Syk0

Martiniad


This box is provided by HackSmarter https://www.hacksmarter.org/


Overview

MartiniAD is a black-box internal Active Directory penetration test scenario set inside the corporate network of "Martini Bars," a fictional adult beverage company that suffered a corporate breach. The engagement simulates a realistic insider-threat or post-VPN-access scenario where no credentials are provided upfront.

The attack path follows a classic AD exploitation chain:

  1. Unauthenticated SMB recon - Guest access to an SMB share reveals a plaintext credential in a notes file.
  2. Credentialed enumeration - The recovered credentials allow RID brute-forcing of domain users, surfacing a service account.
  3. Kerberoasting - The service account (ATHENA_SVC) has a crackable TGS ticket, yielding its cleartext password.
  4. C2 foothold - ATHENA_SVC has WinRM access, allowing an agent binary to be uploaded and executed, establishing a beacon in AdaptixC2.
  5. Credential discovery via Seatbelt - Post-exploitation enumeration uncovers Administrator credentials left in PowerShell history.
  6. DCSync - With Administrator access and an AdaptixC2 beacon, a full DCSync dumps the krbtgt hash, representing full domain compromise.

Key techniques: SMB guest access, NetExec (nxc), RID brute-force, Kerberoasting, hashcat, evil-winrm, AdaptixC2, Seatbelt, PSReadline history credential harvesting, DCSync.


Objective

An adult beverage company "Martini Bars" recently had a corporate breach and the compliance and risk team dictates they perform a penetration test at one of their branch offices. The Hack Smarter team has been authorized to perform an internal black box pentest.

Initial Access

The client has provided you with VPN access to their internal network, but no credentials.


Recon

Port Scanning with Nmap

The first step is to identify what services are running on the target host. We run two Nmap scans chained back to back - a default script/version scan against common ports, followed by a full port scan across all 65535 TCP ports to ensure nothing is missed on non-standard ports.

sudo nmap -sC -sV -vv -oA tcp 10.0.17.74; sudo nmap -sC -sV -vv -p- -oA allports 10.0.17.74
  • -sC runs Nmap's default NSE scripts (banner grabbing, service fingerprinting, etc.)
  • -sV probes open ports to determine service/version information
  • -vv increases verbosity for real-time output
  • -oA saves output in all formats (nmap, gnmap, xml) for later reference

The scan reveals a Windows domain controller with services typical of an AD environment - SMB (445), LDAP (389/636), Kerberos (88), WinRM (5985), and RDP (3389) are all open. The hostname and domain name are extracted from Nmap's SMB scripts.

SMB Guest Access Check

Before trying any credentials, we check whether SMB guest access is enabled. This is a common misconfiguration in older or poorly hardened Windows environments that allows unauthenticated enumeration of shares.

nxc smb 10.0.17.74 -u "guest" -p "" --shares
  • nxc (NetExec) is the modern successor to CrackMapExec, used for network protocol enumeration and exploitation
  • -u "guest" -p "" attempts authentication as the built-in guest account with a blank password
  • --shares lists all accessible SMB shares

Guest access is permitted and we can see a list of shares. Among the default administrative shares (C$, ADMIN$, IPC$) there is a non-standard share named notes, which is immediately interesting as it is likely to contain user-created content.


Foothold

Credential Discovery in SMB Share

We access the notes share and retrieve its contents. Inside we find a file called notes.txt which contains a set of credentials left behind by a careless user or administrator.

The file contains the credentials mprice / *martini* - a classic example of sensitive data exposure through unsecured internal file shares.

Credential Validation

Before using the credentials further, we validate them against SMB to confirm they are active and to see what additional shares mprice has access to.

nxc smb 10.0.17.74 -u "mprice" -p "*martini*" --shares

The credentials are valid - NetExec returns a [+] indicating a successful login. The share access for mprice does not reveal anything beyond what guest could see, so we pivot to Active Directory enumeration.

RID Brute-Force User Enumeration

With valid domain credentials, we can enumerate all domain user accounts using RID (Relative Identifier) brute-forcing over SMB. Every domain object has a SID composed of a domain SID plus a RID. By iterating over RID values, we can resolve account names even without LDAP access.

nxc smb 10.0.17.74 -u "mprice" -p "*martini*" --rid-brute
  • --rid-brute iterates through RID values (default range 500–4000) and resolves each to an account name if it exists

The output enumerates all domain users and groups. Among them is a user account named ATHENA_SVC. The _SVC suffix is a strong indicator that this is a service account, and service accounts are primary targets for Kerberoasting because they are typically configured with SPNs (Service Principal Names) and often have weaker or static passwords.


Lateral Movement

Kerberoasting ATHENA_SVC

Kerberoasting is an attack against Active Directory's Kerberos authentication protocol. Any authenticated domain user can request a Ticket Granting Service (TGS) ticket for any account that has an SPN registered. The TGS ticket is encrypted with a key derived from the target account's password (for RC4, the NTLM hash itself), meaning it can be taken offline and cracked without generating noisy failed-login events.

nxc ldap 10.0.17.74 -u "mprice" -p "*martini*" --kerberoasting ATHENA_SVC
  • nxc ldap switches to the LDAP module to interact with Active Directory
  • --kerberoasting requests a TGS for the specified account and outputs the hash in hashcat-compatible format

NetExec successfully requests a TGS for ATHENA_SVC and outputs the $krb5tgs$23$*...* hash. The 23 indicates RC4 encryption (etype 23), which is the weakest and fastest to crack.
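From the defender's side, the request above is visible on the domain controller. The following added example (mine, not code from the writeup or from HackSmarter) scans constructed Windows Security event 4769 lines and flags RC4 (etype 0x17) service tickets issued for user service accounts; it assumes "Audit Kerberos Service Ticket Operations" is enabled and that events are available as key=value text.

```python
"""Flag RC4 (etype 0x17) service-ticket requests that look like Kerberoasting.

Added example, not part of the original writeup. Every TGS request is logged on
the DC as Security event 4769. The nxc --kerberoasting step leaves a 4769 for a
*user* service account with TicketEncryptionType 0x17, which stands out because
domain-joined clients negotiate AES (0x11/0x12) unless RC4 is requested.
Sample lines are constructed to mirror the 4769 fields, not captured.
"""
import re

RC4_HMAC = "0x17"

# Constructed sample events, one per line as key=value pairs (no spaces in values).
SAMPLE_4769 = """\
EventID=4769 TargetUserName=mprice@MARTINI.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.0.17.50 Status=0x0
EventID=4769 TargetUserName=mprice@MARTINI.LOCAL ServiceName=ATHENA_SVC TicketEncryptionType=0x17 IpAddress=10.0.17.50 Status=0x0
EventID=4769 TargetUserName=jdoe@MARTINI.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.17.51 Status=0x0
EventID=4769 TargetUserName=mprice@MARTINI.LOCAL ServiceName=SQL_SVC TicketEncryptionType=0x17 IpAddress=10.0.17.50 Status=0x0
EventID=4769 TargetUserName=jdoe@MARTINI.LOCAL ServiceName=ATHENA_SVC TicketEncryptionType=0x17 IpAddress=10.0.17.51 Status=0x12
EventID=4768 TargetUserName=mprice@MARTINI.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.17.50 Status=0x0
"""

def parse_event(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def is_kerberoast_candidate(ev):
    """Successfully issued RC4 service ticket for a user account.
    Machine accounts (trailing $) and krbtgt are skipped: their keys are long
    and random, so RC4 tickets for them are noise rather than crackable material."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("Status") == "0x0"              # 0x0 = ticket actually issued
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def find_kerberoasting(log_text, threshold=1):
    """Map requester -> roastable service accounts it pulled RC4 tickets for.
    threshold=1 catches the single targeted request in the writeup; raise it
    to alert only on bulk roasting of every SPN in the domain."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_kerberoast_candidate(ev):
            hits.setdefault(ev["TargetUserName"], []).append(ev["ServiceName"])
    return {who: svcs for who, svcs in hits.items() if len(svcs) >= threshold}
```

Moving an account like ATHENA_SVC to a gMSA (or a long random password) and removing RC4 from its msDS-SupportedEncryptionTypes takes away what the cracking step that follows depends on.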

Hash Cracking with Hashcat

We take the captured TGS hash offline and attempt to crack it using hashcat against the rockyou wordlist.

hashcat -m 13100 -a 0 athena_svc_hash /mnt/hgfs/I/data/rockyou.txt
  • -m 13100 specifies the hash type: Kerberos 5 TGS-REP etype 23 (RC4)
  • -a 0 is dictionary attack mode
  • rockyou.txt is the classic wordlist containing ~14 million commonly used passwords

The hash cracks successfully, revealing the password 1dirtymartini - a weak, theme-based password that would not survive even basic wordlist attacks.

Group Membership Enumeration

Before proceeding with the compromised service account, we check its group memberships to understand what privileges and access it has within the domain.

nxc ldap 10.0.17.74 -u "athena_svc" -p "1dirtymartini" -M groupmembership -o USER=athena_svc
  • -M groupmembership loads the group membership module
  • -o USER=athena_svc passes the target user as a module option

The output shows that ATHENA_SVC is a member of the Remote Management Users group (enabling WinRM access) and the Remote Desktop Users group (enabling RDP access). WinRM is preferable for our purposes as it is more scriptable and less visually noisy than RDP.

Establishing a C2 Beacon via WinRM

With WinRM access confirmed, we connect to the target using evil-winrm-py and upload an AdaptixC2 agent binary. AdaptixC2 is a modern C2 framework that provides a beacon-style implant for post-exploitation operations.

evil-winrm-py -i 10.0.17.74 -u athena_svc -p 1dirtymartini
  • evil-winrm-py is a Python implementation of evil-winrm for interactive WinRM shells
  • Once connected, we upload the pre-generated AdaptixC2 agent executable and execute it on the target

We successfully obtain an interactive shell as ATHENA_SVC. From here we upload and execute the AdaptixC2 agent binary, which calls back to our listener.

The beacon checks in to AdaptixC2, giving us a persistent, feature-rich C2 channel to the compromised host. This is preferable to a raw shell as it supports in-memory execution, process injection, and other post-exploitation capabilities that avoid writing tools to disk.


Privilege Escalation

Post-Exploitation Enumeration with Seatbelt

With a C2 beacon established, we run Seatbelt - a comprehensive C# post-exploitation enumeration tool that checks for a wide range of security misconfigurations, credential storage locations, and interesting host data. We execute it in-memory via the execute-assembly command to avoid touching disk.

execute-assembly ~/Documents/local-scripts/SharpCollection/NetFramework_4.7_x64/Seatbelt.exe -group=All
  • execute-assembly loads and executes a .NET assembly directly in memory within a spawned process, bypassing many AV/EDR signatures that rely on file-based detection
  • -group=All runs every Seatbelt check, covering credentials, system configuration, browser data, scheduled tasks, and more

Seatbelt runs all checks and returns a large volume of output. After reviewing the results, we find a critical finding in the PowerShell console history file.

Administrator Credentials in PSReadline History

Seatbelt's check of ConsoleHost_history.txt - the file where PSReadline stores PowerShell command history - reveals that an administrator previously ran a command containing their credentials in plaintext. This is an extremely common finding in Windows environments where administrators use credentials directly in command-line arguments rather than secure credential objects.

The credentials are found at: C:\Users\ATHENA_SVC\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

The history file contains a command revealing the Administrator password: ebz0yxy3txh9BDE*yeh.
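A defender can sweep for this class of finding before an attacker does. The following added example (mine, not code from the writeup or from HackSmarter) scans constructed PSReadLine history text for commands that embed plaintext credentials and walks every profile under a users directory using the history path shown above; PLACEHOLDER_PW and the account names in the sample are constructed.

```python
"""Sweep PSReadLine history files for commands that embed plaintext credentials.

Added example, not part of the original writeup. ConsoleHost_history.txt is plain
text under each profile, so a defender can find the same thing Seatbelt found
above and rotate the exposed account first. History below is constructed;
PLACEHOLDER_PW stands in for any real value.
"""
import re
from pathlib import Path

# Per-profile history location, relative to the profile directory (path from the writeup).
HISTORY_REL = Path("AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt")

# (label, pattern): group 1 is the secret so reports can redact it.
CRED_PATTERNS = [
    ("ConvertTo-SecureString plaintext literal",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?(['\"]?\S+?['\"]?)\s+-AsPlainText", re.I)),
    ("net user with inline password", re.compile(r"\bnet\s+user\s+\S+\s+(\S+)\s+/add", re.I)),
    ("net use with inline password", re.compile(r"\bnet\s+use\s+\S+\s+(\S+)\s+/user:", re.I)),
    ("cmdkey stored credential", re.compile(r"\bcmdkey\b.*?/pass:(\S+)", re.I)),
    ("-Password literal (a $variable or (Read-Host) is fine)",
     re.compile(r"-Password\s+(['\"][^'\"]+['\"]|[^-\s$(]\S*)", re.I)),
]

SAMPLE_HISTORY = """\
Get-ChildItem C:\\Shares\\notes
net use \\\\FS01\\backups PLACEHOLDER_PW /user:MARTINI\\administrator
$s = ConvertTo-SecureString "PLACEHOLDER_PW" -AsPlainText -Force
New-LocalUser svc_backup -Password $s
cmdkey /add:DC01 /user:MARTINI\\administrator /pass:PLACEHOLDER_PW
"""

def scan_history_text(text):
    """One finding per (line, pattern) hit, with the secret redacted."""
    return [{"line": n, "finding": label, "command": line.replace(m.group(1), "<redacted>")}
            for n, line in enumerate(text.splitlines(), 1)
            for label, pat in CRED_PATTERNS
            if (m := pat.search(line))]

def scan_profiles(users_root):
    """Scan every profile under users_root (e.g. C:\\Users) -> {user: findings}."""
    results = {}
    for hist in Path(users_root).glob("*/" + HISTORY_REL.as_posix()):
        found = scan_history_text(hist.read_text(errors="replace"))
        if found:
            results[hist.relative_to(users_root).parts[0]] = found
    return results
```

Set-PSReadLineOption -HistorySaveStyle SaveNothing, or an -AddToHistoryHandler that drops lines matching these patterns, stops new secrets landing in the file; any account found here still needs rotating.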

Credential Validation

We validate the Administrator credentials against SMB before using them.

nxc smb 10.0.17.74 -u administrator -p 'ebz0yxy3txh9BDE*yeh' --shares

NetExec confirms the credentials are valid and shows (Pwn3d!) - indicating the account has local admin access and can be used with Impacket-style tools. We can see the Administrator has access to all administrative shares.

Administrator WinRM Session and New Beacon

We open a new WinRM session as Administrator and upload a second AdaptixC2 agent to establish a high-privilege beacon.

evil-winrm-py -i 10.0.17.74 -u administrator -p 'ebz0yxy3txh9BDE*yeh'

We now have an interactive shell as Administrator. We upload and execute the C2 agent to get a privileged beacon in AdaptixC2, which will allow us to run DCSync from memory.

DCSync - Full Domain Compromise

With a SYSTEM/Administrator-level beacon, we execute a DCSync attack from within AdaptixC2. DCSync abuses the Directory Replication Service (DRS) protocol, impersonating a domain controller to request replication of credential data from the real DC. This dumps the NTLM hash of any domain account - including the highly sensitive krbtgt account.

The krbtgt hash is significant because it can be used to forge Golden Tickets - Kerberos TGTs that grant access to any service in the domain for an extended period, representing complete and persistent domain compromise.

The DCSync dump returns the krbtgt NTLM hash, which is also the flag for this challenge. The domain is fully compromised.
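The replication request behind a DCSync is itself auditable on the DC. The following added example (mine, not code from the writeup or from HackSmarter) scans constructed Windows Security event 4662 lines for the DRS replication control-access rights being exercised by anything other than a domain controller or an allow-listed sync account; it assumes "Audit Directory Service Access" is enabled and that the allow-list prefix is tuned per site.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example, not part of the original writeup. A replication request against
the domain object is logged as 4662 with the replication control-access rights
in its Properties field. Only domain controllers (machine accounts) and dedicated
sync accounts should ever exercise them. Samples are constructed.
"""
import re

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"           # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"       # ...-Get-Changes-All: needed to pull secrets such as krbtgt
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"  # ...-Get-Changes-In-Filtered-Set
REPLICATION_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED}

# Non-DC accounts that legitimately replicate (Azure AD Connect uses MSOL_<hex>); site-specific.
ALLOWED_PREFIXES = ("MSOL_",)

SAMPLE_4662 = f"""\
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=MARTINI ObjectServer=DS AccessMask=0x100 Properties=%{{{GET_CHANGES}}},%{{{GET_CHANGES_ALL}}}
EventID=4662 SubjectUserName=administrator SubjectDomainName=MARTINI ObjectServer=DS AccessMask=0x100 Properties=%{{{GET_CHANGES}}},%{{{GET_CHANGES_ALL}}}
EventID=4662 SubjectUserName=jdoe SubjectDomainName=MARTINI ObjectServer=DS AccessMask=0x10 Properties=%{{bf967aba-0de6-11d0-a285-00aa003049e2}}
EventID=4662 SubjectUserName=MSOL_1a2b3c SubjectDomainName=MARTINI ObjectServer=DS AccessMask=0x100 Properties=%{{{GET_CHANGES}}},%{{{GET_CHANGES_ALL}}}
EventID=4662 SubjectUserName=mprice SubjectDomainName=MARTINI ObjectServer=DS AccessMask=0x100 Properties=%{{{GET_CHANGES}}}
"""

def parse_event(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def replication_rights(ev):
    """Replication GUIDs present in the event's Properties field."""
    guids = set(re.findall(r"[0-9a-f-]{36}", ev.get("Properties", "").lower()))
    return guids & REPLICATION_RIGHTS

def is_dcsync(ev):
    """Replication rights exercised by something that is neither a DC nor an allowed sync account."""
    user = ev.get("SubjectUserName", "")
    return (ev.get("EventID") == "4662"
            and ev.get("ObjectServer") == "DS"
            and bool(replication_rights(ev))
            and not user.endswith("$")
            and not user.upper().startswith(ALLOWED_PREFIXES))

def find_dcsync(log_text):
    """(account, sorted rights) for every suspicious replication request in the log."""
    out = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_dcsync(ev):
            out.append((ev["SubjectUserName"], sorted(replication_rights(ev))))
    return out
```

The same three rights on the domain root are what to review in the ACL: only DCs (and a sync account where one exists) should hold them, and a krbtgt reset twice over is the recovery step once a dump like this has happened.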


Summary

Stage | Technique | Tool | Finding
Recon | Port scan | nmap | DC with SMB, LDAP, WinRM, RDP open
Recon | SMB guest access | nxc | notes share accessible without auth
Foothold | Credential in share | SMB | mprice / *martini*
Enumeration | RID brute-force | nxc | ATHENA_SVC service account discovered
Lateral Movement | Kerberoasting | nxc + hashcat | ATHENA_SVC / 1dirtymartini
C2 | WinRM shell + beacon | evil-winrm-py + AdaptixC2 | Persistent beacon as ATHENA_SVC
Priv Esc | Seatbelt + PSReadline history | execute-assembly | administrator / ebz0yxy3txh9BDE*yeh
Domain Compromise | DCSync | AdaptixC2 | krbtgt hash - full domain compromise