💥️ Breaking Active Directory with Timeroast & RBCD | HackSmarter Past
In this video, I solve the Past box from HackSmarter, a Windows Active Directory machine that focuses on SMB enumeration, Kerberos abuse, and delegation attacks. The box starts with no credentials, so I begin with reconnaissance using Nmap and discover an exposed SMB service. Using a guest account, I’m able to access a shared folder and download a file containing some information about machines on the network. From there, I enumerate the domain further by performing a RID brute force attack to identify users and machine accounts, since normal user enumeration was restricted. With the discovered RIDs, I perform a Kerberos Timeroast attack to retrieve NTLM hashes for computer accounts. After cracking one of the machine account passwords, I gain access to another SMB share containing credentials for a domain user. The account has login restrictions, but I bypass this by requesting a Kerberos TGT and authenticating through Kerberos instead. Using BloodHound, I discover that the compromised user has GenericAll permissions over the target machine. This allows me to perform a Resource-Based Constrained Delegation (RBCD) attack, ultimately obtaining the Administrator hash for the target host. With Administrator access, I connect through WinRM and retrieve the root flag. As an extra challenge, the box creator also requested another user’s password, which I recover from the user’s history file. 🔹 Topics covered: SMB enumeration with guest access RID brute forcing Kerberos Timeroasting Cracking machine account hashes Kerberos authentication bypass BloodHound privilege analysis Resource-Based Constrained Delegation (RBCD) Windows privilege escalation Active Directory exploitation If you enjoy walkthroughs, HackSmarter machines, and Active Directory attacks, make sure to subscribe for more! Timeroast python script: https://github.com/bvcyber/Timeroast 00:03:25 - NMAP scans 00:08:10 - Checking NMAP results 00:13:00 - Enumerating Null Sessions 00:14:57 - Enumerating Guest Logon Shares 00:16:00 - Access the shared folder 00:18:10 - Enumerating Users 00:25:00 - Timeroast 00:26:45 - Crack the password 00:29:28 - Found readable shares for the computer account 00:30:27 - Get users list 00:31:52 - Collect data for BloodHound 00:34:15 - Start BloodHound 00:38:20 - Access shared folder for the computer account 00:40:15 - Found user credentials 00:43:20 - Request TGT to bypass account restriction 00:48:00 - Resource-Based Constrained Delegation 01:02:25 - Checking the Service Ticket for the Administrator account 01:05:45 - Get hashes for all users in the target machine 01:09:02 - Connect via WinRm as Administrator 01:09:55 - Get the root.txt flag 01:10:30 - Looking for Ryan's password 01:13:20 - Alternative way of getting the history file 01:16:08 - Option to save the history files for all users 01:17:12 - Note about the options for the powershell_history module #HackSmarter #OSCP #ActiveDirectory #CyberSecurity #Pentesting

Foundations of Web App Pentesting – Final Capstone Challenge | HackSmarter.org

Don't Hang Up On AI Scammers. Do THIS Instead.

Oracle PL/SQL Injection to Root | HackSmarter Talisman

Crash Course, Active Directory, DHCP & DNS for Entry Level Tech Support

Null Session to Domain Admin: Kerberoasting, Password Reuse & DCSync | HackSmarter MartiniAD

Their Junior Tech Destroyed This $2000 Gaming Laptop In 60 Seconds!

🔥 GOD UNLEASHES the Truth | Psalms 23, 35, 91 and 112 To Break Curses and Activate Abundance

The Local AI Hardware Mistake Everyone Makes

Using NMAP Like a Red Team Operator (OPSEC Matters!)

Something is jamming GPS over Europe. Here's what we found

Best Hacking Laptop 2023

How Hackers Actually Chain Tools Together (Nmap, Dirb, Wireshark)

Politics Chat, July 7, 2026

Billionaire's WARNING: I'm SELLING. The Crash Is Already Here!

I Built a Virus for this Cocky Scammer

Learn Microsoft Active Directory (ADDS) in 30mins

NestJS Full Course for Beginners in 2026 | Build a Production-Ready API

How they use Bluetooth to target your car

He Built a Privacy Tool. Now He’s Going to Prison.

