Dcsync

Sauna is an Easy Windows box from HackTheBox built around a classic Active Directory attack chain. From open-source name enumeration to ASREPRoasting, autologon credential exposure, and a DCSync to finish it off - this one hits all the fundamentals. Machine Info Name Sauna Platform HackTheBox OS Windows Difficulty Easy IP 10.129.95.180 TL;DR Scraped employee names off the bank’s “About” page, ran them through username-anarchy to generate AD-style usernames, and ASREPRoasted fsmith whose account had Kerberos pre-auth disabled. Cracked the hash with rockyou.txt and logged in via WinRM. Found autologon credentials for svc_loanmanager stored in plaintext in the registry. BloodHound showed that account has DCSync rights over the domain - used secretsdump to pull the Administrator hash and psexec to get SYSTEM. ...

Forest is one of those boxes that feels like a guided tour through Active Directory attack fundamentals. No CVEs, no fancy exploits - just proper AD enumeration, a misconfigured service account, and a BloodHound-mapped path straight to domain admin. Machine Info Field Details Name Forest Platform HackTheBox OS Windows Difficulty Easy IP 10.129.5.64 TL;DR SMB user enumeration reveals a service account with no Kerberos pre-auth required. AS-REP roasting gives us a crackable hash. Shell as svc-alfresco via WinRM. BloodHound maps a path through Exchange groups giving WriteDacl on the domain. We abuse that to grant DCSync, dump the Administrator hash, and psexec our way to SYSTEM. ...

This one plays out like a relay race - each user passes the baton to the next. No exploitation, no CVEs. Just ACL abuse all the way down until you’re dumping the domain. Machine info Name Administrator Platform HackTheBox OS Windows Difficulty Medium Starting credentials olivia / ichliebedich TL;DR Starting with pre-provided credentials for Olivia, we RID-brute SMB to enumerate domain users, then log in via WinRM and run SharpHound to feed BloodHound. The graph reveals a chain of ACL abuse: Olivia holds GenericAll over Michael, Michael holds ForceChangePassword over Benjamin. We reset their passwords in sequence. Benjamin’s only access is FTP - where he has a Backup.psafe3 file. We crack the master password with john and pull credentials for three more users from the vault. Emily’s credentials are the key - she has GenericWrite over Ethan, which enables targeted Kerberoasting. After syncing the clock with the DC, we roast Ethan’s TGS and crack it to limpbizkit. Ethan has DCSync rights on the domain, so we dump all NTLM hashes with secretsdump, then psexec in as Administrator. ...