As per usual, let us start with an aggressive NMAP scan.
NMAP output

Perfect, looks like it will be an AD-focused machine, Which is really nice. From the NMAP output we can also see the domain name, so add it to /etc/hosts for later use. Now we also need the FQDN of the domain controller, so let us use CrackMapExec for that.

CrackMapExec SMB

We can now also add the FQDN resolute.megabank.local to our /etc/hosts for later use as well.

Now we could try a null session on SMB to see if there is anything we can gather without valid credentials.

SMBClient null session

Looks like we are out of luck. As the DC doesn't seem to have any other interesting ports open, our only hope is to enumerate LDAP with ldapsearch and RPC with rpcclient. I'm gonna start with RPC first, for that I will use rpcenum.

RPCEnum to enumrate domain users
RPCEnum to enumrate domain users' description

Perfect, looks like we have a password and users. let's move onto the next phase to get our foothold.


As we have valid users and a possible password, let us try password spraying with CrackMapExec.

Password Spraying with CrackMapExec

Great, we now have our first pair of valid credentials, let's see if we can connect to the machine with it.

Testing winrm for melanie user

Perfect, we can connect to winrm with evil-winrm using our valid credentials now.

Using evil-winrm to connect to the DC as melanie

We got the user flag, so we are now ready to escalate privileges to domain admin.

Domain Admin

As melanie doesn't seem to have any interesting privileges on the machine, it is good practice to retrieve the domain information to further analyze it with bloodhound. For that I will be using the remote ingestor.

Ingesting AD data with

We are now ready to visualize it with Neo4j and BloodHound.

However, not much we can find that is interesting from the user melanie. Going back to the machine we can find a hidden folder with a script.

Hidden script
Hidden script content

Great, we have our second pair of credentials. Going back to bloodhound, we can see an interesting path as Ryan.

Ryan in Contractors domain group
Contractors in DNSAdmins domain group

DNSAdmins is a very dangerous group and we can escalate our privileges to admin by abusing it to make the DC load an arbitrary DLL on load with SYSTEM privileges. This DLL will be a remote reverse shell in our case. The following would include the full kill-chain.

Generate a malicious DLL that invokes a reverse shell.
Host an SMB server with the malicious DLL
Configure the DNS service to load our malicious DLL and restart the service
Get a hit on our SMB server
System invokes Reverse Shell to us

And we finally rooted it! really fun machine. Optionally, I will also perform a DCSYNC attack to dump all the hashes and passwords. For that, you can follow these steps.

Perform a snapshot of the AD
Exfiltrate the generated files SYSTEM, SECURITY, and ntds.dit
Retrieve the passwords and hashes with secretsdump