Use hashcat with mode 18200 to crack the retrieved AS-REP hash using the rockyou.txt wordlist.
We use the smbclient tool to enumerate the SMB shares.
10.10.10.161 (replace with your spawned instance IP)
Since we are in a constrained CTF environment, the classic route is to use secretsdump or mimikatz directly after gaining DC Sync permissions.
WinRM is open (port 5985). Connect:
Result (after 30 seconds):
ldapsearch -x -H ldap://10.10.10.161 -b "DC=htb,DC=local" | grep -i "sAMAccountName" | awk '{print $2}' > users.txt
With anonymous LDAP access granted, we need to enumerate valid domain users. We will use a fantastic tool called windapsearch (or equivalent ldapsearch scripts):