Posts tagged with

GetNPUsers.py

HackTheBox - Sauna Writeup

Sauna is an easy Hack The Box Windows machine focused on Active Directory exploitation. Usernames are gathered from a company site and used in an ASREPRoasting attack, revealing a crackable hash. The recovered credentials enable WinRM access. WinPEAS uncovers autologon credentials for another user, who has remote access and DCSync privileges. A successful DCSync attack retrieves the domain admin hash, which is used with Impacket’s psexec.py for SYSTEM access.

S SH∆FIQ∆IM∆N
March 16, 2025
1 min read

ldap ldapsearch username-anarchy crackmapexec-smb ASREPRoast GetNPUsers.py evil-winrm bloodhound sharphound printnightmare printer DCSync-attack winpeas secretsdump.py psexec.py psexec-hash hashcat msfvenom kerberos CVE-2021-1675 CVE-2021-34527
HackTheBox - Forest Writeup

Forest is an easy Hack The Box Windows Domain Controller with Exchange Server installed. Anonymous LDAP binds allow domain enumeration, revealing a service account with Kerberos pre-authentication disabled. Cracking its hash grants a foothold. As a member of the Account Operators group, the user can add accounts to privileged Exchange groups. This access is leveraged to gain DCSync privileges and dump NTLM hashes, resulting in full domain compromise.

S SH∆FIQ∆IM∆N
February 27, 2024
1 min read

ldapsearch GetNPUsers.py rpcclient ASREPRoast evil-winrm bloodhound account-operators-group writedacl powerview.ps1 secretsdump.py DCSync-attack psexec.py psexec-hash hashcat kerberos sharphound ldap
HackTheBox - Pathfinder Writeup

Starting Point Machine

S SH∆FIQ∆IM∆N
July 21, 2021
1 min read

ldap ldapsearch ldapdomaindump kerberos ASREPRoast GetNPUsers.py DCSync-attack secretsdump.py john evil-winrm psexec.py