kerberoasting

MACHINE Windows

HackTheBox: Administrator

A Windows DC compromised by chaining ACL misconfigurations: from Olivia, BloodHound maps GenericAll and ForceChangePassword edges to Michael and Benjamin, an FTP-hosted Password Safe backup cracks open, a password spray lands Emily over WinRM, then targeted Kerberoasting of Ethan and DCSync rights dump the Administrator hash.

MACHINE Windows

HackTheBox: TombWatcher

A Windows DC of pure AD permission abuse: from henry, WriteSPN targets alfred for Kerberoasting, INFRASTRUCTURE membership reads a gMSA password, a ForceChangePassword/WriteOwner/GenericAll chain reaches john over WinRM, then restoring a deleted cert_admin from the AD Recycle Bin and an ESC15 certificate template give Administrator.

MACHINE Windows

HackTheBox: Voleur

An assumed-breach Windows AD box where NTLM is disabled so everything is Kerberos: a password-protected Excel file on the IT share yields service creds, targeted Kerberoasting via WriteSPN lands svc_winrm, a restored AD user and a decrypted DPAPI blob pivot to jeremy.combs, and a WSL svc_backup grabs NTDS backups to dump the Administrator hash.