Search
Overview
Search is a hard Windows / Active Directory box with a surprisingly long enumeration chain. An employee's password is visible in an image on the corporate website, giving credentials for hope.sharp. With those in hand, Kerberoasting yields the service-ticket hash for web_svc, and cracking it opens the web console. A follow-on password spray catches edgar.jacobs, whose folder on the RedirectedFolders share contains an Excel spreadsheet storing plaintext passwords for fourteen staff accounts. One of them, Sierra.Frye, has the user flag, and her backup folder holds a PFX certificate. Cracking the PFX password and importing the certificate into the browser grants access to a privileged web interface.
Path: password in webpage image → hope.sharp → Kerberoast web_svc → password spray → edgar.jacobs → spreadsheet credentials → Sierra.Frye (user flag) → crack staff.pfx → certificate import → privileged web access.
Enumeration
The scan shows the familiar domain-controller fingerprint: DNS, Kerberos, LDAP, SMB, and MSRPC — a Windows AD environment.
$ nmap -A -T4 -p- 10.10.10.233
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds

The web server is the obvious first target — directory busting turns up several endpoints, though most return nothing interesting.
One discovered path stands out; navigating to it reveals a corporate staff page with employee photos.
Examining the images closely, one of them has a password written on a sticky note or whiteboard in the background: IsolationIsKey?. Cross-referencing against the employee names listed on the page, the likely owner is hope.sharp.

Foothold — SMB and Kerberoasting
Confirming the credentials against SMB:
$ smbclient -L //search.htb/ -U "search.htb\hope.sharp%IsolationIsKey?"

Among the shares listed are one holding certificates and, separately, one from which a full domain user list can be obtained.

With a valid domain account and a user list, running GetUserSPNs.py against the domain finds a Kerberoastable account:
$ GetUserSPNs.py search.htb/hope.sharp:"IsolationIsKey?" -dc-ip 10.10.10.233 -request
Cracking the ticket against rockyou.txt recovers the password almost immediately:
$ hashcat -m 13100 web_svc.hash /usr/share/wordlists/rockyou.txt

The cracked password is @3ONEmillionbaby, giving us web_svc:@3ONEmillionbaby.
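From the defender's side, the Kerberoast step above leaves a distinctive trace on the domain controller: one account requesting RC4-encrypted service tickets (event 4769 with TicketEncryptionType 0x17) for several SPNs within seconds. The following detector is an added example and is not code from the original writeup; the event lines it parses are constructed to mimic that pattern (the timestamps, IPs and SPN names other than web_svc are made up), and the field names follow the 4769 event schema.

```python
"""Kerberoasting detection over constructed Windows Security event 4769 records.

Added example, not part of the original writeup. The log lines are constructed
(not captured from the box); field names follow the 4769 schema:
TargetUserName = requesting account, ServiceName = SPN account,
TicketEncryptionType = ticket etype, IpAddress = client address.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one account asks for RC4 (0x17) tickets for many SPNs in
# two seconds; a normal user gets AES (0x12) tickets for one or two services.
SAMPLE_4769 = """\
2022-04-10T09:00:01Z EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=web_svc TicketEncryptionType=0x17 IpAddress=10.10.14.5
2022-04-10T09:00:01Z EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=sql_svc TicketEncryptionType=0x17 IpAddress=10.10.14.5
2022-04-10T09:00:02Z EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=backup_svc TicketEncryptionType=0x17 IpAddress=10.10.14.5
2022-04-10T09:00:02Z EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=http_svc TicketEncryptionType=0x17 IpAddress=10.10.14.5
2022-04-10T09:03:10Z EventID=4769 TargetUserName=edgar.jacobs@SEARCH.HTB ServiceName=RESEARCH$ TicketEncryptionType=0x12 IpAddress=192.168.1.21
2022-04-10T09:03:11Z EventID=4769 TargetUserName=edgar.jacobs@SEARCH.HTB ServiceName=web_svc TicketEncryptionType=0x12 IpAddress=192.168.1.21
2022-04-10T09:05:00Z EventID=4768 TargetUserName=sierra.frye@SEARCH.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=192.168.1.30
"""

# RC4-HMAC and RC4-HMAC-EXP: the weak etypes a Kerberoasting tool asks for
RC4_TYPES = {"0x17", "0x18"}


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts with a parsed 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_kerberoast(events, min_spns=3, window=timedelta(minutes=5)):
    """Return {requesting account: sorted SPNs} for accounts that requested RC4
    service tickets for at least min_spns distinct user-account SPNs inside
    `window`. Machine accounts ($) and krbtgt are skipped: they are not
    Kerberoast targets and would only add noise."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "4769":
            continue
        if ev.get("TicketEncryptionType") not in RC4_TYPES:
            continue
        if ev["ServiceName"].endswith("$") or ev["ServiceName"] == "krbtgt":
            continue
        by_user[ev["TargetUserName"]].append(ev)

    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            spns = {e["ServiceName"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(spns) >= min_spns:
                hits[user] = sorted(spns)
                break
    return hits


if __name__ == "__main__":
    for user, spns in detect_kerberoast(parse_events(SAMPLE_4769)).items():
        print(f"possible Kerberoasting by {user}: {', '.join(spns)}")
```

The RC4 filter is the important part: once the service accounts are configured for AES-only Kerberos (and the SPN account has a long random password, as web_svc here does not), a 4769 with etype 0x17 stops being normal traffic and becomes a high-signal alert on its own.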
Lateral Movement — Password Spraying to edgar.jacobs
Logging into the web console with web_svc works, but the account doesn’t have much reach. Rather than dig further into the web app immediately, spraying @3ONEmillionbaby across the domain user list with CrackMapExec catches another match:
$ crackmapexec smb search.htb -u users.txt -p "@3ONEmillionbaby" --continue-on-success
edgar.jacobs reuses @3ONEmillionbaby.
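The spray is the other step in this chain that is easy to see from the domain controller: a single source produces failed network logons (event 4625, logon type 3) against many distinct accounts in a short window, and a spray that works, as this one did, is followed by a 4624 success from the same source. The detector below is an added example, not code from the writeup; its CSV of logon events is constructed (IPs, timestamps and the set of sprayed accounts are made up) to show the one-password-many-users shape alongside a single user mistyping a password, which should not be flagged.

```python
"""Password-spray detection over constructed Windows logon events (4625/4624).

Added example, not code from the original writeup. The rows are constructed:
4625 = failed logon, 4624 = successful logon, logon_type 3 = network (SMB),
status 0xC000006D = bad username or password.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: 10.10.14.5 fails against six different users in seconds
# and lands one success; 192.168.1.30 is one user retrying her own password.
SAMPLE_LOGONS = """\
time,event,user,ip,logon_type,status
2022-04-10T10:00:00Z,4625,payton.harmon,10.10.14.5,3,0xC000006D
2022-04-10T10:00:00Z,4625,cortez.hickman,10.10.14.5,3,0xC000006D
2022-04-10T10:00:01Z,4625,bobby.wolf,10.10.14.5,3,0xC000006D
2022-04-10T10:00:01Z,4625,margaret.robinson,10.10.14.5,3,0xC000006D
2022-04-10T10:00:02Z,4625,scarlett.parks,10.10.14.5,3,0xC000006D
2022-04-10T10:00:02Z,4624,edgar.jacobs,10.10.14.5,3,0x0
2022-04-10T10:00:03Z,4625,hunter.kirby,10.10.14.5,3,0xC000006D
2022-04-10T10:15:00Z,4625,sierra.frye,192.168.1.30,2,0xC000006D
2022-04-10T10:15:04Z,4625,sierra.frye,192.168.1.30,2,0xC000006D
2022-04-10T10:15:09Z,4624,sierra.frye,192.168.1.30,2,0x0
"""


def parse_logons(text):
    """Read the CSV export into dicts with a parsed 'time' field."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def detect_spray(rows, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source ip: {"targets": [...], "successes": [...]}} for sources
    whose failed logons span at least min_accounts distinct users inside
    `window`. Any 4624 from the same source in that window is reported as a
    probable spray hit. One user failing repeatedly is a lockout pattern, not
    a spray, and is deliberately not flagged."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["event"] == "4625"]
        for first in fails:
            end = first["time"] + window
            users = {e["user"] for e in fails if first["time"] <= e["time"] <= end}
            if len(users) >= min_accounts:
                hits = sorted({e["user"] for e in evs
                               if e["event"] == "4624" and first["time"] <= e["time"] <= end})
                findings[ip] = {"targets": sorted(users), "successes": hits}
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(parse_logons(SAMPLE_LOGONS)).items():
        print(f"spray from {ip}: {len(f['targets'])} accounts tried, "
              f"successes: {f['successes'] or 'none'}")
```

Thresholding on distinct accounts per source rather than failures per account is what separates a spray from ordinary lockout noise; it also explains why a per-account lockout policy alone did nothing here, since each account saw exactly one failure.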

User — Spreadsheet Credentials and Sierra.Frye
The RedirectedFolders share — a roaming profile share — is accessible with edgar.jacobs’s credentials. His folder is mostly empty, but inside it there is a spreadsheet:

Column C of that spreadsheet contains plaintext passwords for fourteen domain accounts:
| Username | Password |
|---|---|
| Payton.Harmon | ;;36!cried!INDIA!year!50;; |
| Cortez.Hickman | ..10-time-TALK-proud-66.. |
| Bobby.Wolf | ??47beforeWORLDsurprise91?? |
| Margaret.Robinson | //51+mountain+DEAR+noise+83// |
| Scarlett.Parks | ++47|building|WARSAW|gave|60++ |
| Eliezer.Jordan | !!05_goes_SEVEN_offer_83!! |
| Hunter.Kirby | ~~27%when%VILLAGE%full%00~~ |
| Sierra.Frye | $$49=wide=STRAIGHT=jordan=28$$18 |
| Annabelle.Wells | ==95~~pass~~QUIET~~austria~~77== |
| Eve.Galvan | //61!banker!FANCY!measure!25// |
| Jeramiah.Fritz | ??40:student:MAYOR:been:66?? |
| Abby.Gonzalez | &&75:major:RADIO:state:93&& |
| Joy.Costa | **30_venus_BALL_office_42** |
| Vincent.Sutton | **24&moment&BRAZIL&members&66** |
Cycling through these accounts with SMB access, Sierra.Frye’s desktop holds the user flag. Her Backups folder inside RedirectedFolders also contains a PFX certificate: staff.pfx.
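The spreadsheet is the kind of artifact a periodic sweep of file shares should catch before an attacker does. The script below is an added example, not the writeup's code: it walks a CSV export of a spreadsheet (the xlsx-to-CSV conversion is assumed to have been done beforehand) and flags cells in a column whose header names a secret, plus any cell whose value has the shape of a password (long, no whitespace, a digit, several character classes). The sheet contents are constructed and are not the box's real credentials.

```python
"""Credential-discovery sweep over a constructed CSV export of a shared spreadsheet.

Added example, not part of the original writeup. Assumes the spreadsheet has
already been exported to CSV; the rows below are constructed sample data.
"""
import csv
import re
from io import StringIO

# Constructed sample: a "Pass" column plus a password dumped into a Notes cell.
SAMPLE_SHEET = """\
Employee,Department,Pass,Notes
Example.One,Research,??47beforeWORLDsurprise91??,
Example.Two,Finance,,++61_paris_NORTH_bridge_40++
Example.Three,IT,,Quarterly report draft
"""

# Header words that mark a column as holding secrets outright.
SECRET_HEADER = re.compile(r"pass|pwd|secret|cred|token", re.I)

# Character classes used to judge whether a free-text cell looks like a password.
CLASSES = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
           re.compile(r"\d"), re.compile(r"[^A-Za-z0-9\s]")]


def looks_like_password(value, min_len=12, min_classes=3):
    """Heuristic: long, no whitespace, contains a digit, and mixes at least
    min_classes of lower/upper/digit/punctuation. The digit requirement keeps
    names like 'Example.Three' from tripping the punctuation+case rule."""
    v = value.strip()
    if len(v) < min_len or any(ch.isspace() for ch in v):
        return False
    if not re.search(r"\d", v):
        return False
    return sum(1 for c in CLASSES if c.search(v)) >= min_classes


def find_credential_cells(text):
    """Return one finding per suspicious cell: {row, column, reason}.
    Row numbers are spreadsheet rows (row 1 is the header)."""
    findings = []
    reader = csv.reader(StringIO(text))
    header = next(reader)
    for row_no, row in enumerate(reader, start=2):
        for col, value in zip(header, row):
            if not value.strip():
                continue
            if SECRET_HEADER.search(col):
                findings.append({"row": row_no, "column": col,
                                 "reason": "secret-named column"})
            elif looks_like_password(value):
                findings.append({"row": row_no, "column": col,
                                 "reason": "password-like value"})
    return findings


if __name__ == "__main__":
    for f in find_credential_cells(SAMPLE_SHEET):
        print(f"row {f['row']}, column {f['column']!r}: {f['reason']}")
```

Deliberately, the report names the cell and the reason but never echoes the value, so the sweep's own output does not become a second copy of the credentials; when a hit lands in a share like RedirectedFolders, the follow-up is a forced reset of every account listed, not just removal of the file.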

Privilege Escalation — Cracking the PFX Certificate
The staff.pfx is password-protected. Running pfx2john to extract a hash and cracking it:
$ pfx2john staff.pfx > staff.hash
$ john staff.hash --wordlist=/usr/share/wordlists/rockyou.txt
The password cracks successfully.
Root — Certificate Import and Privileged Web Access
With the PFX unlocked, the certificate and private key are imported into Firefox’s certificate store:
The browser presents the certificate when challenged, granting access to a privileged section of the web interface.
Takeaways
- Credentials in images are real credentials. A password visible in a staff photo is as exploitable as one in a config file — image-based OSINT is a legitimate attack vector.
- Plaintext passwords in accessible SMB shares are catastrophic. A single lateral-movement step from web_svc to edgar.jacobs exposed fourteen accounts' worth of credentials in a single spreadsheet.