svc-alfresco, which has Kerberos pre-authentication disabled —
AS-REP Roasting captures a crackable hash. WinRM lands a shell. BloodHound maps the path:
svc-alfresco is in Account Operators, which can add members to
Exchange Windows Permissions, which holds WriteDACL on the domain root.
That lets us grant DCSync rights to ourselves and dump the Administrator NT hash.
A cleanup task races to revert group membership — chain the commands to beat it.
Full port scan returns the standard DC fingerprint. Domain is htb.local, hostname is FOREST. Notably, port 5985 is open — WinRM is available, so evil-winrm will work once we have credentials.
Null session auth works. Share enumeration is denied, but user enumeration via RID cycling succeeds — 31 accounts are returned. Most are Exchange health mailboxes and system accounts. The interesting ones:
svc-alfresco stands out — the svc- prefix signals a service account. Service accounts are high-value AS-REP/Kerberoast targets because they often have weaker passwords and sometimes have pre-authentication disabled.

Kerberos pre-authentication forces users to prove they know their password before the DC issues a ticket. When it's disabled on an account, anyone can request an encrypted AS-REP blob for that user — no credentials required — and crack it offline. This is AS-REP Roasting.

Don't use -m 13100 (Kerberoasting) here. AS-REP hashes start with $krb5asrep$ and require -m 18200. Using the wrong mode gives "Signature unmatched" and no crack.

svc-alfresco:s3rvice — cracked in ~2 seconds.

BloodHound maps all AD relationships — group memberships, ACL rights, sessions — and highlights attack paths visually. Always run it as a first step after getting any domain credentials.
Import the zip into BloodHound and run Shortest Path to Domain Admin from svc-alfresco. The path:
Exchange Windows Permissions has WriteDACL on the domain root — a leftover from Exchange installation. WriteDACL lets you rewrite the domain's ACL, including granting yourself DCSync rights. This misconfiguration has been known since the "PrivExchange" research (2018) and still appears in real environments with Exchange history.

The race: Forest runs a scheduled task that periodically resets Exchange Windows Permissions group membership. If you pause between adding the group and writing the DACL, your membership gets stripped and the DACL write fails with INSUFF_ACCESS_RIGHTS. Chain the commands with && so they fire back-to-back.
Step 1 — from your evil-winrm shell, add svc-alfresco to Exchange Windows Permissions using Account Operators privileges:
Step 2 — immediately from Kali, grant DCSync rights and dump NTDS in one chained command before the cleanup task fires:
32693b11e6aa90eb43d32c72a07ceea6. DCSync impersonates a DC replication request — the real DC responds with credentials for any account you ask for, including NT hashes and Kerberos keys, without touching LSASS or any files on disk.

· AS-REP Roasting requires no credentials — pre-auth disabled accounts are exposed to anyone on the network
· AS-REP = -m 18200; Kerberoast = -m 13100 — know the difference before you crack
· Exchange Windows Permissions + WriteDACL on domain root = DCSync path; present in any AD with Exchange history
· WriteDACL on the domain object lets you grant yourself any right, including replication rights
· DCSync leaves no LSASS touch, no file drop — hard to detect without monitoring for rogue replication requests
· Chain exploit steps with && when a cleanup task can revert your changes between commands
· BloodHound should be your first move after getting any domain credentials
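The defender's view of the same chain, as an added example that is not part of the original writeup: a small triage script that flags the three steps in Windows Security event logs, the AS-REP issued without pre-authentication (4768, pre-auth type 0 with an RC4 ticket), the membership added to Exchange Windows Permissions (4728), and the replication request the last bullets describe as hard to spot (4662 carrying the DS-Replication-Get-Changes extended rights). The event lines are constructed and flattened to "Key: Value; Key: Value" text rather than real EVTX output, the field names mirror the real events, the replication-rights GUIDs are the standard ones, and FOREST$ being the only DC account plus the user name jdoe are assumptions.

```python
"""Defender-side triage of Windows Security events for the Forest attack chain.

Constructed example (not from the original writeup): events are flattened to
'Key: Value; Key: Value' lines; field names mirror the real 4768/4728/4662
events; account and group names other than svc-alfresco are assumptions.
"""
from dataclasses import dataclass

# Extended-rights GUIDs a DC checks before answering a replication (DCSync) request.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Groups whose membership changes should alert (assumption: tune per domain).
WATCHED_GROUPS = {"exchange windows permissions", "account operators", "domain admins"}

# Principals legitimately allowed to replicate: DC machine accounts (assumption).
DC_ACCOUNTS = {"FOREST$"}


@dataclass
class Finding:
    event_id: int
    account: str
    reason: str


def parse_event(line: str) -> dict:
    """Split a flattened event line into a field dict (constructed format)."""
    fields = {}
    for part in line.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_4768(ev: dict):
    # Pre-auth type 0 means the AS-REP was issued without pre-authentication;
    # an RC4 (0x17) ticket on top of that is the classic AS-REP-roast signature.
    if ev.get("Pre-Authentication Type") == "0" and ev.get("Ticket Encryption Type", "").lower() == "0x17":
        return Finding(4768, ev.get("Account Name", "?"),
                       "AS-REP issued without pre-auth, RC4 encrypted (AS-REP roast)")
    return None


def check_4728(ev: dict):
    # Membership added to a group that holds a path to the domain object.
    group = ev.get("Group Name", "")
    if group.lower() in WATCHED_GROUPS:
        return Finding(4728, ev.get("Member Name", "?"),
                       f"added to {group} by {ev.get('Subject Account Name', '?')}")
    return None


def check_4662(ev: dict):
    # Replication rights exercised by anything that is not a DC is a DCSync indicator.
    props = ev.get("Properties", "").lower()
    hits = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
    subject = ev.get("Subject Account Name", "")
    if hits and subject.upper() not in DC_ACCOUNTS:
        return Finding(4662, subject, "replication rights used by non-DC: " + ", ".join(hits))
    return None


CHECKS = {4768: check_4768, 4728: check_4728, 4662: check_4662}


def triage(lines):
    """Run the per-event-ID checks and return the findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        check = CHECKS.get(int(ev.get("Event ID", "0") or 0))
        if check is not None:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample log: benign noise plus the three attack steps in order.
SAMPLE_EVENTS = [
    "Event ID: 4768; Account Name: jdoe; Pre-Authentication Type: 2; Ticket Encryption Type: 0x12",
    "Event ID: 4768; Account Name: svc-alfresco; Pre-Authentication Type: 0; Ticket Encryption Type: 0x17",
    "Event ID: 4728; Subject Account Name: svc-alfresco; Member Name: CN=svc-alfresco,CN=Users,DC=htb,DC=local; Group Name: Exchange Windows Permissions",
    "Event ID: 4662; Subject Account Name: FOREST$; Object Type: domainDNS; Properties: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "Event ID: 4662; Subject Account Name: svc-alfresco; Object Type: domainDNS; Properties: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "Event ID: 4624; Account Name: jdoe; Logon Type: 3",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.account}: {f.reason}")
```

Two caveats when moving this off the sample data: 4662 only appears if the domain object's SACL audits Control Access (Directory Service Access auditing), and the real Properties field is multi-line, so the flattening step has to be done by the collector. The pre-auth-type-0 check alone fires for any normal logon of a DONT_REQ_PREAUTH account; the RC4 requirement is what narrows it to roasting tools, since current Windows clients negotiate AES.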