Active Directory Hacking with Kali: Attacktive Directory

Introduction

For my fifth machine in the Active Directory hacking with Kali series, I’ll be pwning Attacktive Directory from TryHackMe. Attacktive Directory is an easy Active Directory room that teaches the basics of Active Directory enumeration and AS-REP roasting attacks.

Recon

Initial Nmap scan

Detailed Nmap Scan

SMB Enumeration

CrackMapExec RID brute-force

Found some domain users

Save users into a text file

Try AS-REP roasting on the discovered users

We discover that the user svc-admin is AS-REP roastable (Kerberos pre-authentication disabled) and save the obtained hash into a file to be cracked

Exploitation

svc-admin’s password cracked with john

Let’s spray this password with CrackMapExec: we have access to SMB

Enumerate share access with smbmap

We have access to three shares; backups is a non-default share, so let’s check it out first

Interesting, a credentials file... download it locally and open it

Decode the base64 text

Try evil-winrm with the backup credentials...

No luck...

Try dumping secrets with Impacket’s secretsdump.py

We get the admin hash!

Use evil-winrm to pass the hash and profit

Active Directory 101: Sauna

Introduction

For my third machine in the Hack The Box AD 101 track, I’ll be pwning Sauna. Sauna is an easy Active Directory machine that teaches the basics of AS-REP roasting and domain replication (DCSync) attacks. The attack path to domain admin wasn’t complicated and was a good test of how much I’ve learned so far. Initial access was achieved by obtaining and cracking the AS-REP of a user with Kerberos pre-authentication disabled. Upon discovery and compromise of a user with DCSync rights, I was able to escalate privileges by dumping and passing the NTLM hash of the domain administrator.

Read more “Active Directory 101: Sauna”

Active Directory 101: Forest

Introduction

For my second machine in the Hack The Box Active Directory 101 track, I’ll be pwning Forest. Forest is another Active Directory machine that teaches the basics of AS-REP roasting and abusing Discretionary Access Control Lists (DACLs). The attack path to domain admin was quite new to me, as I learnt another AD privilege escalation technique. For this box, initial access was gained by sending an AS-REQ without pre-authentication to obtain a crackable AS-REP for a user with pre-authentication disabled. Following post-compromise enumeration, I was able to become domain admin by first abusing access control rights on a domain object and then launching a DCSync attack to obtain NTLM hashes for all domain users and administrators.

Reconnaissance

Read more “Active Directory 101: Forest”

Active Directory 101: Active

Introduction

For my first machine in the Hack The Box Active Directory 101 track, I’ll be pwning Active. Active is an Active Directory machine that teaches the basics of GPP attacks and Kerberoasting. The attack path to domain admin was quite straightforward following a brief introduction to AD hacking by TCM. For this box, initial access was gained via a poorly configured SMB share containing a Windows Group Policy Preferences configuration file (Groups.xml) with a cpassword value, then Kerberoasting was leveraged to escalate privileges.

Read more “Active Directory 101: Active”