These notes collect writeups across Hack The Box, Proving Grounds and PEN-200, including notes and screenshots from various resources.
https://www.jdksec.com/hack-the-box/haircut
High-Level Decision Tree
- Do I have no valid credentials, or only low-privileged access?
  - Yes → Try GetNPUsers.py. If you find any DONT_REQ_PREAUTH accounts, you can harvest AS-REPs with no password guess attempts.
  - No → You need a real Kerberos login for any other attack (WinRM, Kerberoast, etc.).
- Do I have at least one domain user (even just a normal user)?
  - Yes → You can use GetUserSPNs.py to trigger Kerberoasting. You'll get a batch of TGS hashes to crack offline.
  - Need to double-check: you may need LDAP read rights to enumerate SPNs. If SPNs are hidden or you lack LDAP read, you may have to move laterally or escalate first.
- Is "preauth disabled" common in this environment?
  - Yes → Lean on AS-REP Roasting (GetNPUsers.py), because it often yields quick wins.
  - No → Go with Kerberoasting (GetUserSPNs.py), because most modern AD environments enforce preauth on all user accounts, but SPNs always exist.
TL;DR
- GetNPUsers.py → AS-REP Roasting: use when you suspect (or find) accounts with Kerberos preauth disabled. You don't need any password to request an AS-REP.
- GetUserSPNs.py → Kerberoasting: use whenever you have at least domain-user credentials. You request TGS tickets for service accounts (SPNs) and crack them offline; this works even if preauth is enabled.
PowerView is primarily an enumeration and ACL-manipulation PowerShell module (part of PowerSploit) that lets you discover, inspect and, in some cases, modify Active Directory ACLs. In the context of DCSync, you can use PowerView to:
- Find which accounts already have the “Replicate Directory Changes” (and “Replicate Directory Changes All”) rights on your domain.
- Grant those rights to a user you control (if you have the privileges to modify ACLs).
- Verify that the ACL changes took effect.
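As an added example (not from these notes, Impacket or PowerView), here is the detection side of the decision tree and the DCSync section above: a small Python triage over constructed Windows Security events that flags 4768 TGT requests issued without pre-authentication (the AS-REP roastable accounts), RC4 service-ticket requests for user-backed SPNs (Kerberoasting), and 4662 events where a non-DC account exercises the replication rights (DCSync). The event field names follow the Security log schema; the DC account list and every sample event are assumed and constructed here.

```python
# Triage of constructed Windows Security events for the three abuses in these
# notes: AS-REP roasting (4768, pre-auth type 0), Kerberoasting (4769, RC4
# ticket for a user-backed SPN) and DCSync (4662 exercising replication rights).

# Well-known GUIDs of the two extended rights a DCSync caller must hold
# (the "Replicate Directory Changes" / "... All" rights in the notes).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"         # TicketEncryptionType value logged for RC4-HMAC
DC_ACCOUNTS = {"DC01$"}   # assumed: computer accounts of the real DCs

def classify(ev, dc_accounts=DC_ACCOUNTS):
    """Map one parsed event dict to a (finding, principal) tuple, or None."""
    eid = ev["EventID"]
    if eid == 4768 and ev.get("PreAuthType") == "0":
        # TGT issued with no pre-authentication: this account's AS-REP is
        # crackable offline, the DONT_REQ_PREAUTH case GetNPUsers.py finds.
        return ("asrep_roastable_account", ev["TargetUserName"])
    if eid == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
        svc = ev["ServiceName"]
        # RC4 service ticket for a user-backed SPN is the Kerberoasting
        # signature; computer accounts ($) and krbtgt are excluded. Legacy
        # RC4-only services also match, so baseline per service name.
        if not svc.endswith("$") and svc.lower() != "krbtgt":
            return ("kerberoast_request", f"{ev['SubjectUserName']}->{svc}")
    if eid == 4662 and REPL_GUIDS & set(ev.get("Properties", ())):
        # Replication rights used by anything but a DC account is the
        # DCSync pattern the PowerView ACL checks above are meant to catch.
        if ev["SubjectUserName"] not in dc_accounts:
            return ("dcsync_replication", ev["SubjectUserName"])
    return None

def triage(events):
    """Return all findings from an iterable of parsed events, in order."""
    return [f for f in map(classify, events) if f]
# Constructed sample events; field names follow the Security log schema.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0"},
    {"EventID": 4769, "SubjectUserName": "alice", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "SubjectUserName": "alice", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "bob",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]
```

Running triage(SAMPLE_EVENTS) yields one finding per abuse (svc_backup, alice->svc_sql, bob) while the computer-account ticket and the DC's own replication event stay silent.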