BlogTwitterLinkedIn

🖥️Ledger (AD)

This challenge simulates a real cyber-attack scenario where you must exploit an Active Directory.

Enumeración de Red

Nmap

autoscan 10.10.166.235

Resultado Nmap

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-08 08:38:31Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after:  2024-05-11T07:32:36
|_ssl-date: 2025-08-08T08:39:35+00:00; +1s from scanner time.
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
|_ssl-date: 2025-08-08T08:39:35+00:00; +1s from scanner time.
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=thm-LABYRINTH-CA
| Not valid before: 2023-05-12T07:26:00
|_Not valid after:  2028-05-12T07:35:59
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after:  2024-05-11T07:32:36
|_ssl-date: 2025-08-08T08:39:35+00:00; +1s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after:  2024-05-11T07:32:36
|_ssl-date: 2025-08-08T08:39:35+00:00; +1s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after:  2024-05-11T07:32:36
|_ssl-date: 2025-08-08T08:39:35+00:00; +1s from scanner time.
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Not valid before: 2025-08-07T08:33:36
|_Not valid after:  2026-02-06T08:33:36
|_ssl-date: 2025-08-08T08:39:35+00:00; +1s from scanner time.
7680/tcp  open  pando-pub?
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49684/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
49712/tcp open  msrpc         Microsoft Windows RPC
49716/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: LABYRINTH; OS: Windows; CPE: cpe:/o:microsoft:windows

  • Windows - Active Directory

  • DNS: labyrinth.thm.local

  • web: 80 (IIS)

  • enum: ldap,smb,rpc,kerberos

labyrinth.thm.local → /etc/hosts

Enumeración de Dominio - enum4linux-ng

  • NetBIOS computer name: LABYRINTH

  • NetBIOS domain name: THM

  • DNS domain: thm.local

  • FQDN: labyrinth.thm.local

Enumeración de Usuarios - LDAP (Anon Bind)

AS-REP Roasting

Enumeración - UF_DONT_REQUIRE_PREAUTH

Hash cracking

  • Ningún resultado válido

Enumeración de Dominio - netexec LDAP

Password Spraying

[+] thm.local\SUSANNA_MCKNIGHT:CHANGEME2023!

  • Sin permisos

Acceso Remoto - RDP

Intrusión en el Sistema

Sesión Remota: Susanna

Enumeración Autenticada de Dominio - BloodHound

Enumeración Post-Intrusión

BUILTIN\Certificate Service DCOM Access

Recurso

LogoExploiting Active Directory Certificate Services (AD CS)Redfox Security - Pen Testing Services

C:\Users\.

  • Administrator

  • BRADLEY_ORTIZ

Información de BloodHound

BRADLEY_ORTIZ → MemberOf[email protected]

Escalada de Privilegios: Domain Admin Impersonation (Misconfigured Certificate Templates - ESC1)

ERROR → KDC_ERR_PADATA_TYPE_NOSUPP (KDC has no support for padata type)

Recurso

LogoKDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type) [Need Urgent Help] · Issue #205 · ly4k/CertipyGitHub

The domain controller that does not support PKINIT authentication (kerberos authentication with a certificate). It could be because the DC does not have an installed certificate from your ADCS component. You can still authenticate though LDAPS (authentication through TLS) with the command: "certipy auth -ldap-shell" and then exploit RBCD.

Explotación mediante LDAP-Shell

Compromiso del Sistema

Shell: Domain Admin

Última actualización