Hercules

Technical Walkthrough

Hercules Walkthrough

Raw flags, <password redacted>, hashes, tickets, PFX/key material, and private loot remain under loot/ only.

Current Status

• State: COMPLETE
• User flag: previously captured
• Root flag: captured into loot/root.txt
• Strict htbctl complete --strict-local-loot passed on 2026-06-13.

Root Chain Progress

The 2026-06-10 run crossed the prior missing-transition blocker. The live chain now reaches a validated Forest Management operator:

ken.w rebuild
-> natalie.a
-> Shadow Credentials on bob.w
-> bob.w LDAP ModifyDN move of stephen.m into Web Department
-> Shadow Credentials on stephen.m
-> reset auditor
-> auditor TGT
-> Fernando ESC3 setup

The remaining blocker is not the bridge anymore. It is ADCS OBO certificate identity/retrieval: the existing Administrator-named PFX candidates validate as Fernando identity and do not produce Administrator authentication.

See checkpoint-root-blocker-20260610.md for the latest sanitized checkpoint.

Final Root Path

The final root path was not another Administrator OBO attempt. The working route was the public-source Ashley/IIS bridge, corrected against live evidence:

fernando.r EnrollmentAgent PFX
-> ESC3 OBO for ashley.b
-> Ashley Kerberos/pypsrp execution
-> run C:\Users\ashley.b\Desktop\aCleanup.ps1
-> grant IT SUPPORT control over Forest Migration
-> rerun cleanup and validate write rights over IIS_Administrator
-> enable/reset IIS_Administrator
-> IIS_Administrator TGT
-> reset <secret redacted>$
-> RC4-backed <secret redacted>$ TGT and session-key/hash alignment
-> getST -u2u as Administrator to cifs/dc.hercules.htb
-> SMB C$ read of C:\Users\Admin\Desktop\root.txt

Key sanitized evidence:

• enum/pypsrp-ashley-defaultcache-retry-20260613.txt
• enum/ashley-cleanup-and-iis-bridge-validation-20260613.txt
• enum/post-it-support-cleanup-iis-admin-validation-summary-20260613.txt
• enum/iis-administrator-enable-reset-summary-20260613.txt
• enum/iis-administrator-gettgt-summary-20260613.txt
• enum/iis-webserver-reset-gettgt-summary-20260613.txt
• enum/iis-webserver-u2u-rbcd-root-summary-20260613.txt

Raw flags, tickets, hashes, and <password redacted> remain under loot/ only.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Target: Hercules

Active IP: <TARGET>

OS/Difficulty: Windows / Insane

Active Pwnbox: <TARGET> (profex0r)

Attacker VPN IP: <TARGET>

Started: 2026-05-07T18:19:10Z

Scope: Authorized HackTheBox machine only

Evidence Ledger

Validation Gate

Gate decision: 6+ core anchors matched. Public research is credible enough to use as advisory guidance, but every exploitation step still requires live proof.

Coordinator Update - 2026-06-10

• User supplied fresh Pwnbox profex0r@<TARGET> and active target IP <TARGET>.
• target-state.json was rebound to the new Pwnbox/target and marked pending_revalidation for route/attacker IP.
• New research checkpoint added: narrow-hint-research-2026-06-10.md.
• Fresh execution handoff added: agent-handoff-root-resume-2026-06-10.md.
• Current root strategy is to act on the narrow hint: recover Web Support or Helpdesk Admin material, or prove direct <secret redacted>$ control. Reopen RBCD only for the specific <secret redacted>$ / SPN-less U2U session-key path.
• htbctl check passed and lint_htb_state_secrets.py found no likely raw secrets in state files before agent launch.

Root Attempt Checkpoint - 2026-06-10

• The upstream operator bridge was recovered live on target <TARGET>.
• Proven chain: ken.w rebuild -> public candidate validation -> natalie.a -> Shadow Credentials on bob.w -> raw Kerberos LDAP ModifyDN move of stephen.m into Web Department -> Shadow Credentials on stephen.m -> auditor password reset -> Auditor TGT.
• Auditor-driven ESC3 setup progressed through Forest Migration DACL grant, fernando.r enable/reset/TGT, and Fernando enrollment-agent PFX issuance.
• <secret redacted>$ direct reset with Auditor was tested and failed with LDAP insufficientAccessRights; that narrow RBCD branch is not available from Auditor alone.
• Existing Administrator-named PFX candidates were authenticated with bounded Certipy checks. All three failed as Administrator because their certificate identity is Fernando, not Administrator.
• Current blocker is narrow ADCS OBO/PFX identity or retrieval tooling, not web/oracle/BloodHound rediscovery.
• Sanitized checkpoint: checkpoint-root-blocker-20260610.md.

Pause / Resume Update - 2026-06-10

• Work paused intentionally because the remaining ADCS tooling issue is likely more than a 30-minute task unless request retrieval immediately works.
• Resume handoff added: resume-root-adcs-blocker-2026-06-10.md.
• session-resume.md, memory-summary.md, attack-map.md, custom-exploit-notes.md, and dead-ends.md were updated so future work resumes from the ADCS OBO blocker only.
• Resume target is not broad enumeration. Resume target is: produce a real Administrator identity/SID certificate, authenticate, and capture C:\Users\Administrator\Desktop\root.txt into loot/root.txt.

Root Capture Update - 2026-06-13

• Sonnet 4.6 research was useful as an advisory chain, but local evidence corrected one point: Ashley OBO/certificate authentication had already been proven. The missing live bridge was the Forest Migration / IT SUPPORT delegation step before taking over IIS_Administrator.
• Revalidated Ashley execution with pypsrp default-cache Kerberos: hercules\ashley.b, host dc, and aCleanup.ps1 on Ashley's Desktop. Evidence: enum/pypsrp-ashley-defaultcache-retry-20260613.txt.
• Ran the intended cleanup path, granted IT SUPPORT control over Forest Migration through the already controlled operator path, reran cleanup, and validated Ashley/IT SUPPORT write rights over IIS_Administrator. Evidence: enum/ashley-cleanup-and-iis-bridge-validation-20260613.txt, enum/post-it-support-cleanup-iis-admin-validation-summary-20260613.txt.
• Enabled/reset IIS_Administrator and validated a Kerberos TGT. Evidence: enum/iis-administrator-enable-reset-summary-20260613.txt, enum/iis-administrator-gettgt-summary-20260613.txt.
• Reset <secret redacted>$, generated a suitable RC4-backed TGT, aligned the account hash to the ticket session key, and obtained an Administrator CIFS ticket through U2U/RBCD. Evidence: enum/iis-webserver-reset-gettgt-summary-20260613.txt, enum/iis-webserver-u2u-rbcd-root-summary-20260613.txt.
• Captured C:\Users\Admin\Desktop\root.txt through the Administrator CIFS ticket. Raw flag is stored only at loot/root.txt and validates as a 32-character hexadecimal flag.

Attack Map

Hosts

Services

Credentials

Attack Paths

Trust Edges

• natalie.a can abuse Shadow Credentials on bob.w and, after the move, stephen.m.
• bob.w can move stephen.m into Web Department by Kerberos LDAP ModifyDN.
• stephen.m can reset auditor.
• auditor can prepare the Forest Migration / fernando.r ESC3 finish.
• ashley.b can execute the cleanup script after ESC3 OBO/cert auth.
• IT SUPPORT / Forest Migration delegation enables the IIS_Administrator bridge.
• IIS_Administrator can reset <secret redacted>$; <secret redacted>$ is the RBCD delegatee on the DC.

Memory Summary

Scope

• Platform: Hack The Box
• Machine: Hercules
• Difficulty/OS: Insane / Windows
• Domain: hercules.htb
• DC: dc.hercules.htb
• Latest active target IP tracked locally: <TARGET>
• Current completion state: <secret redacted>

This summary is sanitized. Raw flags, <password redacted>, hashes, tickets, PFX files, private keys, cookies, forged tokens, and credential material remain under loot/ only.

Current State

• User flag was previously captured from the live target and stored under loot/ only.
• Root flag has not been captured; loot/root.txt is missing.
• The previous missing operator/control-group bridge is now solved for the 2026-06-10 run.
• The current blocker is only the final ADCS ESC3 on-behalf-of certificate identity/retrieval step.

Validated 2026-06-10 Chain

The live chain reached the ADCS finish stage:

ken.w
-> natalie.a
-> Shadow Credentials on bob.w
-> bob.w Kerberos LDAP ModifyDN move of stephen.m into Web Department
-> Shadow Credentials on stephen.m
-> stephen.m resets auditor
-> auditor TGT
-> fernando.r enable/reset/TGT
-> fernando.r EnrollmentAgent PFX

High-signal evidence:

• loot/public-priority-validation-20260610.txt
• loot/shadow-bob-from-natalie-20260610b.txt
• loot/live-bob-tgt-20260610b.txt
• loot/move-stephen-to-web-20260610.json
• loot/shadow-stephen-from-natalie-20260610.txt
• loot/live-stephen-tgt-20260610.txt
• loot/<password redacted>
• loot/live-auditor-tgt-20260610.txt
• loot/fernando-ea-cert-retry-dynamic-20260610.txt

Current Blocker

The remaining missing proof is:

real Administrator certificate/ccache/hash -> Administrator-equivalent access -> root.txt

Certipy on-behalf-of requests reached the CA but hit <secret redacted> during RPC retrieval. Some private-key artifacts were saved, but no confirmed Administrator PFX resulted from those attempts.

certi.py produced Administrator-named PFX files, but validation showed the contained identity was fernando.r, not administrator, so those files cannot be used for Administrator PKINIT.

Reference evidence:

• checkpoint-root-blocker-20260610.md
• loot/admin-pfx-auth-summary-20260610.json
• loot/admin-pfx-auth-validation-20260610.txt
• loot/remote-admin-artifact-list-20260610b.txt

Do Not Repeat

Do not repeat without contradictory evidence:

• broad /Login oracle sweeps,
• note-style LDAP attributes for controlling groups,
• extensionAttribute1-15 sweeps,
• mail, url, wWWHomePage, physicalDeliveryOfficeName, department, and title coverage,
• phone-number extraction as credential guesses,
• authenticated LDAP secret-attribute audit across controlling groups,
• FormsAuth ticket-name validation against priority users,
• fresh BloodHound drift from the same foothold,
• forged-admin /Home/Forms upload plus Bad-ODF/coerced-auth canary,
• web/LFI branch as a primary route,
• stale prior-respawn johnathan.j material,
• password spraying old candidates,
• broad document macro/callback payload families,
• old RBCD-to-DC branch,
• issuing more Administrator-named PFX variants without changing the CMC/request-generation method.

Resume Guidance

Resume only from the narrow ADCS blocker:

1. Confirm whether a Certipy request ID can be retrieved and paired with the saved Administrator private key.
2. If not, use PForgeCert / pyForgeCert-style CMC generation, or Windows-native certreq/Certify.exe + Rubeus.
3. Validate that the resulting PFX identity is actually Administrator before attempting root access.
4. Capture C:\Users\Administrator\Desktop\root.txt to loot/root.txt.

Realistic remaining time: 45-90 minutes unless the retrieve-and-pair path works immediately.

Session Resume

Last updated: 2026-06-13T11:30:00Z

Current State

• Completion state: COMPLETE.
• Phase: COMPLETE.
• Active target: <TARGET> / dc.hercules.htb / hercules.htb.
• Active Pwnbox: profex0r@<TARGET>.
• User flag: previously captured; raw value remains under loot/ only.
• Root flag: captured and mirrored to local loot/root.txt; raw value remains under loot/ only.

2026-06-13 Root Capture

The old ADCS Administrator OBO blocker was bypassed by following the Ashley/IIS bridge and validating every transition:

fernando.r EnrollmentAgent PFX
-> ESC3 OBO for ashley.b
-> Ashley pypsrp Kerberos execution
-> aCleanup.ps1
-> IT SUPPORT / Forest Migration delegation
-> IIS_Administrator enable/reset/TGT
-> <secret redacted>$ reset/TGT
-> RC4 session-key/hash alignment
-> getST -u2u Administrator CIFS ticket
-> SMB C$ root.txt capture

Key evidence:

• enum/pypsrp-ashley-defaultcache-retry-20260613.txt
• enum/ashley-cleanup-and-iis-bridge-validation-20260613.txt
• enum/post-it-support-cleanup-iis-admin-validation-summary-20260613.txt
• enum/iis-administrator-enable-reset-summary-20260613.txt
• enum/iis-administrator-gettgt-summary-20260613.txt
• enum/iis-webserver-reset-gettgt-summary-20260613.txt
• enum/iis-webserver-u2u-rbcd-root-summary-20260613.txt
• loot/root.txt

Strict htbctl complete --strict-local-loot passed on 2026-06-13. Do not reopen exploitation branches unless a cleanup or writeup issue appears.

What Changed On 2026-06-10

The old missing-transition blocker was crossed. The live chain now reaches the ADCS finish stage:

ken.w access rebuilt
-> natalie.a recovered/validated
-> natalie.a Shadow Credentials on bob.w
-> bob.w Kerberos LDAP ModifyDN move of stephen.m into Web Department
-> natalie.a Shadow Credentials on stephen.m
-> stephen.m reset auditor
-> auditor TGT validated
-> Forest Migration DACL / fernando.r enable-reset-TGT
-> fernando.r EnrollmentAgent PFX issued

Important evidence:

• loot/public-priority-validation-20260610.txt
• loot/shadow-bob-from-natalie-20260610b.txt
• loot/live-bob-tgt-20260610b.txt
• loot/move-stephen-to-web-20260610.json
• loot/shadow-stephen-from-natalie-20260610.txt
• loot/live-stephen-tgt-20260610.txt
• loot/<password redacted>
• loot/live-auditor-tgt-20260610.txt
• loot/fernando-ea-cert-retry-dynamic-20260610.txt

Current Narrow Blocker

Administrator-equivalent authentication is still missing.

The remaining issue is ADCS ESC3 on-behalf-of certificate identity/retrieval tooling, not the exploit chain.

Observed behavior:

• Certipy RPC on-behalf-of requests reached the CA and produced request IDs, but retrieval failed with <secret redacted>.
• Certipy saved private-key artifacts for Administrator-named requests, but no usable Administrator PFX was produced from those attempts.
• certi.py generated Administrator-named PFX files, but validation showed the certificate identity is fernando.r, not administrator.
• No Administrator ccache/hash was produced.
• No root flag was read.

Latest blocker checkpoint:

• checkpoint-root-blocker-20260610.md
• loot/admin-pfx-auth-summary-20260610.json
• loot/admin-pfx-auth-validation-20260610.txt
• loot/remote-admin-artifact-list-20260610b.txt

Do Not Repeat

Do not reopen these unless new contradictory live evidence appears:

• broad web/LFI work,
• FormsAuth ticket-name validation,
• /Login oracle sweeps,
• BloodHound drift checks from the same foothold,
• forged-admin upload / Bad-ODF / coerced-auth branch,
• old bob.w-to-DC RBCD branch,
• password spraying,
• document macro/callback branches,
• more Administrator-named PFX variants without a distinct CMC/request encoding change.

Resume Plan

Resume only from the ADCS OBO finish stage.

1. Revalidate current artifacts and cleanup state:

- Pwnbox route and /etc/hosts.

- loot/auditor.ccache.

- loot/fernando.r.ccache.

- loot/fernando.r.pfx.

- saved Administrator private keys and request IDs from the Certipy logs.

1. Try the shortest finish first:

- Retrieve issued request IDs only if the paired saved private key exists.

- Pair the retrieved certificate with the correct saved key.

- Validate the resulting PFX identity before authentication.

1. If retrieval still fails:

- Replace the CMC/on-behalf-of generator with PForgeCert / pyForgeCert-style tooling, or equivalent, so the request explicitly produces an Administrator identity/SID certificate.

- Use fernando.r.pfx as the enrollment-agent certificate.

- Target hercules\administrator on template SmartcardLogon.

1. If Linux-side CMC tooling remains unreliable:

- Use a stable Windows-native path (certreq/Certify.exe + Rubeus) through RDP or wmiexec.

- Avoid evil-winrm for certificate signing operations because prior evidence showed memory/runtime instability there.

1. Once a real Administrator PFX or ccache exists:

- Authenticate via PKINIT.

- Read C:\Users\Administrator\Desktop\root.txt into loot/root.txt.

- Update target-state.json to <secret redacted>, then COMPLETE after docs and checks.

Time Estimate

• Fast case: 15-30 minutes if request retrieval plus saved-key pairing works.
• Realistic case: 45-90 minutes if a new CMC generator is needed.
• Bad case: 2+ hours if Windows-native tooling has to be staged and stabilized.

Checks Before Stopping

Run:

python3 scripts/htbctl.py check <TARGET>-Hercules
python3 scripts/lint_htb_state_secrets.py <TARGET>-Hercules

Latest known check status: both passed after the 2026-06-10 checkpoint.

Notes

State-Mutating Actions

Raw secrets and flags stay under loot/ only. This table records target-impacting actions without secret values.

Exploit Iterations

Dead Ends