Bloodhound

Machine #72 on the Lain Kusanagi list. Every step in this box is intentional - no guesswork, just clean AD attack chaining from zero creds to domain admin. One of the better Hard-rated machines for learning the full lifecycle. Machine Info Name Blackfield Platform HackTheBox OS Windows Difficulty Hard IP 10.129.229.17 Domain BLACKFIELD.local TL;DR RID brute via null session gets a user list. ASREPRoast support, crack the hash, collect BloodHound data as support. BloodHound shows support can ForceChangePassword on audit2020. Change the password, enumerate SMB - forensic share has an lsass.zip in memory_analysis. pypykatz extracts svc_backup’s NT hash. PTH as svc_backup into WinRM - SeBackupPrivilege is enabled. Try SAM dump first (admin hash is stale). Use wbadmin to back up and restore ntds.dit, dump it with secretsdump, get the real admin hash, PTH to root. ...

Sauna is an Easy Windows box from HackTheBox built around a classic Active Directory attack chain. From open-source name enumeration to ASREPRoasting, autologon credential exposure, and a DCSync to finish it off - this one hits all the fundamentals. Machine Info Name Sauna Platform HackTheBox OS Windows Difficulty Easy IP 10.129.95.180 TL;DR Scraped employee names off the bank’s “About” page, ran them through username-anarchy to generate AD-style usernames, and ASREPRoasted fsmith whose account had Kerberos pre-auth disabled. Cracked the hash with rockyou.txt and logged in via WinRM. Found autologon credentials for svc_loanmanager stored in plaintext in the registry. BloodHound showed that account has DCSync rights over the domain - used secretsdump to pull the Administrator hash and psexec to get SYSTEM. ...

Forest is one of those boxes that feels like a guided tour through Active Directory attack fundamentals. No CVEs, no fancy exploits - just proper AD enumeration, a misconfigured service account, and a BloodHound-mapped path straight to domain admin. Machine Info Field Details Name Forest Platform HackTheBox OS Windows Difficulty Easy IP 10.129.5.64 TL;DR SMB user enumeration reveals a service account with no Kerberos pre-auth required. AS-REP roasting gives us a crackable hash. Shell as svc-alfresco via WinRM. BloodHound maps a path through Exchange groups giving WriteDacl on the domain. We abuse that to grant DCSync, dump the Administrator hash, and psexec our way to SYSTEM. ...

Machine Information Field Details Name Certified Platform HackTheBox OS Windows Difficulty Medium You start this box with valid low-privilege domain credentials: judith.mader / judith09. The path to Administrator is a chain of ACL abuses through Active Directory — no CVE, no exotic exploit, just misplaced permissions and the right tooling. TL;DR judith.mader has WriteOwner on the Management group. That lets us take ownership, grant ourselves FullControl via DACL edit, and add judith to the group. Management has GenericWrite on management_svc, so we use pywhisker to inject shadow credentials and retrieve the NTLM hash via PKINITtools. With management_svc on the box we find GenericAll on ca_operator in BloodHound, reset its password, then exploit ESC9 with certipy to forge an Administrator certificate. Final step: psexec as SYSTEM. ...

This one plays out like a relay race - each user passes the baton to the next. No exploitation, no CVEs. Just ACL abuse all the way down until you’re dumping the domain. Machine info Name Administrator Platform HackTheBox OS Windows Difficulty Medium Starting credentials olivia / ichliebedich TL;DR Starting with pre-provided credentials for Olivia, we RID-brute SMB to enumerate domain users, then log in via WinRM and run SharpHound to feed BloodHound. The graph reveals a chain of ACL abuse: Olivia holds GenericAll over Michael, Michael holds ForceChangePassword over Benjamin. We reset their passwords in sequence. Benjamin’s only access is FTP - where he has a Backup.psafe3 file. We crack the master password with john and pull credentials for three more users from the vault. Emily’s credentials are the key - she has GenericWrite over Ethan, which enables targeted Kerberoasting. After syncing the clock with the DC, we roast Ethan’s TGS and crack it to limpbizkit. Ethan has DCSync rights on the domain, so we dump all NTLM hashes with secretsdump, then psexec in as Administrator. ...