Myles Nieman
← All writeups

AS-REP Roasting

3 writeups

Sauna

Easy

Staff names harvested from Egotistical Bank’s website yield an AS-REP roastable account; cracking the hash gives fsmith, whose WinRM session …

Windows

Forest

Easy

Anonymous RPC enumeration yields a user list for AS-REP Roasting; the svc-alfresco hash cracks to a password that enables a BloodHound-guided DCSync …

Windows

Blackfield

Hard

Anonymous SMB access to a profiles share leaks hundreds of domain usernames; AS-REP roasting cracks the support account’s hash, and BloodHound …

Windows