Active-Directory

Machine #73 on the Lain Kusanagi list. Flight earns its Hard rating not through any single clever trick, but through sheer chain length - each hop unlocks exactly one new thing, and you have to string six or seven of them together to reach SYSTEM. It’s a patience test as much as a technical one. Machine Info Name Flight Platform HackTheBox OS Windows Difficulty Hard IP 10.129.7.136 Domain flight.htb TL;DR Nmap shows a full AD port set. Gobuster vhost finds school.flight.htb, a PHP app with a ?view= parameter vulnerable to LFI. UNC path inclusion leaks svc_apache’s NTLMv2 hash via Responder - john cracks it to S@Ss!K@*t13. Password spray finds S.Moon reuses the same password. S.Moon has WRITE on the Shared share - use ntlm_theft to drop a desktop.ini coercion file, Responder captures C.Bum’s hash, john cracks it to Tikkycoll_431012284. C.Bum has WRITE on the Web share - upload a PHP webshell, get a reverse shell as svc_apache. Generate a msfvenom payload, catch it in msfconsole, upload RunasCs via meterpreter, run as C.Bum to get a second session. Port-forward port 8000 (internal IIS dev site) through the C.Bum session, discover C:\inetpub\development is writable, upload an ASPX webshell, get a shell as IIS AppPool\DefaultAppPool. That account has SeImpersonatePrivilege - msfconsole getsystem uses Named Pipe Impersonation (EfsPotato variant) to land NT AUTHORITY\SYSTEM. ...

Machine #72 on the Lain Kusanagi list. Every step in this box is intentional - no guesswork, just clean AD attack chaining from zero creds to domain admin. One of the better Hard-rated machines for learning the full lifecycle. Machine Info Name Blackfield Platform HackTheBox OS Windows Difficulty Hard IP 10.129.229.17 Domain BLACKFIELD.local TL;DR RID brute via null session gets a user list. ASREPRoast support, crack the hash, collect BloodHound data as support. BloodHound shows support can ForceChangePassword on audit2020. Change the password, enumerate SMB - forensic share has an lsass.zip in memory_analysis. pypykatz extracts svc_backup’s NT hash. PTH as svc_backup into WinRM - SeBackupPrivilege is enabled. Try SAM dump first (admin hash is stale). Use wbadmin to back up and restore ntds.dit, dump it with secretsdump, get the real admin hash, PTH to root. ...

Sauna is an Easy Windows box from HackTheBox built around a classic Active Directory attack chain. From open-source name enumeration to ASREPRoasting, autologon credential exposure, and a DCSync to finish it off - this one hits all the fundamentals. Machine Info Name Sauna Platform HackTheBox OS Windows Difficulty Easy IP 10.129.95.180 TL;DR Scraped employee names off the bank’s “About” page, ran them through username-anarchy to generate AD-style usernames, and ASREPRoasted fsmith whose account had Kerberos pre-auth disabled. Cracked the hash with rockyou.txt and logged in via WinRM. Found autologon credentials for svc_loanmanager stored in plaintext in the registry. BloodHound showed that account has DCSync rights over the domain - used secretsdump to pull the Administrator hash and psexec to get SYSTEM. ...

Machine #48 on the Lain Kusanagi list. Active Directory, a forgotten config file, and the Azure AD Sync service doing what it really shouldn’t. Machine Info Field Details Name Monteverde Platform HackTheBox OS Windows Difficulty Medium IP 10.129.228.111 Domain MEGABANK.LOCAL TL;DR Null session via nxc gives a full user list. A password spray with username=password lands SABatchJobs:SABatchJobs. Listing SMB shares reveals users$ is readable - spider_plus finds mhope/azure.xml, a leftover Azure AD Connect config file with a cleartext password. Spray again, get mhope via WinRM. mhope is in the Azure Admins group and the ADSync service is running locally. A public PoC decrypts the ADSync credentials from the local MSSQL database, handing us domain administrator. ...

Forest is one of those boxes that feels like a guided tour through Active Directory attack fundamentals. No CVEs, no fancy exploits - just proper AD enumeration, a misconfigured service account, and a BloodHound-mapped path straight to domain admin. Machine Info Field Details Name Forest Platform HackTheBox OS Windows Difficulty Easy IP 10.129.5.64 TL;DR SMB user enumeration reveals a service account with no Kerberos pre-auth required. AS-REP roasting gives us a crackable hash. Shell as svc-alfresco via WinRM. BloodHound maps a path through Exchange groups giving WriteDacl on the domain. We abuse that to grant DCSync, dump the Administrator hash, and psexec our way to SYSTEM. ...

Machine Info Field Value Name Escape Platform HackTheBox OS Windows Difficulty Medium IP 10.129.228.253 TL;DR An unauthenticated SMB Public share exposes a PDF that contains SQL Server credentials. Connecting to MSSQL with those creds, we abuse xp_dirtree to capture the NTLMv2 hash of sql_svc via Responder and crack it with John. From there, SQL Server error logs left cleartext credentials for Ryan.Cooper lying around. As Ryan, certipy reveals an ESC1-vulnerable certificate template that allows anyone in Domain Users to request a cert on behalf of Administrator. One certificate later, we get the Administrator NT hash and land a SYSTEM shell via psexec. ...

Machine Information Field Details Name Certified Platform HackTheBox OS Windows Difficulty Medium You start this box with valid low-privilege domain credentials: judith.mader / judith09. The path to Administrator is a chain of ACL abuses through Active Directory — no CVE, no exotic exploit, just misplaced permissions and the right tooling. TL;DR judith.mader has WriteOwner on the Management group. That lets us take ownership, grant ourselves FullControl via DACL edit, and add judith to the group. Management has GenericWrite on management_svc, so we use pywhisker to inject shadow credentials and retrieve the NTLM hash via PKINITtools. With management_svc on the box we find GenericAll on ca_operator in BloodHound, reset its password, then exploit ESC9 with certipy to forge an Administrator certificate. Final step: psexec as SYSTEM. ...

GPP credentials. Still out there in the wild. Active is one of those machines that aged into a legend - the technique it teaches was patched in 2014, but the lesson sticks forever. Classic AD box, clean attack path, zero fluff. Machine info Name Active Platform HackTheBox OS Windows Difficulty Easy TL;DR Anonymous SMB access exposes the Replication share, which contains a Groups.xml file with a GPP-encrypted password for SVC_TGS gpp-decrypt recovers the plaintext: GPPstillStandingStrong2k18 Authenticated as SVC_TGS, the Users share is readable - user flag sitting in SVC_TGS\Desktop Kerberoasting as SVC_TGS returns an Administrator TGS ticket; John cracks it to Ticketmaster1968 impacket-psexec with Administrator creds gives a SYSTEM shell Recon Port scan The scan reveals a textbook Domain Controller fingerprint - DNS on 53, RPC on 135 and 593, SMB on 445, LDAP Global Catalog on 3269, Active Directory Web Services on 9389, and a pile of dynamic RPC ports in the high range. ...

This one plays out like a relay race - each user passes the baton to the next. No exploitation, no CVEs. Just ACL abuse all the way down until you’re dumping the domain. Machine info Name Administrator Platform HackTheBox OS Windows Difficulty Medium Starting credentials olivia / ichliebedich TL;DR Starting with pre-provided credentials for Olivia, we RID-brute SMB to enumerate domain users, then log in via WinRM and run SharpHound to feed BloodHound. The graph reveals a chain of ACL abuse: Olivia holds GenericAll over Michael, Michael holds ForceChangePassword over Benjamin. We reset their passwords in sequence. Benjamin’s only access is FTP - where he has a Backup.psafe3 file. We crack the master password with john and pull credentials for three more users from the vault. Emily’s credentials are the key - she has GenericWrite over Ethan, which enables targeted Kerberoasting. After syncing the clock with the DC, we roast Ethan’s TGS and crack it to limpbizkit. Ethan has DCSync rights on the domain, so we dump all NTLM hashes with secretsdump, then psexec in as Administrator. ...

Cicada is a textbook Active Directory enumeration chain. Each step surfaces something that unlocks the next user - a default password in an HR notice, a credential in a PowerShell script description field, a privilege that lets you dump the SAM. Good practice for the AD portion of OSCP. Machine info Name Cicada Platform HackTheBox OS Windows Difficulty Easy TL;DR Anonymous SMB access exposes an HR onboarding notice with a default password Password spraying with nxc identifies michael.wrightson as the matching user Listing users without RID brute reveals david.orelious has his password in his description field David can access the DEV share, which contains a PowerShell script with emily.oscars credentials Emily has SeBackupPrivilege via WinRM - used to dump SAM/SYSTEM and pass-the-hash as Administrator Recon RustScan 1 rustscan -a 10.129.231.149 ...