💥️ Breaking Active Directory with Timeroast & RBCD | HackSmarter Past

In this video, I solve the Past box from HackSmarter, a Windows Active Directory machine that focuses on SMB enumeration, Kerberos abuse, and delegation attacks. The box starts with no credentials, so I begin with reconnaissance using Nmap and discover an exposed SMB service. Using a guest account, I’m able to access a shared folder and download a file containing some information about machines on the network. From there, I enumerate the domain further by performing a RID brute force attack to identify users and machine accounts, since normal user enumeration was restricted. With the discovered RIDs, I perform a Kerberos Timeroast attack to retrieve NTLM hashes for computer accounts. After cracking one of the machine account passwords, I gain access to another SMB share containing credentials for a domain user. The account has login restrictions, but I bypass this by requesting a Kerberos TGT and authenticating through Kerberos instead. Using BloodHound, I discover that the compromised user has GenericAll permissions over the target machine. This allows me to perform a Resource-Based Constrained Delegation (RBCD) attack, ultimately obtaining the Administrator hash for the target host. With Administrator access, I connect through WinRM and retrieve the root flag. As an extra challenge, the box creator also requested another user’s password, which I recover from the user’s history file. 🔹 Topics covered: SMB enumeration with guest access RID brute forcing Kerberos Timeroasting Cracking machine account hashes Kerberos authentication bypass BloodHound privilege analysis Resource-Based Constrained Delegation (RBCD) Windows privilege escalation Active Directory exploitation If you enjoy walkthroughs, HackSmarter machines, and Active Directory attacks, make sure to subscribe for more! Timeroast python script: https://github.com/bvcyber/Timeroast 00:03:25 - NMAP scans 00:08:10 - Checking NMAP results 00:13:00 - Enumerating Null Sessions 00:14:57 - Enumerating Guest Logon Shares 00:16:00 - Access the shared folder 00:18:10 - Enumerating Users 00:25:00 - Timeroast 00:26:45 - Crack the password 00:29:28 - Found readable shares for the computer account 00:30:27 - Get users list 00:31:52 - Collect data for BloodHound 00:34:15 - Start BloodHound 00:38:20 - Access shared folder for the computer account 00:40:15 - Found user credentials 00:43:20 - Request TGT to bypass account restriction 00:48:00 - Resource-Based Constrained Delegation 01:02:25 - Checking the Service Ticket for the Administrator account 01:05:45 - Get hashes for all users in the target machine 01:09:02 - Connect via WinRm as Administrator 01:09:55 - Get the root.txt flag 01:10:30 - Looking for Ryan's password 01:13:20 - Alternative way of getting the history file 01:16:08 - Option to save the history files for all users 01:17:12 - Note about the options for the powershell_history module #HackSmarter #OSCP #ActiveDirectory #CyberSecurity #Pentesting