HackTheBox - Scepter Writeup

Overview

Scepter is a Hard-rated Active Directory machine on HackTheBox. The path to root is a long and winding one, involving multiple pivots through different user accounts and abuse of various Active Directory features. We start off with no credentials and enumerate an exposed NFS share, where we find several certificate files. After cracking the password for the certificates, we find that most of the associated user accounts are revoked. However, one certificate for the user d.baker is valid, and we use it to authenticate and get an NTLM hash. ...

July 19, 2025 · 7 min · 0xblivion

TryHackMe - Fusion Corp WriteUp

Overview

Fusion Corp is a hard-rated box on TryHackMe. After some basic enumeration fails, we find a backup file on the web server that contains a list of usernames. One of these users, lparker, is vulnerable to AS-REP Roasting because they have Kerberos pre-authentication disabled. We get their hash, crack it, and get a shell on the box. From there, post-exploitation enumeration reveals another user, jmurphy, with their password stored in the user account’s comment field. This user is a member of the Backup Operators group. We abuse this privilege to create a shadow copy of the C: drive and exfiltrate ntds.dit and the SYSTEM hive. Finally, we use secretsdump.py to dump all the domain hashes, get the administrator’s hash, and use it to get the final flag. ...

July 11, 2025 · 5 min · 0xblivion