dcsync

MACHINE Windows

HackTheBox: Administrator

A Windows DC compromised by chaining ACL misconfigurations: from Olivia, BloodHound maps GenericAll and ForceChangePassword edges to Michael and Benjamin, an FTP-hosted Password Safe backup cracks open, a password spray lands Emily over WinRM, then targeted Kerberoasting of Ethan and DCSync rights dump the Administrator hash.

MACHINE Windows

HackTheBox: Redelegate

A Windows DC: anonymous FTP exposes a KeePass vault cracked to a season password, MSSQL RID brute-forcing enumerates users, a password spray lands Marie.Curie, ForceChangePassword reaches Helen.Frost, and SeEnableDelegationPrivilege plus GenericAll over FS01$ set up constrained delegation (S4U2Proxy) to impersonate the DC and DCSync the Administrator hash.

MACHINE Windows

HackTheBox: VulnCicada

A Windows DC where the first credential hides in an image on a public NFS share, and with NTLM disabled an ESC8 (ADCS HTTP web enrollment) attack requires Kerberos relaying: coerce the DC, relay to /certsrv for a machine-account certificate, then DCSync the Administrator hash. Covers both the Linux (bloodyAD/certipy) and Windows (RemoteKrbRelay) methods.