88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-30 21:46:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Subject Alternative Name: DNS:LusDC.lustrous.vl
| Not valid before: 2021-12-26T09:46:02
|_Not valid after: 2022-12-26T00:00:00
|_http-title: Not Found
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Not valid before: 2025-05-29T21:09:49
|_Not valid after: 2025-11-28T21:09:49
|_ssl-date: 2025-05-30T21:48:12+00:00; -1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
57557/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
57558/tcp open msrpc Microsoft Windows RPC
57597/tcp open msrpc Microsoft Windows RPC
57614/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (89%)
Aggressive OS guesses: Microsoft Windows Server 2022 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: LUSDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-05-30T21:47:32
|_ start_date: N/A
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 18.79 ms 10.8.0.1
2 19.34 ms 10.10.198.197
Nmap scan report for 10.10.198.198
Host is up (0.049s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-05-30T21:48:12+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=LusMS.lustrous.vl
| Not valid before: 2025-05-29T21:09:51
|_Not valid after: 2025-11-28T21:09:51
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (88%)
Aggressive OS guesses: Microsoft Windows Server 2022 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-05-30T21:47:38
|_ start_date: N/A
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 10.10.198.197
2 18.96 ms 10.10.198.198
Post-scan script results:
| clock-skew:
| 0s:
| 10.10.198.197
|_ 10.10.198.198
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
The scan shows that one of the servers can be accessed anonymously via FTP. Accessing it reveals several user folders.
These folders contain no files of interest. However, their names can be used to build a list of domain users, whose validity we then test with Kerbrute.
This confirms that every username in the list corresponds to a valid domain account.
AS-REP roasting
With the list of valid users, we can check whether any of them has Kerberos pre-authentication disabled, which is the precondition for an AS-REP roasting attack. To do this, we use the GetNPUsers script from impacket. We recover the AS-REP hash for the ben.cox account and crack it with john, thus recovering the password for this account.
We can then use this account to retrieve the complete list of domain users:
Kerberoasting
With the ben.cox account, we can retrieve the list of users with an SPN in order to carry out a Kerberoasting attack.
We can see that two service accounts have an SPN. By requesting a TGS for both services, we manage to crack the password of the svc_web account with rockyou. However, BloodHound shows that this account has no special privileges.
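From the defender's side, both techniques above leave a footprint in the domain controller's Security log: AS-REP roasting shows up as event 4768 with pre-authentication type 0, and Kerberoasting as a burst of event 4769 service-ticket requests using RC4 (0x17) for user accounts with an SPN. The following triage script is an added example, not part of the write-up; the events are constructed samples, and "svc_example" is a placeholder for the second SPN account, which the write-up does not name.

```python
"""Triage Windows Security events 4768 (TGT request) and 4769 (TGS request)
for the two techniques above: AS-REP roasting and Kerberoasting."""
from collections import defaultdict

# Constructed sample events (not taken from the box's logs). Field names follow
# the Security log XML; "svc_example" stands in for the second SPN account,
# which the write-up does not name.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "ben.cox", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.8.0.5"},
    {"EventID": 4768, "TargetUserName": "tony.ward", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.198.198"},
    {"EventID": 4769, "TargetUserName": "ben.cox@LUSTROUS.VL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.8.0.5"},
    {"EventID": 4769, "TargetUserName": "ben.cox@LUSTROUS.VL", "ServiceName": "svc_example",
     "TicketEncryptionType": "0x17", "IpAddress": "10.8.0.5"},
    {"EventID": 4769, "TargetUserName": "LUSMS$@LUSTROUS.VL", "ServiceName": "LUSDC$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.198.198"},
]

def is_asrep_candidate(ev):
    # Pre-Authentication Type 0 = TGT issued without pre-auth: the account has
    # "Do not require Kerberos preauthentication" set and is roastable.
    return ev["EventID"] == 4768 and ev.get("PreAuthType") == "0"

def is_rc4_user_tgs(ev):
    # RC4 (0x17) service tickets for a non-computer, non-krbtgt SPN are the
    # classic Kerberoasting footprint; AES (0x11/0x12) requests are routine.
    svc = ev.get("ServiceName", "")
    return (ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == "0x17"
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def triage(events, roast_threshold=2):
    """Return (rule, subject, source_ip) alerts; one source requesting RC4
    tickets for >= roast_threshold distinct services is flagged."""
    alerts = []
    rc4_by_source = defaultdict(set)
    for ev in events:
        if is_asrep_candidate(ev):
            alerts.append(("ASREP_NOPREAUTH", ev["TargetUserName"], ev["IpAddress"]))
        elif is_rc4_user_tgs(ev):
            rc4_by_source[ev["IpAddress"]].add(ev["ServiceName"])
    for ip, services in sorted(rc4_by_source.items()):
        if len(services) >= roast_threshold:
            alerts.append(("KERBEROAST_RC4", ",".join(sorted(services)), ip))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Accounts flagged by the first rule should have pre-authentication re-enabled; accounts flagged by the second are candidates for a gMSA or, at minimum, AES-only Kerberos and a long random password.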
PSCredential decrypt
An analysis of the nmap scan performed at the beginning of this section reveals that WinRM is enabled on the machines. Furthermore, ben.cox has WinRM access on LUSMS.
When accessing WinRM on this machine, an admin.xml file is discovered on the desktop, containing PSCredential credentials.
A PSCredential object in PowerShell is a special type used to securely store a username and password. It is mainly used to pass credentials to commands or scripts requiring authentication.
The password contained in the PSCredential object is encrypted using DPAPI (Data Protection API), an API built into Windows. This encryption is "user or machine bound", meaning that only the account that created the password (or the system, depending on the context) can decrypt it.
Here, since we control the ben.cox session, we can decrypt this PSCredential to recover the password. To do this, simply execute the following commands:
This retrieves the password for the machine's local administrator account:
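Because such files are only as safe as the session that can read them, defenders typically hunt for Export-Clixml credential files left on disk. The script below is an added example, not code from the write-up: it parses a constructed CLIXML sample (not the box's admin.xml), identifies PSCredential objects by their type name, and checks whether the stored secret carries the DPAPI blob header, which is what makes it user- or machine-bound.

```python
"""Hunt for PSCredential objects saved with Export-Clixml and report whether
their secret is a DPAPI-protected blob (user/machine-bound)."""
import xml.etree.ElementTree as ET

CLIXML_NS = "http://schemas.microsoft.com/powershell/2004/04"
# DPAPI blob header: version 1 followed by the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian byte order.
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample resembling Export-Clixml output; the hex payload after the
# header is filler, not a real blob.
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{CLIXML_NS}">
  <Obj RefId="0">
    <TN RefId="0"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">LUSMS\\Administrator</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0000000000000000deadbeef</SS>
    </Props>
  </Obj>
</Objs>"""

def find_exported_credentials(clixml_text):
    """Return one dict per PSCredential found: username, whether the secret is
    a DPAPI blob, and the blob length in bytes. Nothing is decrypted."""
    root = ET.fromstring(clixml_text)
    ns = {"ps": CLIXML_NS}
    found = []
    for obj in root.iter(f"{{{CLIXML_NS}}}Obj"):
        types = [t.text for t in obj.findall("ps:TN/ps:T", ns)]
        if "System.Management.Automation.PSCredential" not in types:
            continue
        user = obj.findtext("ps:Props/ps:S[@N='UserName']", default="", namespaces=ns)
        secret_hex = obj.findtext("ps:Props/ps:SS[@N='Password']", default="", namespaces=ns)
        try:
            blob = bytes.fromhex(secret_hex)
        except ValueError:
            blob = b""  # not a SecureString export; still worth reporting
        found.append({"username": user,
                      "dpapi_bound": blob.startswith(DPAPI_MAGIC),
                      "secret_bytes": len(blob)})
    return found

if __name__ == "__main__":
    for hit in find_exported_credentials(SAMPLE_CLIXML):
        print(hit)
```

A hit with dpapi_bound set means anyone who obtains a session as the exporting user (or SYSTEM, for machine scope) can recover the password, so the file should be removed and the credential rotated.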
Secret note access
Once you've retrieved all the compromised machine's secrets (SAM, LSA, etc.), you quickly find yourself stuck. To unblock the situation, we need to go back to the nmap scan and try to exploit the web service. To do this, you need to modify the hosts file so that you no longer get the default IIS server page.
┌──(kali㉿kali)-[~/ctf/vulnlab/lustrous]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.153.117 lusdc.lustrous.vl lustrous.vl
After modifying the file, we can access a web page which tells us that our credentials are invalid, even though we haven't entered any.
This is because the web application uses Kerberos authentication. This means that if the browser supports it, it will automatically try to authenticate with the service tickets on our machine. However, in our case, we don't have any service tickets to access the machine. To obtain a service ticket, we can use the ben.cox account, which is a domain account that should enable us to obtain a TGS.
To be able to request a ticket, we first need to modify the krb5.conf file, paying attention to case (the realm name is uppercase).
Next, we can request a ticket for ben.cox using kinit.
You can then check that the ticket has been retrieved using klist. Then, by modifying the following keys in Firefox's about:config, you tell Firefox that you want to authenticate with the ticket on your machine:
Firefox key                              Value
network.negotiate-auth.trusted-uris      lusdc.lustrous.vl
network.negotiate-auth.delegation-uris   lusdc.lustrous.vl (optional for full SSO)
network.auth.use-sspi                    false (important under Linux!)
This allows us to access the web page:
We then notice that some users store their password in clear text in this application:
Each user seems to have a personal note, so we’d need to access the notes of each of them in order to retrieve a potential secret.
Silver Ticket
As we compromised the svc_web account earlier, we can use it to generate tickets for any user to access the web service.
To do this, we need several elements:
Domain SID: this can easily be obtained with whoami /user on the compromised machine (don't forget to remove the number at the end, which is the user's RID).
This allows us to retrieve that user's password and compromise the account:
Backup operator privilege
Next, we discover that the user tony.ward is a member of the Backup Operators group.
This group, which is normally empty, allows its members to copy any file on the DC without restriction. The nxc backup_operator module can therefore be used to retrieve the DC's SAM, SYSTEM and SECURITY registry hives and compromise it.
Then, using secretsdump, you can extract the SAM and LSA secrets from these hives: