Forest — Hack The Box Walkthrough (writeup)

Since you have a list of usernames, check for accounts that do not require Kerberos pre-authentication. Use Impacket's GetNPUsers.py to request a TGT for the discovered users. If a user has DONT_REQ_PREAUTH set, you will receive a hash. Use Hashcat (mode 18200) or John the Ripper with the rockyou.txt wordlist to crack the svc-alfresco hash.

Phase 3: Post-Exploitation (BloodHound)

Once you have a low-privileged shell (via evil-winrm), you need to map out the domain.

Collection: Run SharpHound.exe on the target to collect AD data. Import the data into BloodHound on your local machine.

Pathfinding: Use the "Find Shortest Paths to Domain Admins" query.

Discovery: You will likely see that your user belongs to a group (like Service Accounts) that has specific rights over others.

Phase 4: Privilege Escalation

The BloodHound graph usually reveals a path involving Exchange Windows Permissions and Account Operators.

Group Membership: You may find you can add users to the Exchange Windows Permissions group.

DCSync Attack: Members of this group can often grant themselves DS-Replication-Get-Changes rights.

Final Step: Use Impacket's secretsdump.py to perform a DCSync attack and dump the NTLM hash for the Administrator account.

Pass-the-Hash: Use evil-winrm to log in as the Domain Admin.

ldapsearch -x -H ldap://10.10.10.161 -b "CN=Users,DC=htb,DC=local" | grep sAMAccountName
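The defensive counterpart of the pre-authentication check described above, as an added example that is not part of the original walkthrough: it audits an ldapsearch LDIF export for accounts with DONT_REQ_PREAUTH set so they can be remediated. The sample entries and the example.local domain are constructed, and the export is assumed to include the sAMAccountName and userAccountControl attributes.

```python
import base64
# userAccountControl bits (values documented by Microsoft)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000
# Constructed sample in ldapsearch LDIF format; not data from a real domain.
SAMPLE_LDIF = """\
dn: CN=svc-example,OU=Service Accounts,DC=example,DC=local
sAMAccountName: svc-example
userAccountControl: 4260352

dn: CN=alice,CN=Users,DC=example,DC=local
sAMAccountName: alice
userAccountControl: 512

dn: CN=Old Service,OU=A Long Organizational Unit Name,DC=example,DC=
 local
sAMAccountName:: b2xkLXN2Yw==
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per LDIF entry (last value wins)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # RFC 2849 folded line
        elif not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64 value>"
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry[attr.lower()] = value.strip()
        elif entry:
            yield entry
            entry = {}

def preauth_disabled(text):
    """Return [(sAMAccountName, enabled)] for accounts with DONT_REQ_PREAUTH set."""
    hits = []
    for e in parse_ldif(text):
        uac = e.get("useraccountcontrol", "")
        if uac.isdigit() and int(uac) & UF_DONT_REQUIRE_PREAUTH:
            hits.append((e.get("samaccountname", "?"), not int(uac) & UF_ACCOUNTDISABLE))
    return hits

if __name__ == "__main__":
    print(preauth_disabled(SAMPLE_LDIF))
```

Enabled accounts in the result are the ones to prioritize: re-enable pre-authentication, or where that is not possible give the account a long random password.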