.naylor.ccache

impacket-getTGT voleur.htb/'ryan.naylor':'HollowOct31Nyt'

export KRB5CCNAME=/home/boltech/Desktop/VoleurHTB/ryan.naylor.ccache

export KRB5CCNAME=/home/boltech/Desktop/VoleurHTB/ryan.naylor.ccache

nxc ldap voleur.htb -u ryan.naylor -p HollowOct31Nyt -k
LDAP        voleur.htb      389    DC               [*] None (name:DC) (domain:voleur.htb)
LDAP        voleur.htb      389    DC               [+] voleur.htb\ryan.naylor:HollowOct31Nyt

nxc ldap voleur.htb -u ryan.naylor -p HollowOct31Nyt -k

nxc smb dc.voleur.htb -u ryan.naylor -p HollowOct31Nyt -k

bloodhound-python -u ryan.naylor -p HollowOct31Nyt -k -ns 10.10.11.76 -c All -d voleur.htb --zip

netexec smb dc.voleur.htb -u ryan.naylor -p 'HollowOct31Nyt' -k --shares --smb-timeout 500                 
SMB         dc.voleur.htb   445    dc               [*]  x64 (name:dc) (domain:voleur.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc.voleur.htb   445    dc               [+] voleur.htb\ryan.naylor:HollowOct31Nyt 
SMB         dc.voleur.htb   445    dc               [*] Enumerated shares
SMB         dc.voleur.htb   445    dc               Share           Permissions     Remark
SMB         dc.voleur.htb   445    dc               -----           -----------     ------
SMB         dc.voleur.htb   445    dc               ADMIN$                          Remote Admin
SMB         dc.voleur.htb   445    dc               C$                              Default share
SMB         dc.voleur.htb   445    dc               Finance                         
SMB         dc.voleur.htb   445    dc               HR                              
SMB         dc.voleur.htb   445    dc               IPC$            READ            Remote IPC
SMB         dc.voleur.htb   445    dc               IT              READ            
SMB         dc.voleur.htb   445    dc               NETLOGON        READ            Logon server share 
SMB         dc.voleur.htb   445    dc               SYSVOL          READ            Logon server share