The first step is to scan the machine for open services.

COMMAND: nmap -sC -sV -oN forest

COMMAND: masscan -e tun0 -p1-65535,U:1-65535 --rate=100

SMB Enumeration

Let's see if we can enumerate the list of domain users with rpcclient.

COMMAND: rpcclient -U "" -N

AS-REP Roasting

AS-REP Roasting is an attack against Kerberos that targets user accounts which do not require
pre-authentication. It is explained in thorough detail in Harmj0y's post.
Performing AS-REP Roasting with GetNPUsers

COMMAND: GetNPUsers.py htb/ -usersfile users -format john -dc-ip

Before running it, save all the usernames in a file called users.

We got a hash value. Let's crack it.


Cracking the Hash

As you can see, we can grab the John the Ripper-compatible hash and crack it with John.

COMMAND: john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Earlier during our enumeration, we noticed that port 5985 is open, so we can use WinRM to
connect to the box. I used Evil-WinRM, and I also used Get-DomainUser -UACFilter
DONT_REQ_PREAUTH (PowerView.ps1) to verify which users do not need pre-authentication.
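The same exposure can be checked from the defender's side. The script below is an added example, not part of this walkthrough or of PowerView: it flags accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set, and flags Windows Security event 4768 records that look like the GetNPUsers request above (no pre-authentication, RC4 ticket). The account records and events are constructed sample data.

```python
# Added example (not part of the original walkthrough): defender-side checks
# for the AS-REP roasting exposure discussed above.
#  1) accounts whose userAccountControl has DONT_REQ_PREAUTH (0x400000) set
#  2) event 4768 (TGT requested) records with PreAuthType 0 and an RC4 ticket
#     (TicketEncryptionType 0x17), which is what the john-format hash relies on.
# All records below are constructed sample data, not real hosts or users.

DONT_REQ_PREAUTH = 0x400000  # ADS_UF_DONT_REQUIRE_PREAUTH bit in userAccountControl

# Constructed LDAP-style results: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 512},           # normal account
    {"sAMAccountName": "svc-backup", "userAccountControl": 4194816},  # 512 | 0x400000
    {"sAMAccountName": "bob", "userAccountControl": 66048},           # 512 | DONT_EXPIRE_PASSWD
]

def accounts_without_preauth(accounts):
    """Return sAMAccountNames that do not require Kerberos pre-authentication."""
    return [a["sAMAccountName"] for a in accounts
            if a["userAccountControl"] & DONT_REQ_PREAUTH]

# Constructed event 4768 fields as a SIEM would expose them
SAMPLE_4768 = [
    {"TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},     # normal AES logon
    {"TargetUserName": "svc-backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},    # roast-like request
    {"TargetUserName": "svc-backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.7"},     # no pre-auth but AES
]

def asrep_roast_candidates(events):
    """Return (user, source IP) for 4768 events with no pre-auth and an RC4 ticket."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["PreAuthType"] == "0"
            and e["TicketEncryptionType"].lower() == "0x17"]

if __name__ == "__main__":
    print("Accounts without pre-auth:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("Possible AS-REP roast requests:", asrep_roast_candidates(SAMPLE_4768))
```

Accounts returned by the first check are the ones to fix by re-enabling pre-authentication; the second check is only an indicator, since legitimate clients can also request RC4 tickets.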