Arasaka
This box is provided by HackSmarter https://www.hacksmarter.org/
Scenario
Starting Credentials
faraday:hacksmarter123
Objective and Scope
You are a member of the Hack Smarter Red Team. This penetration test will operate under an assumed breach scenario, starting with valid credentials for a standard domain user, faraday.
The primary goal is to simulate a realistic attack, identifying and exploiting vulnerabilities to escalate privileges from a standard user to a Domain Administrator.
Overview
Arasaka is an assumed breach Active Directory penetration test set in the hacksmarter.local domain. Starting with low-privilege credentials for the domain user faraday, the goal is to fully compromise the domain by escalating to Domain Administrator.
The attack chain follows a classic AD exploitation path:
- Recon - Enumerate the environment with Nmap and BloodHound to map the attack surface and identify privilege relationships.
- Kerberoasting - Crack the TGS ticket for a service account (alt.svc) to recover its plaintext password.
- ACL Abuse (GenericAll) - Leverage alt.svc's full control over YORINOBU to force a password reset and gain access to a WinRM-capable account.
- Targeted Kerberoasting (GenericWrite) - Abuse YORINOBU's write permissions on soulkiller.svc to set an SPN and request a crackable TGS ticket.
- Privilege Escalation - (In progress) Continue up the chain with soulkiller.svc credentials.
Domain: hacksmarter.local
Target DC: dc01.hacksmarter.local (10.1.232.138)
Starting credentials: faraday:hacksmarter123
Recon
Nmap
The first step is a comprehensive port scan against the domain controller to understand what services are exposed. Two passes are run in parallel - the first uses default scripts and version detection against common ports for quick results, while the second scans all 65535 ports to catch anything running on non-standard ports.
sudo nmap -sC -sV -vv -oA tcp 10.1.232.138; sudo nmap -sC -sV -vv -p- -oA allports 10.1.232.138

The scan confirms this is a Windows domain controller, with the expected services open: DNS (53), Kerberos (88), LDAP (389/636/3268/3269), SMB (445), RPC (135), and WinRM (5985). The presence of WinRM is notable - it means any account with Remote Management Users membership or PSRemote rights can get a shell via Evil-WinRM, making it a key lateral movement target.
BloodHound
With the domain confirmed, BloodHound is used to collect and visualize all AD objects, group memberships, ACL relationships, and attack paths. The bloodhound-python ingestor authenticates as faraday and queries the DC over LDAP, collecting users, groups, computers, sessions, and ACLs, then packages everything into a zip for import into the BloodHound GUI.
bloodhound-python -u faraday -p hacksmarter123 -d hacksmarter.local -dc dc01.hacksmarter.local -c All --zip --dns-tcp -ns 10.1.232.138 --dns-timeout 60

BloodHound reveals two critical findings:
- alt.svc is Kerberoastable - it has a Service Principal Name (SPN) registered, meaning any authenticated domain user can request a TGS ticket for it. That ticket is encrypted with the account's password hash and can be cracked offline.
- yorinobu has PSRemote rights - this account can authenticate to WinRM on the DC, making it a valuable pivot point if its credentials can be obtained or changed.
Kerberoasting alt.svc
Since alt.svc has an SPN, Impacket's GetUserSPNs is used to request a TGS ticket for the account while authenticated as faraday. The -request flag tells it to also fetch the actual encrypted ticket, which contains material derived from the account's NTLM hash - crackable offline without touching the target again.
impacket-GetUserSPNs hacksmarter.local/faraday:hacksmarter123 -dc-ip 10.1.232.138 -request

The DC returns a Kerberos RC4-encrypted TGS ticket for alt.svc in the $krb5tgs$23$... format. This hash is saved to a file for offline cracking.
Cracking the Hash
Hashcat is run against the TGS hash using the classic rockyou.txt wordlist. Mode 13100 targets Kerberos 5 TGS-REP etype 23 (RC4-HMAC), the most common format returned for legacy-configured accounts.
hashcat -m 13100 -a 0 alt_svc_hash /mnt/hgfs/I/data/rockyou.txt

The password cracks as babygirl1, giving full access to the alt.svc service account: alt.svc:babygirl1.
Foothold
ACL Abuse - GenericAll over YORINOBU
Back in BloodHound, querying the outbound permissions of alt.svc shows it holds GenericAll over the user YORINOBU. GenericAll is the highest-privilege ACE - it grants full control over the object, including the ability to reset the password, modify group memberships, write arbitrary attributes, or perform shadow credential attacks.
The most straightforward abuse is a forced password reset. Since yorinobu has WinRM access (identified in BloodHound), resetting their password to a known value gives us an interactive shell on the domain controller.
Forcing a Password Reset
net rpc password is used to reset yorinobu's password, authenticating as alt.svc with the cracked credential. This works because alt.svc holds GenericAll, which includes the User-Force-Change-Password right.
net rpc password "yorinobu" "newP@ssword2022" -U hacksmarter.local/alt.svc%babygirl1 -S 10.1.232.138

The password reset succeeds. YORINOBU can now be accessed with yorinobu:newP@ssword2022. Since this account has WinRM rights, Evil-WinRM can be used to establish an interactive session on dc01.
Lateral Movement
GenericWrite over soulkiller.svc - Targeted Kerberoasting
Enumerating yorinobu's outbound ACLs in BloodHound shows it holds GenericWrite over the account soulkiller.svc. GenericWrite allows an attacker to write to most non-protected AD attributes, including servicePrincipalName. If an account has no SPN, it isn't Kerberoastable - but GenericWrite lets us add one, making it Kerberoastable on demand. This technique is called Targeted Kerberoasting.
The targetedKerberoast.py tool automates this: it identifies accounts where the current user has GenericWrite or GenericAll, temporarily writes a fake SPN to each, requests a TGS ticket, captures the hash, then optionally cleans up the SPN. This avoids leaving persistent changes in the environment.
python3 targetedKerberoast.py -v -d 'hacksmarter.local' -u 'yorinobu' -p 'newP@ssword2022'

Tool reference: https://github.com/ShutdownRepo/targetedKerberoast
A TGS hash is returned for soulkiller.svc. The hash is saved for offline cracking.
Cracking the Hash
The same hashcat command is run against the new hash:
hashcat -m 13100 -a 0 soulkiller_svc_hash /mnt/hgfs/I/data/rockyou.txt

The password cracks as MYpassword123#, yielding credentials soulkiller.svc:MYpassword123#.
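Added example, not part of this writeup or of the tools it uses: a detection pass a blue team could run over the domain controller's Security log to catch the three observable steps of the chain above (RC4 TGS requests for user SPNs, servicePrincipalName writes, and password resets by non-admin principals). The event records and the approved-resetter allow-list are constructed, and the 5136 rule assumes directory-service change auditing with a SACL on user objects is enabled.

```python
"""Flag the three steps of this writeup's chain in Windows Security events.

Rules (all from the domain controller's Security log):
  4769 with TicketEncryptionType 0x17 for a non-computer service -> RC4 TGS request (Kerberoasting)
  5136 modifying servicePrincipalName                            -> SPN written (targeted Kerberoasting)
  4724 by a principal outside the approved admin set             -> unexpected reset (GenericAll abuse)
"""

RC4_ETYPE = "0x17"                      # Kerberos etype 23, RC4-HMAC: the format hashcat mode 13100 cracks
APPROVED_RESETTERS = {"Administrator"}  # constructed allow-list; replace with your helpdesk/IAM accounts

# Constructed sample events (not captured from the lab); field names follow the real event schemas.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "faraday@HACKSMARTER.LOCAL", "ServiceName": "alt.svc",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "faraday@HACKSMARTER.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12"},  # AES ticket for a computer account: benign
    {"EventID": 4724, "SubjectUserName": "alt.svc", "TargetUserName": "yorinobu"},
    {"EventID": 5136, "SubjectUserName": "yorinobu", "AttributeLDAPDisplayName": "servicePrincipalName",
     "ObjectDN": "CN=soulkiller.svc,CN=Users,DC=hacksmarter,DC=local", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "Administrator", "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=alt.svc,CN=Users,DC=hacksmarter,DC=local", "OperationType": "%%14674"},
    {"EventID": 4769, "TargetUserName": "yorinobu@HACKSMARTER.LOCAL", "ServiceName": "soulkiller.svc",
     "TicketEncryptionType": "0x17"},
]

def cn_of(dn):
    """First RDN value of a distinguished name: 'CN=x,CN=Users,...' -> 'x'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def detect(events, approved_resetters=APPROVED_RESETTERS):
    """Return (rule, actor, target) tuples. An SPN write followed by an RC4 TGS request
    for the same account is additionally raised as targeted_kerberoast."""
    alerts, spn_written = [], {}
    for e in events:
        eid = e["EventID"]
        if eid == 4769:
            svc = e["ServiceName"]
            # Computer accounts ($) and krbtgt are excluded; RC4 for a user SPN is the signal
            if e.get("TicketEncryptionType") == RC4_ETYPE and not svc.endswith("$") and svc.lower() != "krbtgt":
                alerts.append(("rc4_tgs_request", e["TargetUserName"], svc))
                if svc in spn_written:
                    alerts.append(("targeted_kerberoast", spn_written[svc], svc))
        elif eid == 5136 and e.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname":
            target = cn_of(e["ObjectDN"])
            spn_written[target] = e["SubjectUserName"]
            alerts.append(("spn_modified", e["SubjectUserName"], target))
        elif eid == 4724 and e["SubjectUserName"] not in approved_resetters:
            alerts.append(("unexpected_password_reset", e["SubjectUserName"], e["TargetUserName"]))
    return alerts

if __name__ == "__main__":
    for rule, actor, target in detect(SAMPLE_EVENTS):
        print(f"{rule:26} actor={actor:28} target={target}")
```

The RC4 rule goes quiet once service accounts are moved to AES-only (msDS-SupportedEncryptionTypes) and long random passwords, which is also what removes the cracking step from this chain.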
Privilege Escalation
To be continued