This script automates the exploitation process of the Administrator machine from Hack The Box.
It is divided into three phases to simplify and control manual steps that require user interaction, such as password cracking.
impacketinstalled (pip install impacket)rdateinstalled (sudo apt install rdate)gitinstalled to clone external tools- Tools needed in PATH:
evil-winrmhashcatorjohn(manual cracking)ftpclient (for manual file download)
- Important: Phase 2 must be run with
sudobecauserdaterequires root privileges to synchronize system time.
Change the passwords for Michael and Benjamin.
python3 administrator_autopwn.py --phase 1🚩 Manual Step After Phase 1:
- Login via FTP as
benjamin(pass123), downloadBackup.psafe3.- Crack it manually with Hashcat or John.
- Extract
Emily's password using the Password Safe program.
Run a targeted Kerberoast attack using Emily's password.
python3 administrator_autopwn.py --phase 2 --emily-pass <EMILY_PASSWORD>If targetedKerberoast.py is missing, it will be automatically downloaded.
Time synchronization with the target will also be performed.
- Important: Phase 2 must be run with
sudobecauserdaterequires root privileges to synchronize system time.
🚩 Manual Step After Phase 2:
- Crack the extracted TGS hash for Ethan using Hashcat.
- Retrieve
Ethan's password.
Dump NTLM hashes from the Domain Controller using Ethan's credentials.
python3 administrator_autopwn.py --phase 3 --ethan-pass <ETHAN_PASSWORD>This will use secretsdump.py or impacket-secretsdump if available.
If Impacket is not installed, you will be prompted.
| Phase | Description | Manual Step Required |
|---|---|---|
| 1 | Password changes (Michael, Benjamin) | FTP download + crack Emily's password |
| 2 | Targeted Kerberoast (Emily ➞ Ethan) | Crack Ethan's TGS hash |
| 3 | DCSync attack (dump hashes) | None |
- Only the interactions directly related to the target machine are automated.
- Cracking steps are performed manually to maintain flexibility.
- The script is designed to be lightweight, modular, and easily extendable.